Old openvpn client with current easyrsa certificate

[boskar]

Hello,

I'm starting with my openvpn server, after years of being client-only user.

I've successfully connected my current linux box to the server using more-or-less default sample configuration and howto.

The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option.

First I needed to comment out remote-cert-tls server, ok, less secure.

But then as i've tried to start openvpn the following error occurred:

Code: Select all

Cannot load private key file <cut>.key: error:0607607D:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported prf: error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error: error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib

The password I've provided is correct, it worked at the current openvpn.

This openvpn is working as a client for other server successfully.

Can I change the certificate to make it compatible with that old openvpn? Is it possible? This key is generated with easyrsa 3.0.6. The server is 2.4.7.

[TinCanTech]

The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option

Why not ?

[boskar]

Let's say this PC is a part of old, complicated system, which back then was expensive.

If I could get statically linked openvpn It might work, upgrading one package in this system without breaking what it was designed for is probably impossible.

In fact I was surprised I found any version of openvpn there, and even more surprised It works with openvpn server I usually connect to.

[TinCanTech]

Please see:
https://community.openvpn.net/openvpn/w ... edVersions

Your version is not even listed.

[boskar]

The kernel 2.6.15 is probably not supported as well. Yup, I'm perfectly aware how old it is.

The vendor is charging around $25 000 for an upgrade to current system with current components, we can't afford that, so we're gonna "use it till it breaks".

Or maybe there is there any way to get statically linked current openvpn? Maybe some backport?
Compiling anything there is not gonna work, no headers, no compilers, no way.

Anyway - I suppose changing the certificate format is still an easiest and the least invasive solution.

[Pippin]

What if you place (or have) a box running current OpenVPN in front of that old stuff?

[TinCanTech]

Does the output from openvpn --version list the openssl library version and date ?

[boskar]

openvpn --version

Code: Select all

OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

openssl version

Code: Select all

OpenSSL 0.9.7f 22 Mar 2005

What if you place (or have) a box running current OpenVPN in front of that old stuff?

This device needs to work in own local network too, it would probably be possible, yet it sounds really complicated, I'd need to forward ports both ways... I'm afraid that not being aware of the IP assigned might be a problem.

[TinCanTech]

openvpn --version

Code: Select all

OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

openssl version

Code: Select all

OpenSSL 0.9.7f 22 Mar 2005

No chance ..

What if you place (or have) a box running current OpenVPN in front of that old stuff?

Only option.

it sounds really complicated, I'd need to forward ports both ways... I'm afraid ... etc

The vendor is charging around $25 000 for an upgrade

So would I ..

[boskar]

Maybe I should downgrade openvpn/easyrsa?
Maybe pre-shared key solution would work... I will give it a try. The box is not a convenient solution.

Anyway - I don't fully understand why it is not working,regarding the fact it worked with other server (for sure not a recent build, but not THAT old).
it is because of the openssl cipher used in the key? The leght? Or it is just the format of the key, header, some kind of metadata?

[TinCanTech]

If you use that old VPN setup then you may aswell send your data in clear text.

[boskar]

I would, unfortunately there is no way to set up a tcp socket over that many routers and SNATs.

That's why I need vpn, I don't need openvpn to provide _any_ security in this scenario.

[TinCanTech]

there is no way to set up a tcp socket over that many routers and SNATs.

That's why I need vpn

Because OpenVPN is simply magic ..

[boskar]

The obvious magic is that over single UDP port behind a nat and routers with private subnets, I could access all ports both ways at once.

[TinCanTech]

https://community.openvpn.net/openvpn/w ... nPage#lbBC

That's probably the simplest option.

[boskar]

Code: Select all

On bob:

    openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9 

On alice:

    openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9

But what if I'm behind a NAT?

[TinCanTech]

But what if I'm behind a NAT?

The usual solution ..

[boskar]

The usual solution is to setup openvpn in client-server mode ; )