Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
tools:ovpn [2022/08/12 11:03] darrontools:ovpn [2022/08/28 12:59] (current) – [OpenVPN] darron
Line 4: Line 4:
 authentication. authentication.
  
-Work-in-progress :- Documentation based on working system built with easyrsa from 2014. Current version (2022) is completely different.+TBC
  
-TODO: Use this guide instead of trying to work it out: 
-https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto 
 ===Install=== ===Install===
  
Line 21: Line 19:
 </code> </code>
  
-===Setup===+===Certificate Store===
  
 ==Init== ==Init==
  
-Create the certificate store and intialise it.+Create the certificate folder and intialise it.
  
 <code> <code>
Line 50: Line 48:
 The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan. The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.
  
-Eg. 
 <code> <code>
 set_var EASYRSA_CA_EXPIRE   3650 set_var EASYRSA_CA_EXPIRE   3650
Line 56: Line 53:
 </code> </code>
  
 +/**************************************************************************
 +
 +Change the default Common Name (CN) (doesn't work)
 +
 +<code>
 +EASYRSA_REQ_CN="OpenVPN"
 +</code>
 +
 +**************************************************************************/
  
 ==Create Certificate Authority== ==Create Certificate Authority==
Line 65: Line 71:
 Enter New CA Key Passphrase: Enter New CA Key Passphrase:
 ... ...
-Common Name (eg: your user, host, or server name) [Easy-RSA CA]:OVPN+Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
  
 CA creation complete and you may now import and sign cert requests. CA creation complete and you may now import and sign cert requests.
Line 90: Line 96:
  
 ==Create TA Certificate== ==Create TA Certificate==
 +
 +Shared secret key.
  
 <code> <code>
 openvpn --genkey secret pki/ta.key openvpn --genkey secret pki/ta.key
 </code> </code>
 +
 +Example configuration on server.
 +
 +<code>
 +tls-server
 +tls-auth ta.key 0
 +</code>
 +
 +On the client, the shared secret may be inline in the connection profile.
  
 ==Create Client Certificate== ==Create Client Certificate==
  
 <code> <code>
 +./easyrsa --vars=./vars build-client-full vpn nopass
 +</code>
 +
 +==Bundle Client Certificate==
 +
 +<code>
 +openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
 +</code>
 +
 +==Unbundle Client Certificate==
 +
 +<code>
 +openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
 +openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
 +openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass:
 </code> </code>