Verschillen

Dit geeft de verschillen weer tussen de geselecteerde revisie en de huidige revisie van de pagina.

--- technische_naslag:sid:roer [2025/05/26 11:38] – OpenVPN michelle
+++ technische_naslag:sid:roer [2026/06/04 20:33] (huidige) – Layout verbeteringen michelle
@@ Regel 1: / Regel 1: @@
-===== Introductie =====
+====== Introductie ======
 Al jaren draai ik thuis een servertje, vroeger was dat nogal uitgebreid met diverse netwerk-segmenten waarvoor 't ding router was en had ik mijn eigen mailserver en wat niet meer draaien. Tegenwoordig is het vooral een veredelde NAS, maar wel op een echte server die energiezuinig is met z'n SSD's en een echte distributie erop:
@@ Regel 5: / Regel 5: @@
   * Hardware: HP Proliant Microserver Gen10+
   * Storage: 2x Western Digital Red 2TB SSD
-  * OS: Debian GNU/Linux 12 ("bookworm")
+  * OS: Debian GNU/Linux 13 //trixie// (ge-upgrade van Debian GNU/Linux 12 //bookworm//)
-===== Installatie en Configuratie =====
+====== Installatie en Configuratie ======
-==== Webserver: Apache2 ====
+===== Webserver: Apache2 =====
 Met Let's Encrypt certificaat:
@@ Regel 15: / Regel 15: @@
   * [[https://www.server-world.info/en/note?os=Debian_12&p=ssl&f=2|ServerWorld.info Let's Encrypt HowTo]]
-==== OpenVPN ====
+===== OpenVPN =====
-<code bash>
+==== Installeer OpenVPN server ====
-root@roer:~/bin# ./ubuntu-22.04-lts-vpn-server.sh
-Welcome to the OpenVPN installer!
-The git repository is available at: https://github.com/angristan/openvpn-install
-I need to ask you a few questions before starting the setup.
+Hiervoor gebruik ik een handig scrippie: [[https://github.com/angristan/openvpn-install]]
-You can leave the default options and just press enter if you are ok with them.
+Download het geval en maak het executable:
-I need to know the IPv4 address of the network interface you want OpenVPN listening to.
+<code bash>
-Unless your server is behind NAT, it should be your public IPv4 address.
+curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
-IP address: 192.168.1.2
+chmod +x openvpn-install.sh
+</code>
-It seems this server is behind NAT. What is its public IPv4 address or hostname?
+Voer het uit en gebruik het meest de defaults:
-We need it for the clients to connect to the server.
-Public IPv4 address or hostname: roer.vlet.net
-Checking for IPv6 connectivity...
+<code bash>
+michelle@roer:~/bin$ sudo ./openvpn-install.sh install
+[INFO] === OpenVPN Non-Interactive Install ===
+[INFO] Running in non-interactive mode with the following settings:
+[INFO]   ENDPOINT=77.171.80.214
+[INFO]   ENDPOINT_TYPE=4
+[INFO]   CLIENT_IPV4=y
+[INFO]   CLIENT_IPV6=n
+[INFO]   VPN_SUBNET_IPV4=10.8.0.0
+[INFO]   VPN_SUBNET_IPV6=fd42:42:42:42::
+[INFO]   PORT=1194
+[INFO]   PROTOCOL=udp
+[INFO]   DNS=cloudflare
+[INFO]   MULTI_CLIENT=n
+[INFO]   AUTH_MODE=pki
+[INFO]   CLIENT=client
+[INFO]   CLIENT_CERT_DURATION_DAYS=3650
+[INFO]   SERVER_CERT_DURATION_DAYS=3650
+[INFO] Setting up official OpenVPN repository...
+> apt-get update
+> apt-get install -y ca-certificates curl
+> mkdir -p /etc/apt/keyrings
+> curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg -o /etc/apt/keyrings/openvpn-repo-public.asc
+[INFO] Updating package lists with new repository...
+> apt-get update
+[INFO] OpenVPN official repository configured
+[INFO] Installing OpenVPN and dependencies...
+> apt-get install -y openvpn iptables openssl curl ca-certificates tar dnsutils socat
+[INFO] Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support)
+> mkdir -p /etc/openvpn/server
+> curl -fL --retry 5 -o /tmp/easy-rsa.gsLkP3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.6/EasyRSA-3.2.6.tgz
+[INFO] Verifying Easy-RSA checksum...
