Subject: Re: Help/advice request please.
From: Charles Swiger
Date: Mon, 16 Nov 2015 13:55:30 -0800
To: Dave B
Cc: FreeBSD -

On Nov 16, 2015, at 1:38 PM, Dave B wrote:
> Trying to figure out how to get openvpn setup, ultimately for a small number of
> traveling client machines (Linux and Windows) all owned by myself, for my own
> personal use.
>
> Is there any (in plain English) "how-to's" out there, that actually work?

Sure.  Use preshared static keys, documented here:

https://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html

Use client certs when you're supporting dozens of different users, not one.

> In particular, in regards to creating a self-signed CA (and the other needed)
> certificates, working at the command line.
>
> I'm falling over with the (undocumented) various user input data fields.
> For example, it's taken me a full week, to find out that my country code is not
> UK, or 44, but GB!
>
> But there is no guidance as to what the other field values should (or should
> not) be.  Such as region/state etc.

X.509 PKI cryptography is hard.  Running your own CA is sufficient work
that most people pay good money for certs rather than doing it themselves.

Regards,
-- 
-Chuck
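
The static-key setup recommended in the reply above, sketched as an added example (not part of the original message and not code from the OpenVPN project). The tunnel addresses 10.8.0.1/10.8.0.2, the host name vpn.example.org, the directory in the usage line and all function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: point-to-point OpenVPN tunnel using one pre-shared static key.
# Addresses, host name and function names are illustrative assumptions.

# Write the server-side config into directory $1.
write_server_conf() {
    cat > "$1/server.conf" <<'EOF'
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
EOF
}

# Write the client-side config into directory $1; $2 is the server's address.
# The ifconfig endpoints are the server's pair, reversed.
write_client_conf() {
    cat > "$1/client.conf" <<EOF
remote $2
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
EOF
}

# The static key is the only secret in this mode: succeed only if the file
# exists and grants nothing to group or other (for example mode 0600 or 0400).
key_perms_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Generate the key (requires openvpn to be installed), write both configs,
# then confirm the key file is not readable by anyone else.
setup_static_vpn() {
    dir=$1; host=$2
    ( umask 077 && openvpn --genkey --secret "$dir/static.key" ) || return 1
    write_server_conf "$dir" && write_client_conf "$dir" "$host"
    key_perms_ok "$dir/static.key"
}

# Usage: setup_static_vpn /usr/local/etc/openvpn vpn.example.org
# Copy static.key to the client over an already-secure channel (e.g. scp).
```

A static key gives no forward secrecy and serves one client per server instance, so each traveling machine needs its own key and server instance. OpenVPN 2.6 and later deprecate static-key mode.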