[Openvpn-users] Going mad trying to figure out RSA/TLS encryption


  • Subject: [Openvpn-users] Going mad trying to figure out RSA/TLS encryption
  • From: Rupert Heesom <rupert@xxxxxxxxxxxxx>
  • Date: Fri, 18 Feb 2005 02:28:26 +0000

Hi  :-(

I'm trying to install OpenVPN between a Linux server and WinXP client.  I'm using v2 of OpenVPN 'cause my XP is SP2.

I've managed to get a shared-key 1-to-1 tunnel working, but I want a 1-to-many VPN from the Linux server.  Thus I'm trying to get TLS encryption working with all those keys, certs, etc.

I've read through multiple sets of docs multiple times, but I'm still somewhat confused....

Using the "easy-rsa" scripts that come with the source, I've managed to successfully run build-ca, build-inter (although I understand not strictly necessary), and build-dh.  build-key-server doesn't seem to like being signed.  I keep getting an error that the TXT database can't be updated, Error 2.  

I noticed that the intermediate cert was being signed, so I tried revoking the sig from the Intermed crt.   Suddenly using sign-req actually worked for the main ServerCert.crt - the "TXT" database was updated.

Having said all the above, I still don't know what I'm doing - don't understand much of what the "signing" is about etc.

All I'm really looking for is a SIMPLE writeup of how RSA/TLS encryption is supposed to work.  Most of the docs are in too much depth to be any use.    All I need to know is 1) Which files to generate and how  2)  Where each file goes - server or client  3)  How to ensure that the conf files are specified correctly for both server and client.

I'm sure there are no simple docs lying around - they all seem to be written by engineers who don't know how to think simply anymore!   Perhaps there is someone who wouldn't mind a QUICK tutorial?

In the meantime I'll muddle on and see how far I get... !

--
Rupert Heesom <rupert@xxxxxxxxxxxxx>