From e7e5b855460fd036db425bb73657b5492bcbf63c Mon Sep 17 00:00:00 2001 From: Valerio Bozzolan Date: Tue, 17 Jun 2025 07:22:00 +0200 Subject: [PATCH 1/6] OpenVPN: fix typo in path 'etc/openvpn' reported by @panlinux Ref https://github.com/canonical/ubuntu-server-documentation/pull/296/files#r2150915189 --- how-to/security/install-openvpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index 0088fe36..ad1313dd 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md @@ -122,7 +122,7 @@ key myservername.key dh dh.pem ``` -Complete this set with a TLS Authentication (TA) key in `etc/openvpn` for `tls-auth` like this: +Complete this set with a TLS Authentication (TA) key in `/etc/openvpn` for `tls-auth` like this: ```bash sudo openvpn --genkey --secret ta.key From 5c859ae60e0313d159209aae7fa533943770c29a Mon Sep 17 00:00:00 2001 From: Valerio Bozzolan Date: Sun, 15 Jun 2025 22:22:59 +0200 Subject: [PATCH 2/6] OpenVPN: fix position of server.conf since Ubuntu 22.04 LTS Ref https://github.com/canonical/ubuntu-server-documentation/issues/216 --- how-to/security/install-openvpn.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index ad1313dd..8781e128 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md 
@@ -100,13 +100,18 @@ Since the client certificates and keys are only required on the client machine, Included with your OpenVPN installation are these (and many more) sample configuration files: ```bash -root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/ -total 68 --rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf --rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz +root@server:/# ls /usr/share/doc/openvpn/examples/sample-config-files/* +/usr/share/doc/openvpn/examples/sample-config-files/client.conf +/usr/share/doc/openvpn/examples/sample-config-files/server.conf ``` -Start by copying and unpacking `server.conf.gz` to `/etc/openvpn/server.conf`: +Start by copying the example server configuration to `/etc/openvpn/server.conf`: + +```bash +sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/myserver.conf +``` + +In Ubuntu 20.04 or older, do this instead: ```bash sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/myserver.conf.gz From 5a82051d17a94fa23cc85b555ea7fa40622e0fec Mon Sep 17 00:00:00 2001 From: Valerio Bozzolan Date: Sun, 15 Jun 2025 22:23:46 +0200 Subject: [PATCH 3/6] OpenVPN: add explicit tls-auth server configuration Ref https://github.com/canonical/ubuntu-server-documentation/issues/216 --- how-to/security/install-openvpn.md | 1 + 1 file changed, 1 insertion(+) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index 8781e128..052cb896 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md @@ -125,6 +125,7 @@ ca ca.crt cert myservername.crt key myservername.key dh dh.pem +tls-auth ta.key 0 ``` Complete this set with a TLS Authentication (TA) key in `/etc/openvpn` for `tls-auth` like this: From d89fb00b7b97a9e587630cf7cfc0ba0ff3c6d17e Mon Sep 17 00:00:00 2001 
From: Valerio Bozzolan Date: Sun, 15 Jun 2025 22:24:37 +0200 Subject: [PATCH 4/6] OpenVPN: fix deprecated genkey usage Avoid the following OpenVPN deprecation notice while generating the key: DEPRECATED OPTION: The option --secret is deprecated. WARNING: Using --genkey --secret filename is DEPRECATED. Use --genkey secret filename instead. In short: #Bad: 'sudo openvpn --genkey --secret ta.key' #Good: 'sudo openvpn --genkey secret ta.key' Ref https://github.com/canonical/ubuntu-server-documentation/issues/216 --- how-to/security/install-openvpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index 052cb896..3f1916a7 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md @@ -131,7 +131,7 @@ tls-auth ta.key 0 Complete this set with a TLS Authentication (TA) key in `/etc/openvpn` for `tls-auth` like this: ```bash -sudo openvpn --genkey --secret ta.key +sudo openvpn --genkey secret ta.key ``` Edit `/etc/sysctl.conf` and uncomment the following line to enable IP forwarding: From be8ab66fc0678c37f0a5d7bd976b7aaadbc25829 Mon Sep 17 00:00:00 2001 From: Valerio Bozzolan Date: Sun, 15 Jun 2025 22:25:12 +0200 Subject: [PATCH 5/6] OpenVPN: troubleshooting: mention pitfall about "tls-auth" 1 VS 0 If you get this error: TLS Error: cannot locate HMAC in incoming packet from ... Very probably you will appreciate the added entry in the troubleshooting list. Ref https://github.com/canonical/ubuntu-server-documentation/issues/216 --- how-to/security/install-openvpn.md | 1 + 1 file changed, 1 insertion(+) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index 3f1916a7..d45b43f7 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md 
@@ -346,6 +346,7 @@ If the above didn't work for you, check the following: - Client and server must use same protocol and port, e.g. UDP port 1194, see `port` and `proto` config options. - Client and server must use the same compression configuration, see `comp-lzo` config option. - Client and server must use same config regarding bridged vs. routed mode, see `server vs server-bridge` config option +- Client must use the config `tls-auth` with index `1` (example client config: `tls-auth ta.key 1`), but server must use `tls-auth` with index `0` (example server config: `tls-auth ta.key 0`). ## Advanced configuration From 693a975b354d9d149d3c88ddf7b2d26b00f6acfd Mon Sep 17 00:00:00 2001 From: Valerio Bozzolan Date: Tue, 17 Jun 2025 08:04:40 +0200 Subject: [PATCH 6/6] OpenVPN: fix missing /usr/share/doc under Docker Ref https://github.com/canonical/ubuntu-server-documentation/issues/216#issuecomment-2978945494 --- how-to/security/install-openvpn.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/how-to/security/install-openvpn.md b/how-to/security/install-openvpn.md index d45b43f7..3ad97bec 100644 --- a/how-to/security/install-openvpn.md +++ b/how-to/security/install-openvpn.md @@ -105,6 +105,16 @@ root@server:/# ls /usr/share/doc/openvpn/examples/sample-config-files/* /usr/share/doc/openvpn/examples/sample-config-files/server.conf ``` +If these files under `/usr/share/doc/*` are not available: + +> Official minimal environments like Ubuntu Docker are optimized to never install stuff like documentation files (you probably also have not `sudo` there, etc). +> To re-install the necessary documentation, at this point you can run these commands, as the root user: +> +> ```bash +> echo 'path-include=/usr/share/doc/openvpn/examples/*' > /etc/dpkg/dpkg.cfg.d/my-openvpn +> apt install --reinstall openvpn +> ``` + Start by copying the example server configuration to `/etc/openvpn/server.conf`: ```bash
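Review bot: In the PATCH 2/6 hunk (`@@ -100,13 +100,18 @@`), the prose line `Start by copying the example server configuration to `/etc/openvpn/server.conf`:` names a different destination than the command directly beneath it, which copies to `/etc/openvpn/myserver.conf`; pick one filename and use it in both places (the retained 20.04 block below also writes `myserver.conf.gz`). Since the 22.04+ path now copies an uncompressed `server.conf`, any later step that unpacks the `.gz` file should be marked as applying only to the "Ubuntu 20.04 or older" branch, otherwise readers on newer releases will try to gunzip a plain file.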
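Review bot: In the PATCH 3/6 hunk (`@@ -125,6 +125,7 @@`), the added `tls-auth ta.key 0` server directive has no counterpart on the client side in this series; the client configuration needs the matching `tls-auth ta.key 1` line for the handshake to succeed, and the troubleshooting bullet added in PATCH 5/6 already documents exactly that pairing, so the client config example should be updated in the same change to keep the two halves of the page consistent.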
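Review bot: In the PATCH 4/6 hunk (`@@ -131,7 +131,7 @@`), `sudo openvpn --genkey secret ta.key` writes `ta.key` into whatever directory the reader happens to be in, while the sentence above says the key belongs in `/etc/openvpn` and the server directive `tls-auth ta.key 0` resolves the name relative to the config directory; use an absolute path, e.g. `sudo openvpn --genkey secret /etc/openvpn/ta.key`, or precede the command with `cd /etc/openvpn`. The new `--genkey secret` spelling is what the quoted deprecation notice asks for, but the page still keeps an "Ubuntu 20.04 or older" path (PATCH 2/6); worth confirming that release's OpenVPN accepts the new form and, if not, keeping the `--secret` form for it. Because `ta.key` is a shared secret, a short note that it should be kept with restrictive permissions and copied to clients only over a trusted channel would fit here.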
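Review bot: In the PATCH 5/6 hunk (`@@ -346,6 +346,7 @@`), the new troubleshooting bullet would be far more discoverable if it quoted the symptom named in the commit message, `TLS Error: cannot locate HMAC in incoming packet`, since that string is what a user will search for. The neighbouring bullets also use the shorter "Client and server must use ..." phrasing and no trailing period, so something like `- Client and server must use opposite `tls-auth` key directions, `tls-auth ta.key 0` on the server and `tls-auth ta.key 1` on the client; a mismatch shows up as `TLS Error: cannot locate HMAC in incoming packet`` would match the list style.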
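Review bot: In the PATCH 6/6 hunk (`@@ -105,6 +105,16 @@`), the Docker guidance is wrapped in a `>` blockquote, which renders as a quotation rather than as documentation text; the other guidance added in this series (the "In Ubuntu 20.04 or older" paragraph in PATCH 2/6) is plain prose, so drop the `>` prefixes. The sentence "you probably also have not `sudo` there, etc" should read "you probably do not have `sudo` there either", and "stuff like documentation files" reads better as "files such as documentation". The `echo ... > /etc/dpkg/dpkg.cfg.d/my-openvpn` command silently overwrites any existing file of that name; `my-openvpn` is a placeholder-style name, so either say the reader may choose any name or pick one that signals its purpose, and state that the `path-include` rule must be in place (and take effect over the image's existing documentation exclusion) before `apt install --reinstall openvpn` runs, otherwise the example files are skipped again.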