Answer the question
In order to leave comments, you need to log in
D
D
Dmitriy Loginov2021-12-21 09:56:31
Dmitriy Loginov, 2021-12-21 09:56:31
How to safely spoof an OpenVPN server?
Hello.
There is a working OpenVPN server on FreeBSD 11.4 Every day from 10 to 50 people use it, in total there are about a hundred users. Authorization is configured by login - password. At clients to a config of connection certificates are registered.
There is a desire to transfer the server to Ubuntu, but I would not like to change the configs of the clients at all. On the test server, I configured everything so that I can connect with the same config, only by specifying the IP address of the test VPN server.
client config
client
tls-client
dev tun
proto tcp-client
remote ip_add-server 1194
remote-cert-tls server
nobind
persist-key
persist-tun
auth-user-pass
reneg-sec 0
route-delay 2
verb 3
auth SHA1
cipher AES-256-CBC
auth-nocache
ca
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
/ca
key-direction 1
tls-auth
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
/tls-auth
#tls-auth ta.key 1
client
tls-client
dev tun
proto tcp-client
remote ip_add-server 1194
remote-cert-tls server
nobind
persist-key
persist-tun
auth-user-pass
reneg-sec 0
route-delay 2
verb 3
auth SHA1
cipher AES-256-CBC
auth-nocache
ca
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
/ca
key-direction 1
tls-auth
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
/tls-auth
#tls-auth ta.key 1
So, in order to connect with the same config on the new server, I had to replace the files
ca.crt
server.crt
dh.pem
server.key
ta.key
Taking them from the old server
Is it normal, safe to do such a substitution? Or is it still better to leave the "native" certificates and change the connection configs for all users?
3 answer(s)
@res2001
@CityCat4
Well, of course. Otherwise, you will have to send notifications to everyone - dudes, download a new server certificate and change it for yourself.
I don’t know why ta.key and dh.pem could not be changed - let the new instance generate a new constant for itself, but server.crt and server.key were correctly replaced. ca.crt is just a root certificates file
R
res2001, 2021-12-21 @res2001
Absolutely normal. These are your certificates. On the old server, you generated them yourself (well, or the one who was in your place and set up OpenVPN). OpenVPN itself has no other certificates other than the ones you provide to it.
In principle, for a new server, you could generate other certificates (server.crt and server.key files) that do not need to be transferred to the client. So it would be absolutely correct (but it is also quite possible to use the keys of the old server). To generate, you will need the CA private key (ca.key), if it is not there, then it is no longer possible to generate new keys. And in this case, you will run into a problem when the certificates expire. In general, in the entire infrastructure of encryption keys, the CA key and certificate are the most valuable components, the rest can be easily changed.
C
CityCat4, 2021-12-21 @CityCat4
i had to replace the files
Well, of course. Otherwise, you will have to send notifications to everyone - dudes, download a new server certificate and change it for yourself.
I don’t know why ta.key and dh.pem could not be changed - let the new instance generate a new constant for itself, but server.crt and server.key were correctly replaced. ca.crt is just a root certificates file
Similar questions
V
R
I
N
D
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question