# configuring OpenVPN on 9.1



## jkuiper (Aug 14, 2013)

I've installed OpenVPN with `pkg_add -r openvpn`. I created /usr/local/etc/openvpn. I copied /usr/local/share/doc/openvpn/easy-rsa. I changed to 2.0. When building the server certificate, problems exist. This is the error message:

```
Using configuration from /usr/local/etc/openvpn/easy-rsa/2.0/openssl-0.9.8.cnf
unable to load number from /usr/local/etc/openvpn/easy-rsa/2.0/keys/serial
error while loading serial number
7241:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:/usr/src/
secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/f_int.c:215:
```
Strange thing is, OpenSSL 1.x is installed, but openssl-0.9.8.cnf is used. index.txt and serial are created by using touch.

I have several OpenVPN versions installed and configured on other Linux/Windows servers, but FreeBSD gives me the first problems I can't solve.

Please help.


----------



## junovitch@ (Aug 15, 2013)

I've had no issues building my keys on 9.1-RELEASE before.  Here are my abbreviated notes from my current setup.  Just curious, what are you getting from /usr/local/share/doc/openvpn/easy-rsa?  That doesn't exist on my install or in the current pkg-plist files for either security/openvpn or security/easy-rsa.  What version got installed from `pkg_add -r openvpn`?  The default OpenSSL is 0.9.8 per the release notes at http://www.freebsd.org/releases/9.1R/relnotes.html or the openssl() man page so that looks about right.  


```
portmaster security/openvpn
cp -Rv /usr/local/share/easy-rsa/ /usr/local/etc/openvpn-ca
cd /usr/local/etc/openvpn-ca

# Setup vars as needed
vi vars
bash
. ./vars
./clean-all
./build-dh
./build-ca
./build-key-server server.domain.name
./build-key client.domain.name
/usr/local/sbin/openvpn --genkey --secret keys/ta.key
```
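Added example, not part of either poster's message: a preflight check for the easy-rsa 2.0 keys directory, covering the state behind the "unable to load number ... short line" error in the first post. `openssl ca` reads the next certificate serial from `serial` as an even-length hex string, so a zero-byte file made with `touch` fails, whereas easy-rsa 2.0's `./clean-all` writes `01` into it. The function name `check_ca_db` is a hypothetical helper, not part of easy-rsa or OpenVPN.

```shell
#!/bin/sh
# Added example: validate an easy-rsa 2.0 keys directory before signing.
# check_ca_db is a hypothetical helper name, not an easy-rsa or OpenVPN tool.
check_ca_db() {
    key_dir=$1
    rc=0
    # openssl ca needs index.txt to exist; an empty file is valid for a new CA.
    if [ ! -f "$key_dir/index.txt" ]; then
        echo "missing: $key_dir/index.txt"
        rc=1
    fi
    # serial must hold the next serial number as an even-length hex string.
    # A zero-byte file (e.g. from touch) gives a2i_ASN1_INTEGER "short line".
    if [ ! -s "$key_dir/serial" ]; then
        echo "missing or empty: $key_dir/serial"
        rc=1
    else
        serial=$(head -n 1 "$key_dir/serial" | tr -d '\r')
        case $serial in
            ''|*[!0-9A-Fa-f]*)
                echo "serial is not hexadecimal: '$serial'"
                rc=1 ;;
            *)
                if [ $(( ${#serial} % 2 )) -ne 0 ]; then
                    echo "serial has an odd number of hex digits: '$serial'"
                    rc=1
                fi ;;
        esac
    fi
    # Private keys are stored here; clean-all creates the directory go-rwx.
    perms=$(ls -ld "$key_dir" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "keys directory is accessible to group/other: $key_dir"
        rc=1
    fi
    return "$rc"
}

# Constructed demo: the touch-created state, then the state clean-all leaves.
demo=$(mktemp -d)
touch "$demo/index.txt" "$demo/serial"
check_ca_db "$demo" || echo "-> not ready for build-key-server"
echo 01 > "$demo/serial"
check_ca_db "$demo" && echo "-> ready"
rm -rf "$demo"
```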


----------



## jkuiper (Aug 16, 2013)

Okay. I've installed FreeBSD again, so I have a clean system. I installed OpenVPN 2.2 with `pkg_add -r`. /usr/local/share/easy-rsa/ doesn't exist, but I found the scripts and copied them to /usr/local/etc/openvpn using `cp -R /usr/local/share/doc/openvpn/ /usr/local/etc/openvpn/`. The configuration files are not executable, so I have to give them permissions (+x). I changed the vars file and built the keys without problems.

Maybe I've installed openssl_1.0.0 as an upgrade. I don't know what I have done. First I built OpenVPN from source, but that gave a mess. A clean system gave me the right choices.

Thanks for your help.

But why is FreeBSD still using OpenSSL 0.98?


----------



## junovitch@ (Aug 16, 2013)

The current version of security/openvpn in ports is at 2.3.2 according to Freshports and that is what I have installed. The layout must have changed a bit, probably to include +x permissions. OpenSSL 0.9.8 is in base so it won't change unless there is a security issue. The latest 9.2-RCs probably have a newer version.


----------



## DutchDaemon (Aug 16, 2013)

The base OpenSSL should already be patched, regardless of version.


----------

