-rw-r--r-- | openvpn.8 | 14 | ||||
-rw-r--r-- | push.c | 6 | ||||
-rw-r--r-- | sample-config-files/loopback-client | 2 | ||||
-rw-r--r-- | sample-config-files/loopback-server | 2 | ||||
-rw-r--r-- | sample-keys/README | 2 | ||||
-rw-r--r-- | sample-keys/ca.crt (renamed from sample-keys/tmp-ca.crt) | 0 | ||||
-rw-r--r-- | sample-keys/ca.key (renamed from sample-keys/tmp-ca.key) | 0 |
7 files changed, 13 insertions, 13 deletions
@@ -3363,15 +3363,15 @@ certificate. This file can have multiple certificates in .pem format, concatenated together. You can construct your own certificate authority certificate and private key by using a command such as: -.B openssl req -nodes -new -x509 -keyout tmp-ca.key -out tmp-ca.crt +.B openssl req -nodes -new -x509 -keyout ca.key -out ca.crt Then edit your openssl.cnf file and edit the .B certificate variable to point to your new root certificate -.B tmp-ca.crt. +.B ca.crt. For testing purposes only, the OpenVPN distribution includes a sample -CA certificate (tmp-ca.crt). +CA certificate (ca.crt). Of course you should never use the test certificates and test keys distributed with OpenVPN in a production environment, since by virtue of the fact that @@ -5001,9 +5001,9 @@ Diffie Hellman parameters (see above where .B --dh is discussed for more info). You can also use the included test files client.crt, client.key, -server.crt, server.key and tmp-ca.crt. +server.crt, server.key and ca.crt. The .crt files are certificates/public-keys, the .key -files are private keys, and tmp-ca.crt is a certification +files are private keys, and ca.crt is a certification authority who has signed both client.crt and server.crt. For Diffie Hellman parameters you can use the included file dh1024.pem. 
@@ -5011,11 +5011,11 @@ parameters you can use the included file dh1024.pem. .LP On may: .IP -.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca tmp-ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5 +.B openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --tls-client --ca ca.crt --cert client.crt --key client.key --reneg-sec 60 --verb 5 .LP On june: .IP -.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca tmp-ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5 +.B openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --tls-server --dh dh1024.pem --ca ca.crt --cert server.crt --key server.key --reneg-sec 60 --verb 5 .LP Now verify the tunnel is working by pinging across the tunnel. .LP @@ -273,12 +273,12 @@ remove_iroutes_from_push_route_list (struct options *o) if (parse_line (line, p, SIZE (p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ - if (p[0] && p[1] && p[2] && !strcmp (p[0], "route")) + if (p[0] && !strcmp (p[0], "route") && !p[3]) { /* get route parameters */ bool status1, status2; const in_addr_t network = getaddr (GETADDR_HOST_ORDER, p[1], 0, &status1, NULL); - const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2], 0, &status2, NULL); + const in_addr_t netmask = getaddr (GETADDR_HOST_ORDER, p[2] ? p[2] : "255.255.255.255", 0, &status2, NULL); /* did route parameters parse correctly? */ if (status1 && status2) @@ -288,7 +288,7 @@ remove_iroutes_from_push_route_list (struct options *o) /* does route match an iroute? */ for (ir = o->iroutes; ir != NULL; ir = ir->next) { - if (network == ir->network && netmask == netbits_to_netmask (ir->netbits)) + if (network == ir->network && netmask == netbits_to_netmask (ir->netbits >= 0 ? ir->netbits : 32)) { copy = false; break; 
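Review bot: The rewritten guard in the `@@ -273` hunk of push.c drops the old `p[1]` check, so a pushed `route` line with no network argument now passes the condition with `p[1] == NULL` and that NULL is handed straight to `getaddr` on the next line. Whether getaddr tolerates a NULL hostname is not visible here, but nothing in the hunk guards it, and the old code did. Keeping the optional-netmask behaviour while requiring the network is a one-token change: `if (p[0] && p[1] && !strcmp (p[0], "route") && !p[3])`. The enclosing remove_iroutes_from_push_route_list starts and ends outside the hunk.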
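Review bot: The `@@ -288` hunk of push.c hard-codes `32` as the substitute for a negative `ir->netbits`, while the `@@ -273` hunk spells the same host-route default as the string `"255.255.255.255"`; the two encodings of one assumption are easy to drift apart. A short comment at the compare would make the intent explicit, e.g. `/* netbits < 0 presumably marks a host iroute; treat it as /32 to match the "255.255.255.255" default above */`, and if iroute parsing has a named constant for the host case it should be used in both places. The loop body continues outside the hunk.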
diff --git a/sample-config-files/loopback-client b/sample-config-files/loopback-client
index 9db2877..5499763 100644
--- a/sample-config-files/loopback-client
+++ b/sample-config-files/loopback-client
@@ -17,7 +17,7 @@ dev null
verb 3
reneg-sec 10
tls-client
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
key sample-keys/client.key
cert sample-keys/client.crt
cipher DES-EDE3-CBC
diff --git a/sample-config-files/loopback-server b/sample-config-files/loopback-server
index 18bbbeb..d9fe506 100644
--- a/sample-config-files/loopback-server
+++ b/sample-config-files/loopback-server
@@ -18,7 +18,7 @@ verb 3
reneg-sec 10
tls-server
dh sample-keys/dh1024.pem
-ca sample-keys/tmp-ca.crt
+ca sample-keys/ca.crt
key sample-keys/server.key
cert sample-keys/server.crt
cipher DES-EDE3-CBC
diff --git a/sample-keys/README b/sample-keys/README
index dd5c25c..1cd473a 100644
--- a/sample-keys/README
+++ b/sample-keys/README
@@ -7,7 +7,7 @@ NOTE: THESE KEYS ARE FOR TESTING PURPOSES ONLY. DON'T USE THEM FOR ANY REAL WORK BECAUSE THEY ARE TOTALLY INSECURE!
-tmp-ca.{crt,key} -- sample CA key/cert
+ca.{crt,key} -- sample CA key/cert
client.{crt,key} -- sample client key/cert
server.{crt,key} -- sample server key/cert (nsCertType=server)
pass.{crt,key} -- sample client key/cert with password-encrypted key
diff --git a/sample-keys/tmp-ca.crt b/sample-keys/ca.crt
index e063ccc..e063ccc 100644
--- a/sample-keys/tmp-ca.crt
+++ b/sample-keys/ca.crt
diff --git a/sample-keys/tmp-ca.key b/sample-keys/ca.key
index b4bf792..b4bf792 100644
--- a/sample-keys/tmp-ca.key
+++ b/sample-keys/ca.key |