OpenVPN with client and server different intermediate certificates

Scripts to manage certificates or generate config files

dcano
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 23, 2017 5:14 pm

OpenVPN with client and server different intermediate certificates

Post by dcano » Thu Nov 23, 2017 5:44 pm

Hello all,

We are trying to configure OpenVPN using official certificates (SwissSign).

By default, one intermediate CA issues certificates for servers (TLS) and the other one issues only client certificates. It looks something like this:

                 +-------------------+
                 | SwissSign Root CA |
                 +---------+---------+
                           |
                 +---------+---------+
                 |                   |
          +------+------+     +------+------+
          |  Server CA  |     |  Client CA  |
          +------+------+     +------+------+
                 |                   |
          +------+-------+    +------+-------+
          | Server Certs |    | Client Certs |
          +--------------+    +--------------+
           vpn_cert.pem        client_cert.pem
           vpn_key.pem         client_key.pem

We generate two bundle files, one with the root CA and the Server CA, and another with the root CA and the Client CA, and configure OpenVPN on the server side.

We set the configuration on the client side, but the client cannot authenticate.

So this seems to be a problem related to the certificate configuration, even though both intermediates are generated from the same root certificate. If we use a self-signed CA to generate the server certificate and the client certificate, with the same configuration, everything works perfectly.

Here is the current configuration for the server:


[oconf=SERVER]
port 1194
proto udp
dev tun0

ca      /etc/openvpn/easy-rsa/keys/swissign_ca.crt    # Contains SwissSign Root CA and SwissSign Server Intermediate CA.
cert    /etc/openvpn/easy-rsa/keys/server_cert.pem # server vpn certificate
key     /etc/openvpn/easy-rsa/keys/server_cert.key  # keep secret
dh      /etc/openvpn/easy-rsa/keys/dh2048.pem

topology subnet
server 10.10.10.0 255.255.255.0  # internal tun0 connection IP
push "route 192.168.1.0 255.255.240.0"
push "route 10.10.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DOMAIN myfakedomain.ch"

ifconfig-pool-persist ipp.txt

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

keepalive 10 120

persist-key
persist-tun
auth-nocache
cipher AES-256-CBC
auth SHA1
engine none

resolv-retry infinite

status log/openvpn-status.log

verb 5  # verbose mode
client-to-client

[/oconf]
The client configuration is the following:


[oconf=CLIENT]
client
dev tun1
port 1194
proto udp

remote 192.168.1.11 1194             # VPN server IP : PORT
nobind
push "dhcp-options DNS 192.168.1.10"
redirect-gateway def1

ca /home/myuser/myuser.p12         # Contains the full certification chain. 
pkcs12 /home/myuser/myuser.p12 # Contains the full certification chain.

remote-cert-tls server
auth-nocache
cipher AES-256-CBC
auth SHA1
connection-type password-tls
float yes

username myuser
password mypassword

resolv-retry infinite

persist-key
persist-tun

verb 5

nobind
push "dhcp-options DNS 192.168.1.10"
redirect-gateway def1
[/oconf]
Here you can find the Client LOGS:


Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.3077] audit: op="connection-activate" uuid="967102b3-1563-450b-8879-e0a91334aaf1" name="VPN" pid=29458 uid=10139 result="success"
Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.3174] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: Started the VPN service, PID 29746
Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.3358] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: Saw the service appear; activating connection
Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.5807] keyfile: update /etc/NetworkManager/system-connections/VPN (967102b3-1563-450b-8879-e0a91334aaf1,"VPN")
Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.6270] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: state changed: starting (3)
Nov 24 13:31:23 mypc NetworkManager[29337]: <info>  [1511526683.6270] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN connection: (ConnectInteractive) reply received
Nov 24 13:31:23 mypc nm-openvpn[29752]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Nov 24 13:31:23 mypc nm-openvpn[29752]: library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Nov 24 13:31:23 mypc nm-openvpn[29752]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 24 13:31:23 mypc nm-openvpn[29752]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.10:1194
Nov 24 13:31:23 mypc nm-openvpn[29752]: UDP link local: (not bound)
Nov 24 13:31:23 mypc nm-openvpn[29752]: UDP link remote: [AF_INET]192.168.179.251:1194
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Nov 24 13:31:23 mypc nm-openvpn[29752]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 24 13:32:23 mypc nm-openvpn-serv[29746]: Connect timer expired, disconnecting.
Nov 24 13:32:23 mypc nm-openvpn[29752]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 24 13:32:23 mypc nm-openvpn[29752]: TLS Error: TLS handshake failed
Nov 24 13:32:23 mypc NetworkManager[29337]: <warn>  [1511526743.6041] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN connection: connect timeout exceeded.
Nov 24 13:32:23 mypc nm-openvpn[29752]: SIGTERM[hard,tls-error] received, process exiting
Nov 24 13:32:23 mypc NetworkManager[29337]: <warn>  [1511526743.6074] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: failed: connect-failed (1)
Nov 24 13:32:23 mypc NetworkManager[29337]: <info>  [1511526743.6076] vpn-connection[0x56019d7543e0,967102b3-1563-450b-8879-e0a91334aaf1,"VPN",0]: VPN plugin: state changed: stopping (5)
And here the Server LOGS:


Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: Client disconnected 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0] 
Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: CMD 'status 2' 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=6 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0 
Nov 24 13:32:45 openvpn[11931]: MANAGEMENT: Client connected from /var/etc/openvpn/server3.sock 
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL 
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: Client disconnected 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040 
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1 
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000011 rwflags=0x0001 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0] 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=9 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0 
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0080 
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1 
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000004 rwflags=0x0002 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0] 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0002 ev=9 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0 
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL 
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: CMD 'status 2' 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040 
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1 
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000001 rwflags=0x0001 arg=0x32df844e3f8
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0] 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=9 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0 
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0080 
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1 
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=9 rev=0x00000004 rwflags=0x0002 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT TR|Tw|SR|Sw [10/0] 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0002 ev=9 arg=0x32df844e3f8 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=7 arg=0x32df844e3f4 
Nov 24 13:32:45 openvpn[38615]: PO_CTL rwflags=0x0001 ev=8 arg=0x32df8e9f2b0 
Nov 24 13:32:45 openvpn[38615]: SCHEDULE: schedule_find_least NULL 
Nov 24 13:32:45 openvpn[38615]: MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock 
Nov 24 13:32:45 openvpn[38615]: MULTI: REAP range 32 -> 48 
Nov 24 13:32:45 openvpn[38615]: I/O WAIT status=0x0040 
Nov 24 13:32:45 openvpn[38615]: event_wait returned 1 
Nov 24 13:32:45 openvpn[38615]: PO_WAIT[2,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x32df844e3f8

Could someone give us a hint about this? Do you know if it is possible to use 2 different intermediates for clients and the server certificate?

Thanks a lot in advance.
Last edited by dcano on Fri Nov 24, 2017 12:43 pm, edited 1 time in total.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: OpenVPN with client and server different intermediate certificates

Post by Pippin » Thu Nov 23, 2017 6:11 pm

More info needed:
viewtopic.php?f=30&t=22603

At least how the keys/certs lines are configured for server and client.
Also server log at verb 4.
So, this seems to be a problem related with the certificate configuration
A failed handshake can have more causes: closed port, firewall, missing tls-auth or tls-crypt key, DPI..... but we don't know ;)

remd
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 24, 2017 10:12 am

Re: OpenVPN with client and server different intermediate certificates

Post by remd » Fri Nov 24, 2017 10:16 am

Thanks for the reply. dcano will post some more info, but just to reply to your last comment: everything works fine with a self-signed CA and certificate (using the same intermediate CA for the server and user cert) but not with the SwissSign certificates, so we should be able to rule out issues like firewall rules.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN with client and server different intermediate certificates

Post by TiTex » Sat Nov 25, 2017 7:59 am

ca      /etc/openvpn/easy-rsa/keys/swissign_ca.crt    # Contains SwissSign Root CA and SwissSign Server Intermediate CA.
This should contain the client's intermediate CA, since the server verifies that the client has the right cert based on its (the server's) CAs.
"SwissSign Server Intermediate CA" - is it an actual intermediate CA, or just a certificate issued by SwissSign? :D

dcano
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 23, 2017 5:14 pm

Re: OpenVPN with client and server different intermediate certificates

Post by dcano » Mon Nov 27, 2017 9:40 am

Hello!

Thanks for your quick answer.

Indeed, the Intermediate CA is included in the swissign_ca.crt file. We tried these different options:
1. In the swissign_ca.crt file, include the SwissSign Root CA and the SwissSign Server Intermediate certificate.
2. In the swissign_ca.crt file, include the SwissSign Root CA and the SwissSign Client Intermediate certificate.
3. In the swissign_ca.crt file, include the SwissSign Root CA, the SwissSign Server Intermediate certificate and the SwissSign Client Intermediate certificate.
4. In the swissign_ca.crt file, include only the SwissSign Root CA.
None of the previous options worked out.

Other tests we did were related to the VPN server certificate. So every time we did any test or change in the CA certificate (previous list), we tried the following with the VPN server certificate:

cert    /etc/openvpn/easy-rsa/keys/server_cert.pem # server vpn certificate
1. In the server_cert.pem file, include the SwissSign Server Intermediate certificate.
2. In the server_cert.pem file, include the SwissSign Server Intermediate certificate and the SwissSign Client Intermediate certificate.
None of the previous options worked out.


All the certificates we are using for the configuration are official certificates generated by SwissSign, even for the clients. So, indeed, the "SwissSign Server Intermediate CA" certificate is a certificate issued by SwissSign, in this case signed and generated by the SwissSign Root CA.

Thanks again for your answer.
Cheers

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN with client and server different intermediate certificates

Post by TiTex » Mon Nov 27, 2017 7:29 pm

dcano wrote:
Mon Nov 27, 2017 9:40 am
All the certificates we are using for the configuration are official certificates generated by SwissSign, even for the clients. So, indeed, the "SwissSign Server Intermediate CA" certificate is a certificate issued by SwissSign, in this case signed and generated by the SwissSign Root CA.

Thanks again for your answer.
Cheers
Just because a cert was issued by a public CA doesn't make your cert an Intermediate CA, so unless you can confirm that you have an actual intermediate CA, your setup is flawed.

I actually think you have a server cert and some client certs issued by a SwissSign CA, usually not the Root CA but an intermediate, which are listed here.
If it turns out that I'm right, your swissign_ca.crt should contain the same chain on server and client, in this order from top to bottom
(on Linux you can create this chain like so: cat swiss_intermediat.crt swiss_root.crt > swissing_ca.crt)
SwissSign Intermediate CA - in pem format
SwissSign Root Ca - in pem format

server_cert.pem
should contain your issued cert only in pem format

server_cert.key
should contain your private key in pem format



Or you can just create a PKCS#12 store and use that; see the OpenVPN manual for the --pkcs12 option.

dcano
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 23, 2017 5:14 pm

Re: OpenVPN with client and server different intermediate certificates

Post by dcano » Tue Nov 28, 2017 2:12 pm

Hello,

Thanks a lot for your answer.

We are using an Intermediate certificate. From the link you mentioned we are using the following certificates (we even checked the Serial Number of each certificate):

Root certificate:
SSL Silver, SSL Silver Wildcard, Personal Silver ID: Silver_G2.pem -> The certificate used as root certificate

Intermediate certificate:
SSL Silver, SSL Silver Wildcard: Server_Silver_G22_2014.pem -> Generated by SSL Silver, SSL Silver Wildcard, Personal Silver ID: Silver_G2.pem
E-Mail ID Silver: Personal_Silver_G22_2014.pem -> Generated by SSL Silver, SSL Silver Wildcard, Personal Silver ID: Silver_G2.pem

Server certificate:
vpn.mydomain.ch: Generated by -> SSL Silver, SSL Silver Wildcard: Server_Silver_G22_2014.pem

Client certificate:
myuserclient @ mydomain. ch: Generated by -> E-Mail ID Silver: Personal_Silver_G22_2014.pem

As you mentioned, for the CA certificate parameter we tried the following:
1. cat swiss_Server_silver_G22_intermediate.crt swiss_Silver_G2_root.crt > swissing_ca.crt
2. cat swiss_Personal_silver_G22_intermediate.crt swiss_Silver_G2_root.crt > swissing_ca.crt
3. Even all three certificates together in the order you mentioned: intermediates first, then the root CA.

None of the previous 3 options worked out, and we always got the error related to the TLS handshake, which means it is not possible to verify that the certificate was generated by the CA.

In the server field we always enter the vpn.mydomain.ch.pem certificate. We verified multiple times that it is the right certificate, that key and certificate match, and we provide the key of the certificate as well.

But it does not work... and I guess it is because the client certificate was generated by an Intermediate CA different from the one that generated the server certificate.

Thanks again for your help.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN with client and server different intermediate certificates

Post by TiTex » Tue Nov 28, 2017 6:24 pm

Can you check if your client certs have this EKU (extended key usage)?
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

openssl x509 -in client_cert.pem -noout -purpose - this should display "SSL client : Yes"
or
openssl x509 -in client_cert.pem -noout -text - and check the "X509v3 extensions:" section

I'm not sure if the OpenVPN client would work without having the TLS Web Client Authentication (1.3.6.1.5.5.7.3.2) extension set on the cert; personally I haven't tested... maybe somebody has tested with S/MIME certs on the clients, for example, although I guess Personal_silver_G22_intermediate.crt should issue a client cert with both S/MIME and TLS Web Client Authentication usage.

1. cat swiss_Server_silver_G22_intermediate.crt swiss_Silver_G2_root.crt > swissing_ca.crt - this should be on the client
2. cat swiss_Personal_silver_G22_intermediate.crt swiss_Silver_G2_root.crt > swissing_ca.crt - this should be on the server

Remember that the certs/keys should be in PEM format.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: OpenVPN with client and server different intermediate certificates

Post by TiTex » Tue Nov 28, 2017 8:21 pm

I just tested with
Root CA -> Intermediate1 CA -> server cert
Root CA -> Intermediate2 CA -> client cert

ca.crt on server contains Intermediate2 CA & Root CA (cat inter2.crt root.crt > ca.crt)
ca.crt on client contains Intermediate1 CA & Root CA (cat inter1.crt root.crt > ca.crt)

and it works as expected. I'll post my configs below if you want to mess with it.

SERVER CONF

server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
topology subnet
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
auth-nocache
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
status openvpn-status.log
log-append server.log
verb 3
client-to-client


ca.crt

server.crt

server.key

dh2048.pem

--------------------------------------------------------------------------------------------------------

CLIENT CONF

I used inline configs here for certificates

client.ovpn
client
dev tun
proto udp
remote 192.168.88.10 1194 # VPN server IP : PORT
nobind
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
resolv-retry infinite
persist-key
persist-tun
verb 3

<ca>
</ca>
<cert>
</cert>
<key>
</key>



ca

cert

key


Macsta
OpenVpn Newbie
Posts: 1
Joined: Sat Oct 27, 2018 12:56 am

Re: OpenVPN with client and server different intermediate certificates

Post by Macsta » Sat Oct 27, 2018 12:57 am

Why has no one commented telling this person the dangers of publishing a private key??? Please say this CA key is not still in use?

harmv
OpenVpn Newbie
Posts: 1
Joined: Wed Aug 23, 2023 12:57 pm

Re: OpenVPN with client and server different intermediate certificates

Post by harmv » Wed Aug 23, 2023 1:06 pm

The example above (although working) has the configuration of the intermediate certificates mixed up.
The whole purpose of intermediate certificates is that they might expire, so that you have seamless rollover. That breaks in the setup proposed. You cannot have clients mixed, of which newer ones might have an updated Intermediate 2 CA.

In the setup.
Root CA -> Intermediate1 CA -> server cert
Root CA -> Intermediate2 CA -> client cert

You don't want to configure Intermediate1 in the client setup, but rather in the server setup (as it belongs to the server cert).
Same for Intermediate 2. You don't want that configured in the server setup, but rather in the client setup.


Desired Scenario:
Server has only root CA configured.
Client identifies itself by sending its client cert + Intermediate 1

Client has only root CA configured
Server identifies itself by sending its server cert + Intermediate 2

OpenVPN supports this via the 'extra-certs' option.
Don't add any intermediate CAs to the ca section!

The client config should be


<ca>
 --STRIPPED INLINE CA CERT--           <-  Only the ROOT CA, no intermediate
</ca>
<cert>
 --STRIPPED INLINE Client CERT-- 
</cert>
<extra-certs>
-- STRIPPED Intermediate 2
</extra-certs>
<key>
 --STRIPPED INLINE Client KEY-- 
</key>
The server config should have


<ca>
 --STRIPPED INLINE CA CERT--           <-  Only the ROOT CA
</ca>
<cert>
 --STRIPPED INLINE Server CERT-- 
</cert>
<extra-certs>
-- STRIPPED Intermediate 1
</extra-certs>
<key>
 --STRIPPED INLINE Server KEY-- 
</key>
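The two chain layouts discussed in this thread (TiTex's concatenated ca bundle and harmv's root-only ca with the intermediate sent via extra-certs), plus TiTex's EKU check, can be reproduced offline with a throwaway PKI. The script below is an added example, not code from the thread or from OpenVPN; it assumes an `openssl` binary is on PATH, and every name and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenVPN): build a throwaway
# two-intermediate PKI with openssl and show which CA bundle verifies which
# leaf, mirroring what OpenVPN's --ca / --extra-certs do during the TLS
# handshake. All names and paths below are constructed for this demo.
set -u
PKI="${PKI:-$(mktemp -d)}"

# issue <name> <issuer|self> <extension line>...: write key + cert under $PKI
issue() {
  name=$1; issuer=$2; shift 2
  printf '%s\n' "$@" > "$PKI/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr" >/dev/null 2>&1
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$PKI/$name.csr" -signkey "$PKI/$name.key" \
      -days 2 -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$PKI/$name.csr" -CA "$PKI/$issuer.crt" \
      -CAkey "$PKI/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$PKI/$name.ext" -out "$PKI/$name.crt" >/dev/null 2>&1
  fi
}

# Same shape as the thread: root -> inter1 -> server, root -> inter2 -> client
build_pki() {
  ca_ext='basicConstraints=critical,CA:TRUE'
  ku_ext='keyUsage=critical,keyCertSign,cRLSign'
  issue root   self   "$ca_ext" "$ku_ext"
  issue inter1 root   "$ca_ext" "$ku_ext"
  issue inter2 root   "$ca_ext" "$ku_ext"
  issue server inter1 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth'
  issue client inter2 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth'
}

# verify_with_bundle <leaf> <ca>...: what a concatenated "ca" file does.
# Every cert in the bundle is trusted. Returns 0 only if the chain builds.
verify_with_bundle() {
  leaf=$1; shift
  for c in "$@"; do cat "$PKI/$c.crt"; done > "$PKI/bundle.pem"
  openssl verify -CAfile "$PKI/bundle.pem" "$PKI/$leaf.crt" >/dev/null 2>&1
}

# verify_with_extra <leaf> <intermediate> <root>: the --extra-certs model.
# Only the root is trusted; the intermediate travels with the leaf, untrusted.
verify_with_extra() {
  openssl verify -CAfile "$PKI/$3.crt" -untrusted "$PKI/$2.crt" \
    "$PKI/$1.crt" >/dev/null 2>&1
}

# has_purpose <leaf> "SSL client"|"SSL server": the EKU check from the thread
has_purpose() {
  openssl x509 -in "$PKI/$1.crt" -noout -purpose | grep -q "^$2 : Yes"
}

show() {  # show <label> <cmd...>: print a yes/no verdict without aborting
  label=$1; shift
  if "$@"; then echo "yes : $label"; else echo "no  : $label"; fi
}

build_pki
show "server cert, ca = inter1+root (its own issuer chain)"    verify_with_bundle server inter1 root
show "server cert, ca = root only (intermediate missing)"      verify_with_bundle server root
show "server cert, ca = inter2+root (the other side's chain)"  verify_with_bundle server inter2 root
show "server cert, ca = root, inter1 supplied as extra-certs"  verify_with_extra server inter1 root
show "client cert, ca = inter2+root"                           verify_with_bundle client inter2 root
show "client cert has TLS Web Client Authentication EKU"       has_purpose client "SSL client"
```

The "no" lines are the two failure modes from the thread: a peer whose ca file holds the wrong intermediate, or only the root with no intermediate arriving in the handshake, cannot build the chain and the TLS negotiation never completes.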
