OpenVPN Notes and Examples
- Linux VPN using SSL/TLS for encryption, with clients for Android and Windows.
Using more than one CA, stacked in the same file: https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
- 2018 - Using a PSK (pre-shared key), only a point-to-point link can be established; for a server with multiple clients use a CA and certificates.
2018 - Python script to generate self-signed certs and client certs: https://github.com/diepes/openvpn-inline-config-generator
The idea is to create them, throw away the CA key, and deploy the config. When adding more later, re-generate or stack another server CA.
Routing
- Using TUN (L3), the routing is messy if there are subnets at both ends: you have to fiddle with ccd files per client, inserting iroute lines (custom OpenVPN junk).
It would have been perfect if we could create a new tun-x interface per connecting client, allowing the full power of Linux routing and firewalling.
Using TAP (L2) is very similar, but now MAC addresses (and broadcasts) traverse the VPN.
This allows running routing protocols, e.g. OSPF, and adding static routes to client IPs on the server (fix the client IPs with ifconfig-pool-persist ipp.txt).
- Compression should reduce the overhead of the Ethernet headers.
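Added example (my own code, not from the OpenVPN project or the script linked above): a small generator for the per-client ccd files ("iroute" lines) and the matching server-side "route" lines that the TUN setup above needs, plus a check for subnets claimed by more than one client. Client names and subnets are constructed.

```python
"""Generate ccd/<CN> files and server 'route' lines for a TUN server with
subnets behind several clients (added example; directive names are real
OpenVPN ones, the client data below is constructed)."""
import ipaddress

# Constructed mapping: certificate CN of each client -> subnets behind it.
CLIENTS = {
    "site-a": ["192.168.10.0/24"],
    "site-b": ["192.168.20.0/24", "10.9.0.0/16"],
}


def netmask_form(cidr):
    """OpenVPN 'route'/'iroute' take 'network netmask', not CIDR.
    strict=True rejects host bits set, e.g. 192.168.10.5/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only here; IPv6 uses iroute-ipv6 / route-ipv6")
    return f"{net.network_address} {net.netmask}"


def ccd_file(subnets):
    """Contents of ccd/<CN> (client-config-dir ccd): one iroute per subnet,
    so OpenVPN knows which connected client owns that network."""
    return "".join(f"iroute {netmask_form(s)}\n" for s in subnets)


def server_routes(clients):
    """Kernel routes the server needs: 'route' sends the subnet into the
    tun interface; iroute then picks the right client inside OpenVPN."""
    return sorted(f"route {netmask_form(s)}"
                  for subnets in clients.values() for s in subnets)


def overlapping(clients):
    """(cn1, cn2, net1, net2) for every pair of clients whose subnets
    overlap: such a network cannot be routed to one client unambiguously."""
    owned = [(cn, ipaddress.ip_network(s)) for cn, ss in clients.items() for s in ss]
    return [(a, b, str(na), str(nb))
            for i, (a, na) in enumerate(owned)
            for b, nb in owned[i + 1:]
            if a != b and na.overlaps(nb)]


if __name__ == "__main__":
    for cn, subnets in CLIENTS.items():
        print(f"--- ccd/{cn}\n{ccd_file(subnets)}", end="")
    print("--- server.conf additions\nclient-config-dir ccd")
    print("\n".join(server_routes(CLIENTS)))
    print("overlaps:", overlapping(CLIENTS))
```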
Errors
2019 - OpenVPN tunnel restarts, with this in the log:
Wed Jan 9 20:04:24 2019 [vpn01] Inactivity timeout (--ping-restart), restarting
Wed Jan 9 20:04:24 2019 SIGUSR1[soft,ping-restart] received, process restarting
Wed Jan 9 20:04:24 2019 Restart pause, 2 second(s)
- Keepalive ping going missing?
- Problem tracked down to 2 clients using the same cert, kicking each other off.
- Solved by allowing multiple clients with the same cert: add "duplicate-cn" to the config.
2018 - OpenVPN dies with these errors in the log:
NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
ERROR: Linux route delete command failed: external program exited with error status: 2
Linux ip addr del failed: external program exited with error status: 2
ROUTE_GATEWAY 10.x.y.z/255.255.255.224 IFACE=eth0 HWADDR=06:bb:33:11:55:14
Tried to fix it by adding to the config:
ifconfig-pool-persist
On Ubuntu 16.04 edit /lib/systemd/system/openvpn@.service and add:
[Service]
Restart=always
RestartSec=30
VERIFY ERROR: depth=1, error=unhandled critical extension: CN=
and OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Verify with:
$ openssl verify -CAfile ca.pem server.pem
CN = test_ca_20180712_20h31
error 34 at 1 depth lookup: unhandled critical extension
error server.pem: verification failed
- Cause: the X509v3 Subject Key Identifier extension is marked critical.
openvpn: VERIFY ERROR: depth=0, could not extract X509 subject string from certificate
- Caused by not adding a CN to the certificate when it was created.
openvpn[...]: TLS Error: Unroutable control packet received from [AF_INET] ... (si=3 op=P_CONTROL_V1)
Add "client" to the client config in addition to "tls-client" to allow the client to accept an IP from the server.
Remove the "topology" mode setting from the client.
...