LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 06-19-2016, 12:43 AM   #16
beachboy2
Senior Member
 
Registered: Jan 2007
Location: Wild West Wales, UK
Distribution: Linux Mint 22 MATE, Peppermint OS-Devuan, EndeavourOS
Posts: 4,264
Blog Entries: 48



msdosslave,

Quote:
Nano is a pure revelation. It does exactly what I need.
Pleased to hear it.
 
Old 06-24-2016, 01:56 AM   #17
msdosslave
LQ Newbie
 
Registered: Jun 2016
Posts: 12

Original Poster
Here I am again.

So after the vi problem I faced another one:

The tutorial requires the following actions:

Quote:
cd /etc/openvpn/

make-cadir easy-rsa
ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys

cd easy-rsa

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh


openvpn --genkey --secret tls.key

./build-key client1



cd /etc/openvpn

mkdir client

cp /etc/openvpn/keys/ca.crt .
cp /etc/openvpn/keys/client1.key .
cp /etc/openvpn/keys/client1.crt .
cp /etc/openvpn/keys/dh2048.pem .
cp /etc/openvpn/keys/tls.key .
So my questions are:

1) ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
When I try to create this link, nothing happens. It does not appear in /etc/openvpn/.
And /etc/openvpn/easy-rsa/keys is empty too. Does this command just create a shortcut to the folder? If so, may I make it manually as a shortcut? If not, what is my mistake?

2) cd easy-rsa

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

When I cd to easy-rsa it works fine, but what does this mean?
Are these lines commands or output? I just don't understand.

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh

3) openvpn --genkey --secret tls.key

./build-key client1


Again (command or output line?): the key seems to be generated normally, but what is this?

./build-key client1
 
Old 06-24-2016, 08:31 AM   #18
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,962
Blog Entries: 4

Be sure that you have a clear understanding, uhh, of how Linux commands work in general. When doing OpenVPN, it's really important that you clearly understand "the big picture." That you are not "merely reciting commands" without first understanding what they are and what they do. Believe me, I know how difficult it is! But you really want to be asking: "what" is this step doing, and "why" am I doing it? After each step, poke around in the directory to see which files appeared. And, so on.

For instance, when using "ln -s" to create a symbolic link, the file that is the first argument should exist, and thence, should remain.

Each of the commands that begins with "./" is executing a command in the home directory at that time (easy-rsa). Unlike Windows, Linux does not assume that the mere mention of the name of an executable file in the current directory is your directive to execute that file. The "openvpn" command, on the other hand, is on the $PATH, so it will be found and executed.

Each of the "./" commands is a script, and it might be useful to you to read them, using the "less" command.

Here is a play-by-play of each command you're executing:

. ./vars (or my preferred way to say the same thing: source ./vars ...)
Executes a series of "export" commands to define a set of environment-variables which provide configuration parameters to the remaining steps.

./clean-all
Wipes out everything! But, this is what you want if you're starting from scratch.

./build-ca
Builds a "self-signed Certifying Authority (CA)," which will be used to sign all of the keys that you generate. To cause a server to recognize and accept your keys as valid, you install the ca.crt (public) file that is generated in this step. Any key signed by that CA will be considered legitimate.

./build-key-server server
Builds the public and private keys for a server (coincidentally ...) named server, and marks those keys as "server keys." Clients can be instructed only to connect to a host which presents this type of key, so that another client can't impersonate the server and become a "man in the middle."

./build-dh
This startlingly time-consuming step (a 4096-bit key can take several hours ...) produces the Diffie-Hellman secrets ( "ook VPN voodoo no grok" ) that provide the basic security.

The next steps, not yet mentioned, will be to generate client keys for each unique party that is going to be authorized to connect to the server. The distinguishing feature is the CN = Common Name attribute. Each client should have a unique CN, hence a unique certificate, and OpenVPN should be instructed not to allow multiple simultaneous connections under the same CN name. This is what gives you uniquely revocable certificates.

One thing to remember about crypto is that it is specifically designed to be obtuse. Especially from the client's point-of-view. OpenVPN is much better than IPSec/raccoon (IMHO ...) in what it puts into its server side logs, but even then(!), crypto technologies are circumspect even in "what they log ... anywhere."

The entire point is to give a would-be intruder absolutely nothing to go on. No indication of what is wrong; of why it isn't working. (In the case of OpenVPN tls-auth, no indication that the server is even there!) When you present exactly the right (non-revoked) credentials in exactly the right way, the door opens, and data passes through unimpeded (unless the certificate is subsequently revoked, in which case the door slams shut). If anything is the slightest bit wrong, nothing happens, and there is purposely(!) "no suggestion as to why."

I feel your pain. I felt it, too. (Still do. We all do.)

Last edited by sundialsvcs; 06-24-2016 at 08:38 AM.
 
2 members found this post helpful.
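The play-by-play above, redone as an added example that is not from the thread and not easy-rsa's own scripts: the same build-ca / build-key-server / build-key steps with plain openssl commands in a scratch directory, followed by the two checks the post relies on, namely that only the certificate marked as a "server key" is usable as a server (so a client cannot stand in for it), and that every client certificate carries its own Common Name. The only assumption is that the openssl command-line tool is installed; the extension sets in the embedded config approximate what easy-rsa 2 applies (the later client log in this thread shows the resulting nsCertType=SERVER check).

```shell
#!/bin/sh
# Added example (not from the thread, not easy-rsa code): build-ca,
# build-key-server and build-key done by hand, then the checks that show
# why "server keys" and unique client CNs matter.
# Assumed: the openssl CLI is installed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# Self-contained openssl config (stands in for easy-rsa's openssl-*.cnf).
write_cnf() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF
}

# build_ca DIR: like ./build-ca, a self-signed CA -> DIR/ca.crt (public) + DIR/ca.key (private)
build_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Demo-OpenVPN-CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue DIR NAME CN SECTION: like ./build-key-server (SECTION=server) or
# ./build-key (SECTION=client): new key + CSR, signed by the CA with that
# section's extensions. SECTION is what "marks those keys as server keys".
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/pki.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/pki.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

# usable_as DIR NAME PURPOSE: 0 if DIR/NAME.crt chains to the CA *and* its
# extensions allow PURPOSE (sslserver or sslclient); the same kind of check
# OpenVPN makes with ns-cert-type server / remote-cert-tls server.
usable_as() {
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# cert_cn DIR NAME: print the Common Name in DIR/NAME.crt
cert_cn() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt sep_multiline |
    sed -n 's/^ *CN=//p'
}

# duplicate_client_cns DIR: print every CN shared by more than one client*.crt.
# Empty output means each client has its own identity and can be revoked alone.
duplicate_client_cns() {
  for f in "$1"/client*.crt; do
    cert_cn "$1" "$(basename "$f" .crt)"
  done | sort | uniq -d
}

demo() {
  d=$(mktemp -d)
  write_cnf "$d"
  build_ca "$d"                           # ./build-ca
  issue "$d" server  server  server       # ./build-key-server server
  issue "$d" client1 client1 client       # ./build-key client1
  issue "$d" client2 client2 client       # ./build-key client2
  # ./build-dh would be: openssl dhparam -out "$d/dh2048.pem" 2048 (slow, skipped)
  usable_as "$d" server  sslserver && echo "server.crt: accepted as a server"
  usable_as "$d" client1 sslserver || echo "client1.crt: rejected as a server (cannot stand in for the server)"
  usable_as "$d" client1 sslclient && echo "client1.crt: accepted as a client"
  issue "$d" client3 client1 client       # a mistake: a second cert reusing CN=client1
  echo "duplicate client CNs: $(duplicate_client_cns "$d")"
  echo "artifacts left in $d"
}
demo
```

Run it and read the files it leaves behind with `openssl x509 -in ... -noout -text`; the `X509v3 Netscape Cert Type` and `Extended Key Usage` blocks are the "server key" marking, and the CRL that `revoke-full` would produce is what turns the unique CN into a revocable identity.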
Old 06-24-2016, 09:37 AM   #19
msdosslave
LQ Newbie
 
Registered: Jun 2016
Posts: 12

Original Poster
Thanks for the quick reply. Yes, it is so hard to understand the logic. I am in the process of reading. Will get back soon.

UPD
to sundialsvcs

That was really helpful. It seems I finished the 1st part of this. Trying to make it work.

I faced another problem: I can't zip a folder, as it says no such file or directory. So I just saved it on my local disc, zipped it and moved it back. That's fine for now.

Regarding
Quote:
Be sure that you have a clear understanding
I don't even hope to understand this in the next couple of months. I learn in the process with LQ's help, and it seems to work.

Thanks again for your help everybody.
I am not closing the topic, as I feel I'll be back very, very soon.

Last edited by msdosslave; 06-24-2016 at 08:50 PM.
 
Old 03-11-2017, 04:39 PM   #20
msdosslave
LQ Newbie
 
Registered: Jun 2016
Posts: 12

Original Poster
I got some free time and returned to this OpenVPN dragon.

Still need some help. Please check this:

I got the server-side OpenVPN installed on an ovz box with 1 GB RAM.
Then generated a cert for the client.

Installed the OpenVPN client on a VM, inserted the cert into the .ovpn and connected.

It worked and the OpenVPN tray icon turned green. However, the problem is that it is not working as it should. No real connection is going through it.

I got this log:

Quote:
Sat Mar 11 08:38:34 2017 OpenVPN 2.3.6_XP_32bit_ECC i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [IPv6] built on Jan 25 2015
Sat Mar 11 08:38:34 2017 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
Sat Mar 11 08:38:34 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 11 08:38:34 2017 Need hold release from management interface, waiting...
Sat Mar 11 08:38:34 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'state on'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'log all on'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'hold off'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'hold release'
Sat Mar 11 08:38:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:35 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 08:38:35 2017 UDP link local: (not bound)
Sat Mar 11 08:38:35 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,WAIT,,,
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,AUTH,,,
Sat Mar 11 08:38:35 2017 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=405e70e3 6994f60a
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sat Mar 11 08:38:40 2017 VERIFY OK: nsCertType=SERVER
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=CLIENTNAME, emailAddress=mail@host.domain
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 08:38:46 2017 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:47 2017 MANAGEMENT: >STATE:1489239527,GET_CONFIG,,,
Sat Mar 11 08:38:49 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Mar 11 08:38:49 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.2,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: route options modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 11 08:38:49 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Mar 11 08:38:49 2017 MANAGEMENT: >STATE:1489239529,ASSIGN_IP,,10.0.0.6,
Sat Mar 11 08:38:49 2017 open_tun, tt->ipv6=0
Sat Mar 11 08:38:49 2017 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{E91D4DA6-6350-4974-B2C2-EE8CB87003B6}.tap
Sat Mar 11 08:38:49 2017 TAP-Windows Driver Version 9.9
Sat Mar 11 08:38:49 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {B821D4DA6-4550-4974-B2C2-EE8CB87003B6} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
Sat Mar 11 08:38:49 2017 Successful ARP Flush on interface [12] {B82D4DA6-4550-4974-B2C2-EE8CB87003B6}
Sat Mar 11 08:38:55 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 111.111.111.111 MASK 255.255.255.255 192.168.111.222
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 192.168.111.233 MASK 255.255.255.255 192.168.111.222 IF 11
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 MANAGEMENT: >STATE:1489239535,ADD_ROUTES,,,
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 Initialization Sequence Completed
Sat Mar 11 08:38:55 2017 MANAGEMENT: >STATE:1489239535,CONNECTED,SUCCESS,10.0.0.6,111.111.111.111
Sat Mar 11 09:38:46 2017 TLS: soft reset sec=0 bytes=57922/0 pkts=798/0
Sat Mar 11 09:38:51 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sat Mar 11 09:38:51 2017 VERIFY OK: nsCertType=SERVER
Sat Mar 11 09:38:51 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=CLIENTNAME, emailAddress=mail@host.domain
Sat Mar 11 09:39:05 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 09:39:05 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 09:39:05 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 09:39:05 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 09:39:05 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 09:47:37 2017 [server] Inactivity timeout (--ping-restart), restarting
Sat Mar 11 09:47:37 2017 SIGUSR1[soft,ping-restart] received, process restarting
Sat Mar 11 09:47:37 2017 MANAGEMENT: >STATE:1489243657,RECONNECTING,ping-restart,,
Sat Mar 11 09:47:37 2017 Restart pause, 5 second(s)
Sat Mar 11 09:47:42 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:47:42 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 09:47:42 2017 UDP link local: (not bound)
Sat Mar 11 09:47:42 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:47:42 2017 MANAGEMENT: >STATE:1489243662,WAIT,,,
Sat Mar 11 09:48:42 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 11 09:48:42 2017 TLS Error: TLS handshake failed
Sat Mar 11 09:48:42 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 11 09:48:42 2017 MANAGEMENT: >STATE:1489243722,RECONNECTING,tls-error,,
Sat Mar 11 09:48:42 2017 Restart pause, 5 second(s)
Sat Mar 11 09:48:47 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:48:47 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 09:48:47 2017 UDP link local: (not bound)
Sat Mar 11 09:48:47 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:48:47 2017 MANAGEMENT: >STATE:1489243727,WAIT,,,
A real working log should look like this, I think:

Quote:
Fri Mar 10 15:38:30 2017 OpenVPN 2.3.14 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 7 2016
Fri Mar 10 15:38:30 2017 Windows version 5.1 (Windows XP) 32bit
Fri Mar 10 15:38:30 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Enter Management Password:
Fri Mar 10 15:38:31 2017 Control Channel Authentication: tls-auth using INLINE static key file
Fri Mar 10 15:38:31 2017 UDPv4 link local: [undef]
Fri Mar 10 15:38:31 2017 UDPv4 link remote: [AF_INET]111.111.111.111:443
Fri Mar 10 15:38:36 2017 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:443
Fri Mar 10 15:38:39 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Mar 10 15:38:39 2017 open_tun, tt->ipv6=0
Fri Mar 10 15:38:39 2017 TAP-WIN32 device [Local Area Connection 78] opened: \\.\Global\{B83DAB0D-3DA0-4464-BE89-GTSA67A04EBB}.tap
Fri Mar 10 15:38:39 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.17.0.0/10.17.0.113/255.255.0.0 [SUCCEEDED]
Fri Mar 10 15:38:39 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.17.0.113/255.255.0.0 on interface {B83DAB0D-3DA0-4464-BE89-BE89-GTSA67A04EBB} [DHCP-serv: 10.17.255.254, lease-time: 31536000]
Fri Mar 10 15:38:39 2017 Successful ARP Flush on interface [6] {B83DAB0D-3DA0-4464-BE89-BE89-GTSA67A04EBB}
Fri Mar 10 15:38:44 2017 Initialization Sequence Completed
Fri Mar 10 15:38:44 2017 Start net commands...
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\net.exe stop dnscache
Fri Mar 10 15:38:44 2017 ERROR: Windows ipconfig command failed: returned error code 2
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\net.exe start dnscache
Fri Mar 10 15:38:44 2017 ERROR: Windows ipconfig command failed: returned error code 2
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\ipconfig.exe /flushdns
Fri Mar 10 15:38:45 2017 F:\WINDOWS\system32\ipconfig.exe /registerdns
Fri Mar 10 15:38:45 2017 End net commands...
I'm not even sure I'm seeing the right errors. If you can see any problem at first sight, just let me know.

Thank you very much.
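As an added example that is not part of the post above: a small standard-library parser that pulls the facts a reviewer would want out of an OpenVPN 2.3 client log like the first one posted, namely the management-interface state transitions, what the server pushed, how long the tunnel stayed up before the first restart, and what was actually negotiated on the control and data channels. SAMPLE_LOG is an excerpt of that post's log (the poster had already replaced the server address with 111.111.111.111); the findings it reports (Blowfish data cipher, 1024-bit RSA, TLS 1.0, no tls-auth) are read from those lines, and the suggested server-side settings are standard OpenVPN options, not anything the poster's tutorial is known to use.

```python
"""Added example, not from the thread: pull the security-relevant facts out of an
OpenVPN 2.3 client log like the one posted above, using only the standard library.
SAMPLE_LOG is an excerpt of that post's log (the poster had already replaced the
server address with 111.111.111.111)."""
import re
from datetime import datetime

SAMPLE_LOG = """\
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,WAIT,,,
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,AUTH,,,
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sat Mar 11 08:38:40 2017 VERIFY OK: nsCertType=SERVER
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=CLIENTNAME, emailAddress=mail@host.domain
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 08:38:49 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.2,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Sat Mar 11 08:38:55 2017 MANAGEMENT: >STATE:1489239535,CONNECTED,SUCCESS,10.0.0.6,111.111.111.111
Sat Mar 11 09:47:37 2017 MANAGEMENT: >STATE:1489243657,RECONNECTING,ping-restart,,
Sat Mar 11 09:48:42 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 11 09:48:42 2017 MANAGEMENT: >STATE:1489243722,RECONNECTING,tls-error,,
"""

TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
STATE_RE = re.compile(r"MANAGEMENT: >STATE:\d+,([A-Z_]+),([^,]*),")
FIELDS = [  # (summary key, regex with one group) for the handshake lines worth keeping
    ("data_cipher", r"Data Channel Encrypt: Cipher '([^']+)'"),
    ("data_hmac", r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'"),
    ("control_tls", r"Control Channel: (TLSv[\d.]+),"),
    ("control_cipher", r"Control Channel: TLSv[\d.]+, cipher \S+ ([^,]+),"),
    ("rsa_bits", r"Control Channel: .*, (\d+) bit RSA"),
]

def parse(text):
    """Return [(datetime, message)] for every timestamped line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return events

def state_timeline(events):
    """(time, STATE, detail) triples from the management interface's >STATE lines."""
    return [(t, m.group(1), m.group(2))
            for t, msg in events for m in [STATE_RE.search(msg)] if m]

def pushed_options(events):
    """Options the server pushed in PUSH_REPLY, one list entry per option."""
    for _, msg in events:
        m = re.search(r"PUSH_REPLY,(.*)'$", msg)
        if m:
            return m.group(1).split(",")
    return []

def connected_seconds(events):
    """Seconds from CONNECTED to the first RECONNECTING after it, or None."""
    tl = state_timeline(events)
    start = next((t for t, s, _ in tl if s == "CONNECTED"), None)
    if start is None:
        return None
    end = next((t for t, s, _ in tl if s == "RECONNECTING" and t >= start), None)
    return None if end is None else int((end - start).total_seconds())

def crypto_summary(events):
    """What was negotiated, plus whether tls-auth and the server-cert type check were in use."""
    s = {key: None for key, _ in FIELDS}
    s["tls_auth"] = s["server_cert_checked"] = False
    for _, msg in events:
        for key, pattern in FIELDS:
            m = re.search(pattern, msg)
            if m:
                s[key] = int(m.group(1)) if key == "rsa_bits" else m.group(1)
        s["tls_auth"] |= "Control Channel Authentication: tls-auth" in msg
        s["server_cert_checked"] |= msg.startswith("VERIFY OK: nsCertType=SERVER")
    return s

def findings(summary):
    """Weak settings visible in the summary and what to change on the server side."""
    out = []
    if summary["data_cipher"] and summary["data_cipher"].startswith("BF-"):
        out.append("data channel uses Blowfish, a 64-bit block cipher (OpenVPN 2.3's default); set an AES cipher")
    if summary["rsa_bits"] and summary["rsa_bits"] < 2048:
        out.append("server certificate has a %d-bit RSA key; reissue with KEY_SIZE=2048 or larger in vars" % summary["rsa_bits"])
    if summary["control_tls"] == "TLSv1":
        out.append("control channel negotiated TLS 1.0; set tls-version-min 1.2")
    if not summary["tls_auth"]:
        out.append("no tls-auth key on the control channel, so the server answers any unauthenticated handshake")
    if not summary["server_cert_checked"]:
        out.append("client did not verify the server certificate type (ns-cert-type server / remote-cert-tls server)")
    return out

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for t, state, detail in state_timeline(ev):
        print(t.strftime("%H:%M:%S"), state, detail)
    print("pushed:", pushed_options(ev))
    print("connected for", connected_seconds(ev), "s before the first restart")
    for f in findings(crypto_summary(ev)):
        print("finding:", f)
```

On this excerpt the tunnel reaches CONNECTED and stays up for 4122 seconds before the ping-restart, which means the handshake and routing were fine and the missing traffic has to be looked for on the server side (forwarding and NAT), not in the certificates; the second log in the post differs in having the tls-auth line, which is the setting the earlier reply describes as hiding the server from anyone without the key.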
 
Old 03-12-2017, 04:08 AM   #21
msdosslave
LQ Newbie
 
Registered: Jun 2016
Posts: 12

Original Poster
UPD: Tried reinstalling with a different tutorial and got stuck at another place:

Incoming packet rejected from [AF_INET]172.16.1.1:1194[2], expected peer address: [AF_INET]111.111.111.111:1194

I have been reading about this for 2 hours or more on boards, and nothing.

Still need advice. Thanks
 
  

