I can't do the instructions for installing OpenVPN.
When I get to this part, it stops working:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
When I do this,
cd /etc/openvpn/easy-rsa/2.0/
it works fine.
But when I do this,
. /etc/openvpn/easy-rsa/2.0/vars
it says:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
I tried:
sudo . /etc/openvpn/easy-rsa/2.0/vars
but this is what I get:
sudo: .: command not found
What am I supposed to do here?
9 Replies
Inquisitor Sasha, I'm not quite sure what you were trying to fix. The "NOTE" seems fine. It's just informational - letting you know what directory the keys are being kept in (so letting you know which directory clean will, well, clean). The indicated folder seems like the right one if you're using the library guide. Did you run into problems using the subsequent commands?
All vars does is establish some environment variables (which you edited earlier in the library guide) that the remaining operations utilize. It doesn't take any other actions on its own aside from setting those variables.
– David
@db3l:
kyhwana, actually the space should be fine - dot (.) is an alias for "source" which executes the script commands in the specified file. It's important (particularly with vars) that the script be executed in the context of the current shell environment.
Inquisitor Sasha, I'm not quite sure what you were trying to fix. The "NOTE" seems fine. It's just informational - letting you know what directory the keys are being kept in (so letting you know which directory clean will, well, clean). The indicated folder seems like the right one if you're using the library guide. Did you run into problems using the subsequent commands?
All vars does is establish some environment variables (which you edited earlier in the library guide) that the remaining operations utilize. It doesn't take any other actions on its own aside from setting those variables.
– David
Thank you for explaining that. The third command does not work.
When I run
. /etc/openvpn/easy-rsa/2.0/clean-all
I get:
sasha@einstein:/etc/openvpn/easy-rsa/2.0$ . /etc/openvpn/easy-rsa/2.0/clean-all
mkdir: cannot create directory ‘/etc/openvpn/easy-rsa/2.0/keys’: Permission denied
sasha@einstein:/etc/openvpn/easy-rsa/2.0$ sudo . /etc/openvpn/easy-rsa/2.0/clean-all
[sudo] password for sasha:
sudo: .: command not found
sasha@einstein:/etc/openvpn/easy-rsa/2.0$
@Inquisitor Sasha:
When I run
. /etc/openvpn/easy-rsa/2.0/clean-all
I get:
sasha@einstein:/etc/openvpn/easy-rsa/2.0$ . /etc/openvpn/easy-rsa/2.0/clean-all
mkdir: cannot create directory ‘/etc/openvpn/easy-rsa/2.0/keys’: Permission denied
sasha@einstein:/etc/openvpn/easy-rsa/2.0$ sudo . /etc/openvpn/easy-rsa/2.0/clean-all
[sudo] password for sasha:
sudo: .: command not found
sasha@einstein:/etc/openvpn/easy-rsa/2.0$
Ah ok, yes, in general you want to work entirely as root if you are going to manage your keys under /etc. But in this case using sudo command by command isn't a good idea since the environment won't get shared (unless you use -E with sudo). Plus the "." error is because "." or "source" is a built-in shell command not a separate executable.
What you can do however, is switch to root in general first (using either a plain "su" or if your system is only built for sudo, "sudo -s"). That will give you a root shell from which you can execute any number of commands. Just be careful and realize that anything you type is being executed as root. Then follow the commands in the guide. Ctrl-D or "exit" when done will exit out of the root shell. It's best to switch to root before starting with any commands (particularly vars) to ensure you have the right environment set up.
To be honest though, although it deviates from the guide, if it were me, I'd probably manage the keys under some other account than root (that way you don't need to be root to perform the regular operations). There's no requirement that you store your keys under /etc/openvpn (though you should restrict protections on the keys folder to whatever account you do use to manage it), so if you move the easy-rsa directory (or re-copy from examples) to somewhere that your regular account has access, you can follow the guide under your own account. Alternatively, if you like having it all under /etc/openvpn, you could "chown -R" the easy-rsa directory to your own account so you can still manage things there without having to become root.
– David
I'd agree to use root instead of sudo, however the entire path should not be needed for executing scripts (provided they have the executable permission). Since the tutorial says to cd to the same directory as the scripts, you should be able to use:
sudo ./clean-all
with no space between the . and /. If they are set up as proper scripts, that should work no problem.
@Piki:
Properly, it should be "su -", not "su" (the - instructs it to set environmental variables).
Well, "properly" depends on your needs. That attempts to match a login environment, which isn't really necessary here. Plus, switching back from root's home directory could get annoying. I agree that there are cases when you may want that behavior depending on what activities you plan on doing as root, but in this case it's just to run some scripts within a constrained environment.
> I'd agree to use root instead of sudo, however the entire path should not be needed for executing scripts (provided they have the executable permission). Since the tutorial says to cd to the same directory as the scripts, you should be able to use:
sudo ./clean-all
with no space between the . and /. If they are set up as proper scripts, that should work no problem.
Not quite in this case. There are environment variables used to set defaults for the various openvpn easy-rsa scripts that sudo won't maintain (without -E). That is, vars sets up a series of environment variables that later scripts depend on. Your sudo command above would run clean-all without those variables set.
That's why it's simplest to switch to a root shell (or whatever environment you can then run all commands in) before doing anything else, since then sourcing vars will properly set up the common environment for the commands to follow.
I do think it's true that vars is the only script critical to directly source in the current shell - the rest can be run as regular scripts if desired, although sourcing them (as the library article shows) should be fine too. As long as however they are run maintains the parent environment.
– David
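The behaviour David describes can be reproduced safely with constructed stand-ins. This is an added example, not code from the thread or from easy-rsa: `vars` and `needs-vars` are hypothetical files in a temp directory, and `env -i` is an assumption standing in for sudo's environment reset when -E is not given.

```shell
#!/bin/sh
# Constructed stand-ins for easy-rsa's vars and a script that depends on it.
# Everything lives in a temp directory; nothing under /etc/openvpn is touched.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Hypothetical "vars": like the real one, it only exports variables.
cat > "$demo/vars" <<EOF
export KEY_DIR="$demo/keys"
EOF

# Hypothetical later script (think clean-all): refuses to run without KEY_DIR.
cat > "$demo/needs-vars" <<'EOF'
if [ -z "$KEY_DIR" ]; then echo "KEY_DIR unset"; exit 1; fi
echo "$KEY_DIR"
EOF

# vars run as a separate program: its exports die with the child process.
executed_vars() {
    ( unset KEY_DIR; /bin/sh "$demo/vars"; /bin/sh "$demo/needs-vars" )
}

# vars sourced with ".": the exports land in this shell and children inherit them.
sourced_vars() {
    ( unset KEY_DIR; . "$demo/vars"; /bin/sh "$demo/needs-vars" )
}

# vars sourced, next command run with a scrubbed environment. "env -i" is an
# assumption standing in for sudo's environment reset (no -E).
scrubbed_env() {
    ( . "$demo/vars"; env -i /bin/sh "$demo/needs-vars" )
}

# "." is part of the shell itself, so sudo has no program of that name to run.
dot_is_builtin() {
    type . | grep -q builtin
}

echo "executed: $(executed_vars)"
echo "sourced:  $(sourced_vars)"
echo "scrubbed: $(scrubbed_env)"
dot_is_builtin && echo "dot is a shell builtin"
```

Only the sourced case prints the key directory; the other two report `KEY_DIR unset`, which is why a later script run through a fresh environment cannot see what `vars` set.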
root@einstein:~# . /etc/openvpn/easy-rsa/2.0/build-ca
-su: /root/pkitool: No such file or directory
EDIT
Nevermind, I forgot to switch out of root's home directory. Should I just delete the "keys" directory that's there now?
@db3l:
@Piki:
Properly, it should be "su -", not "su" (the - instructs it to set environmental variables).
Well, "properly" depends on your needs. That attempts to match a login environment, which isn't really necessary here. Plus, switching back from root's home directory could get annoying. I agree that there are cases when you may want that behavior depending on what activities you plan on doing as root, but in this case it's just to run some scripts within a constrained environment.
From a newbie's perspective, it's usually better just to include the "-" just because you won't know what you'll run into (or in my case, how long I'll spend troubleshooting one of my services
@db3l:
> I'd agree to use root instead of sudo, however the entire path should not be needed for executing scripts (provided they have the executable permission). Since the tutorial says to cd to the same directory as the scripts, you should be able to use:
sudo ./clean-all
with no space between the . and /. If they are set up as proper scripts, that should work no problem.
Not quite in this case. There are environment variables used to set defaults for the various openvpn easy-rsa scripts that sudo won't maintain (without -E). That is, vars sets up a series of environment variables that later scripts depend on. Your sudo command above would run clean-all without those variables set.
That's why it's simplest to switch to a root shell (or whatever environment you can then run all commands in) before doing anything else, since then sourcing vars will properly set up the common environment for the commands to follow.
I wasn't aware the openvpn scripts needed their own variables. I'm giving bad advice then
@Inquisitor Sasha:
Nevermind, I forgot to switch out of root's home directory. Should I just delete the "keys" directory that's there now?
Sure, it's not needed. Though it's only created by clean-all, so presumably you had to run that again once in the right directory.
If you find yourself forgetting to switch to the easy-rsa folder regularly, you can edit the vars file and replace the EASY_RSA definition near the top with your actual easy-rsa location (e.g., /etc/openvpn/easy-rsa) rather than the default definition of "`pwd`" which uses the current directory. Then you can execute the scripts from any current directory.
– David