Sorry, I thought you were using config files on a non-m0n0 box. m0n0 itself should make it for you, but it seems that there are connectivity problems, just as the syslog already told you. Be sure that you have a rule which allows inbound traffic to the OpenVPN port on your m0n0. I also forgot this fact at first. Just enabling the OpenVPN server does not add corresponding rules for inbound OpenVPN traffic, so you have to make this on your own. Just add a WAN rule which says that all TCP or UDP traffic is allowed to dest port 5000(?). Hope this helps....

Greets,
Andre

Andrew Thrift wrote:

>OK how do I edit these files??
>
>I am using m0n0wall's web gui ?
>
>I have used the example keys from the linux source tarball.
>
>On Mon, 25 Oct 2004 18:27, Andre Maoro wrote:
>
>>Hi Andrew!
>>TLS is another extra encryption mode of OpenVPN.
>>In the Client Config comment or delete this out:
>>
>>tls-auth ta.key 1
>>
>>Also look for other lines starting with "tls".
>>Then it should work.
>>
>>I copy-pasted a part from the OpenVPN documentation which describes how you
>>may generate the certificates and keys on a linux box:
>>
>>---quote---
>>
>>Build RSA Certificates and Keys
>>OpenVPN has two secure modes, one based on SSL/TLS security using RSA
>>certificates and keys, the other using a pre-shared static key. While
>>SSL/TLS + RSA keys is arguably the most secure option, static keys have
>>the benefit of simplicity. If you want to use RSA keys, read on. For
>>static keys, jump forward to the Build Pre-Shared Static Key section.
>>
>>We will build RSA certificates and keys using the openssl command,
>>included in the OpenSSL library distribution.
>>
>>RSA certificates are public keys that also have other secure fields
>>embedded in them such as the Common Name or email address of the
>>certificate holder. OpenVPN provides the ability to write scripts to
>>test these fields prior to authentication. For more information, see the
>>--tls-verify option in the openvpn man page.
>>
>>In our example we will follow the apache convention of using the .crt
>>file extension to denote certificate files and the .key file extension
>>to denote private key files. Private key files must always be kept
>>secure. Certificate files can be freely published or shared.
>>
>>Select one machine such as Office to be the key management machine.
>>
>>First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a
>>different place, so use locate openssl.cnf to find it).
>>
>>You may want to make some changes to this file:
>>
>> * Make a directory to serve as your key working area and change dir
>>to point to it.
>> * Consider increasing default_days so your VPN doesn't mysteriously
>>stop working after exactly one year.
>> * Set certificate and private_key to point to your master
>>certificate authority certificate and private key files which we will
>>presently generate. In the examples below, we will assume that your
>>certificate authority certificate is named my-ca.crt and your
>>certificate authority private key is named my-ca.key.
>> * Note the files index.txt and serial. Initialize index.txt to be
>>empty and serial to contain an initial serial number such as 01.
>> * If you are paranoid about key sizes, increase default_bits to
>>2048. OpenVPN will have no problem handling a 2048 bit RSA key if you
>>have built OpenVPN with pthread support, to enable background processing
>>of RSA keys. You can still use large keys even without pthread support,
>>but you will see some latency degradation on the tunnel during SSL/TLS
>>key negotiations. For a good article on choosing an RSA key size, see
>>the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.
>>
>>After openssl.cnf has been edited, create your master certificate
>>authority certificate/private-key pair:
>>
>>openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
>>
>>This will create a master certificate authority certificate/private-key
>>pair valid for 10 years.
>>
>>Now create certificate/private-key pairs for both Home and Office:
>>
>>openssl req -nodes -new -keyout office.key -out office.csr
>>openssl ca -out office.crt -in office.csr
>>openssl req -nodes -new -keyout home.key -out home.csr
>>openssl ca -out home.crt -in home.csr
>>
>>Now copy home.crt, home.key, and my-ca.crt to Home over a secure
>>channel, though actually only .key files should be considered non-public.
>>
>>Now create Diffie Hellman parameters on Office with the following command:
>>
>>openssl dhparam -out dh1024.pem 1024
>>
>>Increase the bit size from 1024 to 2048 if you also increased it in
>>openssl.cnf.
>>
>>For the paranoid, consider omitting the -nodes option on the openssl
>>commands above. This will cause each private key to be encrypted with a
>>password, making the keys secure even if someone broke onto your server
>>and stole your private key files. The downside of this approach is that
>>every time you run OpenVPN, you will need to type in the password. For
>>more information see the --askpass option in the openvpn man page.
>>
>>If you find manual RSA key management confusing, note that OpenVPN will
>>interoperate with any X509 certificate management tool or service
>>including the commercial CAs such as Thawte or Verisign. Check out the
>>OpenCA project for an example of what's being done with certificate/key
>>management in the Open Source realm.
>>
>>In addition, the OpenVPN distribution contains a small set of scripts
>>which can be used to simplify RSA certificate and key management.
>>
>>---end of quote----
>>
>>Andrew Thrift wrote:
>>
>>>I used these certificates but still get:
>>>
>>>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
>>>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>>>Jan 24 18:45:33 openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>>>
>>>in the logs on the server m0n0wall.
>>>
>>>and yes I have opened 5000 UDP
>>>
>>>Any ideas?
>>>
>>>On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
>>>
>>>>Thanks a lot.
>>>>Should open my eyes when looking for answers :)
>>>>
>>>>Andreas Busch wrote:
>>>>
>>>>>you can find test certificates in the linux Source Tarball on
>>>>>http://openvpn.sf.net
>>>>>a howto to generate your own certificates is also published on
>>>>>http://openvpn.sf.net
>>>>>
>>>>>please be careful with the test certificates, they are public and very
>>>>>dangerous for a productive deployment
>>>>>
>>>>>Andre Maoro wrote:
>>>>>
>>>>>>Hi!
>>>>>>First of all, great job Manuel! I love m0n0 and the new features in
>>>>>>1.2b2 are great!
>>>>>>Thank you!
>>>>>>
>>>>>>Now to my question:
>>>>>>
>>>>>>I've been using OpenVPN for quite a while now, but now monowall supports it
>>>>>>itself, which is in fact really cool, but I can't get it to run with
>>>>>>this SSL stuff.
>>>>>>I always used the static key method to authenticate my clients, but
>>>>>>mono wants me to use the safe way, and I'm really not familiar with
>>>>>>SSL. I spent this afternoon reading the readme files and trying
>>>>>>things out, but I didn't get it to run.
>>>>>>
>>>>>>Is there anyone who could tell me what exactly I have to do?
>>>>>>I need to know which certificates and keys I need for the
>>>>>>server (mono)
>>>>>>and also for my clients. Some are windows boxes, some of them are
>>>>>>running linux.
>>>>>>I also have a linux box, which is my current OpenVPN server, so I
>>>>>>have all the
>>>>>>tools I need to generate those certificates etc.
>>>>>>
>>>>>>It would be great if anyone would tell me step-by-step what I have
>>>>>>to do to generate
>>>>>>the certificates and keys and which of them I have to give to my
>>>>>>clients and where
>>>>>>they have to put them.
>>>>>>
>>>>>>Or is there a way to use the easier method with the static keys? I
>>>>>>know that this
>>>>>>isn't really safe, but it's safe enough for my purpose...
>>>>>>
>>>>>>Thanks in advance and please excuse my english ;)
>>>>>>
>>>>>>Greets,
>>>>>>Andre
>>>>>>
>>>>>>---------------------------------------------------------------------
>>>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
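The certificate procedure quoted from the OpenVPN documentation above, worked through end to end as an added example. This script is not from the m0n0wall list, from OpenVPN or from its documentation; it assumes only that `openssl` is on the PATH and uses a scratch directory `$WORK` (a fresh `mktemp -d` by default). It writes its own small openssl.cnf instead of editing the system one, signs with `openssl x509 -req` instead of `openssl ca` so that no index.txt/serial bookkeeping is needed, and adds the two checks that catch the usual mistakes before files are copied to clients: does each certificate chain to my-ca.crt, and does each .key belong to its .crt. The `sample-ca`/`intruder` pair is constructed to show what Andreas Busch warns about: a CA whose private key is public lets anyone mint a client your server would trust.

```sh
#!/bin/sh
# Added example (not code from the m0n0wall list or the OpenVPN project).
# Builds a private CA "my-ca", a server cert "office", a client cert "home"
# and DH parameters, then checks the results. Assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory for all files
DAYS=3650                      # 10 years, as in the quoted docs

# Minimal openssl.cnf of our own. [dn] stays empty because -subj supplies the
# subject; v3_ca marks the CA as a CA, v3_server/v3_client set the key usage.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF

# Self-signed CA. -nodes leaves <name>.key unencrypted (see the --askpass
# remark in the quoted docs); this file never goes on the firewall or a client.
make_ca() {   # make_ca <ca-name>
  openssl req -x509 -nodes -new -newkey rsa:2048 -days "$DAYS" \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Key + CSR for one peer, signed by the named CA with the given extension set.
issue_cert() {   # issue_cert <ca-name> <peer-name> <v3_server|v3_client>
  openssl req -nodes -new -newkey rsa:2048 -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days "$DAYS" -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions "$3" \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Prints OK if <peer>.crt chains to <ca>.crt, REJECTED otherwise. This is the
# check the OpenVPN server performs (via its ca setting) during the handshake.
verify_chain() {   # verify_chain <ca-name> <peer-name>
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# Prints OK if the public key in <peer>.crt matches <peer>.key; catches the
# classic mix-up of shipping home.crt together with office.key.
key_matches_cert() {   # key_matches_cert <peer-name>
  cert_pub=$(openssl x509 -noout -pubkey -in "$WORK/$1.crt")
  key_pub=$(openssl pkey -pubout -in "$WORK/$1.key")
  if [ "$cert_pub" = "$key_pub" ]; then echo OK; else echo MISMATCH; fi
}

build_pki() {
  make_ca my-ca
  issue_cert my-ca office v3_server   # the server (the m0n0wall box)
  issue_cert my-ca home   v3_client   # one client; one cert per client
  # DH parameters for the server. -dsaparam is an added choice here: it
  # generates in seconds rather than minutes and still serves DHE exchange.
  openssl dhparam -dsaparam -out "$WORK/dh2048.pem" 2048 >/dev/null 2>&1
}

# A second, unrelated CA stands in for the public test CA from the tarball.
# A client it issues must be REJECTED by my-ca; it would be accepted only if
# that CA's certificate had been installed on the server as the trusted CA.
rogue_client_check() {
  make_ca sample-ca
  issue_cert sample-ca intruder v3_client
  verify_chain my-ca intruder
}

if [ "${1:-}" = "run" ]; then   # sh openvpn-pki.sh run
  build_pki
  echo "office chain: $(verify_chain my-ca office)"
  echo "home chain:   $(verify_chain my-ca home)"
  echo "home key:     $(key_matches_cert home)"
  echo "intruder:     $(rogue_client_check)"
  echo "files in $WORK: home.crt, home.key, my-ca.crt go to the client;"
  echo "office.crt, office.key, my-ca.crt, dh2048.pem go to the server"
fi
```

Only my-ca.crt, the peer's own .crt and .key, and (server side) the DH file are copied; my-ca.key stays on the key management machine. Note what this does and does not explain about the log lines in the thread: a certificate that fails `verify_chain` also produces "TLS handshake failed" on the server, but "TLS key negotiation failed to occur within 60 seconds" means no TLS exchange happened at all, which is the firewall-rule problem Andre describes rather than a certificate problem.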