OpenVPN 2 Cookbook Errata
No book is free of errors, and my cookbook is no exception. Here is a list of known errata.
If you think you've found an error in my cookbook then please let me know!
Chapter 1, recipe 'Shortest setup possible'
In the "There's more..." section of this chapter a 'TCP protocol' setup is given. The client
side command of this setup is missing a line. The correct client-side command command is
openvpn --ifconfig 10.200.0.2 10.200.0.1 --dev tun --proto tcp-client --remote openvpnserver
i.e. the --remote openvpnserver part is missing.
Chapter 1, recipe 'Plaintext tunnel'
The tcpdump command listed to view the tunnel traffic contains an error. The correct
tcpdump -l -w - -i eth0 -s 0 host openvpnserver | strings
as is shown in the screenshot 'Example1-5'.
Chapter 2, recipe 'Proxy ARP'
The server configuration file listed in this recipe uses the wrong IP subnet for the server
directive. The correct server configuration is listed here:
server 10.198.1.128 255.255.255.128
tls-auth /etc/openvpn/cookbook/ta.key 0
keepalive 10 60
push "route 10.198.0.0 255.255.0.0"
Chapter 3, recipe 'Simple configuration - non-bridged'
The iptables masquerading rule listed on page 71 is not correct.
The correct rule is
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.99.0/24 -j MASQUERADE
i.e. the -i tap+ part needs to be removed.
Chapter 4, recipe 'Intermediary CAs'
In the "There's more..." section of this chapter I state that you can stack CRLs just like
CA certificates. Unfortunately, this is not true. You can either use the --capath
directory (the next recipe in the book) or you can use the following tls-verify
script to check a list of CRLs:
[ $# -lt 2 ] && exit 1
# if the depth is non-zero , continue processing
[ "$1" -ne 0 ] && exit 0
# we're at the last certificate in the chain, now verify it against the CRLs
for crl in $CRL_LIST
crl_text=`openssl crl -text -noout -in $crl`
crl_issuer=`echo "$crl_text" | sed -n '/Issuer/s/[ ]*Issuer: //p' | sed 's/ /_/g'`
# echo "crl_issuer=[$crl_issuer]"
if [ "$tls_id_1" = "$crl_issuer" ]
# OpenVPN 2.1 does not handle serial numbers very well
# In 2.2.1+ you can just use
# text_to_look_for="Serial Number: $tls_serial_0"
if [ $tls_serial_0 -eq 0 ]
text_to_look_for="Serial Number: 00"
text_to_look_for=`printf "Serial Number: %08X\n" $tls_serial_0 2> /dev/null | sed 's/00//g'`
if [ $? -ne 0 ]
text_to_look_for="Serial Number: $tls_serial_0"
# echo "$crl_text" | grep "$text_to_look_for"
if echo "$crl_text" | grep "$text_to_look_for" > /dev/null
echo "$crl: Certificate revoked, denying access"
You can also download it here.
To use this script, add
to the server configuration file. You should still use the root CA crl file (ca.crl)
to check for revoked intermediary CAs.
NOTE This script will not work in combination with OpenVPN 2.1 and long serial numbers
(e.g. 83:d5:81:75:e3:a8:50:0b:5e:1a:78:75:c6:3c:b1:7a), because such serial numbers
are not correctly supported by OpenVPN 2.1; in OpenVPN 2.2.1+ this is fixed.
Comments to Jan Just Keijser
| IP = 22.214.171.124
| lastmod = 31/01/2019 03:21:24