+> mkdir -p /etc/openvpn/server/easy-rsa
+> tar xzf /tmp/easy-rsa.gsLkP3.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/server/easy-rsa
+> rm -f /tmp/easy-rsa.gsLkP3.tgz
+[INFO] Initializing PKI...
+> ./easyrsa init-pki
+[INFO] Building CA...
+> ./easyrsa --batch --req-cn=cn_jPf4c13rKvpdCoX7 build-ca nopass
+[INFO] Building server certificate...
+> ./easyrsa --batch build-server-full server_JtWaiX0iDcYANtAt nopass
+> ./easyrsa gen-crl
+[INFO] Generating TLS key...
+> openvpn --genkey tls-crypt-v2-server /etc/openvpn/server/tls-crypt-v2.key
+[INFO] Copying certificates...
+> cp pki/ca.crt pki/private/ca.key pki/issued/server_JtWaiX0iDcYANtAt.crt pki/private/server_JtWaiX0iDcYANtAt.key /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server
+> chmod 644 /etc/openvpn/server/crl.pem
+[INFO] Generating server configuration...
+> mkdir -p /etc/openvpn/server/ccd
+> mkdir -p /var/log/openvpn
+[INFO] Enabling IP forwarding...
+> mkdir -p /etc/sysctl.d
+> sysctl --system
+[INFO] Configuring OpenVPN service...
+> cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
+> sed -i s|LimitNPROC|#LimitNPROC| /etc/systemd/system/openvpn-server@.service
+> sed -i /\[Service\]/a RuntimeDirectory=openvpn-server /etc/systemd/system/openvpn-server@.service
+> systemctl daemon-reload
+> systemctl enable openvpn-server@server
+> systemctl restart openvpn-server@server
+[INFO] Configuring firewall rules...
+> mkdir -p /etc/iptables
+> chmod +x /etc/iptables/add-openvpn-rules.sh
+> chmod +x /etc/iptables/rm-openvpn-rules.sh
+> systemctl daemon-reload
+> systemctl enable iptables-openvpn
+> systemctl start iptables-openvpn
+[INFO] Creating client template...
+[INFO] Generating first client certificate...
+[INFO] Generating client certificate...
+> ./easyrsa --batch build-client-full client nopass
+[OK] Client client added and is valid for 3650 days.
+> cp /etc/openvpn/server/client-template.txt /home/michelle/client.ovpn
+[OK] The configuration file has been written to /home/michelle/client.ovpn.
+[INFO] Download the .ovpn file and import it in your OpenVPN client.
+[OK] If you want to add more clients, you simply need to run this script another time!
+</code>
-Your host appears to have IPv6 connectivity.
+==== Open poort op Fritz!Box firewall ====
-Do you want to enable IPv6 support (NAT)? [y/n]: y
+Vervolgens moet ik op mijn **Fritz!Box** wel deze **poort openen** natuurlijk!
-What port do you want OpenVPN to listen to?
+  * Poortnummer: 1194
-) Default: 1194
+  * Protocol: UDP
-) Custom
-) Random [49152-65535]
-Port choice [1-3]: 1
-What protocol do you want OpenVPN to use?
+==== Configureer OpenVPN server ====
-UDP is faster. Unless it is not available, you shouldn't use TCP.
-) UDP
-) TCP
-Protocol [1-2]: 1
-What DNS resolvers do you want to use with the VPN?
+Daarna nog wat eigen aanpassingen gedaan aan de server config:
-) Current system resolvers (from /etc/resolv.conf)
-) Self-hosted DNS Resolver (Unbound)
-) Cloudflare (Anycast: worldwide)
-) Quad9 (Anycast: worldwide)
-) Quad9 uncensored (Anycast: worldwide)
-) FDN (France)
-) DNS.WATCH (Germany)
-) OpenDNS (Anycast: worldwide)
-) Google (Anycast: worldwide)
-) Yandex Basic (Russia)
-) AdGuard DNS (Anycast: worldwide)
-) NextDNS (Anycast: worldwide)
-) Custom
-DNS [1-12]: 1
-Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
+<code bash>
-Enable compression? [y/n]: n
+michelle@roer:~$ sudo egrep '^server|^push|^\#\#' /etc/openvpn/server.conf
+##server 10.8.0.0 255.255.255.0
+server 192.168.3.0 255.255.255.0
+push "dhcp-option DNS 192.168.1.1"
+push "route 192.168.1.0 255.255.255.0"
+##push "redirect-gateway def1 bypass-dhcp"
+</code>
-Do you want to customize encryption settings?
