The document describes the steps to set up an OpenVPN server with Easy-RSA on a Linux system. It involves:
1. Installing OpenVPN and Easy-RSA packages and configuring Easy-RSA parameters and keys like CA, server, client, DH.
2. Generating certificates and keys for the OpenVPN server and client.
3. Configuring the OpenVPN server file with settings for port, protocol, network, authentication and other parameters.
4. Enabling port forwarding, starting the OpenVPN service, and verifying logs as the service starts.
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo... - Chanaka Lasantha
This document provides instructions for configuring various server applications and services on a Linux server including Apache, PHP, MySQL, FTP, SSL, IPTables, PHPMyAdmin, and server monitoring. It discusses installing and configuring each of these applications and services individually with specific configuration details. The document is intended to provide a complete solution for setting up these common LAMP stack components and services on a Linux server.
This document provides an overview of how DNS lookups generally work, with a focus on DNS security (DNSSEC). It explains the standard DNS lookup process, where a user's request is recursively resolved through root servers, TLD servers, and name servers until an IP address is returned. It then discusses DNSSEC in more detail, explaining the new record types it introduces, such as DNSKEY, RRSIG, DS, and NSEC, to authenticate records and prove non-existence. The document emphasizes that while DNSSEC aims to validate that records are authentic, recursive resolvers still may not perform validation, limiting its effectiveness. It also provides steps to configure a zone with DNSSEC.
This document provides an overview of network security concepts related to application layer protocols. It discusses vulnerabilities in DNS, including cache poisoning and domain hijacking attacks. It also covers vulnerabilities in NIS, NetBIOS, and remote procedure call (RPC) protocols that can allow attackers to gain unauthorized access or harvest sensitive information like usernames and passwords. The document recommends using SSL/TLS to authenticate servers and protect against DNS manipulation attacks.
The document discusses content network navigation and DNS. It defines navigation, switching, routing and explains how DNS translates hostnames to IP addresses. It describes the components of DNS including the domain name space, name servers, resource records, and resolvers. It explains DNS requests, resolution process and tools like nslookup. It also summarizes load balancing techniques for switches including policies for best available server, persistence and differentiated services.
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015) - Dan York
In this talk to the IEPG session at IETF 93 in Prague on 19 July 2015, I outlined some of the challenges associated with deploying new crypto algorithms within DNSSEC and what we potentially need to do to address these challenges.
Jan-Piet Mens gave a presentation on DNSSEC and securing DNS with cryptography. He discussed how DNSSEC works by adding digital signatures to DNS records to authenticate their source and integrity. It provides data origin authentication and integrity but does not encrypt data. He demonstrated how to configure and use DNSSEC with Unbound and PowerDNS to enable validating queries. Attendees were encouraged to set up test environments to better understand DNSSEC.
11 April 2016 - ION Bangladesh - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
The presentation summarizes DNS, SMTP, and POP3 protocols. It discusses configuring a local host file to map IP addresses to hostnames, setting up a DNS server using Bind on Windows 7, and interacting with an email server using SMTP and POP3 commands via Telnet. The objectives are to resolve hostnames, configure DNS, and send emails between mailboxes on the email server. Requirements include networked PCs and servers running Windows 7 with TCP/IP and an email server configured with user mailboxes.
The document is a slide deck for a DNSSEC tutorial presented at the USENIX LISA conference in 2013. It provides an overview of DNSSEC, including how it uses public key cryptography and digital signatures to authenticate DNS data and establish a chain of trust. It also covers topics like configuring DNSSEC in BIND, using the dig tool to perform queries, and prospects for new applications of DNSSEC. The presentation was given by Shumon Huque, an IT director at the University of Pennsylvania.
Part 2 - Local Name Resolution in Windows Networks - Men and Mice
This webinar discusses local name resolution protocols in Windows networks. It focuses on Link Local Multicast Name Resolution (LLMNR) and Peer Name Resolution Protocol (PNRP). LLMNR provides serverless name resolution on the local subnet using multicast queries. PNRP is a peer-to-peer name resolution protocol that operates over IPv6 or IPv4-IPv6 tunnels. The webinar explains how these protocols work, how to configure and use them, and potential security issues to be aware of when using them. It also advertises upcoming Men & Mice training courses on DNS and name resolution topics.
This presentation gives an overview of the Domain Name System (DNS) and what goes into making the DNS secure. This deck also answers the question what is ICANN's role in Domain Name System Security (DNSSEC) deployment?
The CAA-Record for increased encryption security - Men and Mice
The CAA Record (Certification Authority Authorization) is used to signal which certification authority (CA) can issue an x509 certificate for a given domain. CAA creates a DNS mechanism that enables domain name owners to whitelist CAs that are allowed to issue certificates for their hostnames.
Starting from September 2017, certificate-issuing CAs must support the CAA record.
This presentation explains the CAA record, how it works, how to enter CAA into a zone, and how certification authorities are going to use the record.
Google has changed Chrome's code to enforce HTTPS encryption on all ".dev" domains by default. This causes problems for developers who use ".dev" locally without HTTPS. Alternatives for local domain names include subdomains of owned domains, reserved domains like ".test", or protocols besides DNS like LLMNR and mDNS. Unbound and BIND can configure local zones to resolve names without internet access.
A webinar that looks into the new features that the Windows Server 2016 will offer in the DNS, DHCP and IPv6 space.
Showcase of some of the new stuff using the latest tech preview and the aim is to give administrators a quick overview of the Windows Server 2016 and enough information to decide if early adoption is worthwhile.
Static typing in Vault refers to enforcing the structure and location of secrets stored in Vault. This can be achieved by using a script or tool to validate secrets against JSON schemas before they are written or accessed. The schemas define the required properties and structure for different secret types. Using a generic validation tool allows schemas to be centrally defined and ensures secrets match the expected format, reducing errors from incorrectly structured secrets.
DNS High-Availability Tools - Open-Source Load Balancing Solutions - Men and Mice
The DNS protocol has built-in high availability for authoritative DNS servers (this will be better explained in the webinar!), but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing.
In this webinar, we will look into how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers, and how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD.
The document discusses Let's Encrypt, a free and automated certificate authority. It describes how Let's Encrypt aims to make HTTPS more widely used by automating the certificate issuance and renewal process. This is done through the Automatic Certificate Management Environment (ACME) protocol, which allows certificates to be issued at low cost. The protocol automates interactions between certificate authorities and web servers to deploy public key infrastructure. Let's Encrypt has issued over 100 million certificates to help secure websites and aims to make HTTPS the default for all web traffic.
- DNSSEC and RPKI are protocols that aim to secure the core of the Internet by adding authentication and integrity to DNS and routing data.
- DNSSEC works by digitally signing DNS records with private keys, and publishing the signatures and corresponding public keys. It builds a chain of trust from the root zone down by including fingerprints of child keys in parent zones.
- RPKI uses a similar approach to secure routing by digitally signing routing announcements and filtering invalid routes. It establishes a framework for routers to validate the authenticity and authorization of routing information.
Carlos García - Pentesting Active Directory Forests [rooted2019] - RootedCON
The document discusses penetration testing of Active Directory forests and trusts. It begins with an introduction to forests, domains, and trust types. It then covers authentication protocols like NTLM and Kerberos across trusts. Next, it discusses techniques for enumerating trusts and mapping the trust relationships. The document outlines common attacks when domain admin privileges are available, such as using Golden Tickets and SID history exploitation. For situations without domain admin, it recommends reconnaissance of trusts and objects to map a path to privileged accounts.
Logging is important for troubleshooting a DNS service. Conveniently with BIND 9, almost all problems will show up somewhere in the log output, but only if the logging is enabled and configured correctly.
In this webinar, we’ll discuss the BIND 9 logging configuration and best practices in searching through large log-files to find the entries of interest. In addition, we’ll release log-management tools used by Men & Mice Services.
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS - Men and Mice
The focus of this webinar will be to take a deeper look into this local name-resolution system and the implementations for other Unix systems like Linux and FreeBSD. Linux’s new über-Daemon “systemd” supports both mDNS and the Windows LLMNR (Link-Local Multicast Name Resolution). We will also show how well a systemd-based Linux behaves in heterogeneous networks running both Windows and macOS.
High Availability Content Caching with NGINX - NGINX, Inc.
On-Demand Recording:
https://www.nginx.com/resources/webinars/high-availability-content-caching-nginx/
You trust NGINX to be your web server, but did you know it’s also a high-performance content cache? In fact, the world’s most popular CDNs – CloudFlare, MaxCDN, and Level 3 among them – are built on top of the open source NGINX software.
NGINX content caching can drastically improve the performance of your applications. We’ll start with basic configuration, then move on to advanced concepts and best practices for architecting high availability and capacity in your application infrastructure.
Join this webinar to:
* Enable content caching with the key configuration directives
* Use micro caching with NGINX Plus to cache dynamic content while maintaining low CPU utilization
* Partition your cache across multiple servers for high availability and increased capacity
* Log transactions and troubleshoot your NGINX content cache
This document provides steps to install and configure mod_ssl on CentOS/Fedora/Redhat to enable HTTPS on the Apache web server. It describes generating a self-signed certificate, editing the ssl.conf and httpd.conf configuration files to specify the certificate details and enable SSL, and restarting the Apache server to apply the changes.
This document discusses security concepts like minimizing risk, managing vulnerabilities, and monitoring logs. It then focuses on OpenSSL and cryptography, explaining how to set up an OpenSSL certificate authority (CA) to generate and sign certificates. It covers generating keys, creating certificate signing requests, signing certificates, managing certificate revocation lists, and configuring applications to use the CRL for validation.
Seattle C* Meetup: Hardening cassandra for compliance or paranoia - zznate
Details how to secure Apache Cassandra clusters. Covers client to server and server to server encryption, securing management and tooling, using authentication and authorization, as well as options for encryption at rest.
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation... - MongoDB
This document provides information on securing MongoDB installations, including common attacks and weaknesses. It discusses various authentication strategies in MongoDB like SCRAM-SHA-1 and x.509 certificates. It also covers user and role management with examples based on a fictional medical clinic application. Additional topics covered include network configuration, using MongoDB Atlas, implementing read-only views, and architectural considerations for a secure system.
Hardening cassandra for compliance or paranoia - zznate
Cassandra at-rest encryption, inter-node communication encryption, client-server communication encryption, authentication, authorization, and securing JMX management were discussed. The document provided guidance on implementing encryption at rest using commercial and open source options, setting up SSL for inter-node and client-server communication using self-signed certificates, implementing authentication and authorization best practices carried over from RDBMS, and securing JMX access.
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia). - DataStax Academy
Security is always at odds with usability, particularly in the context of operations and development. More so when dealing with a distributed system such as Apache Cassandra. In this presentation, we'll walk through the steps required to completely secure a Cassandra cluster to meet most regulatory and compliance guidelines.
Topics will include:
- Encrypting cross-DC traffic
- Different types of at-rest disk encryption options available (and how to tune them)
- Configuring SSL for inter-cluster communication
- Configuring SSL between clients and the API
- Configuring and managing client authentication
Attendees will leave this presentation with the knowledge required to harden Cassandra to meet most guidelines imposed by regulations and compliance.
This document provides instructions for setting up WiFi authentication and accounting using FreeRADIUS on CentOS 5. It involves generating digital certificates using OpenSSL, installing and configuring FreeRADIUS, and setting up a wireless access point and client devices to use the RADIUS server for WPA1/2 enterprise authentication via EAP/PEAP/TTLS. Key steps include generating server and client certificates signed by a certificate authority, configuring FreeRADIUS configuration files, adding a RADIUS client for the access point, and setting the access point and client devices to point to the RADIUS IP for authentication.
How To Install and Configure Apache SSL on CentOS 7 - VCP Muthukrishna
This document provides instructions on how to install and configure Apache SSL on CentOS 7. It includes steps to install the httpd package and enable the service, create a self-signed SSL certificate, configure the SSL settings in the Apache configuration file including the certificate and key files, open firewall ports, and validate the SSL configuration. The goal is to securely serve HTTPS traffic from the Apache web server using the newly created SSL certificate.
The purpose of OpenVPN is simple: it allows connecting to other devices within one secure network. It keeps online data safe by tunneling it through encrypted servers. So if you’re looking for a reliable, easy-to-use system that is adaptable enough to deal with any operating system, then OpenVPN is a no-brainer.
Presented by VEXXHOST, provider of Openstack based Public and Private Cloud Infrastructure
https://vexxhost.com/
Configuration of Self Signed SSL Certificate For CentOS 8 - Kaan Aslandağ
This document provides instructions for configuring a self-signed SSL certificate for an Apache web server on CentOS 8. It explains how to install the mod_ssl module, generate a self-signed certificate and key, configure Apache to use the certificate, and set up redirection from HTTP to HTTPS. While self-signed certificates encrypt communication, they do not validate the server identity to browsers and will result in security warnings for users.
“Identity management (IdM) describes the management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks.”
I demonstrate in this short guide how to upgrade Red Hat IdM (FreeIPA) from RHEL 6 to 7.x.
This document provides instructions for installing and configuring an LDAP server and phpLDAPadmin on a CentOS system. The key steps include:
1. Installing LDAP server software and configuring the slapd.conf file.
2. Initializing the LDAP directory with a root user and organizational units.
3. Installing and configuring phpLDAPadmin to manage the LDAP server over a web interface.
This document provides instructions for installing and configuring an LDAP server plus phpLDAPadmin on a CentOS system. The key steps include:
1. Installing LDAP server packages and configuring slapd.conf and the LDAP database.
2. Initializing the LDAP directory with a root user and organizational units.
3. Installing a web server and phpLDAPadmin to provide a web interface for managing the LDAP server.
4. Configuring phpLDAPadmin to connect to the LDAP server by editing its config.php file.
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers.
Most certificates in common use are based on the X.509 v3 certificate standard. First I open the shell with the openssl.exe and MS SDK tools.
This document discusses secure connections in Java using SSL/TLS. It provides information on key concepts like keystores, certificates, and truststores. It also demonstrates how to set up a basic client-server application with mutual authentication using self-signed certificates and keytool to generate and manage the certificates. Troubleshooting tips are provided for common exceptions encountered.
If you think they are easy, you are (probably) doing them wrong. A presentation about issues with TLS and X.509 certificates for Tampere security people (TreSec, @TreSecCommunity) meetup on 21st of March 2018.
A review on techniques and modelling methodologies used for checking electrom... - nooriasukmaningtyas
The proper function of the integrated circuit (IC) in an inhibiting electromagnetic environment has always been a serious concern throughout the decades of revolution in the world of electronics, from disjunct devices to today’s integrated circuit technology, where billions of transistors are combined on a single chip. The automotive industry and smart vehicles in particular, are confronting design issues such as being prone to electromagnetic interference (EMI). Electronic control devices calculate incorrect outputs because of EMI and sensors give misleading values which can prove fatal in case of automotives. In this paper, the authors have non exhaustively tried to review research work concerned with the investigation of EMI in ICs and prediction of this EMI using various modelling methodologies and measurement setups.
6th International Conference on Machine Learning & Applications (CMLA 2024)ClaraZara1
6th International Conference on Machine Learning & Applications (CMLA 2024) will provide an excellent international forum for sharing knowledge and results in theory, methodology and applications of on Machine Learning & Applications.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
International Conference on NLP, Artificial Intelligence, Machine Learning an...gerogepatton
International Conference on NLP, Artificial Intelligence, Machine Learning and Applications (NLAIM 2024) offers a premier global platform for exchanging insights and findings in the theory, methodology, and applications of NLP, Artificial Intelligence, Machine Learning, and their applications. The conference seeks substantial contributions across all key domains of NLP, Artificial Intelligence, Machine Learning, and their practical applications, aiming to foster both theoretical advancements and real-world implementations. With a focus on facilitating collaboration between researchers and practitioners from academia and industry, the conference serves as a nexus for sharing the latest developments in the field.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesChristina Lin
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
OpenVPN
Scenario
Server IP Address 192.168.132.21
Client IP Address 192.168.132.20
Step 1 - Install OpenVPN and Easy-RSA
Install OpenVPN & easy-rsa on the server.
# yum install epel-release openvpn easy-rsa -y
Step 2 - Configure Easy-RSA 3
In this step, we will configure Easy-RSA by creating a new 'vars' file. The 'vars' file contains the
Easy-RSA settings.
Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' script.
# cd /etc/openvpn/
# cp -r /usr/share/easy-rsa /etc/openvpn/
# cd /etc/openvpn/easy-rsa/3/
We will use the parameters in /etc/openvpn/easy-rsa/3/vars to set the values for our keys and
certificates. Change the values according to your needs.
# vim vars
# chmod +x vars
# cd /etc/openvpn/easy-rsa/3/
# Easy-RSA 3 reads its settings through set_var; the 'export KEY_*' form is Easy-RSA 2 syntax and is ignored by easyrsa 3
set_var EASYRSA_REQ_COUNTRY  "NP"
set_var EASYRSA_REQ_PROVINCE "KTM"
set_var EASYRSA_REQ_CITY     "Kathmandu"
set_var EASYRSA_REQ_ORG      "F1soft"
set_var EASYRSA_REQ_EMAIL    "manish.kc@f1soft.com"
set_var EASYRSA_REQ_OU       "f1soft"
set_var EASYRSA_REQ_CN       "f1soft"
Step 3 - Build OpenVPN Keys
We will build the OpenVPN keys based on the Easy-RSA 'vars' file that we've created: the CA key, the
server and client keys, the DH parameters and the CRL PEM file.
We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/3'
directory.
# cd /etc/openvpn/easy-rsa/3/
Initialize the PKI and build the CA
# ./easyrsa init-pki
# ./easyrsa build-ca
[root@localhost 3]# ./easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki
[root@localhost 3]# ./easyrsa build-ca
Generating a 2048 bit RSA private key
..........+++
...................................................................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.h5pdSfY8qR'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt
Build key for Server
# ./easyrsa gen-req openvpn-server nopass
# ./easyrsa sign-req server openvpn-server
# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt
[root@localhost 3]# ./easyrsa gen-req openvpn-server nopass
Generating a 2048 bit RSA private key
........................................................................+++
..............+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/openvpn-server.key.vzztQHFiy7'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [openvpn-server]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/openvpn-server.req
key: /etc/openvpn/easy-rsa/3/pki/private/openvpn-server.key
[root@localhost 3]# ./easyrsa sign-req server openvpn-server
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request has not been cryptographically
verified. Please be sure it came from a trusted source or that you have verified the request checksum with the
sender.
Request subject, to be signed as a server certificate for 3650 days:
subject=
commonName = openvpn-server
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn-server'
Certificate is to be certified until Jul 22 15:50:28 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/openvpn-server.crt
[root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt
pki/issued/openvpn-server.crt: OK
Build key for Client
# ./easyrsa gen-req client01 nopass
# ./easyrsa sign-req client client01
# openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
[root@localhost 3]# ./easyrsa gen-req client01 nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................+++
......................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/client01.key.dOKxCAo7ET'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client01]:
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client01.key
[root@localhost 3]# ./easyrsa sign-req client client01
Note: using Easy-RSA configuration from: ./vars
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request has not been cryptographically
verified. Please be sure it came from a trusted source or that you have verified the request checksum with the
sender.
Request subject, to be signed as a client certificate for 3650 days:
subject=
commonName = client01
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client01'
Certificate is to be certified until Jul 22 16:28:50 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client01.crt
[root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/client01.crt
pki/issued/client01.crt: OK
Build Diffie-Hellman Parameters
# ./easyrsa gen-dh
[root@localhost 3]# ./easyrsa gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
Optional: Generate the CRL
The CRL (Certificate Revocation List) is used to revoke client certificates. If you have
multiple client certificates on your VPN server and want to revoke one of them, you only need
to revoke it with the easy-rsa command and then regenerate the CRL. Note that the server.conf in
Step 4 references crl.pem through 'crl-verify', so gen-crl has to be run at least once before the server is started.
If you want to revoke a certificate, run the commands below.
# ./easyrsa revoke someone
# ./easyrsa gen-crl
[root@localhost 3]# ./easyrsa revoke client02
Note: using Easy-RSA configuration from: ./vars
Please confirm you wish to revoke the certificate with the following subject:
subject=
commonName = client02
Type the word 'yes' to continue, or any other input to abort.
Continue with revocation: yes
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
Revoking Certificate D2A6B677A78A2C506D676D0C0EEFDF5F.
Data Base Updated
IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent
the revoked cert from being accepted.
[root@localhost 3]# ./easyrsa gen-crl
Note: using Easy-RSA configuration from: ./vars
Using configuration from ./openssl-1.0.cnf
Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/3/pki/crl.pem
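The 'Data Base Updated' lines above refer to Easy-RSA's pki/index.txt, the OpenSSL CA database. As an added example (not part of the guide), the Python below parses that file, reports which certificates are valid, expiring, expired or revoked, and lists revocations newer than the last gen-crl run, the gap the 'IMPORTANT!!!' warning is about. The sample index is constructed: the names, client02's serial and the two 2029 expiry times come from the transcript; the other two serials and client02's expiry are made up.

```python
"""Inspect the Easy-RSA certificate database (pki/index.txt).
Added example, not part of the guide; INDEX_TXT is a constructed sample."""
from datetime import datetime, timedelta, timezone

# Constructed pki/index.txt: one tab-separated line per certificate:
# status (V valid, R revoked, E expired), expiry, revocation date (empty
# unless revoked), serial, filename ('unknown'), subject DN.  Names, the
# client02 serial and the two 2029 expiry times come from the transcript;
# the other two serials and client02's expiry are made up.
INDEX_TXT = (
    "V\t290722155028Z\t\tA1B2C3D4E5F60718293A4B5C6D7E8F90\tunknown\t/CN=openvpn-server\n"
    "V\t290722162850Z\t\t0F1E2D3C4B5A69788796A5B4C3D2E1F0\tunknown\t/CN=client01\n"
    "R\t290722163301Z\t190728070102Z\tD2A6B677A78A2C506D676D0C0EEFDF5F\tunknown\t/CN=client02\n"
)


def parse_asn1_time(s):
    """OpenSSL writes UTCTime (YYMMDDHHMMSSZ) or, for dates past 2049,
    GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%Y%m%d%H%M%SZ" if len(s) == 15 else "%y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def cn_from_dn(dn):
    """Pull the CN out of an OpenSSL-style '/C=../O=../CN=..' subject."""
    for part in dn.strip("/").split("/"):
        if part.startswith("CN="):
            return part[3:]
    return dn


def parse_index(text):
    """Return one dict per certificate, in index.txt order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expires, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "expires": parse_asn1_time(expires),
            "revoked": parse_asn1_time(revoked) if revoked else None,
            "serial": serial,
            "cn": cn_from_dn(dn),
        })
    return entries


def report(entries, now, warn_days=30):
    """Map CN -> 'revoked' | 'expired' | 'expiring' | 'valid' as of `now`."""
    states = {}
    for e in entries:
        if e["status"] == "R" or e["revoked"]:
            state = "revoked"
        elif e["expires"] <= now:
            state = "expired"
        elif e["expires"] - now <= timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "valid"
        states[e["cn"]] = state
    return states


def revoked_after_crl(entries, crl_generated):
    """CNs revoked after the CRL was last generated: until gen-crl runs
    again and the new crl.pem is deployed, the server still accepts them."""
    return [e["cn"] for e in entries
            if e["revoked"] and e["revoked"] > crl_generated]


if __name__ == "__main__":
    entries = parse_index(INDEX_TXT)
    now = parse_asn1_time("190728073000Z")
    for cn, state in report(entries, now).items():
        print("%-15s %s" % (cn, state))
    print("revoked after last CRL:", revoked_after_crl(entries, now - timedelta(hours=1)))
```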
Copy Certificate Files
All certificates have been generated, now copy the certificate files and PEM files.
Copy Server Key and Certificate.
# cp pki/ca.crt /etc/openvpn/server/
# cp pki/issued/openvpn-server.crt /etc/openvpn/server/
# cp pki/private/openvpn-server.key /etc/openvpn/server/
Copy client01 Key and Certificate.
# cp pki/ca.crt /etc/openvpn/client/
# cp pki/issued/client01.crt /etc/openvpn/client/
# cp pki/private/client01.key /etc/openvpn/client/
Copy the DH parameters and the CRL.
# cp pki/dh.pem /etc/openvpn/server/
# cp pki/crl.pem /etc/openvpn/server/
Step 4 - Configure OpenVPN
In this step, we will create a new configuration file 'server.conf' for the OpenVPN server.
Go to the '/etc/openvpn/' directory and create the new configuration file 'server.conf' using vim.
# cd /etc/openvpn/
# vim server.conf
# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun
# OpenVPN Server Certificate - CA, server key and certificate (the files copied in the previous step)
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openvpn-server.crt
key /etc/openvpn/server/openvpn-server.key
# DH parameters and CRL
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem # reject clients whose certificate has been revoked
# Network Configuration - Internal network which is assigned when connected to OpenVPN
server 20.20.20.0 255.255.255.0 # we have assigned the 20.20.20.0/24 subnet as the client address range
# Redirect all client traffic through the OpenVPN server
push "redirect-gateway def1"
# Use Google's DNS servers
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# Allow multiple clients to connect with the same certificate and key
duplicate-cn
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3
Save and exit.
The configuration for OpenVPN has been created.
Step 5 - Enable IP Forwarding
In this step, we will enable IP forwarding in the kernel so the server can route client traffic.
Enable it by running the following commands.
# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# sysctl -p
Starting & Stopping the Service
Start the openvpn service and enable it to launch automatically at every system boot.
Note: the name of the .conf file you created in Step 4 determines the service instance, i.e. if you create
test.conf you have to start it with systemctl start openvpn@test
# systemctl start openvpn@server
# systemctl enable openvpn@server
[root@localhost ~]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2019-07-28 06:15:20 +0545; 29s ago
Main PID: 6840 (openvpn)
Status: "Initialization Sequence Completed"
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─6840 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf
Jul 28 06:15:19 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati...r...
Jul 28 06:15:20 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio...ver.
Hint: Some lines were ellipsized, use -l to show in full.
Logs while starting the server
Sun Jul 28 06:47:45 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO]
[LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Jul 28 06:47:45 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Sun Jul 28 06:47:45 2019 Diffie-Hellman initialized with 2048 bit key
Sun Jul 28 06:47:45 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:50:56:3e:36:15
Sun Jul 28 06:47:45 2019 TUN/TAP device tun0 opened
Sun Jul 28 06:47:45 2019 TUN/TAP TX queue length set to 100
Sun Jul 28 06:47:45 2019 /sbin/ip link set dev tun0 up mtu 1500
Sun Jul 28 06:47:45 2019 /sbin/ip addr add dev tun0 local 20.20.20.1 peer 20.20.20.2
Sun Jul 28 06:47:45 2019 /sbin/ip route add 20.20.20.0/24 via 20.20.20.2
Sun Jul 28 06:47:45 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jul 28 06:47:45 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 28 06:47:45 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Sun Jul 28 06:47:45 2019 UDPv4 link remote: [AF_UNSPEC]
Sun Jul 28 06:47:45 2019 GID set to nobody
Sun Jul 28 06:47:45 2019 UID set to nobody
Sun Jul 28 06:47:45 2019 MULTI: multi_init called, r=256 v=256
Sun Jul 28 06:47:45 2019 IFCONFIG POOL: base=20.20.20.4 size=62, ipv6=0
Sun Jul 28 06:47:45 2019 Initialization Sequence Completed
Client Configuration
Linux
Copy the files from the server's /etc/openvpn/client directory to the client machine 192.168.132.20:
ca.crt, client01.crt, client01.key
# vi client01.ovpn
Start the OpenVPN client using
# openvpn --config client01.ovpn
To run it in the background, simply append &, i.e.
# openvpn --config client01.ovpn &
client
dev tun
proto udp
remote 192.168.132.21 1194 # IP of open-vpn server
# enable certificate verification method
remote-cert-tls server
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
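As an added example (not from the guide), here is a small Python audit of the directives in the server.conf from Step 4 and in the client profile above that carry security weight: it flags the settings a reviewer would question, such as duplicate-cn, compression, a missing crl-verify, or a client that does not require 'remote-cert-tls server'. The embedded configs are constructed copies trimmed to the directives the checks look at.

```python
"""Audit the directives this guide's server.conf and client01.ovpn rely on.
Added example, not part of the original guide; SERVER_CONF and CLIENT_CONF
are constructed copies of the configs in the text, trimmed to what the
checks look at."""
import shlex

SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/openvpn-server.crt
key /etc/openvpn/server/openvpn-server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem # reject revoked client certificates
server 20.20.20.0 255.255.255.0
push "redirect-gateway def1"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
comp-lzo yes
user nobody
group nobody
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.132.21 1194 # IP of open-vpn server
remote-cert-tls server
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
compress lzo
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_openvpn_config(text):
    """Map each directive to the list of argument lists it appears with.
    Comment lines (# or ;), trailing # comments and the bodies of inline
    <ca>/<cert>/<key> blocks are skipped."""
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inline_tag:
            if line == "</%s>" % inline_tag:
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
            directives.setdefault(inline_tag, []).append(["<inline>"])
            continue
        words = shlex.split(line, comments=True)
        if words:
            directives.setdefault(words[0], []).append(words[1:])
    return directives


def audit(text, role):
    """Return (severity, code, message) findings for a 'server' or 'client'
    config.  Only settings the guide itself touches are checked."""
    cfg = parse_openvpn_config(text)

    def first(name, default=None):
        args = cfg.get(name, [[]])[0]
        return args[0] if args else default

    findings = []
    ver = first("tls-version-min")
    if ver is None or float(ver) < 1.2:
        findings.append(("HIGH", "tls-version-min", "control channel may negotiate TLS below 1.2"))
    if first("cipher", "").upper() in WEAK_CIPHERS:
        findings.append(("HIGH", "cipher", "weak data-channel cipher %s" % first("cipher")))
    if first("auth", "SHA1").upper() in WEAK_AUTH:      # OpenVPN's default auth is SHA1
        findings.append(("MEDIUM", "auth", "HMAC is %s; use SHA256 or stronger" % first("auth", "SHA1")))
    if "comp-lzo" in cfg or "compress" in cfg:
        findings.append(("MEDIUM", "compression", "compression of tunnelled traffic is enabled; disable it"))
    if role == "server":
        if "crl-verify" not in cfg:
            findings.append(("HIGH", "crl-verify", "no CRL: revoked client certificates are still accepted"))
        if "duplicate-cn" in cfg:
            findings.append(("MEDIUM", "duplicate-cn",
                             "one certificate may serve many clients; per-client revocation and accountability are lost"))
        if "user" not in cfg or "group" not in cfg:
            findings.append(("LOW", "privileges", "daemon keeps root after start-up; add 'user nobody' and 'group nobody'"))
    elif first("remote-cert-tls") != "server":
        findings.append(("HIGH", "remote-cert-tls",
                         "server EKU is not checked: any certificate issued by the CA would be accepted as the server"))
    return findings


if __name__ == "__main__":
    for role, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for sev, code, msg in audit(conf, role):
            print("%-7s %-6s %-16s %s" % (role, sev, code, msg))
```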
Client logs while connecting to open-vpn server
[root@localhost client]# openvpn --config client01.ovpn
Sun Jul 28 13:22:57 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Jul 28 13:22:57 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Sun Jul 28 13:22:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194
Sun Jul 28 13:22:57 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jul 28 13:22:57 2019 UDP link local: (not bound)
Sun Jul 28 13:22:57 2019 UDP link remote: [AF_INET]192.168.132.21:1194
Sun Jul 28 13:22:57 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=61588936 583f6808
Sun Jul 28 13:22:57 2019 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 13:22:57 2019 VERIFY KU OK
Sun Jul 28 13:22:57 2019 Validating certificate extended key usage
Sun Jul 28 13:22:57 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 28 13:22:57 2019 VERIFY EKU OK
Sun Jul 28 13:22:57 2019 VERIFY OK: depth=0, CN=f1soft.com
Sun Jul 28 13:22:57 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 13:22:57 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194
Sun Jul 28 13:22:59 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1)
Sun Jul 28 13:22:59 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM'
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: route options modified
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: peer-id set
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: data channel crypto options modified
Sun Jul 28 13:22:59 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 13:22:59 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 13:22:59 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 13:22:59 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:0c:29:47:82:03
Sun Jul 28 13:22:59 2019 TUN/TAP device tun0 opened
Sun Jul 28 13:22:59 2019 TUN/TAP TX queue length set to 100
Sun Jul 28 13:22:59 2019 /sbin/ip link set dev tun0 up mtu 1500
Sun Jul 28 13:22:59 2019 /sbin/ip addr add dev tun0 local 20.20.20.6 peer 20.20.20.5
Sun Jul 28 13:22:59 2019 /sbin/ip route add 192.168.132.21/32 dev ens33
Sun Jul 28 13:22:59 2019 /sbin/ip route add 0.0.0.0/1 via 20.20.20.5
Sun Jul 28 13:22:59 2019 /sbin/ip route add 128.0.0.0/1 via 20.20.20.5
Sun Jul 28 13:22:59 2019 /sbin/ip route add 20.20.20.1/32 via 20.20.20.5
Sun Jul 28 13:22:59 2019 Initialization Sequence Completed
Server logs while the Linux client connects
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 TLS: Initial packet from [AF_INET]192.168.132.20:50282, sid=229911de 9b6d7502
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=0, CN=f1soft
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_VER=2.4.7
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PLAT=linux
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PROTO=2
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_NCP=2
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4v2=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZO=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUB=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUBv2=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_TCPNL=1
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 06:55:55 2019 192.168.132.20:50282 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.20:50282
Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI_sva: pool returned IPv4=20.20.20.10, IPv6=(Not enabled)
Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: Learn: 20.20.20.10 -> f1soft/192.168.132.20:50282
Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: primary virtual IP for f1soft/192.168.132.20:50282: 20.20.20.10
Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.10 20.20.20.9,peer-id 1,cipher AES-256-GCM' (status=1)
Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Windows
Download the OpenVPN GUI from https://openvpn.net/community-downloads/
Create a file named client01.ovpn
client
dev tun
proto udp
remote 192.168.132.21 1194 # IP of open-vpn server
# enable certificate verification method
remote-cert-tls server
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
mute-replay-warnings
verb 3
# Paste the contents of ca.crt between the <ca> tags, client01.crt between <cert> and client01.key between <key>;
# these inline blocks take the place of the ca/cert/key file directives above
<ca>
</ca>
<cert>
</cert>
<key>
</key>
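Building that inline profile by hand is where a stray '</key' slips in, so here is an added Python example (not part of the guide) that assembles the profile from client01.ovpn and the three PEM files, replaces the ca/cert/key file directives with inline blocks, and checks that every block is closed. The PEM bodies are constructed stand-ins, not real certificates.

```python
"""Build an inline client profile (the <ca>/<cert>/<key> form used for the
Windows client) and check that every inline block is closed.  Added
example, not part of the guide; the PEM bodies are constructed stand-ins."""
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:.+\n)+?-----END \1-----$")
KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed: the file-based client profile from the Linux section, trimmed.
CLIENT_CONF = """\
client
dev tun
proto udp
remote 192.168.132.21 1194
remote-cert-tls server
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
"""

# Constructed stand-ins for ca.crt, client01.crt and client01.key.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleCAcertificate=\n-----END CERTIFICATE-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBsampleclient01cert=\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIEsampleclient01key==\n-----END PRIVATE KEY-----\n"


def check_pem(text, allowed_types):
    """Return the PEM with LF line endings and one trailing newline, or
    raise if it is not a single PEM object of an allowed type."""
    body = text.replace("\r\n", "\n").strip()
    m = PEM_RE.match(body)
    if not m or m.group(1) not in allowed_types:
        raise ValueError("expected a PEM block of type %s" % sorted(allowed_types))
    return body + "\n"


def make_inline_profile(config, ca_pem, cert_pem, key_pem):
    """Replace the 'ca/cert/key <file>' directives with inline blocks so the
    profile is one self-contained .ovpn file."""
    kept = [line for line in config.splitlines()
            if line.split()[:1] not in (["ca"], ["cert"], ["key"])]
    profile = "\n".join(kept).rstrip("\n") + "\n"
    for tag, pem, types in (("ca", ca_pem, {"CERTIFICATE"}),
                            ("cert", cert_pem, {"CERTIFICATE"}),
                            ("key", key_pem, KEY_TYPES)):
        profile += "<%s>\n%s</%s>\n" % (tag, check_pem(pem, types), tag)
    return profile


def inline_blocks(profile):
    """Return {tag: body} for every <tag>...</tag> block; raise on a block
    that is never closed (e.g. a '</key' typo), which OpenVPN rejects."""
    blocks, tag, body = {}, None, []
    for line in profile.splitlines():
        s = line.strip()
        if tag is None:
            if s.startswith("<") and s.endswith(">") and not s.startswith("</"):
                tag, body = s[1:-1], []
        elif s == "</%s>" % tag:
            blocks[tag] = "\n".join(body) + "\n"
            tag = None
        else:
            body.append(line)
    if tag is not None:
        raise ValueError("inline block <%s> is never closed" % tag)
    return blocks


def is_well_formed(profile):
    """True when every inline block in the profile is properly closed."""
    try:
        inline_blocks(profile)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(make_inline_profile(CLIENT_CONF, CA_PEM, CERT_PEM, KEY_PEM))
```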
Logs of the client in Windows
Sun Jul 28 13:34:02 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Sun Jul 28 13:34:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jul 28 13:34:02 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Enter Management Password:
Sun Jul 28 13:34:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jul 28 13:34:02 2019 Need hold release from management interface, waiting...
Sun Jul 28 13:34:02 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'state on'
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'log all on'
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'echo all on'
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'bytecount 5'
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold off'
Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold release'
Sun Jul 28 13:34:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194
Sun Jul 28 13:34:02 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Jul 28 13:34:02 2019 UDP link local: (not bound)
Sun Jul 28 13:34:02 2019 UDP link remote: [AF_INET]192.168.132.21:1194
Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,WAIT,,,,,,
Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,AUTH,,,,,,
Sun Jul 28 13:34:02 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=f41be3ac d2ff3b47
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 13:34:02 2019 VERIFY KU OK
Sun Jul 28 13:34:02 2019 Validating certificate extended key usage
Sun Jul 28 13:34:02 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jul 28 13:34:02 2019 VERIFY EKU OK
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=0, CN=f1soft.com
Sun Jul 28 13:34:02 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 13:34:02 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194
Sun Jul 28 13:34:03 2019 MANAGEMENT: >STATE:1564300143,GET_CONFIG,,,,,,
Sun Jul 28 13:34:03 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1)
Sun Jul 28 13:34:03 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM'
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: route options modified
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: peer-id set
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: data channel crypto options modified
Sun Jul 28 13:34:03 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 13:34:03 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 13:34:03 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 13:34:03 2019 interactive service msg_channel=604
Sun Jul 28 13:34:03 2019 ROUTE_GATEWAY 10.20.222.1/255.255.255.0 I=14 HWADDR=28:d2:44:71:04:ef
Sun Jul 28 13:34:03 2019 open_tun
Sun Jul 28 13:34:03 2019 TAP-WIN32 device [Ethernet 2] opened: .Global{D4A1E2D0-2F5A-4E79-B928-
04BB0AF5D34F}.tap
Sun Jul 28 13:34:03 2019 TAP-Windows Driver Version 9.23
Sun Jul 28 13:34:03 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of
20.20.20.6/255.255.255.252 on interface {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F} [DHCP-serv:
20.20.20.5, lease-time: 31536000]
Sun Jul 28 13:34:03 2019 Successful ARP Flush on interface [27] {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F}
Sun Jul 28 13:34:04 2019 MANAGEMENT: >STATE:1564300144,ASSIGN_IP,,20.20.20.6,,,,
Sun Jul 28 13:34:09 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 192.168.132.21 MASK 255.255.255.255
10.20.222.1
Sun Jul 28 13:34:09 2019 Route addition via service succeeded
Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 20.20.20.5
Sun Jul 28 13:34:09 2019 Route addition via service succeeded
Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 20.20.20.5
Sun Jul 28 13:34:09 2019 Route addition via service succeeded
Sun Jul 28 13:34:09 2019 MANAGEMENT: >STATE:1564300149,ADD_ROUTES,,,,,,
Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 20.20.20.1 MASK 255.255.255.255
20.20.20.5
Sun Jul 28 13:34:09 2019 Route addition via service succeeded
Sun Jul 28 13:34:09 2019 Initialization Sequence Completed
Sun Jul 28 13:34:09 2019 MANAGEMENT:
>STATE:1564300149,CONNECTED,SUCCESS,20.20.20.6,192.168.132.21,1194,,
17. Server logs while a client connects to the OpenVPN server
Sun Jul 28 07:09:36 2019 192.168.132.1:58348 TLS: Initial packet from [AF_INET]192.168.132.1:58348, sid=484d086a b6f6f99a
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=0, CN=f1soft
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_VER=2.4.7
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PLAT=win
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PROTO=2
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_NCP=2
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4v2=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZO=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUB=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUBv2=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_TCPNL=1
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_GUI_VER=OpenVPN_GUI_11
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 07:09:42 2019 192.168.132.1:58348 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.1:58348
Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI_sva: pool returned IPv4=20.20.20.6, IPv6=(Not enabled)
Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: Learn: 20.20.20.6 -> f1soft/192.168.132.1:58348
Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: primary virtual IP for f1soft/192.168.132.1:58348: 20.20.20.6
Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 PUSH: Received control message: 'PUSH_REQUEST'
Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
18. Problems you may face
1) No server certificate verification method has been enabled.
Add the following line to your client configuration (without it the client only checks that the server certificate was signed by the CA, and the key-usage checks shown in the client log above, VERIFY KU OK and VERIFY EKU OK, are skipped):
remote-cert-tls server
2) VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Set the correct date and time on both the client and the server systems; this is a certificate validity check failing because of clock skew and has nothing to do with OpenVPN itself or this script.
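To make the client log in section 16 and the two failure modes in this section checkable rather than eyeballed, the following is an added example (not code from the original slides): a small parser that walks OpenVPN client log lines and reports whether the CA and server certificate both passed VERIFY OK, whether the EKU check ran (the symptom of a missing remote-cert-tls server), whether the control channel negotiated TLS 1.2 or newer and the data channel an AEAD cipher, whether a validity-window error such as "certificate is not yet valid" appeared, and whether the session reached "Initialization Sequence Completed". The three sample logs are constructed from the line formats shown on this page; CNs, timestamps and the WARNING and TLS Error wording follow OpenVPN 2.4 output but are illustrative.

```python
"""Check an OpenVPN client log for the verification milestones shown above.

Added example, not code from the original slides. Sample logs below are
constructed from the page's log formats; names and timestamps are illustrative.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Milestones as OpenVPN 2.4 prints them. Searching (not anchoring) skips the
# timestamp and, in server logs, the "addr:port" prefix.
VERIFY_OK = re.compile(r"VERIFY OK: depth=(\d+), CN=(\S+)")
VERIFY_ERR = re.compile(r"VERIFY ERROR: (.+)")
VERIFY_EKU = re.compile(r"VERIFY EKU OK")
CONTROL = re.compile(r"Control Channel: (.+)")
DATA_CIPHER = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")
NO_VERIFY = re.compile(r"No server certificate verification method has been enabled")
COMPLETED = re.compile(r"Initialization Sequence Completed")


@dataclass
class HandshakeReport:
    verified_depths: Set[int] = field(default_factory=set)  # 1 = CA, 0 = peer cert
    eku_ok: bool = False
    control_channel: Optional[str] = None
    data_cipher: Optional[str] = None
    completed: bool = False
    no_verify_warning: bool = False
    verify_errors: List[str] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Findings a reviewer of this log would raise; empty list means clean."""
        out: List[str] = []
        for err in self.verify_errors:
            if "not yet valid" in err or "has expired" in err:
                out.append("certificate validity rejected (%s): set the correct "
                           "clock on client and server" % err)
            else:
                out.append("certificate verification failed: " + err)
        # EKU is only checked when remote-cert-tls is set; judge it only on a
        # handshake that actually completed, otherwise the check never ran.
        if self.no_verify_warning or (self.completed and not self.eku_ok):
            out.append("server certificate EKU was not checked: add "
                       "'remote-cert-tls server' to the client configuration")
        missing = {0, 1} - self.verified_depths
        if missing:
            out.append("chain not fully verified, no VERIFY OK at depth(s) %s"
                       % sorted(missing))
        if self.control_channel and not re.search(r"TLSv1\.[23]", self.control_channel):
            out.append("control channel below TLS 1.2: " + self.control_channel)
        if self.data_cipher and not re.search(r"GCM|CHACHA20-POLY1305", self.data_cipher):
            out.append("data channel cipher is not AEAD: " + self.data_cipher)
        if not self.completed:
            out.append("tunnel never reached 'Initialization Sequence Completed'")
        return out


def parse_openvpn_log(lines: Iterable[str]) -> HandshakeReport:
    """Walk the log once and record which milestones were reached."""
    r = HandshakeReport()
    for line in lines:
        m = VERIFY_OK.search(line)
        if m:
            r.verified_depths.add(int(m.group(1)))
        m = VERIFY_ERR.search(line)
        if m:
            r.verify_errors.append(m.group(1).strip())
        if VERIFY_EKU.search(line):
            r.eku_ok = True
        if NO_VERIFY.search(line):
            r.no_verify_warning = True
        if COMPLETED.search(line):
            r.completed = True
        m = CONTROL.search(line)
        if m:
            r.control_channel = m.group(1).strip()
        m = DATA_CIPHER.search(line)
        if m:
            r.data_cipher = m.group(1)
    return r


# Constructed samples, condensed from the client log format shown above.
GOOD_CLIENT_LOG = """\
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 13:34:02 2019 VERIFY KU OK
Sun Jul 28 13:34:02 2019 VERIFY EKU OK
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=0, CN=f1soft.com
Sun Jul 28 13:34:02 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 13:34:03 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 13:34:09 2019 Initialization Sequence Completed
"""
# Same session without remote-cert-tls: warning at startup, no KU/EKU lines.
NO_EKU_CLIENT_LOG = """\
Sun Jul 28 13:34:01 2019 WARNING: No server certificate verification method has been enabled.
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=1, CN=f1soft.com
Sun Jul 28 13:34:02 2019 VERIFY OK: depth=0, CN=f1soft.com
Sun Jul 28 13:34:02 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Jul 28 13:34:03 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 13:34:09 2019 Initialization Sequence Completed
"""
# Clock skew: the CA certificate is rejected before the server cert is seen.
CLOCK_SKEW_CLIENT_LOG = """\
Sun Jul 28 13:34:02 2019 VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe
Sun Jul 28 13:34:02 2019 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in [("good", GOOD_CLIENT_LOG), ("no-eku", NO_EKU_CLIENT_LOG),
                      ("clock-skew", CLOCK_SKEW_CLIENT_LOG)]:
        print(name, parse_openvpn_log(log.splitlines()).problems() or ["clean"])
```

Run against the page's full client log the report comes back clean; run against the server log it reports that no EKU check appears, which is accurate for that side too, since the server only checks the client certificate's purpose when its own configuration carries remote-cert-tls client.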