OpenVPN Config on 1.4

Hi All,

Using 1.2, the OpenVPN command "set interfaces openvpn vtun0 tls key-file '/config/auth/server.key'" was used to configure the private key file. Options under 1.3 are:
Possible completions:
  auth-key          TLS shared secret key for tls-auth
  ca-certificate    Certificate Authority in PKI configuration
  certificate       Certificate in PKI configuration
  crypt-key         Static key to use to authenticate control channel
  dh-params         Diffie Hellman parameters (server only)
  role              TLS negotiation role
  tls-version-min   Specify the minimum required TLS version

How do you set up the private key file in 1.3?

Hi @Woodster1975, hope this documentation will help you: Generate X.509 Certificate and Keys

These options are in 1.4
https://docs.vyos.io/en/latest/configuration/interfaces/openvpn.html

Yes apologies, version is 1.4. Could not see how to add the certificate private key file.

First, you need to generate them using the command "generate pki" on VyOS 1.4 and after that add them to the configuration. These steps are described in the following section: OpenVPN — VyOS 1.4.x (sagitta) documentation

Or you can add existing ones with "set pki".
But in the openvpn configuration there is no option for tls-auth. Probably you must use

openvpn-option "--tls-auth /path/to/keyfile 0"

Sorry, I'm blind, of course there is an option for tls-auth, it's "auth-key".

I will try that. I am testing an upgrade from a router running 1.2.7 with an existing OpenVPN server configuration.

Hello all! I hope everyone is well. I am trying to migrate from 1.2.7 to the new 1.4 rolling. I am having similar issues, but from what I understand from the documentation and my painful experience, @e.khudiyev, you are recommending that we need to follow the configuration of the "server side" from the documentation and then add the ca.crt file into the configuration in raw format in one line, correct? I got pretty far getting configured with the interface up, it just was failing authentication. Then I ran into some errors and deleted my configuration file to reset the server to start from scratch. Then I reached out to my senior engineer and he mentioned to me that we do not want to use the server as a new CA because we have the CA cert store on a separate server.
But I am guessing that in order to set up the below again we need to create the pki structure first and add these files in raw format to the pki? Or is what I am trying to do not possible? I wanted to set the below but it doesn't seem like I can from everything I have tried… I would really appreciate your help and hope to hear back from you soon.

set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '192.168.10.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'
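
The import discussed in this thread (adding an existing CA certificate, server certificate, private key and DH parameters with "set pki" as one-line values), as an added example that is not part of any post: a shell script that strips the PEM armor from the 1.2-style files and prints the matching VyOS 1.4 commands. The PKI object names (ovpn-ca, ovpn-server, ovpn-dh) are hypothetical, and the demo files are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: convert existing PEM files into VyOS 1.4 "set pki" commands.
# The PKI object names are hypothetical; override them via the environment.
: "${CA_NAME:=ovpn-ca}" "${CERT_NAME:=ovpn-server}" "${DH_NAME:=ovpn-dh}"

# pem_body FILE: print the base64 body of the first PEM block in FILE as one
# line. Text outside BEGIN/END (such as "openssl x509 -text" output) and CR
# characters are dropped. Fails for an encrypted key or a file with no block.
pem_body() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN / { if ($0 ~ /ENCRYPTED/) bad = 1; inblk = 1; next }
        /^-----END /   { if (inblk) { done = 1; exit } }
        inblk && /^Proc-Type:.*ENCRYPTED/ { bad = 1 }
        inblk && /^[A-Za-z0-9+\/=]+$/     { body = body $0 }
        END { if (bad || !done || body == "") exit 1; print body }
    ' "$1"
}

# emit_pki CA_CRT SERVER_CRT SERVER_KEY DH_PEM: print configure-mode commands.
# The output contains the private key, so handle it like the key file itself.
emit_pki() {
    ca=$(pem_body "$1") && crt=$(pem_body "$2") &&
        key=$(pem_body "$3") && dh=$(pem_body "$4") || return 1
    cat <<EOF
set pki ca $CA_NAME certificate '$ca'
set pki certificate $CERT_NAME certificate '$crt'
set pki certificate $CERT_NAME private key '$key'
set pki dh $DH_NAME parameters '$dh'
set interfaces openvpn vtun0 tls ca-certificate '$CA_NAME'
set interfaces openvpn vtun0 tls certificate '$CERT_NAME'
set interfaces openvpn vtun0 tls dh-params '$DH_NAME'
EOF
}

# demo: run emit_pki on constructed placeholder files (not real key material).
demo() (
    d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT && umask 077
    for f in ca.crt server.crt dh.pem; do
        printf '%s\n' '-----BEGIN X-----' QUJD REVG '-----END X-----' > "$d/$f"
    done
    printf '%s\r\n' 'Bag Attributes' '-----BEGIN PRIVATE KEY-----' R0hJ '-----END PRIVATE KEY-----' > "$d/server.key"
    emit_pki "$d/ca.crt" "$d/server.crt" "$d/server.key" "$d/dh.pem"
)

if [ "$#" -eq 4 ]; then emit_pki "$@"; else demo; fi
```

With four arguments (ca.crt, server.crt, server.key, dh.pem) it prints the commands for those files; with none it runs the constructed demo.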

Hello @Woodster1975, were you able to figure out how to upgrade from 1.2.7 to 1.4 or anything above?