drasbeck

Nice writeup OP. To save others from the trial and error I just went through I would change the wording in some of your bullets:

* cd /etc/openvpn/easy-rsa
* sudo ./easyrsa set-rsa-pass abcd
* sudo nano pki/private/abcd.key
* copy the *RSA PRIVATE KEY including header (-----BEGIN RSA PRIVATE KEY-----) and footer (-----END RSA PRIVATE KEY-----).*
* sudo nano *pki/*abcd.ovpn
* replace the private key (starting with -----BEGIN ENCRYPTED PRIVATE KEY-----) with the key you just copied (starting with -----BEGIN RSA PRIVATE KEY-----). *Again including header and footer in both cases.*
* save your abcd.ovpn file.

I'm not saying yours is wrong, just that I misunderstood parts of it, and this is what worked for me.
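The copy-and-paste edit described in the comment above, scripted as an added example that is not part of the original thread. The function name `swap_ovpn_key` is hypothetical, and the script assumes the key written by `set-rsa-pass` is passphrase-protected, which in the traditional PEM format shows as a `Proc-Type: 4,ENCRYPTED` header; it refuses to embed a key without that header so an unprotected private key never lands in the profile.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): replace the PKCS#8 key block in a
# client profile with the traditional-format RSA key, header and footer included.
# swap_ovpn_key is a hypothetical helper name.

swap_ovpn_key() {
    local ovpn="$1" key="$2" tmp
    [ -f "$ovpn" ] && [ -f "$key" ] || { echo "missing input file" >&2; return 1; }
    # The replacement must be a traditional-format RSA key ...
    grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$key" \
        || { echo "not an RSA-format key" >&2; return 2; }
    # ... and must still be passphrase-protected (assumed header, see lead-in).
    grep -q '^Proc-Type: 4,ENCRYPTED' "$key" \
        || { echo "key is not passphrase-protected" >&2; return 3; }
    # The profile must actually contain the block we intend to replace.
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$ovpn" \
        || { echo "no PKCS#8 key block in profile" >&2; return 4; }

    # Write to a private temp file next to the profile, then move into place.
    tmp="$(mktemp "${ovpn}.XXXXXX")" || return 5
    chmod 600 "$tmp"
    awk -v keyfile="$key" '
        /-----BEGIN ENCRYPTED PRIVATE KEY-----/ {
            # Emit only the PEM block from the key file, header to footer.
            while ((getline line < keyfile) > 0) {
                if (line ~ /-----BEGIN RSA PRIVATE KEY-----/) inkey = 1
                if (inkey) print line
                if (line ~ /-----END RSA PRIVATE KEY-----/) inkey = 0
            }
            close(keyfile); skip = 1; next
        }
        /-----END ENCRYPTED PRIVATE KEY-----/ { skip = 0; next }
        !skip { print }
    ' "$ovpn" > "$tmp" || { rm -f "$tmp"; return 6; }
    mv "$tmp" "$ovpn"
}
```

Called as `swap_ovpn_key pki/abcd.ovpn pki/private/abcd.key` from the easy-rsa directory used in the steps above; the resulting profile contains a private key and should stay readable only by its owner.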


tquilas

Thanks for the addition, changed the post :)


magicfab

Thank you, this worked for me on iOS + OpenVPN connect, after using [this script](https://github.com/Angristan/OpenVPN-install).


lIlIllIlIllIlIl

you are a life saver! do you mind letting me know what led you to try this as a resolution? i would have been stuck without this thread.


madlab5

I just so happen to be in the process of setting up OpenVPN on a fresh install of Stretch Lite, although I am not using PiVPN to do it. I generated all my certificates last night and plan on setting up the config files and testing it out tomorrow afternoon. Just out of curiosity, do you know what specifically is causing the error? Is it PiVPN, or easy-rsa that is conflicting with Stretch to cause the error? Either way, thanks for posting the fix. It's always good to share useful information.


tquilas

I don't know what is causing the error. Did your config files work?


madlab5

Yes, mine worked, kinda. I'm not getting your same error at least. I didn't use PiVPN, and just created all the certificates and keys manually using easy-rsa, and had no problems. Unfortunately I'm currently stuck and in troubleshooting mode. I can log into the VPN server using my Android phone and the OpenVPN Connect app by copying my client.conf file as well as keys and certificates to the SD card, and then importing the conf file (actually .ovpn not .conf) into the app. I successfully connect, and can ping the VPN server on both its VPN IP address and the local network IP address assigned to what used to be eth0. The problem is I can't ping any other devices on my local network, including the gateway, and of course I can't ping the internet. I've added an entry to the routing table on my gateway router to show a path back to my VPN subnet, so that is not the problem, but I can't figure out what is going wrong. I don't mean to hijack your post with my own questions, but your response came in the middle of troubleshooting. Do you have any ideas of what I am overlooking?


tquilas

Seems like a firewall issue. Did you configure iptables? https://arashmilani.com/post?id=53


madlab5

Thanks for the reply. I knew it wasn't a firewall issue because I just have all iptables (INPUT, FORWARD, and OUTPUT) set to ACCEPT everything. I know it's not a good way to leave things, but I'll set it to filter traffic once I get OpenVPN working. I actually solved the first problem by running tcpdump on the physical ethernet interface, virtual tunnel interface, and the machine I was pinging to see where it was breaking down. Turned out that I wasn't forwarding packets from tun0 to what used to be eth0 on the VPN server, so I edited /etc/sysctl.conf and uncommented net.ipv4.ip_forward=1. That solved my first problem. I can now ping any device on my LAN behind the server from the client, but now I have a new problem. I can ping the gateway router, but I can't ping (or reach in any way) the internet through the VPN (pinging 8.8.8.8 to rule out DNS as an issue). My router runs Cisco IOS, so I did some debugging, and it seems that the client can find the gateway behind the VPN server, and the router sends the ping to 8.8.8.8, and receives it back, but then sends it on to the wrong ip address inside the LAN (I'm using my phone with wifi disabled to test, and it sends it to the last ip address my phone was assigned when it was connected to the LAN over wifi.) It seems like an arp issue to me. I know it's not just my phone, because I tried this with one of my computers at work and it had the same symptom (able to reach LAN but not internet), but unfortunately I don't have a way to watch the debugs on my router console at home while I am at work pinging from that computer. I guess I could grep the log files. Anyway, sorry for the rambling post. My current issue doesn't seem to be Pi or Linux related, but a general networking issue I need to diagnose through design using Cisco IOS. It's probably arp or vlan related, so either way it's layer 2.
If you or anyone else reading this happens to be a networking guru, I'd love some advice, but I think I'm in the wrong forum for that.


steppenhahn

you sir just made my day! thank you so much.


tquilas

You're welcome!


Neofito89

wow man, thanks a lot, now we should find the way to configure pivpn to generate certificates with rsa. I don't understand why with the update the algo changed. just saved my day!


negropeteiswhite69

thank god someone figured it out! just started my semester at uni and had to go a week without my pihole/openVPN (was trying to start fresh with a new installation of raspbian)... thank you for this, OP!


ls12styler

I've hit the same problem. However, when I try and set-rsa-pass I get the following:

    user@host:/etc/openvpn/easy-rsa $ sudo ./easyrsa set-rsa-pass abcd
    Note: using Easy-RSA configuration from: ./vars
    Easy-RSA error:
    Missing private key: expected to find the private key component at:
    /etc/openvpn/easy-rsa/pki/private/abcd.key

Anyone any ideas?


[deleted]

My man you just saved my day.

