Using OpenVPN with CAcert certificates

Monday, November 12, 2007 at 03:14 AM

The goal was to set up a server that allows authenticated users access to a VPN. Here are the important bits of the server configuration:

port 1194
proto udp
dev tun

dh dh1024.pem
ifconfig-pool-persist ipp.txt

ca /etc/ssl/certs/cacert.crt
cert /etc/ssl/certs/my.crt
key /etc/ssl/private/my.key

plugin /usr/lib/openvpn/ common-auth

cacert.crt is the CA bundle the server trusts (how it has to be built is explained below). The server certificate, which has to be signed by CAcert, is stored in my.crt and its private key in my.key. dh1024.pem holds the Diffie-Hellman parameters; 1024-bit DH is no longer considered adequate, so generate at least 2048-bit parameters today. The plugin line loads OpenVPN's PAM authentication plugin with the common-auth PAM service, so a client additionally has to present a valid system username and password. That password check is what actually authenticates users here: CAcert issues certificates to anyone who asks, so a certificate that merely chains to the CAcert root says nothing about who is connecting.

The client configuration is straightforward:

dev tun
proto udp

remote [server hostname] 1194
resolv-retry infinite
ca /etc/ssl/certs/cacert.crt

tls-remote "/CN=[certificate common name]..."

The tls-remote line is the important one. Because CAcert signs certificates for anyone, the ca line alone would accept any CAcert-issued certificate as the VPN server; tls-remote pins the subject the client expects. (tls-remote was removed in OpenVPN 2.4; use verify-x509-name with the same value instead.) For the server's PAM password check the client also needs auth-user-pass so it prompts for credentials.

During the first attempts to connect I repeatedly ran into error messages about failed certificate verification on the client:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: /O=CAcert_Inc./OU=
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

It turned out that the CAcert class 3 certificate is signed by the CAcert class 1 root certificate, i.e. the server certificate chains server -> class 3 -> root. With only the root in the ca file the client cannot link the server certificate to a trusted certificate, so both the root and the class 3 certificate have to go into the file given to the ca directive:

cat root.crt class3.crt > /etc/ssl/certs/cacert.crt
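The chain problem can be reproduced offline. The following script is an added example, not code from the original post: it builds a constructed root, intermediate and server certificate with openssl (the names Example Class 1 Root, Example Class 3 and vpn.example.org are assumptions standing in for CAcert's class 1 root, its class 3 intermediate and the post's server certificate), runs openssl verify first against the root alone and then against the concatenated bundle, and extracts the server certificate's CN, which is the value the client's tls-remote line has to be pinned to.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce the incomplete-chain
# failure with a constructed three-level hierarchy that mimics CAcert's layout
#   root.crt   self-signed, stands in for the CAcert class 1 root
#   class3.crt intermediate signed by root, stands in for CAcert class 3
#   my.crt     server certificate signed by class3 (CN vpn.example.org is assumed)
# and show that "openssl verify" fails against root.crt alone but succeeds
# against the concatenated bundle the post ends up using.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension files: the intermediate must be marked as a CA, the leaf must not be.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# Self-signed root ("openssl req -x509" marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj "/O=Example CA/CN=Example Class 1 Root" >/dev/null 2>&1

# Intermediate, signed by the root.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/class3.key" -out "$WORK/class3.csr" \
    -subj "/O=Example CA/CN=Example Class 3" >/dev/null 2>&1
openssl x509 -req -days 1825 -in "$WORK/class3.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/class3.crt" >/dev/null 2>&1

# Server certificate, signed by the intermediate (the post's my.crt / my.key).
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/my.key" -out "$WORK/my.csr" \
    -subj "/CN=vpn.example.org" >/dev/null 2>&1
openssl x509 -req -days 365 -in "$WORK/my.csr" \
    -CA "$WORK/class3.crt" -CAkey "$WORK/class3.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/my.crt" >/dev/null 2>&1

# The fix from the post: one bundle holding root and intermediate.
cat "$WORK/root.crt" "$WORK/class3.crt" > "$WORK/cacert.crt"

# chain_status BUNDLE CERT -> prints "ok" or "fail" (never aborts the script).
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# chain_error BUNDLE CERT -> the reason openssl gives, empty when the chain verifies.
chain_error() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# cert_cn CERT -> the CN, i.e. what tls-remote / verify-x509-name must be pinned to.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

echo "root only:   $(chain_status "$WORK/root.crt" "$WORK/my.crt") ($(chain_error "$WORK/root.crt" "$WORK/my.crt"))"
echo "root+class3: $(chain_status "$WORK/cacert.crt" "$WORK/my.crt")"
echo "server CN:   $(cert_cn "$WORK/my.crt")"
```

Against the root alone openssl reports error 20, "unable to get local issuer certificate": the verifier holds the leaf and the trusted root but no certificate linking them, which is the same class of failure OpenVPN logged before the class 3 certificate was added to the bundle. Note that a bundle like this only decides which CA hierarchy is trusted; with a public CA such as CAcert the subject pin on the client is what ties the connection to your server.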

By default clients can only reach the VPN server itself. To let them reach the rest of the network, IP forwarding has to be enabled on the server (net.ipv4.ip_forward set to 1) and a source NAT rule added for the subnet the VPN hands out:

iptables -t nat -I POSTROUTING -s [VPN subnet] -j SNAT --to [IP]

Keep in mind that this turns every authenticated VPN user into a host on the internal network; if that is not intended, restrict what they can reach with rules in the FORWARD chain.


Entry filed under: Linux
