Hi,

I've been a happy OpenVPN user for quite a while now, but I recently decided to change my network layout and this required recertification, so I figured I'd 'tweak' my config a bit. I currently have a working 2.09 OpenWrt OpenVPN build as a server using the tap interface unbridged, and a 2.07 ebuild on my Gentoo box. I could use it as a device with its own IP and maybe bridge it (I used to do this before), but I only want clients to be able to communicate with each other, so I left it 'floating', so to speak.

(Quick question in between: I read everywhere that I should use bridging with the tap device, but if I'd add a simple route, packets would traverse up the tunnel normally anyway, right? E.g. I have a 10.* network configured on my router for my LAN, and the tap interface has 192.168.13.1 as its own IP. If I add a simple route to the 192.168.13/24 network via tap0, I could simply access the network from any of my hosts connected to the router with a 10.* IP, correct?)

So what has always been bothering me with my current setup is that I always get the warning that I'm not protected against the MITM attack. So with the aforementioned upgrade, I decided it was time to look into this and 'fix' it if possible.

From the link http://openvpn.net/howto.html#mitm I get that with the pre-2.1 build, I'd simply use the *build-key-server* script found in the easy-rsa dir and enable the *ns-cert-type server* flag in my client config file. (The only difference would be to use *remote-cert-tls server* with 2.1, right?)

So here's what I've done, as I figure it's all in the key creation segment and such. First I'll load the vars, run a clean-all and verify the key dir is empty. Check. Then: ./build-ca; ./build-inter inter; ./build-dh. Now, I used to run ./build-req server; ./sign-req server for the server cert, followed by ./build-req client1; ./sign-req client1; ./build-req client2; ./sign-req client2 etc. for the clients. A simple run of:

openssl verify -CAfile ca.crt -purpose sslclient server.crt, client1.crt etc.

gave no errors. Generate a ta.key and copy crt/key files to my test boxen, start server, start clients, all go! And that's what my setup has looked like since OpenVPN 2.0.

Now I tried the following: ./build-ca; ./build-inter inter; ./build-dh, followed by ./build-key-server server; ./build-key-server client1 etc. openssl verify -CAfile ca.crt -purpose sslclient server.crt now gave an error. This error was simply resolved with a ./sign-req server (doesn't the build-key-server script do this by default? It did commit something to the database). However, building and signing all keys/certs still resulted in errors, something along the lines of:

Sun Jun 3 18:03:50 2007 1.x.y.3:33078 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=xx/ST=xx/L=xxxx/O=xx/OU=xxx/CN=oliver/emailAddress=xxx@xxxxxxx
Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:lib(20):func(137):reason(178)
Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS object -> incoming plaintext read error
Sun Jun 3 18:03:50 2007 1.x.y.3:33078 TLS Error: TLS handshake failed

One more thing I'll try tomorrow, which I only noticed while reading this e-mail: mix-n-match. ./build-key-server server only for my server certificate, and ./sign-req it, and for my clients use the old ./build-req client1; ./sign-req client1. Though I'd appreciate early feedback telling me that's wrong as well.

So where am I going wrong here? Why doesn't the howto mention MITM attacks anywhere? If it's so easy, then the writings about it are too complicated :) or very easily overlooked. If the solution I pointed out is 'the' solution, mention it in the howto: 'build the server certificate with script a, and build the clients with script b, and don't forget to sign all certificates, including the server's! To check certificates use openssl verify -CAfile ca.crt -purpose sslserver server.crt and openssl verify -CAfile ca.crt -purpose sslclient client.crt to check your scripts.'

Thanks,

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
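An added example, not code from the original post or from the OpenVPN/easy-rsa projects: a shell script that builds a throwaway CA, a server certificate with the extensions easy-rsa 2's build-key-server is assumed to add (nsCertType=server, serverAuth), a plain client certificate, and a client certificate wrongly issued with the server extensions, then runs the openssl verify -purpose checks proposed above. It assumes the openssl command-line tool is installed; the extension contents and file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, a server cert with
# the extensions easy-rsa's build-key-server adds (assumed: nsCertType=server, serverAuth),
# a plain client cert, and a client cert wrongly given the server extensions; then run
# the openssl verify -purpose checks from the post. Requires the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal openssl config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
# Server extensions (assumption: what easy-rsa 2's [server] section sets) and client ones.
printf 'nsCertType = server\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' > server_ext.cnf
printf 'keyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > client_ext.cnf

# Throwaway CA (constructed test data, one-day validity).
openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -days 1 -subj "/CN=Test CA" 2>/dev/null

# issue_cert NAME EXTFILE: CSR for NAME, signed by the test CA with the given extensions.
issue_cert() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$2" -out "$1.crt" 2>/dev/null
}
issue_cert server server_ext.cnf
issue_cert client1 client_ext.cnf
issue_cert wrongclient server_ext.cnf   # a client cert made with the server extensions

# check_purpose CERT PURPOSE: succeeds if openssl accepts CERT for PURPOSE (sslserver/sslclient).
check_purpose() { openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; }
# has_ns_server CERT: succeeds if CERT carries nsCertType with the SSL Server bit,
# which is what a pre-2.1 client checks with 'ns-cert-type server'.
has_ns_server() { openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'; }
# Report: the server cert should pass sslserver only, client certs sslclient only.
for c in server client1 wrongclient; do
  for p in sslserver sslclient; do
    if check_purpose "$c.crt" "$p"; then r=accepted; else r=REJECTED; fi
    echo "$c.crt as $p: $r"
  done
done
```

The wrongclient.crt line in the report reproduces the "unsupported certificate purpose" rejection: a certificate carrying the server extensions is refused when checked as an SSL client.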