On Wed, Aug 16, 2023 at 6:27 PM, Jochen Bern
<jochen.b...@binect.de> wrote:

On 16.08.23 15:05, Jason Long wrote:
> I used 
> "https://www.howtoforge.com/how-to-install-and-configure-openvpn-server-on-debian-10/";
>  tutorial to create my OpenVPN server.

(No date on the article ... no date on the comments ... OpenVPN version 
not shown anywhere ... according to one systemctl output, probably 
written in September 2019, when Debian 10 and OpenSSL 1.1.1c were in 
fact current ... still using /etc/openvpn instead of /etc/openvpn/server 
and /etc/openvpn/client, respectively ... no mention of doing a 
"systemctl enable openvpn@ConfigFileBaseName" on the server ... no 
explicit description of what the VPN set up is supposed to *do* 
(apparently: secure Inet access for a road warrior, no other servers at 
the site hosting the VPN peer, no communication back to the clients) ... 
no discussion of how he came to pick 10.8.0.0/24 for the tunnel IPs, how 
(far) to check for IP conflicts, how many clients you can accommodate 
with that /24 ...)

... word of warning: Just because the how-to doesn't ask you to enter 
something at

> Common Name (eg: your user, host, or server name) [client]:

and later has you type in

> ./easyrsa sign-req client client

doesn't mean that you want all client certs to be named "client", or - 
even worse - use the same client cert for them all. Make those *unique* 
- ideally per device, not just per user.

However, if you worked along *that* how-to, your CA certificate is 
indeed using the CN of "server" (not "Server", but that might be a 
liberty that MS took). Exactly the same as the server cert. X-C

> Common Name (eg: your user, host, or server name) [Easy-RSA CA]:server



> About the server log [...]
> # cat /var/log/openvpn/virt1.log
> 2023-08-16 06:23:18 WARNING: --topology net30 support for server configs 
> with IPv4 pools will be removed in a future release. Please migrate to 
> --topology subnet as soon as possible.
> [...]
> 2023-08-16 06:23:18 Initialization Sequence Completed

That shows us the startup phase of the OpenVPN server. In order to check 
what the server thinks about the cert the client presents, you'll have 
to have the client make an attempt to connect, and then grab the logs 
from *those* couple seconds.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH



Hi Jochen,

Thank you for your advice about the How-to articles. Can you answer my 
questions?

1- What is the difference between /etc/openvpn and /etc/openvpn/server 
directories? I put my server.conf file in the /etc/openvpn directory and it 
worked.

2- You said "./easyrsa sign-req client client", make those unique ideally per 
device, not just per user. How to make it unique per user? If I have 1000 
clients, then I must generate 1000 key files???

3- For the CA certificate, I must use "Server" not "server". May I ask why?

Finally, I guess the information that you want from the client side is:
Wed Aug 16 11:01:38 2023 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Wed Aug 16 11:01:38 2023 Note: ovpn-dco-win driver is missing, disabling data channel offload.
Wed Aug 16 11:01:38 2023 OpenVPN 2.6.5 [git:v2.6.5/cbc9e0ce412e7b42] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Jun 13 2023
Wed Aug 16 11:01:38 2023 Windows version 6.1 (Windows 7), amd64 executable
Wed Aug 16 11:01:38 2023 library versions: OpenSSL 3.1.1 30 May 2023, LZO 2.10
Wed Aug 16 11:01:38 2023 DCO version: v0
Wed Aug 16 11:01:38 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Wed Aug 16 11:01:38 2023 Need hold release from management interface, waiting...
Wed Aug 16 11:01:38 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1031
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'state on'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'log on all'
Wed Aug 16 11:01:38 2023 MANAGEMENT: CMD 'echo on all'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'bytecount 5'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'state'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold off'
Wed Aug 16 11:01:39 2023 MANAGEMENT: CMD 'hold release'
Wed Aug 16 11:01:39 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Aug 16 11:01:39 2023 UDPv4 link local: (not bound)
Wed Aug 16 11:01:39 2023 UDPv4 link remote: [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,,,,,
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,,,,,
Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, sid=2e7d21e3 db47853e
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server
Wed Aug 16 11:01:39 2023 VERIFY KU OK
Wed Aug 16 11:01:39 2023 Validating certificate extended key usage
Wed Aug 16 11:01:39 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 16 11:01:39 2023 VERIFY EKU OK
Wed Aug 16 11:01:39 2023 VERIFY OK: depth=0, CN=server
Wed Aug 16 11:01:39 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Wed Aug 16 11:01:39 2023 [server] Peer Connection Initiated with [AF_INET]192.168.1.20:2000
Wed Aug 16 11:01:39 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Wed Aug 16 11:01:39 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Wed Aug 16 11:01:39 2023 AUTH: Received control message: AUTH_FAILED
Wed Aug 16 11:01:39 2023 SIGUSR1[soft,auth-failure] received, process restarting
Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,RECONNECTING,auth-failure,,,,,
Wed Aug 16 11:01:39 2023 Restart pause, 1 second(s)
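An added example, not part of this thread and not OpenVPN project code: a small Python triage script for a client log like the one posted above. It splits the records (even when an archive has run them together on one line, as here), collects what the client actually verified (the chain of CNs, the EKU check, the control-channel parameters, the management STATE transitions), flags subject names that differ only by case (the CA "Server" beside the server cert "server" that Jochen commented on), and reaches the same conclusion Jochen gave: the client accepted the server's chain and finished the TLS handshake, and AUTH_FAILED then arrived from the server, so the reason lives in the server log for those seconds. It uses only the standard library; SAMPLE_LOG is an excerpt of the log posted above, kept run together as the archive shows it.

```python
import re
from dataclasses import dataclass, field

# Timestamp format of the Windows client log posted above, e.g.
# "Wed Aug 16 11:01:39 2023 ...".  Splitting on a zero-width lookahead
# also recovers records from a log that has been run together on one line.
_TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
_SPLIT_RE = re.compile(r"(?=" + _TS + r" )")
_LINE_RE = re.compile(r"^(?P<ts>" + _TS + r") (?P<msg>.*)$", re.DOTALL)

_VERIFY_RE = re.compile(r"VERIFY OK: depth=(?P<depth>\d+), CN=(?P<cn>.+)$")
_EKU_RE = re.compile(r"Certificate has EKU \(str\) (?P<has>.+?), expects (?P<want>.+)$")
_CTRL_RE = re.compile(r"Control Channel: (?P<desc>.+)$")
_STATE_RE = re.compile(r">STATE:\d+,(?P<state>[A-Z_]+)")


@dataclass
class Triage:
    chain: list = field(default_factory=list)          # (depth, CN) the client verified
    eku_checked: list = field(default_factory=list)    # (EKU present, EKU expected)
    control_channel: str = ""                          # TLS version, cipher, peer key
    states: list = field(default_factory=list)         # management >STATE transitions
    peer_connection_initiated: bool = False
    auth_failed: bool = False
    ambiguous_cns: list = field(default_factory=list)  # CNs that differ only by case
    verdict: str = ""


def split_records(text):
    """Yield (timestamp, message) pairs from a normal or run-together client log."""
    for chunk in _SPLIT_RE.split(text):
        m = _LINE_RE.match(chunk.strip())
        if m:
            yield m.group("ts"), " ".join(m.group("msg").split())


def triage_client_log(text):
    """Summarise what the client log proves, and what only the server log can show."""
    t = Triage()
    for _ts, msg in split_records(text):
        if (m := _VERIFY_RE.search(msg)):
            t.chain.append((int(m.group("depth")), m.group("cn")))
        elif (m := _EKU_RE.search(msg)):
            t.eku_checked.append((m.group("has"), m.group("want")))
        elif (m := _CTRL_RE.search(msg)):
            t.control_channel = m.group("desc")
        elif (m := _STATE_RE.search(msg)):
            t.states.append(m.group("state"))
        elif "Peer Connection Initiated" in msg:
            t.peer_connection_initiated = True
        elif "AUTH_FAILED" in msg:
            t.auth_failed = True

    # Subject names that collide case-insensitively (a CA "Server" issuing a
    # server cert "server") are not an error by themselves, but they make logs
    # and name-matching rules easy to misread, so report them.
    by_fold = {}
    for _depth, cn in t.chain:
        by_fold.setdefault(cn.casefold(), set()).add(cn)
    t.ambiguous_cns = [tuple(sorted(v)) for v in by_fold.values() if len(v) > 1]

    if t.auth_failed and t.peer_connection_initiated:
        t.verdict = ("client verified the server chain and completed the TLS "
                     "handshake; AUTH_FAILED came from the server afterwards, so "
                     "the server rejected this client: read the server log for "
                     "the same seconds")
    elif t.auth_failed:
        t.verdict = "AUTH_FAILED before the control channel was established"
    elif not t.chain:
        t.verdict = "no server certificate verification reached; check reachability first"
    else:
        t.verdict = "TLS handshake completed without an authentication failure"
    return t


# Excerpt of the client log posted above, kept run together as the archive
# shows it so that the splitter is exercised on the hard case.
SAMPLE_LOG = (
    "Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,WAIT,,,,,,"
    "Wed Aug 16 11:01:39 2023 MANAGEMENT: >STATE:1692167499,AUTH,,,,,,"
    "Wed Aug 16 11:01:39 2023 TLS: Initial packet from [AF_INET]192.168.1.20:2000, "
    "sid=2e7d21e3 db47853eWed Aug 16 11:01:39 2023 VERIFY OK: depth=1, CN=Server"
    "Wed Aug 16 11:01:39 2023 VERIFY KU OKWed Aug 16 11:01:39 2023 ++ Certificate "
    "has EKU (str) TLS Web Server Authentication, expects TLS Web Server "
    "AuthenticationWed Aug 16 11:01:39 2023 VERIFY EKU OKWed Aug 16 11:01:39 2023 "
    "VERIFY OK: depth=0, CN=serverWed Aug 16 11:01:39 2023 Control Channel: TLSv1.3, "
    "cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, "
    "signature: RSA-SHA256Wed Aug 16 11:01:39 2023 [server] Peer Connection "
    "Initiated with [AF_INET]192.168.1.20:2000Wed Aug 16 11:01:39 2023 AUTH: "
    "Received control message: AUTH_FAILEDWed Aug 16 11:01:39 2023 MANAGEMENT: "
    ">STATE:1692167499,RECONNECTING,auth-failure,,,,,"
)

if __name__ == "__main__":
    result = triage_client_log(SAMPLE_LOG)
    print("chain    :", result.chain)
    print("ambiguous:", result.ambiguous_cns)
    print("states   :", result.states)
    print("verdict  :", result.verdict)
```

Run it against a saved client log with `triage_client_log(open(path).read())`; because the splitter keys on the timestamp rather than on newlines, it does not matter whether the log came straight from the client or was pasted into a mail.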


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users