mightyroot

badvpn+nss certs generate|export|import

Apr 3rd, 2013
COMPILE_NSS:

1. Extract and patch NSS sources
2. cd <nss_source>/mozilla/security/nss
3. export BUILD_OPT=1
4. export NSS_ENABLE_ECC=1
5. export NSS_ECC_MORE_THAN_SUITE_B=1
6. make nss_build_all

OpenSSL: no special configuration is needed (build as described in the OpenSSL source directory). On Linux, compilation is not needed if the distribution ships an OpenSSL package (but make sure to install the OpenSSL-dev package as well).

COMPILE_BadVPN:
1. Extract and patch BadVPN source
2. Set the path to the compiled NSS binaries in <badvpnsource>/cmake/modules/FindNSPR.cmake and <badvpnsource>/cmake/modules/FindNSS.cmake
3. Compile as described in <badvpnsource>/INSTALL

Notes:
When using certutil and pk12util on Linux to generate certificates, make sure these utilities load the proper NSS libs (the compiled version, not the system one). One way to do this is to set the LD_LIBRARY_PATH environment variable.

Running:
Set up and run as described here:
http://code.google.com/p/badvpn/wiki/Examples
But for the commands which generate certificates (ca, server, user) (those starting with certutil -d <some path> -S), add two options at the end: -k ec -q sect163r1

#---------------------{Cryptolink_G}--------------------
#--------{GENERATE_CA_SERVER-KEY_AND_CLIENT-KEY}--------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
<maybe any passwd>

# The lines after each certutil -S command are the answers typed at its
# interactive prompts for the -2 (basic constraints) and -6 (extended key usage) extensions.
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "vpnca" -s "CN=vpnca" -t "TC,," -x -2 -v 24
y
-1
n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "server" -c "vpnca" -s "CN=server" -t ",," -6 -2 -v 24
0
-1
n
n

n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "peer-00" -c "vpnca" -s "CN=peer-00" -t ",," -6 -2 -v 24
0
1
-1
n
n

n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "peer-01" -c "vpnca" -s "CN=peer-01" -t ",," -6 -2 -v 24
0
1
-1
n
n

n
#--------{EXPORT_KEYS}------------
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -L -n vpnca -a > ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -o server.p12 -n "server"
<SET PASSWD>
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -o peer-00.p12 -n "peer-00"
<SET PASSWD>
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -o peer-01.p12 -n "peer-01"
<SET PASSWD>
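An added check, not part of the original paste: after exporting ca.pem with certutil -L -a, confirm that the certificate's public key really is id-ecPublicKey on sect163r1 (the -k ec -q sect163r1 options above), using only the Python standard library. The sample certificate is constructed inside the block (dummy key and signature, real DER layout), not a real certutil export; run spki_curve() on the actual ca.pem contents instead.

```python
import base64

# DER contents octets of the OIDs the checker compares against.
EC_PUBKEY = bytes.fromhex("2a8648ce3d0201")               # 1.2.840.10045.2.1 id-ecPublicKey
CURVES = {bytes.fromhex("2b81040001"): "sect163r1",       # 1.3.132.0.1 (what the paste uses)
          bytes.fromhex("2a8648ce3d030107"): "secp256r1"} # 1.2.840.10045.3.1.7

def der(tag, payload):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def spki_curve(pem):
    """Name the curve in the certificate's SubjectPublicKeyInfo, or None if
    the key is not id-ecPublicKey / the curve is not in CURVES."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tbs = tlv(tlv(base64.b64decode(b64))[1])[1]          # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                              # optional [0] version (v3 certs)
        fields.pop(0)
    spki = fields[5][1]            # serial, sigAlg, issuer, validity, subject, SPKI
    algid = tlv(spki)[1]
    _, alg_oid, p = tlv(algid)
    params = tlv(algid, p)[1]                             # namedCurve OID for EC keys
    return CURVES.get(params) if alg_oid == EC_PUBKEY else None

def sample_cert_pem(curve_oid):
    """Constructed stand-in for a certutil export: real structure, dummy key/signature."""
    cn = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"vpnca"))))
    validity = der(0x30, der(0x17, b"130403000000Z") * 2)
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
    spki = der(0x30, der(0x30, der(0x06, EC_PUBKEY) + der(0x06, curve_oid))
               + der(0x03, b"\x00\x04" + b"\x11" * 42))              # dummy uncompressed point
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + cn + validity + cn + spki)
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
```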


#---------------{Cryptolink_S}---------------------------------------------------#
#--------{IMPORT_SERVER-KEY_TO_NEW_DB}----------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
   <without passwd>
certutil -d sql:"%APPDATA%\cryptolink\nssdb" -A -t "CT,," -n "vpnca" -i ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i server.p12
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i peer-00.p12

#--------{START_CL_SERVER}----------
badvpn-server  --listen-addr 0.0.0.0:7000   --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --server-cert-name "server"

#NOTICE(server): initializing BadVPN server 1.999.127
#NOTICE(server): entering event loop
#INFO(BConnection): connection accepted
#INFO(server): client 0 (192.168.41.202:30137): initialized
#INFO(server): client 0 (192.168.41.202:30137) (peer-01): handshake complete
#INFO(server): client 0 (193.168.41.202:30137) (peer-01): received hello

#--------{START_CL_CLIENT}----------
#NOTE: badvpn-server does not actually participate in the virtual network. If you want the server machine to be part of the network, run a local badvpn-client on it, as on the other peers (here with the peer-00 certificate imported above).

badvpn-client  --server-addr 192.168.139.5:7000  --transport-mode udp --scope local1  --bind-addr 0.0.0.0:8000 --num-ports 30 --ext-addr {server_reported}:8000 local1  --tapdev "tap0901:TAP_VPN"  --server-name "server"  --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --client-cert-name "peer-00"  --encryption-mode blowfish --hash-mode md5 --otp blowfish 3000 2000

#NOTICE(client): initializing BadVPN client 1.999.127
#INFO(BTap): Looking for TAP-Win32 with component ID tap0901, name TAP_VPN_1
#INFO(BTap): Opening device \\.\Global\{21CDC91C-90CA-4C08-82A6-F9D6C7828541}.tap
#INFO(BTap): Device opened
#INFO(client): device MTU is 1514
#NOTICE(client): entering event loop
#NOTICE(ServerConnection): connected
#INFO(client): server: ready, my ID is 4
#INFO(client): peer 0 (peer-01): initialized; talking to peer in SSL server mode
#NOTICE(client): peer 0 (peer-01): no more addresses to bind to
#NOTICE(client): peer 0 (peer-01): msg_youconnect: using address in scope 'local1
#INFO(client): peer 0 (peer-01): connecting


#-----------------{Cryptolink_C}-----------------------------------------------------#
#--------{IMPORT_CLIENT-KEY_TO_NEW_DB}----------------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
   <without passwd>
certutil -d sql:"%APPDATA%\cryptolink\nssdb" -A -t "CT,," -n "vpnca" -i ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i peer-01.p12

#--------{INSTALL_TAP_DRIVER}----------
install the OpenVPN TAP driver
http://swupdate.openvpn.org/community/releases/tap-windows-9.9.2.exe
Rename its network connection to "TAP_VPN" so it can be referenced as --tapdev "tap0901:TAP_VPN"

#--------{START_CL_CLIENT}----------
badvpn-client --server-addr 192.168.139.5:7000 --scope local1 --transport-mode udp --tapdev "tap0901:TAP_VPN_1" --server-name "server" --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --client-cert-name "peer-01" --encryption-mode blowfish --hash-mode md5 --otp blowfish 3000 2000

#NOTICE(client): initializing BadVPN client 1.999.127
#INFO(BTap): Looking for TAP-Win32 with component ID tap0901, name TAP_VPN_1
#INFO(BTap): Opening device \\.\Global\{21CDC91C-90CA-4C08-82A6-F9D6C7828541}.tap
#INFO(BTap): Device opened
#INFO(client): device MTU is 1514
#NOTICE(client): entering event loop
#NOTICE(ServerConnection): connected
#INFO(client): external address (0,0): server reported 192.168.41.202:8000
#INFO(client): server: ready, my ID is 2