+==== Maak OpenVPN client config ====
-Unless you know what you're doing, you should stick with the default parameters provided by the script.
-Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
-See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
-Customize encryption settings? [y/n]: n
+<code bash>
+michelle@roer:~/bin$ sudo ./openvpn-install.sh client add MichelleJanse
-Okay, that was all I needed. We are ready to setup your OpenVPN server now.
+=== New Client Setup ===
-You will be able to generate a client at the end of the installation.
-Press any key to continue...
-Ophalen:1 http://security.debian.org/debian-security bookworm-security InRelease [48,0 kB]
-Geraakt:2 http://ftp.nl.debian.org/debian bookworm InRelease
-Ophalen:3 http://ftp.nl.debian.org/debian bookworm-updates InRelease [55,4 kB]
-kB opgehaald in 0s (287 kB/s)
-Pakketlijsten worden ingelezen... Klaar
-Pakketlijsten worden ingelezen... Klaar
-Boom van vereisten wordt opgebouwd... Klaar
-De statusinformatie wordt gelezen... Klaar
-ca-certificates is reeds de nieuwste versie (20230311).
-gnupg is reeds de nieuwste versie (2.2.40-1.1).
-gnupg staat ingesteld op handmatig geïnstalleerd.
-opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
-Pakketlijsten worden ingelezen... Klaar
-Boom van vereisten wordt opgebouwd... Klaar
-De statusinformatie wordt gelezen... Klaar
-iptables is reeds de nieuwste versie (1.8.9-2).
-iptables staat ingesteld op handmatig geïnstalleerd.
-openssl is reeds de nieuwste versie (3.0.16-1~deb12u1).
-openssl staat ingesteld op handmatig geïnstalleerd.
-wget is reeds de nieuwste versie (1.21.3-1+deb12u1).
-ca-certificates is reeds de nieuwste versie (20230311).
-curl is reeds de nieuwste versie (7.88.1-10+deb12u12).
-De volgende extra pakketten zullen geïnstalleerd worden:
-  easy-rsa libccid libnl-genl-3-200 libpcsclite1 libpkcs11-helper1 opensc opensc-pkcs11 pcscd
-Voorgestelde pakketten:
-  pcmciautils resolvconf openvpn-dco-dkms openvpn-systemd-resolved
-De volgende NIEUWE pakketten zullen geïnstalleerd worden:
-  easy-rsa libccid libnl-genl-3-200 libpcsclite1 libpkcs11-helper1 opensc opensc-pkcs11 openvpn pcscd
-opgewaardeerd, 9 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
-Er moeten 2.575 kB aan archieven opgehaald worden.
-Na deze bewerking zal er 7.776 kB extra schijfruimte gebruikt worden.
-Ophalen:1 http://ftp.nl.debian.org/debian bookworm/main amd64 libccid amd64 1.5.2-1 [367 kB]
-Ophalen:2 http://ftp.nl.debian.org/debian bookworm/main amd64 libpcsclite1 amd64 1.9.9-2 [49,7 kB]
-Ophalen:3 http://ftp.nl.debian.org/debian bookworm/main amd64 pcscd amd64 1.9.9-2 [89,7 kB]
-Ophalen:4 http://ftp.nl.debian.org/debian bookworm/main amd64 easy-rsa all 3.1.0-1 [54,8 kB]
-Ophalen:5 http://ftp.nl.debian.org/debian bookworm/main amd64 libnl-genl-3-200 amd64 3.7.0-0.2+b1 [21,6 kB]
-Ophalen:6 http://ftp.nl.debian.org/debian bookworm/main amd64 libpkcs11-helper1 amd64 1.29.0-1 [51,2 kB]
-Ophalen:7 http://ftp.nl.debian.org/debian bookworm/main amd64 opensc-pkcs11 amd64 0.23.0-0.3+deb12u2 [917 kB]
-Ophalen:8 http://ftp.nl.debian.org/debian bookworm/main amd64 opensc amd64 0.23.0-0.3+deb12u2 [372 kB]
-Ophalen:9 http://ftp.nl.debian.org/debian bookworm/main amd64 openvpn amd64 2.6.3-1+deb12u3 [652 kB]
-.575 kB opgehaald in 0s (9.244 kB/s)
-Voorconfigureren van pakketten ...
