Tim, I appreciate the really quick response.

> How did you create the NM configuration for that VPN? Can you give
> indications how you translated client.conf values to NM mask entries?
>

Well here is my client.conf:

tls-client
remote 192.168.7.200
port 1194
proto udp
dev tap
pull
resolv-retry infinite
nobind
cipher BF-CBC
auth SHA1
ca /etc/openvpn/cacert.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
#daemon
user nobody
group nogroup
ping 15
ping-restart 45
resolv-retry 300
ping-timer-rem
persist-tun
persist-key
#log /var/log/openvpn.log
verb 3

I translated this to be

Gateway:192.168.7.200
Connection Type: X.509 Certificates
CA file /etc/openvpn/cacert.crt
Certificate /etc/openvpn/client.crt
key /etc/openvpn/client.key

And to check Use TAP device

> I think the problem may be the following: NM strictly enforces the
> server key to be a server key. This means: In the certificate presented
> to your client is a flag which denotes the certificate to be a "server"
> certificate. This is for the following reason: Imagine a network where a
> client has been compromised. If you would not check for the server flag
> this client certificate could be used to fake a server (as the
> certificate is still valid and signed by the CA).
> But in the HOWTO this is _not_ done, and so this may be the reason why
> this fails. I strongly recommend to use the easy-rsa suite that comes
> with OpenVPN to create keys and signing requests. If you can't do that
> consider the following: the line that reads

After reading this, that makes perfect sense.

> openssl req -nodes -new -keyout server.key -out server.csr
>
> in the tutorial should be
>
> openssl req -nodes -new -keyout server.key -out server.csr -extensions
> server
>

I tried on 3 desktops to use that command, but I must be missing a package for server extensions in openssl. If I can't find a box that has this or my missing package, I will just become my own CA and sign my keys that way using easy-rsa. I have a feeling that will probably take care of all my problems.

>
> I also don't know what the latest versions are that have been compiled
> for Ubuntu. Is that really the current version? Check version numbers
> from the package (or better: source) with the ones from CVS (cvs.gnome.org).
>

Looks like we are running NM-0.6.2 with some Ubuntu-specific patches added. Someone on the forums rolled their own VPN package to add on, which sparked my interest with openWRT. As of current, Ubuntu doesn't have any repository versions of OpenVPN. It looks like the package was taken from SVN on April-03-2006.

Again, I really appreciate the help here. After I have things going well here (hopefully with CACert), I'll contribute to that wiki so that future users can bask in NM's glory :)

-Mario
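The server-flag check discussed in this message can be reproduced offline. The script below is an added example, not part of the original thread or of NetworkManager or OpenVPN; it assumes the "server" flag is the nsCertType extension, and the CA, the certificate names and the `issue` and `has_server_flag` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a certificate signed without extensions to one
# signed with a "server" extension section. Everything lives in a temp
# directory; nothing under /etc/openvpn is read or written.
WORK=$(mktemp -d)

# Throwaway CA (constructed test data).
openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Extension section named "server" (assumed contents: marks a server cert).
cat > "$WORK/ext.cnf" <<'EOF'
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
EOF

# issue NAME [extra x509 args]: create key + CSR, then sign with the test CA.
issue() {
    name=$1; shift
    openssl req -nodes -new -newkey rsa:2048 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/$name.crt" "$@" 2>/dev/null
}

# has_server_flag CERT: succeeds only if nsCertType exists and lists SSL Server.
has_server_flag() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

issue plain                                                 # no extensions
issue flagged -extfile "$WORK/ext.cnf" -extensions server   # server section

for c in plain flagged; do
    if has_server_flag "$WORK/$c.crt"; then echo "$c: server flag present"
    else echo "$c: no server flag"; fi
done
```

Both certificates chain to the same CA, so signature validation alone cannot tell them apart; only the extension check does.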