badvpn+nss certs generate|expot|import

COMPILE_NSS:

1. Extract and patch NSS sources
2. cd <nss_source>/mozilla/security/nss
3. export BUILD_OPT=1
4. export NSS_ENABLE_ECC=1
5. export NSS_ECC_MORE_THAN_SUITE_B=1
7. make nss_build_all

OpenSSL: no special configuration is needed (build as specified in OpenSSL source directory). For Linux, compilation is not needed if distribution includes OpenSSL package (but make sure to install OpenSSL-dev package)

COMPLILE_BadVPN:
1. Extract and patch BadVPN source
2. Set path to compiled NSS binaries in <badvpnsource>/cmake/modules/FindNSPR.cmake and <badvpnsource>/cmake/modules/FindNSS.cmake
3. Compile as described in <badvpnsource>/INSTALL

Notes:
When using certutil and pk12util on Linux to generate certificates make sure that this utilities use proper NSS libs (not system, but compiled version). One way to do it is set LD_LIBRARY_PATH environment variable.

Running:
Set up and run as described here:
http://code.google.com/p/badvpn/wiki/Examples
But, for command which generates certificates (ca, server, user)(starts with certutil -d <some path> -S) add two options at the end: -k ec -q sect163r1

#---------------------{Cryptolink_G}--------------------
#--------{GENERATE_CA_SERVER-KEY_AND_CLIENT-KEY}--------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
<maybe any passwd>

certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "vpnca" -s "CN=vpnca" -t "TC,," -x -2 -v 24
y
-1
n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "server" -c "vpnca" -s "CN=server" -t ",," -6 -2 -v 24
0
-1
n
n

n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "peer-00" -c "vpnca" -s "CN=peer-00" -t ",," -6 -2 -v 24
0
1
-1
n
n

n
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -k ec -q sect163r1 -S -n "peer-01" -c "vpnca" -s "CN=peer-01" -t ",," -6 -2 -v 24
0
1
-1
n
n

n
#--------{EXPORT_KEYS}------------
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -L -n vpnca -a > ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb"-o server.p12 -n "server"
<SET PASSWD>
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -o peer-01.p12 -n "peer-00"
<SET PASSWD>
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -o peer-01.p12 -n "peer-01"
<SET PASSWD>


#---------------{Cryptolink_S}---------------------------------------------------#
#--------{IMPORT_SERVER-KEY_TO_NEW_BD}----------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
   <without passwd>
certutil -d sql:"%APPDATA%\cryptolink\nssdb" -A -t "CT,," -n "vpnca" -i ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i server.p12
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i peer-00.p12

#--------{START_CL_SERVER}----------
badvpn-server  --listen-addr 0.0.0.0:7000   --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --server-cert-name "server"

#NOTICE(server): initializing BadVPN server 1.999.127
#NOTICE(server): entering event loop
#INFO(BConnection): connection accepted
#INFO(server): client 0 (192.168.41.202:30137): initialized
#INFO(server): client 0 (192.168.41.202:30137) (peer-01): handshake complete
#INFO(server): client 0 (193.168.41.202:30137) (peer-01): received hello

#--------{START_CL_CLIENT}----------
#NOTE: badvpn-server does not actually participate in the virtual network. If you want the server machine to be part of the network, run a local badvpn-client, like on other peers.

badvpn-client  --server-addr 192.168.139.5:7000  --transport-mode udp --scope local1  --bind-addr 0.0.0.0:8000 --num-ports 30 --ext-addr {server_reported}:8000 local1  --tapdev "tap0901:TAP_VPN"  --server-name "server"  --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --client-cert-name "peer-01"  --encryption-mode blowfish --hash-mode md5 --otp blowfish 3000 2000

#NOTICE(client): initializing BadVPN client 1.999.127
#INFO(BTap): Looking for TAP-Win32 with component ID tap0901, name TAP_VPN_1
#INFO(BTap): Opening device \\.\Global\{21CDC91C-90CA-4C08-82A6-F9D6C7828541}.tap
#INFO(BTap): Device opened
#INFO(client): device MTU is 1514
#NOTICE(client): entering event loop
#NOTICE(ServerConnection): connected
#INFO(client): server: ready, my ID is 4
#INFO(client): peer 0 (peer-01): initialized; talking to peer in SSL server mode
#NOTICE(client): peer 0 (peer-01): no more addresses to bind to
#NOTICE(client): peer 0 (peer-01): msg_youconnect: using address in scope 'local1
#INFO(client): peer 0 (peer-01): connecting


#-----------------{Cryptolink_C}-----------------------------------------------------#
#--------{IMPORT_CLIENT-KEY_TO_NEW_BD}----------------
mkdir "%APPDATA%\cryptolink\nssdb"
certutil.exe -d sql:"%APPDATA%\cryptolink\nssdb" -N
   <without passwd>
certutil -d sql:"%APPDATA%\cryptolink\nssdb" -A -t "CT,," -n "vpnca" -i ca.pem
pk12util -d sql:"%APPDATA%\cryptolink\nssdb" -i peer-01.p12

#--------{INSTALL_TAP_DRIVER}----------
install OpenVPN Tap Driver
http://swupdate.openvpn.org/community/releases/tap-windows-9.9.2.exe
Rename it "Network Connection" to "TAP_VPN" for use in --tapdev "tap0901:TAP_VPN"

#--------{START_CL_CLIENT}----------
badvpn-client --server-addr 192.168.139.5:7000 --scope local1 --transport-mode udp --tapdev "tap0901:TAP_VPN_1" --server-name "server" --ssl --nssdb sql:"%APPDATA%\cryptolink\nssdb" --client-cert-name "peer-02" --encryption-mode blowfish --hash-mode md5 --otp blowfish 3000 2000

#NOTICE(client): initializing BadVPN client 1.999.127
#INFO(BTap): Looking for TAP-Win32 with component ID tap0901, name TAP_VPN_1
#INFO(BTap): Opening device \\.\Global\{21CDC91C-90CA-4C08-82A6-F9D6C7828541}.tap
#INFO(BTap): Device opened
#INFO(client): device MTU is 1514
#NOTICE(client): entering event loop
#NOTICE(ServerConnection): connected
#INFO(client): external address (0,0): server reported 192.168.41.202:8000
#INFO(client): server: ready, my ID is 2