 
 From:  Andre Maoro <andre at maoro dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.2b2 - OpenVPN Certificates and Keys. How?
 Date:  Mon, 25 Oct 2004 22:45:47 +0200
Sorry, I thought you were using config files on a non-m0n0 box.
m0n0 itself should make it for you, but it seems that there are connectivity problems, just as the syslog already told you.
Be sure that you have a rule which allows inbound traffic to the OpenVPN port on your m0n0.
I also forgot this fact at first. Just enabling the OpenVPN server does not add corresponding rules for inbound OpenVPN traffic, so you have to do this on your own.
Just add a WAN rule which says that all TCP or UDP traffic is allowed to dest port 5000(?).
Hope this helps....

Greets,
Andre

Andrew Thrift wrote:

>OK, how do I edit these files??
>
>
>I am using m0n0wall's web GUI?
>
>I have used the example keys from the Linux source tarball.
>
>
>On Mon, 25 Oct 2004 18:27, Andre Maoro wrote:
>  
>
>>Hi Andrew!
>>TLS is another extra encryption mode of OpenVPN.
>>In the client config, comment out or delete this:
>>
>>tls-auth ta.key 1
>>
>>Also look for other lines starting with "tls".
>>Then it should work.
>>
>>I copy-pasted a part from the OpenVPN documentation which describes how you
>>may generate the certificates and keys on a Linux box:
>>
>>---quote---
>>
>>Build RSA Certificates and Keys
>>OpenVPN has two secure modes, one based on SSL/TLS security using RSA
>>certificates and keys, the other using a pre-shared static key. While
>>SSL/TLS + RSA keys is arguably the most secure option, static keys have
>>the benefit of simplicity. If you want to use RSA keys, read on. For
>>static keys, jump forward to the Build Pre-Shared Static Key section.
>>
>>We will build RSA certificates and keys using the openssl command,
>>included in the OpenSSL library distribution.
>>
>>RSA certificates are public keys that also have other secure fields
>>embedded in them such as the Common Name or email address of the
>>certificate holder. OpenVPN provides the ability to write scripts to
>>test these fields prior to authentication. For more information, see the
>>--tls-verify option in the openvpn man page.
>>
>>In our example we will follow the Apache convention of using the .crt
>>file extension to denote certificate files and the .key file extension
>>to denote private key files. Private key files must always be kept
>>secure. Certificate files can be freely published or shared.
>>
>>Select one machine such as Office to be the key management machine.
>>
>>First edit the /usr/share/ssl/openssl.cnf file (this file may exist in a
>>different place, so use locate openssl.cnf to find it).
>>
>>You may want to make some changes to this file:
>>
>>    * Make a directory to serve as your key working area and change dir
>>to point to it.
>>    * Consider increasing default_days so your VPN doesn't mysteriously
>>stop working after exactly one year.
>>    * Set certificate and private_key to point to your master
>>certificate authority certificate and private key files which we will
>>presently generate. In the examples below, we will assume that your
>>certificate authority certificate is named my-ca.crt and your
>>certificate authority private key is named my-ca.key.
>>    * Note the files index.txt and serial. Initialize index.txt to be
>>empty and serial to contain an initial serial number such as 01.
>>    * If you are paranoid about key sizes, increase default_bits to
>>2048. OpenVPN will have no problem handling a 2048 bit RSA key if you
>>have built OpenVPN with pthread support, to enable background processing
>>of RSA keys. You can still use large keys even without pthread support,
>>but you will see some latency degradation on the tunnel during SSL/TLS
>>key negotiations. For a good article on choosing an RSA key size, see
>>the April 2002 issue of Bruce Schneier's Crypto-Gram Newsletter.
>>
>>After openssl.cnf has been edited, create your master certificate
>>authority certificate/private-key pair:
>>
>>openssl req -nodes -new -x509 -keyout my-ca.key -out my-ca.crt -days 3650
>>
>>This will create a master certificate authority certificate/private-key
>>pair valid for 10 years.
>>
>>Now create certificate/private-key pairs for both Home and Office:
>>
>>openssl req -nodes -new -keyout office.key -out office.csr
>>openssl ca -out office.crt -in office.csr
>>openssl req -nodes -new -keyout home.key -out home.csr
>>openssl ca -out home.crt -in home.csr
>>
>>Now copy home.crt, home.key, and my-ca.crt to Home over a secure
>>channel, though actually only .key files should be considered non-public.
>>
>>Now create Diffie-Hellman parameters on Office with the following command:
>>
>>openssl dhparam -out dh1024.pem 1024
>>
>>Increase the bit size from 1024 to 2048 if you also increased it in
>>openssl.cnf.
>>
>>For the paranoid, consider omitting the -nodes option on the openssl
>>commands above. This will cause each private key to be encrypted with a
>>password, making the keys secure even if someone broke into your server
>>and stole your private key files. The downside of this approach is that
>>every time you run OpenVPN, you will need to type in the password. For
>>more information see the --askpass option in the openvpn man page.
>>
>>If you find manual RSA key management confusing, note that OpenVPN will
>>interoperate with any X509 certificate management tool or service
>>including the commercial CAs such as Thawte or Verisign. Check out the
>>OpenCA project for an example of what's being done with certificate/key
>>management in the Open Source realm.
>>
>>In addition, the OpenVPN distribution contains a small set of scripts
>>which can be used to simplify RSA certificate and key management.
>>
>>---end of quote----
>>
>>Andrew Thrift wrote:
>>    
>>
>>>I used these certificates but still get:
>>>
>>>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
>>>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>>>Jan 24 18:45:33 	openvpn[79]: 10.0.50.56:6025 TLS Error: TLS handshake failed
>>>
>>>in the logs on the server m0n0wall.
>>>
>>>And yes, I have opened 5000 UDP.
>>>
>>>
>>>Any ideas?
>>>
>>>On Mon, 25 Oct 2004 08:21, Andre Maoro wrote:
>>>      
>>>
>>>>Thanks a lot.
>>>>Should open my eyes when looking for answers :)
>>>>
>>>>Andreas Busch wrote:
>>>>        
>>>>
>>>>>You can find test certificates in the Linux source tarball on
>>>>>http://openvpn.sf.net
>>>>>A howto to generate your own certificates is also published on
>>>>>http://openvpn.sf.net
>>>>>
>>>>>Please be careful with the test certificates: they are public and very
>>>>>dangerous for a production deployment.
>>>>>
>>>>>Andre Maoro wrote:
>>>>>          
>>>>>
>>>>>>Hi!
>>>>>>First of all, great job Manuel! I love m0n0 and the new features in
>>>>>>1.2b2 are great!
>>>>>>Thank you!
>>>>>>
>>>>>>Now to my question:
>>>>>>
>>>>>>I've been using OpenVPN for a long time now, but now monowall supports it
>>>>>>itself, which is in fact really cool, but I can't get it to run with
>>>>>>this SSL stuff.
>>>>>>I always used the static key method to authenticate my clients, but
>>>>>>mono wants me to use the safe way, and I'm really not familiar with
>>>>>>SSL. I spent this afternoon reading the readme files and trying
>>>>>>things out, but I didn't get it to run.
>>>>>>
>>>>>>Is there anyone who could tell me what exactly I have to do?
>>>>>>I need to know which certificates and keys I need for the server (mono)
>>>>>>and also for my clients. Some are Windows boxes, some of them are
>>>>>>running Linux.
>>>>>>I also have a Linux box, which is my current OpenVPN server, so I have
>>>>>>all the tools I need to generate those certificates etc.
>>>>>>
>>>>>>It would be great if anyone would tell me step-by-step what I have to
>>>>>>do to generate the certificates and keys, which of them I have to give
>>>>>>to my clients, and where they have to put them.
>>>>>>
>>>>>>Or is there a way to use the easier method with the static keys? I know
>>>>>>that this isn't really safe, but it's safe enough for my purpose...
>>>>>>
>>>>>>Thanks in advance and please excuse my English ;)
>>>>>>
>>>>>>Greets,
>>>>>>Andre
>>>>>>
>>>>>>---------------------------------------------------------------------
>>>>>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>>>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
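The certificate procedure quoted from the OpenVPN documentation above (edit openssl.cnf, initialise index.txt and serial, create the CA pair, sign office/home requests, generate DH parameters), as an added, runnable example that is not from this thread or from the OpenVPN project. It writes its own minimal openssl.cnf instead of editing the system one; the working directory, the CN names, 2048-bit keys and sha256 signatures are assumptions, and a chain check is added at the end because an unverified cert is exactly what produces the "TLS handshake failed" lines in the logs.

```shell
#!/bin/sh
# Added example (not the thread's or OpenVPN's own code): CA + office/home
# certificate pairs as in the quoted procedure, with a self-contained
# openssl.cnf. Assumed: target directory in $1, CN names, 2048-bit keys, sha256.
set -e

build_vpn_pki() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"                # index.txt starts empty
  echo 01 > "$dir/serial"             # initial serial number
  # The fields the docs say to set: dir, default_days, certificate,
  # private_key, the database/serial files and default_bits.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/my-ca.key
default_days = 3650
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
default_bits = 2048
distinguished_name = req_dn
[ req_dn ]
EOF
  ( cd "$dir"
    # Master CA pair, valid 10 years, key left unencrypted (-nodes) as in the docs
    openssl req -nodes -new -x509 -config openssl.cnf -subj "/CN=example-vpn-ca" \
      -keyout my-ca.key -out my-ca.crt -days 3650 2>/dev/null
    for host in office home; do
      openssl req -nodes -new -config openssl.cnf -subj "/CN=$host" \
        -keyout "$host.key" -out "$host.csr" 2>/dev/null
      openssl ca -batch -config openssl.cnf -out "$host.crt" -in "$host.csr" 2>/dev/null
    done
    openssl dhparam -out dh1024.pem 1024 2>/dev/null
    chmod 600 ./*.key )               # only the .key files are non-public
}

# Returns 0 only if every issued certificate chains to my-ca.crt
verify_vpn_pki() {
  for host in office home; do
    openssl verify -CAfile "$1/my-ca.crt" "$1/$host.crt" >/dev/null 2>&1 || return 1
  done
}
```

Run `build_vpn_pki /path/to/keys && verify_vpn_pki /path/to/keys` before copying home.crt, home.key and my-ca.crt to the client; a failing verify means the client cert was not signed by the CA the server trusts.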