Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 08.08.2017 22:37, Joe Patterson wrote:
> This may be a stupid question but...
> 
> Do any of the openssl cnf files have a comment in them that says 
> "easy-rsa version 2.x"?
> 
> if you do 'echo $KEY_CONFIG', what does it say?
> 

We figured it out... I tried reinstalling easy-rsa with the same 
results... After that, I changed "easy-rsa version 2.x" to "easy-rsa 
version 2.2" and it works as before!

Thank You all for helping us out!

Regards!

-- 
Mio Vlahović
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 17.08.2017 15:49, Selva wrote:
> 
> 
> On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović wrote:
> 
> On 15.08.2017 02:13, Selva wrote:
>  > Hi,
>  >
>  > I do not use easy-rsa but the test you posted is not correct..
>  >
>  > # sh -x whichopensslcnf
>  >
>  >
>  > This will fail as whichopensslcnf takes an argument (the root folder
>  > name $EASY_RSA) without which it will be looking at the "root
> directory"
>  >
>  > + cnf=/openssl.cnf
>  > + '[' openssl ']'
>  > + openssl version
>  > + grep -E '0\.9\.6[[:alnum:]]?'
>  > + openssl version
>  > + grep -E '0\.9\.8[[:alnum:]]?'
>  > + openssl version
>  > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
>  > + cnf=/openssl-1.0.0.cnf
>  > + echo /openssl-1.0.0.cnf
>  > /openssl-1.0.0.cnf
> 
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
> 
>  > Anyway, as your openssl version is 1.0.x, the script will use
>  > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
> 
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa
> version 2.x
> 
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working
> anymore..
> 
> 
> Your email of Aug 14 showed
> 
>   -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf
> 
> So the file has been touched as recently as Aug 8. Does 
> openssl-1.0.0.cnf have the comment
> # For use with easy-rsa version 2.0 
> at the top? If not, it somehow got over-written by a wrong file?
> 
> Selva

Well, yes... I tried modifying the first line of that file, as the 
output of the build-key suggested... (easy-rsa version from 2.0 to 2.x)

Regards!

-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Selva
On Thu, Aug 17, 2017 at 8:33 AM, Mio Vlahović wrote:

> On 15.08.2017 02:13, Selva wrote:
> > Hi,
> >
> > I do not use easy-rsa but the test you posted is not correct..
> >
> > # sh -x whichopensslcnf
> >
> >
> > This will fail as whichopensslcnf takes an argument (the root folder
> > name $EASY_RSA) without which it will be looking at the "root directory"
> >
> > + cnf=/openssl.cnf
> > + '[' openssl ']'
> > + openssl version
> > + grep -E '0\.9\.6[[:alnum:]]?'
> > + openssl version
> > + grep -E '0\.9\.8[[:alnum:]]?'
> > + openssl version
> > + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> > + cnf=/openssl-1.0.0.cnf
> > + echo /openssl-1.0.0.cnf
> > /openssl-1.0.0.cnf
>
> [root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> + '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
> + exit 0
>
> > Anyway, as your openssl version is 1.0.x, the script will use
> > openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.
>
> [root@vpn 2.0]# sh -x build-key test1233
> + export EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + EASY_RSA=/etc/openvpn/easy-rsa/2.0
> + /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
> pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
> version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
> The correct version should have a comment that says: easy-rsa version 2.x
>
> How can we generate new client certificates now? The openssl-1.0.0.cnf
> hasn't been touched, so I can't understand why it is not working anymore..


Your email of Aug 14 showed

 -rwx--  1 nobody nobody  8247 Aug  8 18:37 openssl-1.0.0.cnf

So the file has been touched as recently as Aug 8. Does openssl-1.0.0.cnf
have the comment
# For use with easy-rsa version 2.0 
at the top? If not, it somehow got over-written by a wrong file?

Selva


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 08.08.2017 22:37, Joe Patterson wrote:
> This may be a stupid question but...
> 
> Do any of the openssl cnf files have a comment in them that says 
> "easy-rsa version 2.x"?
> 
> if you do 'echo $KEY_CONFIG', what does it say?

Yes, we did try that but with the same result...

[root@vpn 2.0]# echo $KEY_CONFIG
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

-- 
Mio Vlahović
Linux/Network Administrator @ BCS d.o.o.
GSM: +385 95 6308 809


Re: [Openvpn-users] Clients can't connect after server reboot

2017-08-17 Thread Mio Vlahović
On 15.08.2017 02:13, Selva wrote:
> Hi,
> 
> I do not use easy-rsa but the test you posted is not correct..
> 
> # sh -x whichopensslcnf
> 
> 
> This will fail as whichopensslcnf takes an argument (the root folder 
> name $EASY_RSA) without which it will be looking at the "root directory"
> 
> + cnf=/openssl.cnf
> + '[' openssl ']'
> + openssl version
> + grep -E '0\.9\.6[[:alnum:]]?'
> + openssl version
> + grep -E '0\.9\.8[[:alnum:]]?'
> + openssl version
> + grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
> + cnf=/openssl-1.0.0.cnf
> + echo /openssl-1.0.0.cnf
> /openssl-1.0.0.cnf

[root@vpn 2.0]# sh -x whichopensslcnf $EASY_RSA
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl.cnf
+ '[' openssl ']'
+ openssl version
+ grep -E '0\.9\.6[[:alnum:]]?'
+ openssl version
+ grep -E '0\.9\.8[[:alnum:]]?'
+ openssl version
+ grep -E '1\.0\.[[:digit:]][[:alnum:]]?'
+ cnf=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ echo /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
+ '[' '!' -r /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf ']'
+ exit 0

> Anyway, as your openssl version is 1.0.x, the script will use 
> openssl-1.0.0.cnf. Make sure that is compatible with easy-rsa.

[root@vpn 2.0]# sh -x build-key test1233
+ export EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ EASY_RSA=/etc/openvpn/easy-rsa/2.0
+ /etc/openvpn/easy-rsa/2.0/pkitool --interact test1233
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
The correct version should have a comment that says: easy-rsa version 2.x

How can we generate new client certificates now? The openssl-1.0.0.cnf 
hasn't been touched, so I can't understand why it is not working anymore...

Regards!

-- 
Mio Vlahović
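The selection and check that the `sh -x whichopensslcnf $EASY_RSA` trace and the pkitool error above walk through, as an added shell example that is not easy-rsa's own code: it reproduces the three version greps from the trace, then applies the kind of KEY_CONFIG sanity check pkitool's message describes. Assumptions: the `openssl version` output is passed in as an argument (so it runs without OpenSSL installed), the 0.9.6/0.9.8 file names are inferred from the openssl-1.0.0.cnf naming, and the marker regex is a guess, since the thread shows releases differ ("2.0" rejected, "2.2" accepted).

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: the cnf selection seen in the
# 'sh -x whichopensslcnf $EASY_RSA' trace, plus the KEY_CONFIG marker check
# that pkitool's error message describes. Assumptions: the output of
# 'openssl version' is passed in as $2 (so no OpenSSL is needed), the
# 0.9.6/0.9.8 file names mirror openssl-1.0.0.cnf, and the marker regex
# is a guess (the thread shows releases differ: "2.0" rejected, "2.2" ok).

# pick_cnf ROOT "OpenSSL x.y.z ..." -> prints the config file to use.
# With an empty ROOT you get the "/openssl-1.0.0.cnf" the thread calls out.
pick_cnf() {
    root=$1
    ver=$2
    cnf="$root/openssl.cnf"
    if printf '%s\n' "$ver" | grep -Eq '0\.9\.6[[:alnum:]]?'; then
        cnf="$root/openssl-0.9.6.cnf"   # assumed name
    elif printf '%s\n' "$ver" | grep -Eq '0\.9\.8[[:alnum:]]?'; then
        cnf="$root/openssl-0.9.8.cnf"   # assumed name
    elif printf '%s\n' "$ver" | grep -Eq '1\.0\.[[:digit:]][[:alnum:]]?'; then
        cnf="$root/openssl-1.0.0.cnf"   # as in the trace
    fi
    printf '%s\n' "$cnf"
}

default_marker='easy-rsa version 2\.[0-9]'   # assumed pkitool pattern

# check_key_config FILE [REGEX] -> 0 only if FILE is readable and carries
# the marker comment. A stricter REGEX reproduces the thread's failure.
check_key_config() {
    file=$1
    want=${2:-$default_marker}
    if [ ! -r "$file" ]; then
        echo "KEY_CONFIG not readable: $file" >&2
        return 1
    fi
    grep -Eq "$want" "$file" && return 0
    echo "KEY_CONFIG points to the wrong openssl.cnf: $file ('$want' missing)" >&2
    return 1
}

# Constructed demo tree: one cnf with the easy-rsa marker, one without.
demo_root=$(mktemp -d)
printf '# For use with easy-rsa version 2.0\n[ ca ]\n' > "$demo_root/openssl-1.0.0.cnf"
printf '# stock distro openssl.cnf, no easy-rsa marker\n[ ca ]\n' > "$demo_root/openssl.cnf"

cnf=$(pick_cnf "$demo_root" 'OpenSSL 1.0.2k-fips  26 Jan 2017')
echo "whichopensslcnf would pick: $cnf"
check_key_config "$cnf" && echo "KEY_CONFIG accepted"
```

Running `check_key_config` with the stricter pattern `'easy-rsa version 2\.2'` against the "2.0" file shows the same rejection the thread hit before the comment was edited.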


Re: [Openvpn-users] Openvpn-users Digest, Vol 135, Issue 18

2017-08-17 Thread openvpn
That is a very good idea and could help prevent some misinterpretations of the 
tool's results.
Thank you very much!


17. Aug 2017 14:05 by openvpn-users-requ...@lists.sourceforge.net:


> Message: 1
> Date: Wed, 16 Aug 2017 19:00:07 -0400
> From: Marty G <martygaly...@gmail.com>
> To: openvpn-users@lists.sourceforge.net
> Subject: Re: [Openvpn-users] OpenVPN security rating tool
> Message-ID: <89cb1a90-7e0e-7689-03f3-6da1a5a7e...@gmail.com>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> For "a", one could limit it to the current openvpn version in the script 
> and print a warning about the script being out of date and possibly 
> dangerous if the openvpn version is higher?
>
>
> On 08/16/2017 03:10 AM, open...@keemail.me wrote:
>>
>> Thank you for the feedback!
>>
>> a)
>> You're absolutely right, once the tool is not maintained anymore, it 
>> could give a false sense of security and therefore do more harm than 
>> good. I'll do my best to keep it up-to-date. I'm also to open-source 
>> it on github, therefore any user suggestions will be taken into 
>> consideration.
>>
>> It will not be an online tool for now, although I've considered the 
>> option. I've planned to release the tool via github, for anyone to 
>> download and use it anywhere they want - as some servers may not be 
>> publicly accessible. Depending on the usage of the tool, an online 
>> service would also make sense. However, with the online service, I 
>> want the user data to be handled in a privacy-respecting manner, 
>> so that will require some more work.
>>
>> b)
>> Precisely. The tool cannot decide such situation-dependent options. 
>> Many of which, I've implemented as an informative text, with an 
>> explanation what the option does exactly (e.g. --client-to-client, 
>> which may be a threat or may be very much intended). Other 
>> cryptography based options (e.g. --cipher or --tls-cipher) may also be 
>> deliberately configured in a less secure manner, to achieve a better 
>> compatibility with older devices. The user will be informed about the 
>> less secure options (with an information about the compatibility 
>> trade-off), but in the end the user has to decide what is right for 
>> their specific setup.
>>
>> Kind regards
>>
>>
>> 16. Aug 2017 08:43 by a...@unstable.cc:
>>
>>> Hello,
>>>
>>> On 16/08/17 14:21, open...@keemail.me wrote:
>>>
>>>> Hello,
>>>>
>>>> I've developed a Python script to grade OpenVPN server
>>>> configurations considering the security.
>>>> The tool mainly focuses on: auth, cipher, tls-cipher, prng,
>>>> tls-auth, tls-version-min/max, no-replay, no-iv, key-method,
>>>> ncp-ciphers, ncp-disable, tls-crypt and key-direction.
>>>>
>>>> The result is a grade between F and A+ and suggestions on how
>>>> to enhance the security of the OpenVPN setup.
>>>>
>>>> I've tested it with various OpenVPN server configurations I
>>>> found online, but I would like to gather some feedback from
>>>> the community and update the tool accordingly, before
>>>> releasing it.
>>>>
>>>> This tool is intended for server operators, but I'm about to
>>>> complete a second tool, intended for OpenVPN users.
>>>>
>>>> The goal is to help operators to enhance the security of their
>>>> OpenVPN servers and to help users determine the security of
>>>> the server they're using.
>>>>
>>>> If you're interested in testing the tool and would like to
>>>> provide some valuable feedback, or have any other questions
>>>> about the project, please contact me.
>>>
>>> I am no expert here, but my personal opinion is that such a tool
>>> can be a bit dangerous. Here are some thoughts that just came to my mind:
>>>
>>> a) you have to be sure you keep it up to date, because a good option X
>>> today, might become a bad option tomorrow (i.e. due to a bug being
>>> found). Is the tool an online tool? otherwise this means that people
>>> having different versions might get different results (due to the
>>> previous point). Without talking about when the tool won't be
>>>