[CentOS] VPN suggestions centos 6, 7

david david at daku.org
Tue Apr 19 19:06:40 UTC 2016

At 08:57 AM 4/19/2016, you wrote:
>On Tue, 19 Apr 2016, david wrote:
>>At 09:09 AM 4/18/2016, you wrote:
>>>On Mon, 18 Apr 2016, david wrote:
>>> > I had lots of suggestions, and the most persuasive was to try 
>>> > OpenVPN.  I already had a CA working, so issuing certificates 
>>> > was easy.  The HOW-TO guides were less helpful than I could 
>>> > hope, but comparing several of them, applying common sense, and 
>>> > trying things out, I arrived at a dead-end.  Here's essentially 
>>> > what happened:
>>> >
>>> > - None of the HOW-TOs were very clear about the need to add 
>>> > some attributes to a certificate, keyUsage and 
>>> > extendedKeyUsage.  They had different values for server and 
>>> > client.  OpenSSL documentation was a bit vague on how to add 
>>> > them, but I think I did - the printout of the entity 
>>> > certificates showed the values.  The attempt to connect 
>>> > failed.  The client log is below.  I think it's complaining 
>>> > that the CA certificate doesn't have the keyUsage extension, 
>>> > which makes no sense to me.  Such an extension should be in the 
>>> > end-entity certificate, not the CA's, unless I'm wrong.  I 
>>> > checked the server and really think that the certificates are 
>>> > in the right place.
>>>Here's how I managed that in my openssl.cnf file. Lots of bits 
>>>elided for clarity's sake:
>>>### start ###
>>>[ ca ]
>>>default_ca = CA_default
>>>[ CA_default ]
>>>x509_extensions = server_cert
>>>[ server_cert ]
>>>keyUsage = nonRepudiation, dataEncipherment, digitalSignature
>>>extendedKeyUsage = serverAuth, clientAuth
>>>nsCertType = server, client
>>>### end ###
>>>I think the nsCertType directive may be unnecessary these days, 
>>>but I keep it around because it doesn't hurt anything.
>>>The important bit is the extendedKeyUsage line; I'm pretty sure 
>>>that an OpenVPN server needs the serverAuth extension. For 
>>>instance, here is the X509 extensions configuration for a server 
>>>used by EasyRSA:
>>>    basicConstraints = CA:FALSE
>>>    subjectKeyIdentifier = hash
>>>    authorityKeyIdentifier = keyid,issuer:always
>>>    extendedKeyUsage = serverAuth,clientAuth
>>>    keyUsage = digitalSignature,keyEncipherment
>>>You can ask openssl to tell you the purpose of a certificate:
>>>[bash]$ openssl x509 -noout -purpose -in cert.pem  | grep SSL
>>>SSL client : Yes
>>>SSL client CA : No
>>>SSL server : Yes
>>>SSL server CA : No
>>>Netscape SSL server : Yes
>>>Netscape SSL server CA : No
>>>Anyway, those are the extensions that should do away with these errors:
>>> > Mon Apr 18 05:34:50 2016 VERIFY OK: depth=1, C=US, ST=California, L=San Francisco, OU=Certificate Authority, O=XXXX, CN=X.X.X
>>> > Mon Apr 18 05:34:50 2016 Certificate does not have key usage extension
>>>Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/
>>Two things...
>>First, the diagnostic I got referenced the server's CA certificate. 
>>And that confuses me.
>I'm not sure that's actually what the log is indicating. I think 
>there's a mismatch between what extensions the server certificate 
>says it can provide and what the client is expecting.
>Can you provide the SSL/TLS parts of your client configuration?
>In particular, I expect you'll have a "remote-cert-tls server" 
>directive. I'd suggest commenting that out (or replacing it with 
>"ns-cert-type server") and trying again.
>If that succeeds, you'll probably need to review your CA configuration.

I'm not sure what you mean by the SSL/TLS parts of client 
configuration.  Here's what I have for the openvpn configuration 
files, comment lines removed.

The client file at
c:\program files\OpenVPN\config\client.ovpn
dev tun
remote X.X.X 1194
resolv-retry infinite
ca "C:\\Program Files\\OpenVPN\\config\\bla.ca"
cert "C:\\Program Files\\OpenVPN\\config\\bla.crt"
key "C:\\Program Files\\OpenVPN\\config\\bla.key"
remote-cert-tls server
verb 3

The Server file at
ca              /etc/pki/tls/certs/ca-bundle.crt
cert            /etc/pki/tls/certs/localhost.crt
dev             tun
dh              /etc/pki/tls/private/dh.pem
keepalive       10 120
key             /etc/pki/tls/private/localhost.key
port            1194
proto           tcp-server
push            "dhcp-option DNS"
push            "redirect-gateway def1 bypass-dhcp"
#log            openvpn.log
verb            4
user            nobody
group           nobody
local a.b.c.d
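An added example, not part of this thread and not OpenVPN's or EasyRSA's own code: a POSIX shell script that builds a throwaway CA, issues a server certificate with the extensions Paul's EasyRSA snippet shows, a client certificate, and a bare certificate with no extensions at all, then applies to each both the "openssl x509 -purpose" check from the thread and the keyUsage/extendedKeyUsage test that "remote-cert-tls server" makes the client perform (the OpenVPN 2.3 manual documents that option as shorthand for remote-cert-ku a0 88 plus remote-cert-eku "TLS Web Server Authentication"). The CA name, host name and client name in it are invented, and it needs only the openssl CLI. Two things it makes visible that the thread leaves implicit: -purpose reports "SSL server : Yes" for a certificate that has no keyUsage extension whatsoever, so that check cannot catch the error in the client log above; and the server side should point "ca" at the CA that actually issued the VPN certificates, not at the distribution bundle in /etc/pki/tls/certs/ca-bundle.crt as in the server file above, since with the bundle any client certificate chaining to any public CA passes the chain check.

```shell
#!/bin/sh
# Added example (mine, not from the thread, OpenVPN or EasyRSA). Issues a
# throwaway CA, a server cert and a client cert carrying the X509v3 extensions
# an OpenVPN client running "remote-cert-tls server" checks for, plus a bare v1
# server cert with no extensions, and tests all three the way the client will.
# Every name here (Example OpenVPN CA, vpn.example.test, laptop1) is made up.
set -eu
WORK=$(mktemp -d)

# Extension profiles, modelled on the EasyRSA section quoted in the thread.
# The CA carries keyCertSign only; serverAuth/clientAuth belong on the leaves.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example OpenVPN CA
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
[ client_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
EOF

# issue STEM CN SECTION: key + CSR for CN, signed by the CA with extension
# SECTION. With an empty SECTION openssl emits a v1 certificate with no
# extensions at all (the stock openssl.cnf usr_cert section likewise leaves
# keyUsage commented out, so "openssl ca" with defaults omits it too).
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=$2" -config "$WORK/pki.cnf" 2>/dev/null
    if [ -n "$3" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 365 -out "$WORK/$1.crt" \
            -extfile "$WORK/pki.cnf" -extensions "$3" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# What an OpenVPN 2.3 client requires of the server cert under
# "remote-cert-tls server", which its manual says is shorthand for
# "remote-cert-ku a0 88" plus "remote-cert-eku 'TLS Web Server Authentication'":
# keyUsage must include digitalSignature with keyEncipherment (a0) or
# keyAgreement (88), and extendedKeyUsage must include serverAuth. A cert
# with no keyUsage extension fails outright, the error seen in the thread.
has_server_usages() {
    dump=$(openssl x509 -noout -text -in "$1")
    ku=$(printf '%s\n' "$dump" | sed -n '/X509v3 Key Usage:/{n;p;}')
    eku=$(printf '%s\n' "$dump" | sed -n '/X509v3 Extended Key Usage:/{n;p;}')
    printf '%s' "$ku"  | grep -q 'Digital Signature' &&
        printf '%s' "$ku"  | grep -Eq 'Key Encipherment|Key Agreement' &&
        printf '%s' "$eku" | grep -q 'TLS Web Server Authentication'
}

# openssl's own purpose check, as suggested in the thread. It answers "Yes" for
# a certificate with no keyUsage/extendedKeyUsage at all (no extension means
# unrestricted to openssl), so it cannot reproduce the OpenVPN failure above.
purpose_says_server() {
    openssl x509 -noout -purpose -in "$1" | grep -q '^SSL server : Yes'
}

openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/pki.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
issue server   vpn.example.test server_ext
issue client   laptop1          client_ext
issue v1server vpn.example.test ""

for stem in server v1server client; do
    if purpose_says_server "$WORK/$stem.crt"; then p=Yes; else p=No; fi
    if has_server_usages  "$WORK/$stem.crt"; then r=accepted; else r=REJECTED; fi
    printf '%-9s openssl -purpose "SSL server": %-3s  remote-cert-tls server: %s\n' \
        "$stem" "$p" "$r"
done
openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt"   # chain check, prints "... OK"
echo "test material left in $WORK"
```

Running it prints one line per certificate: server is "Yes" and accepted, v1server is still "Yes" to openssl but REJECTED by the remote-cert-tls test, and client is "No" and REJECTED. Sign the VPN server's certificate with the server_ext section and each user's with client_ext, run has_server_usages on the server certificate before copying anything to the Windows box, and use the same ca.crt as "ca" in both client.ovpn and the server file.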