EFW Support

Support => VPN Support => Topic started by: mrt on Saturday 10 April 2010, 11:35:31 pm



Title: Use OpenVPN certificates from another OpenVPNserver ?
Post by: mrt on Saturday 10 April 2010, 11:35:31 pm
Hi,

Today I'm running ClarkConnect/ClearFoundation/OS 5.1 Enterprise and would like to change it to Endian Gateway, the main reason being that ClearOS has begun to charge money for IDS updates and so on.

On my ClearOS I'm running OpenVPN with 5 clients, and on the server my certificates are generated with OpenVPN (Windows) and they are in the "default" OpenVPN format: ca.key and ca.crt, server.key and server.crt.

I hope that I don't have to change the certificates on the clients.

My questions are:

Is it possible to "convert/export/import" the certificates from the ClearOS OpenVPN server and let my new Endian Gateway have them? Could anyone give a short "HowTo"/tips on how to do it, or has anyone done that before?
I see that on the Endian the certificates have a .pem extension; what is the difference?

Regards from Norway


Title: Re: Use OpenVPN certificates from another OpenVPNserver ?
Post by: mrkroket on Sunday 11 April 2010, 03:24:39 am
I was able to move the certs from one Endian to another, but I haven't tested it from a 3rd-party firewall.

OpenVPN certs and config are in /var/efw/openvpn. There are more certs in /etc/openvpn/ca.
Also, if you have time, check out the innards of the openvpn start script, /usr/local/bin/restartopenvpn.py
The first lines give you all the info about certs and openvpn config.

About the .pem extension, just open your file and see if they are similar.


Title: Re: Use OpenVPN certificates from another OpenVPNserver ?
Post by: mrt on Sunday 11 April 2010, 07:18:59 am
Ok, thanks for the information. :-) It clears it up a little bit, but I'm still a little confused.

The names are "static" in some script files. If I want to generate new CA files, how could I do that in Endian? For security reasons (as told in the docs @ the official OpenVPN webpage) I want to use the "common name".

Like: ns-cert-type server (server is one "common name")
Also: tls-auth ////ta.key 1

These are not in the files that are generated when starting the OpenVPN server. When I create a client account, there are no "client1.pem/crt/key" files in the system, as far as I found.

Is anyone using "self-signed/self-made" certs in Endian?
Are there more docs on how OpenVPN works with certificates on an Endian GW (gateway)?

All help will be great. :-)

PS: mrkroket, do you have an example of what a client config file of yours looks like?

Regards



Title: Re: Use OpenVPN certificates from another OpenVPNserver ?
Post by: mrt on Monday 12 April 2010, 06:43:39 am
Ping.....


Title: Re: Use OpenVPN certificates from another OpenVPNserver ?
Post by: mrkroket on Wednesday 14 April 2010, 02:12:58 am
Client config is like this:
client
dev tap
proto udp
remote <<<Endian Firewall IP>>>
resolv-retry infinite
nobind
persist-key
persist-tun
ca <<<Endian Firewall Certificate>>>
auth-user-pass
comp-lzo


Save it as Config.ovpn and place it in the %programfiles%\OpenVPN\config folder. You also need to place the certificate in that path.

About the static names, yes, but you can change them since they are loaded into variables. Never tested it though, but simply make a backup of the restart script.

The firewall.pem certificate you can save from the web page is the one located at /var/efw/openvpn/cacert.pem
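An added example, not from this thread or from Endian's own scripts, for the .pem-versus-.crt question above and for checking what a CA file actually holds before it is handed to clients with the "ca" line of the client config; it uses only the Python standard library, and the sample PEM body is constructed, not a real certificate:

```python
import re
import ssl

# Constructed, syntactically valid PEM body (NOT a real certificate). It decodes to
# bytes starting 0x30 0x82, the ASN.1 SEQUENCE header every X.509 certificate has.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBAQIDBAUGBwgJCgsMDQ4PEA==\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Za-z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_encoding(data: bytes) -> str:
    """Classify file contents; the extension (.crt/.pem/.key) says nothing about this."""
    if b"-----BEGIN " in data:
        return "PEM"          # base64 text between BEGIN/END armour lines
    if data[:1] == b"\x30":
        return "DER"          # raw ASN.1 SEQUENCE, as some Windows tools write .crt
    return "unknown"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armour and base64-decode (ssl does not parse the certificate here)."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


def der_to_pem(der: bytes) -> str:
    """Re-armour a DER certificate as PEM, the form Endian keeps under /var/efw/openvpn."""
    return ssl.DER_cert_to_PEM_cert(der)


def inventory(pem_text: str) -> dict:
    """Count block types in a PEM file, e.g. {'CERTIFICATE': 1, 'PRIVATE KEY': 1}."""
    counts: dict = {}
    for match in PEM_BLOCK.finditer(pem_text):
        kind = match.group(1)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def safe_for_clients(pem_text: str) -> bool:
    """True only if the file holds certificates and no secret material: the file on the
    client's 'ca' line must never carry a private key or the tls-auth static key."""
    counts = inventory(pem_text)
    secret = [k for k in counts if "PRIVATE KEY" in k or "Static key" in k]
    return "CERTIFICATE" in counts and not secret
```

Run detect_encoding on ca.crt and cacert.pem from both servers: if both report PEM, the files differ only in name; a DER .crt goes through der_to_pem before it is dropped into Endian's directory.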