Could somebody please show me how to create a set of OpenVPN certificates? (CA/server/client)
by L-28C from LinuxQuestions.org on (#6D2RS)
I'm up to my neck with SEO and ChatGPT giving me all sorts of wrong instructions. Long story short I want to create an OpenVPN server and connect to it with an OpenVPN client. No bells no whistles, I just want the vanilla connection.
I've done this before for connecting to remote VPS servers, so I know the general procedure (where to put which keys, etc.), but for some reason this time around, setting it up on my own machine, it utterly refuses to work. I thought the problem was the ancient OpenSSL 1.1.1 on the server, but I upgraded that and I still cannot connect.
Server: MX Linux Wildflower / OpenVPN 2.6.5 / OpenSSL 3.0.9
Client: Ubuntu MATE 22.04 / OpenVPN 2.5.1 / OpenSSL 3.0.2
The error, on the client side (via journalctl):
Quote:
Jul 18 11:19:47 pocket nm-openvpn[10750]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.68:25543
Jul 18 11:19:47 pocket nm-openvpn[10750]: Attempting to establish TCP connection with [AF_INET]192.168.1.68:25543 [nonblock]
Jul 18 11:19:47 pocket nm-openvpn[10750]: TCP connection established with [AF_INET]192.168.1.68:25543
Jul 18 11:19:47 pocket nm-openvpn[10750]: TCP_CLIENT link local: (not bound)
Jul 18 11:19:47 pocket nm-openvpn[10750]: TCP_CLIENT link remote: [AF_INET]192.168.1.68:25543
Jul 18 11:19:47 pocket nm-openvpn[10750]: VERIFY ERROR: depth=0, error=self-signed certificate: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=trinity, serial=582419616495282865804820731754480487093640211897
Jul 18 11:19:47 pocket nm-openvpn[10750]: OpenSSL: error:0A000086:SSL routines::certificate verify failed
Jul 18 11:19:47 pocket nm-openvpn[10750]: TLS_ERROR: BIO read tls_read_plaintext error
Jul 18 11:19:47 pocket nm-openvpn[10750]: TLS Error: TLS object -> incoming plaintext read error
Jul 18 11:19:47 pocket nm-openvpn[10750]: TLS Error: TLS handshake failed
Jul 18 11:19:47 pocket nm-openvpn[10750]: Fatal TLS error (check_tls_errors_co), restarting
Jul 18 11:19:47 pocket nm-openvpn[10750]: SIGUSR1[soft,tls-error] received, process restarting
The commands I used to create all the files:
Quote:
# CA
openssl genpkey -algorithm RSA -out ca.key
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# server
openssl genpkey -algorithm RSA -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
# client
openssl genpkey -algorithm RSA -out client.key
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
# misc
openssl dhparam -out dh.pem 2048
openvpn --genkey --secret ta.key
What the heck am I doing wrong?
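An added example, not the poster's commands and not OpenVPN's or OpenSSL's own tooling: the same genpkey/req/x509 flow, but every certificate gets its own -subj, the leaf certificates get the v3 extensions OpenVPN looks at, and openssl verify runs before anything touches an OpenVPN config. The motivation is in the quoted log: the server certificate carries the openssl req prompt defaults (C=AU, ST=Some-State, O=Internet Widgits Pty Ltd), and when the CA was created with the same answers its issuer DN equals its subject DN, which OpenSSL treats as a self-signed certificate at depth 0. Assumptions: openssl 3.x on PATH and a scratch directory PKI_DIR (constructed here with mktemp).

```shell
#!/bin/sh
# Added example (not the poster's commands): CA, server and client certificates
# for OpenVPN with plain openssl. Assumes openssl 3.x on PATH and a scratch
# directory in PKI_DIR (constructed with mktemp if not set).
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Self-signed CA with a subject no leaf certificate will reuse. A certificate
# whose issuer DN equals its own subject DN is treated by OpenSSL as
# self-signed, which is the "depth=0 ... self-signed certificate" error.
make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PKI_DIR/ca.key" 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$PKI_DIR/ca.key" \
        -subj "/CN=Example Home VPN CA" -out "$PKI_DIR/ca.crt"
}

# Leaf certificate: $1 = name (server|client), $2 = EKU (serverAuth|clientAuth).
# The extension file marks it as a non-CA and sets the EKU that the client's
# `remote-cert-tls server` check requires on the server certificate.
make_cert() {
    name="$1" eku="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PKI_DIR/$name.key" 2>/dev/null
    openssl req -new -key "$PKI_DIR/$name.key" -subj "/CN=$name" \
        -out "$PKI_DIR/$name.csr"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$PKI_DIR/$name.ext"
    openssl x509 -req -in "$PKI_DIR/$name.csr" -CA "$PKI_DIR/ca.crt" \
        -CAkey "$PKI_DIR/ca.key" -CAcreateserial -days 365 \
        -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# The check to run before editing any OpenVPN config: does $1.crt chain to
# ca.crt and carry purpose $2 (sslserver|sslclient)? Prints "ok" on success.
verify_cert() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" -purpose "$2" \
        "$PKI_DIR/$1.crt" >/dev/null 2>&1 && echo ok
}

# Prints 1 when $1.crt's issuer DN equals its subject DN, else 0.
is_self_issued() {
    subj=$(openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject)
    iss=$(openssl x509 -in "$PKI_DIR/$1.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo 1 || echo 0
}

make_ca
make_cert server serverAuth
make_cert client clientAuth
echo "server: $(verify_cert server sslserver) client: $(verify_cert client sslclient)"
```

The server then gets ca.crt, server.crt and server.key, the client gets ca.crt, client.crt and client.key; dh.pem and ta.key are generated exactly as in the quoted commands.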