[CentOS] VPN suggestions centos 6, 7
david at daku.org
Mon Apr 18 14:33:51 UTC 2016
>I would like to have my windows 7 laptop communicate with my home
>server via a VPN, in such a way that it appears to be "inside" my
>home network. It should not only let me appear to be at home for
>any external query, but also let me access my computers inside my home.
>I already have this working using M$'s PPTP using my home Centos 6
>gateway/router as the PoPToP server. However, I am concerned about
>the privacy/security of such a connection.
>I have seen discussions of OpenVPN, OpenSwan, LibreVPN, StrongSwan
>(and probably others I haven't noted). I'd be interested in hearing
>from anyone who wishes to comment about which to use, with the
>1) As noted, it should be secure (anti NSA?)
>2) Works on Centos 6 and Centos 7 and Windows 7 (and for the
>future, Windows 10)
>3) Can be set up on the server with command line interfaces only (no GUI)
>And, should not be a nightmare to set up.
FOLLOWUP & REPORT
I had lots of suggestions, and the most persuasive was to try
OpenVPN. I already had a CA working, so issuing certificates was
easy. The HOW-TO guides were less helpful than I could hope, but
comparing several of them, applying common sense, and trying things
out, I arrived at a dead-end. Here's essentially what happened:
- None of the HOW-TOs were very clear about the need to add some
attributes to a certificate, keyUsage and extendedKeyUsage. They had
different values for server and client. OpenSSL documentation was a
big vague on how to add them, but I think I did - the print out of
the entity certificates showed the values. The attempt to connect
failed. The client log is below. I think it's complaining that the
CA certificate doesn't have the ke Usage extension, which makes no
sense to me. Such an extension should be in the end-entity
certificate, not the CA's, unless I'm wrong. I checked the server
and really think that the certificates are in the right place.
To review the situation:
Client: A windows 7 laptop, and it definitely moves around.
Server: Centos 6 running in my home.
Protocol is TCP
Client log, some details replace with XXXXX
Mon Apr 18 05:34:47 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL
(OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 10 2016
Mon Apr 18 05:34:47 2016 Windows version 6.1 (Windows 7)
Mon Apr 18 05:34:47 2016 library versions: OpenSSL 1.0.1s 1 Mar 2016, LZO 2.09
Enter Management Password:
Mon Apr 18 05:34:47 2016 MANAGEMENT: TCP Socket listening on
Mon Apr 18 05:34:47 2016 Need hold release from management interface,
Mon Apr 18 05:34:48 2016 MANAGEMENT: Client connected from
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'state on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'log all on'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold off'
Mon Apr 18 05:34:48 2016 MANAGEMENT: CMD 'hold release'
Mon Apr 18 05:34:48 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,RESOLVE,,,
Mon Apr 18 05:34:48 2016 Attempting to establish TCP connection with
Mon Apr 18 05:34:48 2016 MANAGEMENT: >STATE:1460982888,TCP_CONNECT,,,
Mon Apr 18 05:34:49 2016 TCP connection established with [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link local: [undef]
Mon Apr 18 05:34:49 2016 TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,WAIT,,,
Mon Apr 18 05:34:49 2016 MANAGEMENT: >STATE:1460982889,AUTH,,,
Mon Apr 18 05:34:49 2016 TLS: Initial packet from
[AF_INET]X.X.X.X:1194, sid=63eed44a 8be061de
Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California,
L=San Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X
Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension
Mon Apr 18 05:34:50 2016 VERIFY KU ERROR
Mon Apr 18 05:34:50 2016 TLS_ERROR: BIO read tls_read_plaintext
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Apr 18 05:34:50 2016 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 18 05:34:50 2016 TLS Error: TLS handshake failed
More information about the CentOS