Differences between revisions 1 and 13 (spanning 12 versions)
Revision 1 as of 2017-08-02 20:55:24, Size: 147, Editor: PieterSmit
Revision 13 as of 2019-01-09 21:33:08, Size: 3365, Editor: PieterSmit

= OpenVpn Notes and example =

 * Using more than one CA, stacked in the same file: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
 * 2018 - With a PSK (pre-shared key) only a point-to-point link can be established; for a server with multiple clients use a CA and certificates.
 * 2018 - Python script to generate self-signed certs and client certs: [[https://github.com/diepes/openvpn-inline-config-generator]]
   * The idea is to create them, throw away the CA key, and deploy the config. When adding clients later, either re-generate everything or [[https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains|stack a second server CA]].

== Routing ==
 * Using TUN (L3), routing is messy if there are subnets at both ends: you have to fiddle with ccd files per client, inserting iroute lines and other custom OpenVPN junk.
   * Would have been perfect :( if a new tun-x interface were created per connecting client, allowing the full power of Linux routing and firewalling.
 * Using TAP (L2) (./) is very similar, but now MACs (and broadcasts) traverse the VPN.
   * Allows running routing protocols, e.g. OSPF, and adding static routes to client IPs on the server (fix the IPs with {{{ifconfig-pool-persist ipp.txt}}}).
   * Compression should reduce the impact of the Ethernet headers.


== Errors ==
 * 2019 - OpenVPN tunnel restarts, with this in the log {{{
Wed Jan 9 20:04:24 2019 [vpn01] Inactivity timeout (--ping-restart), restarting
Wed Jan 9 20:04:24 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 9 20:04:24 2019 Restart pause, 2 second(s)
}}}
   * Keepalive ping going missing?
   * Problem tracked down to two clients using the same cert, kicking each other off.
   * Solved by allowing multiple clients with the same cert; add to the config: {{{duplicate-cn}}}

 * 2018 - OpenVPN dies with these errors in the log {{{
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
: ERROR: Linux route delete command failed: external program exited with error status: 2
: Linux ip addr del failed: external program exited with error status: 2
ROUTE_GATEWAY 10.x.y.z/255.255.255.224 IFACE=eth0 HWADDR=06:bb:33:11:55:14
}}}
   * Try to fix by adding {{{ifconfig-pool-persist}}} to the config.
   * On Ubuntu 16.04, edit /lib/systemd/system/openvpn@.service (e.g. with vim) and add the following so systemd restarts the service after it dies: {{{
[Service]
Restart=always
RestartSec=30
}}}

 * {{{VERIFY ERROR: depth=1, error=unhandled critical extension: CN=}}}
   * and {{{OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}}}
     * Reproduce outside OpenVPN with {{{
$ openssl verify -CAfile ca.pem server.pem
CN = test_ca_20180712_20h31
error 34 at 1 depth lookup: unhandled critical extension
error server.pem: verification failed
}}}
     * Cause: the CA cert carries {{{X509v3 Subject Key Identifier: critical}}}; this extension must not be marked critical (RFC 5280), so OpenSSL refuses the chain.

 * {{{openvpn: VERIFY ERROR: depth=0, could not extract X509 subject string from certificate}}}
   * Caused by not setting a CN in the certificate when it was created.

 * {{{openvpn[...]: TLS Error: Unroutable control packet received from [AF_INET] ... (si=3 op=P_CONTROL_V1)}}}
   * Add '''client''' to the config in addition to tls-client, so the client accepts an IP from the server.
   * Remove the '''topology''' mode setting from the client.
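Added example for the 2019 ping-restart entry above (my own script, not from this page or the OpenVPN project): it scans OpenVPN server log lines for a certificate CN connecting from more than one source address and counts the ping-restarts per CN, which is the shared-certificate condition that {{{duplicate-cn}}} papers over. The log lines are constructed to mimic OpenVPN's server log format, and the CNs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of OpenVPN server log lines (not taken from the page), in the
# shape "<timestamp> <src ip>:<port> [<cert CN>] Peer Connection Initiated ...".
# The cert CN "laptop01" appears from two different source addresses within seconds,
# then one of the two sessions hits the ping-restart seen in the wiki entry.
SAMPLE_LOG = """\
Wed Jan  9 20:04:10 2019 198.51.100.7:41022 VERIFY OK: depth=0, CN=laptop01
Wed Jan  9 20:04:10 2019 198.51.100.7:41022 [laptop01] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Wed Jan  9 20:04:18 2019 203.0.113.9:55120 VERIFY OK: depth=0, CN=laptop01
Wed Jan  9 20:04:18 2019 203.0.113.9:55120 [laptop01] Peer Connection Initiated with [AF_INET]203.0.113.9:55120
Wed Jan  9 20:04:24 2019 198.51.100.7:41022 [laptop01] Inactivity timeout (--ping-restart), restarting
Wed Jan  9 20:05:02 2019 192.0.2.33:60010 [desk02] Peer Connection Initiated with [AF_INET]192.0.2.33:60010
"""

# One regex for connection events, one for the restart symptom.
PEER_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} "
    r"(?P<src>[\d.]+):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated"
)
RESTART_RE = re.compile(r"\[(?P<cn>[^\]]+)\] Inactivity timeout \(--ping-restart\)")


def shared_cert_report(log_text):
    """Map each cert CN seen connecting from more than one source IP to its sorted IPs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = PEER_RE.match(line)
        if m:
            seen[m.group("cn")].add(m.group("src"))
    return {cn: sorted(ips) for cn, ips in seen.items() if len(ips) > 1}


def restart_counts(log_text):
    """Count ping-restart events per cert CN; repeated restarts on a shared CN is the tell."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = RESTART_RE.search(line)
        if m:
            counts[m.group("cn")] += 1
    return dict(counts)


if __name__ == "__main__":
    restarts = restart_counts(SAMPLE_LOG)
    for cn, ips in shared_cert_report(SAMPLE_LOG).items():
        print(f"{cn}: seen from {ips}, {restarts.get(cn, 0)} ping-restart(s); "
              "issue one cert per device rather than enabling duplicate-cn")
```

Run it against the real server log instead of SAMPLE_LOG to find out which CN is shared before deciding whether duplicate-cn is the fix you want.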
----
CategoryVpnTunnel

OpenVpn (last edited 2019-01-09 21:33:08 by PieterSmit)