Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
06-19-2016, 12:43 AM, #16
Senior Member; Registered: Jan 2007; Location: Wild West Wales, UK; Distribution: Linux Mint 22 MATE, Peppermint OS-Devuan, EndeavourOS; Posts: 4,264

msdosslave,
Quote:
Nano is pure revelation. It's just made exactly what I need.

Pleased to hear it.

06-24-2016, 01:56 AM, #17
LQ Newbie; Registered: Jun 2016; Posts: 12; Original Poster

Here I am again.
So after the vi problem I faced another one:
The tut requires the following actions:
Quote:
cd /etc/openvpn/
make-cadir easy-rsa
ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
cd easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
openvpn --genkey --secret tls.key
./build-key client1
cd /etc/openvpn
mkdir client
cp /etc/openvpn/keys/ca.crt .
cp /etc/openvpn/keys/client1.key .
cp /etc/openvpn/keys/client1.crt .
cp /etc/openvpn/keys/dh2048.pem .
cp /etc/openvpn/keys/tls.key .

So my questions are:
1) ln -s /etc/openvpn/easy-rsa/keys /etc/openvpn/keys
When I try to create this link, nothing happens. It doesn't appear in /etc/openvpn/.
And /etc/openvpn/easy-rsa/keys is empty too. Does this command just create a shortcut to the folder? If so, may I make it manually as a shortcut? If not, what's my mistake?
2) cd easy-rsa
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
When I cd to easy-rsa it goes fine, but what does this mean?
Are these lines commands or output? I just don't understand.
. ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
3) openvpn --genkey --secret tls.key
./build-key client1
Again (command or line?) - the key seems to be generated normally, but what's that?
./build-key client1

|
|
06-24-2016, 08:31 AM, #18
LQ Guru; Registered: Feb 2004; Location: SE Tennessee, USA; Distribution: Gentoo, LFS; Posts: 10,962

Be sure that you have a clear understanding, uhh, of how Linux commands work in general. When doing OpenVPN, it's really important that you clearly understand "the big picture," so that you are not "merely reciting commands" without first understanding what they are and what they do. Believe me, I know how difficult it is! But you really want to be asking: "what" is this step doing, and "why" am I doing it? After each step, poke around in the directory to see which files appeared. And so on.
For instance, when using "ln -s" to create a symbolic link, the file that is the first argument should exist, and thence, should remain.
Each of the commands that begins with "./" executes a command in the home directory at that time (easy-rsa). Unlike Windows, Linux does not assume that the mere mention of the name of an executable file in the current directory is your directive to execute that file. The "openvpn" command, on the other hand, is on the $PATH, so it will be found and executed.
Each of the "./" commands is a script, and it might be useful to you to read them, using the "less" command.
Here is a play-by-play of each command you're executing:

. ./vars (or my preferred way to say the same thing: source ./vars ...)
    Executes a series of "export" commands to define a set of environment variables which provide configuration parameters to the remaining steps.
./clean-all
    Wipes out everything! But, this is what you want if you're starting from scratch.
./build-ca
    Builds a "self-signed Certifying Authority (CA)," which will be used to sign all of the keys that you generate. To cause a server to recognize and accept your keys as valid, you install the ca.crt (public) file that is generated in this step. Any key signed by that CA will be considered legitimate.
./build-key-server server
    Builds the public and private keys for a server (coincidentally ...) named server, and marks those keys as "server keys." Clients can be instructed to connect only to a host which presents this type of key, so that another client can't impersonate the server and become a "man in the middle."
./build-dh
    This startlingly time-consuming step (a 4096-bit key can take several hours ...) produces the Diffie-Hellman secrets ( "ook VPN voodoo no grok" ) that provide the basic security.

The next steps, not yet mentioned, will be to generate client keys for each unique party that is going to be authorized to connect to the server. The distinguishing feature is the CN = Common Name attribute. Each client should have a unique CN, hence a unique certificate, and OpenVPN should be instructed not to allow multiple simultaneous connections under the same CN name. This is what gives you uniquely revocable certificates.
One thing to remember about crypto is that it is specifically designed to be obtuse. Especially from the client's point of view. OpenVPN is much better than IPSec/racoon (IMHO ...) in what it puts into its server-side logs, but even then(!), crypto technologies are circumspect even in "what they log ... anywhere."
The entire point is to give a would-be intruder absolutely nothing to go on. No indication of what is wrong; of why it isn't working. (In the case of OpenVPN tls-auth, no indication that the server is even there!) When you present exactly the right (non-revoked) credentials in exactly the right way, the door opens, and data passes through unimpeded (unless the certificate is subsequently revoked, in which case the door slams shut). If anything is the slightest bit wrong, nothing happens, and there is purposely(!) "no suggestion as to why."
I feel your pain. I felt it, too. (Still do. We all do.)
Last edited by sundialsvcs; 06-24-2016 at 08:38 AM.
2 members found this post helpful.

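A way to check what build-ca, build-key-server and build-key have left behind, as an added example that is not part of easy-rsa, the tutorial or this thread: it confirms that every certificate chains to ca.crt, that only server.crt carries the server marking the client's ns-cert-type check relies on, and that no two certificates share a CN. It assumes easy-rsa's default file names (ca.crt, server.crt, <client>.crt) in one keys/ directory and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not part of easy-rsa or the tutorial): sanity-check the
# certificates that build-ca, build-key-server and build-key leave in keys/.
# Assumes the default file names ca.crt, server.crt and <client>.crt.
set -u

# Print the CN from a certificate's subject, e.g. "server" or "client1".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate is marked for server use: nsCertType=server
# (what the client's ns-cert-type check looks at) or extendedKeyUsage serverAuth.
is_server_cert() {
    openssl x509 -in "$1" -noout -text |
        grep -Eq 'SSL Server|TLS Web Server Authentication'
}

# Check every non-CA cert in $1: it must verify against ca.crt, only
# server.crt may carry the server marking (otherwise a client cert could pose
# as the server), and no CN may appear twice (a shared CN means two clients
# share one identity and cannot be revoked separately). Returns 1 on any failure.
check_pki() {
    dir=$1 status=0 cns=
    for f in "$dir"/*.crt; do
        name=$(basename "$f" .crt)
        [ "$name" = ca ] && continue
        cn=$(cert_cn "$f")
        if openssl verify -CAfile "$dir/ca.crt" "$f" >/dev/null 2>&1; then
            chain=ok; else chain=BROKEN; status=1; fi
        if is_server_cert "$f"; then kind=server; else kind=client; fi
        if [ "$name" = server ] && [ "$kind" != server ]; then
            echo "FAIL: $name is not marked as a server certificate"; status=1; fi
        if [ "$name" != server ] && [ "$kind" = server ]; then
            echo "FAIL: client $name is marked as a server certificate"; status=1; fi
        case " $cns " in *" $cn "*)
            echo "FAIL: CN '$cn' appears more than once"; status=1;; esac
        cns="$cns $cn"
        echo "$name: CN=$cn chain=$chain type=$kind"
    done
    return $status
}

# Usage: sh check_pki.sh /etc/openvpn/easy-rsa/keys
if [ $# -eq 1 ]; then check_pki "$1"; fi
```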
06-24-2016, 09:37 AM, #19
LQ Newbie; Registered: Jun 2016; Posts: 12; Original Poster

Thanks for such a quick reply. Yes, it's so hard to understand the logic. In the process of reading. Will get back soon.
UPD
to sundialsvcs
That was really helpful. It seems I've finished the 1st part of this. Trying to make it work.
I faced another problem: I can't zip a folder as it says no such file or directory. So I just saved it on my local disk, zipped it and moved it back. That's fine for now.
Regarding
Quote:
Be sure that you have a clear understanding

I don't even hope to understand this in the next couple of months. I learn in the process with LQ's help and it seems to work.
Thanks again for your help, everybody.
I won't close the topic as I feel I'll be back very very soon)
Last edited by msdosslave; 06-24-2016 at 08:50 PM.
03-11-2017, 04:39 PM, #20
LQ Newbie; Registered: Jun 2016; Posts: 12; Original Poster

I got some free time and returned to this OpenVPN dragon.
Still need some help. Please check this:
I got the server side of OpenVPN installed on an ovz box with 1 GB RAM.
Then generated a cert for the client.
Installed the OpenVPN client on a VM, inserted the cert (.ovpn) and connected.
It worked and the OpenVPN tray icon turned green. However, the problem is: it's not working as it should. No real connection is going through it.
I got this log:
Quote:
Sat Mar 11 08:38:34 2017 OpenVPN 2.3.6_XP_32bit_ECC i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [IPv6] built on Jan 25 2015
Sat Mar 11 08:38:34 2017 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Enter Management Password:
Sat Mar 11 08:38:34 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sat Mar 11 08:38:34 2017 Need hold release from management interface, waiting...
Sat Mar 11 08:38:34 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'state on'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'log all on'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'hold off'
Sat Mar 11 08:38:34 2017 MANAGEMENT: CMD 'hold release'
Sat Mar 11 08:38:35 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:35 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 08:38:35 2017 UDP link local: (not bound)
Sat Mar 11 08:38:35 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,WAIT,,,
Sat Mar 11 08:38:35 2017 MANAGEMENT: >STATE:1489239515,AUTH,,,
Sat Mar 11 08:38:35 2017 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=405e70e3 6994f60a
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sat Mar 11 08:38:40 2017 VERIFY OK: nsCertType=SERVER
Sat Mar 11 08:38:40 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=CLIENTNAME, emailAddress=mail@host.domain
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 08:38:46 2017 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
Sat Mar 11 08:38:47 2017 MANAGEMENT: >STATE:1489239527,GET_CONFIG,,,
Sat Mar 11 08:38:49 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Mar 11 08:38:49 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.2,route 10.0.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.0.6 10.0.0.5'
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: route options modified
Sat Mar 11 08:38:49 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Mar 11 08:38:49 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Mar 11 08:38:49 2017 MANAGEMENT: >STATE:1489239529,ASSIGN_IP,,10.0.0.6,
Sat Mar 11 08:38:49 2017 open_tun, tt->ipv6=0
Sat Mar 11 08:38:49 2017 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{E91D4DA6-6350-4974-B2C2-EE8CB87003B6}.tap
Sat Mar 11 08:38:49 2017 TAP-Windows Driver Version 9.9
Sat Mar 11 08:38:49 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {B821D4DA6-4550-4974-B2C2-EE8CB87003B6} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
Sat Mar 11 08:38:49 2017 Successful ARP Flush on interface [12] {B82D4DA6-4550-4974-B2C2-EE8CB87003B6}
Sat Mar 11 08:38:55 2017 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 111.111.111.111 MASK 255.255.255.255 192.168.111.222
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 192.168.111.233 MASK 255.255.255.255 192.168.111.222 IF 11
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 MANAGEMENT: >STATE:1489239535,ADD_ROUTES,,,
Sat Mar 11 08:38:55 2017 C:\Windows\system32\route.exe ADD 10.0.0.1 MASK 255.255.255.255 10.0.0.5
Sat Mar 11 08:38:55 2017 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Sat Mar 11 08:38:55 2017 Route addition via IPAPI succeeded [adaptive]
Sat Mar 11 08:38:55 2017 Initialization Sequence Completed
Sat Mar 11 08:38:55 2017 MANAGEMENT: >STATE:1489239535,CONNECTED,SUCCESS,10.0.0.6,111.111.111.111
Sat Mar 11 09:38:46 2017 TLS: soft reset sec=0 bytes=57922/0 pkts=798/0
Sat Mar 11 09:38:51 2017 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Sat Mar 11 09:38:51 2017 VERIFY OK: nsCertType=SERVER
Sat Mar 11 09:38:51 2017 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=CLIENTNAME, emailAddress=mail@host.domain
Sat Mar 11 09:39:05 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 09:39:05 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 09:39:05 2017 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 09:39:05 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 09:39:05 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 09:47:37 2017 [server] Inactivity timeout (--ping-restart), restarting
Sat Mar 11 09:47:37 2017 SIGUSR1[soft,ping-restart] received, process restarting
Sat Mar 11 09:47:37 2017 MANAGEMENT: >STATE:1489243657,RECONNECTING,ping-restart,,
Sat Mar 11 09:47:37 2017 Restart pause, 5 second(s)
Sat Mar 11 09:47:42 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:47:42 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 09:47:42 2017 UDP link local: (not bound)
Sat Mar 11 09:47:42 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:47:42 2017 MANAGEMENT: >STATE:1489243662,WAIT,,,
Sat Mar 11 09:48:42 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Mar 11 09:48:42 2017 TLS Error: TLS handshake failed
Sat Mar 11 09:48:42 2017 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 11 09:48:42 2017 MANAGEMENT: >STATE:1489243722,RECONNECTING,tls-error,,
Sat Mar 11 09:48:42 2017 Restart pause, 5 second(s)
Sat Mar 11 09:48:47 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:48:47 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat Mar 11 09:48:47 2017 UDP link local: (not bound)
Sat Mar 11 09:48:47 2017 UDP link remote: [AF_INET]111.111.111.111:1194
Sat Mar 11 09:48:47 2017 MANAGEMENT: >STATE:1489243727,WAIT,,,

A real working log should look like this, I think:
Quote:
Fri Mar 10 15:38:30 2017 OpenVPN 2.3.14 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec 7 2016
Fri Mar 10 15:38:30 2017 Windows version 5.1 (Windows XP) 32bit
Fri Mar 10 15:38:30 2017 library versions: OpenSSL 1.0.2i 22 Sep 2016, LZO 2.09
Enter Management Password:
Fri Mar 10 15:38:31 2017 Control Channel Authentication: tls-auth using INLINE static key file
Fri Mar 10 15:38:31 2017 UDPv4 link local: [undef]
Fri Mar 10 15:38:31 2017 UDPv4 link remote: [AF_INET]111.111.111.111:443
Fri Mar 10 15:38:36 2017 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:443
Fri Mar 10 15:38:39 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Mar 10 15:38:39 2017 open_tun, tt->ipv6=0
Fri Mar 10 15:38:39 2017 TAP-WIN32 device [Local Area Connection 78] opened: \\.\Global\{B83DAB0D-3DA0-4464-BE89-GTSA67A04EBB}.tap
Fri Mar 10 15:38:39 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 10.17.0.0/10.17.0.113/255.255.0.0 [SUCCEEDED]
Fri Mar 10 15:38:39 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.17.0.113/255.255.0.0 on interface {B83DAB0D-3DA0-4464-BE89-BE89-GTSA67A04EBB} [DHCP-serv: 10.17.255.254, lease-time: 31536000]
Fri Mar 10 15:38:39 2017 Successful ARP Flush on interface [6] {B83DAB0D-3DA0-4464-BE89-BE89-GTSA67A04EBB}
Fri Mar 10 15:38:44 2017 Initialization Sequence Completed
Fri Mar 10 15:38:44 2017 Start net commands...
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\net.exe stop dnscache
Fri Mar 10 15:38:44 2017 ERROR: Windows ipconfig command failed: returned error code 2
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\net.exe start dnscache
Fri Mar 10 15:38:44 2017 ERROR: Windows ipconfig command failed: returned error code 2
Fri Mar 10 15:38:44 2017 F:\WINDOWS\system32\ipconfig.exe /flushdns
Fri Mar 10 15:38:45 2017 F:\WINDOWS\system32\ipconfig.exe /registerdns
Fri Mar 10 15:38:45 2017 End net commands...

I'm not even sure I'm looking at the right errors. If you can see any problem at first sight, just let me know.
Thank you very much.

03-12-2017, 04:08 AM, #21
LQ Newbie; Registered: Jun 2016; Posts: 12; Original Poster

UPD: Tried reinstalling with a different tutorial and got stuck at another place:
Incoming packet rejected from [AF_INET]172.16.1.1:1194[2], expected peer address: [AF_INET]111.111.111.111:1194
I've been reading about this for 2 hours or more on boards and nothing.
Still need advice. Thanks
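An added example, not from anyone in the thread: a small shell triage for the client log posted above and for the "Incoming packet rejected" line in this post. It flags the weak parameters the first log negotiates (BF-CBC, SHA1 HMAC, TLSv1, a 1024-bit RSA server key) and turns each connection-state change into one line, so the moment the tunnel stopped carrying traffic is visible without reading every line. The sample log lines are constructed, modelled on the posts.

```shell
#!/bin/sh
# Added example: triage an OpenVPN client log for weak negotiated crypto and
# for connection-state events. The sample lines are constructed from the
# client log and the "Incoming packet rejected" line posted in this thread.
set -u

# Write the constructed sample log to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 08:38:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Mar 11 08:38:46 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Mar 11 08:38:55 2017 Initialization Sequence Completed
Sat Mar 11 09:39:05 2017 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Mar 11 09:47:37 2017 [server] Inactivity timeout (--ping-restart), restarting
Sat Mar 11 09:48:42 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Mar 12 10:01:02 2017 Incoming packet rejected from [AF_INET]172.16.1.1:1194[2], expected peer address: [AF_INET]111.111.111.111:1194
EOF
}

# Print one "WEAK: ..." line per distinct weak parameter. The log repeats the
# negotiation after every hourly TLS renegotiation, so duplicates are collapsed.
weak_crypto() {
    awk '
    function flag(msg) { if (!(msg in seen)) { seen[msg] = 1; print "WEAK: " msg } }
    /Cipher .BF-CBC./         { flag("64-bit block cipher BF-CBC on the data channel") }
    /message hash .SHA1./     { flag("SHA1 HMAC on the data channel") }
    /Control Channel: TLSv1,/ { flag("control channel negotiated TLSv1 only") }
    match($0, /[0-9]+ bit RSA/) { bits = substr($0, RSTART, RLENGTH) + 0
                                  if (bits < 2048) flag(bits "-bit RSA server key") }
    ' "$1"
}

# Print one line per connection-state event, in log order.
state_events() {
    awk '
    /Initialization Sequence Completed/ { print "UP: tunnel established" }
    /Inactivity timeout \(--ping-restart\)/ { print "DOWN: no ping reply within the ping-restart window; data path to the server lost" }
    /TLS key negotiation failed/ { print "DOWN: TLS handshake timed out; server unreachable or tls-auth key mismatch" }
    /Incoming packet rejected from/ {
        # The reply came from a different address than the one the client sent
        # to (server behind NAT or multi-homed); OpenVPN drops it unless --float is set.
        split($0, a, /\[AF_INET\]/); sub(/,.*/, "", a[2])
        print "DOWN: server replied from " a[2] " but client expected " a[3]
    }
    ' "$1"
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
write_sample_log "$demo_log"
weak_crypto "$demo_log"
state_events "$demo_log"
rm -f "$demo_log"
```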