Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
endor56705yYeah, OpenVPN is a mess to set up right, and even the docs don't make your life much easier
-
endor56705y@kescherRant but how usable and stable is it?
The official site and repo put a lot of emphasis on the "this is still alpha software" part, and it seems there are still many features missing.
How has your experience with Wireguard been so far? And how cross-platform is it, really? (Not talking about "techically a client exists", but "ok this is actually reasonably good and usable") -
Linux434905yBetter to not use the built in shit regarding certificate in any product, ever.
I dont get what it so hard with openssl -
Condor323365y@Linux I've just never used OpenSSL directly for it, admittedly... But at this rate I think I should learn about it... These scripts are boilerplate that I don't really want to have to rely upon.
-
@endor Witeguard, in its current stae, is much more production-ready than any version of OpenVPN you can find right now.
-
Linux434905y@Condor
It is actually really simple.
I wrote about the basics:
https://blogs.linux.pizza/how-to-pr...
Was just reading some of the OpenVPN scripts to renew a certificate where I forgot to source the vars file first (apparently OpenVPN stores those in a separate file that you always have to source first, and I tend to forget it sometimes).
Reading the revoke-full script that OpenVPN provides, it's just bash so I can read it no problem. But traversing through it and trying to understand it... Horrible! There's a test file in $RT named keys/revoke-test.pem. It's not used anywhere in OpenVPN for anything useful as far as I'm aware. The script however - the script that's running on a production server! - attempts to remove this file. It doesn't exist. Test files do (or at least should) not exist in production. They're not supposed to be there.
It exports empty variables. Some of them are set by the sourced vars file, some aren't. Not entirely sure why it's exporting variables as empty when they're uninitialized, or why it doesn't just unset the ones that are initialized.
And finally it goes ahead and revokes the key file that I'm actually concerned about through regular OpenSSL and verifies it.
Not to mention that the lack of the sourced vars file, which admittedly I should think about in the current status quo, if it *always* needs to be sourced anyway... Why doesn't the script do that itself then? One less thing to go wrong. But hey, proper design?
Gore. I don't have any other words for it.
And before anyone tells me that I should go and fix it if I'm so worried about it. Remember, I am not a developer. That's the job of the developers that made this in the first place.
rant