configuring OpenVPN on 9.1

I've installed OpenVPN with pkg_add -r openvpn. I created /usr/local/etc/openvpn. I copied /usr/local/share/doc/openvpn/easy-rsa. I changed to 2.0. When building the server certificate, problems exist. This is the error message:
Code:
Using configuration from /usr/local/etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
unable to load number from /usr/local/etc/openvpn/easy-rsa/2.0/keys/serial
error while loading serial number
7241:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:/usr/src/
secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/f_int.c:215:
Strange thing is, OpenSSL 1.x is installed, but openssl-0.9.8.cnf is used. index.txt and serial are created by using touch.

I have several OpenVPN versions installed and configured on other Linux/Windows servers, but FreeBSD gives me the first problems I can't solve.

Please help.
 
I've had no issues building my keys on 9.1-RELEASE before. Here are my abbreviated notes from my current setup. Just curious, what are you getting from /usr/local/share/doc/openvpn/easy-rsa? That doesn't exist on my install or in the current pkg-plist files for either security/openvpn or security/easy-rsa. What version got installed from pkg_add -r openvpn? The default OpenSSL is 0.9.8 per the release notes at http://www.freebsd.org/releases/9.1R/relnotes.html or the openssl() man page so that looks about right.

Code:
portmaster security/openvpn
cp -Rv /usr/local/share/easy-rsa/ /usr/local/etc/openvpn-ca
cd /usr/local/etc/openvpn-ca

# Setup vars as needed
vi vars
bash
. ./vars
./clean-all
./build-dh
./build-ca
./build-key-server server.domain.name
./build-key client.domain.name
/usr/local/sbin/openvpn --genkey --secret keys/ta.key
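
The "short line" error in the first post is what openssl reports when keys/serial is empty, which is what touch creates. As an added example, not part of any post in this thread, the following check validates the two CA state files before signing; the function names and return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check the two state files
# that openssl reads from an easy-rsa 2.0 keys directory before signing.

# check_serial FILE: 0 ok, 1 missing, 2 empty, 3 non-hex, 4 odd digit count
check_serial() {
    serial_file=$1
    [ -f "$serial_file" ] || { echo "serial: missing"; return 1; }
    # Only the first line matters; strip a CR left by Windows editors.
    line=$(head -n 1 "$serial_file" | tr -d '\r')
    if [ -z "$line" ]; then
        # A file made with touch is empty: nothing for openssl to parse.
        echo "serial: empty"; return 2
    fi
    case $line in
        *[!0-9A-Fa-f]*) echo "serial: non-hex characters"; return 3 ;;
    esac
    if [ $(( ${#line} % 2 )) -ne 0 ]; then
        echo "serial: odd number of hex digits"; return 4
    fi
    echo "serial: ok (next serial $line)"
}

# check_ca_state KEYDIR: 0 when index.txt exists and serial is usable
check_ca_state() {
    key_dir=$1
    [ -f "$key_dir/index.txt" ] || { echo "index.txt: missing"; return 1; }
    check_serial "$key_dir/serial"
}

# Constructed demo: reproduce the touch-created state, then a seeded one.
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/index.txt" "$d/serial"
    check_ca_state "$d" || echo "exit=$?"
    echo 01 > "$d/serial"
    check_ca_state "$d" || echo "exit=$?"
    rm -rf "$d"
}

# Run the demo only when the script is called with the argument "demo".
if [ "${1:-}" = "demo" ]; then demo; fi
```

The ./clean-all step in the notes above seeds serial with 01, so a keys directory initialized that way passes this check.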
 
Okay. I've installed FreeBSD again, so I have a clean system. I installed OpenVPN 2.2 with pkg_add -r. /usr/local/share/easy-rsa/ doesn't exist, but I found the scripts and copied them to /usr/local/etc/openvpn using cp -R /usr/local/share/doc/openvpn/ /usr/local/etc/openvpn/. The configuration files are not executable, so I have to give them permissions (+x). I changed the vars file and built the keys without problems.

Maybe I've installed openssl_1.0.0 as an upgrade. I don't know what I have done. First I built OpenVPN from source, but that gave a mess. A clean system gave me the right choices.

Thanks for your help.

But why is FreeBSD still using OpenSSL 0.98?
 
The current version of security/openvpn in ports is at 2.3.2 according to FreshPorts, and that is what I have installed. The layout must have changed a bit, probably to include +x permissions. OpenSSL 0.9.8 is in base, so it won't change unless there is a security issue. The latest 9.2-RCs probably have a newer version.
 
The base OpenSSL should already be patched, regardless of version.
 