If you are using the IPCop Linux router distribution, also used the old Zerina add-on to get OpenVPN client support, and have dozens to hundreds of client certificates, you might be unwilling to upgrade as there is no official migration path. After forum discussions and some experiments, I present the following method for migrating nearly all OpenVPN settings and certificates.
I don't know how this will affect your pre-existing IPsec networks using certs. You have been warned. I have only tested this on pre-existing OpenVPN-only installations moving to completely fresh identical ones.
You must change all your client settings files anyway if you are using DEV TAP, since only TUN is supported in IPCop 2.x... at least through the GUI. The instructions still apply, but with an additional layer of upfudgery.
You will have to copy and fill in all "main" and "advanced" settings (pushed routes etc.) by hand, as the settings file isn't identical between the versions; this is easy to do anyway. In principle the old file /var/ipcop/ovpn/settings could simply be moved to /var/ipcop/openvpn/settings, but I wouldn't recommend it.
What I would recommend is creating an OpenVPN installation with exactly the same configuration (IP range etc.) as the old one, including generating the CA certificates of course, and then following the instructions below to overwrite those files with the ones from the old installation.
Afterwards, we collect all important files from the old installation, copy them to the new system, and distribute them to their new locations and names.
Enter the following commands on the server you are migrating from:
mkdir /root/ovpnmig
cp /var/ipcop/ovpn/ca/cacert.pem /root/ovpnmig/cacert.pem
cp /var/ipcop/ovpn/ca/cakey.pem /root/ovpnmig/cakey.pem
cp /var/ipcop/ovpn/ca/dh1024.pem /root/ovpnmig/dh1024.pem
cp /var/ipcop/ovpn/certs/servercert.pem /root/ovpnmig/servercert.pem
cp /var/ipcop/ovpn/certs/serverkey.pem /root/ovpnmig/serverkey.pem
cp /var/ipcop/ovpn/certs/serial /root/ovpnmig/serial
cp /var/ipcop/ovpn/certs/index.txt /root/ovpnmig/index.txt
cp /var/ipcop/ovpn/certs/index.txt.attr /root/ovpnmig/index.txt.attr
cp /var/ipcop/ovpn/crls/cacrl.pem /root/ovpnmig/cacrl.pem
cp /var/ipcop/ovpn/ovpnconfig /root/ovpnmig/ovpnconfig
cp /var/ipcop/ovpn/certs/*.pem /root/ovpnmig/
cp /var/ipcop/ovpn/certs/*.p12 /root/ovpnmig/
If using PuTTY, you can copy/paste (right click in PuTTY) the whole code section above.
Then move the directory /root/ovpnmig to the same location on the new installation, and...
Enter the following commands on the newer 2.x installation:
mv /root/ovpnmig/cacert.pem /var/ipcop/ca/cacert.pem
mv /root/ovpnmig/cakey.pem /var/ipcop/private/cakey.pem
mv /root/ovpnmig/dh1024.pem /var/ipcop/private/dh1024.pem
mv /root/ovpnmig/servercert.pem /var/ipcop/certs/hostcert.pem
mv /root/ovpnmig/serverkey.pem /var/ipcop/certs/hostkey.pem
mv /root/ovpnmig/index.txt /var/ipcop/certs/index.txt
mv /root/ovpnmig/index.txt.attr /var/ipcop/certs/index.txt.attr
mv /root/ovpnmig/serial /var/ipcop/certs/serial
mv /root/ovpnmig/cacrl.pem /var/ipcop/crls/cacrl.pem
mv /root/ovpnmig/ovpnconfig /var/ipcop/openvpn/config
mv /root/ovpnmig/*.pem /var/ipcop/openvpn/certs/
mv /root/ovpnmig/*.p12 /var/ipcop/openvpn/certs/
touch /var/ipcop/openvpn/certs/index.txt
touch /var/ipcop/openvpn/certs/serial
echo 01 > /var/ipcop/openvpn/certs/serial
touch /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_OU= > /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_EMAIL= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_HOSTNAME= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_CITY= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_STATE= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_COUNTRY= >> /var/ipcop/vpn/rootcertsettings
echo ROOTCERT_ORGANIZATION= >> /var/ipcop/vpn/rootcertsettings
chown nobody:nobody /var/ipcop/ca/cacert.pem
chown nobody:nobody /var/ipcop/private/*
chown nobody:nobody /var/ipcop/certs/*
chown nobody:nobody /var/ipcop/crls/cacrl.pem
chown nobody:nobody /var/ipcop/openvpn/config
chown nobody:nobody /var/ipcop/openvpn/certs/*
chown nobody:nobody /var/ipcop/vpn/rootcertsettings
Then edit the settings file:
nano /var/ipcop/vpn/rootcertsettings
...and give values to ROOTCERT_HOSTNAME (the same as in your root cert, which might be an IP), ROOTCERT_COUNTRY (a two-letter country code, such as US or SE) and ROOTCERT_ORGANIZATION (the organization named in your root cert). Its only effect is to pre-fill these fields when adding new clients, but that is nice to have.
IPCop 2.0.x introduces something new: .pem files are no longer located only in /var/ipcop/openvpn/certs but in /var/ipcop/certs as well. There, however, they don't carry their real names but their "serial-number names", so that (for example) YourName.pem is duplicated as 12.pem. This seems to have no real use, but it's an observation. If you want to copy the .pem files to this location too and rename them accordingly, you can use /var/ipcop/certs/index.txt to translate names to serial numbers. However, it seems to work anyway. YMMV.
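For that optional renaming step, here is an added example (not from the original post) that reads the OpenSSL CA database index.txt, skips revoked entries, and copies each valid client's Name.pem to its serial-number twin. The directory arguments and the CN-equals-filename convention are assumptions; the script builds a constructed fixture in a temp directory so it can be tried without an IPCop box.

```sh
#!/bin/sh
# Added example, not from the original post: translate the OpenSSL CA database
# (/var/ipcop/certs/index.txt on IPCop 2.x) into "serial name" pairs and copy
# each client's <Name>.pem to its <serial>.pem twin, skipping revoked entries.
# Directory layout and the <CN>.pem naming are assumptions based on the post.

# Print "serial CN" for every valid (status V) row of an OpenSSL index.txt.
# Rows are tab-separated: status, expiry, revocation date, serial, file, subject.
index_serial_map() {
    awk -F'\t' '$1 == "V" {
        n = split($6, parts, "/")
        for (i = 1; i <= n; i++)
            if (parts[i] ~ /^CN=/) print $4, substr(parts[i], 4)
    }' "$1"
}

# copy_certs_by_serial INDEX SRC_DIR DST_DIR
# Copies SRC_DIR/<CN>.pem to DST_DIR/<serial>.pem. Returns 0 if every valid
# entry had a source file, 1 if any was missing (listed on stderr).
copy_certs_by_serial() {
    index=$1; src=$2; dst=$3; rc=0
    # heredoc instead of a pipe so rc survives the loop (no subshell)
    while read -r serial name; do
        [ -n "$serial" ] || continue
        if [ -f "$src/$name.pem" ]; then
            cp "$src/$name.pem" "$dst/$serial.pem"
        else
            echo "missing: $src/$name.pem (serial $serial)" >&2
            rc=1
        fi
    done <<EOF
$(index_serial_map "$index")
EOF
    return $rc
}

# Build a constructed fixture in a temp dir and print its path:
# two valid certs (serials 11, 12) and one revoked (13) that must not be copied.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/openvpn" "$d/certs"
    {
        printf 'V\t250101000000Z\t\t11\tunknown\t/C=SE/O=Example/CN=YourName\n'
        printf 'V\t250101000000Z\t\t12\tunknown\t/C=SE/O=Example/CN=AnotherUser\n'
        printf 'R\t250101000000Z\t240601000000Z\t13\tunknown\t/C=SE/O=Example/CN=OldLaptop\n'
    } > "$d/index.txt"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-11\n-----END CERTIFICATE-----\n' > "$d/openvpn/YourName.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-12\n-----END CERTIFICATE-----\n' > "$d/openvpn/AnotherUser.pem"
    echo "$d"
}
```

On a real box you would call copy_certs_by_serial with /var/ipcop/certs/index.txt, /var/ipcop/openvpn/certs and /var/ipcop/certs, then chown the copies to nobody:nobody as for the other files.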