Hello all!
I couldn't start an OpenVPN connection between FreeBSD and Windows 2000.
Software versions are:
FreeBSD 6.4, OpenVPN 2.0.6_9, OpenSSL 0.9.7e (the one integrated in the FreeBSD system)
Windows 2000, OpenVPN 2.1 GUI
The openssl.cnf and the key generation script with its commands are listed below. I got all the needed files after running the script. The configs of the FreeBSD server and the Windows 2000 client are further down in the topic.
I try to start the connection from the client side and get these errors:
Code:
Fri Dec 19 11:01:21 2008 OpenVPN 2.1_rc13 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Oct 7 2008
Fri Dec 19 11:01:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Dec 19 11:01:21 2008 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
Fri Dec 19 11:01:21 2008 Control Channel Authentication: using 'c:\program files\openvpn\config\ta.key' as a OpenVPN static key file
Fri Dec 19 11:01:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 19 11:01:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 19 11:01:21 2008 LZO compression initialized
Fri Dec 19 11:01:21 2008 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 19 11:01:21 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 19 11:01:21 2008 Local Options hash (VER=V4): '504e774e'
Fri Dec 19 11:01:21 2008 Expected Remote Options hash (VER=V4): '14168603'
Fri Dec 19 11:01:21 2008 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Dec 19 11:01:21 2008 UDPv4 link local (bound): [undef]:1194
Fri Dec 19 11:01:21 2008 UDPv4 link remote: 192.168.0.2:1194
Fri Dec 19 11:01:21 2008 TLS: Initial packet from 192.168.0.2:1194, sid=7beb943a e65adbb7
Fri Dec 19 11:01:21 2008 VERIFY ERROR: depth=0, error=self signed certificate: /O=design/CN=srv.design.org
Fri Dec 19 11:01:21 2008 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Dec 19 11:01:21 2008 TLS Error: TLS object -> incoming plaintext read error
Fri Dec 19 11:01:21 2008 TLS Error: TLS handshake failed
Fri Dec 19 11:01:21 2008 TCP/UDP: Closing socket
Fri Dec 19 11:01:21 2008 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 19 11:01:21 2008 Restart pause, 2 second(s)
Server's log:
Code:
Fri Dec 19 11:02:43 2008 us=374189 192.168.0.1:1194 Re-using SSL/TLS context
Fri Dec 19 11:02:43 2008 us=374255 192.168.0.1:1194 LZO compression initialized
Fri Dec 19 11:02:43 2008 us=374444 192.168.0.1:1194 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Fri Dec 19 11:02:43 2008 us=374509 192.168.0.1:1194 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 19 11:02:43 2008 us=374614 192.168.0.1:1194 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Fri Dec 19 11:02:43 2008 us=374672 192.168.0.1:1194 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Fri Dec 19 11:02:43 2008 us=374744 192.168.0.1:1194 Local Options hash (VER=V4): '14168603'
Fri Dec 19 11:02:43 2008 us=374813 192.168.0.1:1194 Expected Remote Options hash (VER=V4): '504e774e'
RFri Dec 19 11:02:43 2008 us=374988 192.168.0.1:1194 TLS: Initial packet from 192.168.0.1:1194, sid=6ff3eefe 3f2a32d4
WRRWWWWRWRWRWRWRWRWRWRWRFri Dec 19 11:02:45 2008 us=512761 192.168.0.1:1194 TLS: new session incoming connection from 192.168.0.1:1194
WWWWWRRWWWWRWRWRWRWRWRWRWRWRFri Dec 19 11:02:47 2008 us=693153 192.168.0.1:1194 TLS: new session incoming connection from 192.168.0.1:1194
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
openssl.cnf:
Code:
# $FreeBSD: src/crypto/openssl/apps/openssl.cnf,v 1.7 2005/02/25 05:49:43 nectar Exp $
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /usr/local/etc/openvpn # Where everything is kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file
new_certs_dir = $dir/certs # default place for new certs
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/privkey.key # The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 3650 # how long to certify for
default_crl_days= 365 # how long before next CRL
default_md = md5 # which md to use
unique_subject = yes # Set to 'no' to allow certs with same subject
policy = policy_any
x509_extensions = user_extensions # The extensions to add to the cert
[ policy_any ]
organizationName = match
organizationalUnitName = optional
commonName = supplied
#localityName = match
[ req ]
default_bits = 2048
default_keyfile = privkey.key
distinguished_name = req_distinguished_name
x509_extensions = CA_extensions
[ req_distinguished_name ]
#countryName = Country Name (2 letter code)
#countryName_default = AU
#countryName_min = 2
#countryName_max = 2
#localityName = Locality Name (eg, city)
organizationName = Organization Name (must match CA)
organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (common FQDN, ORG or YOUR name)
commonName_max = 64
#emailAddress = Email Address
#emailAddress_max = 64
[ user_extensions ]
basicConstraints = CA:FALSE
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid,issuer:always
[ CA_extensions ]
basicConstraints = CA:TRUE
#subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid:always,issuer:always
[ server ]
basicConstraints = CA:FALSE
nsCertType = server
Key generation script:
Code:
#!/bin/sh
# SSL/X.509 key generation script for OpenVPN
# The Common Name of the server cert must match the server's FQDN
DIR=/usr/local/etc/openvpn
OPENSSL=/usr/local/etc/openvpn/openssl.cnf
KEYLENGTH=2048
OUT=/home/ftp/pub
cd ${DIR}
# Configs of remote clients                                      /ccd
# Server and client certs                                        /certs
# CRL - certificate revocation list                              /crl
# Private keys of the server and client certs                    /keys
# Private key of the signing (CA) certificate                    /private
# Cert requests (restrict access to the keys and private dirs)   /req
mkdir ccd certs crl keys private req
echo "Creating directories..."
echo "${DIR}/ccd"
echo "${DIR}/certs"
echo "${DIR}/crl"
echo "${DIR}/keys"
echo "${DIR}/private"
echo "${DIR}/req"
echo ""
echo "01" >> serial
echo "Creating files..."
echo "${DIR}/serial"
touch index.txt
echo "${DIR}/index.txt"
echo ""
# Generating the CA key and cert
openssl req -config ${OPENSSL} -new -nodes -x509 -keyout private/privkey.key -out ca.crt -days 3650
# Server certificates
# Generate the server key and cert request
openssl req -config ${OPENSSL} -new -nodes -keyout keys/server.key -out req/server.pem
# The server's cert request must be signed by the CA
# To make CA cert roll-over easier add the option -selfsign
# and set unique_subject = no in the openssl.cnf file
openssl ca -config ${OPENSSL} -extensions server -out certs/server.crt -infiles req/server.pem
# Diffie-Hellman params generation
openssl dhparam -out dh${KEYLENGTH}.pem ${KEYLENGTH}
# Client keys and certificates
openssl req -config ${OPENSSL} -new -nodes -keyout keys/Kclient.key -out req/Rclient.pem
openssl ca -batch -config ${OPENSSL} -out certs/Cclient.crt -infiles req/Rclient.pem
# Generate the certificate revocation list (CRL)
openssl ca -config ${OPENSSL} -gencrl -out crl/crl.pem
# Revoking a cert
#openssl ca -config ${OPENSSL} -revoke certs/Cclient.crt
# HMAC key generation (tls-auth)
openvpn --genkey --secret ta.key
# Check that the issued certs chain to the CA (the server cert too, not only the client's)
openssl verify -CAfile ca.crt certs/server.crt
openssl verify -CAfile ca.crt certs/Cclient.crt
# Client configuration
cd ${DIR}/ccd
echo ""
echo "Adding client's configuration to the $DIR/ccd/client"
echo 'push "route 192.168.0.0 255.255.255.0"' >> client
echo ""
cd $DIR
# Directories need the search bit; only the key files themselves get mode 600
chmod 700 keys private
chmod 600 keys/* private/*
echo "Starting OpenVPN server..."
/usr/local/etc/rc.d/openvpn restart
echo ""
# Copy user keys
echo "Copying user keys..."
echo ""
cp certs/Cclient.crt $OUT
cp keys/Kclient.key $OUT
cp ca.crt $OUT
cp ta.key $OUT
Server's configuration, openvpn.conf:
Code:
dev tun0
local 192.168.0.2
port 1194
proto udp
server 10.0.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
client-config-dir ccd
client-to-client
max-clients 10
tls-server
dh /usr/local/etc/openvpn/dh2048.pem
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/certs/server.crt
key /usr/local/etc/openvpn/keys/server.key
crl-verify /usr/local/etc/openvpn/crl/crl.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
#cipher BF-CBC # Blowfish (default)
#cipher AES-128-CBC # AES
#cipher DES-EDE3-CBC # Triple-DES
comp-lzo
keepalive 10 120
tun-mtu 1500
mssfix 1450
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 5
mute 10
Client's configuration, client.ovpn:
Code:
# The client receives its settings from the server
client
dev tun
proto udp
remote 192.168.0.2 1194
tls-client
tls-remote srv.design.org
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\Cclient.crt"
key "c:\\program files\\openvpn\\config\\Kclient.key"
tls-auth "c:\\program files\\openvpn\\config\\ta.key" 1
ns-cert-type server
comp-lzo
tun-mtu 1500
mssfix 1450
verb 3
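The posted script verifies only the client certificate, while the error in the client log concerns the server certificate. The following check is an added example, not part of the original post: it repeats the two issuance steps (CA, then a server cert signed by that CA) in a scratch directory and verifies server.crt against ca.crt, and it also flags a server DN identical to the CA DN, because OpenSSL treats a certificate whose issuer equals its subject and that carries no authorityKeyIdentifier (commented out in the openssl.cnf above) as self-signed, which is what "VERIFY ERROR: depth=0, error=self signed certificate" reports. The DNs and directory names are constructed test values.

```shell
#!/bin/sh
# Added check, not from the original post. All DNs below are constructed values.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki DIR CA_SUBJECT SERVER_SUBJECT: self-signed CA cert, then a server
# cert issued by that CA (the same two steps the posted script performs).
make_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "$3" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# check_chain CA_CRT SERVER_CRT: returns 0 only when the server DN differs from
# its issuer DN and the certificate verifies against the CA, 1 otherwise.
check_chain() {
    subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then
        # Without an AKID, OpenSSL classifies such a cert as self-signed and the
        # client logs "VERIFY ERROR: depth=0, error=self signed certificate".
        echo "FAIL: $2 has subject == issuer ($subj)"
        return 1
    fi
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "OK: $2 chains to $1"
        return 0
    fi
    echo "FAIL: $2 does not verify against $1"
    return 1
}

# Case 1: distinct CNs for CA and server, as the config's comments intend.
make_pki "$WORK/good" "/O=design/CN=design CA" "/O=design/CN=srv.design.org"
# Case 2: the server request answered with the same O and CN as the CA.
make_pki "$WORK/same" "/O=design/CN=srv.design.org" "/O=design/CN=srv.design.org"

check_chain "$WORK/good/ca.crt" "$WORK/good/server.crt"
check_chain "$WORK/same/ca.crt" "$WORK/same/server.crt" || true
```

Against the tree the posted script creates, the same function would be run from /usr/local/etc/openvpn as `check_chain ca.crt certs/server.crt`.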