tls-crypt: use the already generated ta.key on generate a new one with openvpn --genkey --secret
-----Original Message----- From: The Doctor [mailto:doc...@doctor.nl2k.ab.ca] Sent: Saturday, April 4, 2020 4:05 PM To: Dajka Tam?s <vi...@vipernet.hu> Cc: 'Gert Doering' <g...@greenie.muc.de>; 'openvpn users list' <openvpn-users@lists.sourceforge.net> Subject: Re: [Openvpn-users] First time set up using openvpn On Sat, Apr 04, 2020 at 03:18:44PM +0200, Dajka Tam?s wrote: > Hi, > > pam is not that bad :) We use it with LDAP (over TLS) on many > machines, however, to get TLS to work properly you either have to > disable cert verification or install the proper CA on every node. > > I use the pam plugin with radius backend now, it was working out-of-the-box. > > Anyway, if you want to use PAM as an auth backend, I suggest you set > it up/try it with another authenticator, like SSH. Debugging radius is > easy, you add 'debug' in the corresponting pam module line and if > you're using freeradius, simply run it from command line with '-X' and > you'll see what's going on. > Later on that. > About tls-auth: I suggest you use tls-crypt instead of tls-auth, it's > a bit more advanced. > > In server.conf: > > tls-crypt tls-crypt.key > > In client.conf: > > <tls-crypt> > [[[ THE CONTENTS OF THE KEY OF tls-crypt.key - USING INLINE IS GOOD > ]]] </tls-crypt> > Got you. What about generating tls-crypt.key? > > Cheers, > > Tom > > -----Original Message----- > From: The Doctor via Openvpn-users > [mailto:openvpn-users@lists.sourceforge.net] > Sent: Saturday, April 4, 2020 2:55 PM > To: Gert Doering <g...@greenie.muc.de> > Cc: openvpn-users@lists.sourceforge.net > Subject: Re: [Openvpn-users] First time set up using openvpn > > On Sat, Apr 04, 2020 at 09:24:24AM +0200, Gert Doering wrote: > > Hi, > > > > On Fri, Apr 03, 2020 at 05:30:23PM -0600, The Doctor via > > Openvpn-users > wrote: > > > tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is > > > secret > > > > If you have this on the server... > > > > > ;tls-auth /usr/local/etc/openvpn/server/ta.key 1 > > > > ... you MUST have it on the client as well. > > > > Step 1. > > > > verb 9 > > > > this is way too high for normal debugging, use "verb 4" :-) > > > > As soon as you have the TLS-Auth part sorted out - there is no > > authentication backend configured on the server, so it won't do LDAP > > or radius. As for "how to do this", there's many possible ways > > - you can use a plugin (plugin_auth_pam is a good start, and then > > pam_radius or pam_ldap), or a script (--auth-user-pass-verify, see > > the man page), ... > > > > pam has always been problematic even on SASl, hence why I avoid it. > > > gert > > -- > > "If was one thing all people took for granted, was conviction that > > if you feed honest figures into a computer, honest figures come out. > > Never doubted it myself till I met a computer with a sense of humor." > > Robert A. Heinlein, The Moon is a Harsh > > Mistress > > > > Gert Doering - Munich, Germany > g...@greenie.muc.de > > > > -- > Member - Liberal International This is doctor@@nl2k.ab.ca Ici > doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President > Republic!Beware AntiChrist rising! > https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on > Atheism Those who cannot win on facts rely upon slander. -unknown > > > _______________________________________________ > Openvpn-users mailing list > Openvpn-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-users > -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! https://www.empire.kred/ROOTNK?t=94a1f39b Look at Psalms 14 and 53 on Atheism Those who cannot win on facts rely upon slander. -unknown _______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
