From: Arne Schwabe Date: Tue, 14 Jan 2025 13:49:09 +0000 (+0100) Subject: Improve peer fingerprint documentation X-Git-Tag: v2.7_alpha1~121 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb9fdc8479a2744b9db95ef8ef97222ee86454fd;p=thirdparty%2Fopenvpn.git Improve peer fingerprint documentation - fix typo in peer-fingerprint - use ec_paramgen_curve instead of requiring a subshell Note: we still use -nodes instead of -noenc as it is more compatible. Github: closes OpenVPN/openvpn#666 Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20250114134909.31334-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30447.html Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/example-fingerprint.rst index 7cdda1905..31ca0c16f 100644 --- a/doc/man-sections/example-fingerprint.rst +++ b/doc/man-sections/example-fingerprint.rst @@ -18,7 +18,7 @@ Server setup 2. Generate a self-signed certificate for the server: :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server' 3. Generate SHA256 fingerprint of the server certificate @@ -28,7 +28,7 @@ Server setup openssl x509 -fingerprint -sha256 -in server.crt -noout - This output something similar to: + This outputs something similar to: :: SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff 
@@ -64,6 +64,12 @@ Server setup # Ping every 60s, restart if no data received for 5 minutes keepalive 60 300 + # Uncomment the line below if you want to have persistent IP addresses + # ifconfig-pool-persist /etc/openvpn/server/ipp.txt + + # Uncomment the line below to push a DNS server to clients + # push "dhcp-option DNS 1.1.1.1" + 5. Add at least one client as described in the client section. 6. Start the server. @@ -85,7 +91,7 @@ Adding a client different name for each client. :: - openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice' + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice' This generate a certificate and a key for the client. The output of the command will look something like this: @@ -162,7 +168,7 @@ Adding a client ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33 - + 6. (optional) if the client is an older client that does not support the :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3
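Review bot: in the server-setup hunk at @@ -18,7 the new `-newkey ec -pkeyopt ec_paramgen_curve:secp384r1` form is the right fix for the bash-only `<(...)` process substitution, but the surrounding text should make one consequence explicit: step 3 fingerprints the certificate file just generated (`openssl x509 -fingerprint -sha256 -in server.crt`), so re-running step 2 yields a new server.crt and every `peer-fingerprint` entry clients hold for the old certificate stops matching. One sentence saying that server.crt and server.key must be kept (and backed up) for the certificate's whole 3650-day lifetime would prevent a common self-inflicted lockout.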
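Review bot: the two commented-out lines added at @@ -64,6 each need a caveat. `ifconfig-pool-persist /etc/openvpn/server/ipp.txt` is rewritten by the running daemon, so if the example config drops privileges with `user`/`group`, that path must be writable by the unprivileged account or the persistence file is never updated; the comment should say so. `push "dhcp-option DNS 1.1.1.1"` hard-codes one specific public resolver; a placeholder such as `push "dhcp-option DNS <resolver-ip>"` avoids reading as an endorsement, and the comment should mention that on non-Windows clients a pushed `dhcp-option` is only exported to the environment for an `--up` script rather than applied automatically, so the line alone will not change the client's resolver there.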
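Review bot: the client command at @@ -85,7 also adds `-keyout -`, which the commit message's bullet list does not mention; since that is what makes the unencrypted private key appear on stdout together with the certificate (the output the following paragraph describes), it deserves its own bullet. The unchanged context line right after the hunk, "This generate a certificate and a key for the client", has the same kind of typo this commit fixes elsewhere and should read "This generates". Because the key is printed unencrypted to the terminal, a short note that it should be pasted straight into the client config and not left in terminal scrollback or a session transcript would fit here.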
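Review bot: the hunk at @@ -162,7 is a trailing-whitespace-only change to an otherwise empty line; harmless, but it is not covered by either bullet in the commit message, so either mention it there or drop it from this change so the diff matches what the message says.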