LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 09-20-2009, 11:00 AM   #16
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30

Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install

Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 16:59:22 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 16:59:22 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 16:59:22 2009 Exiting
[root@localhost easy-rsa]#
 
Old 09-20-2009, 11:02 AM   #17
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Are you planning to log into the VPN server using MSN? Normally you would have the openvpn client (including software) wherein you specify the server name along with the port.

Regards,

--
Prasanta
No, I'll be using the VPN client, but what I mean is that the port MSN uses must connect to the MSN server at some point on 1080? How can it do that if my VPN server does not have port 1080 open?

Last edited by qwertyjjj; 09-20-2009 at 11:05 AM.
 
Old 09-20-2009, 11:08 AM   #18
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
It will create a tunnel between the client and the server. The users logged in using VPN will be able to go out via the same rules that you have placed for your LAN. In case MSN is blocked from your LAN, the same will be true for VPN clients also.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:10 AM   #19
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
It will create a tunnel between the client and the server. The users logged in using VPN will be able to go out via the same rules that you have placed for your LAN. In case MSN is blocked from your LAN, the same will be true for VPN clients also.

Regards,

--
Prasanta

But since I can't possibly know all the client ports and the software that they will be running, in order to allow a client to use the VPN I would have to leave every port open on my server, both outgoing and incoming. That's kind of dangerous.

Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install

Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 16:59:22 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 16:59:22 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 16:59:22 2009 Exiting
[root@localhost easy-rsa]#

Last edited by qwertyjjj; 09-20-2009 at 11:15 AM.
 
Old 09-20-2009, 11:16 AM   #20
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Nope, you don't need to open each and every port. When a client logs in via VPN, only the services that are there in your LAN will be accessible. As an example, in case you have blocked FTP for your LAN, a user connected via VPN will not be able to use FTP.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:26 AM   #21
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Nope, you don't need to open each and every port. When a client logs in via VPN, only the services that are there in your LAN will be accessible. As an example, in case you have blocked FTP for your LAN, a user connected via VPN will not be able to use FTP.

Regards,

--
Prasanta
So, could someone connected via VPN get into my SQL server and my server files?
I only want them to connect via VPN so they can have a country specific IP address. This is mainly for HTTP requests but there are some sites that the proxy server will not work for so they have to use VPN.
At present I have every outgoing port open, so that would be okay, but some servers respond on different ports incoming. How can a VPN be secure if many ports have to be open just for certain applications to work? If I have 100 clients using VPN, it is impossible for me to list all the different applications and ports that they could want to use, no? This then also opens up my server to someone trying to hack into it?
 
Old 09-20-2009, 11:29 AM   #22
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Quote:
Any ideas on how to get the server started?
I have followed the instructions on:
http://www.openvpn.net/index.php/ope...o.html#install
The sample server.conf file has a lot of parameters in it. Just open the file and check the required files. In your case, the Diffie-Hellman parameters are missing and hence it is throwing out an error. Just create those along with the certificates, and then start.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:38 AM   #23
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Yes, anyone connected via VPN can access your whole LAN until you put some access restrictions on VPN users. As you have said, you cannot keep track of each and every application that the client is using and open the port simultaneously. That defeats the purpose of using a VPN. Normally, why would people use a VPN? The most probable answer is to get data from the LAN and access things which are not accessible from the Internet, like an intranet website, for example. In case they want to use some application which you have restricted in your LAN, better ask them to log off from the VPN and use their own Internet.

Regards,

--
Prasanta
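The point made in #23, that a tunnel client can reach the host and everything behind it unless the server restricts it, is normally handled with host firewall rules rather than by enumerating application ports. What follows is an added example, not code from this thread or from the OpenVPN project: an iptables policy for the use case described here, where clients get NAT'd Internet egress through the server and nothing else. It assumes the tunnel interface is tun0, the public interface is eth0, the client pool is 10.8.0.0/24 and the service listens on UDP 1194 (the defaults of the sample server.conf; none of these values are stated in the thread). It adds to whatever INPUT rules the host already has for eth0 (SSH, HTTP, Plesk) and does not replace them.

```shell
#!/bin/sh
# Added example: firewall policy for an OpenVPN server whose tunnel clients
# should only get Internet egress, never the host's own services or its LAN.
# Assumed values (not given in the thread): tun0, eth0, 10.8.0.0/24, UDP 1194.
TUN=${TUN:-tun0}
WAN=${WAN:-eth0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_PORT=${VPN_PORT:-1194}

# run CMD...: execute the command, or print it when DRY_RUN=1 so the
# resulting policy can be reviewed before anything on the host changes.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_vpn_policy() {
    # Routing must be on for clients to go out through the host at all.
    run sysctl -w net.ipv4.ip_forward=1

    # From the Internet, the only new service reachable is OpenVPN itself.
    run iptables -A INPUT -i "$WAN" -p udp --dport "$VPN_PORT" -j ACCEPT

    # Tunnel clients get nothing from the host: replies to traffic the host
    # itself started are fine, every new connection (SQL, Plesk, SSH, ...)
    # is dropped. The OpenVPN control channel arrives on $WAN, not $TUN,
    # so this does not break the VPN.
    run iptables -A INPUT -i "$TUN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$TUN" -j DROP

    # Client traffic is forwarded out to the Internet and back, with the
    # source rewritten to the host's public address (the "country specific
    # IP" use case). Nothing else leaves the tunnel, so clients cannot reach
    # each other or any LAN behind the server.
    run iptables -A FORWARD -i "$TUN" -o "$WAN" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$TUN" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN" -j DROP
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN" -j MASQUERADE
}

# show_policy: print the commands without running them.
show_policy() {
    ( DRY_RUN=1; apply_vpn_policy )
}

# count_rules: number of iptables commands in the policy, a quick sanity
# check that the generated rule set is complete (7 rules).
count_rules() {
    show_policy | grep -c '^iptables'
}

case "${1:-}" in
    show)  show_policy ;;
    apply) apply_vpn_policy ;;
esac
```

Run `sh vpn-policy.sh show` to review the generated commands and `sh vpn-policy.sh apply` as root once they look right. The INPUT drop on tun0 is what answers the SQL and server-files question: a client can send packets down the tunnel to the server's tunnel address, but no new connection from that interface is accepted, whatever port the client tries. Application ports never need to be listed, because the FORWARD rules pass every outbound client connection and only its replies, which is all the egress use case needs.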
 
Old 09-20-2009, 11:42 AM   #24
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
The sample server.conf file has a lot of parameters in it. Just open the file and check the required files. In your case, the Diffie-Hellman parameters are missing and hence it is throwing out an error. Just create those along with the certificates, and then start.

Regards,

--
Prasanta
I created the Diffie-Hellman config here:
Code:
[root@localhost keys]# ls -l
total 68
-rw-r--r-- 1 root root 3693 Sep 20 17:07 01.pem
-rw-r--r-- 1 root root 3589 Sep 20 17:08 02.pem
-rw-r--r-- 1 root root 1257 Sep 20 17:07 ca.crt
-rw------- 1 root root  887 Sep 20 17:07 ca.key
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw-r--r-- 1 root root  220 Sep 20 17:08 index.txt
-rw-r--r-- 1 root root   20 Sep 20 17:08 index.txt.attr
-rw-r--r-- 1 root root   21 Sep 20 17:07 index.txt.attr.old
-rw-r--r-- 1 root root  110 Sep 20 17:07 index.txt.old
-rw-r--r-- 1 root root 3589 Sep 20 17:08 my.cert.crt
-rw-r--r-- 1 root root  688 Sep 20 17:08 my.cert.csr
-rw------- 1 root root  887 Sep 20 17:08 my.cert.key
-rw-r--r-- 1 root root    3 Sep 20 17:08 serial
-rw-r--r-- 1 root root    3 Sep 20 17:07 serial.old
-rw-r--r-- 1 root root 3693 Sep 20 17:07 server.crt
-rw-r--r-- 1 root root  688 Sep 20 17:07 server.csr
-rw------- 1 root root  887 Sep 20 17:07 server.key
[root@localhost keys]#
The server.conf file has this:
Code:
# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem

Last edited by qwertyjjj; 09-20-2009 at 11:44 AM.
 
Old 09-20-2009, 11:46 AM   #25
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Your server.conf is sitting at /etc/openvpn/easy-rsa/, while dh1024.pem is sitting in another location. Just move it to the former and it should start.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:51 AM   #26
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Your server.conf is sitting at /etc/openvpn/easy-rsa/, while dh1024.pem is sitting in another location. Just move it to the former and it should start.

Regards,

--
Prasanta
Sorry for all the questions.
No, that didn't help either.

Code:
[root@localhost easy-rsa]# mv /etc/openvpn/easy-rsa/server.conf /etc/openvpn/easy-rsa/keys/server.conf
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/keys/server.conf
Sun Sep 20 17:49:35 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:49:35 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Sun Sep 20 17:49:35 2009 Exiting
[root@localhost easy-rsa]# cd keys
[root@localhost keys]# ls -l
total 80
-rw-r--r-- 1 root root 3693 Sep 20 17:07 01.pem
-rw-r--r-- 1 root root 3589 Sep 20 17:08 02.pem
-rw-r--r-- 1 root root 1257 Sep 20 17:07 ca.crt
-rw------- 1 root root  887 Sep 20 17:07 ca.key
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw-r--r-- 1 root root  220 Sep 20 17:08 index.txt
-rw-r--r-- 1 root root   20 Sep 20 17:08 index.txt.attr
-rw-r--r-- 1 root root   21 Sep 20 17:07 index.txt.attr.old
-rw-r--r-- 1 root root  110 Sep 20 17:07 index.txt.old
-rw-r--r-- 1 root root 3589 Sep 20 17:08 my.cert.crt
-rw-r--r-- 1 root root  688 Sep 20 17:08 my.cert.csr
-rw------- 1 root root  887 Sep 20 17:08 my.cert.key
-rw-r--r-- 1 root root    3 Sep 20 17:08 serial
-rw-r--r-- 1 root root    3 Sep 20 17:07 serial.old
-rw-r--r-- 1 root root 9968 Sep 20 16:55 server.conf
-rw-r--r-- 1 root root 3693 Sep 20 17:07 server.crt
-rw-r--r-- 1 root root  688 Sep 20 17:07 server.csr
-rw------- 1 root root  887 Sep 20 17:07 server.key
[root@localhost keys]#
I moved it the other way round as well but got this:

Code:
[root@localhost easy-rsa]# mv /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/easy-rsa/dh1024.pem
[root@localhost easy-rsa]# ls -l
total 108
drwxr-xr-x 2 root root 4096 Sep 20 16:21 2.0
-rwxr-xr-x 1 root root  242 Sep 20 16:21 build-ca
-rwxr-xr-x 1 root root  228 Sep 20 16:21 build-dh
-rw-r--r-- 1 root root  529 Sep 20 16:21 build-inter
-rwxr-xr-x 1 root root  516 Sep 20 16:21 build-key
-rw-r--r-- 1 root root  424 Sep 20 16:21 build-key-pass
-rw-r--r-- 1 root root  695 Sep 20 16:21 build-key-pkcs12
-rwxr-xr-x 1 root root  662 Sep 20 16:21 build-key-server
-rw-r--r-- 1 root root  466 Sep 20 16:21 build-req
-rw-r--r-- 1 root root  402 Sep 20 16:21 build-req-pass
-rwxr-xr-x 1 root root  280 Sep 20 16:21 clean-all
-rw-r--r-- 1 root root  245 Sep 20 17:38 dh1024.pem
-rw------- 1 root root    0 Sep 20 16:59 ipp.txt
drwx------ 2 root root 4096 Sep 20 17:48 keys
-rw-r--r-- 1 root root  264 Sep 20 16:21 list-crl
-rw-r--r-- 1 root root  268 Sep 20 16:21 make-crl
-rw-r--r-- 1 root root 7487 Sep 20 16:21 openssl.cnf
-rw------- 1 root root    0 Sep 20 17:41 openvpn-status.log
-rw-r--r-- 1 root root 6075 Sep 20 16:21 README
-rw-r--r-- 1 root root  268 Sep 20 16:21 revoke-crt
-rw-r--r-- 1 root root  593 Sep 20 16:21 revoke-full
-rw-r--r-- 1 root root 9968 Sep 20 16:55 server.conf
-rw-r--r-- 1 root root  411 Sep 20 16:21 sign-req
-rw-r--r-- 1 root root 1273 Sep 20 16:30 vars
drwxr-xr-x 2 root root 4096 Sep 20 16:21 Windows
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 17:48:23 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:48:23 2009 Diffie-Hellman initialized with 1024 bit key
Sun Sep 20 17:48:23 2009 Cannot load certificate file server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 20 17:48:23 2009 Exiting

Last edited by qwertyjjj; 09-20-2009 at 11:52 AM.
 
Old 09-20-2009, 11:53 AM   #27
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Have you installed the lzo package? The other way round is to comment out the line and then start it.

Regards,

--
Prasanta
 
Old 09-20-2009, 11:55 AM   #28
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Have you installed the lzo package? The other way round is to comment out the line and then start it.

Regards,

--
Prasanta
lzo?

the error was:
If I put server.conf in the keys folder, then it doesn't load the Diffie-Hellman file. It's a circle!
Code:
[root@localhost easy-rsa]# openvpn /etc/openvpn/easy-rsa/server.conf
Sun Sep 20 17:48:23 2009 OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar  8 2007
Sun Sep 20 17:48:23 2009 Diffie-Hellman initialized with 1024 bit key
Sun Sep 20 17:48:23 2009 Cannot load certificate file server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Sep 20 17:48:23 2009 Exiting

Last edited by qwertyjjj; 09-20-2009 at 11:59 AM.
 
Old 09-20-2009, 11:59 AM   #29
prasanta
Member
 
Registered: Mar 2005
Location: India
Distribution: Debian
Posts: 368

Rep: Reputation: 37
Comment out that line and then try to start.

Regards,

--
Prasanta
 
Old 09-20-2009, 12:00 PM   #30
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by prasanta View Post
Comment out that line and then try to start.

Regards,

--
Prasanta
Sorry, which line?
The server needs Diffie-Hellman and server.crt, so they should both be present, shouldn't they?
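The two failures in #26 and #28 have one cause that the thread never spells out: OpenVPN 2.x opens a bare file name such as `dh dh1024.pem` or `cert server.crt` relative to the daemon's current working directory (or the directory named by a `cd` directive in the config), not relative to the directory that holds server.conf. Started from /etc/openvpn/easy-rsa with the files in keys/, nothing is found; moving one file at a time only moves the error to the next directive, which is the "circle" in #28. The usual fix is absolute paths in server.conf, or a `cd /etc/openvpn/easy-rsa/keys` line at the top of it. The script below is an added example, not from this thread or from the OpenVPN project: it resolves the file directives the way the daemon does, reports which files are missing, and rewrites a config to absolute paths. The directory layout it builds is constructed to mirror the listings above, with empty placeholder files rather than real keys. (Separately: the 1024-bit DH group and OpenVPN 2.0.9 shown here are well below what a current deployment should run; the sample config's own remark about 2048 bits is the minimum to follow.)

```shell
#!/bin/sh
# Added example: resolve the file directives in an OpenVPN config the way
# the daemon does (relative to the working directory, or to the directory
# named by a 'cd' directive) and report which files cannot be opened.

# file_directives CONFIG: print "directive path" for every directive that
# names a file the daemon must open before it can start.
file_directives() {
    awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="dh"||$1=="tls-auth"||$1=="crl-verify" {print $1, $2}' "$1"
}

# check_paths CONFIG CWD: one line per file directive,
# "<directive> <resolved path> ok|MISSING".
check_paths() {
    conf=$1
    cwd=$2
    # A 'cd' directive overrides the directory the daemon was started from.
    base=$(awk '$1=="cd"{print $2; exit}' "$conf")
    [ -n "$base" ] && cwd=$base
    file_directives "$conf" | while read -r directive path; do
        case $path in
            /*) resolved=$path ;;
            *)  resolved=$cwd/$path ;;
        esac
        if [ -f "$resolved" ]; then
            echo "$directive $resolved ok"
        else
            echo "$directive $resolved MISSING"
        fi
    done
}

# count_missing CONFIG CWD: number of directives whose file cannot be opened.
count_missing() {
    check_paths "$1" "$2" | grep -c MISSING || true
}

# make_absolute CONFIG DIR: print a copy of CONFIG in which relative file
# names are prefixed with DIR, so the daemon starts from any directory
# (including from an init script, whose cwd is not easy-rsa).
make_absolute() {
    awk -v dir="$2" '
        ($1=="ca"||$1=="cert"||$1=="key"||$1=="dh"||$1=="tls-auth"||$1=="crl-verify") && $2 !~ /^\// {
            $2 = dir "/" $2
        }
        { print }' "$1"
}

# make_fixture: build a constructed copy of the layout from the thread
# (empty placeholder files, no real keys) and print its path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/easy-rsa/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do
        : > "$tmp/easy-rsa/keys/$f"
    done
    printf 'port 1194\nproto udp\ndev tun\nca ca.crt\ncert server.crt\nkey server.key\ndh dh1024.pem\n' \
        > "$tmp/easy-rsa/server.conf"
    echo "$tmp"
}

# demo: reproduce the situations from the thread and the fix.
demo() {
    fx=$(make_fixture)
    echo "== server.conf run from easy-rsa/ (post #16):"
    check_paths "$fx/easy-rsa/server.conf" "$fx/easy-rsa"
    echo "== dh1024.pem moved up to easy-rsa/ (post #26):"
    cp "$fx/easy-rsa/keys/dh1024.pem" "$fx/easy-rsa/"
    check_paths "$fx/easy-rsa/server.conf" "$fx/easy-rsa"
    echo "== config rewritten to absolute paths, run from / :"
    make_absolute "$fx/easy-rsa/server.conf" "$fx/easy-rsa/keys" > "$fx/server-abs.conf"
    check_paths "$fx/server-abs.conf" /
    rm -rf "$fx"
}

case "${1:-}" in
    demo) demo ;;
esac
```

`sh check-openvpn-paths.sh demo` walks through the three states: all four files MISSING when run from easy-rsa/, only the DH file ok after it is moved up (the exact error sequence in #26), and everything ok once the paths are absolute. To check a real installation, call `check_paths /etc/openvpn/server.conf /etc/openvpn` with the directory the daemon will actually be started from; `make_absolute` is the quickest way to produce a config that no longer depends on it.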
 
All times are GMT -5.