Mailinglist Archive: opensuse (1318 mails)

[Patrik Hasibuan <patrikhasibuan@xxxxxxxxx>]

Hi Theo.

You solved my problem. Thank you thousand times.....

I really appreciate your help.

Best regards,
Patrik Hasibuan.
--- On Sat, 11/1/08, Theo van Werkhoven <t.v.werkhoven@xxxxxxxxx> wrote:

> From: Theo van Werkhoven <t.v.werkhoven@xxxxxxxxx>
> Subject: Re: [opensuse] Building VPN network with OpenVPN and 
> OpenSuSE11-->TLS negotiation.
> To: opensuse@xxxxxxxxxxxx
> Date: Saturday, November 1, 2008, 9:41 AM
> Patrik Hasibuan wrote:
> > But the client still can not connect to the
> openvpn-server. The error message is about TLS problem.
> I've tried to browse in the internet looking for the
> solution. It seems many people have the same problem.
> > What should I do now? What steps should I actually do
> to make the TLS negotiation works properly?
> > I put the content of my current 'client.conf'
> and the '/var/log/messages'. 
> > =========
> > Here's on the client-side.
> > =========
> > sussy-MND:~ # cat /etc/openvpn/client.conf
> [..]
> > ns-cert-type client
>                ^^^^^^
> Have you, sorry to be brute, even bothered to read
> openvpn's man page?
>        --ns-cert-type client|server
>               Require that peer certificate was signed with
> an explicit nsCertType des-
>               ignation of "client" or
> "server".
>
>               This  is  a  useful  security option for
> clients, to ensure that the host
>               they connect with is a designated server.
>
>               See the easy-rsa/build-key-server script for
> an example of how to  gener-
>               ate a certificate with the nsCertType field
> set to "server".
>
>               If the server certificate's nsCertType
> field is set to "server", then the
>               clients can verify this with --ns-cert-type
> server.
>
>               This is an important security precaution to
> protect against a man-in-the-
>               middle  attack  where an authorized client
> attempts to connect to another
>               client by impersonating the server.  The
> attack is  easily  prevented  by
>               having  clients verify the server certificate
> using any one of --ns-cert-
>               type, --tls-remote, or --tls-verify.
>
> Thus ns-sert-type must be 'server' on the
> clients' side.
>
> > =========
> > Here's on the server-side.
> > =========
> > mysussy:~ # cat /etc/openvpn/server.conf
> > local 219.83.114.179
>
> This *is* the server's external IP address right? To be
> clear: it must be the address of
> the WAN (external) interface, so if you're using e.g. a
> NAT device (e.g. an ADSL modem),
> you must set the address on the 'inside', e.g.
> 10.0.0.138.
>
> > ns-cert-type server
>
> This doesn't belong in the server's config file.
>
> > mysussy:~ # tail -n 40 /var/log/messages
> > Nov  1 10:07:59 mysussy kernel: ll header:
> ff:ff:ff:ff:ff:ff:00:0e:0c:3e:9e:86:08:06
>
> And you need to wise-up your firewall or your route-table.
>
> Theo
> -- 
> Theo v. Werkhoven,  NL (ICBM 52 13 26N , 4 29 47E).
> A casual stroll through the lunatic asylum shows that faith
> does not
> prove anything.
>         Friedrich Nietzsche
>         German philosopher (1844 - 1900)
> -- 
> To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
> For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx


      

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx