OpenVPN
From wiki
I like OpenVPN, and have many openVPN 'clients' to my box, they are typically .za GPRS users who want to minimilise their traffic, or other people preferring to use my SMTP server or just to make sure it gets not sent in plaintext (: I also have various WRT54G's running dd-wrt which OpenVPN through to me, such as family's ADSL's in South Africa who's LAN's I want to see, etc.
My current config is using the debian Openvpn v1 standard of one-client-one-port with a pre-shared certificate per client, one of the major reasons for this document is to switch to a standarised set of ports with own-made-CA signed certificates.
This page has been written with huge help from here and here, I suggest you read there for more information.
Main obstacles with this work in progress document:
- A config for this
- Sort out the CERTS
- Run in parralel with current config
- Make it work in dd-wrt
- Unshaped udp port to use in .za?
Contents |
CA Process
To start your own OpenVPN server with various clients all over, it's a good idea to start your own CA (if you don't have one already) this will make you authoritive to sign certificate signing requests (csr) against your OpenVPN daemon. I already have a CA of my own but in this case I have a seperate CA (not a chain) for certificates, this guide can propably be used as a CA HOWTO as well - you would just fill in more fields....
Creating Your own CA
A Certificate Authority should be on a machine that's secure, difficult to get to and only under your own control, your CA's private keys are stored on this machine and if a hacker has access to these they can sign their own certificates which will of course give them access to things you do not want them to (:
My CA lives under /root/CA-openvpn below that we have 'certs' 'private' 'crl' 'newcerts' directories.
openvpn.cnf
Openssl uses config files for each CA, mine is called openvpn.cnf, it does not contain any real information but URL's put in the certificates and where to put it's files, I'll put a example of mine up in a few years.
Generating the CA key
Let's generate the key:
hydra:~/CA-openvpn# openssl genrsa -aes256 -out private/openvpn-cakey.pem 2048 Generating RSA private key, 2048 bit long modulus .+++ ...................................................................+++ e is 65537 (0x10001) Enter pass phrase for private/openvpn-cakey.pem: Verifying - Enter pass phrase for private/openvpn-cakey.pem: hydra:~/CA-openvpn#
The passphrase is the phrase you will type when signing certificates, you should of course remember this.
Making the CA Certificate
Since we have the CA's Private key now, it's time to make a certificate! I suggest you modify the -days option to a useable amount of days before you renew this.
hydra:~/CA-openvpn# openssl req -config openvpn.cnf -new -x509 -days 1825 -key private/openvpn-cakey.pem -out openvpn-ca.pem Enter pass phrase for private/openvpn-cakey.pem: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [UK]: State or Province Name (full name) [Western Cape]:London Locality Name (eg, city) [Cape Town]:London Organization Name (eg, company) [CompanyName]: Organizational Unit Name (eg, section) [ITU]: Common Name (eg, YOUR name) []:zaphod.lagged.za.net Email Address []: hydra:~/CA-openvpn#
It's a good idea to touch a index file now:
hydra:~/CA-openvpn# touch index.txt
Openvpn CSR
To make key pairs for the server and clients we first need to make a Certificate Signing Request (CSR). This can be done in one step:
hydra:~/CA-openvpn# openssl req -config openvpn.cnf -new -newkey rsa:1024 -out c erts/openvpnservercsr.pem -nodes -keyout private/openvpnserverkey.pem -days 9999 9 Generating a 1024 bit RSA private key ..........................................................................++++++ ............................++++++ writing new private key to 'private/openvpnserverkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [UK]: State or Province Name (full name) [Western Cape]: Locality Name (eg, city) [Cape Town]: Organization Name (eg, company) [CompanyName]: Organizational Unit Name (eg, section) [ITU]: Common Name (eg, YOUR name) []:zaphod.lagged.za.net Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: hydra:~/CA-openvpn#
Do not enter a challege password or company name!
Making the Server Certificate
Now we're able to make the server certificate:
First make a serial file for your CA:
hydra:~/CA-openvpn# echo 01 > openvpn-ca.srl
Now let's do the server cert:
hydra:~/CA-openvpn# openssl x509 -req -in certs/openvpnservercsr.pem -out certs/openvpnservercert.pem -CA openvpn-ca.pem -CAkey private/openvpn-cakey.pem Signature ok subject=/C=UK/ST=Western Cape/L=Cape Town/O=CompanyName/OU=ITU/CN=zaphod.lagged.za.net Getting CA Private Key Enter pass phrase for private/openvpn-cakey.pem: hydra:~/CA-openvpn#
OpenVPN Daemon CA Files
Ok, so now we have our CA and we have to put all the files in place required for out OpenVPN box to use these. It's naturally confusing to try and figure out what's private and what's meant for public with the amount of files created, so I hope this helps:
We need 3 files from your CA to be copied to say /etc/openvpn/certs/
./openvpn-ca.pem ./certs/openvpnservercert.pem ./private/openvpnserverkey.pem
openvpn-ca.pem is the CA's public key, this is for OpenVPN to verify that the openvpnservercert was signed by the CA key. This CA information file is obviously public.
openvpnservercert.pem is the Certificate request, this plus the openvpn-ca.pem will create a checksum that will be validated against the private key, it's a good idea to keep this file from all eyes, although not crucial.
openvpnserverkey.pem is the Signed Certificate, this plus the openvpn-ca.pem will create a checksum that will be validated against openvpnservercert.pem to ensure authenticity, this is a SECRET file and should only be readable by Openvpn and nobody else.
