openVPN ignoring the forged certificates for the default


      hi all
      machine:
      virtual machine running on esxi5.5 (god bless the snapshots.....)
      omv 1.0 updated from Fedaykin
      openVPN completely reinstalled (uninstalled plugin and apt-get remove --purge on openvpn package)
      Here is the issue:
      I created new ca-cert, key, etc using both
      the openvpn guide for wheezy (via shell from /etc/openvpn/easy-rsa/2.0/) and
      the omv webgui plugin

      I created and downloaded the client config, but when I connect, from the log I still read the default config

      Tue Oct 14 09:24:26 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
      Tue Oct 14 09:24:26 2014 VERIFY OK: nsCertType=SERVER

      which of course is neither the webgui created nor the shell created one nor the one I was using under Fedaykin
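      A defender-side check for the symptom above, added here as an example and not part of the original thread: it parses OpenVPN "VERIFY OK" lines from a client log and flags DN attributes that still carry the easy-rsa sample values ("changeme", "Fort-Funston", "mail@host.domain"), which is how you can tell from the log alone that the server is presenting the plugin's placeholder chain rather than your own. The two sample lines are the ones quoted in the post; the "waterloo" line is constructed.

```python
import re

# Values from the easy-rsa sample "vars" file, i.e. the defaults the plugin's
# own CA was generated with. A VERIFY line carrying them means the server is
# still presenting the placeholder chain rather than the operator's own.
PLACEHOLDER_VALUES = {"changeme", "Fort-Funston", "mail@host.domain"}

# One "VERIFY OK: depth=N, <DN>" line is logged per certificate in the chain:
# depth=0 is the server certificate, depth=1 the CA that issued it.
VERIFY_RE = re.compile(r"VERIFY OK: depth=(\d+), (.+)$")


def parse_dn(dn):
    """Split 'C=US, ST=CA, CN=foo' into {'C': 'US', 'ST': 'CA', 'CN': 'foo'}."""
    fields = {}
    for part in dn.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def placeholder_fields(line):
    """Return (depth, sorted DN attributes holding placeholder values).
    Non-chain lines such as 'VERIFY OK: nsCertType=SERVER' give (-1, []).
    """
    match = VERIFY_RE.search(line)
    if not match:
        return -1, []
    dn = parse_dn(match.group(2))
    return int(match.group(1)), sorted(k for k, v in dn.items() if v in PLACEHOLDER_VALUES)


def audit_log(lines):
    """Return [(depth, fields)] for every chain entry still using placeholders."""
    findings = []
    for line in lines:
        depth, fields = placeholder_fields(line)
        if fields:
            findings.append((depth, fields))
    return findings


# The two VERIFY lines quoted in the post above, plus a constructed line for a
# properly issued server certificate (which should raise no finding).
SAMPLE_LOG = [
    "Tue Oct 14 09:24:26 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, "
    "O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain",
    "Tue Oct 14 09:24:26 2014 VERIFY OK: nsCertType=SERVER",
    "Tue Oct 14 09:24:26 2014 VERIFY OK: depth=0, C=IT, O=HomeLab, CN=waterloo",
]
```

      Feed it the client's OpenVPN log (e.g. `audit_log(open("openvpn.log").readlines())`); a non-empty result at depth 1 means the CA in /etc/openvpn/keys is still the generated default.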
    • Those are the default certificates created by the plugin's own CA and keys. The plugin is aimed to be very very simple and fast to use. The plugin will create certificates, keys with CN with the default CA. If you delete a certificate for a user it will go to the CRL to avoid that client from reconnecting. Changing this behaviour is redesigning the plugin as far as I am concerned.

      You can modify the server.conf to point to your own cert's, but the OMV plugin will still rewrite the config every reboot.


      Where were your certificates/keys located? The plugin looks for /etc/openvpn/keys/ and cannot be changed, so you need to move them there and change the name for the config one. I'll take a look at my openvpn plugin, I'll delete my default certs and check if I can reconstruct with my own ones.

      If you want more advanced use with your own certificates and options you may want to look at the OpenvpnAS.
      New wiki
      chat support at #openmediavault@freenode IRC | Spanish & English | GMT+10
      telegram.me/openmediavault broadcast channel
      openmediavault discord server


    • I've just recreated the certificate, keys and dh parameters, using easy-rsa. After creation move them to /etc/openvpn/keys (make sure the folder is empty). If your server key/certificate was created with a different name like waterloo.crt, you need to rename it to server.crt, .key and .csr also.
      The openvpn plugin will create the certificates/keys for clients using that CA and show them in the webUI. If you delete a user/client his certificate/key will go to the CRL.
      Hope that it helps
    • It will create a user client certificate and key. If you press download it will give you a bundle, that contains CA, client certificate and key, and config file to use with openvpn-gui in windows or tunnelblick with mac.
      If you don't want that client to connect anymore, if you delete his certificate from the OMV webUI plugin, it will go to the CRL (control revocation list) to be banned/blocked from connecting to the server. This plugin is a very simple approach to a PKI, but it works.
      You can read more about PKI here, once you finish you'll understand better how openvpn works.
    • I understand that's for secure https webUI connection. I don't use it personally, so I don't know if you can use it in other sections of OMV. Maybe one of the mods can answer your question.

      edit: You can also use it in FTPS.

    • ice.man wrote:

      So what is the "create certificate" function in the webgui for?


      ice.man wrote:

      what is it for? It should be to create the Server Certificate Authority, but it's ignored, at least by the openvpn server feature


      As Subzero79 wrote, it just creates a self-signed SSL certificate to use for a HTTPS Connection for your webinterface or the FTPS Service.

      Greetings
      David