Check public/private RSA keypairs

deep_eye deep_eye at gmx.at
Thu Mar 18 20:41:23 CET 2010


Hello, I have written a script (for Windows) to create/update client configs (for non-nerds :-) ).
So if someone is new, he must:
* install tinc
* copy the cmd code into a cmd file -> run -> follow the instructions (we have Mumble (voice over IP) for short help).

The script creates a config (you can set all parameters with the echos) or updates the public keys and tinc.conf.

Here is the code:
------------------------------------- begin --------------------------------------------------
@echo off
rem Author: Manuel Hofstetter
rem Licence: GPLv3
rem This script generates/updates a tinc-config

rem version: 0.2
rem changelog:
rem 0.1  add backup from public-master-file to gaming-dir
rem 0.2  corrections backup local files, vpnnetwork now variable, add tinc.conf update

rem ########## custom config ##############
set VPNNETWORK=gaming

if not exist .\%VPNNETWORK%\tinc.conf goto install
if exist .\%VPNNETWORK%\tinc.conf set /p config=vorhanden config beibehalten, nur nodes aktualisieren(y/n):
rem compare quoted and case-insensitively: just pressing Enter leaves config empty, which otherwise is a syntax error
if /i "%config%"=="n" goto install
cd %VPNNETWORK%
goto nodes

:install
echo installiere tap interface
cd .\tap-win32\
call addtap.bat
cd ..
if not exist %VPNNETWORK% md %VPNNETWORK%
if not exist .\%VPNNETWORK%\hosts md .\%VPNNETWORK%\hosts
cd .\%VPNNETWORK%\
cls
echo In den Netzwerkverbindungen die neue Verbindung (Gerät = TAP-Win32 Adapter V9) auf "%VPNNETWORK%" umbenennen und eine IP-Adress x.x.x.x mit Netmask 255.255.255.0 fix eingeben.
pause

set /p clientname=Hostname-Client(wie der eigene Rechner heist):
if exist tinc.conf move tinc.conf tinc-old.conf
if exist rsa_key.priv move rsa_key.priv rsa_key-old.priv
if exist .\hosts\%clientname% move .\hosts\%clientname% .\%clientname%-old
echo Name = %clientname% > tinc.conf

rem tincd reads Name from tinc.conf, writes rsa_key.priv and appends the new public key to .\hosts\%clientname%
..\tincd -n %VPNNETWORK% --generate-keys=3072
rem put the Compression line in front of the generated public key
move .\hosts\%clientname% .\hosts\%clientname%-key
echo Compression = 0 > .\hosts\%clientname%
type .\hosts\%clientname%-key >> .\hosts\%clientname%
del .\hosts\%clientname%-key

:nodes
rem in update mode the hostname was never asked for: take it from the Name line of tinc.conf
if not defined clientname for /f "tokens=2 delims== " %%i in ('findstr /b /i "Name" tinc.conf') do set clientname=%%i
rem keep a copy of the own host file and of the private key one directory up (only if none is there yet)
if exist .\hosts\%clientname% if not exist ..\%clientname% copy .\hosts\%clientname% ..\%clientname%
if exist .\rsa_key.priv if not exist ..\rsa_key.priv copy .\rsa_key.priv ..\rsa_key.priv

echo update tinc.conf
rem rewrite tinc.conf from scratch, keeping only the Name line (token 3 is the value after "Name =")
for /f "tokens=3" %%i in ('find "Name" tinc.conf') do echo Name = %%i > tinc.conf
echo Interface = %VPNNETWORK% >> tinc.conf
echo ConnectTo = master >> tinc.conf
echo Mode = switch >> tinc.conf

echo create/update config for node: master
echo Address = test.org> .\hosts\master
rem redirection first: a value ending in a digit (555) must not stand directly in front of >>,
rem where cmd can take the digit for a file handle; this form also writes no trailing space
>> .\hosts\master echo Port = 555
echo Compression = 0 >> .\hosts\master
echo -----BEGIN RSA PUBLIC KEY----->> .\hosts\master
rem same rule for the base64 lines of the key, some of which end in a digit
>> .\hosts\master echo ...6
>> .\hosts\master echo ...l
>> .\hosts\master echo ...o
>> .\hosts\master echo ...v
>> .\hosts\master echo ...s
>> .\hosts\master echo ...K
>> .\hosts\master echo ...O
>> .\hosts\master echo ...O
>> .\hosts\master echo ...l
echo -----END RSA PUBLIC KEY----->> .\hosts\master

echo create/update config for node: laptop
echo Compression = 0 > .\hosts\laptop
echo -----BEGIN RSA PUBLIC KEY----->> .\hosts\laptop
>> .\hosts\laptop echo ...C
>> .\hosts\laptop echo ...p
>> .\hosts\laptop echo ...R
>> .\hosts\laptop echo ...1
>> .\hosts\laptop echo ...j
>> .\hosts\laptop echo ...3
>> .\hosts\laptop echo ...V
>> .\hosts\laptop echo ...O
>> .\hosts\laptop echo ...l
echo -----END RSA PUBLIC KEY----->> .\hosts\laptop

echo start "tinc vpn service" ..\tincd -n %VPNNETWORK% -D> start-vpn.cmd

echo ########## IP Liste ############ > .\ip.txt
echo ...:           x.x.x.x >> .\ip.txt
echo ...:           x.x.x.x >> .\ip.txt

echo tinc-config finished

pause
------------------------------------- end --------------------------------------------------

The questions are in German; if you need them in English:
if exist .\%VPNNETWORK%\tinc.conf set /p config=vorhanden config beibehalten, nur nodes aktualisieren(y/n):
if exist .\%VPNNETWORK%\tinc.conf set /p config=hold config and update only nodes(y/n):

echo In den Netzwerkverbindungen die neue Verbindung (Gerät = TAP-Win32 Adapter V9) auf "%VPNNETWORK%" umbenennen und eine IP-Adress x.x.x.x mit Netmask 255.255.255.0 fix eingeben.
echo In the network-settings rename the new connection (device = TAP-Win32 Adapter V9) to "%VPNNETWORK%" and give it a static ip-address of x.x.x.x with netmask 255.255.255.0

set /p clientname=Hostname-Client(wie der eigene Rechner heist):
set /p clientname=Hostname-Client(it's the name of the own pc):

Hope it helps you (if the clients are Windows). You could send the batch file by mail or over chat.
If you need a bash script, I could "convert" it.

FYI: the script doesn't check the host files, it always generates new ones (so errors by users can be minimized).

greets Manuel


Guus Sliepen wrote:
> On Wed, Mar 17, 2010 at 02:38:37PM +0100, Claus Strasburger wrote:
> 
>> I have a tinc VPN running on several local networks as well as on
>> clients and am writing a little "zeroconfig" tool to add new (newbie)
>> clients to the net without having to VNC to them for ages.
>> To do this easier, I wanted to have a possibility to check somehow if
>> the public key stored on the server matches the private key on the
>> client, or if it needs to be regenerated.
> 
> Why not check the public key stored on the server against the public key on the
> client?
> 
>> Now I figured I can output the public key from a private one by using
>> openssl rsa -in rsa_key.priv -pubout
>> This one will print out a public key in the same format as the public
>> key stored in the hosts file. I tested it with some clients, and every
>> private key will generate a pubkey different from the one in the host file,
>> but each of these clients does work in my VPN, so the public/private
>> keypairs must match.
>> A second command I found by googling
>> ssh-keygen -y -f rsa_key.priv
>> will output something that is totally different from the original.
> 
> The problem is that the OpenSSL library has two ways to store a public key. You
> can see the difference in the header already, tinc's host config files will
> contain "BEGIN RSA PUBLIC KEY", while the openssl tool will output something
> that contains "BEGIN PUBLIC KEY" (note the missing "RSA"). Also, these blobs
> not only contain the public key, they contain additional information, some of
> which is not used. SSH uses yet another format. So, they all contain the same
> public key, but the representations are different.
> 
> Actually, tinc will also happily use RSA keys generated in the format used by
> the openssl tool. So instead of using tincd -K you can use openssl genrsa to
> create an rsa_key.priv file, and openssl rsa to convert it to a public key for
> the host config file.
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> http://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc
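The check Claus asks for, done the way Guus's explanation implies, as an added example (this is not code from the thread, from tinc or from OpenSSL): a standard-library Python script that reads the PKCS#1 "RSA PUBLIC KEY" block of a tinc host file, the "PUBLIC KEY" (SubjectPublicKeyInfo) block that openssl rsa -pubout emits, and an OpenSSH ssh-rsa line, reduces each to the pair (n, e) and compares that pair with the (n, e) stored inside rsa_key.priv. The sample keys are constructed inside the script from textbook toy parameters (p=61, q=53, so not a real key) so that it runs offline; the small DER/SSH encoder exists only to build that sample. All function and variable names are mine.

```python
"""Same RSA public key, three PEM/text representations, one (n, e) pair.
Standard library only; the toy key below is constructed, not a real key."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER reader: enough for SEQUENCE / INTEGER / OID / NULL / BIT STRING ---
def der_read(buf, pos=0):
    """Return (tag, content, next_pos) of the TLV that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split SEQUENCE content into a list of (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def der_int(body):
    return int.from_bytes(body, "big", signed=True)     # DER INTEGER is two's complement


def pem_body(pem, label):
    """DER bytes of the '-----BEGIN <label>-----' block; the label must match exactly."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


# --- the three public-key formats from the thread, each reduced to (n, e) ---------
def parse_pkcs1_public(pem):
    """'BEGIN RSA PUBLIC KEY' (tinc host file): SEQUENCE { n INTEGER, e INTEGER }."""
    _, seq, _ = der_read(pem_body(pem, "RSA PUBLIC KEY"))
    n, e = (der_int(b) for _, b in der_children(seq))
    return n, e


def parse_spki_public(pem):
    """'BEGIN PUBLIC KEY' (openssl rsa -pubout): SEQUENCE { AlgorithmIdentifier, BIT STRING };
    the BIT STRING wraps the very same RSAPublicKey, the extra bytes are the OID and a NULL."""
    _, seq, _ = der_read(pem_body(pem, "PUBLIC KEY"))
    (_, alg), (_, bits) = der_children(seq)
    if der_children(alg)[0][1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, inner, _ = der_read(bits[1:])                    # bits[0] is the unused-bit count (0)
    n, e = (der_int(b) for _, b in der_children(inner))
    return n, e


def parse_ssh_public(line):
    """'ssh-rsa AAAA...' (ssh-keygen -y): length-prefixed fields "ssh-rsa", e, n (mpint)."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return der_int(fields[2]), der_int(fields[1])       # mpint uses the same sign rule


def parse_pkcs1_private(pem):
    """'BEGIN RSA PRIVATE KEY' (tinc's rsa_key.priv): SEQUENCE { version, n, e, d, ... }."""
    _, seq, _ = der_read(pem_body(pem, "RSA PRIVATE KEY"))
    ints = [der_int(b) for _, b in der_children(seq)]
    return ints[1], ints[2]


def public_matches_private(pub_ne, priv_pem):
    """The check the thread asks for: compare the numbers, never the PEM text."""
    return pub_ne == parse_pkcs1_private(priv_pem)


# --- constructed sample input: one toy key rendered in every format ----------------
def der_enc(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def uint_bytes(x):
    """Minimal big-endian encoding with the sign bit clear (DER INTEGER and SSH mpint)."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def build_samples(n, e, d, p, q):
    """Return (pkcs1_pub_pem, spki_pem, ssh_line, pkcs1_priv_pem) for a toy key (constructed)."""
    def ssh_str(b):
        return len(b).to_bytes(4, "big") + b
    rsa_pub = der_enc(0x30, der_enc(0x02, uint_bytes(n)) + der_enc(0x02, uint_bytes(e)))
    alg = der_enc(0x30, der_enc(0x06, RSA_OID) + der_enc(0x05, b""))
    spki = der_enc(0x30, alg + der_enc(0x03, b"\x00" + rsa_pub))
    ssh = "ssh-rsa " + base64.b64encode(
        ssh_str(b"ssh-rsa") + ssh_str(uint_bytes(e)) + ssh_str(uint_bytes(n))).decode()
    priv_ints = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    priv = der_enc(0x30, b"".join(der_enc(0x02, uint_bytes(x)) for x in priv_ints))
    return (pem_wrap("RSA PUBLIC KEY", rsa_pub), pem_wrap("PUBLIC KEY", spki), ssh,
            pem_wrap("RSA PRIVATE KEY", priv))


def demo():
    """Textbook toy key p=61, q=53 (n=3233, e=17, d=2753); three texts, one key."""
    pkcs1, spki, ssh, priv = build_samples(3233, 17, 2753, 61, 53)
    ne = {parse_pkcs1_public(pkcs1), parse_spki_public(spki), parse_ssh_public(ssh)}
    assert len(ne) == 1, "the three representations must yield the same (n, e)"
    return ne.pop(), public_matches_private((3233, 17), priv)


if __name__ == "__main__":
    print(demo())           # ((3233, 17), True)
```

On a real deployment the same comparison needs no parser of your own: `openssl rsa -in rsa_key.priv -noout -modulus` on the client and `openssl rsa -RSAPublicKey_in -in hosts/<name> -noout -modulus` on the server each print the modulus (OpenSSL's PEM reader skips the Address/Port lines before the BEGIN line), and equal output means the pair matches, whatever label the two PEM blocks carry.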


