
[Openvpn-users] man in the middle (mitm) attacks.

  • Subject: [Openvpn-users] man in the middle (mitm) attacks.
  • From: Oliver Schinagl <oliver@xxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 03:07:04 +0200

Hi, I've been a happy OpenVPN user for quite a while now, but I recently
decided to change my network layout and this required recertification, so
I figured I'd 'tweak' my config a bit.

I currently have a working 2.09 OpenWrt OpenVPN build as a server using
the tap interface unbridged, and a 2.07 ebuild on my Gentoo box. I
could use it as a device with its own IP and maybe bridge it (I used to
do this before), but I only want clients to be able to communicate with
each other, so I left it 'floating' so to speak. (Quick question in
between: I read everywhere that I should use bridging with the tap
device, but if I'd add a simple route, packets would traverse up the
tunnel normally anyway, right? E.g. I have a 10.* network configured on my
router for my LAN, and the tap interface has as its own
IP. If I add a simple route to the 192.168.13/24 network via tap0 I
could simply access the network from any of my hosts connected to the
router with a 10.* IP, correct?)

So what always has been bothering me with my current setup is that I
always get the warning that I'm not protected against the MitM attack.
So with the aforementioned upgrade, I decided it was time to look into
this and 'fix' it if possible.

From the link http://openvpn.net/howto.html#mitm I get that with the pre-2.1
build, I'd simply use the *build-key-server* script found in the
easy-rsa dir and enable the *ns-cert-type server* flag in my client
config file (the only difference would be to use *remote-cert-tls
server* with 2.1, right?). So here's what I've done, as I figure it's all
in the key creation segment and such.

First I'll load the vars and run a clean-all and verify the key dir is
empty. Check.
Then, ./build-ca; ./build-inter inter; ./build-dh.
Now, I used to run ./build-req server; ./sign-req server for the server
cert, followed by ./build-req client1; ./sign-req client1; ./build-req
client2; ./sign-req client2 etc. for the clients.
A simple run of: openssl verify -CAfile ca.crt -purpose sslclient
server.crt, client1.crt etc. gave no errors. Generate a ta.key and copy
crt/key files to my test boxen, start server, start clients, all go! And
that's what my setup looked like since OpenVPN 2.0.

Now I tried the following: ./build-ca; ./build-inter inter; ./build-dh,
followed by ./build-key-server server; ./build-key-server client1 etc.
openssl verify -CAfile ca.crt -purpose sslclient server.crt now gave an
error. This error was simply resolved with a ./sign-req server (doesn't
the build-key-server script do this by default? It did commit something
to the database).

However, building and signing all keys/certs still resulted in errors,
something along the lines of:
Sun Jun  3 18:03:50 2007 1.x.y.3:33078 VERIFY ERROR: depth=0,
error=unsupported certificate purpose:
Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS_ERROR: BIO read
tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS object -> incoming
plaintext read error
Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS handshake failed

One more thing I'll try tomorrow, which I only noticed while reading
this e-mail: mix-n-match.

./build-key-server server only for my server certificate, and ./sign-req
it, and for my clients use the old ./build-req client1; ./sign-req
client1. Though I'd appreciate early feedback in telling me that's
wrong as well.

So where am I going wrong here? Why doesn't the howto mention MitM
attacks anywhere? If it's so easy, then the writings about it are too
complicated :) or very easily overread. If the solution I pointed out is
'the' solution, mention it in the howto: 'build the server certificate
with script a, and build the clients with script b, and don't forget to
sign all certificates including the server's! To check certificates use
openssl verify -CAfile ca.crt -purpose sslserver server.crt and openssl
verify -CAfile ca.crt -purpose sslclient client.crt to check your scripts'
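The script below is an added example and is not part of the original post nor one of easy-rsa's own scripts. It builds a throwaway CA and three leaf certificates in a temporary directory and runs the same "openssl verify -purpose sslserver / sslclient" checks the post describes against each of them. The extension blocks (nsCertType, extendedKeyUsage, keyUsage) are my own assumptions about what separates a server certificate from a client certificate; the names "Demo CA", "vpn-server", "client1" and "no-purpose" are constructed. The third certificate carries no purpose extension at all, which is the case worth noticing: it passes both purpose checks, which is why the old build-req/sign-req workflow never produced a verify error and why the client-side ns-cert-type (or remote-cert-tls in 2.1) check only protects you once the server certificate actually carries a server purpose.

```shell
#!/bin/sh
# Added demo, not from the mailing-list post or from easy-rsa: build a toy PKI
# and compare "openssl verify -purpose ..." results for a server cert, a client
# cert and a cert with no purpose extensions. Extension values are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL config: a no-prompt [req] section plus one extension block
# per certificate role. [bare_ext] deliberately carries no nsCertType/EKU/keyUsage.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = CA:FALSE
nsCertType = server
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash

[ client_ext ]
basicConstraints = CA:FALSE
nsCertType = client
extendedKeyUsage = clientAuth
keyUsage = digitalSignature
subjectKeyIdentifier = hash

[ bare_ext ]
basicConstraints = CA:FALSE
EOF

# new_key_and_csr NAME CN : fresh RSA key plus CSR, no interactive prompts
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# sign_leaf NAME EXT_SECTION SERIAL : CA-sign the CSR with the chosen extension block
sign_leaf() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$3" -days 365 -extfile "$WORK/ext.cnf" -extensions "$2" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_purpose NAME PURPOSE : prints "ok" when the cert chains to the CA and
# satisfies PURPOSE (sslserver or sslclient), "FAIL" otherwise
check_purpose() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# --- build the toy PKI: self-signed CA, then three CA-signed leaves ---
new_key_and_csr ca "Demo CA"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
  -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$WORK/ca.crt" >/dev/null 2>&1

new_key_and_csr server "vpn-server"
sign_leaf server server_ext 1
new_key_and_csr client1 "client1"
sign_leaf client1 client_ext 2
new_key_and_csr bare "no-purpose"
sign_leaf bare bare_ext 3

# --- purpose matrix: the "bare" row passes both checks, which is the trap ---
for name in server client1 bare; do
  printf '%-8s sslserver=%-4s sslclient=%s\n' "$name" \
    "$(check_purpose "$name" sslserver)" "$(check_purpose "$name" sslclient)"
done
```

Run it as a plain sh script with openssl on the PATH. The server row should read sslserver=ok, sslclient=FAIL; the client row the reverse; the bare row ok on both, because openssl only rejects a purpose the certificate explicitly contradicts. The same asymmetry is what a client's ns-cert-type server (nsCertType) or remote-cert-tls server (extendedKeyUsage/keyUsage) check relies on: a client certificate issued from the same CA must fail the server purpose, otherwise any client key holder can impersonate the server.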
