Not familiar with the --outform argument. Will have to look into it. Presume you are doing site to site/network to network? Or are you setting this up for end users to terminate to? I've done the latter many many times, but not net to net. Happy to provide docs if you/nanog like. I think that everyone should run a vpn to secure remote access to services they are operating. You integrating this with an existing pki infrastructure? If so is it openssl based? Or maybe ad based? Lots of openvpn variables.... Might be worth starting a new thread on the subject. As I said, I feel it's vital for folks to have a deep familiarity with openvpn and best practices etc.

------Original Message------
From: Randy Bush
To: Charles Wyble
Cc: nanog@nanog.org
Subject: Re: dns interceptors
Sent: Feb 14, 2010 7:10 PM
I run openvpn on my linux box to do exactly that.
i am in the midst of setting up some openvpn servers now, westin, ashburn, tokyo, but westin first. having problems sorting out what --outform it wants the bleeping certs in.

randy
end user to network

having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server

server: ca.crt server.crt server.key
client: ca.crt client.crt client.key

and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca?

randy
Randy Bush wrote:
end user to network
having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server
server: ca.crt server.crt server.key
client: ca.crt client.crt client.key
and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca?
randy
What error is getting logged? They are just normal certs and should be in the keys directory under openvpn's user directory. OpenVPN includes scripts that can make the certificates for you, under the easy-rsa directory.
On Sun, Feb 14, 2010 at 7:29 PM, Randy Bush <randy@psg.com> wrote:
end user to network
having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server
Use the easy-rsa stuff and it will do all the hard work for you. http://openvpn.net/index.php/open-source/documentation/howto.html

Scott
having probs with certs, i.e. what --outform it wants. not finding in docs. tried raw, but now guessing pem. same for client and server

Use the easy-rsa stuff and it will do all the hard work for you. http://openvpn.net/index.php/open-source/documentation/howto.html

we have a pki we know and love but i am trying/dissecting easy-rsa to see what it is doing

randy
On 15.02.2010 at 04:29, Randy Bush wrote:
and i presume i have to dump all client.crt files in the server's ../openvpn dir, but under what names? or does it just wantonly trust anyone under that ca?
Any cert signed by that CA. Use --client-config-dir to limit which CNs are acceptable, and to add custom configs per client on the server. On the client, use --tls-remote to limit which CN the client will accept when connecting to the server. On the server, you can also roll your own script to inspect the certificate presented by the client, and act on that.

Stefan

--
Stefan Bethke <stb@lassitu.de>
Fon +49 151 14070811
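As an added illustration of the "roll your own script" option above (example code, not from the thread or from OpenVPN itself): a --tls-verify hook that accepts a client only when its certificate CN is on an allow list, so a certificate that is merely signed by the CA is not enough. The allow-list path and the CNs in it are assumed values.

```shell
#!/bin/sh
# OpenVPN runs a --tls-verify script once per certificate in the chain as:
#     script <depth> <X509 subject>
# and accepts the certificate only if the script exits 0.
# Server config (assumed paths):
#     script-security 2
#     tls-verify /etc/openvpn/verify-cn.sh
# Allow list: one permitted CN per line (assumed path).
ALLOWED_CNS="${ALLOWED_CNS:-/etc/openvpn/allowed-cns}"

# Extract the CN from a subject in either the older "/C=US/O=PSG/CN=foo" form
# or the newer "C=US, O=PSG, CN=foo" form. Prints the CN, or nothing.
subject_cn() {
    # A leading space guarantees a separator before CN= in both forms.
    printf ' %s\n' "$1" \
        | sed -n 's#^.*[/, ]CN=\([^/,]*\).*$#\1#p' \
        | sed 's/[[:space:]]*$//'
}

# $1 = depth, $2 = subject. Returns 0 to accept, 1 to reject.
verify_peer() {
    depth=$1
    subject=$2
    # CA/intermediate certs (depth > 0) are already validated against --ca;
    # only the leaf (depth 0) names the connecting client.
    [ "$depth" != "0" ] && return 0
    # Fail closed if the allow list is unreadable.
    [ -r "$ALLOWED_CNS" ] || return 1
    cn=$(subject_cn "$subject")
    [ -n "$cn" ] || return 1
    # Exact, whole-line match only: no prefix or glob tricks.
    grep -Fxq -- "$cn" "$ALLOWED_CNS"
}

# When invoked by OpenVPN with its two arguments, decide and exit.
if [ "$#" -eq 2 ]; then
    verify_peer "$1" "$2"
    exit $?
fi
```

Newer OpenVPN releases replaced --tls-remote with --verify-x509-name for the client-side CN check; the server-side hook above works the same way.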