Using OpenVPN with CAcert certificates

Monday, November 12, 2007 at 03:14 AM

The goal was to set up a server that gives authenticated users access to a VPN. Here are the important bits from the server configuration:

port 1194
proto udp
dev tun

dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
comp-lzo

ca /etc/ssl/certs/cacert.crt
cert /etc/ssl/certs/my.crt
key /etc/ssl/private/my.key

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
client-cert-not-required

root.crt is the CAcert.org root certificate; it goes into the CA file the configuration points at (cacert.crt). The server certificate, which has to be signed by CAcert.org, is stored in my.crt and its private key in my.key. The last two lines enable password authentication for clients: openvpn-auth-pam checks the username and password against the PAM service common-auth, i.e. the server's system accounts, and client-cert-not-required tells the server not to demand a client certificate at all, so a valid password is the only thing that authenticates a client. Note that the dh1024.pem parameters are 1024-bit Diffie-Hellman, which is considered too weak today, and that client-cert-not-required has been removed from current OpenVPN releases (2.5 and later) in favour of verify-client-cert none.

The client configuration is straightforward. One point matters for security: CAcert issues certificates to anyone who can prove control of a domain, so the ca line alone would let any CAcert-signed certificate pass as the VPN server. tls-remote pins the subject name of the expected server certificate (current OpenVPN releases replaced it with verify-x509-name; remote-cert-tls server additionally checks that the certificate was issued for server use), and tls-exit makes the client quit instead of retrying when the TLS handshake fails:

client
dev tun
proto udp
comp-lzo

remote [server hostname] 1194
resolv-retry infinite
ca /etc/ssl/certs/cacert.crt

auth-user-pass
tls-remote "/CN=[certificate common name]..."
tls-exit

During the first attempts to connect I repeatedly ran into certificate verification errors on the client:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: /O=CAcert_Inc./OU=http://www.CAcert.org/CN=CAcert_Class_3_Root
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It turned out that the CAcert Class 3 certificate is an intermediate signed by the Class 1 root: the server certificate chains to the Class 3, which in turn chains to the Class 1, and the client can only complete that chain if both certificates are in its CA file. Here root.crt is the downloaded Class 1 root and cacert.crt is the CA file the configurations above point at:

cat root.crt class3.crt > /etc/ssl/certs/cacert.crt
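The chain problem above, reproduced and checked with a throwaway PKI. This is an added example, not code from the original post: the "Example Class 1 Root" and "Example Class 3 Root" certificates and the server name vpn.example.org are made up stand-ins for CAcert's certificates and the real server; the script only needs the openssl command line tool and runs as an unprivileged user. It shows the two ways a client can complete the chain: both CA certificates in its CA file (the fix from the post), or only the root in the CA file with the server sending the intermediate along with its own certificate (OpenVPN's extra-certs directive).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway two-level PKI
# shaped like CAcert's (self-signed "Class 1" root -> "Class 3" intermediate
# -> server certificate) and checks which CA files let the server certificate
# verify. All names (Example Class 1/3 Root, vpn.example.org) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf;
# ca_ext marks the self-signed root as a CA.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Extensions for the intermediate (a CA) and for the server leaf (not a CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > srv.ext

make_test_pki() {
    # root.crt: self-signed root, the counterpart of CAcert's Class 1 root
    openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout root.key -out root.crt \
        -subj "/O=Example/CN=Example Class 1 Root" 2>/dev/null
    # class3.crt: intermediate CA issued by the root
    openssl req -config req.cnf -newkey rsa:2048 -nodes \
        -keyout class3.key -out class3.csr \
        -subj "/O=Example/CN=Example Class 3 Root" 2>/dev/null
    openssl x509 -req -days 30 -in class3.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out class3.crt 2>/dev/null
    # my.crt / my.key: the VPN server certificate, issued by the intermediate
    openssl req -config req.cnf -newkey rsa:2048 -nodes \
        -keyout my.key -out my.csr -subj "/CN=vpn.example.org" 2>/dev/null
    openssl x509 -req -days 30 -in my.csr -CA class3.crt -CAkey class3.key \
        -CAcreateserial -extfile srv.ext -out my.crt 2>/dev/null
}

# verify_chain CAFILE [SENT]: succeeds only if my.crt chains to a root in
# CAFILE. SENT plays the certificate an OpenVPN server would send alongside
# its own (extra-certs); it is used for chain building but is not trusted.
verify_chain() {
    if [ $# -gt 1 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" my.crt 2>&1 | grep -q '^my.crt: OK$'
    else
        openssl verify -CAfile "$1" my.crt 2>&1 | grep -q '^my.crt: OK$'
    fi
}

# Subject of the server certificate: this is what the client pins with
# tls-remote (verify-x509-name on current OpenVPN). With a public CA, any
# certificate that CA ever issued would otherwise pass as the VPN server.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in my.crt
}

make_test_pki
cat root.crt class3.crt > cacert.crt   # the fix from the post, same shape

verify_chain root.crt   && echo "root only:     OK" || echo "root only:     FAIL (no issuer for my.crt in the CA file)"
verify_chain class3.crt && echo "class3 only:   OK" || echo "class3 only:   FAIL (unable to get issuer certificate for class3.crt)"
verify_chain cacert.crt && echo "root + class3: OK" || echo "root + class3: FAIL"
verify_chain root.crt class3.crt && echo "root in CA file, class3 sent by server: OK" || echo "root in CA file, class3 sent by server: FAIL"
echo "server identity to pin on the client: $(cert_subject)"
```

The class3-only case is the one the error message above describes: the Class 3 certificate is found but its issuer is not, so verification stops at depth 1. Either put the whole chain into the client's CA file, as the post does, or keep only the root trusted and have the server send the intermediate; pinning the subject name is needed in both cases.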

By default clients can only reach the VPN server itself. For them to also reach the rest of the network behind it, IP forwarding needs to be enabled on the server (net.ipv4.ip_forward), the clients need a route to that network (for example pushed from the server with a push "route" directive), and a NAT rule needs to be added that rewrites the VPN source addresses to the server's address on that network, here [IP], so that replies come back through the server:

iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j SNAT --to [IP]

 

Entry filed under: Linux
