Differences between revisions 8 and 9

OpenVpn Notes and example

Linux VPN using ssl for encryption, with clients for Android and Windows.
Using more than one CA, stacked in same file https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
2018 - Using PSK(pre-shared keys) only a point to point link can be established, for a server with multiple clients use CA and certs.
2018 Python script to gen self-signed certs and client certs https://gist.github.com/diepes/a7c3a53ed94c587803e20e6576ea4525#file-openvpn_gen-py
- idea is to create them, throw away cakey, deploy config. When adding re-gen or stack server CA

Routing

Using TUN(L3) the routing is messy if there are subnets at both ends, have to fiddle with ccd files per client, inserting iroute custom OpenVPN junk.
- Would have been perfect if we could create a new tun-x interface per connecting client, allowing the full power of Linux routing, and firewalling.
Using TAP(L2) very similar, but now mac's (and broadcasts) traverse the vpn.
- Allows running of routing protocols, e.g. ospf, and adding static routes to client IP's on the server. (fix ip's with ifconfig-pool-persist ipp.txt)
- The compression should reduce the impact of the ethernet headers.

VERIFY ERROR: depth=1, error=unhandled critical extension: CN=
- and OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  - verify with
```
$ openssl verify -CAfile ca.pem server.pem 
CN = test_ca_20180712_20h31
error 34 at 1 depth lookup: unhandled critical extension
error server.pem: verification failed
```
    - X509v3 Subject Key Identifier: critical
openvpn: VERIFY ERROR: depth=0, could not extract X509 subject string from certificate
- Caused by not adding a CN to the certificate when created.
openvpn[...]: TLS Error: Unroutable control packet received from [AF_INET] ... (si=3 op=P_CONTROL_V1)
- Add client to config in addition to tls-client to allow client to accept ip from server
- remove topology mode setting from client.'

...

-  ⇤ ← Revision 8 as of 2018-07-12 10:07:10 → 
  Size: 1661
  Editor: PieterSmit
  Comment:
+   ← Revision 9 as of 2018-07-15 06:10:38 → ⇥
  Size: 2311
  Editor: PieterSmit
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 8:
-   * idea is to create them, thow away ca key, deploy config.  When adding re-gen or [[https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains|stack server CA]]
+   * idea is to create them, throw away cakey, deploy config.  When adding re-gen or [[https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains|stack server CA]]

== Routing ==
 * Using TUN(L3) the routing is messy if there are subnets at both ends, have to fiddle with ccd files per client, inserting iroute custom OpenVPN junk.
   * Would have been perfect :( if we could create a new tun-x interface per connecting client, allowing the full power of Linux routing, and firewalling.
 * Using TAP(L2) (./) very similar, but now mac's (and broadcasts) traverse the vpn.
   * Allows running of routing protocols, e.g. ospf, and adding static routes to client IP's on the server. (fix ip's with {{{ifconfig-pool-persist ipp.txt}}})
   * The compression should reduce the impact of the ethernet headers.