-Voorheen niet geselecteerd pakket libccid wordt geselecteerd.
-(Database wordt ingelezen ... 74274 bestanden en mappen momenteel geïnstalleerd.)
-Uitpakken van .../0-libccid_1.5.2-1_amd64.deb wordt voorbereid...
-Bezig met uitpakken van libccid (1.5.2-1) ...
-Voorheen niet geselecteerd pakket libpcsclite1:amd64 wordt geselecteerd.
-Uitpakken van .../1-libpcsclite1_1.9.9-2_amd64.deb wordt voorbereid...
-Bezig met uitpakken van libpcsclite1:amd64 (1.9.9-2) ...
-Voorheen niet geselecteerd pakket pcscd wordt geselecteerd.
-Uitpakken van .../2-pcscd_1.9.9-2_amd64.deb wordt voorbereid...
-Bezig met uitpakken van pcscd (1.9.9-2) ...
-Voorheen niet geselecteerd pakket easy-rsa wordt geselecteerd.
-Uitpakken van .../3-easy-rsa_3.1.0-1_all.deb wordt voorbereid...
-Bezig met uitpakken van easy-rsa (3.1.0-1) ...
-Voorheen niet geselecteerd pakket libnl-genl-3-200:amd64 wordt geselecteerd.
-Uitpakken van .../4-libnl-genl-3-200_3.7.0-0.2+b1_amd64.deb wordt voorbereid...
-Bezig met uitpakken van libnl-genl-3-200:amd64 (3.7.0-0.2+b1) ...
-Voorheen niet geselecteerd pakket libpkcs11-helper1:amd64 wordt geselecteerd.
-Uitpakken van .../5-libpkcs11-helper1_1.29.0-1_amd64.deb wordt voorbereid...
-Bezig met uitpakken van libpkcs11-helper1:amd64 (1.29.0-1) ...
-Voorheen niet geselecteerd pakket opensc-pkcs11:amd64 wordt geselecteerd.
-Uitpakken van .../6-opensc-pkcs11_0.23.0-0.3+deb12u2_amd64.deb wordt voorbereid...
-Bezig met uitpakken van opensc-pkcs11:amd64 (0.23.0-0.3+deb12u2) ...
-Voorheen niet geselecteerd pakket opensc wordt geselecteerd.
-Uitpakken van .../7-opensc_0.23.0-0.3+deb12u2_amd64.deb wordt voorbereid...
-Bezig met uitpakken van opensc (0.23.0-0.3+deb12u2) ...
-Voorheen niet geselecteerd pakket openvpn wordt geselecteerd.
-Uitpakken van .../8-openvpn_2.6.3-1+deb12u3_amd64.deb wordt voorbereid...
-Bezig met uitpakken van openvpn (2.6.3-1+deb12u3) ...
-Instellen van libccid (1.5.2-1) ...
-Instellen van libpkcs11-helper1:amd64 (1.29.0-1) ...
-Instellen van opensc-pkcs11:amd64 (0.23.0-0.3+deb12u2) ...
-Instellen van libpcsclite1:amd64 (1.9.9-2) ...
-Instellen van libnl-genl-3-200:amd64 (3.7.0-0.2+b1) ...
-Instellen van easy-rsa (3.1.0-1) ...
-Instellen van openvpn (2.6.3-1+deb12u3) ...
-Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
-Instellen van opensc (0.23.0-0.3+deb12u2) ...
-Instellen van pcscd (1.9.9-2) ...
-Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
-pcscd.service is a disabled or a static unit, not starting it.
-Bezig met afhandelen van triggers voor mailcap (3.70+nmu1) ...
-Bezig met afhandelen van triggers voor libc-bin (2.36-9+deb12u10) ...
-Bezig met afhandelen van triggers voor man-db (2.11.2-2) ...
-Scanning processes...
-Scanning processor microcode...
-Scanning linux images...
-The processor microcode seems to be up-to-date.
+[INFO] Generating client certificate...
+> ./easyrsa --batch build-client-full MichelleJanse nopass
+[OK] Client MichelleJanse added and is valid for 3650 days.
+> cp /etc/openvpn/server/client-template.txt /home/michelle/MichelleJanse.ovpn
-No services need to be restarted.
+[OK] The configuration file has been written to /home/michelle/MichelleJanse.ovpn.
+[INFO] Download the .ovpn file and import it in your OpenVPN client.
+</code>
-No containers need to be restarted.
