[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] man in the middle (mitm) attacks.

  • Subject: Re: [Openvpn-users] man in the middle (mitm) attacks.
  • From: Oliver Schinagl <oliver@xxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 15:53:39 +0200

Heh, I did solve it with that last method.

So i would recommend replacing the bit about mitm attacks on the howto with:

You can build your server certificates with the *build-key-server*
script (see the easy-rsa <http://openvpn.net/easyrsa.html> documentation
for more info). This will designate the certificate as a server-only
certificate by setting the right attributes. The client certificates
still need to be built with the *build-req* script and be signed with
the *sign-req* scripts. Now add the following line to your client

Optionally a mention could me made such as:
To test your certificates you can use the following commands.
For the server certificate:  openssl verify -CAfile ca.crt -purpose
sslserver server.crt
For the client certicicate: openssl verify -CAfile ca.crt -purpose
sslclient clientN.crt

Will the annoying 'IMPORTANT' message be removed starting with 2.1? (Mon
Jun  4 15:44:20 2007 IMPORTANT: OpenVPN's default port number is now
1194, based on an official port number assignment by IANA.  OpenVPN
2.0-beta16 and earlier used 5000 as the default port. I'm speaking off.)
I reccon that at 2.1 people should 'know' this by then?



Oliver Schinagl wrote:
> Hi, I've been a happy openvpn user for quite a while now, but I recently
> decided to change my network layout and this required recertification so
> I figured i'd 'tweak' my config a bit.
> I currently have a working 2.09 openwrt openvpn build as a server using
> the tap interface unbridged. And my a 2.07 ebuid on my gentoo box. I
> could use it as a device with it's own ip and maybe bridge it (i used to
> do this before) but i only want clients to be able to communicate with
> eachother) so left it 'floating' so to speak. (Quick question in
> between, I read everywhere that I should use bridging with the tap
> device, but If i'd add a simple route, Packets would traverse up the
> tunnel normally anyway right? e.g. I have 10.* network configured on my
> router for my LAN, and the tap interface has as it's own
> ip. If i add a simple route to the 192.168.13/24 network via tap0 i
> could simple access the network from any of my hosts connected to the
> router with a 10.* ip correct?)
> So what always has been bothering me with my current setup is that I
> always get the warning that i'm not protected against the mitm attack.
> So with the afforementioned upgrade, I decided it was time to look into
> this and 'fix' it if possible.
> >From the link http://openvpn.net/howto.html#mitm I get that with the pre
> 2.1 built, I'd simply use the *build-key-server* script found in the
> easy-rsa dir and enable the *ns-cert-type server* flag in my client
> config file. (the only difference would be to use *remote-cert-tls
> server* with 2.1 right?). So here's what I've done, as I figure it's all
> in the key's creation segment and such.
> first I'll load the vars and runa clean-all and verify the key dir is
> empty. Check.
> then, ./build-ca; ./build-inter inter; ./build-dh.
> Now, I used to run ./buil-req server; ./sign-req server for the server
> cert, followed by ./build-req client1; ./sign-req client1; ./build-req
> client2; ./sign-req client2 etc for the clients.
> a simple run of: openssl verify -CAfile ca.crt -purpose sslclient
> server.crt, client1.crt etc gave no errors. generate a ta.key and copy
> crt/key files to my test boxen, start server, start clients, all go! And
> that's what my setup looked like since openvpn 2.0.
> Now I tried the following, ./build-ca; ./build-inter inter; ./build-dh,
> followed by a ./build-key-server server; ./build-key-server client1 etc.
> openssl verify -CAfile ca.crt -purpose sslclient server.crt now gave an
> error. This error was simply resolved with a ./sign-req server (doesn't
> the build-key-server script do this by default? it did commit something
> to the database).
> However, building and signing all keys/certs still resulted in errors,
> something a long the lines of:
> Sun Jun  3 18:03:50 2007 1.x.y.3:33078 VERIFY ERROR: depth=0,
> error=unsupported certificate purpose:
> /C=xx/ST=xx/L=xxxx/O=xx/OU=xxx/CN=oliver/emailAddress=xxx@xxxxxxx
> Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS_ERROR: BIO read
> tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
> Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS object -> incoming
> plaintext read error
> Sun Jun  3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS handshake failed
> One more thing i'll try tomorrow, which I only noticed while reading
> this e-mail, mix-n-match.
> ./build-key-server server only for my server certificate, and ./sign-req
> it. and for my clients use the old ./build-req client1; ./sign-req
> client1 it. Though I'd appreciate early feedback in telling me that's
> wrong aswell.
> So where am I going wrong here? Why doesn't the howto mention MitM
> attacks anywhere? If it's so easy, then the writings about it are to
> complicated :) or very easly over read. If the solution I pointed out is
> 'the' solution, mention it in the howto, 'build the server certificate
> with script a, and build the clients with script b. and don't forget to
> sign all certicicate's includeing the servers! to check certicicates use
> openssl verify -CAfile ca.crt -purpose sslserver server.crt and openssl
> verify -CAfile ca.crt -purpose sslclient client.crt to check your scripts'
> Thanks,
> Oliver
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

Openvpn-users mailing list