SlideShare a Scribd company logo

Open-VPN Server

M
Manish Kc

The document describes the steps to set up an OpenVPN server with Easy-RSA on a Linux system. It involves: 1. Installing OpenVPN and Easy-RSA packages and configuring Easy-RSA parameters and keys like CA, server, client, DH. 2. Generating certificates and keys for the OpenVPN server and client. 3. Configuring the OpenVPN server file with settings for port, protocol, network, authentication and other parameters. 4. Enabling port forwarding, starting the OpenVPN service, and verifying logs as the service starts.

Engineering
1 of 18
Download to read offline
Open VPN Scenario Server IP Address  192.168.132.21 Client IP Address  192.168.132.20 Step 1 - Install OpenVPN and Easy-RSA Install OpenVPN & easy-rsa on the server. # yum install epel-release openvpn easy-rsa –y Step 2 - Configure Easy-RSA 3 In this step, we will will configure easy-rsa by creating new 'vars' file. The 'vars' file contains the Easy-RSA settings. Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' script. # cd /etc/openvpn/ # cp -r /usr/share/easy-rsa /etc/openvpn/ # cd /etc/openvpn/easy-rsa/3/ We will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs. # vim vars # chmod +x vars # cd /etc/openvpn/easy-rsa/3/ export KEY_COUNTRY="NP" export KEY_PROVINCE="KTM" export KEY_CITY="Kathmandu" export KEY_ORG="F1soft" export KEY_EMAIL="manish.kc@f1soft.com" export KEY_EMAIL=manish.kc@f1soft.com export KEY_CN=f1soft export KEY_NAME="f1soft" export KEY_OU="f1soft"
Step 3 - Build OpenVPN Keys We will build the OpenVPN keys based on the easy-rsa 'vars' file that we've created. We will build the CA key, Server and Client keys, DH and CRL PEM file. We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/3' directory. # cd /etc/openvpn/easy-rsa/3/ Initialization and Build CA # ./easyrsa init-pki # ./easyrsa build-ca [root@localhost 3]# ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki [root@localhost 3]# ./easyrsa build-ca Generating a 2048 bit RSA private key ..........+++ ...................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.h5pdSfY8qR' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/3/pki/ca.crt
Build key for Server # ./easyrsa gen-req openvpn-server nopass # ./easyrsa sign-req server openvpn-server # openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt [root@localhost 3]# ./easyrsa gen-req openvpn-server nopass Generating a 2048 bit RSA private key ........................................................................+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/openvpn server.key.vzztQHFiy7' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blank For some fields there will be a default value,If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [openvpn-server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3/pki/reqs/openvpn-server.req key: /etc/openvpn/easy-rsa/3/pki/private/openvpn-server.key [root@localhost 3]# ./easyrsa sign-req server openvpn-server You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = openvpn-server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:' openvpn-server ' Certificate is to be certified until Jul 22 15:50:28 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/openvpn-server.crt [root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt pki/issued/openvpn-server.crt: OK
Build key for Client # ./easyrsa gen-req client01 nopass # ./easyrsa sign-req client client01 # openssl verify -CAfile pki/ca.crt pki/issued/client01.crt [root@localhost 3]# ./easyrsa gen-req client01 nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key .......................+++ ......................+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/client01.key.dOKxCAo7ET' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client01]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3/pki/reqs/client01.req key: /etc/openvpn/easy-rsa/3/pki/private/client01.key [root@localhost 3]# ./easyrsa sign-req client client01 Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = client01 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client01' Certificate is to be certified until Jul 22 16:28:50 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client01.crt [root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/client01.crt pki/issued/client01.crt: OK
Build Diffie-Hellman Key # ./easyrsa gen-dh [root@localhost 3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ................................................................................................................................................................................... .+.....................+................................................................+.....................................................................................+ ......................................................................+........................................................................................................... ...............................................................................+.................................................................................................. ................................................................................................................................................................................... .................................+.........................+......................................................................................................+....+....... .+.......................................................................................................................+.........................+............................ ..........................................................................................................................................+...................................+.. .................+.......................................................+....................................+...................+............................................ ................+..........................................................................................................................................................+..... .......................................................................+..........................................+.............................................................. ...........+.............................................................................................................................................................+....... ................................................+................................................................................................................................. ...........................................................................................................+...................................................................... .............................................+...................................................................................................................+............... .......+.......................................................................................................................................................................... ............................................+..................................................................................................................................... .....+................+..................................................+...................................................+....+...+...................................... ..........................................................................................+....................................................................................... ....+............................................................................................................................................................................. ...................................................+.................................................................................+........................................... ...............................+...........+...................... ...........+........................+..................................++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
