Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
tools:ovpn [2022/08/12 11:03] – darron | tools:ovpn [2022/08/28 12:59] (current) – [OpenVPN] darron | ||
---|---|---|---|
Line 4: | Line 4: | ||
authentication. | authentication. | ||
- | Work-in-progress :- Documentation based on working system built with easyrsa from 2014. Current version (2022) is completely different. | + | TBC |
- | TODO: Use this guide instead of trying to work it out: | ||
- | https:// | ||
===Install=== | ===Install=== | ||
Line 21: | Line 19: | ||
</ | </ | ||
- | ===Setup=== | + | ===Certificate Store=== |
==Init== | ==Init== | ||
- | Create the certificate | + | Create the certificate |
< | < | ||
Line 50: | Line 48: | ||
The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan. | The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan. | ||
- | Eg. | ||
< | < | ||
set_var EASYRSA_CA_EXPIRE | set_var EASYRSA_CA_EXPIRE | ||
Line 56: | Line 53: | ||
</ | </ | ||
+ | / | ||
+ | |||
+ | Change the default Common Name (CN) (doesn' | ||
+ | |||
+ | < | ||
+ | EASYRSA_REQ_CN=" | ||
+ | </ | ||
+ | |||
+ | **************************************************************************/ | ||
==Create Certificate Authority== | ==Create Certificate Authority== | ||
Line 65: | Line 71: | ||
Enter New CA Key Passphrase: | Enter New CA Key Passphrase: | ||
... | ... | ||
- | Common Name (eg: your user, host, or server name) [Easy-RSA CA]:OVPN | + | Common Name (eg: your user, host, or server name) [Easy-RSA CA]: |
CA creation complete and you may now import and sign cert requests. | CA creation complete and you may now import and sign cert requests. | ||
Line 90: | Line 96: | ||
==Create TA Certificate== | ==Create TA Certificate== | ||
+ | |||
+ | Shared secret key. | ||
< | < | ||
openvpn --genkey secret pki/ta.key | openvpn --genkey secret pki/ta.key | ||
</ | </ | ||
+ | |||
+ | Example configuration on server. | ||
+ | |||
+ | < | ||
+ | tls-server | ||
+ | tls-auth ta.key 0 | ||
+ | </ | ||
+ | |||
+ | On the client, the shared secret may be inline in the connection profile. | ||
==Create Client Certificate== | ==Create Client Certificate== | ||
< | < | ||
+ | ./easyrsa --vars=./ | ||
+ | </ | ||
+ | |||
+ | ==Bundle Client Certificate== | ||
+ | |||
+ | < | ||
+ | openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass: | ||
+ | </ | ||
+ | |||
+ | ==Unbundle Client Certificate== | ||
+ | |||
+ | < | ||
+ | openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass: | ||
+ | openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass: | ||
+ | openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass: | ||
</ | </ | ||