Old 03-05-2007, 01:05 PM   #1
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Rep: Reputation: 15
Help with OpenVPN on Slackware (and using OpenSSL)


I'm lost at the first step. Creating keys using OpenSSL seems impossible. I'm getting all kinds of errors. I'm using tutorials for other distros though. Anyone have one for Slackware?
 
Old 03-05-2007, 02:46 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
Could you give us a link to the guide you are trying to use? It would be easier to determine if it will be applicable to Slackware if we could look at it ourselves. Though maybe somebody has a Slackware-specific guide they can link to that will save us the trouble.
 
Old 03-05-2007, 09:52 PM   #3
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Rep: Reputation: 15
Here you go:
http://www.skippy.net/trac/wiki/OpenVPN
http://www.skippy.net/trac/wiki/Open...tificate_HOWTO

I got pretty far tonight trying to config it, but here is where I am stuck:

Code:
# openvpn /etc/openvpn/openvpn.conf
Mon Mar  5 22:48:41 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Dec 20 2006
Mon Mar  5 22:48:41 2007 Diffie-Hellman initialized with 2048 bit key
Mon Mar  5 22:48:41 2007 WARNING: file '/etc/ssl/keys/mydomain.key' is group or others accessible
Mon Mar  5 22:48:41 2007 Cannot load CA certificate file /etc/ssl/mydomain.request.pem (SSL_CTX_load_verify_locations) (OpenSSL)
Mon Mar  5 22:48:41 2007 Exiting
Googling for "SSL_CTX_load_verify_locations" confuses the hell out of me (so do the man pages that come up), and googling for "Cannot load CA certificate file" is useless.

My /etc/openvpn/openvpn.conf:
Code:
port 1194
proto udp
dev tun
ca /etc/ssl/mydomain.request.pem
cert /etc/ssl/certs/mydomain.pem
# This file should be kept secret
key /etc/ssl/keys/mydomain.key
dh /etc/ssl/dh2048.pem
server 10.8.0.0 255.255.255.0
max-clients 5
push "route 192.168.0.0 255.255.255.0"
;push "redirect-gateway def1"
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
mute 20
comp-lzo
 
Old 03-06-2007, 08:50 AM   #4
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Rep: Reputation: 15
Bump. Considering the lack of google results, I know this is a real stupid problem on my part, I just can't figure it out...
 
Old 03-06-2007, 01:07 PM   #5
dunric
Member
 
Registered: Jul 2004
Distribution: Void Linux, former Slackware
Posts: 498

Rep: Reputation: 100
Does the /etc/ssl/mydomain.request.pem certification authority key file exist, and can you see its contents?
How did you create this file?
 
Old 03-06-2007, 02:29 PM   #6
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Rep: Reputation: 15
Code:
$ ls -l /etc/ssl/mydomain.request.pem
-rw-r--r-- 1 root root 1054 2007-03-05 22:17 /etc/ssl/mydomain.request.pem
Yes, the file exists. If it didn't, it would make a different error like "cannot find cert file".

I created all the files I'm using with CA.pl which is a perl script that comes with OpenSSL. I followed the directions in the tutorial a few posts above.

Last edited by sauce; 03-06-2007 at 02:30 PM.
 
Old 03-07-2007, 04:39 AM   #7
dunric
Member
 
Registered: Jul 2004
Distribution: Void Linux, former Slackware
Posts: 498

Rep: Reputation: 100
The mentioned error message is strangely brief. When the CA file doesn't exist, has no read permissions or has invalid contents, the message starts similarly but is followed by a more detailed description including an error number.
I'd suggest increasing the verbosity level of the openvpn client (--verb) or, if that doesn't help, running it with strace and pasting here the tail of the output from when the program aborts.
 
Old 03-07-2007, 12:12 PM   #8
sauce
Member
 
Registered: Oct 2005
Distribution: Slackware, Ubuntu
Posts: 52

Original Poster
Rep: Reputation: 15
this is the openvpn server, not client

i understand the message is vague. this is why i'm having so much trouble, too.

i uninstalled openvpn package and compiled from source. same error. this is so frustrating.

Code:
# lsmod | grep tun
tun                     7680  0
# cd /home/sean/openvpn-2.0.9
# ./configure && make && make install

... i do all the easy-rsa stuff according to http://openvpn.net/howto.html...

... i copy the sample config and edit to point to the files made from the previous step...

# openvpn /etc/openvpn/openvpn.conf
Wed Mar  7 13:08:48 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Mar  7 2007
Wed Mar  7 13:08:48 2007 Diffie-Hellman initialized with 1024 bit key
Wed Mar  7 13:08:48 2007 Cannot load CA certificate file mydomain.csr (SSL_CTX_load_verify_locations) (OpenSSL)
Wed Mar  7 13:08:48 2007 Exiting
and now sometimes, I get this error:

Code:
# openvpn /etc/openvpn/openvpn.conf
Wed Mar  7 13:07:17 2007 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built on Mar  7 2007
Wed Mar  7 13:07:17 2007 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Wed Mar  7 13:07:17 2007 Exiting
this is by far the most difficult thing i've ever had to do with my linux box. it's been 3 days now trying to figure this out.
 
Old 03-08-2007, 02:39 AM   #9
Au_Squirrel
Member
 
Registered: Nov 2005
Location: Brisbane AU
Distribution: FC29
Posts: 52

Rep: Reputation: 17
OpenVPN ships with Easy RSA certificate creation scripts. I used those scripts to create the files.

From your error messages, you don't have the certificates in the directory that is defined in the config file, or you have not created them. That error was one I had during my implementation, and I rectified it by creating their own directory and specifying the full path. For mine I created the /etc/pki/openvpn directory and placed the certificates and keys the server needed in there. I then specified the complete path:

ca /etc/pki/openvpn/ca.crt
etc

I found the key creation scripts placed the files in the creation directory and openvpn appears to use the config file's directory as the path for the certificates.

Regards
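
Added example, not part of any post in this thread: a small shell check for the files an OpenVPN config names with ca, cert, key and dh. It covers the three symptoms in the logs above: a ca file that will not load, a key that is group or others accessible, and a DH file given without a full path. The function name check_openvpn_pki and the PEM headers it expects for each directive are assumptions of this example.

```sh
#!/bin/sh
# Added example (hypothetical helper, not part of OpenVPN or easy-rsa).
# Checks the files named by ca/cert/key/dh in an OpenVPN config: full path,
# readable, right kind of PEM block, and key not group/others accessible.
# Prints one line per problem and returns the number of problems.
check_openvpn_pki() {
    conf=$1
    problems=0
    while read -r directive path rest; do
        case $directive in
            ca|cert) want='-----BEGIN CERTIFICATE-----' ;;
            key)     want='*PRIVATE KEY-----' ;;
            dh)      want='*DH PARAMETERS-----' ;;
            *)       continue ;;   # other directives, comments, blank lines
        esac
        case $path in
            /*) ;;
            *)  echo "$directive: $path is a relative path; give the full path"
                problems=$((problems + 1)); continue ;;
        esac
        if [ ! -r "$path" ]; then
            echo "$directive: $path is missing or unreadable"
            problems=$((problems + 1)); continue
        fi
        # CA.pl output can start with a text dump, so look for the first PEM header.
        begin=$(grep -m1 -e '^-----BEGIN ' "$path" || true)
        case $begin in
            $want) ;;
            *)  echo "$directive: $path contains '${begin:-no PEM block}', not valid for '$directive'"
                problems=$((problems + 1)) ;;
        esac
        # Corresponds to OpenVPN's "group or others accessible" warning.
        if [ "$directive" = key ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "key: $path is group or others accessible; chmod 600 it"
            problems=$((problems + 1))
        fi
    done < "$conf"
    return "$problems"
}

# Run against a config given on the command line.
if [ $# -gt 0 ]; then check_openvpn_pki "$1"; fi
```

A file whose first PEM block is a CERTIFICATE REQUEST is reported as the wrong type for ca or cert, because those directives need a signed certificate.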
 