Optional: Generate the CRL Key The CRL (Certificate Revoking List) key will be used for revoking the client key. If you have multiple client certificates on your vpn server, and you want to revoke some key, you just need to revoke using the easy-rsa command. If you want to revoke some key, run the command as below. # ./easyrsa revoke someone # ./easyrsa gen-crl [root@localhost 3]# ./easyrsa revoke client02 Note: using Easy-RSA configuration from: ./vars Please confirm you wish to revoke the certificate with the following subject: subject= commonName = client02 Type the word 'yes' to continue, or any other input to abort. Continue with revocation: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Revoking Certificate D2A6B677A78A2C506D676D0C0EEFDF5F. Data Base Updated IMPORTANT!!! Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent the revoked cert from being accepted. [root@localhost 3]# ./easyrsa gen-crl Note: using Easy-RSA configuration from: ./vars Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/3/pki/crl.pem
Copy Certificates Files All certificates have been generated, now copy the certificate files and PEM files. Copy Server Key and Certificate. # cp pki/ca.crt /etc/openvpn/server/ # cp pki/issued/openvpn-server.crt /etc/openvpn/server/ # cp pki/private/openvpn-server.key /etc/openvpn/server/ Copy client01 Key and Certificate. # cp pki/ca.crt /etc/openvpn/client/ # cp pki/issued/client01.crt /etc/openvpn/client/ # cp pki/private/client01.key /etc/openvpn/client/ Copy DH and CRL Key. # cp pki/dh.pem /etc/openvpn/server/ # cp pki/crl.pem /etc/openvpn/server/
Step 4 - Configure OpenVPN # OpenVPN Port, Protocol and the Tun port 1194 proto udp dev tun # OpenVPN Server Certificate - CA, server key and certificate ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/f1soft.crt key /etc/openvpn/server/f1soft.key #DH and CRL key dh /etc/openvpn/server/dh.pem crl-verify /etc/openvpn/server/crl.pem # To revoke someone permission # Network Configuration - Internal network which is assigned when connected to open-vpn server 20.20.20.0 255.255.255.0 # we have assigned 20.20.20.0/24 subnet Network Range for client # Redirect all Connection through open-vpn Server push "redirect-gateway def1" # Using the DNS of Google Server push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" # Enable multiple client to connect with same Certificate key duplicate-cn # TLS Security cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA- WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other Configuration keepalive 20 60 persist-key persist-tun comp-lzo yes daemon user nobody group nobody # OpenVPN Log log-append /var/log/openvpn.log verb 3
In this step, we will create new configuration 'server.conf' for the openvpn server. Go to the '/etc/openvpn/' directory and create new configuration file 'server.conf' using vi. # cd /etc/openvpn/ # vim server.conf Save and exit. The configuration for OpenVPN has been created. Step 5 - Enable Port-Forwarding In this step, we will enable Port-forwarding kernel module. Enable the port-forwarding kernel module by running following commands. # echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf # sysctl –p Starting & Stopping the Service Start the openvpn service and enable it to launch automatically everytime at system boot. Note: what name.conf you create at step 4 will be the service i.e. if you create test.conf the you have to start using systemctl start openvpn@test # systemctl start openvpn@server # systemctl enable openvpn@server [root@localhost ~]# systemctl status openvpn@server ● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2019-07-28 06:15:20 +0545; 29s ago Main PID: 6840 (openvpn) Status: "Initialization Sequence Completed" CGroup: /system.slice/system-openvpn.slice/openvpn@server.service └─6840 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf Jul 28 06:15:19 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati...r...Jul 28 06:15:20 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio...ver.Hint: Some lines were ellipsized, use -l to show in full.
Logs while starting the server Sun Jul 28 06:47:45 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Sun Jul 28 06:47:45 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Sun Jul 28 06:47:45 2019 Diffie-Hellman initialized with 2048 bit key Sun Jul 28 06:47:45 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:50:56:3e:36:15 Sun Jul 28 06:47:45 2019 TUN/TAP device tun0 opened Sun Jul 28 06:47:45 2019 TUN/TAP TX queue length set to 100 Sun Jul 28 06:47:45 2019 /sbin/ip link set dev tun0 up mtu 1500 Sun Jul 28 06:47:45 2019 /sbin/ip addr add dev tun0 local 20.20.20.1 peer 20.20.20.2 Sun Jul 28 06:47:45 2019 /sbin/ip route add 20.20.20.0/24 via 20.20.20.2 Sun Jul 28 06:47:45 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET Sun Jul 28 06:47:45 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Jul 28 06:47:45 2019 UDPv4 link local (bound): [AF_INET][undef]:1194 Sun Jul 28 06:47:45 2019 UDPv4 link remote: [AF_UNSPEC] Sun Jul 28 06:47:45 2019 GID set to nobody Sun Jul 28 06:47:45 2019 UID set to nobody Sun Jul 28 06:47:45 2019 MULTI: multi_init called, r=256 v=256 Sun Jul 28 06:47:45 2019 IFCONFIG POOL: base=20.20.20.4 size=62, ipv6=0 Sun Jul 28 06:47:45 2019 Initialization Sequence Completed
Client Configuration Linux Copy the files from the Server /etc/openvpn/client to client server 192.168.132.120 ca .crt, client01.crt, client01.key # vi client01.opvn Start open-vpn client using # openvpn --config client01.opvn To run in background simply add & i.e. # openvpn --config client01.opvn & Client dev tun proto udp remote 192.168.132.21 1194 # IP of open-vpn server # enable certificate verification method remote-cert-tls server ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC- SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3
Client logs while connecting to open-vpn server root@localhost client]# openvpn --config client01.ovpn Sun Jul 28 13:22:57 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Sun Jul 28 13:22:57 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Sun Jul 28 13:22:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:57 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Jul 28 13:22:57 2019 UDP link local: (not bound) Sun Jul 28 13:22:57 2019 UDP link remote: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:57 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=61588936 583f6808 Sun Jul 28 13:22:57 2019 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 13:22:57 2019 VERIFY KU OK Sun Jul 28 13:22:57 2019 Validating certificate extended key usage Sun Jul 28 13:22:57 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 28 13:22:57 2019 VERIFY EKU OK Sun Jul 28 13:22:57 2019 VERIFY OK: depth=0, CN=f1soft.com Sun Jul 28 13:22:57 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM- SHA384, 2048 bit RSA Sun Jul 28 13:22:57 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:59 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1) Sun Jul 28 13:22:59 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp- option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: timers and/or timeouts modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ifconfig/up options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: route options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: peer-id set Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: data channel crypto options modified Sun Jul 28 13:22:59 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jul 28 13:22:59 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:22:59 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:22:59 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:0c:29:47:82:03 Sun Jul 28 13:22:59 2019 TUN/TAP device tun0 opened Sun Jul 28 13:22:59 2019 TUN/TAP TX queue length set to 100 Sun Jul 28 13:22:59 2019 /sbin/ip link set dev tun0 up mtu 1500 Sun Jul 28 13:22:59 2019 /sbin/ip addr add dev tun0 local 20.20.20.6 peer 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 192.168.132.21/32 dev ens33 Sun Jul 28 13:22:59 2019 /sbin/ip route add 0.0.0.0/1 via 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 128.0.0.0/1 via 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 20.20.20.1/32 via 20.20.20.5 Sun Jul 28 13:22:59 2019 Initialization Sequence Completed
