OpenVPN
OpenVPN server with client certificate and password authentication.
Install
sudo -s
apt update
apt full-upgrade
apt install openvpn git
/etc/init.d/openvpn stop
update-rc.d openvpn disable
We use easy-rsa from GitHub because the version packaged in Debian does not work with the OpenSSL version Debian ships.
cd /opt/src
git clone https://github.com/OpenVPN/easy-rsa
Initialise Certificate Store
Create the certificate folder and initialise it.
cp -Rp /opt/src/easy-rsa/easyrsa3 /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
Edit the `vars` file, changing the organisational data.
cp vars.example vars
vi vars
set_var EASYRSA_REQ_COUNTRY "GB"
set_var EASYRSA_REQ_PROVINCE "England"
set_var EASYRSA_REQ_CITY "London"
set_var EASYRSA_REQ_ORG "OVPN"
set_var EASYRSA_REQ_EMAIL "root@example.com"
set_var EASYRSA_REQ_OU "CA"
The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
./easyrsa --vars=./vars init-pki hard-reset
Using Easy-RSA 'vars' configuration:
* ./vars

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki

Using Easy-RSA configuration:
* /etc/openvpn/easy-rsa/vars
Create Certificate Authority
Create a CA for managing certificates. Choose a secret passphrase.
./easyrsa --vars=./vars build-ca
Using Easy-RSA 'vars' configuration:
* ./vars

Enter New CA Key Passphrase:
Confirm New CA Key Passphrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

Notice
------
CA creation complete.

Your new CA certificate is at:
* /etc/openvpn/easy-rsa/pki/ca.crt

Build-ca completed successfully.
Create Server Certificate
The server certificate is used by the OpenVPN daemon; sign it with the CA passphrase when prompted.
./easyrsa --vars=./vars build-server-full server nopass
Change the server name “server” to something else if you prefer.
Create DH Parameters
./easyrsa --vars=./vars gen-dh
Create TLS Auth Key
A shared secret key for tls-auth, which HMAC-signs the control channel so unauthenticated peers are dropped before the TLS handshake.
openvpn --genkey secret pki/private/easyrsa-tls.key
Example configuration on the server (the path matches the key generated above):
tls-server
tls-auth /etc/openvpn/easy-rsa/pki/private/easyrsa-tls.key 0
On the client, the shared secret may be inline in the connection profile.
Create Client Certificate
./easyrsa --vars=./vars build-client-full vpn nopass
Change the client name “vpn” to something else if you prefer.
Bundle Client Certificate
A bundled certificate may be required by some clients, e.g. mobile clients, or to distribute the keys for unbundling later.
openssl pkcs12 -export -inkey ./pki/private/vpn.key -in ./pki/issued/vpn.crt -certfile ./pki/ca.crt -out vpn.p12 -passout pass:
Unbundle Client Certificate
openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass:
Client plaintext password
This tool allows the first line of the per-client config file (the file in client-config-dir named after the client's certificate common name) to be a comment containing a plaintext username and password.
This supplements the client certificate.
hg clone https://hg.kewl.org/pub/Ovpnenv
cd Ovpnenv
sudo make install
gcc -c ovpnenv.c -o ovpnenv.o
gcc ovpnenv.o -o ovpnenv
cp ovpnenv /usr/local/bin/
The comment format is:
#username:password
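The check ovpnenv performs, written out as an added Python stand-in (this is not the ovpnenv.c from the repository above). It assumes OpenVPN invokes it with auth-user-pass-verify ... via-env under script-security 3, which exports username, password and common_name in the environment, and that the per-client file in client-config-dir is named after the certificate common name and starts with "#username:password"; the path CCD_DIR and the function names are this example's own.

```python
import hmac
import os
import sys

# Hypothetical stand-in for ovpnenv: OpenVPN runs it via "auth-user-pass-verify <script> via-env"
# (needs script-security 3) and passes username, password and the certificate common_name in
# the environment. The client's file in client-config-dir starts with "#username:password".
CCD_DIR = "/etc/openvpn/client"  # must match client-config-dir in server.conf (assumed path)


def safe_name(common_name):
    """Only accept a plain file name: the common name comes from a client certificate."""
    return bool(common_name) and common_name not in (".", "..") \
        and common_name == os.path.basename(common_name)


def check_credentials(first_line, username, password):
    """True only if first_line is '#user:pass' and both fields match (constant-time compare)."""
    line = first_line.rstrip("\r\n")
    if not line.startswith("#") or ":" not in line:
        return False
    exp_user, _, exp_pw = line[1:].partition(":")  # password may itself contain ':'
    ok_user = hmac.compare_digest(exp_user.encode(), username.encode())
    ok_pw = hmac.compare_digest(exp_pw.encode(), password.encode())
    return ok_user & ok_pw  # '&' rather than 'and': both comparisons always run


def verify(ccd_dir, common_name, username, password):
    """Look up the client's file by common name and check the supplied credentials."""
    if not safe_name(common_name):
        return False
    try:
        with open(os.path.join(ccd_dir, common_name), encoding="utf-8") as fh:
            first_line = fh.readline()
    except OSError:
        return False  # no per-client file: refuse rather than fall open
    return check_credentials(first_line, username, password)


def main():
    env = os.environ
    ok = verify(CCD_DIR, env.get("common_name", ""),
                env.get("username", ""), env.get("password", ""))
    sys.exit(0 if ok else 1)  # exit 0 accepts the client, non-zero rejects it


if __name__ == "__main__":
    main()
```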
Server configuration
/etc/openvpn/server/server.conf
mode server
data-ciphers AES-256-GCM:AES-128-GCM
data-ciphers-fallback AES-256-CBC
comp-lzo no
script-security 3
auth-user-pass-verify /usr/local/bin/ovpnenv via-env
tls-server
tls-auth /etc/openvpn/easy-rsa/pki/private/easyrsa-tls.key 0
tls-version-min 1.0
proto tcp-server
local X.X.X.X
port XXX
dev tun0
topology subnet
ifconfig X.X.X.X 255.255.255.0
client-config-dir /etc/openvpn/client
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/run/openvpn/server.log
verb 3
remote-cert-tls client
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
/etc/openvpn/client/vpn
#username:password
ifconfig-push X.X.X.X 255.255.255.0
Exec
/usr/sbin/openvpn --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/server --config server.conf
Client configuration
/etc/openvpn/client/vpn.conf
The connection certificates can be found in the easy-rsa pki/inline directory, ready to paste into the profile.
client
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-CBC
comp-lzo no
auth-user-pass /etc/openvpn/client/passwd
dev tun0
proto tcp
remote X.X.X.X XXX
nobind
persist-key
persist-tun
verb 1
remote-cert-tls server
tls-version-min 1.0
key-direction 1
route-nopull
route X.X.X.X X.X.X.X X.X.X.X 50
status /var/run/openvpn/vpn.log
<ca>
...
</ca>
<tls-auth>
...
</tls-auth>
<cert>
...
</cert>
<key>
...
</key>
/etc/openvpn/client/passwd
username
password
Exec
/usr/sbin/openvpn --auth-nocache --writepid /var/run/openvpn/vpn.pid --cd /etc/openvpn/client --config vpn.conf

