Old openvpn client with current easyrsa certificate

Scripts to manage certificates or generate config files
boskar
OpenVpn Newbie
Posts: 9
Joined: Sat May 30, 2020 5:16 pm

Post by boskar » Sat May 30, 2020 5:28 pm

Hello,

I'm starting with my openvpn server, after years of being client-only user.

I've successfully connected my current linux box to the server using more-or-less default sample configuration and howto.

The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option.

First I needed to comment out remote-cert-tls server, ok, less secure.

But then as I've tried to start openvpn the following error occurred:

    Cannot load private key file <cut>.key: error:0607607D:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported prf: error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error: error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

The password I've provided is correct, it worked at the current openvpn.

This openvpn is working as a client for other server successfully.

Can I change the certificate to make it compatible with that old openvpn? Is it possible? This key is generated with easyrsa 3.0.6. The server is 2.4.7.

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Post by TinCanTech » Sat May 30, 2020 5:36 pm

boskar wrote:
Sat May 30, 2020 5:28 pm
The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option
Why not ?

Post by boskar » Sat May 30, 2020 5:44 pm

Let's say this PC is a part of old, complicated system, which back then was expensive.

If I could get statically linked openvpn it might work, upgrading one package in this system without breaking what it was designed for is probably impossible.

In fact I was surprised I found any version of openvpn there, and even more surprised it works with openvpn server I usually connect to.

Post by TinCanTech » Sat May 30, 2020 5:46 pm

Please see:
https://community.openvpn.net/openvpn/w ... edVersions

Your version is not even listed.

Post by boskar » Sat May 30, 2020 5:57 pm

The kernel 2.6.15 is probably not supported as well. Yup, I'm perfectly aware how old it is.

The vendor is charging around $25 000 for an upgrade to current system with current components, we can't afford that, so we're gonna "use it till it breaks".

Or maybe is there any way to get statically linked current openvpn? Maybe some backport?
Compiling anything there is not gonna work, no headers, no compilers, no way.

Anyway - I suppose changing the certificate format is still the easiest and the least invasive solution.

Pippin
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Post by Pippin » Sat May 30, 2020 6:02 pm

What if you place (or have) a box running current OpenVPN in front of that old stuff?

Post by TinCanTech » Sat May 30, 2020 6:03 pm

Does the output from openvpn --version list the openssl library version and date ?

Post by boskar » Sat May 30, 2020 6:14 pm

openvpn --version

    OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
    Developed by James Yonan
    Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

openssl version

    OpenSSL 0.9.7f 22 Mar 2005

Pippin wrote:
What if you place (or have) a box running current OpenVPN in front of that old stuff?
This device needs to work in own local network too, it would probably be possible, yet it sounds really complicated, I'd need to forward ports both ways... I'm afraid that not being aware of the IP assigned might be a problem.

Post by TinCanTech » Sat May 30, 2020 7:05 pm

boskar wrote:
Sat May 30, 2020 6:14 pm
openvpn --version

    OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
    Developed by James Yonan
    Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

openssl version

    OpenSSL 0.9.7f 22 Mar 2005
No chance ..
Pippin wrote:
Sat May 30, 2020 6:02 pm
What if you place (or have) a box running current OpenVPN in front of that old stuff?
Only option.
boskar wrote:
Sat May 30, 2020 6:14 pm
it sounds really complicated, I'd need to forward ports both ways... I'm afraid ... etc
boskar wrote:
Sat May 30, 2020 5:57 pm
The vendor is charging around $25 000 for an upgrade
So would I ..

Post by boskar » Sat May 30, 2020 7:38 pm

Maybe I should downgrade openvpn/easyrsa?
Maybe pre-shared key solution would work... I will give it a try. The box is not a convenient solution.

Anyway - I don't fully understand why it is not working, regarding the fact it worked with other server (for sure not a recent build, but not THAT old).
Is it because of the openssl cipher used in the key? The length? Or is it just the format of the key, header, some kind of metadata?
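
An added example, not part of the thread: the "unsupported prf" text in the error output posted above is raised by OpenSSL's PBES2 (PKCS#5 v2) key-derivation code, so one way to see which of these properties differs is to read the PEM label and the PBKDF2 PRF recorded in the key file. The names `describe_key` and `sample_pem` are hypothetical, and the sample input is constructed with dummy salt, IV and ciphertext rather than taken from a real key.

```python
import base64
import re

RSADSI = bytes.fromhex("2a864886f70d")  # DER bytes of OID prefix 1.2.840.113549
PBES2 = "1.2.840.113549.1.5.13"
PRF_NAMES = {"1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256"}

def _tlvs(der):  # yield (tag, value) for every DER element, descending into SEQUENCEs
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length: low 7 bits count the length bytes
            n, i = int.from_bytes(der[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        val, i = der[i:i + n], i + n
        yield tag, val
        if tag & 0x20:  # constructed type: walk its children too
            yield from _tlvs(val)

def _oid(val):  # decode DER OID content bytes to dotted form
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def describe_key(pem):  # -> (PEM label, PBKDF2 PRF name or None); (None, None) if no PEM
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    label, body = m.groups() if m else (None, "")
    der = base64.b64decode(body) if label == "ENCRYPTED PRIVATE KEY" else b""
    oids = [_oid(v) for t, v in _tlvs(der) if t == 0x06]
    if PBES2 not in oids:  # traditional PEM key, unencrypted key, or PBES1
        return label, None
    # RFC 8018: an absent prf field means the default, hmacWithSHA1
    prf = next((o for o in oids if o.startswith("1.2.840.113549.2.")), "1.2.840.113549.2.7")
    return label, PRF_NAMES.get(prf, prf)

def _der(tag, *parts):  # sample builder; short-form lengths only (< 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_pem(prf_tail):  # constructed sample: dummy salt, IV, ciphertext; not a real key
    prf = _der(0x30, _der(0x06, RSADSI + prf_tail), _der(0x05)) if prf_tail else b""
    params = _der(0x30, _der(0x04, b"S" * 8), _der(0x02, b"\x08\x00"), prf)
    kdf = _der(0x30, _der(0x06, RSADSI + b"\x01\x05\x0c"), params)
    enc = _der(0x30, _der(0x06, bytes.fromhex("60864801650304012a")), _der(0x04, b"I" * 16))
    alg = _der(0x30, _der(0x06, RSADSI + b"\x01\x05\x0d"), _der(0x30, kdf, enc))
    b64 = base64.b64encode(_der(0x30, alg, _der(0x04, b"C" * 16))).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Calling `describe_key(open(path).read())` on a real key file reports the same two fields; a result other than `hmacWithSHA1` names a PRF that the file asks the reading library to support.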

Post by TinCanTech » Sat May 30, 2020 7:45 pm

If you use that old VPN setup then you may as well send your data in clear text.

Post by boskar » Sat May 30, 2020 8:09 pm

I would, unfortunately there is no way to set up a tcp socket over that many routers and SNATs.

That's why I need vpn, I don't need openvpn to provide _any_ security in this scenario.

Post by TinCanTech » Sat May 30, 2020 8:14 pm

boskar wrote:
Sat May 30, 2020 8:09 pm
there is no way to set up a tcp socket over that many routers and SNATs.

That's why I need vpn
:lol: :roll:

Because OpenVPN is simply magic ..

Post by boskar » Sat May 30, 2020 8:34 pm

The obvious magic is that over single UDP port behind a nat and routers with private subnets, I could access all ports both ways at once.

Post by TinCanTech » Sat May 30, 2020 9:02 pm

https://community.openvpn.net/openvpn/w ... nPage#lbBC

That's probably the simplest option.

Post by boskar » Sun May 31, 2020 6:58 am

On bob:

    openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9

On alice:

    openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

But what if I'm behind a NAT?

Post by TinCanTech » Sun May 31, 2020 11:23 am

boskar wrote:
Sun May 31, 2020 6:58 am
But what if I'm behind a NAT?
The usual solution ..

Post by boskar » Sun May 31, 2020 2:17 pm

The usual solution is to setup openvpn in client-server mode ; )
