OpenVPN and easy-rsa Stretch to Buster migration » History » Version 1
Charles Atkinson, 18/05/2020 09:38
h1. OpenVPN and easy-rsa Stretch to Buster migration

{{toc}}

h1. Introduction

This page documents how a working OpenVPN and easy-rsa system was migrated from Stretch to Buster.

The difficulty:
* From https://github.com/OpenVPN/easy-rsa/issues/259#issuecomment-484531964
> We're still working on a proper upgrade mechanism from 3.0.5 to 3.0.6. There were changes made that we didn't consider impacted upgrade
* From https://github.com/OpenVPN/easy-rsa/issues/259#issuecomment-613794588
> There is an upgrade mechanism in place and available in the v3.0.7 release
* https://packages.debian.org/search?keywords=easy-rsa&searchon=names&suite=all&section=all showed Debian using 3.0.6 in stable, testing and unstable, so there was no backports solution.

OpenVPN alternatives were considered. A management GUI would be nice, and OpenVPN + easy-rsa upgrades have been time consuming.
* Searched for alternatives. The best summary was in the "OpenVPN Alternatives" table in https://thebestvpn.com/reviews/openvpn (Jan 2020).
* SoftEther was rejected because it had no management GUI for Linux. Neither does OpenVPN, but any new solution should have one.
* WireGuard was rejected as not yet mature enough for production.

Names: the package is easy-rsa, the script is easyrsa.

Given that we use only three of easyrsa's commands -- build-client-full, revoke and gen-crl -- we worked around the easyrsa breakage by creating /usr/local/bin/local-easyrsa and using it instead of the package script. local-easyrsa is at https://redmine.auroville.org.in/attachments/download/6676/_usr_local_bin_local-easyrsa

h1. Implementation

After stopping openvpn.service and syncing the /etc/openvpn tree from the Stretch server:
<pre>
mv /etc/openvpn/easy-rsa/pki/private/{ca.key,cakey.pem}
mv /etc/openvpn/easy-rsa/pki/{ca.crt,cacert.pem}
mkdir -p /etc/openvpn/easy-rsa/pki/newcerts /var/log/local-easyrsa
echo 00 > /etc/openvpn/easy-rsa/pki/crlnumber
ln -s /usr/local/bin/local-easyrsa /etc/openvpn/easy-rsa/local-easyrsa
systemctl start openvpn.service
</pre>
We were then able to use local-easyrsa in the same way as we had previously used easyrsa.
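The rename and mkdir steps above move the PKI to the file layout that the stock openssl.cnf [CA_default] section expects (cacert.pem, private/cakey.pem, newcerts, crlnumber). As an added example, not part of this page or of local-easyrsa, the script below wraps those steps so they can be re-run safely: it refuses to proceed if both the old and new name of a file exist, keeps an existing crlnumber instead of resetting it to 00 (a reset would let the next CRL carry a number lower than one clients may already hold), and tightens the CA key's mode. The PKI path and placeholder files in demo() are constructed; the symlink and service restart are left to the operator.

```shell
#!/bin/sh
# Migrate an easy-rsa 3 PKI tree to the layout local-easyrsa uses.
# Safe to re-run: nothing is overwritten and an existing crlnumber is kept.
migrate_pki() {
    pki=$1
    for pair in private/ca.key:private/cakey.pem ca.crt:cacert.pem; do
        old=${pair%%:*}; new=${pair#*:}
        if [ -e "$pki/$old" ] && [ -e "$pki/$new" ]; then
            echo "refusing: both $old and $new exist in $pki" >&2; return 1
        elif [ -e "$pki/$old" ]; then
            mv "$pki/$old" "$pki/$new"; echo "renamed $old -> $new"
        elif [ ! -e "$pki/$new" ]; then
            echo "missing: neither $old nor $new in $pki" >&2; return 1
        fi
    done
    # The CA private key must stay readable by its owner only
    chmod 600 "$pki/private/cakey.pem"
    [ -d "$pki/newcerts" ] || { mkdir -p "$pki/newcerts"; echo "created newcerts/"; }
    # Seed crlnumber only when absent: overwriting it with 00 would issue a
    # CRL whose number is lower than one clients may already have fetched
    if [ ! -e "$pki/crlnumber" ]; then
        echo 00 > "$pki/crlnumber"; echo "seeded crlnumber with 00"
    fi
}

# Constructed fixture: a Stretch-style tree with placeholder files (not real
# key material), migrated twice to show the second run changes nothing
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pki/private"
    echo "placeholder, not a real key" > "$tmp/pki/private/ca.key"
    echo "placeholder, not a real cert" > "$tmp/pki/ca.crt"
    migrate_pki "$tmp/pki" || return 1
    echo "--- second run"
    migrate_pki "$tmp/pki" || return 1
    ls "$tmp/pki"
    rm -rf "$tmp"
}
```

Run migrate_pki against /etc/openvpn/easy-rsa/pki with openvpn.service stopped, then create the local-easyrsa symlink and start the service as above.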