Fedora Linux Support Community & Resources Center
#1
Old 22nd May 2012, 01:26 PM
seabird
Registered User
Join Date: Jan 2009
Location: Den Bosch, Netherlands
Posts: 282
OpenVPN certificates

Hi everyone,

I am trying to set up an OpenVPN server on my server according to a tutorial from Linux Format (magazine). It tells me to edit the vars for the certificates, but I stumble across 2 sets of vars.

In the directory /usr/share/openvpn/ there are 2 subfolders: 1.0 and 2.0.
Both come with their own, slightly different vars file.

1.0
Code:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY=KG
export KEY_PROVINCE=NA
export KEY_CITY=BISHKEK
export KEY_ORG="OpenVPN-TEST"
export KEY_EMAIL="me@myhost.mydomain"
2.0
Code:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"                # in red: NL
export KEY_PROVINCE="CA"               # in red: NB
export KEY_CITY="SanFrancisco"         # in red: MyCity
export KEY_ORG="Fort-Funston"          # in red: MyServer
export KEY_EMAIL="me@myhost.mydomain"  # in red: me@email.com
export KEY_EMAIL=mail@host.domain      # in red: ???
export KEY_CN=changeme                 # in red: MyServer
export KEY_NAME=changeme               # in red: Server
export KEY_OU=changeme                 # in red: MyServer
export PKCS11_MODULE_PATH=changeme     # in red: ????
export PKCS11_PIN=1234                 # in red: pinofmychoice??
Which to edit? Does it make a difference? Turns out 2.0 is the one to edit. Are the red answers correct? What should they say? Certificates always confuse the crap out of me ........
__________________
OS: Fedora 16
Casing: Chenbro RM21508B
Mainboard: ATX D2778
Processor: Intel Xeon W3550 (8 core)
Memory: 6Gb DDR3, ECC, 1333 MHz, PC3-10600
HD #1: OCZ Vertex 3 60Gb
Storage Drives: 4x 2Tb WD20EARS + 2x 2Tb WD20EARX
Graphics: Nvidia GeForce 210 Silent
PCI Card: Promise FastTrak TX4

Last edited by seabird; 22nd May 2012 at 01:53 PM.
#2
Old 22nd May 2012, 01:56 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,372
Re: OpenVPN certificates

If you don't know the difference then use 2.0. Also, don't modify /usr/openvpn/easy-rsa/. Copy it to a safe place, make your changes, and run the scripts from there. Also read the README.
#3
Old 22nd May 2012, 01:58 PM
seabird
Registered User
Join Date: Jan 2009
Location: Den Bosch, Netherlands
Posts: 282
Re: OpenVPN certificates

Quote:
Originally Posted by beaker_
If you don't know the difference then use 2.0. Also, don't modify /usr/openvpn/easy-rsa/. Copy it to a safe place, make your changes, and run the scripts from there. Also read the README.
Thank you, I did copy the files to /etc/openvpn before the edit. I also found that the 2.0 edit is the best way to go, but now I'm unsure how to answer each one.
#4
Old 22nd May 2012, 02:02 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,372
Re: OpenVPN certificates

Quote:
export PKCS11_MODULE_PATH=changeme ????
export PKCS11_PIN=1234 pinofmychoice??
Are from the "PKCS11 fixes" section. Use what you like. You should be more worried about "export KEY_SIZE=", and I strongly recommend 2048 or better. Remember, you're creating your own CA here, at least I think you're heading that way, so you use whatever you want. The only requirement is: it has to make sense to you because you may use those properties later.
#5
Old 22nd May 2012, 02:04 PM
seabird
Registered User
Join Date: Jan 2009
Location: Den Bosch, Netherlands
Posts: 282
Re: OpenVPN certificates

So, if I understand correctly, this is where they will be stored? Or should they refer to a path? Yes, I am creating my own certificates here (or I am trying, at least....)
#6
Old 22nd May 2012, 02:22 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,372
Re: OpenVPN certificates

Don't sweat it. Shrug your shoulders and say, 'I'll blow this certificate authority away a dozen times before I'm comfortable anyway.'

For the impatient:
http://openvpn.net/index.php/open-so...ion/howto.html

In its simplest form, it reduces to:
Code:
source ./vars
./clean-all
./build-ca
./build-key-server WhatEverNameYouLike
./build-key SomeDescriptiveName
./build-key-pass SomeDescriptiveNameButHeBetterKnowThePassword
./build-dh
Maybe I'll build a key for tls also. Yeah, I forget the exact syntax.


Two days later and I want to add another client.
source ./vars
./build-key or ./build-key-pass depending on what I want. But don't do a clean-all!

Everything gets dumped into "keys" and it's your job to either copy things where you need them or build a script and let it do the work for you. Do a clean-all only when you want to blow everything away and restart from scratch.
#7
Old 22nd May 2012, 02:27 PM
seabird
Registered User
Join Date: Jan 2009
Location: Den Bosch, Netherlands
Posts: 282
Re: OpenVPN certificates

Thank you for this. I have tried to deal with certificates before and still have the grey hairs to prove it.

Creating the certificates I somewhat understand, but I never edited a vars file, meaning I typed A LOT!!!!!

Looking at the vars, most things make sense, but I'm still lost at the
Code:
export KEY_EMAIL=mail@host.domain
export PKCS11_MODULE_PATH=changeme
What to do with these??

Every time someone comes up with certs I shiver a bit.....
#8
Old 22nd May 2012, 03:11 PM
beaker_
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,372
Re: OpenVPN certificates

Code:
export KEY_EMAIL=mail@host.domain
export PKCS11_MODULE_PATH=changeme
KEY_EMAIL
I normally use a descriptive email so I default it to my own and then enter an address for the client/server/satellite when I build the key.

PKCS11_MODULE_PATH=changeme
It's an option and Win/Lin/BSD remember. Are you using PKCS11? If you don't know, then you're not, so leave it unchanged. If you removed the comment mark, then you've already chased and installed the modules. So enter the path. See README.

---------- Post added at 11:01 AM ---------- Previous post was at 10:40 AM ----------

oops. looks like I've followed the line to generate web certificates.

The simplest explanation I can give is:
- if you're using the build-ca, build-key, build-key-server scripts then it's a non-issue.
- if you're using the pkitool script, then it is an issue and I've never used it. It'll take a while for me to dig it up.

---------- Post added at 11:11 AM ---------- Previous post was at 11:01 AM ----------

Sorry for the double posting:

From the README you need opensc so..., in my case CentOS:
Code:
opensc-0.12.2-2.el6.i686
Repo : epel-6
Matched from:
Filename : /usr/lib/pkcs11/opensc-pkcs11.so
Filename : /usr/lib/opensc-pkcs11.so

Let yum do the work in Fedora.


Good Luck
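As an added example (not code from the thread or from easy-rsa itself), here is a small Python checker for an easy-rsa 2.0 vars file that applies the advice given in this thread: the required fields must not be blank, the shipped placeholder values should be replaced, KEY_SIZE should be 2048 or larger, and the PKCS#11 settings may stay at their defaults unless a hardware token is actually in use. The sample vars text is constructed from the 2.0 file quoted above.

```python
import re
import shlex

# Constructed sample, modelled on the Fedora easy-rsa 2.0 vars file quoted in the thread
SAMPLE_VARS = """\
export KEY_SIZE=1024
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NB"
export KEY_CITY="MyCity"
export KEY_ORG="MyServer"
export KEY_EMAIL="me@email.com"
export KEY_CN=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
"""

REQUIRED = ("KEY_COUNTRY", "KEY_PROVINCE", "KEY_CITY", "KEY_ORG", "KEY_EMAIL")  # must not be blank
PLACEHOLDERS = ("changeme", "me@myhost.mydomain", "mail@host.domain")  # shipped defaults to replace
PKCS11_VARS = ("PKCS11_MODULE_PATH", "PKCS11_PIN")  # only matter when a hardware token is used
MIN_KEY_SIZE = 2048  # beaker_'s recommendation: 2048 or better

EXPORT_RE = re.compile(r"^\s*export\s+([A-Z0-9_]+)=(.*)$")

def parse_vars(text):
    """Map NAME -> value for each 'export NAME=value' line (quotes and # comments removed)."""
    env = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            name, raw = m.groups()
            parts = shlex.split(raw, comments=True)  # '"US" NL' -> ['US', 'NL']; keep the value
            env[name] = parts[0] if parts else ""
    return env

def check_vars(env, using_pkcs11=False):
    """Return findings as strings; an empty list means the file is ready to source."""
    findings = []
    for name in REQUIRED:
        if not env.get(name):
            findings.append(f"{name} is blank")
    for name, value in env.items():
        skip = name in PKCS11_VARS and not using_pkcs11  # leave PKCS#11 defaults alone
        if value in PLACEHOLDERS and not skip:
            findings.append(f"{name} still has placeholder '{value}'")
    size = env.get("KEY_SIZE", "")
    if not size.isdigit() or int(size) < MIN_KEY_SIZE:
        findings.append(f"KEY_SIZE={size or 'unset'}: use {MIN_KEY_SIZE} or larger")
    return findings
```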
#9
Old 22nd May 2012, 03:23 PM
errorxp
Registered User
Join Date: Jul 2007
Posts: 371
Re: OpenVPN certificates

Actually you could use the static key generation approach and skip messing with the certs altogether.
Look here: http://openvpn.net/index.php/open-so...ini-howto.html
__________________
these command lines are like casino slot machines, every time I input commands NOTHING HAPPENS
#10
Old 23rd May 2012, 10:23 AM
seabird
Registered User
Join Date: Jan 2009
Location: Den Bosch, Netherlands
Posts: 282
Re: OpenVPN certificates

Hi, just a quick update from my side. I guess I did manage the certificates. Moved them all to /etc/openvpn/

Edited the config file:
Code:
;local a.b.c.d

port 1194

;proto tcp
proto udp

;dev tap
dev tun

;dev-node MyTap

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/2.0/keys/server.key  # This file should be kept secret

dh /etc/openvpn/dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

;client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

comp-lzo

;max-clients 100

;user nobody
;group nobody

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20
Started the server and forwarded port 1194 to my server.
Code:
May 23 10:59:13 server openvpn[11581]: OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep  9 2011
May 23 10:59:13 server openvpn[11581]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 23 10:59:13 server openvpn[11581]: Diffie-Hellman initialized with 2048 bit key
May 23 10:59:13 server openvpn[11581]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
May 23 10:59:13 server openvpn[11581]: Socket Buffers: R=[212992->131072] S=[212992->131072]
May 23 10:59:13 server openvpn[11581]: ROUTE default_gateway=192.168.178.1
May 23 10:59:13 server kernel: [131744.742244] tun: Universal TUN/TAP device driver, 1.6
May 23 10:59:13 server kernel: [131744.742250] tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
May 23 10:59:13 server openvpn[11581]: TUN/TAP device tun0 opened
May 23 10:59:13 server openvpn[11581]: TUN/TAP TX queue length set to 100
May 23 10:59:13 server openvpn[11581]: /sbin/ip link set dev tun0 up mtu 1500
May 23 10:59:13 server openvpn[11581]: /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
May 23 10:59:13 server openvpn[11581]: /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
May 23 10:59:13 server openvpn[11581]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
May 23 10:59:13 server openvpn[11590]: UDPv4 link local (bound): [undef]:1194
May 23 10:59:13 server openvpn[11590]: UDPv4 link remote: [undef]
May 23 10:59:13 server openvpn[11590]: MULTI: multi_init called, r=256 v=256
May 23 10:59:13 server openvpn[11590]: IFCONFIG POOL: base=10.8.0.4 size=62
May 23 10:59:13 server openvpn[11590]: IFCONFIG POOL LIST
May 23 10:59:13 server openvpn[11590]: Initialization Sequence Completed
The server is listed in the ifconfig:
Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
So far so good. Now I wanted to connect my (non-jailbroken) iPhone to the server ...... stuck!!!

Any help is appreciated
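An added check (not part of the thread) over a server config like the one posted above: it parses the active directives and flags the hardening options that the posted file leaves commented out, namely the user/group privilege drop, tls-auth, and the Blowfish default cipher, plus duplicate-cn if it were ever enabled. The config text below is a constructed, shortened copy of the posted one.

```python
import shlex

# Constructed, shortened copy of the server config posted above (';' lines are comments)
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher AES-128-CBC   # AES
comp-lzo
;duplicate-cn
;user nobody
;group nobody
persist-key
persist-tun
verb 3
"""

def parse_conf(text):
    """Map directive -> list of argument lists for active lines; ';' and '#' start comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line, comments=True)  # drops trailing '# ...' notes
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf

def check_conf(conf):
    """Return hardening findings; an empty list means the checked directives are all set."""
    findings = []
    if "user" not in conf or "group" not in conf:
        findings.append("user/group not set: openvpn keeps root privileges after startup")
    if "tls-auth" not in conf:
        findings.append("tls-auth not set: control channel lacks the shared HMAC key")
    cipher = conf.get("cipher", [["BF-CBC"]])[-1][0]  # BF-CBC is the 2.2 default
    if cipher == "BF-CBC":
        findings.append("cipher is Blowfish (BF-CBC default): set an AES cipher explicitly")
    if "duplicate-cn" in conf:
        findings.append("duplicate-cn: several clients may share one certificate")
    return findings
```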