Server logs while connecting to open-vpn server Sun Jul 28 06:55:55 2019 192.168.132.20:50282 TLS: Initial packet from [AF_INET]192.168.132.20:50282, sid=229911de 9b6d7502 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=0, CN=f1soft Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_VER=2.4.7 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PLAT=linux Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PROTO=2 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_NCP=2 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4v2=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZO=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUB=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUBv2=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_TCPNL=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA- AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 06:55:55 2019 192.168.132.20:50282 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.20:50282 Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI_sva: pool returned IPv4=20.20.20.10, IPv6=(Not enabled) Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: Learn: 20.20.20.10 -> f1soft/192.168.132.20:50282 Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: primary virtual IP for f1soft/192.168.132.20:50282: 20.20.20.10 Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 PUSH: Received control message: 'PUSH_REQUEST' Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect- gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.10 20.20.20.9,peer-id 1,cipher AES-256-GCM' (status=1) Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Data Channel: using negotiated cipher 'AES-256- GCM' Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Windows Download open-vpn gui from https://openvpn.net/community-downloads/ Create a file named client01.ovpn Client dev tun proto udp remote 192.168.132.21 1194 # IP of open-vpn server # enable certificate verification method remote-cert-tls server ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC- SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3 #Use the filename ca.crt under ca, client.01.crt under cert, client01.key under key <ca> </ca> <cert> </cert> <key> </key
Logs of client in windows Sun Jul 28 13:34:02 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019 Sun Jul 28 13:34:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit Sun Jul 28 13:34:02 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10 Enter Management Password: Sun Jul 28 13:34:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340 Sun Jul 28 13:34:02 2019 Need hold release from management interface, waiting... Sun Jul 28 13:34:02 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340 Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'state on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'log all on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'echo all on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'bytecount 5' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold off' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold release' Sun Jul 28 13:34:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:02 2019 Socket Buffers: R=[65536->65536] S=[65536->65536] Sun Jul 28 13:34:02 2019 UDP link local: (not bound) Sun Jul 28 13:34:02 2019 UDP link remote: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,WAIT,,,,,, Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,AUTH,,,,,, Sun Jul 28 13:34:02 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=f41be3ac d2ff3b47 Sun Jul 28 13:34:02 2019 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 13:34:02 2019 VERIFY KU OK Sun Jul 28 13:34:02 2019 Validating certificate extended key usage Sun Jul 28 13:34:02 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 28 13:34:02 2019 VERIFY EKU OK Sun Jul 28 13:34:02 2019 VERIFY OK: depth=0, CN=f1soft.com Sun Jul 28 13:34:02 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 13:34:02 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:03 2019 MANAGEMENT: >STATE:1564300143,GET_CONFIG,,,,,, Sun Jul 28 13:34:03 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1) Sun Jul 28 13:34:03 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp- option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: timers and/or timeouts modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ifconfig/up options modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: route options modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedSun Jul 28 13:34:03 2019 OPTIONS IMPORT: peer-id set Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: data channel crypto options modified Sun Jul 28 13:34:03 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Jul 28 13:34:03 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:34:03 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:34:03 2019 interactive service msg_channel=604 Sun Jul 28 13:34:03 2019 ROUTE_GATEWAY 10.20.222.1/255.255.255.0 I=14 HWADDR=28:d2:44:71:04:ef Sun Jul 28 13:34:03 2019 open_tun Sun Jul 28 13:34:03 2019 TAP-WIN32 device [Ethernet 2] opened: .Global{D4A1E2D0-2F5A-4E79-B928- 04BB0AF5D34F}.tap Sun Jul 28 13:34:03 2019 TAP-Windows Driver Version 9.23 Sun Jul 28 13:34:03 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 20.20.20.6/255.255.255.252 on interface {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F} [DHCP-serv: 20.20.20.5, lease-time: 31536000] Sun Jul 28 13:34:03 2019 Successful ARP Flush on interface [27] {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F} Sun Jul 28 13:34:04 2019 MANAGEMENT: >STATE:1564300144,ASSIGN_IP,,20.20.20.6,,,, Sun Jul 28 13:34:09 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 192.168.132.21 MASK 255.255.255.255 10.20.222.1 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 MANAGEMENT: >STATE:1564300149,ADD_ROUTES,,,,,, Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 20.20.20.1 MASK 255.255.255.255 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 Initialization Sequence Completed Sun Jul 28 13:34:09 2019 MANAGEMENT: >STATE:1564300149,CONNECTED,SUCCESS,20.20.20.6,192.168.132.21,1194,,
Server logs while connecting to open-vpn server Sun Jul 28 07:09:36 2019 192.168.132.1:58348 TLS: Initial packet from [AF_INET]192.168.132.1:58348, sid=484d086a b6f6f99a Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=0, CN=f1soft Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_VER=2.4.7 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PLAT=win Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PROTO=2 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_NCP=2 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4v2=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZO=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUB=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUBv2=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_TCPNL=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_GUI_VER=OpenVPN_GUI_11 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA- AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 07:09:42 2019 192.168.132.1:58348 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.1:58348 Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI_sva: pool returned IPv4=20.20.20.6, IPv6=(Not enabled) Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: Learn: 20.20.20.6 -> f1soft/192.168.132.1:58348 Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: primary virtual IP for f1soft/192.168.132.1:58348: 20.20.20.6 Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 PUSH: Received control message: 'PUSH_REQUEST' Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect- gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' (status=1) Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Problem May Faced 1) No server certificate verification method has been enabled. Add the following line to your client configuration: # remote-cert-tls server 2) VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe Just set the correct time and date in both your client and server systems, it has nothing to do with OpenVPN or this script.

