openvpn site-to-site tls


#1

Trying TLS for the first time, I am getting an error in VyOS and Vyatta.
As I do not know why, or the consequences of this error, I wonder if there is something I can do.
Using gnomint to generate certificates. Using 4096 for certificates and the dh-file (paranoia about the NSA).
Active point is VyOS:

openvpn vtun1 {
    description casa-intradata
    local-address 10.1.200.85 {
    }
    local-host xxx.xxx.201.100
    local-port 1195
    mode site-to-site
    remote-address 10.1.200.86
    remote-host xxx.xxx.253.9
    remote-port 1195
    tls {
        ca-cert-file /config/auth/mydomain.com.cer
        cert-file /config/auth/casa.mydomain.com.cer
        dh-file /config/auth/dh4096.pem
        key-file /config/auth/casa.mydomain.com.key
        role passive
    }
}

vyos@fw# commit
[ interfaces openvpn vtun1 ]
WARN: could not open database for 4096 bits. Skipped

[edit]
vyos@fw#

Passive point is Vyatta:

openvpn vtun1 {
    description intra-casa
    local-address 10.1.200.86 {
    }
    local-host xxx.xxx.253.9
    local-port 1195
    mode site-to-site
    remote-address 10.1.200.85
    remote-host xxx.xxx.201.100
    remote-port 1195
    tls {
        ca-cert-file /config/auth/mydomain.com.cer
        cert-file /config/auth/intradata.mydomain.com.cer
        key-file /config/auth/intradata.mydomain.com.key
        role active
    }
}

vyatta@R-intra# commit
[ interfaces openvpn vtun1 ]
WARN: could not open database for 4096 bits. Skipped

[edit]
vyatta@R-intra#


#2

It's because there is no blacklist for 4096 bit.

A simple workaround would be

touch /usr/share/openssl-blacklist/blacklist.RSA-4096

Hope this helps you. Good luck.


#3

I googled the error and came across this solution:

> The server initialization script will complain about "WARN: could not open database for 4096 bits. Skipped" and you can work around it by running this command:
>
> touch /usr/share/openssl-blacklist/blacklist.RSA-4096

I think it is a quirk of OpenVPN.
Please provide feedback if you were able to solve the problem.
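Added example for the explanation in #2 and the quoted workaround in #3 (my code, not VyOS/Vyatta code and not written by either poster): it reads the modulus size straight out of the key file, derives the blacklist database the commit-time check tries to open, and reports whether it is there. Assumptions not taken from the thread: the key is a PKCS#1 "RSA PRIVATE KEY" PEM, and databases for other sizes follow the same blacklist.RSA-<bits> naming as the 4096 one shown above.

```python
# Added example, not VyOS/Vyatta code: reproduce the lookup behind the warning
# "could not open database for 4096 bits". Assumed, not stated in the thread: the key
# is a PKCS#1 "RSA PRIVATE KEY" PEM and other sizes use the same blacklist.RSA-<bits> name.
import base64
import os
BLACKLIST_DIR = "/usr/share/openssl-blacklist"

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def rsa_modulus_bits(pem_text):
    """Bit length of the modulus n of a PKCS#1 RSAPrivateKey PEM, without calling OpenSSL."""
    lines = pem_text.strip().splitlines()
    if lines[0].strip() != "-----BEGIN RSA PRIVATE KEY-----":
        raise ValueError("only PKCS#1 'RSA PRIVATE KEY' PEM files are handled here")
    der = base64.b64decode("".join(l.strip() for l in lines[1:-1]))
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = _der_length(der, 1)        # step into the RSAPrivateKey SEQUENCE
    for _ in range(2):                  # INTEGER version, then INTEGER n (tag 0x02)
        length, pos = _der_length(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
    return int.from_bytes(value, "big").bit_length()   # a 0x00 pad byte adds no bits

def blacklist_status(pem_text, blacklist_dir=BLACKLIST_DIR):
    """Which weak-key database the commit-time check opens for this key, and whether it exists.
    A missing file is what produces 'Skipped': the key is then not screened at all."""
    bits = rsa_modulus_bits(pem_text)
    path = os.path.join(blacklist_dir, "blacklist.RSA-%d" % bits)
    return bits, path, os.path.isfile(path)

def _der_len(n):
    """DER length encoding up to 65535 bytes; used only to build the constructed sample."""
    return bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body

def sample_pem(bits):
    """Constructed test input, NOT a usable key: RSAPrivateKey prefix with a modulus of `bits` bits."""
    body = _der_int(0) + _der_int((1 << (bits - 1)) | 1) + _der_int(65537)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % b64
```

Running blacklist_status() on the real key before commit shows which file the warning is about; note that the touch workaround creates an empty database, so it silences the message without screening the key against anything.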


#4

Thanks, fixed it!