openVPN ignoring the forged certificates for the default

  • hi all
    machine:
    virtual machine running on esxi5.5 (god bless the snapshots.....)
    omv 1.0 updated from Fedaykin
    openVPN completely reinstalled (uninstalled plugin and apt-get remove --purge on openvpn package)
    Here is the issue:
    I created new ca-cert, key, etc using both
    the openvpn guide for wheezy (via shell from /etc/openvpn/easy-rsa/2.0/) and
    the omv webgui plugin


    I created and downloaded the client config, but when I connect, from the log I still read the default config

    Code
    Tue Oct 14 09:24:26 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
    Tue Oct 14 09:24:26 2014 VERIFY OK: nsCertType=SERVER


    which of course is neither the webgui created nor the shell created one nor the one I was using under Fedaykin

    • Official post

    Those are the default certificates created by the plugin's own CA and keys. The plugin is aimed to be very very simple and fast to use. The plugin will create certificates, keys with CN with the default CA. If you delete a certificate for a user it will go to the CRL to avoid that client from reconnecting. Changing this behaviour is redesigning the plugin as far as I am concerned.


    You can modify the server.conf to point to your own certs, but the OMV plugin will still rewrite the config every reboot.


    Where were your certificates/keys located? The plugin looks for /etc/openvpn/keys/ and cannot be changed, so you need to move them there and change the name for the config one. I'll take a look at my openvpn plugin, I'll delete my default certs and check if I can reconstruct with my own ones.


    If you want more advanced use with your own certificates and options you may want to look at the OpenvpnAS.

    • Official post

    I've just recreated the certificate, keys and dh parameters, using easy-rsa. After creation move them to /etc/openvpn/keys (make sure the folder is empty). If your server key/certificate was created with a different name like waterloo.crt, you need to rename it to server.crt, .key and .csr also.
    The openvpn plugin will create the certificates/keys for clients using that CA and show them in the webUI. If you delete a user/client his certificate key will go to CRL.
    Hope that it helps
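
A client-side check of which CA the server actually presents, as an added example that is not part of the original thread or the plugin: it scans an OpenVPN client log for `VERIFY OK: depth=N` lines and flags subjects that still carry the placeholder values seen in the log quoted in the first post. The function names and the third sample line are constructed for illustration, and treating those placeholder values as the marker of the default CA is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Placeholder values copied from the log quoted in the first post; treating
# them as the marker of the plugin's default CA is an assumption.
PLACEHOLDERS='changeme|Fort-Funston|mail@host[.]domain'

# Read an OpenVPN client log (file $1, or stdin) and print one line per
# "VERIFY OK: depth=N, ..." entry (depth=1 is the CA, depth=0 the server cert).
# Returns 1 if any subject field still holds a placeholder value, 0 otherwise.
check_verify_subjects() {
    awk -v pats="^(${PLACEHOLDERS})\$" '
        /VERIFY OK: depth=[0-9]+,/ {
            sub(/^.*VERIFY OK: /, "")      # keep "depth=N, C=.., CN=.."
            sub(/[ \t\r]+$/, "")           # tolerate trailing blanks and CRLF
            n = split($0, kv, /, */)       # assumes no ", " inside a value
            depth = ""; cn = ""; hits = ""
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (eq == 0) continue
                key = substr(kv[i], 1, eq - 1)
                val = substr(kv[i], eq + 1)
                if (key == "depth") { depth = val; continue }
                if (key == "CN") cn = val
                if (val ~ pats) { sep = (hits == "") ? "" : ","; hits = hits sep key }
            }
            if (hits == "") printf "depth=%s CN=%s ok\n", depth, cn
            else { printf "depth=%s CN=%s DEFAULT %s\n", depth, cn, hits; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Sample log: the first two lines are from the thread, the third is constructed.
sample_log() {
    cat <<'EOF'
Tue Oct 14 09:24:26 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue Oct 14 09:24:26 2014 VERIFY OK: nsCertType=SERVER
Tue Oct 14 09:24:26 2014 VERIFY OK: depth=0, C=DE, ST=BY, L=Munich, O=ExampleOrg, OU=vpn, CN=server, name=server, emailAddress=admin@example.org
EOF
}

sample_log | check_verify_subjects || echo "placeholder subject found: server is not presenting your own CA"
```

A `DEFAULT` result at depth=1 after moving your own files into /etc/openvpn/keys means the server is still presenting the old CA, or the client bundle was not re-downloaded.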

    • Official post

    It will create a user client certificate and key. If you press download it will give you a bundle, that contains CA, client certificate and key, and config file to use with openvpn-gui in windows or tunnelblick with mac.
    If you don't want that client to connect anymore, if you delete his certificate from the OMV webUI plugin, it will go to the CRL (control revocation list) to be banned/blocked from connecting to the server. This plugin is a very simple approach to a PKI, but it works.
    You can read more about PKI here, once you finish you'll understand better how openvpn works.

  • So what is the "create certificate" function in the webgui for?


    what is it for? It should be to create the Server Certificate Authority, but it's ignored, at least by the openvpn server feature


    As Subzero79 wrote, it just creates a self-signed SSL certificate to use for a HTTPS Connection for your webinterface or the FTPS Service.


    Greetings
    David

    "Well... lately this forum has become support for everything except omv" [...] "And is like someone is banning Google from their browsers"


    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    Upload Logfile via WebGUI/CLI
    #openmediavault on freenode IRC | German & English | GMT+1
    Absolutely no Support via PM!