+En klaar is Kees. Oh nee: **klaar is de oudste dochter van Kees!!**
-No user sessions are running outdated binaries.
+====== Hardening ======
-No VM guests are running outdated hypervisor (qemu) binaries on this host.
+Nadat de functionaliteit erin zit mag er ook nog wel aan de veiligheid gedaan worden. Want Debian GNU/Linux is out-of-the-box wel aardig in elkaar gestoken maar het kan nog altijd beter!
---2025-05-26 13:38:08--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
-Herleiden van github.com (github.com)... 140.82.121.4
-Verbinding maken met github.com (github.com)|140.82.121.4|:443... verbonden.
-HTTP-verzoek is verzonden; wachten op antwoord... 302 Found
-Locatie: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T113808Z&X-Amz-Expires=300&X-Amz-Signature=56754b42dc77d345fbf5a2f431d1a66ad2e6fd0eb342983428c5daa2a2081d89&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [volgen...]
---2025-05-26 13:38:08--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T113808Z&X-Amz-Expires=300&X-Amz-Signature=56754b42dc77d345fbf5a2f431d1a66ad2e6fd0eb342983428c5daa2a2081d89&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
-Herleiden van objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
-Verbinding maken met objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... verbonden.
-HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
-Lengte: 68984 (67K) [application/octet-stream]
-Wordt opgeslagen als: ‘/root/easy-rsa.tgz’
-/root/easy-rsa.tgz                                         100%[========================================================================================================================================>]  67,37K  --.-KB/s    in 0,007s
+===== Lynis =====
--05-26 13:38:08 (9,07 MB/s) - '‘/root/easy-rsa.tgz’' opgeslagen [68984/68984]
+Een tooltje om de hardening van het systeem te scannen en met adviezen te komen. Geen daemon maar een check van mijn systeem: kan er qua veiligheid nog wat verbeterd worden? De versie in Debian GNU/Linux loopt achter dus een aparte repo toegevoegd, zoals beschreven op [[https://packages.cisofy.com/community/]]
+<code bash>
+root@roer:~# curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
+root@roer:~# echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
+deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
+</code>
-Notice
+Daarna een scan draaien:
-------
-'init-pki' complete; you may now create a CA or requests.
-Your newly created PKI dir is:
+<code bash>
-* /etc/openvpn/easy-rsa/pki
+root@roer:~# sudo lynis audit system
+</code>
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+Een malware scanner had ik nog niet, dus.....
-* The preferred location for 'vars' is within the PKI folder.
+==== Extra packages ====
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-* Using x509-types directory: /etc/openvpn/easy-rsa/x509-types
+<code bash>
+root@roer:~# sudo apt install rkhunter apt-show-versions debsums
+</code>
+==== Permissies ====
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
+<code bash>
+sudo chmod o-rwx /home/*
+</code>
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+en in <code bash>/etc/login.defs</code> de UMASK op 027 gezet.
-* The preferred location for 'vars' is within the PKI folder.
+==== Blacklist rare modules ====
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-Using configuration from /etc/openvpn/easy-rsa/pki/76b20386/temp.e994fa7e
------
-Notice
+<code bash>
-------
+michelle@lummel:~$ sudo cat /etc/modprobe.d/lynis-blacklist.conf
-CA creation complete and you may now import and sign cert requests.
+install dccp /bin/true
-Your new CA certificate file for publishing is at:
+install sctp /bin/true
-/etc/openvpn/easy-rsa/pki/ca.crt
+install rds /bin/true
+install tipc /bin/true
+</code>
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
+==== Purge restanten van packages ====
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+Er slingeren soms nog configuratie-bestanden en andere cruft rond van packages die allang niet meer op het systeem staan. Die herken je in de output van `dpkg -l` doordat ze beginnen met rc. Mik deze weg:
-* The preferred location for 'vars' is within the PKI folder.
