
Re: OpenVPN & Debian Stretch






On 09/05/2018 08:51 AM, Dan Ritter wrote:
On Wed, Sep 05, 2018 at 06:56:44AM -0400, Wayne Sallee wrote:

On 09/05/2018 06:30 AM, Dan Purgert wrote:
Dan Ritter wrote:
On Wed, Sep 05, 2018 at 12:29:02AM -0000, Dan Purgert wrote:
Dan Ritter wrote:
On Tue, Sep 04, 2018 at 07:42:58PM -0400, Wayne Sallee wrote:
Has anyone set up OpenVPN with ssh-keygen -t rsa ?

Technically, you can do that.
ssh-keygen generates ssh keys, not x.509 certificates ...
An x.509 cert contains an RSA key signed by a CA. openssl can do
the signing, at which point you've half-reimplemented easy-rsa.

-dsr-
Sure - but it just seems silly to use ssh-keygen, then openssl to
convert it to the right format when openssl (or the easy-rsa wrapper
thereto) can do all the work for you in one go.


Ok, then it would be better to use openssl instead of ssh-keygen?

I'm looking at putting OpenVPN on an established server, and wondering if it
is really necessary to install easy-rsa when I already have established ways
of generating ssh keys.
easy-rsa is basically a series of scripts to get openssl to do
the right thing for you, consistently.

Do that.

Alternatively, look into installing wireguard from unstable. (It
won't drag in anything weird.) Wireguard matches your conception
of how a VPN should work -- and is currently being integrated
into the Linux kernel, because practically everybody likes it
better than OpenVPN, and most people prefer it to IPsec.

-dsr-



Thanks for the tip about wireguard. It's still beta, but it looks promising.

Wayne Sallee
Wayne@xxxxxxxxxxxxxxx
http://www.WayneSallee.com
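
The point made in the thread, that an x.509 certificate is an RSA key signed by a CA and that easy-rsa scripts openssl to do this, shown as an added example (not code from the thread or from easy-rsa). The names demo-ca and vpn-server, the file names, and the validity periods are constructed for illustration.

```shell
#!/bin/sh
# Added example: the openssl steps that easy-rsa wraps. Names such as demo-ca,
# vpn-server and the file names are constructed; nothing here is from the thread.

make_pki() {   # $1 = empty working directory
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 1. CA key plus self-signed CA certificate (the trust anchor).
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key plus certificate signing request (still no certificate).
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=vpn-server" -newkey rsa:2048 \
        -nodes -sha256 -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request; this signature is what a bare ssh key lacks.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$dir/pki.cnf" -extensions server \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# True if the file parses as an X.509 certificate (a bare private key does not).
is_certificate() { openssl x509 -in "$1" -noout 2>/dev/null; }

# True if server.crt chains to ca.crt.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

# True if server.crt carries the public half of server.key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

d=$(mktemp -d) && make_pki "$d" && verify_chain "$d" && key_matches_cert "$d" \
    && echo "server.crt chains to ca.crt and matches server.key"; rm -rf "$d"
```

In a real deployment the CA key stays off the VPN server; only ca.crt, server.crt and server.key are needed there.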