Hi Andrew!
TLS is another extra encryption mode of OpenVPN.
In the Client Config comment or delete this out:
tls-auth ta.key 1
Also look for other lines starting with "tls".
Then it should work.
I copy-pasted a part from the OpenVPN documentation which describes how you
may generate the certificates and keys on a Linux box:
---quote---
Build RSA Certificates and Keys
OpenVPN has two secure modes, one based on SSL/TLS security using RSA
certificates and keys, the other using a pre-shared static key. While
SSL/TLS + RSA keys is arguably the most secure option, static keys have
the benefit of simplicity. If you want to use RSA keys, read on. For
static keys, jump forward to the Build Pre-Shared Static Key section.
We will build RSA certificates and keys using the openssl command,
included in the OpenSSL library distribution.
RSA certificates are public keys that also have other secure fields
embedded in them such as the Common Name or email address of the
certificate holder. OpenVPN provides the ability to write scripts to
test these fields prior to authentication. For more information, see the
--tls-verify option in the openvpn man page.
In our example we will follow the apache convention of using the .crt
file extension to denote certificate files and the .key file extension
to denote private key files. Private key files must always be kept
secure. Certificate files can be freely published or shared.
Select one machine such as Office to be the key management machine.
First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a
different place, so use locate openssl.cnf to find it).
You may want to make some changes to this file:
* Make a directory to serve as your key working area and change dir
to point to it.
* Consider increasing default_days so your VPN doesn't mysteriously
stop working after exactly one year.
* Set certificate and private_key to point to your master
certificate authority certificate and private key files which we will
presently generate. In the examples below, we will assume that your
certificate authority certificate is named my-ca.crt and your
certificate authority private key is named my-ca.key.
* Note the files index.txt and serial. Initialize index.txt to be
empty and serial to contain an initial serial number such as 01.
* If you are paranoid about key sizes, increase default_bits to
2048. OpenVPN will have no problem handling a 2048 bit RSA key if you
have built OpenVPN with pthread support, to enable background processing
of RSA keys. You can still use large keys even without pthread support,
but you will see some latency degradation on the tunnel during SSL/TLS
key negotiations. For a good article on choosing an RSA key size, see
the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.
After openssl.cnf has been edited, create your master certificate
authority certificate/private-key pair:
openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
This will create a master certificate authority certificate/private-key
pair valid for 10 years.
Now create certificate/private-key pairs for both Home and Office:
openssl req -nodes -new -keyout office.key -out office.csr
openssl ca -out office.crt -in office.csr
openssl req -nodes -new -keyout home.key -out home.csr
openssl ca -out home.crt -in home.csr
Now copy home.crt, home.key, and my-ca.crt to Home over a secure
channel, though actually only .key files should be considered non-public.
Now create Diffie Hellman parameters on Office with the following command:
openssl dhparam -out dh1024.pem 1024
Increase the bit size from 1024 to 2048 if you also increased it in
openssl.cnf.
For the paranoid, consider omitting the -nodes option on the openssl
commands above. This will cause each private key to be encrypted with a
password, making the keys secure even if someone broke onto your server
and stole your private key files. The downside of this approach is that
every time you run OpenVPN, you will need to type in the password. For
more information see the --askpass option in the openvpn man page.
If you find manual RSA key management confusing, note that OpenVPN will
interoperate with any X509 certificate management tool or service
including the commercial CAs such as Thawte or Verisign. Check out the
OpenCA project for an example of what's being done with certificate/key
management in the Open Source realm.
In addition, the OpenVPN distribution contains a small set of scripts
which can be used to simplify RSA certificate and key management.
---end of quote----
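As an added example (not from this post or from the OpenVPN documentation it quotes), the procedure above as a non-interactive script: a minimal openssl.cnf with the settings the quote lists (dir, default_days, certificate, private_key, index.txt, serial, default_bits), the master CA pair, and signed office/home certificates checked back against the CA. The directory layout, the CN values and the 2048-bit key size are assumptions.

```shell
# Added example (not from the list post or the OpenVPN docs it quotes): the
# CA build the quoted text describes, run non-interactively in a scratch
# directory with a minimal openssl.cnf. Names follow the quote; the layout,
# CN values and 2048-bit key size are assumptions.
set -eu
# build_pki DIR: write openssl.cnf, create the CA, sign office and home.
build_pki() (
    mkdir -p "$1/newcerts" && cd "$1"
    : > index.txt                       # empty certificate database
    echo 01 > serial                    # first serial number to issue
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = .
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/my-ca.crt
private_key = $dir/my-ca.key
default_days = 3650
default_md = sha256
policy = loose
[ loose ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
    # master CA pair, valid 10 years (-nodes: key stored unencrypted on disk)
    openssl req -config openssl.cnf -nodes -new -x509 -days 3650 \
        -subj /CN=my-ca -keyout my-ca.key -out my-ca.crt 2>/dev/null
    for n in office home; do            # one CSR per endpoint, signed by the CA
        openssl req -config openssl.cnf -nodes -new -subj "/CN=$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null
        openssl ca -config openssl.cnf -batch -notext \
            -in "$n.csr" -out "$n.crt" >/dev/null 2>&1
        chmod 600 "$n.key"              # only the .key files are non-public
    done
)
# verify_cert DIR NAME: exit 0 only if DIR/NAME.crt chains to my-ca.crt.
verify_cert() {
    openssl verify -CAfile "$1/my-ca.crt" "$1/$2.crt" >/dev/null 2>&1
}
```

The server side still needs the Diffie-Hellman parameters from the quote (`openssl dhparam -out dh1024.pem 1024`, or 2048 to match default_bits); that step is left out of the script because it takes a while to run.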
Andrew Thrift wrote:
>I used these certificates but still get:
>
>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation
>failed to occur within 60 seconds (check your network connectivity)
>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>
>in the logs on the server m0n0wall.
>
>and yes I have opened 5000 UDP
>
>
>Any ideas?
>
>On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
>
>
>>Thanks a lot.
>>Should open my eyes when looking for answers :)
>>
>>Andreas Busch wrote:
>>
>>
>>>You can find test certificates in the Linux source tarball on
>>>http://openvpn.sf.net
>>>A howto for generating your own certificates is also published on
>>>http://openvpn.sf.net
>>>
>>>Please be careful with the test certificates: they are public and very
>>>dangerous for a productive employment.
>>>
>>>Andre Maoro wrote:
>>>
>>>
>>>>Hi!
>>>>First of all, great job Manuel! I love m0n0 and the new features in
>>>>1.2b2 are great!
>>>>Thank you!
>>>>
>>>>Now to my question:
>>>>
>>>>I've been using OpenVPN for a long time now, and now monowall supports it
>>>>itself, which is in fact really cool, but I can't get it to run with this
>>>>SSL stuff.
>>>>I always used the static key method to authenticate my clients, but mono
>>>>wants me to use the safe way, and I'm really not familiar with SSL.
>>>>I spent this afternoon reading the readme files and trying things out,
>>>>but I didn't get it to run.
>>>>
>>>>Is there anyone who could tell me what exactly I have to do?
>>>>I need to know which certificates and keys I need, both for the
>>>>server (mono) and for my clients. Some are Windows boxes, some of them
>>>>are running Linux.
>>>>I also have a Linux box, which is my current OpenVPN server, so I have
>>>>all the tools I need to generate those certificates etc.
>>>>
>>>>It would be great if anyone would tell me step-by-step what I have to
>>>>do to generate the certificates and keys, which of them I have to give
>>>>to my clients, and where they have to put them.
>>>>
>>>>Or is there a way to use the easier method with the static keys? I
>>>>know that this isn't really safe, but it's safe enough for my purpose...
>>>>
>>>>Thanks in advance and please excuse my English ;)
>>>>
>>>>Greets,
>>>>Andre
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>>
>