+<code bash>
-  To silence this message move your 'vars' file to your PKI
+michelle@roer:~$ dpkg -l | grep ^rc | awk '{ print $2 }' | xargs echo " "
-  or declare your 'vars' file with option: --vars=<FILE>
+  libpython3.10-minimal:amd64 linux-image-6.0.0-5-amd64 linux-image-6.0.0-6-amd64 linux-image-6.1.0-1-amd64 linux-image-6.1.0-10-amd64 linux-image-6.1.0-11-amd64 linux-image-6.1.0-12-amd64 linux-image-6.1.0-13-amd64 linux-image-6.1.0-14-amd64 linux-image-6.1.0-15-amd64 linux-image-6.1.0-16-amd64 linux-image-6.1.0-17-amd64 linux-image-6.1.0-18-amd64 linux-image-6.1.0-2-amd64 linux-image-6.1.0-20-amd64 linux-image-6.1.0-21-amd64 linux-image-6.1.0-22-amd64 linux-image-6.1.0-23-amd64 linux-image-6.1.0-25-amd64 linux-image-6.1.0-26-amd64 linux-image-6.1.0-27-amd64 linux-image-6.1.0-28-amd64 linux-image-6.1.0-29-amd64 linux-image-6.1.0-3-amd64 linux-image-6.1.0-30-amd64 linux-image-6.1.0-31-amd64 linux-image-6.1.0-32-amd64 linux-image-6.1.0-33-amd64 linux-image-6.1.0-34-amd64 linux-image-6.1.0-5-amd64 linux-image-6.1.0-6-amd64 linux-image-6.1.0-7-amd64 linux-image-6.1.0-9-amd64 python3.10-minimal
------
+</code>
-Notice
-------
-Keypair and certificate request completed. Your files are:
-req: /etc/openvpn/easy-rsa/pki/reqs/server_0qKxcCwxJ128Et3H.req
-key: /etc/openvpn/easy-rsa/pki/private/server_0qKxcCwxJ128Et3H.key
-Using configuration from /etc/openvpn/easy-rsa/pki/87f87fc8/temp.6779c4b4
-Check that the request matches the signature
-Signature ok
-The Subject's Distinguished Name is as follows
-commonName            :ASN.1 12:'server_0qKxcCwxJ128Et3H'
-Certificate is to be certified until Aug 29 11:38:09 2027 GMT (825 days)
-Write out database with 1 new entries
-Database updated
-Notice
-------
-Certificate created at:
-* /etc/openvpn/easy-rsa/pki/issued/server_0qKxcCwxJ128Et3H.crt
-Notice
-------
-Inline file created:
-* /etc/openvpn/easy-rsa/pki/inline/server_0qKxcCwxJ128Et3H.inline
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+===== AppArmor =====
-* The preferred location for 'vars' is within the PKI folder.
+** ToDo **
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-Using configuration from /etc/openvpn/easy-rsa/pki/81e7987e/temp.40b68fda
-Notice
-------
-An updated CRL has been created.
-CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
--05-26 13:38:09 DEPRECATED OPTION: The option --secret is deprecated.
--05-26 13:38:09 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
-* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
-* Applying /etc/sysctl.d/99-openvpn.conf ...
-* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
-* Applying /etc/sysctl.d/99-sysctl.conf ...
-* Applying /etc/sysctl.conf ...
-kernel.pid_max = 4194304
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
-fs.protected_fifos = 1
-fs.protected_hardlinks = 1
-fs.protected_regular = 2
-fs.protected_symlinks = 1
-Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
-Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.
-Tell me a name for the client.
-The name must consist of alphanumeric character. It may also include an underscore or a dash.
-Client name: MichelleJanse
-Do you want to protect the configuration file with a password?
-(e.g. encrypt the private key with a password)
-) Add a passwordless client
-) Use a password for the client
-Select an option [1-2]: 1
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
-* The preferred location for 'vars' is within the PKI folder.
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
------
-Notice
-------
-Keypair and certificate request completed. Your files are:
-req: /etc/openvpn/easy-rsa/pki/reqs/MichelleJanse.req
-key: /etc/openvpn/easy-rsa/pki/private/MichelleJanse.key
-Using configuration from /etc/openvpn/easy-rsa/pki/8d0039fd/temp.83d1eeb1
-Check that the request matches the signature
-Signature ok
-The Subject's Distinguished Name is as follows
-commonName            :ASN.1 12:'MichelleJanse'
-Certificate is to be certified until Aug 29 11:38:16 2027 GMT (825 days)
-Write out database with 1 new entries
-Database updated
-Notice
-------
-Certificate created at:
-* /etc/openvpn/easy-rsa/pki/issued/MichelleJanse.crt
-Notice
-------
-Inline file created:
-* /etc/openvpn/easy-rsa/pki/inline/MichelleJanse.inline
-Client MichelleJanse added.
-The configuration file has been written to /root/MichelleJanse.ovpn.
-Download the .ovpn file and import it in your OpenVPN client.
-</code>