    Netgate Discussion Forum
    Making OpenVPN key creation easier until we get a GUI

    OpenVPN
      sullrich:

      Info moved here:
      http://doc.pfsense.org/index.php/Easyrsa_for_pfSense

        JeGr (LAYER 8 Moderator):

        Just a short question on this Scott:
        Will this be included in further snapshots (or beta2) or is it "download-only" at the moment? No problems with download, just curious.
        But thanks a lot for making it work, that will definitely save some time.

          sullrich:

          No it will remain download only.  The solution is a GUI that does all of this automatically.

            akong:

            When I run ./build-key clientXXXX
            I got an error message:
            EASY_RSA: Undefined variable.
            How to fix it?

              sullrich:

              Replace the build-key contents with:

              #!/bin/tcsh
              
              # Make a certificate/private key pair using a locally generated
              # root certificate.
              
              # vars defines EASY_RSA in this shell; setenv exports it so the
              # pkitool sh script inherits it (otherwise: EASY_RSA: Undefined variable)
              source ./vars
              setenv EASY_RSA $EASY_RSA
              "$EASY_RSA/pkitool" --interact $*

                gmckinney:

                Just curious - is any further work being done on automating the key generation process???

                gm…

                  Guest:

                  gui would be sweet, any ETA?

                  regards /f

                    sullrich:

                    Maybe in the next 3-4 months…  Stay tuned!

                      gmckinney:

                      @sullrich:

                      Maybe in the next 3-4 months…  Stay tuned!

                      Let me know if there is anything I can do to help out - this would be a very nice addition but I keep getting side-tracked with other RL items.  Any thoughts on "how" to maintain the key sets - should there be multiple CA keys or just limit to one CA and everything builds/tests off of that one keyset???

                      I have some ideas but get really gummed up in the details (grin)…

                      gm...

                        sullrich:

                        Most likely only one CA.  But I am open to ideas.

                          gmckinney:

                          I suppose your target is for both the embedded and the HD install version for the OpenVPN stuff…

                          Probably one CA would be a good starting point - keeps the internal side of things less complex - at least in the beginning for a GUI interface otherwise you need a method to keep track of what CA is used for which server and client keys.  I realize that is not too difficult to do but if you have one CA to each server instance or client instance and someone decides they want to have 100+ VPN clients then things get a little big in terms of the storage for all the keys involved.  This would especially be true in an embedded environment.

                          One other question - are you still looking at an auto installer for say Windows clients using NSIS ?  It looks rather interesting but I have just started looking at it myself - have you done anything with it yet?

                          addendum...

                          It looks like compiling the makensis for pfsense will be a little involved - If I am following the general instructions correctly (http://nsis.sourceforge.net/Docs/AppendixG.html#G) it looks like a pre-compiled version originally for Windows is picked apart so the makensis has access to the Windows specific pieces when the nsis script is "compiled".  From what I have figured out this is what is needed to allow creating a Windows installer for an OpenVPN client configuration on a Windows OS based machine - is this a correct interpretation on my part???
                          It seems this would be the only way to have the installer program create the installation exe with all the parts needed for an OpenVPN client installer.

                          gm...

                            sullrich:

                            @gmckinney:

                            I suppose your target is for both the embedded and the HD install version for the OpenVPN stuff…

                            Yep.

                            @gmckinney:

                            Probably one CA would be a good starting point - keeps the internal side of things less complex - at least in the beginning for a GUI interface otherwise you need a method to keep track of what CA is used for which server and client keys.  I realize that is not too difficult to do but if you have one CA to each server instance or client instance and someone decides they want to have 100+ VPN clients then things get a little big in terms of the storage for all the keys involved.  This would especially be true in an embedded environment.

                            Good points.  Might just start out with one CA and work our way up.  I need to view the project specs again, however.

                            @gmckinney:

                            One other question - are you still looking at an auto installer for say Windows clients using NSIS ?  It looks rather interesting but I have just started looking at it myself - have you done anything with it yet?

                            Yep.

                            @gmckinney:

                            addendum…

                            It looks like compiling the makensis for pfsense will be a little involved - If I am following the general instructions correctly (http://nsis.sourceforge.net/Docs/AppendixG.html#G) it looks like a pre-compiled version originally for Windows is picked apart so the makensis has access to the Windows specific pieces when the nsis script is "compiled".  From what I have figured out this is what is needed to allow creating a Windows installer for an OpenVPN client configuration on a Windows OS based machine - is this a correct interpretation on my part???
                            It seems this would be the only way to have the installer program create the installation exe with all the parts needed for an OpenVPN client installer.

                            gm...

                            I guess.  I haven't really looked too closely at it.  Sounds like you know more than I do at this point about this portion :)

                              Accounts:

                              @sullrich:

                              to utilize it, simply run this command from a shell:

                              fetch -o - http://www.pfsense.com/~sullrich/tools/easyrsa.txt | /bin/sh

                              404 file not found…..

                                sullrich:

                                fetch -o - http://files.pfsense.org/extras/easyrsa.txt | /bin/sh

                                  videoman:

                                  Has there been any update to this?

                                  It looks like there is a project that may be easy to integrate into pfSense…

                                  http://sourceforge.net/projects/php-ca

                                  Just wondering...

                                  -VideoMan

                                    cwfnetman:

                                    What would be very nice would be if someone could port the "Zerina" OpenVPN admin GUI package to pfSense. If you don't know what Zerina is, it's a web interface add-in package for the IPCop and Smoothwall Linux based firewall distros.  Zerina makes the creating and managing of OpenVPN road warrior configs, including all the certificates, IP addressing and routing tasks, and all that stuff, trivially easy.

                                      nosborne:

                                      Thanks for these scripts, this is working great.  Can you include a revoke-full script too?  Or is there a revoke option in the pkitool that I'm not seeing?

                                      Thanks!

                                        running:

                                        I have finally found how to make that work… took a long time to understand but now I am good (better) :)

                                        The question of how to revoke is not answered yet can anyone help on how to do that since there is not anything in pkitool and there is no revoke option.

                                        Thank you for your help and patience!

                                          johii:

                                          No expert but I think you're right, it does look exactly the same as what was in my mind when I read "GUI for OpenVPN in pfSense". But without the pfSense colors ;)

                                          I wouldn't mind working on it, but i wouldn't know where to start :D

                                            running:

                                            Anyone has a fix for that? Master sullrich surely has an idea ;)

                                            Thanks

                                              running:

                                              Can anyone help? If not on the command line, can I do it in Windows using revoke-full.bat?

                                              Thank you!

                                                nosborne:

                                                Updated - I had the syntax wrong, and didn't include my changes to vars.  This should be complete now.
                                                 ------------------
                                                I've got this working now, using a revoke-full script and some changes to the vars file.  Steps to revoke are:  run 'source ./vars' first, then ./revoke-full username, then post the new keys/crl.pem file to the configuration through the GUI.

                                                Here is the script:

                                                
                                                 #!/bin/sh
                                                 
                                                 # revoke a certificate, regenerate the CRL,
                                                 # and verify the revocation took effect
                                                 
                                                 CRL="crl.pem"
                                                 RT="revoke-test.pem"
                                                 
                                                 if [ $# -ne 1 ]; then
                                                     echo "usage: revoke-full <common-name>"
                                                     exit 1
                                                 fi
                                                 
                                                 # KEY_DIR, KEY_CONFIG and OPENSSL come from 'source ./vars'
                                                 if [ "$KEY_DIR" ]; then
                                                     cd "$KEY_DIR"
                                                     rm -f "$RT"
                                                 
                                                     # set defaults (easy-rsa's openssl.cnf reads these via $ENV::)
                                                     export KEY_CN=""
                                                     export KEY_OU=""
                                                 
                                                     # revoke the cert (marks it R in index.txt)
                                                     $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
                                                 
                                                     # generate a new CRL -- try to be compatible with
                                                     # intermediate PKIs
                                                     $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
                                                     if [ -e export-ca.crt ]; then
                                                         cat export-ca.crt "$CRL" >"$RT"
                                                     else
                                                         cat ca.crt "$CRL" >"$RT"
                                                     fi
                                                 
                                                     # verify: the revoked cert must now fail the CRL check
                                                     $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
                                                 fi
                                                

                                                And the changes to vars:

                                                
                                                .
                                                .
                                                # Changes to allow for revoke-full option
                                                setenv KEY_OU "$KEY_ORG"
                                                setenv KEY_CN "my.servername.com"  #This should match the servername in your server cert
                                                setenv PKCS11_MODULE_PATH "$PKCS11TOOL"
                                                setenv PKCS11_PIN "dummy"
                                                
                                                
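The revoke flow above, exercised end to end against a throwaway CA so you can see that the regenerated crl.pem really rejects the client before uploading it through the GUI. This is an added example, not nosborne's or easy-rsa's own code; it assumes a system openssl (1.1.1 or newer), uses its own minimal config instead of the vars file, and the CA and client names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread): build a throwaway CA in a temp
# dir, issue one client cert, revoke it the way revoke-full does, regenerate
# the CRL and confirm with "openssl verify -crl_check" that the cert is now
# rejected. Returns 0 only if the cert verified before and fails after.
revoke_demo() {
    w=$(mktemp -d) && cd "$w" || return 1
    mkdir keys && : > keys/index.txt && echo 01 > keys/serial
    # minimal CA config; easy-rsa's openssl.cnf supplies the same sections
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo
[ demo ]
dir              = ./keys
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = pol
[ pol ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -config ca.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -config ca.cnf -keyout client1.key -out client1.csr >/dev/null 2>&1 || return 1
    openssl ca -batch -config ca.cnf -in client1.csr -out client1.crt >/dev/null 2>&1 || return 1
    # before revocation the client cert chains cleanly to the CA
    openssl verify -CAfile ca.crt client1.crt >/dev/null 2>&1 || return 2
    # the two steps revoke-full performs
    openssl ca -batch -config ca.cnf -revoke client1.crt >/dev/null 2>&1 || return 1
    openssl ca -batch -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1 || return 1
    cat ca.crt crl.pem > revoke-test.pem   # the CA+CRL bundle the script builds
    # with the CRL in the trust file the same cert must now be rejected
    openssl verify -CAfile revoke-test.pem -crl_check client1.crt 2>&1 \
        | grep -q "certificate revoked" || return 3
}
revoke_demo && echo "revoked cert correctly rejected by -crl_check"
```

The same `openssl verify -CAfile <ca+crl> -crl_check <cert>` check works against the real keys/ directory after running revoke-full, which is the quickest way to confirm the CRL you are about to upload is the right one.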