Re: OpenVPN setup


I appreciate the really quick response.

> How did you create the NM configuration for that VPN? Can you give
> indications how you translated client.conf values to NM mask entries?

Well here is my client.conf:
port 1194
proto udp
dev tap


resolv-retry infinite

cipher BF-CBC
auth SHA1

ca /etc/openvpn/cacert.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key

user nobody
group nogroup

ping 15
ping-restart 45
resolv-retry 300

#log /var/log/openvpn.log
verb 3

I translated this to be


Connection Type: X.509 Certificates

CA file /etc/openvpn/cacert.crt
Certificate /etc/openvpn/client.crt
key /etc/openvpn/client.key

And to check Use TAP device

> I think the problem may be the following: NM strictly enforces the
> server key to be a server key. This means: In the certificate presented
> to your client is a flag which denotes the certificate to be a "server"
> certificate. This is for the following reason: Imagine a network where a
> client has been compromised. If you would not check for the server flag
> this client certificate could be used to fake a server (as the
> certificate is still valid and signed by the CA).
> But in the HOWTO this is _not_ done, and so this may be the reason why
> this fails. I strongly recommend to use the easy-rsa suite that comes
> with OpenVPN to create keys and signing requests. If you can't do that
> consider the following: the line that reads

After reading this, that makes perfect sense.
> openssl req -nodes -new -keyout server.key -out server.csr
> in the tutorial should be
> openssl req -nodes -new -keyout server.key -out server.csr -extensions
> server
I tried on 3 desktops to use that command, but I must be missing a
package for server extensions in openssl.  If I can't find a box that
has this or my missing package, I will just become my own CA and sign my
keys that way using easy-rsa.  I have a feeling that will probably take
care of all my problems.
> I also don't know what the latest versions are that have been compiled
> for Ubuntu. Is that really the current version? Check version numbers
> from the package (or better: source) with the ones from CVS (

Looks like we are running NM-0.6.2 with some ubuntu specific patches
added.  Someone on the forums rolled their own VPN package to add on
which sparked my interest with openWRT  As of current, Ubuntu doesn't
have any repository versions of OpenVPN.
It looks like the package was taken from SVN on April-03-2006.

Again,  I really appreciate the help here.  After I have things going
well here (hopefully with CACert), I'll contribute to that wiki so that
future users can bask in NM's glory :)


Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]