Heh, I did solve it with that last method. So I would recommend replacing
the bit about MITM attacks on the howto with:

You can build your server certificates with the *build-key-server* script
(see the easy-rsa <http://openvpn.net/easyrsa.html> documentation for more
info). This will designate the certificate as a server-only certificate by
setting the right attributes. The client certificates still need to be
built with the *build-req* script and be signed with the *sign-req* script.
Now add the following line to your client configuration:

Optionally a mention could be made such as:

To test your certificates you can use the following commands.
For the server certificate:

    openssl verify -CAfile ca.crt -purpose sslserver server.crt

For the client certificate:

    openssl verify -CAfile ca.crt -purpose sslclient clientN.crt

P.S. Will the annoying 'IMPORTANT' message be removed starting with 2.1?
(Mon Jun 4 15:44:20 2007 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA. OpenVPN
2.0-beta16 and earlier used 5000 as the default port. I'm speaking of.)
I reckon that at 2.1 people should 'know' this by then?

Thanks,

Oliver

Oliver Schinagl wrote:
> Hi, I've been a happy openvpn user for quite a while now, but I recently
> decided to change my network layout and this required recertification, so
> I figured I'd 'tweak' my config a bit.
>
> I currently have a working 2.09 openwrt openvpn build as a server using
> the tap interface unbridged, and a 2.07 ebuild on my gentoo box. I
> could use it as a device with its own IP and maybe bridge it (I used to
> do this before), but I only want clients to be able to communicate with
> each other, so I left it 'floating' so to speak. (Quick question in
> between: I read everywhere that I should use bridging with the tap
> device, but if I'd add a simple route, packets would traverse up the
> tunnel normally anyway, right? E.g. I have a 10.* network configured on my
> router for my LAN, and the tap interface has 192.168.13.1 as its own
> IP. If I add a simple route to the 192.168.13/24 network via tap0 I
> could simply access the network from any of my hosts connected to the
> router with a 10.* IP, correct?)
>
> So what has always been bothering me with my current setup is that I
> always get the warning that I'm not protected against the MITM attack.
> So with the aforementioned upgrade, I decided it was time to look into
> this and 'fix' it if possible.
>
> From the link http://openvpn.net/howto.html#mitm I get that with the pre
> 2.1 build, I'd simply use the *build-key-server* script found in the
> easy-rsa dir and enable the *ns-cert-type server* flag in my client
> config file. (The only difference would be to use *remote-cert-tls
> server* with 2.1, right?) So here's what I've done, as I figure it's all
> in the key's creation segment and such.
>
> First I'll load the vars and run a clean-all and verify the key dir is
> empty. Check.
> Then, ./build-ca; ./build-inter inter; ./build-dh.
> Now, I used to run ./build-req server; ./sign-req server for the server
> cert, followed by ./build-req client1; ./sign-req client1; ./build-req
> client2; ./sign-req client2 etc. for the clients.
> A simple run of: openssl verify -CAfile ca.crt -purpose sslclient
> server.crt, client1.crt etc. gave no errors. Generate a ta.key and copy
> crt/key files to my test boxen, start server, start clients, all go! And
> that's what my setup has looked like since openvpn 2.0.
>
> Now I tried the following: ./build-ca; ./build-inter inter; ./build-dh,
> followed by ./build-key-server server; ./build-key-server client1 etc.
> openssl verify -CAfile ca.crt -purpose sslclient server.crt now gave an
> error. This error was simply resolved with a ./sign-req server (doesn't
> the build-key-server script do this by default? It did commit something
> to the database).
>
> However, building and signing all keys/certs still resulted in errors,
> something along the lines of:
> Sun Jun 3 18:03:50 2007 1.x.y.3:33078 VERIFY ERROR: depth=0,
> error=unsupported certificate purpose:
> /C=xx/ST=xx/L=xxxx/O=xx/OU=xxx/CN=oliver/emailAddress=xxx@xxxxxxx
> Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS_ERROR: BIO read
> tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS object -> incoming
> plaintext read error
> Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS handshake failed
>
> One more thing I'll try tomorrow, which I only noticed while reading
> this e-mail: mix-n-match.
>
> ./build-key-server server only for my server certificate, and ./sign-req
> it, and for my clients use the old ./build-req client1; ./sign-req
> client1. Though I'd appreciate early feedback in telling me that's
> wrong as well.
>
> So where am I going wrong here? Why doesn't the howto mention MitM
> attacks anywhere? If it's so easy, then the writings about it are too
> complicated :) or very easily overread. If the solution I pointed out is
> 'the' solution, mention it in the howto: 'build the server certificate
> with script a, and build the clients with script b, and don't forget to
> sign all certificates, including the server's! To check certificates use
> openssl verify -CAfile ca.crt -purpose sslserver server.crt and openssl
> verify -CAfile ca.crt -purpose sslclient client.crt to check your scripts'
>
> Thanks,
>
> Oliver
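The purpose checks Oliver runs by hand, reproduced as an added example that is not code from the thread, OpenVPN or easy-rsa: it builds a throwaway CA plus three constructed leaf certificates and prints which of them `openssl verify` accepts as a server and as a client, so the "unsupported certificate purpose" error and the reason for the MITM warning (a certificate with no purpose extension passes both checks) can be seen side by side. It assumes openssl 1.1.1 or newer on PATH; all subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenVPN or easy-rsa. It rebuilds
# the "openssl verify -purpose ..." checks from the e-mail in a throwaway
# directory with a constructed CA and three constructed leaf certificates.
# Assumes openssl 1.1.1 or newer on PATH; all names and subjects are made up.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# make_cert NAME EXTLINE: EC key + CSR, signed by ca.crt with EXTLINE as the
# only extension the signer adds.
make_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
    printf '%s\n' "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# purpose_ok CERT PURPOSE: exit 0 if CERT chains to ca.crt and is allowed for
# PURPOSE (sslserver or sslclient), the same check run by hand in the mail.
purpose_ok() {
    openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1
}

# Constructed self-signed CA, marked CA:TRUE so verify accepts it as issuer.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -subj "/CN=Example CA" -out ca.csr 2>/dev/null
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.crt 2>/dev/null

make_cert server "nsCertType = server"    # the attribute ns-cert-type server looks for
make_cert client "nsCertType = client"
make_cert legacy 'nsComment = "no purpose extension"'   # old build-req/sign-req style

# Purpose matrix. server.crt is rejected for sslclient (the "unsupported
# certificate purpose" error in the mail once a client was given a server
# cert), while legacy.crt passes both: without ns-cert-type server in the
# client config, any certificate from this CA could pose as the server.
for crt in server.crt client.crt legacy.crt; do
    for purpose in sslserver sslclient; do
        if purpose_ok "$crt" "$purpose"; then res=OK; else res=REJECTED; fi
        printf '%-11s %-10s %s\n' "$crt" "$purpose" "$res"
    done
done
```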