This is an old revision of the document!
Table of Contents
OpenVPN
OpenVPN server with client certificate and password authentication.
Install
sudo -s cd /root apt update apt upgrade apt install openvpn easy-rsa rehash /etc/init.d/openvpn stop update-rc.d openvpn disable
Certificate Store
Init
Create the certificate folder and intialise it.
make-cadir easy-rsa cd easy-rsa ./easyrsa init-pki hard-reset init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /root/ovpn/pki
Edit the `vars' file changing organisational data.
Eg.
set_var EASYRSA_REQ_COUNTRY "GB" set_var EASYRSA_REQ_PROVINCE "England" set_var EASYRSA_REQ_CITY "London" set_var EASYRSA_REQ_ORG "OVPN" set_var EASYRSA_REQ_EMAIL "root@example.com" set_var EASYRSA_REQ_OU "CA"
The CA expiry date defaults to 10 years (3650 days) and certificates to 825 days. Change this to your preferred timespan.
set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 3650
Create Certificate Authority
Create a CA for managing certificates. Choose a secret passphrase.
./easyrsa --vars=./vars build-ca Enter New CA Key Passphrase: ... Common Name (eg: your user, host, or server name) [Easy-RSA CA]: CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /root/ovpn/pki/ca.crt
Create Server Certificate
The server certificate will be utilised by the OpenVPN daemon, sign it with the CA passphrase.
./easyrsa --vars=./vars build-server-full server nopass Enter pass phrase for /root/ovpn/pki/private/ca.key: ...
Create DH Certificate
./easyrsa --vars=./vars gen-dh
Create TA Certificate
Shared secret key.
openvpn --genkey secret pki/ta.key
Example configuration on server.
tls-server tls-auth ta.key 0
On the client, the shared secret may be inline in the connection profile.
Create Client Certificate
./easyrsa --vars=./vars build-client-full vpn nopass
Bundle Client Certificate
openssl pkcs12 -export -inkey vpn.key -in vpn.crt -certfile ca.crt -out vpn.p12 -passout pass:
Unbundle Client Certificate
openssl pkcs12 -in vpn.p12 -nocerts -out vpn.key -nodes -passin pass: openssl pkcs12 -in vpn.p12 -nokeys -clcerts -out vpn.crt -passin pass: openssl pkcs12 -in vpn.p12 -nokeys -cacerts -out ca.crt -passin pass: