Mistake in documentation OpenVPN server

Hello all! In the documentation it is written:

set interfaces openvpn vtun10 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun10 tls cert-file /config/auth/openvpn/server.crt
set interfaces openvpn vtun10 tls key-file /config/auth/openvpn/server.key
set interfaces openvpn vtun10 tls crl-file /config/auth/openvpn/crl.pem
set interfaces openvpn vtun10 tls dh-file /config/auth/openvpn/dh2048.pem

But:

set interfaces openvpn vtun80 tls
Possible completions:
   auth-key     TLS shared secret key for tls-auth
   ca-certificate
                Certificate Authority in PKI configuration
   certificate  Certificate in PKI configuration
   crypt-key    Static key to use to authenticate control channel
   dh-params    Diffie Hellman parameters (server only)
   role         TLS negotiation role
   tls-version-min
                Specify the minimum required TLS versione here

Hi,

Yes, the documentation needs to be updated with regards to certificate handling. I had the exact same issue as you did. The way to solve it is to create (or import) a CA, cert, DH etc. via

set pki ...

For instance, if you create a certificate called mycert you can do it like this:
set pki certificate mycert certificate '....'

then you can use it like:

set interfaces openvpn vtun80 tls certificate mycert

There is also a helper you can run in command mode to create ca, cert etc.:

generate pki certificate install mycert

Running that command will ask you for some input and will then generate a certificate shown on the console, accompanied by the needed CLI command to configure it, i.e. set pki …

It all works well and is more robust than copying and specifying files but it does need a documentation update.

Best regards,
/David

Thanks for the reply, could you show your configuration?
(show pki)
I can't understand how to configure it. (crt, DH, key files)

Well… I don't think it will help that much as the tricky part is the actual certificates. But my config looks like this:

vyos@vyos# run show configuration commands | grep pki
set pki ca CompanyCA certificate 'BIG BLOCK OF CHARACTERS REPRESENTING THE CA CERTIFICATE'
set pki ca CompanyCA private key 'BIG BLOCK OF CHARACTERS REPRESENTING THE CA CERTIFICATE KEY'
set pki certificate CompanyServer certificate 'BIG BLOCK OF CHARACTERS REPRESENTING THE CERTIFICATE'
set pki certificate CompanyServer private key 'BIG BLOCK OF CHARACTERS REPRESENTING THE CERTIFICATE KEY'
set pki dh DH parameters 'BIG BLOCK OF CHARACTERS REPRESENTING THE DH PARAMETERS'

In addition to that you will also need client certificates signed by your CA.

But the real trick to get it to work is to use the “generate pki …” commands!
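For readers who already have a CA, server certificate, key and DH parameters as PEM files (for example made with openssl on a separate machine) and want the "import" path David mentions rather than the "generate pki" helper, here is an added example script. It is not VyOS code and not part of this thread. It assumes, as the "BIG BLOCK OF CHARACTERS" in David's config and the output of `generate pki ... install` suggest, that VyOS stores each PKI object inline as the base64 body of the PEM block with the BEGIN/END lines and line breaks removed; the function names, the sample PEM strings and the DER sanity check are my own. The sample bodies are constructed placeholders, not real certificates or keys.

```python
"""Convert PEM files into VyOS 'set pki ...' commands (hypothetical helper, not VyOS code).

Assumption: VyOS keeps each PKI object in the config as the base64 body of the PEM block,
with the -----BEGIN/END----- lines and all newlines stripped. Before emitting a command the
script checks that the body is valid base64 and decodes to a DER SEQUENCE (first byte 0x30),
which catches copy/paste damage before it reaches the router.
"""
import base64
import re

# One PEM block: label in the BEGIN line must be repeated in the END line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_body(pem: str, expected_suffix: str) -> str:
    """Return the whitespace-free base64 body of the first PEM block whose label
    ends with expected_suffix ("CERTIFICATE", "PRIVATE KEY", "DH PARAMETERS")."""
    for m in PEM_RE.finditer(pem):
        label = m.group("label")
        if not label.endswith(expected_suffix):
            continue
        if label.startswith("ENCRYPTED"):
            # A passphrase-protected key would not be usable as-is on the router.
            raise ValueError(f"{label}: encrypted keys are not handled by this helper")
        body = re.sub(r"\s+", "", m.group("body"))
        der = base64.b64decode(body, validate=True)  # raises binascii.Error on bad base64
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        return body
    raise ValueError(f"no PEM block with a label ending in {expected_suffix!r}")


def vyos_pki_commands(ca_name, ca_cert, cert_name, cert, key,
                      dh_name=None, dh=None, ca_key=None):
    """Build the 'set pki ...' lines in the same shape as the forum config above."""
    cmds = [f"set pki ca {ca_name} certificate '{pem_body(ca_cert, 'CERTIFICATE')}'"]
    if ca_key is not None:
        # The CA private key is only needed if this router will sign certificates itself;
        # otherwise leave it off the box so a compromised router cannot mint new client certs.
        cmds.append(f"set pki ca {ca_name} private key '{pem_body(ca_key, 'PRIVATE KEY')}'")
    cmds.append(f"set pki certificate {cert_name} certificate '{pem_body(cert, 'CERTIFICATE')}'")
    cmds.append(f"set pki certificate {cert_name} private key '{pem_body(key, 'PRIVATE KEY')}'")
    if dh is not None:
        cmds.append(f"set pki dh {dh_name} parameters '{pem_body(dh, 'DH PARAMETERS')}'")
    return cmds


# Constructed sample material: these bodies are NOT real certificates or keys, only the
# 5-byte DER SEQUENCE 30 03 02 01 01 ("MAMCAQE=") so the checks have something to pass.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
SAMPLE_DH = "-----BEGIN DH PARAMETERS-----\nMAMCAQE=\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    for line in vyos_pki_commands("CompanyCA", SAMPLE_CA, "CompanyServer",
                                  SAMPLE_CERT, SAMPLE_KEY, dh_name="DH", dh=SAMPLE_DH):
        print(line)
```

With real files you would read them with `open(...).read()` and paste the printed lines into configure mode, then reference the names with `set interfaces openvpn vtun80 tls ca-certificate CompanyCA`, `... tls certificate CompanyServer` and `... tls dh-params DH`. Note the helper deliberately makes the CA private key optional: the server only needs the CA certificate to verify clients.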