upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Improve peer fingerprint documentation

Browse source 
- fix typo in peer-fingerprint
- use ec_paramgen_curve instead of requiring a subshell

Note: we still use -nodes instead of -noenc as it is more compatible.

Github: closes OpenVPN/openvpn#666

Change-Id: I9a12a0c127908af9f09d88fb3a493df3763d0cc5
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20250114134909.31334-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30447.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit cb9fdc8479)
This commit is contained in:
Arne Schwabe 2025-01-14 14:49:09 +01:00 committed by Gert Doering
parent 62d41dec8d
commit de127bd10c
1 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
doc/man-sections/example-fingerprint.rst
View file

@ -18,7 +18,7 @@ Server setup
2. Generate a self-signed certificate for the server:
::
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=server'
3. Generate SHA256 fingerprint of the server certificate
@ -28,7 +28,7 @@ Server setup
openssl x509 -fingerprint -sha256 -in server.crt -noout
This output something similar to:
This outputs something similar to:
::
SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
@ -64,6 +64,12 @@ Server setup
# Ping every 60s, restart if no data received for 5 minutes
keepalive 60 300
# Uncomment the line below if you want to have persistent IP addresses
# ifconfig-pool-persist /etc/openvpn/server/ipp.txt
# Uncomment the line below to push a DNS server to clients
# push "dhcp-option DNS 1.1.1.1"
5. Add at least one client as described in the client section.
6. Start the server.
@ -85,7 +91,7 @@ Adding a client
different name for each client.
::
openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -nodes -sha256 -days 3650 -subj '/CN=alice'
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -keyout - -nodes -sha256 -days 3650 -subj '/CN=alice'
This generate a certificate and a key for the client. The output of the command will look
something like this:
@ -162,7 +168,7 @@ Adding a client
<peer-fingerprint>
ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00
99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:88:77:66:55:44:33
</peer-fingperint>
</peer-fingerprint>
6. (optional) if the client is an older client that does not support the
:code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect 3.3