Differences

This shows you the differences between two versions of the page.

tools:ovpn [2022/08/12 11:07] darrontools:ovpn [2022/08/28 12:59] (current) – [OpenVPN] darron
Line 4: Line 4:
 authentication. authentication.
  
-Work-in-progress :- Documentation based on working system built with easyrsa from 2014. Current version (2022) is completely different.+TBC
  
-TODO: Use this guide instead of trying to work it out: 
-https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto 
 ===Install=== ===Install===
  
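Review bot: replacing the work-in-progress note with just "TBC" and deleting the link to https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto removes the page's only pointer to the current (EasyRSA 3) procedure, and the bare "TBC" no longer tells a reader which easyrsa version the steps below were written against. Suggest keeping the link as a "See also" line and, once the steps have been checked against EasyRSA 3, replacing "TBC" with the version they were tested on.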
Line 21: Line 19:
 </code> </code>
  
-===Setup===+===Certificate Store===
  
 ==Init== ==Init==
  
-Create the certificate store and intialise it.+Create the certificate folder and intialise it.
  
 <code> <code>
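Review bot: the heading is renamed to ===Certificate Store=== while the sentence under ==Init== is changed from "certificate store" to "certificate folder", so the section title and its body now use different terms for the same thing; pick one. The misspelling "intialise" (should be "initialise") is present on both sides of the change and could be fixed in the same edit.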
Line 55: Line 53:
 </code> </code>
  
-Change the default Common Name (CN)+/************************************************************************** 
 + 
 +Change the default Common Name (CN) (doesn't work) 
 <code> <code>
 EASYRSA_REQ_CN="OpenVPN" EASYRSA_REQ_CN="OpenVPN"
 </code> </code>
 +
 +**************************************************************************/
  
 ==Create Certificate Authority== ==Create Certificate Authority==
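Review bot: the /**** ... ****/ lines are not DokuWiki comment syntax, so the "Change the default Common Name (CN) (doesn't work)" block will render as visible text with the asterisk rows around it; either delete the block or keep it as a normal paragraph that says why it does not work. As written, EASYRSA_REQ_CN="OpenVPN" is a plain shell assignment: without export it is not inherited by the ./easyrsa process, which alone would explain it having no effect. Since the later commands run with --vars=./vars, the supported place for this setting is that vars file, as set_var EASYRSA_REQ_CN "OpenVPN".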
Line 68: Line 71:
 Enter New CA Key Passphrase: Enter New CA Key Passphrase:
 ... ...
-Common Name (eg: your user, host, or server name) [Easy-RSA CA]:OVPN+Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
  
 CA creation complete and you may now import and sign cert requests. CA creation complete and you may now import and sign cert requests.
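Review bot: dropping "OVPN" from the end of the Common Name prompt leaves the transcript showing the prompt with no answer, so a reader cannot tell whether to press Enter and accept the default [Easy-RSA CA] or type a name of their own; add one sentence saying which is intended, since the value entered here becomes the CA's subject name and is what appears as the issuer on every certificate it signs.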
Line 93: Line 96:
  
 ==Create TA Certificate== ==Create TA Certificate==
 +
 +Shared secret key.
  
 <code> <code>
 openvpn --genkey secret pki/ta.key openvpn --genkey secret pki/ta.key
 </code> </code>
 +
 +Example configuration on server.
 +
 +<code>
 +tls-server
 +tls-auth ta.key 0
 +</code>
 +
 +On the client, the shared secret may be inline in the connection profile.
  
 ==Create Client Certificate== ==Create Client Certificate==
  
 <code> <code>
 +./easyrsa --vars=./vars build-client-full vpn nopass
 +</code>
 +
 +==Bundle Client Certificate==
 +
 +<code>
 +openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
 +</code>
 +
 +==Unbundle Client Certificate==
 +
 +<code>
 +openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass:
 +openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass:
 +openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass:
 </code> </code>
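Review bot: the bundle step exports the client's private key into vpn.p12 with an empty password (-passout pass:), and the same key is generated with nopass and later extracted with -nodes, so every copy of the client material in this hunk is unencrypted at rest; if the .p12 is the artefact handed to users, give it a real export password (or drop -passout pass: so openssl prompts for one) and say where the file may be kept. Two smaller points in the same hunk: "tls-auth ta.key 0" is shown for the server but the client must use the opposite key direction (tls-auth ta.key 1), which the sentence about inlining the secret in the connection profile should state; and the heading "==Create TA Certificate==" is misleading, because ta.key is a shared HMAC key rather than a certificate, as the "Shared secret key." line under it already says.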