DaemonForums  

13th August 2016, todd_carp

OpenVPN & Libre & easyrsa

Hi All,

So I'm trying to get OpenVPN working on OpenBSD 5.9, and so far it's been nothing but a nightmare with libre and easyrsa.

The install guide I am using is http://www.openbsdsupport.org/openvp...MissingOpenSSL

The fix was here: https://forums.openvpn.net/viewtopic.php?t=17800

For the sake of testing I installed EasyRsa-v3.0.0-rc2

OpenSSL> version
LibreSSL 2.3.2

My install process is:

pkg_add openvpn

install -m 700 -d /etc/openvpn/private
install -m 700 -d /etc/openvpn/private-client-conf
install -m 755 -d /etc/openvpn/certs
install -m 755 -d /var/log/openvpn
install -m 755 -d /var/openvpn/chrootjail/etc/openvpn
install -m 755 -d /etc/openvpn/chrootjail/etc/openvpn/ccd # client custom configuration dir
install -m 755 -d /var/openvpn/chrootjail/var/openvpn
install -m 755 -d /var/openvpn/chrootjail/tmp
mv /etc/openvpn/ccd/ /etc/openvpn/crl.pem /var/openvpn/chrootjail/etc/openvpn/
ln -s /var/openvpn/chrootjail/etc/openvpn/crl.pem /etc/openvpn/crl.pem
ln -s /var/openvpn/chrootjail/etc/openvpn/ccd/ /etc/openvpn/
ln -s /var/openvpn/chrootjail/etc/openvpn/replay-persist-file /etc/openvpn/replay-persist-file

Everything except that move works.

tar czvf /ins/easyrsa.old.tgz /etc/openvpn/easy-rsa/3/
cd /etc/openvpn/easy-rsa/3/
tar tzvf /root/EasyRSA-3.0.0-rc2.tgz
tar tzvsf +EasyRSA[^/]*/++gp /root/EasyRSA-3/EasyRSA-3.0.0-rc2.tgz '*/easyrsa' '*/openssl*.cnf' '*/vars.example' '*/x509-types'
tar xzvsf +EasyRSA[^/]*/++gp /3/EasyRSA-3.0.0-rc2.tgz '*/easyrsa' '*/openssl*.cnf' '*/vars.example' '*/x509-types'

install -m 700 -d /etc/openvpn/private
install -m 700 -d /etc/openvpn/private-client-conf
install -m 755 -d /etc/openvpn/certs
install -m 755 -d /var/log/openvpn
install -m 755 -d /var/openvpn/chrootjail/etc/openvpn
install -m 755 -d /etc/openvpn/chrootjail/etc/openvpn/ccd # client custom configuration dir
install -m 755 -d /var/openvpn/chrootjail/var/openvpn
install -m 755 -d /var/openvpn/chrootjail/tmp
mv /etc/openvpn/ccd/ /etc/openvpn/crl.pem /var/openvpn/chrootjail/etc/openvpn/
ln -s /var/openvpn/chrootjail/etc/openvpn/crl.pem /etc/openvpn/crl.pem
ln -s /var/openvpn/chrootjail/etc/openvpn/ccd/ /etc/openvpn/
ln -s /var/openvpn/chrootjail/etc/openvpn/replay-persist-file /etc/openvpn/replay-persist-file

install -m 700 -d /etc/openvpn/easy-rsa /etc/openvpn/easy-rsa/3
cd /etc/openvpn/easy-rsa/3/
ls -alpd easyrsa vars*
less vars.example

tar czvf /ins/easyrsa.old.tgz /etc/openvpn/easy-rsa/3/
cd /etc/openvpn/easy-rsa/3/
tar tzvf /ins/EasyRSA-3.0.0-rc2.tgz
tar tzvsf +EasyRSA[^/]*/++gp /ins/EasyRSA-3.0.0-rc2.tgz '*/easyrsa' '*/openssl*.cnf' '*/vars.example' '*/x509-types'
tar xzvsf +EasyRSA[^/]*/++gp /ins/EasyRSA-3.0.0-rc2.tgz '*/easyrsa' '*/openssl*.cnf' '*/vars.example' '*/x509-types'

Then I get to this part:

Optional - fixing error "Missing or invalid OpenSSL"

If you get an error with easyrsa like Missing or invalid OpenSSL or Expected to find openssl command at: openssl then search forward in this document for Appendix A - fixing error Missing or invalid OpenSSL

That was needed in November 2014 with OpenBSD 5.6 and EasyRSA-3.0.0-rc2.

Appendix A - fixing error Missing or invalid OpenSSL
If you get an error with easyrsa like:

Easy-RSA error:

Missing or invalid OpenSSL
Expected to find openssl command at: openssl
Check the openssl version

openssl version
LibreSSL 2.0
If the version does not start with OpenSSL, then it might not be recognized by the easyrsa script and then needs correction. That was the case for OpenBSD version 5.6 and EasyRSA-3.0.0-rc2.
The fix is quite simple (but verify that all further executions of easyrsa are working correctly).

I mod the file as noted. I don't get any errors, but the diff command returns no changes?!

cp -p easyrsa easyrsa.old
## cat easyrsa.old | perl -pe 's/(\[ "\$\{val.. \*\}" = ")OpenSSL(" ] \|\| die)/$1LibreSSL$2/' > easyrsa
cat easyrsa.old | perl -pe 's/(\[)( "\$\{val.. \*\}" = ")(OpenSSL)(")( ] \|\| die)/$1$2$3$4 -o $2LibreSSL$4$5/' > easyrsa;
diff easyrsa easyrsa.old
291c291
< [ "${val%% *}" = "LibreSSL" ] || die "\
---
[ "${val%% *}" = "OpenSSL" -o "${val%% *}" = "LibreSSL" ] || die "\
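Review bot: the replacement test on the last line joins two string comparisons with `-o` inside a single `[ ]`, a form POSIX marks as obsolescent; two separate `[ ]` tests joined with `||`, or a `case` on `${val%% *}`, would express the same check more robustly. The `<` line also reads "LibreSSL" alone, which is what the commented-out substitution would produce rather than the active one, so this sample output does not correspond to the command shown above it.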


ls -alp /etc/openvpn/private/vpn-ta.key || openvpn --genkey --secret /etc/openvpn/private/vpn-ta.key

I can generate the private key


it shows up here...

/etc/openvpn/private/vpn-ta.key

I get right up to here

./easyrsa --batch=0 init-pki # creates empty dirs pki/ pki/private/ pki/reqs/ . batch=1 - overwrite/delete without asking

And it dies horrifically. The diff command does not report any changes.

ki/private/ pki/reqs/ . batch=1 - overwrite/delete without asking <
560871696:error:0E065068:configuration file routines:STR_COPY:variable has no value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_def.c:573:line 3

Easy-RSA error:

Missing or invalid OpenSSL
Expected to find openssl command at: openssl


-----------------------

I've never set up openvpn but just wondering:

Do I need this easy rsa? Can this stuff be generated with libre itself? If so, what would I need? Should I do all this stuff on a Linux box with OpenSSL?

Any help would be awesome. Thanks.
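A check for the situation described in the post, where the substitution runs without error but diff reports no change. This is an added example, not code from the guide or from Easy-RSA; the function names and the sample script lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide or Easy-RSA); helper names are hypothetical.

# First word of an `openssl version` line, e.g. "LibreSSL" from "LibreSSL 2.3.2".
ssl_flavor() {
    printf '%s\n' "${1%% *}"
}

# Accept either library name; an empty string (the command failed) is rejected.
ssl_flavor_ok() {
    case "$(ssl_flavor "$1")" in
        OpenSSL|LibreSSL) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the version test inside a copy of the easyrsa script ($1 = path).
#   patched   - the test already compares against "LibreSSL"
#   unpatched - the test compares only against "OpenSSL"
#   no-match  - neither form is present, so the perl substitution has
#               nothing to rewrite and diff will show no changes
# The patterns are fixed strings (-F); the single quotes keep ${val%% *} literal.
patch_state() {
    if grep -qF '"${val%% *}" = "LibreSSL"' "$1"; then
        echo patched
    elif grep -qF '"${val%% *}" = "OpenSSL"' "$1"; then
        echo unpatched
    else
        echo no-match
    fi
}

# Constructed sample files standing in for three copies of the script.
demo_dir=$(mktemp -d)
printf '%s\n' '[ "${val%% *}" = "OpenSSL" ] || die "\' > "$demo_dir/old"
printf '%s\n' '[ "${val%% *}" = "OpenSSL" -o "${val%% *}" = "LibreSSL" ] || die "\' > "$demo_dir/new"
printf '%s\n' 'case "$val" in OpenSSL*) ;; *) die "bad" ;; esac' > "$demo_dir/other"

for f in old new other; do
    printf '%-6s %s\n' "$f" "$(patch_state "$demo_dir/$f")"
done
ssl_flavor_ok "LibreSSL 2.3.2" && echo "LibreSSL 2.3.2 accepted"
```

Running `patch_state` on both `easyrsa.old` and `easyrsa` before trusting the diff shows whether the script's check line has the form the substitution expects.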