
OpenVPN On My Machine: Easy-RSA: Building My Public Key Infrastructure (PKI), Part I

I have been on the lookout for third-party VPN providers for a year now. Since the start of 2017, privacy has been at the top of my to-do list. After installing Arch Linux in early February and configuring basic maintenance and security procedures, I am now ready to embark on connecting to some kind of VPN service. From what I've read so far, my best bet is a third-party VPN provider, which gives me a secure and private connection to the Internet and is easy to configure. I also went to the Arch Linux wiki, specifically the OpenVPN and Easy-RSA pages. Arch Linux has a culture of "do-it-yourself" and "keep-it-simple-shit" (KISS, maybe I got that wrong).

The latter course, doing it myself, is the subject of this post (hopefully I can bring good news in the next post or two as well). OpenVPN works by having machines authenticate themselves to a server, which then connects them to the Internet securely. To make this possible, I have to build my own public key infrastructure (PKI). The wiki recommends that the machine issuing certificates (the CA) be a different machine, with a better source of entropy, from the server and of course from the client machines. That path assumes I have more than one machine. What if I only have one?

OpenVPN is flexible and highly configurable software. It says so in the manual:

    "OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options..."

Also:

    "OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.

    OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.

    OpenVPN supports conventional encryption using a pre-shared secret key (Static Key mode) or public key security (SSL/TLS)."

But what closed the deal for me is this, from the header of the sample server configuration file:

    # Sample OpenVPN 2.0 config file for            #
    # multi-client server.                          #
    #                                               #
    # This file is for the server side              #
    # of a many-clients <-> one-server              #
    # OpenVPN configuration.                        #
    #                                               #
    # OpenVPN also supports                         #
    # single-machine <-> single-machine             #
    # configurations (See the Examples page         #
    # on the web site for more info).               #

I hope "single-machine" means what I think it means, and that I can make this work.
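One way to honour the wiki's advice about keeping the CA away from the server when there is only one machine is to give the CA its own Easy-RSA PKI directory, sign server requests there, and then move that directory offline. The script below is an added example written for this post, not the author's steps or the Arch wiki's text; the directory names and the CA common name are assumptions, and the commands are Easy-RSA 3's.

```shell
#!/bin/sh
# Added example (not from the post): two Easy-RSA 3 PKI directories on one
# host, so the CA private key never lives in the OpenVPN server's PKI.
# Directory names and the CA common name are assumptions.
set -eu

CA_PKI="${CA_PKI:-$HOME/pki-ca}"        # CA side: take offline after signing
SRV_PKI="${SRV_PKI:-$HOME/pki-server}"  # server side: its own key and CSR

# CA PKI: initialise and create the CA (key stays under $CA_PKI/private).
build_ca() {
    easyrsa --batch --pki-dir="$CA_PKI" init-pki
    easyrsa --batch --pki-dir="$CA_PKI" --req-cn="Home VPN CA" build-ca nopass
}

# Server PKI: generate the server key and CSR; the key never leaves this dir.
gen_server_req() {
    easyrsa --batch --pki-dir="$SRV_PKI" init-pki
    easyrsa --batch --pki-dir="$SRV_PKI" gen-req server nopass
}

# CA PKI: import the CSR and sign it as a server cert, then hand back only
# the public artefacts (ca.crt and server.crt) to the server PKI.
sign_server_req() {
    easyrsa --batch --pki-dir="$CA_PKI" import-req "$SRV_PKI/reqs/server.req" server
    easyrsa --batch --pki-dir="$CA_PKI" sign-req server server
    cp "$CA_PKI/ca.crt" "$CA_PKI/issued/server.crt" "$SRV_PKI/"
}

# Audit the separation: the CA key must exist in the CA PKI and must not be
# present anywhere in the server PKI. Returns 0 when sound, 1 otherwise.
audit_separation() {
    ca_dir="$1"; srv_dir="$2"
    [ -f "$ca_dir/private/ca.key" ] || return 1
    [ ! -e "$srv_dir/private/ca.key" ] || return 1
    [ ! -e "$srv_dir/ca.key" ] || return 1
    return 0
}

# Run the full flow only when invoked as: sh easyrsa-one-host.sh build
if [ "${1:-}" = "build" ]; then
    build_ca; gen_server_req; sign_server_req
    chmod 700 "$CA_PKI"    # then move $CA_PKI to offline or encrypted storage
    if audit_separation "$CA_PKI" "$SRV_PKI"; then
        echo "PKI layout OK: CA key isolated in $CA_PKI"
    else
        echo "CA key found in server PKI; do not deploy" >&2; exit 1
    fi
fi
```

Only the CSR travels from the server PKI to the CA PKI, and only the signed certificate and ca.crt travel back, which is the same flow the wiki describes for two machines.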
