#format wiki
#language en
= OpenVpn Notes and example =
 * Linux VPN using SSL/TLS for encryption, with clients for Android and Windows.
 * Using more than one CA, stacked in the same file: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
 * 2018 - Using a PSK (pre-shared key) only a point-to-point link can be established; for a server with multiple clients use a CA and certificates.
 * 2018 - Python script to generate a self-signed CA and client certs: [[https://github.com/diepes/openvpn-inline-config-generator]]
   * The idea is to create them, throw away the CA key, and deploy the config. When adding clients later, re-generate everything or [[https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains|stack server CAs]].

== Routing ==
 * Using TUN (L3) the routing is messy if there are subnets at both ends: you have to fiddle with ccd files per client, inserting custom OpenVPN {{{iroute}}} entries.
 * It would have been perfect :( if we could create a new tun-x interface per connecting client, allowing the full power of Linux routing and firewalling.
 * Using TAP (L2) (./) is very similar, but now MACs (and broadcasts) traverse the VPN.
   * Allows running routing protocols, e.g. OSPF, and adding static routes to client IPs on the server (fix the client IPs with {{{ifconfig-pool-persist ipp.txt}}}).
   * Compression should reduce the impact of the extra Ethernet headers.

== Errors ==
 * 2019 - OpenVPN tunnel restarts with this in the log:
 {{{
Wed Jan 9 20:04:24 2019 [vpn01] Inactivity timeout (--ping-restart), restarting
Wed Jan 9 20:04:24 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 9 20:04:24 2019 Restart pause, 2 second(s)
 }}}
   * Keepalive ping going missing?
   * Problem tracked down to 2 clients using the same cert, kicking each other off.
   * Solved by allowing multiple clients with the same cert; add to the server config: {{{duplicate-cn}}}
 * 2018 - OpenVPN dies with errors in the log:
 {{{
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
: ERROR: Linux route delete command failed: external program exited with error status: 2
: Linux ip addr del failed: external program exited with error status: 2
ROUTE_GATEWAY 10.x.y.z/255.255.255.224 IFACE=eth0 HWADDR=06:bb:33:11:55:14
 }}}
   * Try to fix by adding to the config: {{{ifconfig-pool-persist}}}
   * On Ubuntu 16.04 edit {{{/lib/systemd/system/openvpn@.service}}} and add:
 {{{
[Service]
Restart=always
RestartSec=30
 }}}
 * {{{VERIFY ERROR: depth=1, error=unhandled critical extension: CN=}}} together with {{{OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}}}
   * Verify with:
 {{{
$ openssl verify -CAfile ca.pem server.pem
CN = test_ca_20180712_20h31
error 34 at 1 depth lookup: unhandled critical extension
error server.pem: verification failed
 }}}
   * The offending extension at depth 1 (the CA cert): {{{X509v3 Subject Key Identifier: critical}}}
 * {{{openvpn: VERIFY ERROR: depth=0, could not extract X509 subject string from certificate}}}
   * Caused by not adding a CN to the certificate when it was created.
 * {{{openvpn[...]: TLS Error: Unroutable control packet received from [AF_INET] ... (si=3 op=P_CONTROL_V1)}}}
   * Add '''client''' to the config in addition to tls-client to allow the client to accept an IP from the server.
   * Remove the '''topology''' mode setting from the client.
----
CategoryVpnTunnel
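Worked example for the Routing section above: what the "ccd files per client, inserting iroute" fiddling looks like for a TUN server with a subnet behind one client. This is an added example, not configuration from the wiki page or from the linked generator project; the subnets (10.8.0.0/24 tunnel, 192.168.1.0/24 behind the server, 192.168.50.0/24 behind the client) and the client name {{{branch01}}} are constructed.

```text
# server.conf (TUN mode) -- added example, constructed addresses
dev tun
server 10.8.0.0 255.255.255.0
# per-client option files live here, named after the client cert's CN
client-config-dir ccd
# kernel route on the server: send the client's LAN into the tun interface
route 192.168.50.0 255.255.255.0
# keep client tunnel IPs stable across restarts (see the Routing/Errors notes)
ifconfig-pool-persist ipp.txt
# let clients reach the LAN behind the server
push "route 192.168.1.0 255.255.255.0"

# ccd/branch01 -- file name must equal the CN in that client's certificate
# OpenVPN-internal route: tells the daemon that branch01 owns 192.168.50.0/24,
# so replies to that subnet are handed to this client's session and not dropped
iroute 192.168.50.0 255.255.255.0
```

Both lines are needed: {{{route}}} alone puts packets into the tun device, but without the matching {{{iroute}}} the daemon does not know which client session should receive them. Each additional client with its own LAN needs its own ccd file and its own {{{route}}} line on the server, which is the per-client fiddling the Routing section complains about; with TAP you instead run a routing protocol or add plain static routes to the client's fixed tunnel IP.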
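Worked example for the two certificate errors in the Errors section ("unhandled critical extension" from a critical Subject Key Identifier, and "could not extract X509 subject string" from a certificate with no CN). It is an added example using only the {{{openssl}}} CLI, not a script from the wiki page or the linked generator project; the function name {{{check_openvpn_cert}}} and the file names are assumed. Run it against {{{ca.pem}}} and {{{server.pem}}} before deploying them, so these defects are caught by a one-line check instead of a failing tunnel.

```shell
#!/bin/sh
# Added example (not from the wiki page): check a PEM certificate for the two
# defects OpenVPN trips over in the notes above, using only the openssl CLI.
#   1. "X509v3 Subject Key Identifier: critical" -> openssl verify / OpenVPN
#      report "unhandled critical extension" (RFC 5280 4.2.1.2 requires the
#      SKI extension to be non-critical). In an openssl.cnf extension
#      section this defect comes from "subjectKeyIdentifier = critical,hash".
#   2. no CN in the subject -> OpenVPN reports
#      "could not extract X509 subject string from certificate".
# Prints one line per defect found; returns 0 when clean, 1 otherwise.
check_openvpn_cert() {
    cert="$1"
    status=0

    # Subject with one attribute per line (e.g. "    CN=vpn01"), so a missing
    # CN is a simple line match rather than a guess about separators.
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline)
    if ! printf '%s\n' "$subject" | grep -q '^ *CN *='; then
        echo "$cert: subject has no CN (OpenVPN: could not extract X509 subject string)"
        status=1
    fi

    # -text prints "X509v3 Subject Key Identifier: critical" only when the
    # critical flag is set on that extension.
    if openssl x509 -in "$cert" -noout -text | grep -q 'Subject Key Identifier: critical'; then
        echo "$cert: Subject Key Identifier is marked critical (unhandled critical extension)"
        status=1
    fi

    return $status
}

# Usage: check_openvpn_cert ca.pem && check_openvpn_cert server.pem
```

Running the function over every certificate in the chain is the point: the verify output in the notes failed at depth 1, i.e. the CA certificate, so checking only {{{server.pem}}} would have missed it.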