 
 From:  Andre Maoro <andre at maoro dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.2b2 - OpenVPN Certificates and Keys. How?
 Date:  Mon, 25 Oct 2004 07:27:42 +0200
Hi Andrew!
TLS is another extra encryption mode of OpenVPN.
In the client config, comment out or delete this:

tls-auth ta.key 1

Also look for other lines starting with "tls".
Then it should work.

I copy-pasted a part from the OpenVPN documentation which describes how you
may generate the certificates and keys on a linux box:

---quote---

Build RSA Certificates and Keys
OpenVPN has two secure modes, one based on SSL/TLS security using RSA 
certificates and keys, the other using a pre-shared static key. While 
SSL/TLS + RSA keys is arguably the most secure option, static keys have 
the benefit of simplicity. If you want to use RSA keys, read on. For 
static keys, jump forward to the Build Pre-Shared Static Key section.

We will build RSA certificates and keys using the openssl command, 
included in the OpenSSL library distribution.

RSA certificates are public keys that also have other secure fields 
embedded in them such as the Common Name or email address of the 
certificate holder. OpenVPN provides the ability to write scripts to 
test these fields prior to authentication. For more information, see the 
--tls-verify option in the openvpn man page.

In our example we will follow the apache convention of using the .crt 
file extension to denote certificate files and the .key file extension 
to denote private key files. Private key files must always be kept 
secure. Certificate files can be freely published or shared.

Select one machine such as Office to be the key management machine.

First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a 
different place, so use locate openssl.cnf to find it).

You may want to make some changes to this file:

    * Make a directory to serve as your key working area and change dir 
to point to it.
    * Consider increasing default_days so your VPN doesn't mysteriously 
stop working after exactly one year.
    * Set certificate and private_key to point to your master 
certificate authority certificate and private key files which we will 
presently generate. In the examples below, we will assume that your 
certificate authority certificate is named my-ca.crt and your 
certificate authority private key is named my-ca.key.
    * Note the files index.txt and serial. Initialize index.txt to be 
empty and serial to contain an initial serial number such as 01.
    * If you are paranoid about key sizes, increase default_bits to 
2048. OpenVPN will have no problem handling a 2048 bit RSA key if you 
have built OpenVPN with pthread support, to enable background processing 
of RSA keys. You can still use large keys even without pthread support, 
but you will see some latency degradation on the tunnel during SSL/TLS 
key negotiations. For a good article on choosing an RSA key size, see 
the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.

After openssl.cnf has been edited, create your master certificate 
authority certificate/private-key pair:

openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650

This will create a master certificate authority certificate/private-key 
pair valid for 10 years.

Now create certificate/private-key pairs for both Home and Office:

openssl req -nodes -new -keyout office.key -out office.csr
openssl ca -out office.crt -in office.csr
openssl req -nodes -new -keyout home.key -out home.csr
openssl ca -out home.crt -in home.csr

Now copy home.crt, home.key, and my-ca.crt to Home over a secure 
channel, though actually only .key files should be considered non-public.

Now create Diffie Hellman parameters on Office with the following command:

openssl dhparam -out dh1024.pem 1024

Increase the bit size from 1024 to 2048 if you also increased it in 
openssl.cnf.

For the paranoid, consider omitting the -nodes option on the openssl 
commands above. This will cause each private key to be encrypted with a 
password, making the keys secure even if someone broke onto your server 
and stole your private key files. The downside of this approach is that 
every time you run OpenVPN, you will need to type in the password. For 
more information see the --askpass option in the openvpn man page.

If you find manual RSA key management confusing, note that OpenVPN will 
interoperate with any X509 certificate management tool or service 
including the commercial CAs such as Thawte or Verisign. Check out the 
OpenCA project for an example of what's being done with certificate/key 
management in the Open Source realm.

In addition, the OpenVPN distribution contains a small set of scripts 
which can be used to simplify RSA certificate and key management.

---end of quote----


Andrew Thrift wrote:

>I used these certificates but still get:
>
>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation 
>failed to occur within 60 seconds (check your network connectivity)
>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>
>in the logs on the server m0n0wall.
>
>and yes, I have opened 5000 UDP.
>
>
>Any ideas?
>
>
>
>
>
>On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
>  
>
>>Thanks a lot.
>>Should open my eyes when looking for answers :)
>>
>>Andreas Busch wrote:
>>    
>>
>>>You can find test certificates in the Linux source tarball on
>>>http://openvpn.sf.net
>>>A howto to generate your own certificates is also published on
>>>http://openvpn.sf.net
>>>
>>>Please be careful with the test certificates: they are public and very
>>>dangerous for a productive employment.
>>>
>>>Andre Maoro wrote:
>>>      
>>>
>>>>Hi!
>>>>First of all, great job Manuel! I love m0n0 and the new features in
>>>>1.2b2 are great!
>>>>Thank you!
>>>>
>>>>Now to my question:
>>>>
>>>>I've been using OpenVPN for a long time now, and now monowall supports
>>>>it itself, which is in fact really cool, but I can't get it to run with
>>>>this SSL stuff.
>>>>I always used the static key method to authenticate my clients, but mono
>>>>wants me to use the safe way, and I'm really not familiar with SSL.
>>>>I spent this afternoon reading the readme files and trying things out,
>>>>but I didn't get it to run.
>>>>
>>>>Is there anyone who could tell me what exactly I have to do?
>>>>I need to know which certificates and keys I need for the server (mono)
>>>>and also for my clients. Some are Windows boxes, some of them are
>>>>running Linux.
>>>>I also have a Linux box, which is my current OpenVPN server, so I have
>>>>all the tools I need to generate those certificates etc.
>>>>
>>>>It would be great if anyone would tell me step-by-step what I have to
>>>>do to generate the certificates and keys, and which of them I have to
>>>>give to my clients and where they have to put them.
>>>>
>>>>Or is there a way to use the easier method with the static keys? I know
>>>>that this isn't really safe, but it's safe enough for my purpose...
>>>>
>>>>Thanks in advance and please excuse my English ;)
>>>>
>>>>Greets,
>>>>Andre
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>        
>>>>
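The openssl procedure quoted in Andre's reply above, turned into a non-interactive script, as an added example that is not part of the thread, the OpenVPN documentation or m0n0wall. It writes a minimal openssl.cnf carrying the fields the documentation tells you to edit (new_certs_dir, default_days, certificate, private_key, default_bits, an empty index.txt and a serial of 01), builds the my-ca.crt/my-ca.key pair with a ten-year lifetime, signs office and home certificate/key pairs with "openssl ca", generates the Diffie-Hellman parameters, and then checks that each certificate chains to the CA and matches its private key. The section names, the CNs, the keys/ directory, the 2048-bit defaults and the verify_vpn_pki helper are this example's own choices, not anything the page or OpenVPN prescribes.

```shell
#!/bin/sh
# Added example, not code from the m0n0wall list or the OpenVPN project.
# Builds the CA, endpoint certificates and DH parameters from the quoted
# OpenVPN documentation without interactive prompts, then checks the result.
set -eu

# build_vpn_pki WORKDIR [DH_BITS]
#   Creates WORKDIR/keys with my-ca.crt/my-ca.key, office.{crt,key},
#   home.{crt,key} and dh<bits>.pem.  DH_BITS=0 skips the slow DH step.
build_vpn_pki() {
    workdir=$1
    dh_bits=${2:-2048}
    keys="$workdir/keys"
    cfg="$workdir/openssl.cnf"

    umask 077                                 # private keys readable by owner only
    mkdir -p "$keys"
    : > "$keys/index.txt"                     # empty CA database
    echo 01 > "$keys/serial"                  # initial serial number
    echo "unique_subject = yes" > "$keys/index.txt.attr"

    # Minimal openssl.cnf; section names and CNs are this example's own choices.
    cat > "$cfg" <<EOF
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
new_certs_dir    = $keys
database         = $keys/index.txt
serial           = $keys/serial
certificate      = $keys/my-ca.crt
private_key      = $keys/my-ca.key
default_days     = 3650
default_md       = sha256
policy           = vpn_policy
x509_extensions  = vpn_leaf
[ vpn_policy ]
commonName       = supplied
[ vpn_leaf ]
basicConstraints = CA:FALSE
[ req ]
default_bits     = 2048
distinguished_name = req_dn
x509_extensions  = vpn_ca_ext
[ req_dn ]
commonName       = Common Name
[ vpn_ca_ext ]
basicConstraints = critical, CA:TRUE
EOF

    # Master certificate authority certificate/private-key pair, valid ten years.
    openssl req -config "$cfg" -nodes -new -x509 -days 3650 \
        -subj "/CN=Example VPN CA" -keyout "$keys/my-ca.key" -out "$keys/my-ca.crt"

    # One certificate/private-key pair per endpoint, signed by the CA.
    for name in office home; do
        openssl req -config "$cfg" -nodes -new -subj "/CN=$name" \
            -keyout "$keys/$name.key" -out "$keys/$name.csr"
        openssl ca -config "$cfg" -batch -notext \
            -in "$keys/$name.csr" -out "$keys/$name.crt"
    done

    # Diffie-Hellman parameters for the server side (2048 bits here; slow).
    if [ "$dh_bits" -gt 0 ]; then
        openssl dhparam -out "$keys/dh$dh_bits.pem" "$dh_bits"
    fi
}

# verify_vpn_pki WORKDIR NAME
#   Succeeds and prints the subject only if NAME.crt chains to my-ca.crt and
#   NAME.key is its private key; run this before copying files to a client.
verify_vpn_pki() {
    keys="$1/keys"
    name=$2
    openssl verify -CAfile "$keys/my-ca.crt" "$keys/$name.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$keys/$name.crt" -pubkey -noout)
    key_pub=$(openssl pkey -in "$keys/$name.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$keys/$name.crt" -noout -subject
}

# Usage: sh vpn-pki.sh WORKDIR [DH_BITS]
if [ $# -gt 0 ]; then
    build_vpn_pki "$1" "${2:-2048}"
    verify_vpn_pki "$1" office
    verify_vpn_pki "$1" home
fi
```

Only the .key files need the umask 077 treatment; my-ca.crt and the endpoint .crt files can be handed out freely, exactly as the quoted documentation says. If a client still logs "TLS key negotiation failed" after its certificate passes verify_vpn_pki, the remaining suspects are the transport (the UDP port) and a tls-auth line present on one side but not the other, which is the line Andre suggests removing above.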