Problem in OpenVPN Basic instructions (and workaround)

The following two instructions in section "2. PKI" failed for me every time.

Generate a keypair and sign locally for vpnserver

easyrsa --batch build-server-full vpnserver nopass

Generate a keypair and sign locally for vpnclient

easyrsa --batch build-client-full vpnclient nopass

With the errors:

Easy-RSA error:

Unknown cert type 'server'

and

Easy-RSA error:

Unknown cert type 'client'

An April 8, 2016 comment on this page, by user RobertLarsen, says he found a solution: "The x509-types directory needed to be located in the same directory as the 'easyrsa' script."

I found that I could only successfully run those two commands after changing directories into /etc/easy-rsa/x509-types, making a symbolic link to the easyrsa script from that directory, and then running the linked copy (that was thus in the same directory as the x509-types files 'server' and 'client').

So these steps were required before invoking 'easyrsa':

# cd /etc/easy-rsa/x509-types
# ln -s /usr/sbin/easyrsa .

And then I'd run the easyrsa script from within that directory, like so:

./easyrsa --batch build-client-full vpnclient nopass

etc.

After that, the rest of the OpenVPN basic instructions worked well. One unrelated addition to the documentation might be a note for those who are not using ddns or have a static IP that they can skip the whole "# Fetch FQDN from DDNS client" section and just set the variable directly, e.g.:

VPN_SERV="domain_name.com"

Regression:
OpenWrt 18.06.1 insomnia r7258-5eb055306f
Linksys WRT3200ACM

# opkg list-installed | grep easy
openvpn-easy-rsa - 3.0.1-1
opkg update
opkg upgrade openvpn-easy-rsa

ubus call system board
opkg list-installed openvpn-easy-rsa
root@Quadramous:~# opkg update
Downloading http://cdn.corifeus.com/openwrt/18.06.1/targets/mvebu/cortexa9/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading http://cdn.corifeus.com/openwrt/18.06.1/targets/mvebu/cortexa9/packages/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/base/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/luci/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/node/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_node
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/node/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/packages/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/redis/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_redis
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/redis/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/routing/Packages.sig
Signature check passed.
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading http://cdn.corifeus.com/openwrt/18.06.1/packages/arm_cortex-a9_vfpv3/telephony/Packages.sig
Signature check passed.
root@Quadramous:~# opkg upgrade openvpn-easy-rsa
root@Quadramous:~# ubus call system board
{
"kernel": "4.14.63",
"hostname": "Quadramous",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "armada-385-linksys-rango",
"release": {
"distribution": "OpenWrt",
"version": "18.06.1",
"revision": "r7258-5eb055306f",
"target": "mvebu\/cortexa9",
"description": "OpenWrt 18.06.1 insomnia"
}
}
root@Quadramous:~# opkg list-installed openvpn-easy-rsa
openvpn-easy-rsa - 3.0.1-1
root@Quadramous:~#

EasyRSA in the official OpenWrt repository has a higher version and looks like it is not affected by the issue.

Ah, glad to hear it. I think I ended up in an unofficial repository because my router's particular hardware is so problematic and worked best with a custom build.

So it sounds like the OpenVPN Basic Instructions are fine as-is, and with any luck anyone who needs to run openvpn-easy-rsa 3.0.1-1 will find the workaround in this post helpful.
