{"id":2491,"date":"2023-12-22T09:36:09","date_gmt":"2023-12-22T08:36:09","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=2491"},"modified":"2024-07-10T11:04:20","modified_gmt":"2024-07-10T09:04:20","slug":"openvpn-su-devuan-daedalus","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=2491","title":{"rendered":"Openvpn su Devuan Daedalus"},"content":{"rendered":"

Dopo 3 anni dall’ultima volta mi sono trovato a dover configurare un altra VPN da affiancare a quella aziendale per poter accedere al mio PC da remoto e quindi da li con IDRAC<\/a> che secondo me \u00e8 l’invenzione del secolo per chi fa il mio lavoro, poter riaccendere la LAN da casa durante un giorno di festa poich\u00e9 la manutenzione aveva dovuto togliere tensione.<\/p>\n

Su Devuan 5 la versione di Openvpn \u00e8 la 2.6.3 e sono cambiate un bel po di cose rispetto alle versioni precedenti tant’\u00e8 che partito a razzo con i soliti comandi mi son visto restituire un bel root@pc0:\/etc\/openvpn# . .\/vars
\nbash: .\/vars: File o directory non esistente.
\nQuindi al solito una rapida ricerca in Internet e ho trovato il procedimento per configurare openvpn su debian 12 che \u00e8 la mamma di daedalus, e che riporto qui adattato alle mie esigenze.
\nfatto il solito simlynk a \/usr\/share\/easy-rsa\/ in \/etc\/openvpn
\ned entrato in esso<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa# .\/easyrsa init-pki
\n* Notice:<\/p>\n

init-pki complete; you may now create a CA or requests.<\/p>\n

Your newly created PKI dir is:
\n* \/etc\/openvpn\/easy-rsa\/pki<\/p>\n

inizializza pki<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa# cd pki<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa\/pki#cp vars.example vars quindi editare e cambiare<\/p>\n

set_var EASYRSA_REQ_COUNTRY “IT”
\nset_var EASYRSA_REQ_PROVINCE “Lombardia”
\nset_var EASYRSA_REQ_CITY “Inveruno”
\nset_var EASYRSA_REQ_ORG “Myfirm S.p.A.”
\nset_var EASYRSA_REQ_EMAIL “clark@myfirm.com”
\nset_var EASYRSA_REQ_OU “Systems and Networking”<\/p>\n

 <\/p>\n

aggiustamento dei parametri<\/p>\n

 <\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa\/pki# cd ..<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa#.\/easyrsa build-ca
\n* WARNING:<\/p>\n

Unsupported \u00a0characters are present in the vars file.
\nThese characters are not supported: (‘) (&) (`) ($) (#)
\nSourcing the vars file and building certificates will probably fail ..<\/p>\n

* Notice:
\nUsing Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa\/pki\/vars<\/p>\n

* Notice:
\nUsing SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)<\/p>\n

Enter New CA Key Passphrase:
\nRe-Enter New CA Key Passphrase:
\nUsing configuration from \/etc\/openvpn\/easy-rsa\/pki\/967c26e0\/temp.34b5ff81
\n…….+…….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*……+…..+.+..+…+.+…+…..+.+…..+.+…………..+…….+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*…+..+………………………+.+…+..+………+…+……….+………..
\n+.+…+……+…………+…+..+…+….+..+.+…………..+…………….+..+.+……+…..+…+…….+…+…..+.+…………..+.+…..+.+…..+.+..+…+…….+…..+…….+……+…+…………..+…+…….+..+………+….+…..+……….+……+…..+.+…..+….+++++++++++
\n++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n..+….+…..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+……………+…..+…+.+………..+.+…+..+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*……+…+………+.+…………+..+…….+…+..+………….+…+…..+…+…..
\n…..+………+..+….+…..+…….+..+……….+..+.+..+…………+.+…..+……….+..+……….+..+.+…..+…………+.+………+…..+.+…..+…….+..+…+……….+..+…….+…..+.+…+………………..+.+…+…+…..+…+……….+……………+..+…………+…+
\n………+……….+…..+….+…..+.+…+..+…+…+….+…+……..+…+………+…+…………+…+…….+…+…..+….+…..+.+…+…..+…….+..+.+…………………………..+…….+..+…+……….+..+…+.+..+…+….+……+..+…+……+…………….+………+…
\n…..+…….+…+……+………..+……+………….+………+………………+………+…..+….+……+……..+…+………………….+…+…..+………….+……+……..+……+.+…+..+……………+…+…+………………+…….+…+..+…+…….+………+……
\n..+…+…+….+…..+.+…………+…+…..+.+……..+……+….+…………+…..+….+………+…+…+……………+…..+………………….+……..+…….+..+.+..+…………+…+….+………+………+……+………+..+…………….+…………+..+…+…………
\n+.+…+..+…+.+…+..+………+….+..+………….+..+.+……………..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\nEnter PEM pass phrase:
\nVerifying – Enter PEM pass phrase:
\n—–
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter ‘.’, the field will be left blank.
\n—–
\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:<\/p>\n