Recommended

Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Chanaka Lasantha
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
kj teoh
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
phanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
phanleson
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
sanjoysanyal
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 

Recommended

Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Configuring apache, php, my sql, ftp, ssl, ip tables phpmyadmin and server mo...
Chanaka Lasantha
 
dns-sec-4-slides
dns-sec-4-slidesdns-sec-4-slides
dns-sec-4-slides
kj teoh
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
APNIC
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
phanleson
 
5.Dns Rpc Nfs 2
5.Dns Rpc Nfs 25.Dns Rpc Nfs 2
5.Dns Rpc Nfs 2
phanleson
 
Content Navigation
Content NavigationContent Navigation
Content Navigation
sanjoysanyal
 
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Deploying New DNSSEC Algorithms (IEPG@IETF93 - July 2015)
Dan York
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
kuchinskaya
 
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
Deploy360 Programme (Internet Society)
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webapp
PROIDEA
 
main
mainmain
main
Omar Faruk Sazib
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
Nina Buchina
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
ICANN
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
Men and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
Static Typing in Vault
Static Typing in VaultStatic Typing in Vault
Static Typing in Vault
GlynnForrest
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
Let's encrypt
Let's encryptLet's encrypt
Let's encrypt
書廷 林
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
RIPE NCC
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Amit Aggarwal
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 
Rhel5
Rhel5Rhel5
Rhel5
Yash Gulati
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 

More Related Content

What's hot

ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
Deploy360 Programme (Internet Society)
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webapp
PROIDEA
 
main
mainmain
main
Omar Faruk Sazib
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
Shumon Huque
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
Nina Buchina
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
ICANN
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
Men and Mice
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
Men and Mice
 
Static Typing in Vault
Static Typing in VaultStatic Typing in Vault
Static Typing in Vault
GlynnForrest
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
Let's encrypt
Let's encryptLet's encrypt
Let's encrypt
書廷 林
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
RIPE NCC
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
Felipe Prado
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
RootedCON
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
Men and Mice
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Amit Aggarwal
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
NGINX, Inc.
 

What's hot (20)

ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
4Developers: Dns vs webapp
4Developers: Dns vs webapp4Developers: Dns vs webapp
4Developers: Dns vs webapp
 
main
mainmain
main
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
DNS-SD Extentions
DNS-SD ExtentionsDNS-SD Extentions
DNS-SD Extentions
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Understanding the DNS & DNSSEC
Understanding the DNS & DNSSECUnderstanding the DNS & DNSSEC
Understanding the DNS & DNSSEC
 
The CAA-Record for increased encryption security
The CAA-Record for increased encryption securityThe CAA-Record for increased encryption security
The CAA-Record for increased encryption security
 
Namespaces for Local Networks
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
 
Windows Server 2016 Webinar
Windows Server 2016 WebinarWindows Server 2016 Webinar
Windows Server 2016 Webinar
 
Static Typing in Vault
Static Typing in VaultStatic Typing in Vault
Static Typing in Vault
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
Let's encrypt
Let's encryptLet's encrypt
Let's encrypt
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]Carlos García - Pentesting Active Directory Forests [rooted2019]
Carlos García - Pentesting Active Directory Forests [rooted2019]
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse ProxyNginx A High Performance Load Balancer, Web Server & Reverse Proxy
Nginx A High Performance Load Balancer, Web Server & Reverse Proxy
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
 
High Availability Content Caching with NGINX
High Availability Content Caching with NGINXHigh Availability Content Caching with NGINX
High Availability Content Caching with NGINX
 

Similar to Open-VPN Server

Rhel5
Rhel5Rhel5
Rhel5
Yash Gulati
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
Andrejs Vorobjovs
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
behrad eslamifar
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
zznate
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
RapidSSLOnline.com
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
zznate
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy
 
Radius
RadiusRadius
Radius
Paras Bhati
 
How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7
VCP Muthukrishna
 
How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04
VEXXHOST Private Cloud
 
Configuration of Self Signed SSL Certificate For CentOS 8
Configuration of Self Signed SSL Certificate For CentOS 8Configuration of Self Signed SSL Certificate For CentOS 8
Configuration of Self Signed SSL Certificate For CentOS 8
Kaan Aslandağ
 
Upgrade ipa to rhel 7
Upgrade ipa to rhel 7Upgrade ipa to rhel 7
Upgrade ipa to rhel 7
Amjad Yaseen
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
CheapSSLsecurity
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)
Marcel Cattaneo
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
Mawardi 12
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
Mawardi 12
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
Max Kleiner
 
Java security
Java securityJava security
Java security
Bart Blommaerts
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
Karri Huhtanen
 

Similar to Open-VPN Server (20)

Rhel5
Rhel5Rhel5
Rhel5
 
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
OTN tour 2015 Experience in implementing SSL between oracle db and oracle cli...
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
 
Radius
RadiusRadius
Radius
 
How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7How To Install and Configure Apache SSL on CentOS 7
How To Install and Configure Apache SSL on CentOS 7
 
How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04How to setup OpenVPN Server and Client on Ubuntu 14.04
How to setup OpenVPN Server and Client on Ubuntu 14.04
 
Configuration of Self Signed SSL Certificate For CentOS 8
Configuration of Self Signed SSL Certificate For CentOS 8Configuration of Self Signed SSL Certificate For CentOS 8
Configuration of Self Signed SSL Certificate For CentOS 8
 
Upgrade ipa to rhel 7
Upgrade ipa to rhel 7Upgrade ipa to rhel 7
Upgrade ipa to rhel 7
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)NGiNX, VHOSTS & SSL (let's encrypt)
NGiNX, VHOSTS & SSL (let's encrypt)
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
 
Install ldap server
Install ldap serverInstall ldap server
Install ldap server
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
Java security
Java securityJava security
Java security
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
 

Recently uploaded

ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
Mukeshwaran Balu
 
A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
nooriasukmaningtyas
 
6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)
ClaraZara1
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
gerogepatton
 
Series of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.pptSeries of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.ppt
PauloRodrigues104553
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
Madan Karki
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
Dr Ramhari Poudyal
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
kandramariana6
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
mamunhossenbd75
 
CSM Cloud Service Management Presentarion
CSM Cloud Service Management PresentarionCSM Cloud Service Management Presentarion
CSM Cloud Service Management Presentarion
rpskprasana
 
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
awadeshbabu
 
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
University of Maribor
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
mahammadsalmanmech
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
SUTEJAS
 
2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt
PuktoonEngr
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
VICTOR MAESTRE RAMIREZ
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
NidhalKahouli2
 
sieving analysis and results interpretation
sieving analysis and results interpretationsieving analysis and results interpretation
sieving analysis and results interpretation
ssuser36d3051
 

Recently uploaded (20)

ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
ACRP 4-09 Risk Assessment Method to Support Modification of Airfield Separat...
 
