Re: [CentOS] VPN suggestions centos 6, 7

Mon, 18 Apr 2016 07:37:01 -0700 





Folks


I would like to have my windows 7 laptop communicate with my home 
server via a VPN, in such a way that it appears to be "inside" my 
home network.  It should not only let me appear to be at home for 
any external query, but also let me access my computers inside my home.



I already have this working using M$'s PPTP using my home Centos 6 
gateway/router as the PoPToP server.  However, I am concerned about 
the privacy/security of such a connection.



I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan 
(and probably others I haven't noted).  I'd be interested in hearing 
from anyone who wishes to comment about which to use, with the 
following requirements:


1)  As noted, it should be secure (anti NSA?)

2)  Works on Centos 6 and Centos 7 and Windows 7 (and for the 
future, Windows 10)

3)  Can be set up on the server with command line interfaces only (no GUI)

And, should not be a nightmare to set up.

Any thoughts?

David

----------------------------
FOLLOWUP & REPORT


I had lots of suggestions, and the most persuasive was to try 
OpenVPN.  I already had a CA working, so issuing certificates was 
easy.  The HOW-TO guides were less helpful than I could hope, but 
comparing several of them, applying common sense, and trying things 
out, I arrived at a dead-end.  Here's essentially what happened:



- None of the HOW-TOs were very clear about the need to add some 
attributes to a certificate, keyUsage and extendedKeyUsage.  They had 
different values for server and client.  OpenSSL documentation was a 
big vague on how to add them, but I think I did - the print out of 
the entity certificates showed the values.  The attempt to connect 
failed.  The client log is below.  I think it's complaining that the 
CA certificate doesn't have the ke Usage extension, which makes no 
sense to me.  Such an extension should be in the end-entity 
certificate, not the CA's, unless I'm wrong.  I checked the server 
and really think that the certificates are in the right place.


To review the situation:
Client:  A windows 7 laptop, and it definitely moves around.
Server:  Centos 6 running in my home.
Protocol is TCP

Client log, some details replace with XXXXX
---------------------------

Mon Apr 18 05:34:47 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL 
(OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016

Mon Apr 18 05:34:47 2016 Windows version 6.1 (Windows 7)
Mon Apr 18 05:34:47 2016 library versions: OpenSSL 1.0.1s  1 Mar 2016, LZO 2.09
Enter Management Password:

Mon Apr 18 05:34:47 2016 MANAGEMENT: TCP Socket listening on 
[AF_INET]127.0.0.1:25340
Mon Apr 18 05:34:47 2016 Need hold release from management interface, 
waiting...
Mon Apr 18 05:34:48 2016 MANAGEMENT: Client connected from 
[AF_INET]127.0.0.1:25340

Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'state on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'log all on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold off'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold release'
Mon Apr 18 05:34:48 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,RESOLVE,,,

Mon Apr 18 05:34:48 2016 Attempting to establish TCP connection with 
[AF_INET]X.X.X.X:1194 [nonblock]

Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,TCP_CONNECT,,,
Mon Apr 18 05:34:49 2016 TCP connection established with [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link local: [undef]
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,WAIT,,,
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,AUTH,,,

Mon Apr 18 05:34:49 2016 TLS: Initial packet from 
[AF_INET]X.X.X.X:1194, sid=63eed44a 8be061de
Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, 
L=San Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X

Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension
Mon Apr 18 05:34:50 2016 VERIFY KU ERROR

Mon Apr 18 05:34:50 2016 TLS_ERROR: BIO read tls_read_plaintext 
error: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Mon Apr 18 05:34:50 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 18 05:34:50 2016 TLS Error: TLS handshake failed

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos






















					Reply via email to