openvpn
Dmitriy Loginov, 2021-12-21 09:56:31

How to safely spoof an OpenVPN server?

Hello.

There is a working OpenVPN server on FreeBSD 11.4. Every day 10 to 50 people use it; in total there are about a hundred users. Authorization is configured by login and password. The certificates are embedded in the clients' connection configs.

I would like to move the server to Ubuntu, but I would not like to change the clients' configs at all. On the test server, I configured everything so that I can connect with the same config, only by specifying the IP address of the test VPN server.

client config:

client
tls-client
dev tun
proto tcp-client
remote ip_add-server 1194
remote-cert-tls server
nobind
persist-key
persist-tun
auth-user-pass
reneg-sec 0
route-delay 2
verb 3
auth SHA1
cipher AES-256-CBC
auth-nocache

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

key-direction 1

<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>

#tls-auth ta.key 1


So, in order to connect with the same config on the new server, I had to replace the following files, taking them from the old server:
ca.crt
server.crt
dh.pem
server.key
ta.key

Is it normal and safe to do such a substitution? Or is it better to leave the "native" certificates and change the connection configs for all users?

3 answers
res2001, 2021-12-21
@res2001

Absolutely normal. These are your certificates. On the old server you generated them yourself (or whoever was in your place and set up OpenVPN did). OpenVPN itself has no certificates other than the ones you provide to it.
In principle, for the new server you could generate other certificates (the server.crt and server.key files), which do not need to be transferred to the clients. That would be entirely correct (but using the old server's keys is also quite possible). To generate them you will need the CA private key (ca.key); if it is not there, it is no longer possible to generate new keys, and in that case you will run into a problem when the certificates expire. In general, in the entire encryption-key infrastructure, the CA key and certificate are the most valuable components; the rest can be changed easily.
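
The checks below are an added example for the migration discussed in this thread; they are not code from the question or from any of the answers. A throwaway CA and a constructed client config stand in for the old server's ca.key/ca.crt and the real .ovpn file, so the script runs offline; all function, file and directory names are this example's own. It shows the option res2001 describes (a new server.crt signed by the existing CA, which unchanged clients accept), the contrasting case of a server cert from a fresh CA (which the clients' embedded ca.crt rejects), an expiry check, and a check that the inline <tls-auth> key in the client config is the same ta.key the new server uses.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$WORK/openssl.cnf"

# Create a toy CA in $1 (stands in for the old server's ca.key / ca.crt).
make_toy_ca() {
  dir="$1"; mkdir -p "$dir"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Toy OpenVPN CA $(basename "$dir")" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a fresh server key/cert in $2, signed by the CA in $1. The client's
# "remote-cert-tls server" line requires the serverAuth EKU, so it is set here.
issue_server_cert() {
  cadir="$1"; out="$2"; mkdir -p "$out"
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn-ubuntu" -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$out/server.ext"
  openssl x509 -req -in "$out/server.csr" -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$out/server.ext" -out "$out/server.crt" 2>/dev/null
}

# 0 if the server cert ($2) chains to the CA file ($1) and is valid as a TLS
# server: the same check an unchanged client <ca> block performs on connect.
verify_against_client_ca() {
  openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# 0 if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the inline <tls-auth> block in client config $1 is byte-identical to the
# server's ta.key $2. The client config embeds the key with key-direction 1, so
# the server must keep using the same file.
client_tls_auth_matches() {
  sed -n '/^<tls-auth>$/,/^<\/tls-auth>$/p' "$1" | sed '1d;$d' > "$WORK/client-ta.key"
  cmp -s "$WORK/client-ta.key" "$2"
}

# Constructed inputs: a fake static key (NOT a real OpenVPN key, just two hex
# lines) and a client config using the directives from the question.
build_sample_inputs() {
  mkdir -p "$WORK/old" "$WORK/client"
  printf -- '-----BEGIN OpenVPN Static key V1-----\n%s\n%s\n-----END OpenVPN Static key V1-----\n' \
    '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff' \
    'ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100' > "$WORK/old/ta.key"
  {
    printf 'client\ntls-client\ndev tun\nproto tcp-client\nremote ip_add-server 1194\n'
    printf 'remote-cert-tls server\nauth-user-pass\nkey-direction 1\n<tls-auth>\n'
    cat "$WORK/old/ta.key"
    printf '</tls-auth>\n'
  } > "$WORK/client/client.ovpn"
}

run_demo() {
  build_sample_inputs
  make_toy_ca "$WORK/old"                         # the CA the clients already trust
  make_toy_ca "$WORK/other"                       # a CA the clients do NOT trust
  issue_server_cert "$WORK/old"   "$WORK/new"     # new server cert signed by the old CA
  issue_server_cert "$WORK/other" "$WORK/fresh"   # "native" cert from a brand-new CA
  verify_against_client_ca "$WORK/old/ca.crt" "$WORK/new/server.crt"   && echo "new server.crt: accepted by clients' ca.crt"
  verify_against_client_ca "$WORK/old/ca.crt" "$WORK/fresh/server.crt" || echo "fresh-CA server.crt: rejected by clients' ca.crt"
  valid_for_days "$WORK/new/server.crt" 30 && echo "new server.crt: valid for at least 30 more days"
  client_tls_auth_matches "$WORK/client/client.ovpn" "$WORK/old/ta.key" && echo "client tls-auth key matches server ta.key"
}
run_demo
```

In production, point make_toy_ca's outputs at the real ca.key/ca.crt from the old server instead of creating a CA, and run the verify and tls-auth checks against the new server's server.crt and ta.key and one of the users' actual .ovpn files before changing the DNS or IP that clients connect to.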

CityCat4, 2021-12-21
@CityCat4

I had to replace the files

Well, of course. Otherwise you would have to send notifications to everyone: dudes, download the new server certificate and swap it in.
I don't know why ta.key and dh.pem could not be changed; let the new instance generate a new constant for itself. But server.crt and server.key were correctly replaced. ca.crt is just the root certificate file.

Drno, 2021-12-21
@Drno

Just transfer the old certificates to the new server.
Then change the DNS entry.
That's all.
