After my VPN stopped working due to changes in OpenSSL, I reinstalled it on a newer Raspberry Pi and tried to move my keys over. This didn't work, first due to the Diffie-Hellman only being 1024 bytes, then for some reason my client couldn't negotiate TLS, so rather than invest time getting the old keys working, I thought I'd just regenerate a new set – it's not a bad thing.
The setup for keys via easy-rsa has changed since I last set up my Pi, and a quick search didn't show up instructions for the new version, so I thought I would post this – for my own reference if nothing else.
- After installing openvpn and easy-rsa, copy the easy-rsa directory into your openvpn directory: cp -r /usr/share/easy-rsa /etc/openvpn
- Go to /etc/openvpn/easy-rsa and copy vars.example to vars: cp vars.example vars
- Edit vars and set appropriate settings. I used the default values for everything. I noticed the default key length was 2048, so I shouldn't hit the same issue with Diffie-Hellman again.
- I then ran:
  - ./easyrsa init-pki
  - ./easyrsa build-ca
  - ./easyrsa gen-dh (this took ages... run in screen next time!)
  - ./easyrsa build-server-full VPNSERVERNAME
  - ./easyrsa build-client-full CLIENTNAME
  - openvpn --genkey --secret ta.key
  - ./easyrsa gen-crl
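
A quick audit of what the commands above should leave behind, as an added example that is not part of the original post. The function name `audit_pki` is hypothetical; it assumes the default easy-rsa 3 `pki/` layout, that `ta.key` was generated inside the easy-rsa directory, and it takes 2048 bits (the default key length mentioned above) as the minimum Diffie-Hellman size.

```shell
#!/bin/sh
# Added example: audit an easy-rsa 3 PKI directory after the steps above.
# Usage: audit_pki /etc/openvpn/easy-rsa VPNSERVERNAME CLIENTNAME
# Prints one line per problem; returns 0 only when nothing was found.
audit_pki() {
    dir=$1 server=$2 client=$3 problems=0

    # Files the commands above should have produced (assumed default layout).
    for f in pki/ca.crt pki/dh.pem pki/crl.pem ta.key \
             "pki/issued/$server.crt" "pki/private/$server.key" \
             "pki/issued/$client.crt" "pki/private/$client.key"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $f"; problems=$((problems + 1))
        fi
    done

    # Secret material must not be readable by group or others.
    for f in pki/private/ca.key "pki/private/$server.key" \
             "pki/private/$client.key" ta.key; do
        [ -e "$dir/$f" ] || continue
        mode=$(ls -ld "$dir/$f" | cut -c5-10)   # group + other permission bits
        if [ "$mode" != "------" ]; then
            echo "loose permissions ($mode for group/other): $f"
            problems=$((problems + 1))
        fi
    done

    # Diffie-Hellman parameters: too small a size is what broke the old setup.
    if [ -s "$dir/pki/dh.pem" ]; then
        bits=$(openssl dhparam -in "$dir/pki/dh.pem" -noout -text 2>/dev/null |
               sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "pki/dh.pem: ${bits:-unreadable} bit DH parameters, want >= 2048"
            problems=$((problems + 1))
        fi
    fi
    [ "$problems" -eq 0 ]
}

# Run the audit when called with: <easy-rsa dir> <server name> <client name>
if [ "$#" -ge 3 ]; then audit_pki "$@"; fi
```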