I start openvpn server with openvpn --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC on my Ubuntu 22.04 Linux Box
I generate the certificates and keys with easycert and copy everything on a Windows 10 client.
The connection doesn't work, and in the syslog I find a lot of
write to TUN/TAP : Invalid argument (code=22)
write to TUN/TAP : Invalid argument (code=22)
...
What's wrong? This is my client configuration file:
client
dev tun
proto udp
remote *MYSERVERIP* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-CBC
The problem is that your server uses comp-lzo adaptive compression default (even if not added to the server.conf file), but client does not have compression enabled at all. So the client is sending uncompressed packets, while the server is expecting a compression header. Pls check a log: /var/log/openvpn/openvpn.log on your server.
To solve the problem pls add this line: comp-lzo adaptive or simply comp-lzo to your client.conf file, because adaptive is the default mode for comp-lzo, so you can omit that.
You can also add the same option to your server.conf file, then you are sure that your server uses the same kind of compression.
Hello if you have a vpn configuration file like .pcf:
1)convert the file format to .conf:
$>pcf2vpnc file.pcf file.conf
2)so you can connect by typing:
$>vpnc ./file.conf
3)and disconnect:
$> vpnc-disconnect
I found this in: https://kifarunix.com/connect-to-cisco-vpn-using-pcf-file-on-ubuntu/
Related
How do I download a proxy's SSL cert and save it to a file using the Linux command line.
It's possible to download an ssl cert via the openssl tool: https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file. But this does not work when behind a corporate proxy that re-writes the SSL cert. I would like to download the proxy's ssl cert. Changing the HOST and PORT to my proxy's host and port does not work either.
Downloading the cert using my browser works but I need to do this in a bash script.
You can only extract certificates from the connection which actually get send inside the connection. Within a MITM proxy the root CA you want to have usually does not get send since it is expected to be installed locally as trusted, similar to a public root CA. And the reason you can extract this MITM CA within your browser is because the browser already has this CA as trusted in the CA store and can thus export it.
As mentioned here, openssl 1.1.0 and above support the -proxy argument so you can get the proxy's certificates with a command like (jcenter.bintray.com is just an example host to connect to)
openssl s_client -showcerts -proxy $https_proxy -connect jcenter.bintray.com:443
Also see this script for a more complete example how to import the certificate(s) to a JVM keystore and the system certificates.
I'm building a mqtt server. I used the mosquitto with the TLS on the server as a broker.
I encountered this problem:
I created the ca.crt, server certificate, server key, client certificate, client key via generate-CA.sh
I can connect the broker and publish and subscribe msg via MQTT.fx, but when I tried to connect the broker with the mosquitto_sub, it came out Error:A TLS error occurred on the client PC(ubuntu), at the same time, the server prints
New connection from xx.xx.xx.xx on port 8883.
Openssl Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Openssl Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
my command used is:
mosquitto_sub -p 8883 -i test -t mqtt -h 150.xx.xx.xx --cafile ca.crt --cert xx.crt --key xx.key in which, the 150.xx.xx.xx is the IP of my broker.
when I used the option --insecure with the command above, the problem disappeared.
so I think it is the server hostname which leads to this problem.
In the mosquitto_sub command the option -h specifies the hostname, but i need to use this parameter to point to the IP address of my broker, so how could i specify the hostname of my server??
Old question but perhaps this might help someone:
If the --insecure option makes it work, you have a certificate problem. What hostname did you set whilst signing the certificate? What does openssl s_client -showcerts -connect 150.xx.xx.xx:8883 say?
Related: although it should be possible to use SSL certs for your servers using public IP addresses (see Is it possible to have SSL certificate for IP address, not domain name?), I'd recommend not doing this and just using DNS, even if this means server.localdomain and/or editing your /etc/hosts file if necessary.
Running ubuntu on EC2 instance. I want to setup Jenkins SSH with my github server, but when I run the command
ssh -vT git#github.com
I receive the following output:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to github.com [192.30.253.113] port 22.
ssh: connect to host github.com port 22: Connection timed out
My ssh key for jenkins is located in the /var/lib/jenkins/.ssh folder, but it looks as if ssh config data is being read in the /etc/ folder
I have added the public SSH key to my github account and have verified that I did so as one line.
What else am I missing?