A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...A review on techniques and modelling methodologies used for checking electrom...
A review on techniques and modelling methodologies used for checking electrom...
 
6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)6th International Conference on Machine Learning & Applications (CMLA 2024)
6th International Conference on Machine Learning & Applications (CMLA 2024)
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
 
Series of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.pptSeries of visio cisco devices Cisco_Icons.ppt
Series of visio cisco devices Cisco_Icons.ppt
 
Manufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptxManufacturing Process of molasses based distillery ppt.pptx
Manufacturing Process of molasses based distillery ppt.pptx
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
 
132/33KV substation case study Presentation
132/33KV substation case study Presentation132/33KV substation case study Presentation
132/33KV substation case study Presentation
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
Heat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation pptHeat Resistant Concrete Presentation ppt
Heat Resistant Concrete Presentation ppt
 
CSM Cloud Service Management Presentarion
CSM Cloud Service Management PresentarionCSM Cloud Service Management Presentarion
CSM Cloud Service Management Presentarion
 
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
[JPP-1] - (JEE 3.0) - Kinematics 1D - 14th May..pdf
 
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...
 
Question paper of renewable energy sources
Question paper of renewable energy sourcesQuestion paper of renewable energy sources
Question paper of renewable energy sources
 
Understanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine LearningUnderstanding Inductive Bias in Machine Learning
Understanding Inductive Bias in Machine Learning
 
2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt2. Operations Strategy in a Global Environment.ppt
2. Operations Strategy in a Global Environment.ppt
 
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student MemberIEEE Aerospace and Electronic Systems Society as a Graduate Student Member
IEEE Aerospace and Electronic Systems Society as a Graduate Student Member
 
basic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdfbasic-wireline-operations-course-mahmoud-f-radwan.pdf
basic-wireline-operations-course-mahmoud-f-radwan.pdf
 
sieving analysis and results interpretation
sieving analysis and results interpretationsieving analysis and results interpretation
sieving analysis and results interpretation
 

