content:en_us:7_ug_openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
content:en_us:7_ug_openvpn [2020/03/25 08:16] 84.9.57.48 |
content:en_us:7_ug_openvpn [2020/03/25 11:45] 84.9.57.48 |
||
|---|---|---|---|
| Line 127: | Line 127: | ||
| ===== Revoking Certificates ===== | ===== Revoking Certificates ===== | ||
| Currently this is a manual process. Start by initialising the file /etc/pki/CA/crlnumber:<code>echo 1000 > /etc/pki/CA/crlnumber</code> | Currently this is a manual process. Start by initialising the file /etc/pki/CA/crlnumber:<code>echo 1000 > /etc/pki/CA/crlnumber</code> | ||
| - | Create a file in /etc/cron.monthly. I used /etc/cron.monthly/openssl_crl. In it put:<code>openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf \ | + | Create a file in /etc/cron.monthly. I used /etc/cron.monthly/openssl_crl. In it put:<code>openssl ca -gencrl -crldays 45 -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -out /etc/pki/CA/crl/crl.pem > /dev/null 2>&1</code>And make the file executable:<code>chmod 0744 /etc/cron.monthly/openssl_crl</code>Then execute the file:<code>/etc/cron.monthly/openssl_crl</code>You should now find you have a file /etc/pki/CA/crl/crl.pem. |
| - | -out /etc/pki/CA/crl/crl.pem \ | + | |
| - | -keyfile /etc/pki/CA/private/ca-key.pem \ | + | |
| - | -cert /etc/pki/CA/ca-cert.pem > /dev/null 2>&1</code>And make the file executable:<code>chmod 0744 /etc/cron.monthly/openssl_crl</code>Then execute the file:<code>/etc/cron.monthly/openssl_crl</code>You should now find you have a file /etc/pki/CA/crl/crl.pem. | + | |
| To revoke a certificate, find the file name in /etc/pki/CA. It should be in the form client-{username}-cert.pem and revoke it and regenerate the crl.pem with:<code>openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-{username}-cert.pem | To revoke a certificate, find the file name in /etc/pki/CA. It should be in the form client-{username}-cert.pem and revoke it and regenerate the crl.pem with:<code>openssl ca -config /usr/clearos/apps/certificate_manager/deploy/openssl.cnf -revoke /etc/pki/CA/client-{username}-cert.pem | ||
| Line 407: | Line 404: | ||
| <note tip> | <note tip> | ||
| - | If it shows as 'Connected' but authentication fails, you've used an incorrect password. Just reenter the correct password and it should connect correctly.\\ | + | If it shows as 'Connected' but authentication fails, you've used an incorrect password. Just re-enter the correct password and it should connect correctly.\\ |
| If it shows as 'Connected' at this point, you'll know your configuration file was assembled correctly.\\ | If it shows as 'Connected' at this point, you'll know your configuration file was assembled correctly.\\ | ||
| If it doesn't connect, you'll receive an error. You should then recheck your configuration file for errors. | If it doesn't connect, you'll receive an error. You should then recheck your configuration file for errors. | ||
| Line 442: | Line 439: | ||
| <note info>This section is only relevant to OpenVPN in Gateway mode. In standalone mode all OpenVPN packets will appear to come from the ClearOS IP and not the OpenVPN subnet</note> | <note info>This section is only relevant to OpenVPN in Gateway mode. In standalone mode all OpenVPN packets will appear to come from the ClearOS IP and not the OpenVPN subnet</note> | ||
| - | Sometimew you will find you cannot ping a Windows device or connect to it through the tunnel. If this is the case, please check the Windows firewall. In many cases it is set by default to only allow in traffic from the local subnet and the OpenVPN subnet (default 10.8.0.0/24) does not count as local. As an example, in the Windows firewall, look at the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule and its "Scope" tab. You will see it only allows the "Remote IP address" to be "Local subnet" by default. You may need to modify those rules or create a blanket rule to also allow all traffic from the OpenVPN subnet. | + | Sometimes you will find you cannot ping a Windows device or connect to it through the tunnel. If this is the case, please check the Windows firewall. In many cases it is set by default to only allow in traffic from the local subnet and the OpenVPN subnet (default 10.8.0.0/24) does not count as local. As an example, in the Windows firewall, look at the "File and Printer Sharing (Echo Request - ICMPv4-In)" rule and its "Scope" tab. You will see it only allows the "Remote IP address" to be "Local subnet" by default. You may need to modify those rules or create a blanket rule to also allow all traffic from the OpenVPN subnet. |
| It may also be possible to change the settings via Group Policies - see under Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Standard Profile or Domain Profile depending on your environment. | It may also be possible to change the settings via Group Policies - see under Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Standard Profile or Domain Profile depending on your environment. | ||
content/en_us/7_ug_openvpn.txt · Last modified: 2021/03/31 10:14 by 84.9.57.48