Contradicting OpenVPN Guides

I've followed this guide to the letter, but it leaves me unable to route traffic.

The newer guide posted here omits the various warnings (e.g. not using port 1194), but I am unsure if it would result in a usable configuration.

Is it possible to use a Linux VM instead and upload the generated certificates, ca, etc?

Using the configuration generated by the older guide results in newer versions of OpenVPN complaining that the cipher used is too weak and to regenerate the certificates.

Does the version of easyrsa included with OpenWRT nightlies still suffer from this bug (producing insecure certificates)?

I'm using head revision r11266.

Which frontend is better for Mac users: MacGPG or GnuPG?

The first guide is on the Web Archive, so it doesn't surprise me that it's outdated. The second is on the current wiki.

With security, at some point, you should take the time to understand why decisions are made and make ones that match your own needs. As an example, use of a non-standard port is "security through obscurity", which many believe adds no additional security, mainly just complexity.

macOS includes OpenSSL tooling. GPG is probably available through "brew" (Homebrew) or the other package managers. It is not needed to set up OpenVPN.


Sidenote: sometimes this is not really avoidable. If, say, you want to reach multiple internal hosts via SSH from the WAN side, using port 22 for all of them is going to be "interesting"*, but in general I agree with @jeff: changing ports will at best rid you of the very low-key attack attempts only (those that restrict themselves to canonical port numbers).

*) interesting, not necessarily feasible.

And now I get an error message when running init-pki:

rm: can't remove '/etc/easy-rsa/pki': I/O error

Easy-RSA error:

Removal of PKI dir failed. Check/correct errors above

When I try to manually remove the directory I get

rmdir: '/etc/easy-rsa/pki': I/O error

I think there might be filesystem corruption. If so, how does one fix it when fsck isn't in a package?

Check the file permissions with ls -l and, if needed, chmod +w.

Make sure you still have at least 192 kB free on your overlay.

If not, some prayer and a reflash is in order.

On the sidenote: I now use the jump-host feature of OpenSSH to access multiple hosts. Configuring it in ssh_config (as I recall) makes it transparent on the remote's command line.

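The checks suggested above (writable directory, enough free space on the overlay, and whether the filesystem itself is throwing I/O errors) can be scripted as a pre-flight before re-running init-pki. This is an added example, not code from the thread or from easy-rsa; the /etc/easy-rsa/pki path and the 192 kB threshold are assumptions taken from the discussion, and it works with both BusyBox and GNU df.

```shell
#!/bin/sh
# Added example (not from the thread or easy-rsa): pre-flight check before
# `easyrsa init-pki` on OpenWrt. The PKI directory's parent must be writable,
# the overlay must have headroom, and a create/delete round-trip must succeed;
# an I/O error shows up here instead of inside easy-rsa. Paths and the
# 192 kB threshold are assumptions.

# Print the free space (kB) of the filesystem holding $1. The last line's
# third-from-last field is "Available" even when a long device name makes
# df wrap its output onto two lines.
free_kb() {
    df -k "$1" | awk 'END { print $(NF-2) }'
}

# Return 0 if a file can be created and removed in directory $1, else 1.
rw_roundtrip() {
    probe="$1/.easyrsa-probe.$$"
    : > "$probe" 2>/dev/null || return 1
    rm -f "$probe" 2>/dev/null || return 1
    [ ! -e "$probe" ]
}

# pki_preflight DIR MIN_KB -> 0 when DIR's parent exists, is writable, has at
# least MIN_KB free and survives a write/delete round-trip; otherwise prints
# the reason and returns 1.
pki_preflight() {
    dir="$1"; min_kb="$2"
    parent=$(dirname "$dir")
    [ -d "$parent" ] || { echo "no such directory: $parent"; return 1; }
    [ -w "$parent" ] || { echo "$parent is not writable (try: chmod u+w $parent)"; return 1; }
    free=$(free_kb "$parent")
    [ "$free" -ge "$min_kb" ] 2>/dev/null || {
        echo "only ${free} kB free on $(df -k "$parent" | awk 'END { print $NF }'), need $min_kb kB"
        return 1
    }
    rw_roundtrip "$parent" || {
        echo "write/delete round-trip failed in $parent: suspect filesystem corruption"
        return 1
    }
    return 0
}

# Usage on the router (assumed OpenWrt paths): only run init-pki once the checks pass.
#   if pki_preflight /etc/easy-rsa/pki 192; then easyrsa init-pki; fi
```

If the round-trip fails with an I/O error even though the directory is writable and there is free space, the problem is below easy-rsa, which is the case where the "reflash" advice above applies.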
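As an added example of the jump-host approach mentioned in this reply and the earlier sidenote about reaching several internal hosts over SSH, the script below generates an OpenSSH client config that routes each LAN host through one jump host with ProxyJump, so only the jump host's port 22 has to be reachable from the WAN. This is not code from the thread; the aliases, addresses, user name and key path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an OpenSSH client config where
# several LAN hosts are reached through one jump host via ProxyJump.
# Hostnames, addresses, the user name and key path are assumptions.

# write_jump_config OUT JUMP_ALIAS JUMP_ADDR [ALIAS ADDR]...
# Writes a Host block for the jump host, then one per internal host that
# tunnels through it. Returns 1 if the ALIAS/ADDR list is not in pairs.
write_jump_config() {
    out="$1"; jump="$2"; jump_addr="$3"; shift 3
    [ $(( $# % 2 )) -eq 0 ] || return 1
    {
        printf 'Host %s\n' "$jump"
        printf '    HostName %s\n    User admin\n    Port 22\n' "$jump_addr"
        printf '    IdentityFile ~/.ssh/id_ed25519\n\n'
        while [ $# -gt 0 ]; do
            printf 'Host %s\n' "$1"
            printf '    HostName %s\n    User admin\n    ProxyJump %s\n\n' "$2" "$jump"
            shift 2
        done
    } > "$out"
}

# count_jump_hosts FILE -> number of Host blocks that hop through a jump host.
count_jump_hosts() {
    grep -c '^    ProxyJump ' "$1"
}

# jump_for FILE ALIAS -> the ProxyJump target configured for ALIAS (empty if none).
jump_for() {
    awk -v h="$2" '
        $1 == "Host" { cur = $2 }
        $1 == "ProxyJump" && cur == h { print $2; exit }
    ' "$1"
}

# Demo: generate the config, show it, and let ssh confirm how it resolves.
cfg=$(mktemp)
write_jump_config "$cfg" jump 203.0.113.10 lan-web 10.0.0.11 lan-db 10.0.0.12 lan-nas 10.0.0.13
cat "$cfg"
# With this file as ~/.ssh/config, `ssh lan-db` hops via "jump" transparently.
if command -v ssh >/dev/null 2>&1; then
    ssh -G -F "$cfg" lan-db 2>/dev/null | grep -i '^proxyjump' || true
fi
rm -f "$cfg"
```

Once the generated blocks are in ~/.ssh/config, a plain `ssh lan-db` goes WAN -> jump -> 10.0.0.12 without any port forwards for the internal hosts, and the only service exposed on the router is the jump host's SSH; `ssh -G -F FILE HOST` is a handy offline way to confirm which ProxyJump a given alias resolves to.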

Thanks for the pointer, will have a look at that.
