OpenVPN Config Problem (PIA)

  • I see this is a PIA issue so I contacted them. I found this issue has been around for some time so maybe it's time for them to correct it.

    I'm not sure it will be fixable. The CRL function in OpenSSL is an important part of the overall SSL security scheme and the certs that were revoked have bad dates (it could even be the reason they were revoked), and preventing the use of revoked certs is normal and correct. However, OpenSSL also validates the dates in the certs and thus (also correctly) shows an error. It probably requires a code change in OpenVPN to downgrade the cert error to a warning if the bad cert is a CRL cert, but that kind of change will be politically complicated to get made, and then you need to persuade distro maintainers to adopt an arguably weaker security configuration as the default for their OpenVPN package to not inconvenience only-PIA users. I would expect most maintainers to middle-finger the idea on principle, so I doubt that will ever happen (and PIA will know this, hence the inaction on the issue).

    Wireguard is so much nicer than OpenVPN :)

  • How does an invalid date get updated/corrected in the CRL?

    It cannot be, hence the problem. The only way to avoid this is not fcuking up your certs with incorrect dates in the first place; then if or when you need to revoke them in the future the revoked certs have valid dates.

    Thus the suggested workaround is to remove/disable the CRL function in the OpenVPN config. It's a bad workaround because CRLs have a security purpose, but you have no alternative.

  • WireGuard does not depend on OpenSSL so it will not have the same issue with bad CRL certs (as they are not used). If it has issues they will be entirely WireGuard issues.

  • It certainly sounds like WireGuard would be a much better long-term solution. I agree with Chewitt that PIA needs to fix the problem they introduced in the first place.

    Has anyone put together a step-by-step WireGuard install for a VPN (for dummies) like myself?

  • This old dog would like to learn some new tricks. I'm able to ssh into my LE Rpi5 V12.2 no problem. First thing I noticed is no "storage" folder or directory. So again making an assumption, storage is the top or root directory? I can cd /storage but it doesn't seem to do anything. Just questions here. I want to eventually set up WireGuard and want to make sure I understand the stuff under the hood, so to speak. Are there hidden folders or directories? I found lots of info on running scripts and so forth, I just want to be clear on the file structure.

  • I can cd /storage but doesn't seem to do anything.

    The root user's home folder is /storage so when you login, this is where you are. If you then "cd /storage" you change directory to the same one you are already in. Hence it (correctly) doesn't seem to do anything.

  • Just to clarify, all LE builds 13.x forward will find the same OpenVPN/PIA issue? A real shame as they have been a really good VPN service at a reasonable price for years. I'm trying to understand WireGuard and if I read this correctly it could replace OpenVPN and still utilize PIA as a service? Over the years OpenVPN has made using a VPN so seamless and easy I'm hoping WireGuard might do the same.

  • If you use the default PIA config with the problem CRL certs on LE13 and newer (with new OpenSSL) the problems will exist. If you run LE12 the problem should not exist (as older OpenSSL is used). On LE13 and newer, if you remove the problem CRL bits from the default PIA config the problem is worked around and the config will work. On this topic I think we reached the "You can lead a horse to water, but you can't make it drink" point. The workaround requires 30 seconds' worth of effort. It's up to you though.

    On a deeper technical level WireGuard is quite different to OpenVPN but from a high-level user perspective they achieve the same thing and most commercial services support both. If you want to explore that there are setup instructions in the wiki. I'm going to pass on the opportunity to spoon-feed instructions or debate that further though.
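    The workaround described in the replies above (removing the CRL bits from the PIA profile), as an added example that is not from this thread, from PIA or from LibreELEC: a small Python script that finds the `crl-verify` directive or the inline `<crl-verify>` block in an .ovpn file and returns a copy without it, reporting exactly what was dropped. The sample profile is constructed and the PEM bodies are placeholders; `vpn.example.com` is a made-up hostname.

```python
import re

# Constructed sample of a PIA-style .ovpn profile (not a real PIA file; the PEM
# bodies are placeholders, not real certificates or CRLs).
SAMPLE_OVPN = """client
remote vpn.example.com 1198
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<crl-verify>
-----BEGIN X509 CRL-----
PLACEHOLDER-CRL
-----END X509 CRL-----
</crl-verify>
verb 1
"""

# OpenVPN takes the CRL either as a 'crl-verify <file>' directive or as an
# inline <crl-verify>...</crl-verify> block; both forms are handled.
DIRECTIVE = re.compile(r"^\s*crl-verify\b")
INLINE_OPEN = re.compile(r"^\s*<crl-verify>\s*$")
INLINE_CLOSE = re.compile(r"^\s*</crl-verify>\s*$")

def strip_crl_verify(config_text):
    """Return (new_config, removed): the profile without its CRL settings plus a
    note per removed piece. This disables revocation checking, as the thread warns."""
    lines = config_text.splitlines()
    kept, removed = [], []
    i = 0
    while i < len(lines):
        line = lines[i]
        if DIRECTIVE.match(line):
            removed.append(f"line {i + 1}: {line.strip()}")
            i += 1
        elif INLINE_OPEN.match(line):
            start = i
            while i < len(lines) and not INLINE_CLOSE.match(lines[i]):
                i += 1
            if i == len(lines):  # no </crl-verify>: refuse to guess at the profile
                raise ValueError(f"unterminated <crl-verify> block at line {start + 1}")
            removed.append(f"lines {start + 1}-{i + 1}: inline <crl-verify> block")
            i += 1
        else:
            kept.append(line)
            i += 1
    new_text = "\n".join(kept) + ("\n" if config_text.endswith("\n") else "")
    return new_text, removed
```

Run it over the PIA .ovpn you actually use, keep the original file, and check the `removed` list before replacing the profile so that nothing other than the CRL pieces was touched.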

  • No debate necessary. I've reloaded the RPi5 with LE 12.02 and all is well again. As for WireGuard, I'm on a mission to figure it out and make it happen. No spoons needed here, just friendly advice.