====OpenVPN====

OpenVPN server with client certificate and password
authentication.

TBC

===Install===

<code>
sudo -s
cd /root
apt update
apt upgrade
apt install openvpn easy-rsa
rehash
/etc/init.d/openvpn stop
update-rc.d openvpn disable
</code>

===Certificate Store===

==Init==

Create the certificate folder and intialise it.

<code>
make-cadir easy-rsa
cd easy-rsa
./easyrsa init-pki hard-reset

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/ovpn/pki
</code>

Edit the `vars' file changing organisational data.

Eg.
<code>
set_var EASYRSA_REQ_COUNTRY     "GB"
set_var EASYRSA_REQ_PROVINCE    "England"
set_var EASYRSA_REQ_CITY        "London"
set_var EASYRSA_REQ_ORG         "OVPN"
set_var EASYRSA_REQ_EMAIL       "root@example.com"
set_var EASYRSA_REQ_OU          "CA"
</code>

The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.

<code>
set_var EASYRSA_CA_EXPIRE   3650
set_var EASYRSA_CERT_EXPIRE 3650
</code>

/**************************************************************************

Change the default Common Name (CN) (doesn't work)

<code>
EASYRSA_REQ_CN="OpenVPN"
</code>

**************************************************************************/

==Create Certificate Authority==

Create a CA for managing certificates. Choose a secret passphrase.

<code>
./easyrsa --vars=./vars build-ca
Enter New CA Key Passphrase:
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/ovpn/pki/ca.crt

</code>

==Create Server Certificate==

The server certificate will be utilised by the OpenVPN daemon, sign it with the CA passphrase.

<code>
./easyrsa --vars=./vars build-server-full server nopass
Enter pass phrase for /root/ovpn/pki/private/ca.key:
...
</code>

==Create DH Certificate==

<code>
./easyrsa --vars=./vars gen-dh
</code>

==Create TA Certificate==

Shared secret key.

<code>
openvpn --genkey secret pki/ta.key
</code>

Example configuration on server.

<code>
tls-server
tls-auth ta.key 0
</code>

On the client, the shared secret may be inline in the connection profile.

==Create Client Certificate==

<code>
./easyrsa --vars=./vars build-client-full vpn nopass
</code>

==Bundle Client Certificate==

<code>
openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
</code>

==Unbundle Client Certificate==

<code>
openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass:
</code>