* Notice:<\/p>\n

CA creation complete and you may now import and sign cert requests.
\nYour new CA certificate file for publishing is at:\/etc\/openvpn\/easy-rsa\/pki\/ca.crt<\/p>\n

e con questo si genera il CA<\/p>\n

cd pki<\/p>\n

vim safessl-easyrsa.cnf<\/p>\n

cambiare default_days da 825 a 3650<\/p>\n

cambiare default_crl_days da 180 a 3650 #per evitare dopo 6 mesi che nessun client si colleghi piu’ perche’ il certificato non e’ piu’ valido<\/p>\n

Durata dei certificati<\/p>\n

cd ..<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa#.\/easyrsa gen-dh<\/p>\n

* WARNING:<\/p>\n

Unsupported \u00a0characters are present in the vars file.
\nThese characters are not supported: (‘) (&) (`) ($) (#)
\nSourcing the vars file and building certificates will probably fail ..<\/p>\n

* Notice:
\nUsing Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa\/pki\/vars<\/p>\n

* Notice:
\nUsing SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)<\/p>\n

Generating DH parameters, 2048 bit long safe prime
\n………………………+…………………………………………………..+……………………………………………………………………………………………..
\n+……………..+…….+……………………………+……………………………………………………………………………………+……………………………….
\n……………………………………………………..+……………………………………………………………………………………………………………………
\n……………………………………………………………………………………………………………………………………………………………………………
\n…..+………………………………………………………………………………………………………………………………………….+………………………….
\n…….+…………+……………………………….
\n* Notice:<\/p>\n

DH parameters of size 2048 created at \/etc\/openvpn\/easy-rsa\/pki\/dh.pem<\/p>\n

e con questo si generano i parametri diffie hellman<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa#.\/easyrsa build-server-full server nopass<\/p>\n

* Notice:
\nUsing Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa\/pki\/vars<\/p>\n

* Notice:
\nUsing SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)<\/p>\n

……..+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+…+…….+…..+…….+…..+……+…+.+………..+….+++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n++++++++++*…….+……+…….+…..+.+……………+……………..+…….+..+……………+…+.+..+…….+…+…..+….+…+..+………+…………+…………+.+…………+..
\n.+………..+…+……+……+.+..+………….+..+……+……+….+………+……………+…..+.+..+….+………+..+………+…+……+……….+..+…….+………..+….+…….
\n.+…+……+.+..+…+…………+.+……+……+..+……+…….+..+.+……+………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.+………+……+…..+…………+…+……….+……+…..+.+..+……….+..+.+……………+…..+…+……….+
\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+…+……+….+..+….+…..+……+.+…+………………………+..+……+….+…..+……+…………+…….+..+..
\n…………..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n—–
\n* Notice:<\/p>\n

Keypair and certificate request completed. Your files are:
\nreq: \/etc\/openvpn\/easy-rsa\/pki\/reqs\/server.req
\nkey: \/etc\/openvpn\/easy-rsa\/pki\/private\/server.key<\/p>\n

You are about to sign the following certificate.
\nPlease check over the details shown below for accuracy. Note that this request
\nhas not been cryptographically verified. Please be sure it came from a trusted
\nsource or that you have verified the request checksum with the sender.<\/p>\n

Request subject, to be signed as a server certificate for 825 days:<\/p>\n

subject=
\ncommonName \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0= server<\/p>\n

Type the word ‘yes’ to continue, or any other input to abort.
\nConfirm request details: yes
\nUsing configuration from \/etc\/openvpn\/easy-rsa\/pki\/466eb3c1\/temp.c0865d32
\nEnter pass phrase for \/etc\/openvpn\/easy-rsa\/pki\/private\/ca.key:
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncommonName \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0:ASN.1 12:’server’
\nCertificate is to be certified until Mar 25 08:51:14 2026 GMT (825 days)<\/p>\n

Write out database with 1 new entries
\nDatabase updated<\/p>\n

* Notice:
\nCertificate created at: \/etc\/openvpn\/easy-rsa\/pki\/issued\/server.crt<\/p>\n

generazione certificato server il parametro nopass evita la richiesta di password<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa# openvpn –genkey secret \/etc\/openvpn\/easy-rsa\/pki\/ta.key
\ngenerazione della chiave precondivisa TLS\/SSL
\nroot@pc0:\/etc\/openvpn\/easy-rsa# .\/easyrsa gen-crl
\n* Notice:
\nUsing Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa\/pki\/vars<\/p>\n

* Notice:
\nUsing SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)<\/p>\n

Using configuration from \/etc\/openvpn\/easy-rsa\/pki\/c06ed74f\/temp.25f1295e
\nEnter pass phrase for \/etc\/openvpn\/easy-rsa\/pki\/private\/ca.key:<\/p>\n

* Notice:<\/p>\n

An updated CRL has been created.
\nCRL file: \/etc\/openvpn\/easy-rsa\/pki\/crl.pem
\nGenerazione del certificato di revoca<\/p>\n

root@pc0:\/etc\/openvpn\/easy-rsa# .\/easyrsa build-client-full picinin3 nopass<\/p>\n

