Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 5:28 pm
by boskar
Hello,
I'm starting with my openvpn server, after years of being client-only user.
I've successfully connected my current linux box to the server using more-or-less default sample configuration and howto.
The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option.
First I needed to comment out remote-cert-tls server, ok, less secure.
But then as I've tried to start openvpn the following error occurred:
Code:
Cannot load private key file <cut>.key: error:0607607D:digital envelope routines:PKCS5_v2_PBE_keyivgen:unsupported prf: error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error: error:2306A075:PKCS12 routines:PKCS12_decrypt_d2i:pkcs12 pbe crypt error: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
The password I've provided is correct, it worked at the current openvpn.
This openvpn is working as a client for other server successfully.
Can I change the certificate to make it compatible with that old openvpn? Is it possible? This key is generated with easyrsa 3.0.6. The server is 2.4.7.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 5:36 pm
by TinCanTech
boskar wrote: ↑Sat May 30, 2020 5:28 pm
The problem is I've got a host I need to connect which has OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
and update is not an option
Why not ?
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 5:44 pm
by boskar
Let's say this PC is a part of old, complicated system, which back then was expensive.
If I could get a statically linked openvpn it might work; upgrading one package in this system without breaking what it was designed for is probably impossible.
In fact I was surprised I found any version of openvpn there, and even more surprised it works with the openvpn server I usually connect to.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 5:46 pm
by TinCanTech
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 5:57 pm
by boskar
The kernel 2.6.15 is probably not supported as well. Yup, I'm perfectly aware how old it is.
The vendor is charging around $25 000 for an upgrade to current system with current components, we can't afford that, so we're gonna "use it till it breaks".
Or maybe is there any way to get a statically linked current openvpn? Maybe some backport?
Compiling anything there is not gonna work, no headers, no compilers, no way.
Anyway - I suppose changing the certificate format is still the easiest and the least invasive solution.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 6:02 pm
by Pippin
What if you place (or have) a box running current OpenVPN in front of that old stuff?
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 6:03 pm
by TinCanTech
Does the output from openvpn --version list the openssl library version and date ?
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 6:14 pm
by boskar
openvpn --version
Code:
OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
openssl version
What if you place (or have) a box running current OpenVPN in front of that old stuff?
This device needs to work in its own local network too. It would probably be possible, yet it sounds really complicated, I'd need to forward ports both ways... I'm afraid that not being aware of the IP assigned might be a problem.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 7:05 pm
by TinCanTech
boskar wrote: ↑Sat May 30, 2020 6:14 pm
openvpn --version
Code:
OpenVPN 2.0.7 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 12 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
openssl version
No chance ..
Pippin wrote: ↑Sat May 30, 2020 6:02 pm
What if you place (or have) a box running current OpenVPN in front of that old stuff?
Only option.
boskar wrote: ↑Sat May 30, 2020 6:14 pm
it sounds really complicated, I'd need to forward ports both ways... I'm afraid ... etc
boskar wrote: ↑Sat May 30, 2020 5:57 pm
The vendor is charging around $25 000 for an upgrade
So would I ..
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 7:38 pm
by boskar
Maybe I should downgrade openvpn/easyrsa?
Maybe pre-shared key solution would work... I will give it a try. The box is not a convenient solution.
Anyway - I don't fully understand why it is not working, regarding the fact it worked with other server (for sure not a recent build, but not THAT old).
Is it because of the openssl cipher used in the key? The length? Or is it just the format of the key, header, some kind of metadata?
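Added example, not part of the thread: the error quoted in the first post names an unsupported PRF in PKCS#5 v2 key derivation, which is a property of how the private key file is encrypted. This Python script reports the container, encryption scheme and PBKDF2 PRF of a PEM private key; the function names are hypothetical, and `sample_pem` builds a constructed EncryptedPrivateKeyInfo with dummy salt, IV and ciphertext.

```python
import base64
import re

OID_PBES2 = bytes.fromhex("06092a864886f70d01050d")   # 1.2.840.113549.1.5.13
OID_PBKDF2 = bytes.fromhex("06092a864886f70d01050c")  # 1.2.840.113549.1.5.12
PRF_PREFIX = bytes.fromhex("06082a864886f70d02")      # 1.2.840.113549.2.<arc>
HMAC = {7: "hmacWithSHA1", 9: "hmacWithSHA256", 11: "hmacWithSHA512"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (value, next_pos) of the DER element starting at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def classify_key(pem_text):
    """Return (container, encryption scheme, PBKDF2 PRF) for a PEM private key."""
    m = PEM_RE.search(pem_text)
    if not m or not m.group(1).endswith("PRIVATE KEY"):
        raise ValueError("no PEM private key found")
    label, body = m.groups()
    if label == "PRIVATE KEY":
        return ("PKCS#8", "none", None)
    if label != "ENCRYPTED PRIVATE KEY":  # traditional, e.g. "RSA PRIVATE KEY"
        return ("traditional", "DEK-Info" if "4,ENCRYPTED" in body else "none", None)
    outer, _ = read_tlv(base64.b64decode("".join(body.split())))
    algid, _ = read_tlv(outer)  # encryptionAlgorithm only, never the ciphertext
    if OID_PBES2 not in algid:
        return ("PKCS#8", "not PBES2", None)
    i = algid.find(PRF_PREFIX)  # PBKDF2 defaults to hmacWithSHA1 if prf is absent
    prf = HMAC.get(algid[i + len(PRF_PREFIX)], "unknown") if i >= 0 else "hmacWithSHA1"
    return ("PKCS#8", "PBES2", prf)

def tlv(tag, *parts):
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)  # short-form length

def sample_pem(prf_arc=None):
    """Constructed EncryptedPrivateKeyInfo: dummy salt, IV and ciphertext."""
    prf = tlv(0x30, PRF_PREFIX + bytes([prf_arc]), b"\x05\x00") if prf_arc else b""
    kdf = tlv(0x30, OID_PBKDF2, tlv(0x30, tlv(0x04, bytes(8)), b"\x02\x02\x08\x00", prf))
    enc = tlv(0x30, bytes.fromhex("060960864801650304012a"), tlv(0x04, bytes(16)))
    der = tlv(0x30, tlv(0x30, OID_PBES2, tlv(0x30, kdf, enc)), tlv(0x04, bytes(16)))
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{b64}-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(classify_key(sample_pem(9)))
```

The PRF field it reports is the one the `unsupported prf` part of the error refers to.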
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 7:45 pm
by TinCanTech
If you use that old VPN setup then you may as well send your data in clear text.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 8:09 pm
by boskar
I would, unfortunately there is no way to set up a tcp socket over that many routers and SNATs.
That's why I need vpn, I don't need openvpn to provide _any_ security in this scenario.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 8:14 pm
by TinCanTech
boskar wrote: ↑Sat May 30, 2020 8:09 pm
there is no way to set up a tcp socket over that many routers and SNATs.
That's why I need vpn
Because OpenVPN is simply magic ..
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 8:34 pm
by boskar
The obvious magic is that over single UDP port behind a nat and routers with private subnets, I could access all ports both ways at once.
Re: Old openvpn client with current easyrsa certificate
Posted: Sat May 30, 2020 9:02 pm
by TinCanTech
Re: Old openvpn client with current easyrsa certificate
Posted: Sun May 31, 2020 6:58 am
by boskar
Code:
On bob:
openvpn --remote alice.example.com --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
On alice:
openvpn --remote bob.example.com --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
But what if I'm behind a NAT?
Re: Old openvpn client with current easyrsa certificate
Posted: Sun May 31, 2020 11:23 am
by TinCanTech
boskar wrote: ↑Sun May 31, 2020 6:58 am
But what if I'm behind a NAT?
The usual solution ..
Re: Old openvpn client with current easyrsa certificate
Posted: Sun May 31, 2020 2:17 pm
by boskar
The usual solution is to setup openvpn in client-server mode ; )