
[Bug]: Add support for Ubuntu 22.04; Generated .ovpn file errors out

Open santosh opened this issue 2 years ago • 5 comments

Make sure you check these beforehand!

  • [X] Issues - https://github.com/angristan/openvpn-install/issues
  • [X] README and FAQ - https://github.com/angristan/openvpn-install
  • [X] Wiki - https://github.com/angristan/openvpn-install/wiki
  • [X] Discussions - https://github.com/angristan/openvpn-install/discussions

Server OS

Ubuntu 22.04

OpenVPN version

2.5.5

Client

Windows 10

What is the bug?

I am running the installation script on Ubuntu 22.04 with default settings. The setup finishes without any error. Even the client .ovpn file generation also finishes without error. But when I try to connect my client to my server, I see this:

image

I tried investigating myself and found this while generating client file:

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Easy-RSA error:

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run easyrsa without commands for usage and command help.

Client windows-client added.
cat: /etc/openvpn/easy-rsa/pki/ca.crt: No such file or directory
awk: fatal: cannot open file `/etc/openvpn/easy-rsa/pki/issued/windows-client.crt' for reading: No such file or directory
cat: /etc/openvpn/easy-rsa/pki/private/windows-client.key: No such file or directory

I know something is erroring out here. But I don't have much knowledge to proceed debugging.

The installation script used to work without any error on Ubuntu 20.04.

Relevant log output

...
   3) Remove OpenVPN
   4) Exit
Select an option [1-4]: 1

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: windows-client

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 11
Select an option [1-2]: 1

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/vars
Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Easy-RSA error:

Missing expected CA file: ca.crt (perhaps you need to run build-ca?)
Run easyrsa without commands for usage and command help.

Client windows-client added.
cat: /etc/openvpn/easy-rsa/pki/ca.crt: No such file or directory
awk: fatal: cannot open file `/etc/openvpn/easy-rsa/pki/issued/windows-client.crt' for reading: No such file or directory
cat: /etc/openvpn/easy-rsa/pki/private/windows-client.key: No such file or directory

The configuration file has been written to /home/ubuntu/windows-client.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

santosh avatar May 04 '22 15:05 santosh
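
The log above shows the script reporting success and writing windows-client.ovpn even though Easy-RSA produced no CA, certificate or key. As an added example (not part of the original issue or of openvpn-install), this check flags a profile whose inline blocks carry no PEM data; the helper name `ovpn_missing_blocks`, the inline `<ca>`/`<cert>`/`<key>` layout and the sample files are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not openvpn-install code. Assumes the profile embeds the
# PKI files in inline <ca>, <cert> and <key> blocks.

# ovpn_missing_blocks FILE (hypothetical helper)
# Prints the inline blocks that are absent or hold no PEM data.
# Returns 0 when ca, cert and key are all populated, 1 otherwise.
ovpn_missing_blocks() {
	local file="$1" missing="" tag n
	for tag in ca cert key; do
		# Count PEM armor lines between <tag> and </tag>.
		n=$(awk -v t="$tag" '
			$0 == ("<" t ">")  { inside = 1; next }
			$0 == ("</" t ">") { inside = 0 }
			inside && /^-----BEGIN [A-Z ]+-----$/ { c++ }
			END { print c + 0 }' "$file")
		[ "$n" -ge 1 ] || missing="$missing $tag"
	done
	missing="${missing# }"
	printf '%s\n' "$missing"
	[ -z "$missing" ]
}

# Constructed samples: "broken" mirrors the failed run in this issue (every
# cat/awk found no file), "good" carries placeholder PEM armor, not real keys.
demo_dir=$(mktemp -d)
printf '%s\n' client '<ca>' '</ca>' '<cert>' '</cert>' '<key>' '</key>' \
	>"$demo_dir/broken.ovpn"
printf '%s\n' client \
	'<ca>' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' '</ca>' \
	'<cert>' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' '</cert>' \
	'<key>' '-----BEGIN PRIVATE KEY-----' 'CCCC' '-----END PRIVATE KEY-----' '</key>' \
	>"$demo_dir/good.ovpn"

for f in "$demo_dir"/*.ovpn; do
	if m=$(ovpn_missing_blocks "$f"); then
		echo "OK      $f"
	else
		echo "BROKEN  $f (no PEM data in: $m)"
	fi
done
```

Run against a freshly generated profile, a non-zero return means the file should not be handed to a client.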

EasyRSA v308 does not support OpenSSL version 3.

TinCanTech avatar May 04 '22 16:05 TinCanTech

Any prediction on how long the wait will be?

Meanwhile is there any workaround except downgrading OpenSSL?

santosh avatar May 05 '22 05:05 santosh

Personally, I think using Ubuntu to test OpenSSL 3 was a bad decision.

I would roll back to Ubuntu 21.

TinCanTech avatar May 05 '22 10:05 TinCanTech

Seems like there has been a lot of progress on OpenVPN/easy-rsa, thanks to @TinCanTech.

Podesta avatar Jun 17 '22 09:06 Podesta

Using SSL: openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022

The reason for this initial problem is that Easy-RSA did not support OpenSSL version 3 until Easy-RSA version 3.1.x.

Easy-RSA version 3.1.x now supports OpenSSL version 3. However, I recommend waiting for Easy-RSA version 3.1.1, which is due out very soon.

TinCanTech avatar Jun 17 '22 10:06 TinCanTech

Easy-RSA 3.1.1 is available, tried to change the "local_version" variable in the script from 3.0.7 to 3.1.1 but still getting the same errors. What else needs to be changed? Thanks a lot, John.

JohnTar22 avatar Oct 18 '22 06:10 JohnTar22

I prepared a patch for this. Checked on a clean Ubuntu installation with the latest updates installed. Checked with AUTO_INSTALL=y flag.

705c705
< 		local version="3.0.7"
---
> 		local version="3.1.1"
728c728,729
< 		echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
---
> 		# EASYRSA_REQ_CN can only be used by commands build-ca and gen-req
> 		#echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars
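Review bot: the replaced line at 729 is kept as commented-out code (`#echo "set_var EASYRSA_REQ_CN $SERVER_CN" >>vars`); delete it and keep only the explanatory comment above it, so nobody re-enables a setting the comment says Easy-RSA no longer accepts from vars. The comment could also state that the CN is now passed on the build-ca command line.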
732c733
< 		./easyrsa --batch build-ca nopass
---
> 		./easyrsa --batch --req-cn=$SERVER_CN build-ca nopass
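Review bot: `$SERVER_CN` is unquoted in `--req-cn=$SERVER_CN` at line 733, while the neighbouring calls quote their variables (`"$SERVER_NAME"`, `"$CLIENT"`). Write `--req-cn="$SERVER_CN"` so the value is never word-split or glob-expanded by the shell.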
739c740
< 		./easyrsa build-server-full "$SERVER_NAME" nopass
---
> 		./easyrsa --batch build-server-full "$SERVER_NAME" nopass
894c895
< ncp-ciphers $CIPHER
---
> data-ciphers $CIPHER
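Review bot: the switch from `ncp-ciphers` to `data-ciphers` at line 895 is unconditional and is a separate concern from the Easy-RSA bump. `data-ciphers` was introduced in OpenVPN 2.5 and a 2.4 server does not recognise it, so either gate this line on the installed OpenVPN version or move it into its own change with that requirement stated.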
1086c1087
< 			./easyrsa build-client-full "$CLIENT" nopass
---
> 			./easyrsa --batch build-client-full "$CLIENT" nopass
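Review bot: the `build-client-full` call at line 1087 has no failure check, and `--batch` removes the interactive prompts that might otherwise stop the run. The log in this issue shows the script printing "Client windows-client added." and writing the .ovpn after Easy-RSA had already failed, so abort here when the command returns non-zero, for example `./easyrsa --batch build-client-full "$CLIENT" nopass || exit 1`.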
1090c1091
< 			./easyrsa build-client-full "$CLIENT"
---
> 			./easyrsa --batch build-client-full "$CLIENT"
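Review bot: line 1091 is the password-protected branch (no `nopass`) and it now runs with `--batch` as well. The patch description mentions a check with AUTO_INSTALL=y only, so please confirm this branch was exercised too, that the passphrase is still prompted for under `--batch`, and that the resulting client key is written encrypted.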

I'm not sure about the correctness of this solution, but it works for me.

zerodivisi0n avatar Oct 19 '22 06:10 zerodivisi0n

Sorry for the delay everyone, this is finally fixed in master.

angristan avatar Jan 21 '23 23:01 angristan

Thanks @zerodivisi0n for the patch 🙏

Thanks for the original patch @Abyss-W4tcher

angristan avatar Jan 21 '23 23:01 angristan