OpenVPN / PiVPN suddenly broken

[AdvancedFollower]

It was working fine a couple of days ago, but suddenly it stopped working.

First, I started getting this error on the clients:

Code: Select all

 Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

I hadn't changed anything on the client or DietPi, the error appeared out of the blue.

So I uninstalled OpenVPN and PiVPN and tried to re-install them using dietpi-software.
The first sign that something was wrong was an error message during the install:

Code: Select all

Can't open /etc/openvpn/easy-rsa/keys/index.txt.attr for reading, No such file or directory
1995810208:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/openvpn/easy-rsa/keys/index.txt.attr','r')
1995810208:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:

However the install proceeded after this error.

After the reboot, trying to run pivpn -a I get:

Code: Select all

cat: /etc/pivpn/INSTALL_USER: No such file or directory
Enter a Name for the Client:

Then it tries to copy the ovpn file to "/home//ovpns".
I created the INSTALL_USER file and wrote my username inside it, this stopped that first error message and it copies the file to /home/<myusername>/ovpns instead.

Now it fails at:

Code: Select all

Write out database with 1 new entries
Data Base Updated
spawn openssl rsa -in pki/private/grew.key -aes128 -out pki/private/grew.key
Enter pass phrase for pki/private/grew.key:
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Client's cert found: grew.crt
Client's Private Key found: grew.key
CA public Key found: ca.crt
tls-auth Private Key found: ta.key
cat: Default.txt: No such file or directory


========================================================
Done! grew.ovpn successfully created!

I do get the .ovpn file now, but it doesn't contain any OpenVPN settings, just the certificates/keys. Not what I would call "successfully" created.

[WarHawk]

hmmm...do you have any of those directories listed in the error log?

Are the permissions also set correctly?

[AdvancedFollower]

hmmm...do you have any of those directories listed in the error log?

Are the permissions also set correctly?

I didn't have an INSTALL_USER file, but it stopped complaining about that after I manually created it. It seems the script reads the username from this file, so if it's missing it tries to copy the ovpn file to /home//ovpns.

I seem to have a Default.txt file under /etc/.pivpn/ (not /etc/pivpn).

Edit:
Also, I don't know whether this applies to DietPi: https://www.sitepoint.com/setting-up-a- ... pberry-pi/

However I never get to the step about choosing Public IP or DNS. Once the keys are generated, it says the installation is complete and reboots. That might explain why certain configuration files are missing?

Edit: Seems to be related to this issue: https://github.com/pivpn/pivpn/issues/566

I guess I'll go back to an older SD card image I backed up and then try to solve the actual certificate error I was getting without trying to re-install PiVPN. It seems the PiVPN install script is currently broken.

[kingswindsor]

I've had the same problem but found the solution. This got me going in the right direction:
https://forums.openvpn.net/viewtopic.php?t=26308

The easyrsa folder on DietPi is at /etc/openvpn/easy-rsa/easyrsa
So the command to run is
/etc/openvpn/easy-rsa/easyrsa gen-crl

It will tell you where it has saved the new crl.pem file.
Copy the new crl.pem to the folder where the old one is
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

It didn't work at that point because the owner and group were not root:root for some reason. So I fixed it by running
cd /etc/openvpn
chown root:root crl.pem

Hope that works for others.

[AdvancedFollower]

For me, I fixed it by manually downloading the PiVPN script to the Pi and running it from the console. Not exactly sure what changes when doing that, but this put all the files in the right directories and took me through all the required steps instead of bombing out int the middle of the PiVPN script.

[kingswindsor]

@AdvancedFollower
When you run the PiVPN script again, do you have to create/distribute new keys or have you a way to re-use the existing keys which are already in place?