OpenVpn Notes and example
- Linux VPN using SSL for encryption, with clients for Android and Windows.
- Using more than one CA, stacked in the same file: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
- 2018 - Using a PSK (pre-shared key) only a point-to-point link can be established; for a server with multiple clients use a CA and certificates.
- 2018 Python script to generate self-signed certs and client certs: https://gist.github.com/diepes/a7c3a53ed94c587803e20e6576ea4525#file-openvpn_gen-py
- The idea is to create them, throw away the CA key, and deploy the config. When adding clients later, re-generate or stack a second server CA (https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains).
Routing
- Using TUN (L3), routing is messy if there are subnets at both ends: you have to fiddle with ccd files per client, inserting iroute lines (custom OpenVPN junk).
- Would have been perfect if we could create a new tun-x interface per connecting client, allowing the full power of Linux routing and firewalling.
- Using TAP (L2) (the chosen option) is very similar, but now MACs (and broadcasts) traverse the VPN.
- Allows running routing protocols, e.g. OSPF, and adding static routes to client IPs on the server. (Fix client IPs with ifconfig-pool-persist ipp.txt.)
- The compression should reduce the impact of the Ethernet headers.
Errors
- VERIFY ERROR: depth=1, error=unhandled critical extension: CN=
  and OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
- Verify with:
  $ openssl verify -CAfile ca.pem server.pem
  CN = test_ca_20180712_20h31
  error 34 at 1 depth lookup: unhandled critical extension
  error server.pem: verification failed
- Cause: the CA certificate carries "X509v3 Subject Key Identifier: critical". OpenSSL does not process this extension when it is marked critical, so verification fails; RFC 5280 requires Subject Key Identifier to be non-critical.
- openvpn: VERIFY ERROR: depth=0, could not extract X509 subject string from certificate
- Caused by not adding a CN to the certificate when it was created.
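The two certificate errors above can be caught before the certs are deployed. The following is an added example (not the linked gist and not OpenVPN code) using the Python `cryptography` library: make_ca builds a constructed self-signed CA with or without the two defects, and lint_cert reports a missing CN and any critical extension OpenSSL would not handle. The HANDLED_CRITICAL set is an assumption that approximates OpenSSL's supported-extension list.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtensionOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# Extensions OpenSSL's verifier processes when marked critical; any other
# extension marked critical yields error 34 "unhandled critical extension".
# Assumption: approximates OpenSSL's X509_supported_extension() list.
HANDLED_CRITICAL = {
    ExtensionOID.KEY_USAGE, ExtensionOID.BASIC_CONSTRAINTS,
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME, ExtensionOID.EXTENDED_KEY_USAGE,
    ExtensionOID.NAME_CONSTRAINTS, ExtensionOID.CERTIFICATE_POLICIES,
    ExtensionOID.POLICY_CONSTRAINTS, ExtensionOID.INHIBIT_ANY_POLICY,
}


def make_ca(common_name, ski_critical):
    """Constructed self-signed CA. common_name=None omits the CN; ski_critical=True
    marks Subject Key Identifier critical (RFC 5280 says it MUST NOT be)."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.ORGANIZATION_NAME, "example-vpn")]
    if common_name:
        attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, common_name))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                       critical=ski_critical)
        .sign(key, hashes.SHA256())
    )


def lint_cert(cert):
    """Return the defects behind the two VERIFY ERRORs above; [] means clean."""
    problems = []
    if not cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME):
        problems.append("no CN in subject -> could not extract X509 subject string")
    for ext in cert.extensions:
        if ext.critical and ext.oid not in HANDLED_CRITICAL:
            problems.append(f"critical extension {ext.oid.dotted_string} "
                            "-> unhandled critical extension (error 34)")
    return problems
```

Run lint_cert over x509.load_pem_x509_certificate(open("ca.pem", "rb").read()) to check a CA produced by any generation script before it is deployed.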
- openvpn[...]: TLS Error: Unroutable control packet received from [AF_INET] ... (si=3 op=P_CONTROL_V1)
- Add "client" to the client config in addition to "tls-client" so the client accepts an IP from the server.
- Remove the topology mode setting from the client.
...