Hello,
I'm trying to create a new client (certificate) using only the openssl command, for learning purposes.
I used the following commands:
# create private key
openssl genrsa -aes256 -out client01.key 2048
# generate csr
openssl req -new -key client01.key -out client01.csr
# sign
openssl x509 -req -days 365 -in client01.csr -signkey client01.key -out client01.crt
I got the following files from the ovpn server:
- ca.key
- ca.crt
- ta.key
and ran the script to generate the ovpn file:
USER=client01
cat <(echo -e 'client') \
<(echo -e 'proto udp') \
<(echo -e 'dev tun') \
<(echo -e 'remote xx.xxx.xx.xx 1194' ) \
<(echo -e 'resolv-retry infinite') \
<(echo -e 'nobind') \
<(echo -e 'persist-key') \
<(echo -e 'persist-tun') \
<(echo -e 'remote-cert-tls server') \
<(echo -e 'key-direction 1') \
<(echo -e 'cipher AES-256-GCM') \
<(echo -e 'auth SHA256') \
<(echo -e 'verb 3') \
<(echo -e '<ca>') \
ca.crt \
<(echo -e '</ca>\n<cert>') \
${USER}.crt \
<(echo -e '</cert>\n<key>') \
${USER}.key \
<(echo -e '</key>\n<tls-auth>') \
ta.key \
<(echo -e '</tls-auth>') \
> ${USER}.ovpn
On the client I try to connect and get the following log:
2024-10-30 22:33:36 OpenVPN 2.5.11 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 17 2024
2024-10-30 22:33:36 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
🔐 Enter Private Key Password: ******
2024-10-30 22:33:39 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-10-30 22:33:39 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-10-30 22:33:39 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2024-10-30 22:33:39 TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.xx.xx:1194
2024-10-30 22:33:39 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-10-30 22:33:39 UDP link local: (not bound)
2024-10-30 22:33:39 UDP link remote: [AF_INET]xx.xxx.xx.xx:1194
2024-10-30 22:33:39 TLS: Initial packet from [AF_INET]xx.xxx.xx.xx:1194, sid=c7af0d20 62301f9f
2024-10-30 22:33:39 VERIFY OK: depth=1, CN=CA
2024-10-30 22:33:39 VERIFY KU OK
2024-10-30 22:33:39 Validating certificate extended key usage
2024-10-30 22:33:39 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-10-30 22:33:39 VERIFY EKU OK
2024-10-30 22:33:39 VERIFY OK: depth=0, CN=vpn_server
On the server:
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
xx.xxx.xx.xx:46580 TLS Error: Unroutable control packet received from [AF_INET]xx.xxx.xx.xx:46580 (si=3 op=P_CONTROL_V1)
Is it possible to create a client certificate for use in OpenVPN using openssl? Let me know what I am doing wrong.
Thanks,
Best regards
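Independent of what the server logs, the three commands as posted end with `openssl x509 -req ... -signkey client01.key`, which produces a certificate self-signed with the client's own key; a certificate issued that way does not chain to the ca.crt that the OpenVPN server trusts, and it carries no clientAuth extended key usage. The script below is an added example and not part of the original post or of OpenVPN or OpenSSL: it shows the CA-signed variant with plain openssl (`-CA ca.crt -CAkey ca.key` plus an extension file) and the two checks an operator can run locally before packaging the .ovpn file, namely that the certificate verifies against ca.crt and that it carries the TLS Web Client Authentication EKU. To run offline it builds a throwaway CA in a temporary directory (a constructed stand-in for the ca.key/ca.crt obtained from the server) and leaves the client key unencrypted so nothing prompts; the minimal req config and the file names are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: issue an OpenVPN client
# certificate with plain openssl by signing the CSR with the CA key, then check
# it the way the server will (does it chain to ca.crt? does it carry clientAuth?).
set -eu

# Minimal req config so the commands run non-interactively on any host
# (assumption: no system openssl.cnf is relied on).
write_req_config() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' \
        '[v3_ca]' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$1/req.cnf"
}

# Throwaway CA so the example runs offline. In the real setup these would be the
# ca.key / ca.crt obtained from the OpenVPN server (constructed stand-in here).
make_demo_ca() {
    local dir="$1"
    write_req_config "$dir" &&
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -subj "/CN=CA" \
        -config "$dir/req.cnf" -out "$dir/ca.crt" 2>/dev/null
}

# Client key + CSR, then sign the CSR with the CA (-CA/-CAkey), not with the
# client's own key. The extfile adds the clientAuth EKU that a server running
# "remote-cert-tls client" looks for. The key is left unencrypted only so the
# demo is non-interactive; "genrsa -aes256" as in the post prompts for a passphrase.
issue_client_cert() {
    local dir="$1" name="$2"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -config "$dir/req.cnf" -out "$dir/$name.csr" 2>/dev/null &&
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        'extendedKeyUsage = clientAuth' > "$dir/client.ext" &&
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$name.crt" 2>/dev/null
}

# The variant from the post, kept for comparison: -signkey with the client key
# produces a self-signed certificate that no CA vouches for.
issue_self_signed() {
    local dir="$1" name="$2"
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -config "$dir/req.cnf" -out "$dir/$name.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# 0 if the certificate chains to ca.crt (the check the server performs), else non-zero.
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# 0 if the certificate carries the TLS Web Client Authentication EKU.
# Output is captured into a variable rather than piped, so no SIGPIPE surprises.
has_client_eku() {
    local text
    text=$(openssl x509 -in "$1/$2" -noout -text 2>/dev/null) || return 1
    case "$text" in
        *"TLS Web Client Authentication"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: the CA-signed cert passes both checks, the self-signed one
# fails verification against ca.crt.
demo() {
    local dir c
    dir=$(mktemp -d)
    make_demo_ca "$dir"
    issue_client_cert "$dir" client01
    issue_self_signed "$dir" client02
    for c in client01 client02; do
        if chains_to_ca "$dir" "$c.crt"; then
            echo "$c.crt: chains to ca.crt"
        else
            echo "$c.crt: does NOT chain to ca.crt"
        fi
        if has_client_eku "$dir" "$c.crt"; then
            echo "$c.crt: has clientAuth EKU"
        else
            echo "$c.crt: no clientAuth EKU"
        fi
    done
    rm -rf "$dir"
}

# Only run the demo where openssl is installed.
command -v openssl >/dev/null 2>&1 && demo
```

With the real ca.key and ca.crt from the server in place, only `issue_client_cert` and the two check functions are needed; `make_demo_ca` exists solely to make the example self-contained. The same `openssl verify -CAfile ca.crt client01.crt` check is worth running on any client certificate before it is pasted between the `<cert>` tags of the .ovpn file.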