 From:  Andrew Thrift <andrewt at thrift dot kicks dash ass dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.2b2 - OpenVPN Certificates and Keys. How?
 Date:  Tue, 26 Oct 2004 08:51:37 +1300
OK, how do I edit these files?


I am using m0n0wall's web GUI?

I have used the example keys from the linux source tarball.


On Mon, 25 Oct 2004 18:27, Andre Maoro wrote:
> Hi Andrew!
> TLS is another extra encryption mode of OpenVPN.
> In the client config, comment out or delete this:
>
> tls-auth ta.key 1
>
> Also look for other lines starting with "tls".
> Then it should work.
>
> I copy-pasted a part from the OpenVPN documentation which describes how you
> may generate the certificates and keys on a linux box:
>
> ---quote---
>
> Build RSA Certificates and Keys
> OpenVPN has two secure modes, one based on SSL/TLS security using RSA
> certificates and keys, the other using a pre-shared static key. While
> SSL/TLS + RSA keys is arguably the most secure option, static keys have
> the benefit of simplicity. If you want to use RSA keys, read on. For
> static keys, jump forward to the Build Pre-Shared Static Key section.
>
> We will build RSA certificates and keys using the openssl command,
> included in the OpenSSL library distribution.
>
> RSA certificates are public keys that also have other secure fields
> embedded in them such as the Common Name or email address of the
> certificate holder. OpenVPN provides the ability to write scripts to
> test these fields prior to authentication. For more information, see the
> --tls-verify option in the openvpn man page.
>
> In our example we will follow the apache convention of using the .crt
> file extension to denote certificate files and the .key file extension
> to denote private key files. Private key files must always be kept
> secure. Certificate files can be freely published or shared.
>
> Select one machine such as Office to be the key management machine.
>
> First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a
> different place, so use locate openssl.cnf to find it).
>
> You may want to make some changes to this file:
>
>     * Make a directory to serve as your key working area and change dir
> to point to it.
>     * Consider increasing default_days so your VPN doesn't mysteriously
> stop working after exactly one year.
>     * Set certificate and private_key to point to your master
> certificate authority certificate and private key files which we will
> presently generate. In the examples below, we will assume that your
> certificate authority certificate is named my-ca.crt and your
> certificate authority private key is named my-ca.key.
>     * Note the files index.txt and serial. Initialize index.txt to be
> empty and serial to contain an initial serial number such as 01.
>     * If you are paranoid about key sizes, increase default_bits to
> 2048. OpenVPN will have no problem handling a 2048 bit RSA key if you
> have built OpenVPN with pthread support, to enable background processing
> of RSA keys. You can still use large keys even without pthread support,
> but you will see some latency degradation on the tunnel during SSL/TLS
> key negotiations. For a good article on choosing an RSA key size, see
> the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.
>
> After openssl.cnf has been edited, create your master certificate
> authority certificate/private-key pair:
>
> openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
>
> This will create a master certificate authority certificate/private-key
> pair valid for 10 years.
>
> Now create certificate/private-key pairs for both Home and Office:
>
> openssl req -nodes -new -keyout office.key -out office.csr
> openssl ca -out office.crt -in office.csr
> openssl req -nodes -new -keyout home.key -out home.csr
> openssl ca -out home.crt -in home.csr
>
> Now copy home.crt, home.key, and my-ca.crt to Home over a secure
> channel, though actually only .key files should be considered non-public.
>
> Now create Diffie Hellman parameters on Office with the following command:
>
> openssl dhparam -out dh1024.pem 1024
>
> Increase the bit size from 1024 to 2048 if you also increased it in
> openssl.cnf.
>
> For the paranoid, consider omitting the -nodes option on the openssl
> commands above. This will cause each private key to be encrypted with a
> password, making the keys secure even if someone broke onto your server
> and stole your private key files. The downside of this approach is that
> every time you run OpenVPN, you will need to type in the password. For
> more information see the --askpass option in the openvpn man page.
>
> If you find manual RSA key management confusing, note that OpenVPN will
> interoperate with any X509 certificate management tool or service
> including the commercial CAs such as Thawte or Verisign. Check out the
> OpenCA project for an example of what's being done with certificate/key
> management in the Open Source realm.
>
> In addition, the OpenVPN distribution contains a small set of scripts
> which can be used to simplify RSA certificate and key management.
>
> ---end of quote----
>
> Andrew Thrift schrieb:
> >I used these certificates but still get:
> >
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
> >Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
> >
> >in the logs on the server m0n0wall.
> >
> >and yes, I have opened 5000 UDP.
> >
> >
> >Any ideas?
> >
> >On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
> >>Thanks a lot.
> >>Should open my eyes when looking for answers :)
> >>
> >>Andreas Busch schrieb:
> >>>you can find test certificates in the linux source tarball on
> >>>http://openvpn.sf.net
> >>>a howto to generate your own certificates is also published on
> >>>http://openvpn.sf.net
> >>>
> >>>please be careful with the test certificates, they are public and very
> >>>dangerous for productive employment
> >>>
> >>>Andre Maoro schrieb:
> >>>>Hi!
> >>>>First of all, great job Manuel! I love m0n0 and the new features in
> >>>>1.2b2 are great!
> >>>>Thank you!
> >>>>
> >>>>Now to my question:
> >>>>
> >>>>I've been using OpenVPN for a while now, but now monowall supports it
> >>>> itself, which is in fact really cool, but I can't get it to run with
> >>>> this SSL stuff.
> >>>>I always used the static key method to authenticate my clients, but
> >>>> mono wants me to use the safe way, and I'm really not familiar with
> >>>> SSL. I spent this afternoon reading the readme files and trying
> >>>> things out, but I didn't get it to run.
> >>>>
> >>>>Is there anyone who could tell me what exactly I have to do?
> >>>>I need to know which certificates and keys I need for the server (mono)
> >>>>and also for my clients. Some are windows boxes, some of them are
> >>>>running linux.
> >>>>I also have a linux box, which is my current OpenVPN server, so I
> >>>>have all the tools I need to generate those certificates etc.
> >>>>
> >>>>It would be great if anyone would tell me step-by-step what I have
> >>>>to do to generate the certificates and keys, which of them I have to
> >>>>give to my clients, and where they have to put them.
> >>>>
> >>>>Or is there a way to use the easier method with the static keys? I
> >>>>know that this isn't really safe, but it's safe enough for my purpose...
> >>>>
> >>>>Thanks in advance and please excuse my english ;)
> >>>>
> >>>>Greets,
> >>>>Andre
> >>>>
> >>>>---------------------------------------------------------------------
> >>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
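As an added example (not part of this thread or of m0n0wall's or OpenVPN's own code), a small Python checker that parses a server and a client OpenVPN config and reports the mismatches behind a handshake that never completes, starting with the tls-auth asymmetry Andre points at. The two sample configs and the vpn.example.net hostname are constructed for the demonstration.

```python
# Constructed sample configs modelled on the thread: the client keeps
# "tls-auth ta.key 1" while the m0n0wall server side has no ta.key, so the
# server silently drops every client packet and the handshake never completes.
SERVER_CONF = """\
port 5000
proto udp
ca my-ca.crt
cert office.crt
key office.key
dh dh1024.pem
"""
CLIENT_CONF = """\
proto udp
remote vpn.example.net 5000   # placeholder hostname
ca my-ca.crt
cert home.crt
key home.key
tls-auth ta.key 1
"""

def parse_config(text):
    """Map 'option arg...' lines to {option: [args]}; '#' and ';' comments and
    blank lines are skipped, and a repeated option keeps its last value."""
    opts = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return the findings that explain a TLS handshake that never completes."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    # tls-auth on both peers or on neither; directions, if given, must differ
    if ('tls-auth' in s) != ('tls-auth' in c):
        side = 'client' if 'tls-auth' in c else 'server'
        findings.append('tls-auth only on the %s: remove it there or add ta.key to the other side' % side)
    elif 'tls-auth' in s and s['tls-auth'][1:2] and s['tls-auth'][1:2] == c['tls-auth'][1:2]:
        findings.append('tls-auth key direction identical on both sides (server 0, client 1 expected)')
    # transport and port must agree, otherwise nothing reaches the TLS layer
    if 'proto' in s and 'proto' in c and s['proto'][0] != c['proto'][0]:
        findings.append('proto differs: server %s, client %s' % (s['proto'][0], c['proto'][0]))
    if 'remote' in c and 'port' in s and len(c['remote']) > 1 and c['remote'][1] != s['port'][0]:
        findings.append('client dials port %s but server listens on %s' % (c['remote'][1], s['port'][0]))
    # every TLS-mode peer needs ca, cert and key; the server also needs dh params
    for side, conf, needed in (('server', s, ('ca', 'cert', 'key', 'dh')), ('client', c, ('ca', 'cert', 'key'))):
        findings += ['%s config lacks %s' % (side, o) for o in needed if o not in conf]
    return findings
```

Running check_pair(SERVER_CONF, CLIENT_CONF) reports only the one-sided tls-auth; dropping that line from the client, or adding "tls-auth ta.key 0" to the server, clears the findings.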