Re: OpenVPN & Debian Stretch
- Date: Wed, 5 Sep 2018 08:51:23 -0400
- From: Dan Ritter <dsr@xxxxxxxxxxxxxxxx>
- Subject: Re: OpenVPN & Debian Stretch
On Wed, Sep 05, 2018 at 06:56:44AM -0400, Wayne Sallee wrote:
> On 09/05/2018 06:30 AM, Dan Purgert wrote:
> > Dan Ritter wrote:
> > > On Wed, Sep 05, 2018 at 12:29:02AM -0000, Dan Purgert wrote:
> > > > Dan Ritter wrote:
> > > > > On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote:
> > > > > > Has anyone set up OpenVPN with ssh-keygen -t rsa ?
> > > > > >
> > > > > Technically, you can do that.
> > > > ssh-keygen generates ssh keys, not x.509 certificates ...
> > > An x.509 cert contains an RSA key signed by a CA. openssl can do
> > > the signing, at which point you've half-reimplemented easy-rsa.
> > >
> > > -dsr-
> > Sure - but it just seems silly to use ssh-keygen, then openssl to
> > convert it to the right format when openssl (or the easy-rsa wrapper
> > thereto) can do all the work for you in one go.
> Ok, then it would be better to use openssl instead of ssh-keygen?
> I'm looking at putting OpenVPN on an established server, and wondering if it
> is really necessary to install easy-rsa when I already have established ways
> of generating ssh keys.
easy-rsa is basically a series of scripts to get openssl to do
the right thing for you, consistently.
Alternatively, look into installing wireguard from unstable. (It
won't drag in anything weird.) Wireguard matches your conception
of how a VPN should work -- and is currently being integrated
into the Linux kernel, because practically everybody likes it
better than OpenVPN, and most people prefer it to IPsec.
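
The manual route discussed in this thread (an RSA key from ssh-keygen, then openssl for the CSR and the CA signature), as an added example that is not part of the original message and is not easy-rsa's own code. The file names, subject names, 30-day lifetimes and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn an ssh-keygen RSA key into an X.509 client certificate.
# Every file name and subject below is constructed for illustration.

# Create a throwaway CA (private key + self-signed certificate) in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Generate the client key with ssh-keygen. "-m PEM" keeps the private key in
# the traditional PEM encoding openssl reads; newer OpenSSH releases default
# to their own private key format.
make_ssh_key() {
    ssh-keygen -q -t rsa -b 2048 -m PEM -N "" -C "client1" -f "$1/client1.key"
}

# Build a CSR from the ssh-keygen key and have the CA sign it as a client cert.
sign_client() {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$1/client.ext"
    openssl req -new -key "$1/client1.key" -subj "/CN=client1" \
        -out "$1/client1.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 30 -in "$1/client1.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/client.ext" -out "$1/client1.crt" 2>/dev/null
}

# Succeeds only if the certificate chains to the CA and carries the same
# public key as the ssh-keygen private key.
cert_matches_key() {
    openssl verify -CAfile "$1/ca.crt" "$1/client1.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1/client1.crt" -noout -pubkey)
    key_pub=$(openssl rsa -in "$1/client1.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run the whole sequence in directory $1.
build_all() {
    make_ca "$1" && make_ssh_key "$1" && sign_client "$1" && cert_matches_key "$1"
}
```

Serial tracking, revocation lists and consistent extensions for server and client certificates are the parts this leaves out, which is the bookkeeping easy-rsa's scripts handle.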