[plug] OpenVPN with Ubuntu

Kai Jones kaij at kamsc.org.au
Thu Jan 8 16:12:19 WST 2009


We have the link working now, just have to figure out the routing.

In openssl.cnf we had to change nsCertType option to server or client,
depending where we were activating the openvpn, there's no indication
in the howto/faq/man page about changing this variable from server (when
configuring the server key and certificate) to client (when configuring
client keys and certificates).

Woulda thought there'd be a separate server and client file so you
didn't have to run the server key/certificate, then change that setting
to "client" in the nsCertType option, save and run the certificate and
key generation for the client files.

Is it just me or does that seem long winded? And, we couldn't find it in
any of the doco's so it took us a lot of digging to figure out where to
actually change those variables.

Also had to comment out this line:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Also working on pushing routes, staff at remote location can ping
machines on our private subnet but we can only ping the virtual
interface on their host, can't get any further.

Cheers
Kai

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Daniel Pittman
Sent: 08 January 2009 10:25
To: plug at plug.org.au
Subject: Re: [plug] OpenVPN with Ubuntu

"Kai Jones" <kaij at kamsc.org.au> writes:

> This is my first bash at configuring VPN, on Ubuntu 8.1, using
> OpenVPN,

The release is '8.10', where 10 is the month of release.

> reading the HOWTO:
> http://openvpn.net/index.php/documentation/howto.html
>
> The box I'm working on is in service so I'm trying to be careful not
> to break anything, so far I can get it as far as handshaking, with
> this error:
>
> Thu Jan  8 08:27:33 2009 VERIFY ERROR: depth=0, error=unsupported
> certificate purpose:

That snapping sound you can hear is my patience going: the damn
"certificate purpose" stuff is a royal PITA, and almost none of them
cover this part.

[...]

> Maybe I'm using the wrong search terms in google but so far I haven't
> found anything that helps point me in the right direction as to how
> you set a certificate's purpose, where to find something that shows me
> how to make a certificate fit its purpose (?!) and or how to turn off
> certificates temporarily just to see if the VPN will at least connect
> without it

Well, it is a feature of the CSR, more or less, and the default is set
by OpenSSL if you are using the CA support that came with the tool.

(For reference, I use xca[1] to manage the CA, and it sucks an awful lot
 less than the default stuff for a small system.)


Anyway, you need to edit the OpenSSL configuration file used when
running the CA and set the 'nsCertType' and 'keyUsage' fields to
whatever specific features you require.

(IIRC, only nsCertType server and client are required, but it has been a
 couple of years since I set up an OpenVPN CA myself.)

Regards,
        Daniel

Footnotes: 
[1]  http://xca.sourceforge.net/
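Both messages turn on the nsCertType and keyUsage extensions that OpenSSL's purpose check examines before the handshake is accepted. The POSIX shell helper below is an added example, not code from either poster or from OpenVPN; it assumes OpenSSL 1.1.1 or later (for the -ext and -addext options), and the make_cert function builds constructed throwaway self-signed certificates only so the check can be tried without a real CA.

```sh
#!/bin/sh
# Added example (not from the thread): inspect the extensions OpenSSL's
# purpose check uses, and confirm a certificate fits its intended role.
# Assumes OpenSSL 1.1.1+ for the -ext / -addext options.

# Print server, client, both or none according to the nsCertType extension.
cert_nstype() {
    ext=$(openssl x509 -in "$1" -noout -ext nsCertType 2>/dev/null)
    case "$ext" in
        *"SSL Client"*"SSL Server"*|*"SSL Server"*"SSL Client"*) echo both ;;
        *"SSL Server"*) echo server ;;
        *"SSL Client"*) echo client ;;
        *) echo none ;;
    esac
}

# Succeed when keyUsage includes Digital Signature, which the TLS
# handshake needs regardless of role.
cert_can_sign() {
    openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null |
        grep -q "Digital Signature"
}

# check_purpose CERT ROLE: return 0 if CERT is usable as ROLE (server|client),
# otherwise explain the mismatch on stderr and return 1.
check_purpose() {
    t=$(cert_nstype "$1")
    [ "$t" = "$2" ] || [ "$t" = both ] ||
        { echo "$1: nsCertType is '$t', role '$2' needs it" >&2; return 1; }
    cert_can_sign "$1" ||
        { echo "$1: keyUsage lacks Digital Signature" >&2; return 1; }
    echo "$1: usable as $2"
}

# make_cert OUT ROLE: constructed throwaway self-signed certificate carrying
# the extensions a per-role CA config section would set (demo only).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2-demo" \
        -keyout /dev/null -out "$1" -addext "nsCertType=$2" \
        -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
}

# Usage: sh check_purpose.sh CERT server|client
if [ $# -eq 2 ]; then check_purpose "$1" "$2"; fi
```

Running it against a server certificate with the client role reproduces the mismatch behind the "unsupported certificate purpose" verify error, with the offending extension named.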
