OpenVPN 2 Cookbook Errata

No book is free of errors, and my cookbook is no exception. Here is a list of known errata. If you think you've found an error in my cookbook then please let me know!

Chapter 1, recipe 'Shortest setup possible'

In the "There's more..." section of this chapter a 'TCP protocol' setup is given. The client-side command of this setup is missing a part. The correct client-side command is
    openvpn --ifconfig 10.200.0.2 10.200.0.1 --dev tun --proto tcp-client --remote openvpnserver
i.e. the --remote openvpnserver part is missing.

Chapter 1, recipe 'Plaintext tunnel'

The tcpdump command listed to view the tunnel traffic contains an error. The correct command is
    tcpdump -l -w - -i eth0 -s 0 host openvpnserver | strings
as is shown in the screenshot 'Example1-5'.

Chapter 2, recipe 'Proxy ARP'

The server configuration file listed in this recipe uses the wrong IP subnet for the server directive. The correct server configuration is listed here:
    proto udp
    port 1194
    dev tun
    
    server 10.198.1.128 255.255.255.128
    
    ca       /etc/openvpn/cookbook/ca.crt
    cert     /etc/openvpn/cookbook/server.crt
    key      /etc/openvpn/cookbook/server.key
    dh       /etc/openvpn/cookbook/dh1024.pem
    tls-auth /etc/openvpn/cookbook/ta.key 0
    
    persist-key
    persist-tun
    keepalive 10 60
    
    topology subnet
    push "route 10.198.0.0 255.255.0.0"
    
    user  nobody
    group nobody
    
    daemon
    log-append /var/log/openvpn.log
    
    script-security 2
    client-connect /etc/openvpn/cookbook/proxyarp-connect.sh
    client-disconnect /etc/openvpn/cookbook/proxyarp-disconnect.sh

Chapter 3, recipe 'Simple configuration - non-bridged'

The iptables masquerading rule listed on page 71 is not correct. The correct rule is
    iptables -t nat -I POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
i.e. the -i tap+ part needs to be removed.

Chapter 4, recipe 'Intermediary CAs'

In the "There's more..." section of this chapter I state that you can stack CRLs just like CA certificates. Unfortunately, this is not true. You can either use the --capath directory (the next recipe in the book) or you can use the following tls-verify script to check a list of CRLs:
    #!/bin/bash
    
    # tls-verify script: OpenVPN calls it as  <script> <depth> <X509 subject>
    # and exports the certificate chain in the tls_id_N / tls_serial_N variables.
    CRL_LIST="ca.crl subca.crl"
    
    [ $# -lt 2 ] && exit 1
    
    # if the depth is non-zero, continue processing
    [ "$1" -ne 0 ] && exit 0
    
    # we're at the last certificate in the chain, now verify it against the CRLs
    for crl in $CRL_LIST
    do
        crl_text=`openssl crl -text -noout -in "$crl"`
        # the CRL issuer in OpenSSL's one-line format, with spaces replaced
        # by underscores so that it compares equal to OpenVPN's tls_id_1
        crl_issuer=`echo "$crl_text" | sed -n '/Issuer/s/[[:space:]]*Issuer: //p' | sed 's/ /_/g'`
    #    echo "crl_issuer=[$crl_issuer]"
    
        if [ "$tls_id_1" = "$crl_issuer" ]
        then
            # OpenVPN 2.1 does not handle serial numbers very well
            # In 2.2.1+ you can just use
            #   text_to_look_for="Serial Number: $tls_serial_0"
            if [ "$tls_serial_0" -eq 0 ] 2> /dev/null
            then
                text_to_look_for="Serial Number: 00"
            else
                # openssl prints a revoked serial as hex, two digits per byte,
                # without leading zero bytes; convert the decimal serial the
                # same way. Check printf's exit status on its own: after a
                # pipeline $? would only report the status of sed.
                serial_hex=`printf "%08X" "$tls_serial_0" 2> /dev/null`
                if [ $? -eq 0 ]
                then
                    text_to_look_for="Serial Number: "`echo "$serial_hex" | sed 's/^\(00\)*//'`
                else
                    text_to_look_for="Serial Number: $tls_serial_0"
                fi
            fi
     #       echo "$crl_text" | grep "$text_to_look_for"
            # anchor the match on the whole line, otherwise "Serial Number: 01"
            # would also match a revoked certificate with serial 0100
            if echo "$crl_text" | grep "^[[:space:]]*$text_to_look_for[[:space:]]*\$" > /dev/null
            then
                echo "$crl: Certificate revoked, denying access"
                exit 1
            fi
        fi
    done
    
    exit 0
You can also download it here.
To use this script, add
    script-security 2
    tls-verify /etc/openvpn/cookbook/verify-crls.sh
to the server configuration file. You should still use the root CA crl file (ca.crl) to check for revoked intermediary CAs.

NOTE This script will not work in combination with OpenVPN 2.1 and long serial numbers (e.g. 83:d5:81:75:e3:a8:50:0b:5e:1a:78:75:c6:3c:b1:7a), because such serial numbers are not correctly supported by OpenVPN 2.1; in OpenVPN 2.2.1+ this is fixed.
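The serial-number conversion is the part of such a tls-verify script that is easiest to get wrong, because tls_serial_0 is a decimal number while 'openssl crl -text' prints revoked serials as uppercase hex with two digits per byte (0 as "00", 1 as "01", 256 as "0100"). The following shell functions are an added example, not code from the cookbook or the script above: they isolate that conversion and the anchored CRL lookup so they can be checked offline. The CRL text is a constructed sample shaped like 'openssl crl -text -noout' output, and the function names are my own.

```shell
#!/bin/sh
# Added example: convert OpenVPN's decimal tls_serial_0 into the form that
# 'openssl crl -text' prints for revoked certificates, and look it up in
# CRL text without substring false positives.

# Decimal serial -> uppercase hex, even number of digits, no leading zero
# bytes. Returns 1 when printf cannot parse the serial (e.g. the long
# colon-separated serials OpenVPN 2.1 exports).
serial_to_crl_hex() {
    hex=$(printf '%X' "$1" 2>/dev/null) || return 1
    # one byte is two hex digits, so pad an odd-length string on the left
    if [ $(( ${#hex} % 2 )) -eq 1 ]
    then
        hex="0$hex"
    fi
    # drop leading zero bytes; a serial of 0 prints as a single "00"
    hex=$(printf '%s' "$hex" | sed 's/^\(00\)*//')
    [ -z "$hex" ] && hex="00"
    printf '%s\n' "$hex"
}

# Return 0 if the CRL text in $1 lists the hex serial $2 as revoked.
# The match is anchored on the whole line so that "01" does not match
# a revoked certificate with serial "0100".
crl_lists_serial() {
    printf '%s\n' "$1" \
        | grep -E "^[[:space:]]*Serial Number: $2[[:space:]]*\$" > /dev/null
}

# Return 0 if the decimal serial $2 is revoked according to CRL text $1,
# 1 if it is not listed, 2 if the serial could not be converted.
is_revoked() {
    hex=$(serial_to_crl_hex "$2") || return 2
    crl_lists_serial "$1" "$hex"
}

# Constructed sample in the shape of 'openssl crl -text -noout' output,
# with two revoked certificates: serial 0x0100 (256) and 0x1000 (4096).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=NL/O=Cookbook/CN=Cookbook CA
        Last Update: Jan 31 00:00:00 2019 GMT
        Next Update: Mar  2 00:00:00 2019 GMT
Revoked Certificates:
    Serial Number: 0100
        Revocation Date: Jan 30 00:00:00 2019 GMT
    Serial Number: 1000
        Revocation Date: Jan 30 00:00:00 2019 GMT
    Signature Algorithm: sha256WithRSAEncryption'

# Walk a few serials through the lookup: 1 must not be reported as
# revoked even though "01" is a prefix of "0100".
for serial in 0 1 256 4096
do
    if is_revoked "$SAMPLE_CRL_TEXT" "$serial"
    then
        echo "serial $serial ($(serial_to_crl_hex "$serial")): revoked"
    else
        echo "serial $serial ($(serial_to_crl_hex "$serial")): not listed"
    fi
done
```

In a real tls-verify script the CRL text comes from 'openssl crl -text -noout -in <file>' and the serial from the tls_serial_0 environment variable; the functions above do not depend on either, which is what makes them testable outside OpenVPN.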
Comments to Jan Just Keijser | IP = 54.172.234.236 | lastmod = 31/01/2019 03:21:24