 <\/p>\n

* Notice:
\nUsing Easy-RSA configuration from: \/etc\/openvpn\/easy-rsa\/pki\/vars<\/p>\n

* Notice:
\nUsing SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)<\/p>\n

…..+..+.+..+…….+……..+…+.+…..+.+…..+…+….+…..+…….+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*….+…..+.+…+……………+……………….
\n……..+……..+.+…+………..+………+……+…….+…………..+.+…..+…+………+……….+..+………….+…+…..+……….+..+.+………..+…+.+..+…+.+…………….
\n….+……+…+……+.+..+…….+………+……+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*….+…….+……+..+….+…..+…+.+…………+..+…….+…..+…+…
\n+……….+…..+…….+…..+.+……………..+…….+……+…………..+……+.+……+………+…+…..+…….+…..+………+…….+..+…+…….+..+………+…………+…+
\n……+.+..+.+…………..+…………+………….+……………..+.+..+……….+…..+…+….+………..+….+…..+……….+…..+…+………….+………+…+…+…+..+…+…
\n…………….+..+….+…..+………+.+……+…+..+….+………..+.+..+…+……………….+…..+.+……..+……….+..+………….+…………..+.+…..+…….+………+++++++
\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
\n.+….+…+…..+…….+………..+………………+……+.+..+.+…..+….+…..+…….+…..+………………+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+…+.
\n…..+……+…….+..+……………….+..+…….+..+…+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*……+…+……….+…..+………+…+…….+……+………..
\n.+…..+….+…………..+……………………………….+…..+…+…………+…….+……..+……………+…+.+…..+.+…+…..+.+……………+………..+…+.+………+…
\n……+……………+..+….+…..+…….+…………………..+……+.+………+…+…..+…+………+………….+..+…+…….+…………..+….+……+..+…….+..+.+……..+..
\n….+….+..+…+.+……..+…+…….+…+…………+..+………………+……….+…+………+…+..+………+.+……..+.+…..+.+…..+………….+…+…+…………+..+………
\n………+…+.+……+…+…..+……+…+……+…….+…+…..+…….+..+…………+….+..+…+……….+……+…+..+…+…+…+….+…+…..+…+………+.+……+………..+…
\n……+.+………+…..+.+…..+………+…………………+………….+………+..+.+..+…….+……..+……+……+…+……+.+…+..+.+……..+….+…..+…………….+…..+..
\n…………..+…..+….+…..+……….+………..+……….+………+..+……….+…+..+…………+.+..+….+……+…..+….+…+..+…+++++++++++++++++++++++++++++++++++++++++++++++
\n++++++++++++++++++
\n—–
\n* Notice:<\/p>\n

Keypair and certificate request completed. Your files are:
\nreq: \/etc\/openvpn\/easy-rsa\/pki\/reqs\/picinin3.req
\nkey: \/etc\/openvpn\/easy-rsa\/pki\/private\/picinin3.key<\/p>\n

You are about to sign the following certificate.
\nPlease check over the details shown below for accuracy. Note that this request
\nhas not been cryptographically verified. Please be sure it came from a trusted
\nsource or that you have verified the request checksum with the sender.<\/p>\n

Request subject, to be signed as a client certificate for 825 days:<\/p>\n

subject=
\ncommonName \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0= picinin3<\/p>\n

Type the word ‘yes’ to continue, or any other input to abort.
\nConfirm request details: yes
\nUsing configuration from \/etc\/openvpn\/easy-rsa\/pki\/a19c4363\/temp.5b4d6217
\nEnter pass phrase for \/etc\/openvpn\/easy-rsa\/pki\/private\/ca.key:
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncommonName \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0:ASN.1 12:’picinin3′
\nCertificate is to be certified until Mar 25 10:52:54 2026 GMT (825 days)<\/p>\n

Write out database with 1 new entries
\nDatabase updated<\/p>\n

* Notice:
\nCertificate created at: \/etc\/openvpn\/easy-rsa\/pki\/issued\/picinin3.crt
\ncreazione certificati e chiavi per il client picinin3 (il mio portatile da combattimento) e a seguire stessa procedura per tutti client che si rendessero necessari.<\/p>\n

Per il formato del file dei client un po per comodit\u00e0 un po per voglia di provare anche su macchine linux ho scelto l’unified format<\/a>.
\nUnica differenza per le macchine Linux l’estensione deve essee .conf e non .ovpn<\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Dopo 3 anni dall’ultima volta mi sono trovato a dover configurare un altra VPN da affiancare a quella aziendale per poter accedere al mio PC da remoto e quindi da li con IDRAC che secondo me \u00e8 l’invenzione del secolo per chi fa il mio lavoro, poter riaccendere la LAN da casa durante un giorno […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,284,6],"tags":[285,78],"class_list":["post-2491","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-openvpn","category-work","tag-daedalus","tag-openvpn"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2491","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2491"}],"version-history":[{"count":5,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2491\/revisions"}],"predecessor-version":[{"id":2528,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/2491\/revisions\/2528"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2491"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}