Open-VPN Server

  • 1. Open VPN Scenario Server IP Address  192.168.132.21 Client IP Address  192.168.132.20 Step 1 - Install OpenVPN and Easy-RSA Install OpenVPN & easy-rsa on the server. # yum install epel-release openvpn easy-rsa –y Step 2 - Configure Easy-RSA 3 In this step, we will will configure easy-rsa by creating new 'vars' file. The 'vars' file contains the Easy-RSA settings. Go to the '/etc/openvpn/' directory and copy the 'easy-rsa' script. # cd /etc/openvpn/ # cp -r /usr/share/easy-rsa /etc/openvpn/ # cd /etc/openvpn/easy-rsa/3/ We will use the parameters in /etc/openvpn/rsa/vars to indicate the values for our keys and certificates. Change the values according to your needs. # vim vars # chmod +x vars # cd /etc/openvpn/easy-rsa/3/ export KEY_COUNTRY="NP" export KEY_PROVINCE="KTM" export KEY_CITY="Kathmandu" export KEY_ORG="F1soft" export KEY_EMAIL="manish.kc@f1soft.com" export KEY_EMAIL=manish.kc@f1soft.com export KEY_CN=f1soft export KEY_NAME="f1soft" export KEY_OU="f1soft"
  • 2. Step 3 - Build OpenVPN Keys We will build the OpenVPN keys based on the easy-rsa 'vars' file that we've created. We will build the CA key, Server and Client keys, DH and CRL PEM file. We will build all those keys using the 'easyrsa' command line. Go to the '/etc/openvpn/easy-rsa/3' directory. # cd /etc/openvpn/easy-rsa/3/ Initialization and Build CA # ./easyrsa init-pki # ./easyrsa build-ca [root@localhost 3]# ./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki [root@localhost 3]# ./easyrsa build-ca Generating a 2048 bit RSA private key ..........+++ ...................................................................+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/ca.key.h5pdSfY8qR' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /etc/openvpn/easy-rsa/3/pki/ca.crt
  • 3. Build key for Server # ./easyrsa gen-req openvpn-server nopass # ./easyrsa sign-req server openvpn-server # openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt [root@localhost 3]# ./easyrsa gen-req openvpn-server nopass Generating a 2048 bit RSA private key ........................................................................+++ ..............+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/openvpn server.key.vzztQHFiy7' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blank For some fields there will be a default value,If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [openvpn-server]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3/pki/reqs/openvpn-server.req key: /etc/openvpn/easy-rsa/3/pki/private/openvpn-server.key [root@localhost 3]# ./easyrsa sign-req server openvpn-server You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 3650 days: subject= commonName = openvpn-server Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:' openvpn-server ' Certificate is to be certified until Jul 22 15:50:28 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/openvpn-server.crt [root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/openvpn-server.crt pki/issued/openvpn-server.crt: OK
  • 4. Build key for Client # ./easyrsa gen-req client01 nopass # ./easyrsa sign-req client client01 # openssl verify -CAfile pki/ca.crt pki/issued/client01.crt [root@localhost 3]# ./easyrsa gen-req client01 nopass Note: using Easy-RSA configuration from: ./vars Generating a 2048 bit RSA private key .......................+++ ......................+++ writing new private key to '/etc/openvpn/easy-rsa/3/pki/private/client01.key.dOKxCAo7ET' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [client01]: Keypair and certificate request completed. Your files are: req: /etc/openvpn/easy-rsa/3/pki/reqs/client01.req key: /etc/openvpn/easy-rsa/3/pki/private/client01.key [root@localhost 3]# ./easyrsa sign-req client client01 Note: using Easy-RSA configuration from: ./vars You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 3650 days: subject= commonName = client01 Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'client01' Certificate is to be certified until Jul 22 16:28:50 2029 GMT (3650 days) Write out database with 1 new entries Data Base Updated Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client01.crt [root@localhost 3]# openssl verify -CAfile pki/ca.crt pki/issued/client01.crt pki/issued/client01.crt: OK
  • 5. Build Diffie-Hellman Key # ./easyrsa gen-dh [root@localhost 3]# ./easyrsa gen-dh Note: using Easy-RSA configuration from: ./vars Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ................................................................................................................................................................................... .+.....................+................................................................+.....................................................................................+ ......................................................................+........................................................................................................... ...............................................................................+.................................................................................................. ................................................................................................................................................................................... .................................+.........................+......................................................................................................+....+....... .+.......................................................................................................................+.........................+............................ ..........................................................................................................................................+...................................+.. .................+.......................................................+....................................+...................+............................................ ................+..........................................................................................................................................................+..... .......................................................................+..........................................+.............................................................. ...........+.............................................................................................................................................................+....... ................................................+................................................................................................................................. ...........................................................................................................+...................................................................... .............................................+...................................................................................................................+............... .......+.......................................................................................................................................................................... ............................................+..................................................................................................................................... .....+................+..................................................+...................................................+....+...+...................................... ..........................................................................................+....................................................................................... ....+............................................................................................................................................................................. ...................................................+.................................................................................+........................................... ...............................+...........+...................... ...........+........................+..................................++*++* DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem
