Table of Contents

OpenVPN

OpenVPN server with client certificate and password authentication.

TBC

Install

sudo -s
cd /root
apt update
apt upgrade
apt install openvpn easy-rsa
rehash
/etc/init.d/openvpn stop
update-rc.d openvpn disable

Certificate Store

Init

Create the certificate folder and intialise it.

make-cadir easy-rsa
cd easy-rsa
./easyrsa init-pki hard-reset

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /root/ovpn/pki

Edit the `vars' file changing organisational data.

Eg.

set_var EASYRSA_REQ_COUNTRY     "GB"
set_var EASYRSA_REQ_PROVINCE    "England"
set_var EASYRSA_REQ_CITY        "London"
set_var EASYRSA_REQ_ORG         "OVPN"
set_var EASYRSA_REQ_EMAIL       "root@example.com"
set_var EASYRSA_REQ_OU          "CA"

The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.

set_var EASYRSA_CA_EXPIRE   3650
set_var EASYRSA_CERT_EXPIRE 3650
Create Certificate Authority

Create a CA for managing certificates. Choose a secret passphrase.

./easyrsa --vars=./vars build-ca
Enter New CA Key Passphrase:
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/root/ovpn/pki/ca.crt
Create Server Certificate

The server certificate will be utilised by the OpenVPN daemon, sign it with the CA passphrase.

./easyrsa --vars=./vars build-server-full server nopass
Enter pass phrase for /root/ovpn/pki/private/ca.key:
...
Create DH Certificate
./easyrsa --vars=./vars gen-dh
Create TA Certificate

Shared secret key.

openvpn --genkey secret pki/ta.key

Example configuration on server.

tls-server
tls-auth ta.key 0

On the client, the shared secret may be inline in the connection profile.

Create Client Certificate
./easyrsa --vars=./vars build-client-full vpn nopass
Bundle Client Certificate
openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
Unbundle Client Certificate
openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass: