port 1011 proto udp dev tun1 daemon writepid /var/run/openvpn.pid ca /etc/openvpn/certs/ca.pem cert /etc/openvpn/certs/cert.pem key /etc/openvpn/certs/.key dh /etc/openvpn/certs/dh1024.pem server 192.168.240.8 255.255.255.248 client-config-dir /etc/openvpn/ccd ccd-exclusive push "route 10.10.50.32 255.255.255.224" client-to-client keepalive 10 120 comp-lzo tls-auth /etc/openvpn/certs/ta.key 0 # This file is secret cipher AES-256-CBC max-clients 5 user nobody group nogroup persist-key persist-tun log /var/log/openvpn/vpn.log status /var/log/openvpn/vpn.status verb 4 mute 10
# To create the dh512.pem or dh1024.pem:
% # openssl gendh -rand rand.dat -out dh1024.pem % openssl dhparam -check -text -5 512 -out dh512.pem % openssl dhparam -check -text -5 1024 -out dh1024.pem
#/bin/sh ########################################################### # checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se> # # This script will authenticate OpenVPN users against # a plain text file. The passfile should simply contain # one row per user with the username first followed by # one or more space(s) or tab(s) and then the password. PASSFILE="/etc/openvpn/psw-file" LOG_FILE="/var/log/openvpn-password.log" TIME_STAMP=`date "+%Y-%m-%d %T"` ########################################################### if [ ! -r "${PASSFILE}" ]; then echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE} exit 1 fi CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}` if [ "${CORRECT_PASSWORD}" = "" ]; then echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1 fi if [ "${password}" = "${CORRECT_PASSWORD}" ]; then echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE} exit 0 fi echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE} exit 1
Generate individual certs out of .pk12 cert
openssl pkcs12 -nocerts -in default.p12 -out userkey.pem openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
- not tested!
openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12
Then, you should type in:
- alternative way
#!/bin/bash echo Exporting private KEY openssl pkcs12 -nocerts -in $1 -out userkey.pem echo Exporting public cert openssl pkcs12 -nokeys -clcerts -in $1 -out usercert.pem echo Exporting CA Cert openssl pkcs12 -nokeys -cacerts -in $1 -out userca.pem echo Creating new PKCS12 cert openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name "FOOBAR" -out $2