certificates in .pem format, concatenated together. You can construct your own
certificate authority certificate and private key by using a command such as:
-.B openssl req -nodes -new -x509 -keyout tmp-ca.key -out tmp-ca.crt
+.B openssl req -nodes -new -x509 -keyout ca.key -out ca.crt
Then edit your openssl.cnf file and edit the
.B certificate
variable to point to your new root certificate
-.B tmp-ca.crt.
+.B ca.crt.
For testing purposes only, the OpenVPN distribution includes a sample
-CA certificate (tmp-ca.crt).
+CA certificate (ca.crt).
Of course you should never use
the test certificates and test keys distributed with OpenVPN in a
production environment, since by virtue of the fact that
.B --dh
is discussed for more info). You can also use the
included test files client.crt, client.key,
-server.crt, server.key and tmp-ca.crt.
+server.crt, server.key and ca.crt.
The .crt files are certificates/public-keys, the .key
-files are private keys, and tmp-ca.crt is a certification
+files are private keys, and ca.crt is a certification
authority who has signed both
client.crt and server.crt. For Diffie Hellman
parameters you can use the included file dh1024.pem.
.LP
On may:
.IP
-.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
+.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5
.LP
On june:
.IP
-.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
+.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5
.LP
Now verify the tunnel is working by pinging across the tunnel.
.LP
if (parse_line (line, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
{
/* is the push item a route directive? */
- if (p[0] && p[1] && p[2] && !strcmp (p[0], "route"))
+ if (p[0] && !strcmp (p[0], "route") && !p[3])
{
/* get route parameters */
bool status1, status2;
const in_addr_t network = getaddr (GETADDR_HOST_ORDER, p[1], 0, &status1, NULL);
- const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, &status2, NULL);
+ const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL);
/* did route parameters parse correctly? */
if (status1 && status2)
/* does route match an iroute? */
for (ir = o->iroutes; ir != NULL; ir = ir->next)
{
- if (network == ir->network && netmask == netbits_to_netmask (ir->netbits))
+ if (network == ir->network && netmask == netbits_to_netmask (ir->netbits >= 0 ? ir->netbits : 32))
{
copy = false;
break;
verb 3
reneg-sec 10
tls-client
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
key sample-keys/client.key
cert sample-keys/client.crt
cipher DES-EDE3-CBC
reneg-sec 10
tls-server
dh sample-keys/dh1024.pem
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
key sample-keys/server.key
cert sample-keys/server.crt
cipher DES-EDE3-CBC
DON'T USE THEM FOR ANY REAL WORK BECAUSE
THEY ARE TOTALLY INSECURE!
-tmp-ca.{crt,key} -- sample CA key/cert
+ca.{crt,key} -- sample CA key/cert
client.{crt,key} -- sample client key/cert
server.{crt,key} -- sample server key/cert (nsCertType=server)
pass.{crt,key} -- sample client key/cert with password-encrypted key
projects / thirdparty / openvpn.git / commitdiff
