https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos

Introduction

This page contains instructions for using OpenVPN project’s own software repositories. For a list of unofficial repositories (e.g. EPEL) please refer to the Unofficial OpenVPN software repositories page.

The latest OpenVPN releases are available in the OpenVPN project’s apt repositories. This allows you to use a more up-to-date version of OpenVPN than what is typically available in your distribution’s repositories. Please note that all commands listed below have to be run as root, e.g. using sudo or su.

Pre-built Linux binaries are only available for Debian and Ubuntu. This is so for two reasons:

  • Official Debian and Ubuntu repositories tend to have fairly old OpenVPN versions available
  • Fedora and Fedora EPEL provide fairly up-to-date OpenVPN releases for supported Fedora and Red Hat Enterprise Linux releases (including clones such as CentOS and Scientific Linux).

All packages are available in i386 and amd64/x86_64 flavours. Even if a package is built on a particular OS, it does not mean it won’t work on older and/or newer versions of the same distro, or even on a different operating system. If you encounter any issues with the package, please file a new bug report.

Debian / Ubuntu: Using OpenVPN apt repositories

We maintain several OpenVPN (OSS) software repositories. To set up the repositories you need to change to the root user. Typically this is done using sudo:

$ sudo -s

Then import the public GPG key that is used to sign the packages:

$ wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg|apt-key add -

Next you need to create a sources.list fragment (as root) so that apt can find the new OpenVPN packages. One way to do it is this:

$ echo "deb http://build.openvpn.net/debian/openvpn/<version> <osrelease> main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Where <version> can be one of

  1. stable: stable releases only – no alphas, betas or RCs
  2. testing: latest releases, including alphas/betas/RCs
  3. release/2.3: OpenVPN 2.3 releases
  4. release/2.4: OpenVPN 2.4 releases, including alphas/betas/RCs

and <osrelease> depends on your distribution:

  • wheezy (Debian 7.x)
  • jessie (Debian 8.x)
  • precise (Ubuntu 12.04)
  • trusty (Ubuntu 14.04)
  • xenial (Ubuntu 16.04)

Examples:

$ echo "deb http://build.openvpn.net/debian/openvpn/testing jessie main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
$ echo "deb http://build.openvpn.net/debian/openvpn/release/2.3 wheezy main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

# used on this server:
echo "deb http://build.openvpn.net/debian/openvpn/stable xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 xenial main" > /etc/apt/sources.list.d/openvpn-aptrepo.list

Now you’re set for installing OpenVPN. Note that packages built for older operating system releases might work just fine on a newer release of the same operating system.

Installing OpenVPN

On Debian/Ubuntu use

$ apt-get update && apt-get install openvpn

Notes on expired keys

If the apt signing key expires, apt will complain when refreshing the package cache (e.g. apt-get update). To fix this, remove the expired key from the apt keychain:

$ apt-key del E158C569

Then add the new key using wget and apt-key as described above. Then verify that the new key is in the keychain:

$ apt-key list
--- snip ---
/etc/apt/trusted.gpg
--------------------
pub   2048R/E158C569 2011-08-03 [expires: 2020-07-25]
uid                  Samuli Seppänen (OpenVPN Technologies, Inc) <samuli@openvpn.net>
sub   2048R/F5699905 2011-08-03 [expires: 2020-07-25]
--- snip ---

What to do when clients can't connect after a period of successful connections

Renew the certificate revocation list (crl.pem). First check the current one:

# cd /etc/openvpn
# openssl crl -in crl.pem -text

Check the "Next Update" date in the output, for example:

root@VPN-TEST:/etc/openvpn# openssl crl -in crl.pem -text
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=ChangeMe
        Last Update: Nov 27 21:13:04 2018 GMT
        Next Update: Nov 27 21:13:04 2019 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:13:EF:FE:90:68:61:6F:92:16:2D:C9:3E:09:08:2E:7B:5E:C3:AA:6F
                DirName:/CN=ChangeMe
                serial:DF:FB:6D:FD:09:1D:36:EC

If the "Next Update" date has passed, the CRL has expired. Regenerate it and copy it into place:

# cd /etc/openvpn/easy-rsa
# ./easyrsa gen-crl
# cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem

Then restart the server. Clients can now connect again.
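
To catch this before clients are locked out, the "Next Update" check above can be automated. The following is an added example, not part of the original page or the OpenVPN project; it assumes GNU date, and the function names, the 14-day threshold and the sample input are illustrative.

```shell
#!/usr/bin/env bash
# Added example: warn before the CRL's "Next Update" date passes.
# Assumes GNU date (for -d parsing); the 14-day threshold is illustrative.

# Constructed sample input: trimmed `openssl crl -text` output.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=ChangeMe
        Last Update: Nov 27 21:13:04 2018 GMT
        Next Update: Nov 27 21:13:04 2019 GMT'

# Read `openssl crl -text` output on stdin, print the Next Update timestamp.
crl_next_update() {
    sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# $1 = openssl text output, $2 = warning threshold in days (default 14),
# $3 = "now" as a date string (optional, lets the check be tested).
# Exit status: 0 = OK, 1 = expiring soon, 2 = expired, 3 = cannot tell.
crl_status() {
    local next_str next now left warn_days
    warn_days=${2:-14}
    next_str=$(printf '%s\n' "$1" | crl_next_update)
    if [ -z "$next_str" ]; then
        echo "UNKNOWN: no Next Update field found"; return 3
    fi
    # An unparsable value is reported rather than treated as valid.
    next=$(date -u -d "$next_str" +%s 2>/dev/null) || {
        echo "UNKNOWN: cannot parse '$next_str'"; return 3; }
    now=$(date -u -d "${3:-now}" +%s) || return 3
    left=$(( next - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED: Next Update was $next_str; regenerate crl.pem"
        return 2
    elif [ "$left" -lt $(( warn_days * 86400 )) ]; then
        echo "WARNING: CRL expires in $(( left / 86400 )) day(s) ($next_str)"
        return 1
    fi
    echo "OK: CRL valid for $(( left / 86400 )) more day(s)"
}

# Demo on the sample with a fixed "now"; prints the WARNING line.
crl_status "$SAMPLE_CRL_TEXT" 14 "Nov 20 21:13:04 2019 GMT" || true
# Real use: crl_status "$(openssl crl -in /etc/openvpn/crl.pem -noout -text)"
```

Run from cron or a monitoring agent, the non-zero exit status gives time to run easyrsa gen-crl and copy the new crl.pem before the old one lapses.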