I came across this Creating SSH keys for Gerrit and Hudson as a potential reason why it is not connecting, but I find it highly unlikely that the last time this occurred for somebody was 5 years ago.
This looks more like a networking issue as you receive a Connection timed out error.
So, first check that you can really connect to the github server, e.g. using nmap or telnet; the output should look like this if networking is ok:
$ telnet github.com 22
Trying 192.30.253.112...
Connected to github.com.
Escape character is '^]'.
SSH-2.0-libssh-0.7.0
ssh keys are usually located in $HOME/.ssh/ (where $HOME is the home directory of the user that runs the Jenkins master) -- the folder /var/lib/jenkins/.ssh looks at least unusal.
The directory /etc/ssh contains system-wide ssh configuration data, it will always be read and is not intended for user-specific configuration items.
Turns out that EC2 doesn't seem to let me connect to github via port 22.
I tested this via Alex O's suggestion that I attempt to telnet into git
My solution:
Use SSH through the HTTPS port
Change the config file for github to
ssh through 443
Profit
Major cred to #AlexO
I'm trying to make LDAP setup using CentOS based OpenLDAP server and MCP Linux based PAM LDAP client.
Without SSL, I'm able to get the user authenticated successfully.
But with SSL('ssl start_tls' in /etc/pam_ldap.conf), I'm unable to get the user authenticated. When I did packet capture at server, I do not see client's HELLO packet.
Also, I'm not interested in server/client certificate verification hence at server I had 'TLSVerifyClient never' and at client I used 'TLS_REQCERT never' in /etc/openldap/ldap.conf(in addition to 'tls_checkpeer no' in /etc/pam_ldap.conf)
With CentOS based PAM LDAP client and with the same client configuration, I'm able to get the user authenticated successfully with the same server.
Can anyone tell me, in which cases SSL client doesn't send 'HELLO' packet ?
Here you go with logs at server:
...
connection_read(13): checking for input on id=1005
tls_read: want=3, got=0
TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
connection_read(13): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=13 for close
....
BTW, I'm trying to connect to client using SSH.
Also, if I use 'openssl s_client -connect my-domain.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/cacert.pem' command at CLIENT, it is sending Client hello packet and is returing the server certificates
Thanks,
Sravani
From 'strace ldapsearch ....' log, I see that
open("/usr/lib/libsoftokn3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
I'll try to get this library for MCP Linux and give it a try again.
Thanks all for your support
I have an app running on port 9100 on a remote server serving http pages. After I ssh into the server I can curl localhost 9100 and I receive the response.
However I am unable to access the same app from the browser using http://ip:9100
I am also unable to telnet from my local PC. How do I debug it? Is there a way to traceroute a particular IP and port combination, to see where it is being blocked?
Any linux tools / commands / utilities will be appreciated.
Thanks,
Murtaza
You can use the default traceroute command for this purpose, then there will be nothing to install.
traceroute -T -p 9100 <IP address/hostname>
The -T argument is required so that the TCP protocol is used instead of UDP.
In the rare case when traceroute isn't available, you can also use ncat.
nc -Czvw 5 <IP address/hostname> 9100
tcptraceroute xx.xx.xx.xx 9100
if you didn't find it you can install it
yum -y install tcptraceroute
or
aptitude -y install tcptraceroute
you can use tcpdump on the server to check if the client even reaches the server.
tcpdump -i any tcp port 9100
also make sure your firewall is not blocking incoming connections.
EDIT: you can also write the dump into a file and view it with wireshark on your client if you don't want to read it on the console.
2nd Edit: you can check if you can reach the port via
nc ip 9100 -z -v
from your local PC.
Firstly, check the IP address that your application has bound to. It could only be binding to a local address, for example, which would mean that you'd never see it from a different machine regardless of firewall states.
You could try using a portscanner like nmap to see if the port is open and visible externally... it can tell you if the port is closed (there's nothing listening there), open (you should be able to see it fine) or filtered (by a firewall, for example).
it can be done by using this command: tcptraceroute -p destination port destination IP. like: tcptraceroute -p 9100 10.0.0.50 but don't forget to install tcptraceroute package on your system. tcpdump and nc by default installed on the system. regards
If you use the 'openssl' tool, this is one way to get extract the CA cert for a particular server:
openssl s_client -showcerts -servername server -connect server:443
The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.
If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.
https://curl.se/docs/sslcerts.html
After getting the certificate use keytool to install it.