Openvpn

From My Mnemonic Rhyme

Links

Create client certificate on 1blue server

cd /etc/openvpn
/usr/share/easy-rsa/easyrsa build-client-full Legion2

Copy Legion2.crt, Legion2.key, ta.key and ca.cert to the client.

Remove the passphrase from the key:

openssl rsa -in Legion2.key -out Legion2mod.key

Create an OpenVPN key (without EasyRSA)

openssl req -days 3650 -nodes -new -keyout client.key -out client.csr -config ca.cnf
openssl ca -days 3650 -in client.csr -out client.crt -config ca.cnf

Password via file (askpass directive in the OpenVPN config):

askpass /etc/openvpn/pass.txt

OpenVPN init Script

Nowadays OpenVPN is started via systemd:

sudo systemctl start openvpn@client.service

Startup error under Debian/Ubuntu

Create a systemd drop-in with

systemctl edit openvpn@

and add:

[Service]
LimitNPROC=infinity

old init hints

/etc/init.d/openvpn

# Source defaults file; edit that file to configure this script.
#AUTOSTART="all"
AUTOSTART="client"

Check certificate

/usr/sbin# ./ssl-cert-check -c

Fallback

#!/bin/bash
# Modified PPP test script for OpenVPN fallback

host1="192.168.0.1"
# the number of the currently active connection (1 or 2) is written to /tmp/ovpn_tmp
host2="fw-01.smt-obdf.de"
state_file="/tmp/ovpn_tmp"

# Sets $test to the ping error text if a single ping to $1 fails, empty otherwise.
pingtest()
{
  # $1 is used as the hostname
  unset test
  test=$(ping -c1 -s8 "$1" 2>&1 | grep -e "unreachable" -e "unknown" -e "denied" -e "permitted" -e "100% packet loss")
}

# State "2": the fallback connection is active, check whether host1 still answers
if [ "$(cat "$state_file" 2>/dev/null)" = "2" ];
then
  echo "OVPN: Normal check on $host1"
  pingtest "$host1"
  echo "$test"
  if [ -n "$test" ];
  then
    echo "OVPN: Try to restart $host1 after DC"
    /etc/init.d/openvpn stop
    /etc/init.d/openvpn start smt1
    echo "1" > "$state_file"
  fi
  exit 0
fi

# State "1" (or no state yet): primary connection, fall back to host2 if host1 is down
pingtest "$host1"
if [ -z "$test" ];
then
  echo "OVPN: $host1 up"
else
  pingtest "$host2"
  echo "$test"
  if [ -z "$test" ];
  then
    echo "OVPN: $host2 reachable! Starting"
    /etc/init.d/openvpn stop
    /etc/init.d/openvpn start smt2
    echo "2" > "$state_file"
  else
    echo "OVPN: $host2 also down"
    echo "DSL reconnect!"
  fi
fi


Revoke certificate

View revoked and active certificates

/usr/ssl/index.txt

All revoked certificates are marked with R (Revoke), all active ones with V (Verify).

Revoking certificates

/usr/ssl/make_crl {certificate-name}.crt

Important: after revoking, copy the file /usr/ssl/crls/crl.pem to /etc/openvpn/crls/ and run /etc/init.d/openvpn restart to activate the revocation list.

pkitool

Usage: pkitool [options...] [common-name]
Options:
  --batch    : batch mode (default)
  --keysize  : Set keysize
      size   : size (default=1024)
  --interact : interactive mode
  --server   : build server cert
  --initca   : build root CA
  --inter    : build intermediate CA
  --pass     : encrypt private key with password
  --csr      : only generate a CSR, do not sign
  --sign     : sign an existing CSR
  --pkcs12   : generate a combined PKCS#12 file
  --pkcs11   : generate certificate on PKCS#11 token
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      id     : PKCS#11 object id (hex string)
      label  : PKCS#11 object label
Standalone options:
  --pkcs11-slots   : list PKCS#11 slots
      lib    : PKCS#11 library
  --pkcs11-objects : list PKCS#11 token objects
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
  --pkcs11-init    : initialize PKCS#11 token DANGEROUS!!!
      lib    : PKCS#11 library
      slot   : PKCS#11 slot
      label  : PKCS#11 token label
Notes:
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
  In order to use PKCS#11 interface you must have opensc-0.10.0 or higher.
Generated files and corresponding OpenVPN directives:
(Files will be placed in the $KEY_DIR directory, defined in ./vars)
  ca.crt     -> root certificate (--ca)
  ca.key     -> root key, keep secure (not directly used by OpenVPN)
  .crt files -> client/server certificates (--cert)
  .key files -> private keys, keep secure (--key)
  .csr files -> certificate signing request (not directly used by OpenVPN)
  dh1024.pem or dh2048.pem -> Diffie Hellman parameters (--dh)
Examples:
  pkitool --initca          -> Build root certificate
  pkitool --initca --pass   -> Build root certificate with password-protected key
  pkitool --server server1  -> Build "server1" certificate/key
  pkitool client1           -> Build "client1" certificate/key
  pkitool --pass client2    -> Build password-protected "client2" certificate/key
  pkitool --pkcs12 client3  -> Build "client3" certificate/key in PKCS#12 format
  pkitool --csr client4     -> Build "client4" CSR to be signed by another CA
  pkitool --sign client4    -> Sign "client4" CSR
  pkitool --inter interca   -> Build an intermediate key-signing certificate/key
                               Also see ./inherit-inter script.
  pkitool --pkcs11 /usr/lib/pkcs11/lib1 0 010203 "client5 id" client5
                              -> Build "client5" certificate/key in PKCS#11 token
Typical usage for initial PKI setup.  Build myserver, client1, and client2 cert/keys.
Protect client2 key with a password.  Build DH parms.  Generated files in ./keys :
  [edit vars with your site-specific info]
  source ./vars
  ./clean-all
  ./build-dh     -> takes a long time, consider backgrounding
  ./pkitool --initca
  ./pkitool --server myserver
  ./pkitool client1
  ./pkitool --pass client2
Typical usage for adding client cert to existing PKI:
  source ./vars
  ./pkitool client-new

SSL Cert Check

#!/bin/bash
# Mail systemcheck@smt.de about every certificate listed (whitespace-separated)
# in /usr/ssl/cert-check-list that expires within the next 15 days (-x 15).
for cert in $(cat /usr/ssl/cert-check-list); do
  ssl-cert-check -e systemcheck@smt.de -q -a -c "/usr/ssl/newcerts/$cert" -x 15
  #ssl-cert-check -c "/usr/ssl/newcerts/$cert"
done
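The two checks above (the R/V view of /usr/ssl/index.txt under "Revoke certificate", and the 15-day expiry warning of the SSL Cert Check script) can both be served by reading the CA database directly. The following is an added example written for this page, not a script from the wiki or from OpenVPN/EasyRSA. It assumes the classic OpenSSL index.txt layout (six tab-separated fields: status, notAfter, revocation date with optional reason, serial, filename, subject DN) and the YYMMDDHHMMSSZ timestamp form; the SAMPLE_INDEX content is constructed. It goes slightly beyond the page by also flagging entries whose date has passed but which are still marked V, which happens when nobody has run openssl ca -updatedb.

```python
"""Report revoked, expired and soon-to-expire certificates from an OpenSSL index.txt."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional

# Constructed sample index.txt content (not a real CA database).
SAMPLE_INDEX = (
    "V\t360101120000Z\t\t01\tunknown\t/CN=Legion2\n"
    "R\t330101120000Z\t240315093000Z,keyCompromise\t02\tunknown\t/CN=client1\n"
    "V\t240601000000Z\t\t03\tunknown\t/CN=soon-to-expire\n"
    "V\t240101000000Z\t\t04\tunknown\t/CN=already-expired\n"
)


class IndexEntry(NamedTuple):
    status: str                   # V = valid, R = revoked, E = expired (as written by openssl ca)
    not_after: datetime
    revoked_at: Optional[datetime]
    reason: Optional[str]
    serial: str
    subject: str


def parse_asn1_time(value: str) -> datetime:
    """Parse the YYMMDDHHMMSSZ (13 chars) or YYYYMMDDHHMMSSZ (15 chars) form used in index.txt."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[IndexEntry]:
    """Turn index.txt text into IndexEntry records; malformed lines raise ValueError."""
    entries: List[IndexEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, not_after, revocation, serial, _filename, subject = fields
        revoked_at: Optional[datetime] = None
        reason: Optional[str] = None
        if revocation:
            # Revocation field is "<time>" or "<time>,<reason>"
            rev_time, _, reason_text = revocation.partition(",")
            revoked_at = parse_asn1_time(rev_time)
            reason = reason_text or None
        entries.append(IndexEntry(status, parse_asn1_time(not_after), revoked_at, reason, serial, subject))
    return entries


def classify(entries: List[IndexEntry], now: datetime, warn_days: int = 15) -> Dict[str, List[str]]:
    """Group serials by state, mirroring the wiki's R/V view plus an expiry warning window."""
    cutoff = now + timedelta(days=warn_days)
    report: Dict[str, List[str]] = {"revoked": [], "expired": [], "expiring_soon": [], "valid": []}
    for e in entries:
        if e.status == "R":
            report["revoked"].append(e.serial)
        elif e.status == "E" or e.not_after < now:
            # Marked E by openssl ca -updatedb, or still V but the date has passed
            report["expired"].append(e.serial)
        elif e.not_after <= cutoff:
            report["expiring_soon"].append(e.serial)
        else:
            report["valid"].append(e.serial)
    return report


if __name__ == "__main__":
    # Run against the constructed sample with a fixed "now" so the output is reproducible.
    result = classify(parse_index(SAMPLE_INDEX), datetime(2024, 5, 20, tzinfo=timezone.utc))
    for state, serials in result.items():
        print(f"{state}: {', '.join(serials) or '-'}")
```

To use it against a real CA, replace SAMPLE_INDEX with the contents of /usr/ssl/index.txt and pass datetime.now(timezone.utc) as the reference time; the "expiring_soon" list corresponds to what ssl-cert-check -x 15 would mail about.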