Tag Archives: OpenVPN

OpenVPN: Built a certification authority from scratch with openssl

Hi,

these are the steps to build your own CA (Certification Authority) and all required certificates for an OpenVPN instance (Client and Server) on Linux.

Define your environment. Always set these variables in the shell before executing openssl commands. Adjust them to your needs.

OpenVPN: Connect to multiple VPNs on Windows

Hi,

on Windows OpenVPN by default installs one TAP network interface. If you want to connect to multiple VPNs simultaneously you need an interface for each VPN.

You can add an additional adapter with a batch file provided by the TAP driver. Open a command prompt with administrative rights and change to the TAP install folder.

c:\> cd "C:\Program Files\TAP-Windows\bin"

and call

OpenVPN: Read certificate passphrase from file

Hello,

when you establish an OpenVPN connection with a password-protected certificate, you have to enter the passphrase each time OpenVPN starts.

This isn’t nice if you want to connect at system startup without user interaction.

Windows: Set permissions on a service

Hi,

when a normal user needs to be able to perform some operations on a service, such as starting or stopping it, there are multiple ways to grant these permissions. Windows has no GUI or (easy to use) command line tool on board to set these access rights. I will show you 3 ways to set them.

  • Sysinternals Process Explorer
  • sc.exe (Service controller)
  • subinacl.exe (The security swiss knife)

For the following examples I will use the OpenVPN service with its service name openvpnservice and assign the start and stop permissions to a user or group, but it's the same procedure for all other services.

The easiest way is to use the Sysinternals Process Explorer. It provides a graphical user interface, but the service must be in the running state before Process Explorer is started. If you already have a valid OpenVPN configuration, start the service:

sc start openvpnservice

Then start Process Explorer as administrator and locate the OpenVPN service process openvpnserv.exe.

Openvpn Process

OpenVPN: Set a static IP Address for a client

Hi,

sometimes you have to set a static IP address for some VPN clients because they provide server services that must always be reachable at the same IP address.

The client configuration does not provide any option to do that, and a static IP address set on the adapter itself is overwritten every time the client establishes a connection to the OpenVPN server.

Solution: Define a client specific script at the server.

In this example the OpenVPN server's OS is Linux (tap interface IP 10.1.134.62) and the client runs on Windows (static IP 10.1.134.1).

Define a directory where the client scripts should be stored, e.g. /etc/openvpn/staticclients, and create the directory

mkdir /etc/openvpn/staticclients

Add this directory as an option to your OpenVPN config file on the server:

client-config-dir /etc/openvpn/staticclients

For each client you have to create a file. The filename must match the “common name” attribute that was specified in the X509 certificate of the client. This command gets the CN from the computer's certificate:

root@devdeb~ > openssl x509 -in /etc/openvpn/yourClientCertificate.cer -noout -subject | sed -e 's/.*CN=\(.*\)\/.*/\1/'

TESTCLIENT

This example pushes the IP address 10.1.134.1/255.255.255.192 to the client with the common name TESTCLIENT and also pushes an additional route for subnet 10.1.135.0.

cat /etc/openvpn/staticclients/TESTCLIENT

ifconfig-push 10.1.134.1 255.255.255.192
push "route 10.1.135.0 255.255.255.0 10.1.134.62"
# push "dhcp-option WINS addr"
# push "dhcp-option DNS addr"

Michael
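
The steps above as one script, added here as an example and not part of the original post: it takes the CN from a certificate subject line, checks that it is safe to use as a file name, and writes the matching client-config-dir file. It goes slightly beyond the post by also accepting the subject format printed by newer openssl releases ("CN = NAME"). The function names, the character allowlist and the temporary directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: derive a client-config-dir file from a certificate subject.

# Print the CN from one line of `openssl x509 -noout -subject` output.
# Handles "subject= /C=DE/CN=NAME/..." and "subject=C = DE, CN = NAME".
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/^.*CN *= *\([^/,]*\).*$/\1/p'
}

# Succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
  case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# write_ccd DIR CN IP NETMASK: write DIR/CN and print its path.
write_ccd() {
  dir=$1 cn=$2 ip=$3 mask=$4
  # The CN becomes a file name: refuse path separators, leading dots and
  # anything outside a conservative allowlist (assumed policy).
  case $cn in
    ''|.*|*[!A-Za-z0-9._-]*) echo "unsafe common name: $cn" >&2; return 1 ;;
  esac
  # Strict address checks keep stray text or newlines out of the file.
  for a in "$ip" "$mask"; do
    is_ipv4 "$a" || { echo "bad IPv4 value: $a" >&2; return 1; }
  done
  printf 'ifconfig-push %s %s\n' "$ip" "$mask" > "$dir/$cn" || return 1
  printf '%s\n' "$dir/$cn"
}

# Constructed sample subjects in both print formats; a temporary directory
# stands in for /etc/openvpn/staticclients.
demo_dir=$(mktemp -d)
for subj in \
  'subject= /C=DE/O=Example/CN=TESTCLIENT/emailAddress=vpn@example.org' \
  'subject=C = DE, O = Example, CN = TESTCLIENT'
do
  write_ccd "$demo_dir" "$(cn_from_subject "$subj")" 10.1.134.1 255.255.255.192
done
cat "$demo_dir/TESTCLIENT"
rm -r "$demo_dir"
```

On a real server the subject line would come from the openssl command shown in the post and the directory would be the one named in client-config-dir.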