
[Openvpn-users] SSL/TLS Configuration


  • Subject: [Openvpn-users] SSL/TLS Configuration
  • From: Doug Lytle <support@xxxxxxxxxx>
  • Date: Sun, 12 Sep 2004 19:19:27 -0400

I was wondering if somebody could look over my configuration and pick it apart and also answer a question or two.

First what I have done:

1). Created Master CA with 2048-bit crypt.

openssl req -nodes -new -newkey rsa:2048 -x509 -keyout server-ca.key -out server-ca.crt -days 3650

2). Created Server side Private Key and Public Certificate:

Server:
openssl req -nodes -new -keyout vpnserver.key -out vpnserver.csr
openssl ca -out vpnserver.crt -in vpnserver.csr

3). Created Client side Private Key and Public Certificate:

Client:
openssl req -nodes -new -keyout d.lytle.laptop.key -out d.lytle.laptop.csr
openssl ca -out d.lytle.laptop.crt -in d.lytle.laptop.csr

4). Created the initial dh2048.pem file:

openssl dhparam -out dh2048.pem 2048

5). Copy the dh2048.pem into the /etc/openvpn/keys directory
6). Copy the master-ca.crt, vpnserver.key and vpnserver.crt into the /etc/openvpn/keys directory
7). Copy the d.lytle.laptop.key and .crt files to my configs directory on my WinXP laptop


Set up the following configuration on the server:

## Device Type
dev tap9

## Server mode
tls-server

## UDP Port
port 5015

## Change ROOT to the openvpn directory
chroot /etc/openvpn

## User and Group to run the process as
user nobody
group nogroup

## Client Configs
client-config-dir clients

## Server's Subnet
ifconfig 192.168.200.100 255.255.255.0

## Pool of Addresses available to clients
ifconfig-pool 192.168.200.101 192.168.200.200

## Authentication
dh keys/dh2048.pem

## Public Certificate Authority
ca keys/private/server-ca.crt

## Server's Public Certificate
cert keys/vpnserver.crt

## Server's Private Key
key keys/vpnserver.key

## Compression on
comp-lzo

## Restart Control
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

-----snip-----

This all seems to work fine, except when I got up this morning, the tap9 was down, the contents of my keys directory were empty and I had an error message that my certificate had expired. The date/time on that box is fine and it's the same box the certificates were created on.

Any suggestions would be appreciated.

Doug
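The steps above, rebuilt as an added example that is not part of the original post and not code from the OpenVPN project. It recreates the three-certificate PKI (CA, vpnserver, d.lytle.laptop) in a scratch directory and then checks what the post's error message is about: the validity window of each certificate and whether each one chains to server-ca.crt. Assumptions: an `openssl` binary on PATH; the leaf certificates are signed with `openssl x509 -req` instead of `openssl ca`, so no CA database or stock openssl.cnf is needed (the minimal req config is constructed inline); the subject names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the post's PKI in a
# scratch directory and check certificate validity windows with openssl.
# Assumes an `openssl` binary on PATH. Leaf certs are signed with
# `openssl x509 -req`, not `openssl ca`, so no CA database is needed.
set -eu

# Minimal openssl.cnf (constructed here) so `req` runs non-interactively on
# any OpenSSL version; v3_ca marks the root as a CA like the stock config does.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca

[ dn ]
CN = placeholder-overridden-by-subj

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_pki DIR LEAF_DAYS: 10-year CA plus vpnserver and d.lytle.laptop leaf
# certs valid for LEAF_DAYS each. File names follow the post.
make_pki() {
    pki_dir=$1
    leaf_days=$2
    cfg="$pki_dir/req.cnf"
    write_req_config "$cfg"

    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cfg" -subj "/CN=OpenVPN Master CA" \
        -keyout "$pki_dir/server-ca.key" -out "$pki_dir/server-ca.crt" 2>/dev/null

    for name in vpnserver d.lytle.laptop; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -config "$cfg" -subj "/CN=$name" \
            -keyout "$pki_dir/$name.key" -out "$pki_dir/$name.csr" 2>/dev/null
        # Lifetime is set explicitly here. With `openssl ca` it comes from
        # default_days in openssl.cnf unless -days is passed; the -days given
        # when the CA cert itself was made does not carry over to the leaves.
        openssl x509 -req -in "$pki_dir/$name.csr" \
            -CA "$pki_dir/server-ca.crt" -CAkey "$pki_dir/server-ca.key" -CAcreateserial \
            -days "$leaf_days" -sha256 -out "$pki_dir/$name.crt" 2>/dev/null
    done
}

# cert_dates CERT: print subject and the notBefore/notAfter window.
cert_dates() {
    openssl x509 -noout -subject -startdate -enddate -in "$1"
}

# cert_valid_now CERT: exit 0 if notAfter is still in the future.
# Caveat: -checkend only tests notAfter. A cert whose notBefore is in the
# future (clock skew between CA and server) passes here but still fails TLS.
cert_valid_now() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# cert_expires_within_days CERT DAYS: exit 0 if CERT expires within DAYS days.
cert_expires_within_days() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# verify_chain CA CERT: exit 0 if CERT chains to CA, the check behind
# OpenVPN's `ca` option.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir" 365
for name in vpnserver d.lytle.laptop; do
    cert="$demo_dir/$name.crt"
    cert_dates "$cert"
    if cert_valid_now "$cert"; then echo "$name: valid now"; else echo "$name: EXPIRED"; fi
    if cert_expires_within_days "$cert" 30; then echo "$name: expires within 30 days"; fi
    verify_chain "$demo_dir/server-ca.crt" "$cert" && echo "$name: chains to server-ca.crt"
done
rm -rf "$demo_dir"
```

Run the same `cert_dates` and `verify_chain` checks against the files actually in /etc/openvpn/keys: `-startdate`/`-enddate` show the window the CA wrote into each certificate, and `openssl verify -CAfile` confirms the server's `ca` file is the one that signed vpnserver.crt.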




____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users