  • 6. Optional: Generate the CRL Key The CRL (Certificate Revoking List) key will be used for revoking the client key. If you have multiple client certificates on your vpn server, and you want to revoke some key, you just need to revoke using the easy-rsa command. If you want to revoke some key, run the command as below. # ./easyrsa revoke someone # ./easyrsa gen-crl [root@localhost 3]# ./easyrsa revoke client02 Note: using Easy-RSA configuration from: ./vars Please confirm you wish to revoke the certificate with the following subject: subject= commonName = client02 Type the word 'yes' to continue, or any other input to abort. Continue with revocation: yes Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: Revoking Certificate D2A6B677A78A2C506D676D0C0EEFDF5F. Data Base Updated IMPORTANT!!! Revocation was successful. You must run gen-crl and upload a CRL to your infrastructure in order to prevent the revoked cert from being accepted. [root@localhost 3]# ./easyrsa gen-crl Note: using Easy-RSA configuration from: ./vars Using configuration from ./openssl-1.0.cnf Enter pass phrase for /etc/openvpn/easy-rsa/3/pki/private/ca.key: An updated CRL has been created. CRL file: /etc/openvpn/easy-rsa/3/pki/crl.pem
  • 7. Copy Certificates Files All certificates have been generated, now copy the certificate files and PEM files. Copy Server Key and Certificate. # cp pki/ca.crt /etc/openvpn/server/ # cp pki/issued/openvpn-server.crt /etc/openvpn/server/ # cp pki/private/openvpn-server.key /etc/openvpn/server/ Copy client01 Key and Certificate. # cp pki/ca.crt /etc/openvpn/client/ # cp pki/issued/client01.crt /etc/openvpn/client/ # cp pki/private/client01.key /etc/openvpn/client/ Copy DH and CRL Key. # cp pki/dh.pem /etc/openvpn/server/ # cp pki/crl.pem /etc/openvpn/server/
  • 8. Step 4 - Configure OpenVPN # OpenVPN Port, Protocol and the Tun port 1194 proto udp dev tun # OpenVPN Server Certificate - CA, server key and certificate ca /etc/openvpn/server/ca.crt cert /etc/openvpn/server/f1soft.crt key /etc/openvpn/server/f1soft.key #DH and CRL key dh /etc/openvpn/server/dh.pem crl-verify /etc/openvpn/server/crl.pem # To revoke someone permission # Network Configuration - Internal network which is assigned when connected to open-vpn server 20.20.20.0 255.255.255.0 # we have assigned 20.20.20.0/24 subnet Network Range for client # Redirect all Connection through open-vpn Server push "redirect-gateway def1" # Using the DNS of Google Server push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" # Enable multiple client to connect with same Certificate key duplicate-cn # TLS Security cipher AES-256-CBC tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA- WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 auth SHA512 auth-nocache # Other Configuration keepalive 20 60 persist-key persist-tun comp-lzo yes daemon user nobody group nobody # OpenVPN Log log-append /var/log/openvpn.log verb 3
  • 9. In this step, we will create new configuration 'server.conf' for the openvpn server. Go to the '/etc/openvpn/' directory and create new configuration file 'server.conf' using vi. # cd /etc/openvpn/ # vim server.conf Save and exit. The configuration for OpenVPN has been created. Step 5 - Enable Port-Forwarding In this step, we will enable Port-forwarding kernel module. Enable the port-forwarding kernel module by running following commands. # echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf # sysctl –p Starting & Stopping the Service Start the openvpn service and enable it to launch automatically everytime at system boot. Note: what name.conf you create at step 4 will be the service i.e. if you create test.conf the you have to start using systemctl start openvpn@test # systemctl start openvpn@server # systemctl enable openvpn@server [root@localhost ~]# systemctl status openvpn@server ● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled) Active: active (running) since Sun 2019-07-28 06:15:20 +0545; 29s ago Main PID: 6840 (openvpn) Status: "Initialization Sequence Completed" CGroup: /system.slice/system-openvpn.slice/openvpn@server.service └─6840 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf Jul 28 06:15:19 localhost.localdomain systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Applicati...r...Jul 28 06:15:20 localhost.localdomain systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Applicatio...ver.Hint: Some lines were ellipsized, use -l to show in full.
  • 10. Logs while starting the server Sun Jul 28 06:47:45 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Sun Jul 28 06:47:45 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Sun Jul 28 06:47:45 2019 Diffie-Hellman initialized with 2048 bit key Sun Jul 28 06:47:45 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:50:56:3e:36:15 Sun Jul 28 06:47:45 2019 TUN/TAP device tun0 opened Sun Jul 28 06:47:45 2019 TUN/TAP TX queue length set to 100 Sun Jul 28 06:47:45 2019 /sbin/ip link set dev tun0 up mtu 1500 Sun Jul 28 06:47:45 2019 /sbin/ip addr add dev tun0 local 20.20.20.1 peer 20.20.20.2 Sun Jul 28 06:47:45 2019 /sbin/ip route add 20.20.20.0/24 via 20.20.20.2 Sun Jul 28 06:47:45 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET Sun Jul 28 06:47:45 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Jul 28 06:47:45 2019 UDPv4 link local (bound): [AF_INET][undef]:1194 Sun Jul 28 06:47:45 2019 UDPv4 link remote: [AF_UNSPEC] Sun Jul 28 06:47:45 2019 GID set to nobody Sun Jul 28 06:47:45 2019 UID set to nobody Sun Jul 28 06:47:45 2019 MULTI: multi_init called, r=256 v=256 Sun Jul 28 06:47:45 2019 IFCONFIG POOL: base=20.20.20.4 size=62, ipv6=0 Sun Jul 28 06:47:45 2019 Initialization Sequence Completed
  • 11. Client Configuration Linux Copy the files from the Server /etc/openvpn/client to client server 192.168.132.120 ca .crt, client01.crt, client01.key # vi client01.opvn Start open-vpn client using # openvpn --config client01.opvn To run in background simply add & i.e. # openvpn --config client01.opvn & Client dev tun proto udp remote 192.168.132.21 1194 # IP of open-vpn server # enable certificate verification method remote-cert-tls server ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC- SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3
  • 12. Client logs while connecting to open-vpn server root@localhost client]# openvpn --config client01.ovpn Sun Jul 28 13:22:57 2019 OpenVPN 2.4.7 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019 Sun Jul 28 13:22:57 2019 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06 Sun Jul 28 13:22:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:57 2019 Socket Buffers: R=[212992->212992] S=[212992->212992] Sun Jul 28 13:22:57 2019 UDP link local: (not bound) Sun Jul 28 13:22:57 2019 UDP link remote: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:57 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=61588936 583f6808 Sun Jul 28 13:22:57 2019 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 13:22:57 2019 VERIFY KU OK Sun Jul 28 13:22:57 2019 Validating certificate extended key usage Sun Jul 28 13:22:57 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 28 13:22:57 2019 VERIFY EKU OK Sun Jul 28 13:22:57 2019 VERIFY OK: depth=0, CN=f1soft.com Sun Jul 28 13:22:57 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM- SHA384, 2048 bit RSA Sun Jul 28 13:22:57 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194 Sun Jul 28 13:22:59 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1) Sun Jul 28 13:22:59 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp- option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: timers and/or timeouts modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ifconfig/up options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: route options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: peer-id set Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Sun Jul 28 13:22:59 2019 OPTIONS IMPORT: data channel crypto options modified Sun Jul 28 13:22:59 2019 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jul 28 13:22:59 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:22:59 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:22:59 2019 ROUTE_GATEWAY 192.168.132.2/255.255.255.0 IFACE=ens33 HWADDR=00:0c:29:47:82:03 Sun Jul 28 13:22:59 2019 TUN/TAP device tun0 opened Sun Jul 28 13:22:59 2019 TUN/TAP TX queue length set to 100 Sun Jul 28 13:22:59 2019 /sbin/ip link set dev tun0 up mtu 1500 Sun Jul 28 13:22:59 2019 /sbin/ip addr add dev tun0 local 20.20.20.6 peer 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 192.168.132.21/32 dev ens33 Sun Jul 28 13:22:59 2019 /sbin/ip route add 0.0.0.0/1 via 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 128.0.0.0/1 via 20.20.20.5 Sun Jul 28 13:22:59 2019 /sbin/ip route add 20.20.20.1/32 via 20.20.20.5 Sun Jul 28 13:22:59 2019 Initialization Sequence Completed
