Differences
openvpn [2007/06/05 17:02] a created
openvpn [2009/06/23 09:35] (current) 193.164.137.40
Line 1: | Line 1: | ||
+ | ===== Simple configuration ===== | ||
+ | === Server side === | ||
+ | port 1011 | ||
+ | proto udp | ||
+ | dev tun1 | ||
+ | | ||
+ | | ||
+ | ca / | ||
+ | cert / | ||
+ | key / | ||
+ | dh / | ||
+ | | ||
+ | | ||
+ | | ||
+ | push "route 10.10.50.32 255.255.255.224" | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | user nobody | ||
+ | group nogroup | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | verb 4 | ||
+ | mute 10 | ||
+ | |||
+ | |||
# To create the dh512.pem | # To create the dh512.pem | ||
% # openssl gendh -rand rand.dat -out dh1024.pem | % # openssl gendh -rand rand.dat -out dh1024.pem | ||
% openssl dhparam -check -text -5 512 | % openssl dhparam -check -text -5 512 | ||
% openssl dhparam -check -text -5 1024 -out dh1024.pem | % openssl dhparam -check -text -5 1024 -out dh1024.pem | ||
+ | |||
+ | ===== authenticate OpenVPN users against a plain text file ===== | ||
+ | <code bash| > | ||
+ | #/bin/sh | ||
+ | ########################################################### | ||
+ | # checkpsw.sh (C) 2004 Mathias Sundman < | ||
+ | # | ||
+ | # This script will authenticate OpenVPN users against | ||
+ | # a plain text file. The passfile should simply contain | ||
+ | # one row per user with the username first followed by | ||
+ | # one or more space(s) or tab(s) and then the password. | ||
+ | |||
+ | PASSFILE="/ | ||
+ | LOG_FILE="/ | ||
+ | TIME_STAMP=`date " | ||
+ | |||
+ | ########################################################### | ||
+ | |||
+ | if [ ! -r " | ||
+ | echo " | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | CORRECT_PASSWORD=`awk ' | ||
+ | |||
+ | if [ " | ||
+ | echo " | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | if [ " | ||
+ | echo " | ||
+ | exit 0 | ||
+ | fi | ||
+ | |||
+ | echo " | ||
+ | exit 1 | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | ===== OpenSSL / SSL stuff ===== | ||
+ | |||
+ | **Generate individual certs out of .pk12 cert** | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | |||
+ | |||
+ | ==== change PKCS12 password using OpenSSL ==== | ||
+ | |||
+ | FIXME - **not tested!** | ||
+ | |||
+ | | ||
+ | |||
+ | Then, you should type in: | ||
+ | - Old import password | ||
+ | - PEM password | ||
+ | - PEM password again | ||
+ | - PEM password again twice | ||
+ | - New export password | ||
+ | |||
+ | FIXME - alternative way | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | echo Exporting private KEY | ||
+ | openssl pkcs12 -nocerts -in $1 -out userkey.pem | ||
+ | echo Exporting public cert | ||
+ | openssl pkcs12 -nokeys -clcerts -in $1 -out usercert.pem | ||
+ | echo Exporting CA Cert | ||
+ | openssl pkcs12 -nokeys -cacerts -in $1 -out userca.pem | ||
+ | echo Creating new PKCS12 cert | ||
+ | openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -certfile userca.pem -name " | ||
+ | </ | ||
+ |
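Review bot: the shebang line in the checkpsw.sh block reads `#/bin/sh` without the `!`, so when OpenVPN executes the file directly as its auth-user-pass-verify handler, execve() rejects it (ENOEXEC) instead of running it under /bin/sh; change it to `#!/bin/sh`. In the DH block, the comment says `# To create the dh512.pem` while both commands write `dh1024.pem`, and `openssl gendh` has long been superseded by `openssl dhparam` (already used on the two lines below it); the comment should name the file actually produced, and since 512- and 1024-bit parameters are below current minimums, any new deployment should generate at least 2048 bits. In the PKCS12 re-export script, `$1` is unquoted and never checked, so running it with no argument or with a path containing spaces makes the four openssl calls fail in confusing ways; add `[ $# -eq 1 ] || { echo "usage: $0 file.p12" >&2; exit 1; }` at the top and quote `"$1"` in each call, and because the first `openssl pkcs12 -nocerts` call writes the private key to `userkey.pem` in the current directory, set `umask 077` before it so the key file is not created readable by other users.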