OK, how do I edit these files? I am using m0n0wall's web GUI. I have used the example keys from the Linux source tarball.

On Mon, 25 Oct 2004 18:27, Andre Maoro wrote:
> Hi Andrew!
> TLS is another extra encryption mode of OpenVPN.
> In the client config, comment out or delete this:
>
> tls-auth ta.key 1
>
> Also look for other lines starting with "tls".
> Then it should work.
>
> I copy-pasted a part from the OpenVPN documentation which describes how you
> may generate the certificates and keys on a Linux box:
>
> ---quote---
>
> Build RSA Certificates and Keys
>
> OpenVPN has two secure modes, one based on SSL/TLS security using RSA
> certificates and keys, the other using a pre-shared static key. While
> SSL/TLS + RSA keys is arguably the most secure option, static keys have
> the benefit of simplicity. If you want to use RSA keys, read on. For
> static keys, jump forward to the Build Pre-Shared Static Key section.
>
> We will build RSA certificates and keys using the openssl command,
> included in the OpenSSL library distribution.
>
> RSA certificates are public keys that also have other secure fields
> embedded in them such as the Common Name or email address of the
> certificate holder. OpenVPN provides the ability to write scripts to
> test these fields prior to authentication. For more information, see the
> --tls-verify option in the openvpn man page.
>
> In our example we will follow the Apache convention of using the .crt
> file extension to denote certificate files and the .key file extension
> to denote private key files. Private key files must always be kept
> secure. Certificate files can be freely published or shared.
>
> Select one machine such as Office to be the key management machine.
>
> First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a
> different place, so use locate openssl.cnf to find it).
>
> You may want to make some changes to this file:
>
> * Make a directory to serve as your key working area and change dir
>   to point to it.
> * Consider increasing default_days so your VPN doesn't mysteriously
>   stop working after exactly one year.
> * Set certificate and private_key to point to your master
>   certificate authority certificate and private key files which we will
>   presently generate. In the examples below, we will assume that your
>   certificate authority certificate is named my-ca.crt and your
>   certificate authority private key is named my-ca.key.
> * Note the files index.txt and serial. Initialize index.txt to be
>   empty and serial to contain an initial serial number such as 01.
> * If you are paranoid about key sizes, increase default_bits to
>   2048. OpenVPN will have no problem handling a 2048 bit RSA key if you
>   have built OpenVPN with pthread support, to enable background processing
>   of RSA keys. You can still use large keys even without pthread support,
>   but you will see some latency degradation on the tunnel during SSL/TLS
>   key negotiations. For a good article on choosing an RSA key size, see
>   the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.
>
> After openssl.cnf has been edited, create your master certificate
> authority certificate/private-key pair:
>
> openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
>
> This will create a master certificate authority certificate/private-key
> pair valid for 10 years.
>
> Now create certificate/private-key pairs for both Home and Office:
>
> openssl req -nodes -new -keyout office.key -out office.csr
> openssl ca -out office.crt -in office.csr
> openssl req -nodes -new -keyout home.key -out home.csr
> openssl ca -out home.crt -in home.csr
>
> Now copy home.crt, home.key, and my-ca.crt to Home over a secure
> channel, though actually only .key files should be considered non-public.
>
> Now create Diffie Hellman parameters on Office with the following command:
>
> openssl dhparam -out dh1024.pem 1024
>
> Increase the bit size from 1024 to 2048 if you also increased it in
> openssl.cnf.
>
> For the paranoid, consider omitting the -nodes option on the openssl
> commands above. This will cause each private key to be encrypted with a
> password, making the keys secure even if someone broke onto your server
> and stole your private key files. The downside of this approach is that
> every time you run OpenVPN, you will need to type in the password. For
> more information see the --askpass option in the openvpn man page.
>
> If you find manual RSA key management confusing, note that OpenVPN will
> interoperate with any X509 certificate management tool or service
> including the commercial CAs such as Thawte or Verisign. Check out the
> OpenCA project for an example of what's being done with certificate/key
> management in the Open Source realm.
>
> In addition, the OpenVPN distribution contains a small set of scripts
> which can be used to simplify RSA certificate and key management.
>
> ---end of quote----
>
> Andrew Thrift wrote:
> >I used these certificates but still get:
> >
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
> >
> >in the logs on the server m0n0wall.
> >
> >And yes, I have opened 5000 UDP.
> >
> >Any ideas?
> >
> >On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
> >>Thanks a lot.
> >>Should open my eyes when looking for answers :)
> >>
> >>Andreas Busch wrote:
> >>>You can find test certificates in the Linux source tarball on
> >>>http://openvpn.sf.net
> >>>A howto to generate your own certificates is also published on
> >>>http://openvpn.sf.net
> >>>
> >>>Please be careful with the test certificates: they are public and very
> >>>dangerous for production use.
> >>>
> >>>Andre Maoro wrote:
> >>>>Hi!
> >>>>First of all, great job Manuel! I love m0n0 and the new features in
> >>>>1.2b2 are great!
> >>>>Thank you!
> >>>>
> >>>>Now to my question:
> >>>>
> >>>>I have been using OpenVPN for a long time now, but now monowall supports it
> >>>>itself, which is in fact really cool, but I can't get it to run with
> >>>>this SSL stuff.
> >>>>I always used the static key method to authenticate my clients, but
> >>>>mono wants me to use the safe way, and I'm really not familiar with
> >>>>SSL. I spent this afternoon reading the readme files and trying
> >>>>things out, but I didn't get it to run.
> >>>>
> >>>>Is there anyone who could tell me what exactly I have to do?
> >>>>I need to know which certificates and keys I need both for the
> >>>>server (mono) and for my clients. Some are Windows boxes, some of them are
> >>>>running Linux.
> >>>>I also have a Linux box, which is my current OpenVPN server, so I
> >>>>have all the tools I need to generate those certificates etc.
> >>>>
> >>>>It would be great if anyone would tell me step-by-step what I have
> >>>>to do to generate the certificates and keys, and which of them I have
> >>>>to give to my clients and where they have to put them.
> >>>>
> >>>>Or is there a way to use the easier method with the static keys? I
> >>>>know that this isn't really safe, but it's safe enough for my purpose...
> >>>>
> >>>>Thanks in advance and please excuse my English ;)
> >>>>
> >>>>Greets,
> >>>>Andre
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
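The "Build RSA Certificates and Keys" procedure quoted in the thread, carried through as an added example (this is not part of the thread and not OpenVPN's or m0n0wall's own scripts). It writes the openssl.cnf edits the quoted text lists (dir, certificate, private_key, index.txt, serial, default_days, default_bits) into a throwaway working area, runs the same openssl req / openssl ca / openssl dhparam steps for my-ca, office and home, and then adds two checks a practitioner wants before copying anything to the Home box: openssl verify against my-ca.crt, and a purpose check so that a client certificate cannot be mistaken for the server's. The server_cert and client_cert extension sections, the CN values, the working-area layout and the separate build_dh step are this example's own assumptions; building your own CA this way is also what Andreas Busch's warning about the public test certificates in the tarball points toward.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's or m0n0wall's scripts):
# the quoted "Build RSA Certificates and Keys" steps, driven by a throwaway
# openssl.cnf. The section names server_cert/client_cert, the CNs and the
# paths are this example's own assumptions.
set -eu

# Step 1: the openssl.cnf edits the quoted text lists. $1 is the working area.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $1
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/my-ca.crt
private_key    = \$dir/my-ca.key
default_days   = 3650
default_md     = sha256
policy         = policy_any
unique_subject = no

[ policy_any ]
commonName       = supplied
organizationName = optional

[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid

[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Steps 2 and 3: the CA pair, then the Office (server) and Home (client) pairs.
build_ca_and_certs() {
    WORK=$1
    CNF=$WORK/openssl.cnf
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"        # empty index, as the quoted text says
    echo 01 > "$WORK/serial"     # initial serial number
    write_openssl_cnf "$WORK"
    openssl req -nodes -new -x509 -config "$CNF" -subj "/CN=my-ca" \
        -keyout "$WORK/my-ca.key" -out "$WORK/my-ca.crt" -days 3650
    for pair in office:server_cert home:client_cert; do
        name=${pair%%:*}
        ext=${pair##*:}
        openssl req -nodes -new -config "$CNF" -subj "/CN=$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
        openssl ca -batch -notext -config "$CNF" -extensions "$ext" \
            -in "$WORK/$name.csr" -out "$WORK/$name.crt"
    done
}

# Step 4, kept separate because it is slow: build_dh DIR BITS (1024 or 2048).
build_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2"
}

# Check 1: verify_chain CAFILE CERT. Does my-ca.crt actually vouch for CERT?
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Check 2: has_purpose CERT "SSL server" or "SSL client". Built from the
# extendedKeyUsage, so home.crt must come back "No" for "SSL server".
has_purpose() {
    openssl x509 -in "$1" -noout -purpose | grep -q "^$2 : Yes"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_ca_and_certs "$WORK" >/dev/null 2>&1
verify_chain "$WORK/my-ca.crt" "$WORK/office.crt" && echo "office.crt: signed by my-ca"
has_purpose "$WORK/office.crt" "SSL server" && echo "office.crt: usable as server"
has_purpose "$WORK/home.crt" "SSL server" || echo "home.crt: refused as server (good)"
```

Only the .key files and the working area need protecting; my-ca.crt, office.crt and home.crt can travel in the clear, as the quoted text says. The purpose check is the piece the quoted procedure does not do: signing every request with the same extensions would let any client certificate pass as a server certificate, so the server and client sections differ in extendedKeyUsage.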