openvpn [2007/06/05 17:02]
a created
openvpn [2009/06/23 09:35] (current)
193.164.137.40
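--- a/openvpn.txt
+++ b/openvpn.txt
@@ -1,4 +1,113 @@
+===== Simple configuration =====
+=== Server side ===
+   port 1011
+   proto udp
+   dev tun1
+   daemon
+   writepid /var/run/openvpn.pid
+   ca /etc/openvpn/certs/ca.pem
+   cert /etc/openvpn/certs/cert.pem
+   key /etc/openvpn/certs/.key
+   dh /etc/openvpn/certs/dh1024.pem
+   server 192.168.240.8 255.255.255.248
+   client-config-dir /etc/openvpn/ccd
+   ccd-exclusive
+   push "route 10.10.50.32 255.255.255.224"
+   client-to-client
+   keepalive 10 120
+   comp-lzo
+   tls-auth /etc/openvpn/certs/ta.key 0 # This file is secret
+   cipher AES-256-CBC        
+   max-clients 5
+   user nobody
+   group nogroup
+   persist-key
+   persist-tun
+   log     /var/log/openvpn/vpn.log
+   status  /var/log/openvpn/vpn.status
+   verb 4
+   mute 10
+
+
 # To create the dh512.pem  or dh1024.pem:
         % # openssl gendh -rand rand.dat -out dh1024.pem
         % openssl dhparam -check -text -5 512     -out   dh512.pem
         % openssl dhparam -check -text -5 1024  -out  dh1024.pem
+
+===== authenticate OpenVPN users against a plain text file =====
+<code bash| >
+#/bin/sh
+###########################################################
+# checkpsw.sh (C) 2004 Mathias Sundman <mathias@openvpn.se>
+#
+# This script will authenticate OpenVPN users against
+# a plain text file. The passfile should simply contain
+# one row per user with the username first followed by
+# one or more space(s) or tab(s) and then the password.
+
+PASSFILE="/etc/openvpn/psw-file"
+LOG_FILE="/var/log/openvpn-password.log"
+TIME_STAMP=`date "+%Y-%m-%d %T"`
+
+###########################################################
+
+if [ ! -r "${PASSFILE}" ]; then
+  echo "${TIME_STAMP}: Could not open password file \"${PASSFILE}\" for reading." >> ${LOG_FILE}
+  exit 1
+fi
+
+CORRECT_PASSWORD=`awk '!/^;/&&!/^#/&&$1=="'${username}'"{print $2;exit}' ${PASSFILE}`
+
+if [ "${CORRECT_PASSWORD}" = "" ]; then 
+  echo "${TIME_STAMP}: User does not exist: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
+  exit 1
+fi
+
+if [ "${password}" = "${CORRECT_PASSWORD}" ]; then 
+  echo "${TIME_STAMP}: Successful authentication: username=\"${username}\"." >> ${LOG_FILE}
+  exit 0
+fi
+
+echo "${TIME_STAMP}: Incorrect password: username=\"${username}\", password=\"${password}\"." >> ${LOG_FILE}
+exit 1
+</code>
+
+
+
+===== OpenSSL / SSL stuff =====
+
+**Generate individual certs out of .pk12 cert**
+
+   openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
+   openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
+   openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
+
+
+
+==== change PKCS12 password using OpenSSL ====
+
+FIXME - **not tested!**
+
+   openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12
+
+Then, you should type in:
+  - Old import password
+  - PEM password
+  - PEM password again
+  - PEM password again twice
+  - New export password
+
+FIXME - alternative way
+
+<code>
+#!/bin/bash
+echo Exporting private KEY
+openssl pkcs12 -nocerts -in $1 -out userkey.pem
+echo Exporting public cert
+openssl pkcs12 -nokeys -clcerts -in $1 -out usercert.pem
+echo Exporting CA Cert
+openssl pkcs12 -nokeys -cacerts -in $1 -out userca.pem
+echo Creating new PKCS12 cert
+openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name "FOOBAR" -out $2
+</code>
+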
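Review bot: The `CORRECT_PASSWORD=` line of checkpsw.sh splices the client-supplied `${username}` straight into the awk program text (and leaves it and `${PASSFILE}` unquoted), so a username containing a double quote closes the string literal and whatever follows is parsed as awk code — `system()` included — before any password is compared, which is a pre-authentication code-execution path in the OpenVPN process's user context; read it inside awk as `ENVIRON["username"]` (it is already an environment variable) and quote `"${PASSFILE}"`. Newer OpenVPN servers remap disallowed username characters before invoking the script, which may blunt this in practice, but the script should not depend on its caller for that. The two failure branches also write the attempted password into `/var/log/openvpn-password.log`; mistyped passwords are routinely a user's real password for some other account, so log only the username. The first line `#/bin/sh` is a comment rather than an interpreter line (`#!/bin/sh`), so the script will not execute when OpenVPN invokes it, and the server configuration earlier in the hunk never references it anyway (no `auth-user-pass-verify` line; on 2.1+ the via-env form additionally needs `script-security 3`), so the page should state how the two pieces connect. Separately, the `dh512.pem`/`dh1024.pem` parameters used by `dh` and the `openssl dhparam` lines are far below current minimums (generate 2048 bits or larger), and `comp-lzo` exposes the tunnel to compression-oracle attacks when attacker-influenced data travels alongside secrets, so both deserve a caveat.
```shell
#!/bin/sh
# … unchanged: header comment, PASSFILE / LOG_FILE / TIME_STAMP, readability check …

# username is read from the environment inside awk, never spliced into the program text
CORRECT_PASSWORD=$(awk '!/^;/ && !/^#/ && $1 == ENVIRON["username"] {print $2; exit}' "${PASSFILE}")

if [ "${CORRECT_PASSWORD}" = "" ]; then
  echo "${TIME_STAMP}: User does not exist: username=\"${username}\"." >> "${LOG_FILE}"
  exit 1
fi
# … unchanged: successful-authentication branch …
echo "${TIME_STAMP}: Incorrect password: username=\"${username}\"." >> "${LOG_FILE}"
exit 1
```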