Mailinglist Archive: opensuse (1318 mails)

Re: [opensuse] Building VPN network with OpenVPN and OpenSuSE11-->TLS negotiation.
  • From: Theo van Werkhoven <t.v.werkhoven@xxxxxxxxx>
  • Date: Sat, 01 Nov 2008 10:41:37 +0100
  • Message-id: <490C2451.1040006@xxxxxxxxx>
Patrik Hasibuan wrote:
> But the client still cannot connect to the openvpn-server. The error message
> is about a TLS problem. I've tried to browse the internet looking for the
> solution. It seems many people have the same problem.
>
> What should I do now? What steps should I actually do to make the TLS
> negotiation work properly?
>
> I put the content of my current 'client.conf' and the '/var/log/messages'.
> =========
> Here's on the client-side.
> =========
> sussy-MND:~ # cat /etc/openvpn/client.conf
> [..]
> ns-cert-type client
^^^^^^
Have you, sorry to be brute, even bothered to read openvpn's man page?
    --ns-cert-type client|server
        Require that peer certificate was signed with an explicit nsCertType
        designation of "client" or "server".

        This is a useful security option for clients, to ensure that the host
        they connect with is a designated server.

        See the easy-rsa/build-key-server script for an example of how to
        generate a certificate with the nsCertType field set to "server".

        If the server certificate's nsCertType field is set to "server", then
        the clients can verify this with --ns-cert-type server.

        This is an important security precaution to protect against a
        man-in-the-middle attack where an authorized client attempts to connect
        to another client by impersonating the server. The attack is easily
        prevented by having clients verify the server certificate using any one
        of --ns-cert-type, --tls-remote, or --tls-verify.

Thus ns-cert-type must be 'server' on the clients' side.

> =========
> Here's on the server-side.
> =========
> mysussy:~ # cat /etc/openvpn/server.conf
> local 219.83.114.179

This *is* the server's external IP address, right? To be clear: it must be the
address of the WAN (external) interface, so if you're using e.g. a NAT device
(e.g. an ADSL modem), you must set the address on the 'inside', e.g. 10.0.0.138.

> ns-cert-type server

This doesn't belong in the server's config file.

> mysussy:~ # tail -n 40 /var/log/messages
> Nov 1 10:07:59 mysussy kernel: ll header: ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06

And you need to wise up your firewall or your route table.

Theo
--
Theo v. Werkhoven, NL (ICBM 52 13 26N , 4 29 47E).
A casual stroll through the lunatic asylum shows that faith does not
prove anything.
Friedrich Nietzsche
German philosopher (1844 - 1900)
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
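The three points Theo raises above (the client must demand a server-typed peer certificate, the server must not demand one, and `local` must be an address the host actually has) can be checked mechanically before trying to connect. The following is an added example written for this archive page; it is not part of the thread and not OpenVPN's own code. It parses a client and a server config the way OpenVPN reads them (one directive per line, lines starting with `#` or `;` are comments) and reports the mistakes from the thread. It also accepts `remote-cert-tls server`, the directive that replaced `ns-cert-type` in OpenVPN 2.1 and later (`ns-cert-type` was removed in 2.5). The sample configs, the remote host name `vpn.example.net`, the certificate file names and the host address list are constructed for the example; 219.83.114.179 and 10.0.0.138 are the addresses quoted in the thread.

```python
"""Lint an OpenVPN client/server config pair for the peer-certificate-type
and 'local' address mistakes discussed in the thread (added example)."""
from __future__ import annotations


def parse_directives(text: str) -> dict[str, list[str]]:
    """Parse OpenVPN-style config text into {directive: [argument string, ...]}.

    OpenVPN reads one directive per line; lines whose first non-blank
    character is '#' or ';' are comments. A directive may appear more than
    once, so every occurrence is kept in order.
    """
    out: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        out.setdefault(name, []).append(" ".join(args))
    return out


def check_configs(client_conf: str, server_conf: str, host_addrs: list[str]) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean.

    host_addrs is the set of IP addresses configured on the server host
    (behind NAT this is the inside address, not the public one).
    """
    findings: list[str] = []
    c = parse_directives(client_conf)
    s = parse_directives(server_conf)

    # Client side: the client must insist that the peer presents a *server*
    # certificate, otherwise any other authorised client could pose as the
    # server (the man-in-the-middle case the man page warns about).
    client_checks = c.get("ns-cert-type", []) + c.get("remote-cert-tls", [])
    if not client_checks:
        findings.append("client: no 'ns-cert-type server' / 'remote-cert-tls server' check")
    for value in client_checks:
        if value != "server":
            findings.append(f"client: peer certificate type must be 'server', found '{value}'")

    # Server side: requiring a *server*-typed certificate from connecting
    # clients rejects every ordinary client certificate. That check belongs
    # in client.conf, not server.conf.
    for value in s.get("ns-cert-type", []) + s.get("remote-cert-tls", []):
        if value == "server":
            findings.append("server: 'ns-cert-type server' belongs in the client config, not the server config")

    # 'local' must name an address this host owns; behind a NAT device that is
    # the inside address, not the public address seen on the Internet.
    for value in s.get("local", []):
        if value not in host_addrs:
            findings.append(f"server: 'local {value}' is not an address configured on this host")
    return findings


# Constructed sample configs reproducing the mistakes from the thread.
# vpn.example.net and the file names are placeholders for the example.
BROKEN_CLIENT = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
ns-cert-type client
"""

BROKEN_SERVER = """\
local 219.83.114.179
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ns-cert-type server
"""

# Corrected versions: client verifies the *server*, the server drops the
# misplaced directive and binds to the address it actually has behind NAT.
FIXED_CLIENT = BROKEN_CLIENT.replace("ns-cert-type client", "ns-cert-type server")
FIXED_SERVER = BROKEN_SERVER.replace("local 219.83.114.179", "local 10.0.0.138").replace(
    "ns-cert-type server\n", ""
)

# Constructed: addresses configured on the server host (inside the NAT).
HOST_ADDRS = ["10.0.0.138", "127.0.0.1"]

if __name__ == "__main__":
    for label, cl, sv in (("broken", BROKEN_CLIENT, BROKEN_SERVER), ("fixed", FIXED_CLIENT, FIXED_SERVER)):
        print(f"== {label} ==")
        for f in check_configs(cl, sv, HOST_ADDRS) or ["no findings"]:
            print(" -", f)
```

Run against the broken pair it reports exactly the three problems Theo points out; against the fixed pair it reports nothing. The `local` check needs the host's real address list (e.g. from `ip -4 addr`), which is why it is passed in rather than discovered, so the linter can be run on copies of the configs from any machine.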