  • 13. Server logs while connecting to open-vpn server Sun Jul 28 06:55:55 2019 192.168.132.20:50282 TLS: Initial packet from [AF_INET]192.168.132.20:50282, sid=229911de 9b6d7502 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 06:55:55 2019 192.168.132.20:50282 VERIFY OK: depth=0, CN=f1soft Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_VER=2.4.7 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PLAT=linux Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_PROTO=2 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_NCP=2 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZ4v2=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_LZO=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUB=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_COMP_STUBv2=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 peer info: IV_TCPNL=1 Sun Jul 28 06:55:55 2019 192.168.132.20:50282 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA- AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 06:55:55 2019 192.168.132.20:50282 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.20:50282 Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI_sva: pool returned IPv4=20.20.20.10, IPv6=(Not enabled) Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: Learn: 20.20.20.10 -> f1soft/192.168.132.20:50282 Sun Jul 28 06:55:55 2019 f1soft/192.168.132.20:50282 MULTI: primary virtual IP for f1soft/192.168.132.20:50282: 20.20.20.10 Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 PUSH: Received control message: 'PUSH_REQUEST' Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect- gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.10 20.20.20.9,peer-id 1,cipher AES-256-GCM' (status=1) Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Data Channel: using negotiated cipher 'AES-256- GCM' Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 06:55:56 2019 f1soft/192.168.132.20:50282 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
  • 14. Windows Download open-vpn gui from https://openvpn.net/community-downloads/ Create a file named client01.ovpn Client dev tun proto udp remote 192.168.132.21 1194 # IP of open-vpn server # enable certificate verification method remote-cert-tls server ca ca.crt cert client01.crt key client01.key cipher AES-256-CBC auth SHA512 auth-nocache tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC- SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256 resolv-retry infinite compress lzo nobind persist-key persist-tun mute-replay-warnings verb 3 #Use the filename ca.crt under ca, client.01.crt under cert, client01.key under key <ca> </ca> <cert> </cert> <key> </key
  • 15. Logs of client in windows Sun Jul 28 13:34:02 2019 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019 Sun Jul 28 13:34:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit Sun Jul 28 13:34:02 2019 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10 Enter Management Password: Sun Jul 28 13:34:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340 Sun Jul 28 13:34:02 2019 Need hold release from management interface, waiting... Sun Jul 28 13:34:02 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340 Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'state on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'log all on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'echo all on' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'bytecount 5' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold off' Sun Jul 28 13:34:02 2019 MANAGEMENT: CMD 'hold release' Sun Jul 28 13:34:02 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:02 2019 Socket Buffers: R=[65536->65536] S=[65536->65536] Sun Jul 28 13:34:02 2019 UDP link local: (not bound) Sun Jul 28 13:34:02 2019 UDP link remote: [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,WAIT,,,,,, Sun Jul 28 13:34:02 2019 MANAGEMENT: >STATE:1564300142,AUTH,,,,,, Sun Jul 28 13:34:02 2019 TLS: Initial packet from [AF_INET]192.168.132.21:1194, sid=f41be3ac d2ff3b47 Sun Jul 28 13:34:02 2019 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 13:34:02 2019 VERIFY KU OK Sun Jul 28 13:34:02 2019 Validating certificate extended key usage Sun Jul 28 13:34:02 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Sun Jul 28 13:34:02 2019 VERIFY EKU OK Sun Jul 28 13:34:02 2019 VERIFY OK: depth=0, CN=f1soft.com Sun Jul 28 13:34:02 2019 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 13:34:02 2019 [f1soft.com] Peer Connection Initiated with [AF_INET]192.168.132.21:1194 Sun Jul 28 13:34:03 2019 MANAGEMENT: >STATE:1564300143,GET_CONFIG,,,,,, Sun Jul 28 13:34:03 2019 SENT CONTROL [f1soft.com]: 'PUSH_REQUEST' (status=1) Sun Jul 28 13:34:03 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp- option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: timers and/or timeouts modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ifconfig/up options modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: route options modified Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modifiedSun Jul 28 13:34:03 2019 OPTIONS IMPORT: peer-id set Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: adjusting link_mtu to 1625 Sun Jul 28 13:34:03 2019 OPTIONS IMPORT: data channel crypto options modified Sun Jul 28 13:34:03 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
  • 16. Sun Jul 28 13:34:03 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:34:03 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 13:34:03 2019 interactive service msg_channel=604 Sun Jul 28 13:34:03 2019 ROUTE_GATEWAY 10.20.222.1/255.255.255.0 I=14 HWADDR=28:d2:44:71:04:ef Sun Jul 28 13:34:03 2019 open_tun Sun Jul 28 13:34:03 2019 TAP-WIN32 device [Ethernet 2] opened: .Global{D4A1E2D0-2F5A-4E79-B928- 04BB0AF5D34F}.tap Sun Jul 28 13:34:03 2019 TAP-Windows Driver Version 9.23 Sun Jul 28 13:34:03 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 20.20.20.6/255.255.255.252 on interface {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F} [DHCP-serv: 20.20.20.5, lease-time: 31536000] Sun Jul 28 13:34:03 2019 Successful ARP Flush on interface [27] {D4A1E2D0-2F5A-4E79-B928-04BB0AF5D34F} Sun Jul 28 13:34:04 2019 MANAGEMENT: >STATE:1564300144,ASSIGN_IP,,20.20.20.6,,,, Sun Jul 28 13:34:09 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 192.168.132.21 MASK 255.255.255.255 10.20.222.1 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 MANAGEMENT: >STATE:1564300149,ADD_ROUTES,,,,,, Sun Jul 28 13:34:09 2019 C:Windowssystem32route.exe ADD 20.20.20.1 MASK 255.255.255.255 20.20.20.5 Sun Jul 28 13:34:09 2019 Route addition via service succeeded Sun Jul 28 13:34:09 2019 Initialization Sequence Completed Sun Jul 28 13:34:09 2019 MANAGEMENT: >STATE:1564300149,CONNECTED,SUCCESS,20.20.20.6,192.168.132.21,1194,,
  • 17. Server logs while connecting to open-vpn server Sun Jul 28 07:09:36 2019 192.168.132.1:58348 TLS: Initial packet from [AF_INET]192.168.132.1:58348, sid=484d086a b6f6f99a Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=1, CN=f1soft.com Sun Jul 28 07:09:42 2019 192.168.132.1:58348 VERIFY OK: depth=0, CN=f1soft Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_VER=2.4.7 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PLAT=win Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_PROTO=2 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_NCP=2 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZ4v2=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_LZO=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUB=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_COMP_STUBv2=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_TCPNL=1 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 peer info: IV_GUI_VER=OpenVPN_GUI_11 Sun Jul 28 07:09:42 2019 192.168.132.1:58348 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA- AES256-GCM-SHA384, 2048 bit RSA Sun Jul 28 07:09:42 2019 192.168.132.1:58348 [f1soft] Peer Connection Initiated with [AF_INET]192.168.132.1:58348 Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI_sva: pool returned IPv4=20.20.20.6, IPv6=(Not enabled) Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: Learn: 20.20.20.6 -> f1soft/192.168.132.1:58348 Sun Jul 28 07:09:42 2019 f1soft/192.168.132.1:58348 MULTI: primary virtual IP for f1soft/192.168.132.1:58348: 20.20.20.6 Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 PUSH: Received control message: 'PUSH_REQUEST' Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 SENT CONTROL [f1soft]: 'PUSH_REPLY,redirect- gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 20.20.20.1,topology net30,ping 20,ping-restart 60,ifconfig 20.20.20.6 20.20.20.5,peer-id 0,cipher AES-256-GCM' (status=1) Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Data Channel: using negotiated cipher 'AES-256-GCM' Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key Sun Jul 28 07:09:43 2019 f1soft/192.168.132.1:58348 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
  • 18. Problem May Faced 1) No server certificate verification method has been enabled. Add the following line to your client configuration: # remote-cert-tls server 2) VERIFY ERROR: depth=1, error=certificate is not yet valid: CN=ChangeMe Just set the correct time and date in both your client and server systems, it has nothing to do with OpenVPN or this script.