
Simple configuration

Server side

 port 1011
 proto udp
 dev tun1
 daemon
 writepid /var/run/openvpn.pid
 ca /etc/openvpn/certs/ca.pem
 cert /etc/openvpn/certs/cert.pem
 key /etc/openvpn/certs/.key
 dh /etc/openvpn/certs/dh1024.pem
 server 192.168.240.8 255.255.255.248
 client-config-dir /etc/openvpn/ccd
 ccd-exclusive
 push "route 10.10.50.32 255.255.255.224"
 client-to-client
 keepalive 10 120
 comp-lzo
 tls-auth /etc/openvpn/certs/ta.key 0 # This file is secret
 cipher AES-256-CBC        
 max-clients 5
 user nobody
 group nogroup
 persist-key
 persist-tun
 log     /var/log/openvpn/vpn.log
 status  /var/log/openvpn/vpn.status
 verb 4
 mute 10

# To create the dh512.pem or dh1024.pem:

      % # openssl gendh -rand rand.dat -out dh1024.pem
      % openssl dhparam -check -text -5 512     -out   dh512.pem
      % openssl dhparam -check -text -5 1024  -out  dh1024.pem

Authenticate OpenVPN users against a plain text file

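#!/bin/sh
###########################################################
# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
#
# This script will authenticate OpenVPN users against
# a plain text file. The passfile should simply contain
# one row per user with the username first followed by
# one or more space(s) or tab(s) and then the password.
#
# OpenVPN invokes it (auth-user-pass-verify, via-env) with the
# candidate credentials in the environment variables $username
# and $password.  Exit status 0 accepts the login; exit status 1
# rejects it (unreadable password file, unknown user, or wrong
# password).  Every decision is appended to ${LOG_FILE}; the
# supplied password is deliberately never written to the log.

PASSFILE="/etc/openvpn/psw-file"
LOG_FILE="/var/log/openvpn-password.log"
TIME_STAMP=$(date "+%Y-%m-%d %T")

###########################################################

# Append one timestamped line to the log file.
# Arguments: $1 - message text
# A failed log write is ignored on purpose: it must not change
# the authentication decision in either direction.
log() {
  printf '%s: %s\n' "${TIME_STAMP}" "$1" >> "${LOG_FILE}" 2>/dev/null
}

if [ ! -r "${PASSFILE}" ]; then
  log "Could not open password file \"${PASSFILE}\" for reading."
  exit 1
fi

# Look the user up in the password file.  The username is handed
# to awk through the environment rather than spliced into the
# program text, so quotes or other awk syntax in it cannot alter
# the match.  ($1 "") forces a string comparison so that numeric
# looking names such as 01 and 1 are not treated as equal.
# Lines starting with ';' or '#' are comments; the first match wins.
CORRECT_PASSWORD=$(
  user="${username:-}" awk '
    !/^;/ && !/^#/ && ($1 "") == ENVIRON["user"] { print $2; exit }
  ' "${PASSFILE}"
)

# An empty result covers both "no such user" and "user with an
# empty password"; both are rejected.
if [ "${CORRECT_PASSWORD}" = "" ]; then
  log "User does not exist: username=\"${username:-}\"."
  exit 1
fi

if [ "${password:-}" = "${CORRECT_PASSWORD}" ]; then
  log "Successful authentication: username=\"${username:-}\"."
  exit 0
fi

log "Incorrect password: username=\"${username:-}\"."
exit 1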

OpenSSL / SSL stuff

Generate individual certs out of a .p12 cert

 openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
 openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
 openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem

Change PKCS12 password using OpenSSL

FIXME - not tested!

 openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12

Then, you should type in:

  1. Old import password
  2. PEM password
  3. PEM password again
  4. PEM password again twice
  5. New export password

FIXME - alternative way

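#!/bin/bash
# Re-package a PKCS#12 file under a new export password.
#   usage: <script> old.p12 new.p12
# The private key, client cert and CA chain are split out of $1
# (openssl prompts for the import password and a PEM pass phrase
# for the key), then re-exported into $2 (openssl prompts for the
# new export password).  The intermediate PEM files contain the
# private key, so they are kept in a private temporary directory
# that is removed on every exit path instead of being left behind
# in the working directory.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $# -eq 2 ]] || die "usage: ${0##*/} old.p12 new.p12"
in_p12=$1
out_p12=$2
[[ -r "$in_p12" ]] || die "cannot read $in_p12"

tmpdir=$(mktemp -d) || die "mktemp failed"
# :? aborts rather than running rm -rf on an empty path.
trap 'rm -rf -- "${tmpdir:?}"' EXIT

echo Exporting private KEY
openssl pkcs12 -nocerts -in "$in_p12" -out "$tmpdir/userkey.pem"
echo Exporting public cert
openssl pkcs12 -nokeys -clcerts -in "$in_p12" -out "$tmpdir/usercert.pem"
echo Exporting CA Cert
openssl pkcs12 -nokeys -cacerts -in "$in_p12" -out "$tmpdir/userca.pem"
echo Creating new PKCS12 cert
# The friendly name "FOOBAR" is kept from the original script.
openssl pkcs12 -export -in "$tmpdir/usercert.pem" -inkey "$tmpdir/userkey.pem" \
  -certfile "$tmpdir/userca.pem" -name "FOOBAR" -out "$out_p12"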