[[openvpn]]
Trace:
Show page
AdminRecent ChangesSitemap

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
openvpn [2008/01/18 13:17]
a 		openvpn [2009/06/23 09:35] (current)
193.164.137.40
Line 34: Line 34:
         % openssl dhparam -check -text -5 512     -out   dh512.pem         % openssl dhparam -check -text -5 512     -out   dh512.pem
         % openssl dhparam -check -text -5 1024  -out  dh1024.pem         % openssl dhparam -check -text -5 1024  -out  dh1024.pem
 +
 +===== authenticate OpenVPN users against a plain text file =====
 +<code bash| >
 +#/bin/sh
 +###########################################################
 +# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
 +#
 +# This script will authenticate OpenVPN users against
 +# a plain text file. The passfile should simply contain
 +# one row per user with the username first followed by
 +# one or more space(s) or tab(s) and then the password.
 +
 +PASSFILE="/etc/openvpn/psw-file"
 +LOG_FILE="/var/log/openvpn-password.log"
 +TIME_STAMP=`date "+%Y-%m-%d %T"`
 +
 +###########################################################
 +
 +if [ ! -r "${PASSFILE}" ]; then
 +  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
 +  exit 1
 +fi
 +
 +CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
 +
 +if [ "${CORRECT_PASSWORD}" = "" ]; then 
 +  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
 +  exit 1
 +fi
 +
 +if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
 +  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
 +  exit 0
 +fi
 +
 +echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
 +exit 1
 +</code>
 +
 +
 +
 +===== OpenSSL / SSL stuff =====
 +
 +**Generate individual certs out of .pk12 cert**
 +
 +   openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
 +   openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
 +   openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
 +
 +
 +
 +==== change PKCS12 password using OpenSSL ====
 +
 +FIXME - **not tested!**
 +
 +   openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12
 +
 +Then, you should type in:
 +  - Old import password
 +  - PEM password
 +  - PEM password again
 +  - PEM password again twice
 +  - New export password
 +
 +FIXME - alternative way
 +
 +<code>
 +#!/bin/bash
 +echo Exporting private KEY
 +openssl pkcs12 -nocerts -in $1 -out userkey.pem
 +echo Exporting public cert
 +openssl pkcs12 -nokeys -clcerts -in $1 -out usercert.pem
 +echo Exporting CA Cert
 +openssl pkcs12 -nokeys -cacerts -in $1 -out userca.pem
 +echo Creating new PKCS12 cert
 +openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name "FOOBAR" -out $2
 +</code>
 +
openvpn.1200658650.txt.gz ยท Last modified: 2009/05/25 00:34 (external edit)
Show pageOld revisions
Media ManagerBack to top
CC Attribution-Share Alike 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0 ipv6 ready