OpenVPN 2 Cookbook Errata

No book is free of errors, and my cookbook is no exception. Here is a list of known errata. If you think you've found an error in my cookbook then please let me know!

Chapter 1, recipe 'Shortest setup possible'

In the "There's more..." section of this chapter a 'TCP protocol' setup is given. The client side command of this setup is missing a line. The correct client-side command is
    openvpn --ifconfig --dev tun --proto tcp-client --remote openvpnserver
i.e. the --remote openvpnserver part is missing.

Chapter 1, recipe 'Plaintext tunnel'

The tcpdump command listed to view the tunnel traffic contains an error. The correct command is
    tcpdump -l -w - -i eth0 -s 0 host openvpnserver | strings
as is shown in the screenshot 'Example1-5'.

Chapter 2, recipe 'Proxy ARP'

The server configuration file listed in this recipe uses the wrong IP subnet for the server directive. The correct server configuration is listed here:
    proto udp
    port 1194
    dev tun
    ca       /etc/openvpn/cookbook/ca.crt
    cert     /etc/openvpn/cookbook/server.crt
    key      /etc/openvpn/cookbook/server.key
    dh       /etc/openvpn/cookbook/dh1024.pem
    tls-auth /etc/openvpn/cookbook/ta.key 0
    keepalive 10 60
    topology subnet
    push "route"
    user  nobody
    group nobody
    log-append /var/log/openvpn.log
    script-security 2
    client-connect /etc/openvpn/cookbook/
    client-disconnect /etc/openvpn/cookbook/

Chapter 3, recipe 'Simple configuration - non-bridged'

The iptables masquerading rule listed on page 71 is not correct. The correct rule is
    iptables -t nat -I POSTROUTING -o eth0 -s -j MASQUERADE
i.e. the -i tap+ part needs to be removed.

Chapter 4, recipe 'Intermediary CAs'

In the "There's more..." section of this chapter I state that you can stack CRLs just like CA certificates. Unfortunately, this is not true. You can either use the --capath directory (the next recipe in the book) or you can use the following tls-verify script to check a list of CRLs:
    #!/bin/sh
    # tls-verify script: OpenVPN calls it with two arguments, the certificate
    # depth ($1) and the X.509 subject ($2); tls_id_1 and tls_serial_0 come from
    # the environment OpenVPN sets up.
    CRL_LIST="ca.crl subca.crl"
    [ $# -lt 2 ] && exit 1
    # if the depth is non-zero , continue processing
    [ "$1" -ne 0 ] && exit 0
    # we're at the last certificate in the chain, now verify it against the CRLs
    for crl in $CRL_LIST
    do
        crl_text=`openssl crl -text -noout -in $crl`
        # issuer of the CRL, with spaces replaced by '_' as OpenVPN does in tls_id_*
        crl_issuer=`echo "$crl_text" | sed -n '/Issuer/s/[ 	]*Issuer: //p' | sed 's/ /_/g'`
    #    echo "crl_issuer=[$crl_issuer]"
        # only CRLs issued by the client certificate's issuer are relevant
        if [ "$tls_id_1" = "$crl_issuer" ]
        then
            # OpenVPN 2.1 does not handle serial numbers very well
            # In 2.2.1+ you can just use
            #   text_to_look_for="Serial Number: $tls_serial_0"
            if [ $tls_serial_0 -eq 0 ]
            then
                text_to_look_for="Serial Number: 00"
            else
                text_to_look_for=`printf "Serial Number: %08X\n" $tls_serial_0 2> /dev/null | sed 's/00//g'`
                # note: $? is the status of the last command in the pipeline (sed)
                if [ $? -ne 0 ]
                then
                    text_to_look_for="Serial Number: $tls_serial_0"
                fi
            fi
     #       echo "$crl_text" | grep "$text_to_look_for"
            if echo "$crl_text" | grep "$text_to_look_for" > /dev/null
            then
                echo "$crl: Certificate revoked, denying access"
                exit 1
            fi
        fi
    done
    exit 0
You can also download it here.
To use this script, add
    script-security 2
    tls-verify /etc/openvpn/cookbook/
to the server configuration file. You should still use the root CA crl file (ca.crl) to check for revoked intermediary CAs.

NOTE This script will not work in combination with OpenVPN 2.1 and long serial numbers (e.g. 83:d5:81:75:e3:a8:50:0b:5e:1a:78:75:c6:3c:b1:7a), because such serial numbers are not correctly supported by OpenVPN 2.1; in OpenVPN 2.2.1+ this is fixed.
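The same issuer-and-serial check as an added Python example, not the book's or OpenVPN's own code: it parses the `openssl crl -text -noout` output of each CRL and compares revoked serials as integers instead of by substring match, so the serial-formatting workaround above is not needed. The CRL text and the issuer name are constructed samples; tls_id_1 and tls_serial_0 are assumed to arrive in the form OpenVPN 2.2 exports them (slash-separated name with underscores for spaces, serial in decimal).

```python
import re

# Constructed sample of `openssl crl -text -noout` output; not a real CRL.
# Issuer is in the slash-separated form OpenVPN 2.1/2.2 also uses for tls_id_*.
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=NL/O=Cookbook/CN=Cookbook Sub CA
        Last Update: Jan 30 12:00:00 2019 GMT
        Next Update: Mar  1 12:00:00 2019 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jan 30 11:00:00 2019 GMT
    Serial Number: 83D58175E3A8500B5E1A7875C63CB17A
        Revocation Date: Jan 30 11:30:00 2019 GMT
"""

def crl_issuer(crl_text):
    """Issuer of the CRL, spaces replaced by '_' as OpenVPN does in tls_id_*."""
    m = re.search(r"^\s*Issuer:\s*(.+?)\s*$", crl_text, re.M)
    if m is None:
        raise ValueError("no Issuer line in CRL text")
    return m.group(1).replace(" ", "_")

def revoked_serials(crl_text):
    """Set of revoked serial numbers as integers (openssl prints them in hex)."""
    found = re.findall(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", crl_text, re.M)
    return {int(s.replace(":", ""), 16) for s in found}

def verify_against_crls(depth, tls_id_1, tls_serial_0, crls):
    """Exit status a tls-verify script would return: 0 = accept, 1 = deny.
    depth, tls_id_1 and tls_serial_0 mirror what OpenVPN hands the script;
    crls maps a CRL file name to its `openssl crl -text` output."""
    if depth != 0:
        return 0  # only the leaf certificate is checked here
    serial = int(tls_serial_0)  # OpenVPN exports tls_serial_0 in decimal
    for name, text in crls.items():
        if crl_issuer(text) != tls_id_1:
            continue  # CRL issued by a different CA: not relevant to this client
        if serial in revoked_serials(text):
            print("%s: Certificate revoked, denying access" % name)
            return 1
    return 0

if __name__ == "__main__":
    issuer = "/C=NL/O=Cookbook/CN=Cookbook_Sub_CA"
    print(verify_against_crls(0, issuer, "2", {"subca.crl": SAMPLE_CRL_TEXT}))  # 1
```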
Comments to Jan Just Keijser | lastmod = 31/01/2019 03:21:24