OpenVPN Certificate Management
Your client wants to make a certificate request that asks for a trusted party (your OpenVPN CA) to sign to prove that they are a valid user of OpenVPN.
Client Certificate Signing Request
This is to be done by the client!
Replace the domain name (in my example it's 'test.lagged.za.net') and -days with the number of days you want your certificate to be valid for, you just need OpenSSL installed.
fbotha@blah:/tmp$ openssl req -newkey rsa:1024 -out test.lagged.za.net.pem -nodes -keyout test.lagged.za.net-key.pem -days 99999999 Generating a 1024 bit RSA private key ...........++++++ ..............................................................................++++++ writing new private key to 'test.lagged.za.net-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:UK State or Province Name (full name) [Some-State]:Kent Locality Name (eg, city) []:London Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:test.lagged.za.net Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: fbotha@blah:/tmp$ fbotha@blah:/tmp$ ls -al test.lagged.za.net* -rw-r--r-- 1 fbotha fbotha 887 2007-06-22 19:55 test.lagged.za.net-key.pem -rw-r--r-- 1 fbotha fbotha 660 2007-06-22 19:55 test.lagged.za.net.pem fbotha@blah:/tmp$
No challenge password or company name please. The Comman name must be your uniqe domain name, test.lagged.za.net for example.
The client must then, as root, make a certs directory and copy their private key in there, and obviously change it's permissions to be only visible by root, for example:
root@blah:/tmp# mkdir /etc/openvpn/keys root@blah:/tmp# chown root:root test.lagged.za.net-key.pem root@blah:/tmp# chmod 600 test.lagged.za.net-key.pem root@blah:/tmp# mv test.lagged.za.net-key.pem /etc/openvpn/keys/ root@blah:/tmp# mv test.lagged.za.net.pem /etc/openvpn/keys/
Now, get test.lagged.za.net.pem to your CA (FB) - this is a CSR that needs to be signed.
Client Certificate Signing BY THE CA
This MUST be done by the CA (FB)
In this case, we received a test.lagged.za.net.pem from the client, I've put it in /root/CA-openvpn/newcerts/
Now sign it:
In short: name=test.lagged.za.net openssl x509 -req -in newcerts/$name.pem -days 5475 \ -out certs/$name-crt.pem -CA openvpn-ca.pem -CAkey private/openvpn-cakey.pem To be complete: hydra:~/CA-openvpn# openssl x509 -req -in newcerts/test.lagged.za.net.pem -days 5475 -out certs/test.lagged.za.net-crt.pem -CA openvpn-ca.pem -CAkey private/openvpn-cakey.pem Signature ok subject=/C=UK/ST=Kent/L=London/O=Internet Widgits Pty Ltd/CN=test.lagged.za.net Getting CA Private Key Enter pass phrase for private/openvpn-cakey.pem: hydra:~/CA-openvpn# ls -al certs/test.lagged.za.net-crt.pem -rw-r--r-- 1 root root 1058 2007-06-22 20:00 certs/test.lagged.za.net-crt.pem hydra:~/CA-openvpn#
You can now, SECURELY transfer certs/test.lagged.za.net-crt.pem to the client.
Client Certificate Installation by Client
To be done by the client!
Receive test.lagged.za.net-crt.pem from the CA, now shove it in /etc/openvpn/keys/ make 100% sure this file is not readable by anyone else.
You should end up with:
root@blah:/tmp# ls -al /etc/openvpn/keys/ total 20 drwxr-xr-x 2 root root 4096 2007-06-22 20:06 . drwxr-xr-x 3 root root 4096 2007-06-22 19:57 .. -rw------- 1 root root 1058 2007-06-22 20:06 test.lagged.za.net-crt.pem -rw------- 1 root root 887 2007-06-22 19:55 test.lagged.za.net-key.pem -rw------- 1 root root 660 2007-06-22 19:55 test.lagged.za.net.pem root@blah:/tmp#
test.lagged.za.net-crt.pem = Signed by CA cert
test.lagged.za.net-key.pem = Private Key from you Certificate Request
test.lagged.za.net.pem = Original Certificate Request
CA Certificate Installation on the Server
To be done by the Server Admin of the CA/Openpvn box:
Copy from the CA machine the following files, you'll notice it's much the same to the above client certs, except - of courese - your own signed certs:
./openvpn-ca.pem ./certs/openvpnservercert.pem ./private/openvpnserverkey.pem
Put these in your /etc/openvpn/keys
Now, create a Diffie-Helman 1024 parameter in /etc/openvpn/keys:
root@zaphod:/etc/openvpn/certs# openssl dhparam -out dh1024.pem 1024 Generating DH parameters, 1024 bit long safe prime, generator 2 This is going to take a long time ..............................................................................++*++*++* root@zaphod:/etc/openvpn/certs#
Lastly, create the TLS key, this is used in handshaking:
Also need this:
root@zaphod:/etc/openvpn/certs# openvpn --genkey --secret ta.key
Make sure all files are secure and owned properly and this should be it:
root@zaphod:/etc/openvpn/certs# chown root:root * ; chmod 600 * ; ls -al total 28 drwxr-xr-x 2 root root 4096 2007-06-22 20:21 . drwxr-xr-x 5 root root 4096 2007-06-22 19:04 .. -rw------- 1 root root 245 2007-06-22 20:20 dh1024.pem -rw------- 1 root root 2321 2007-06-22 20:18 openvpn-ca.pem -rw------- 1 root root 1070 2007-06-22 20:18 openvpnservercert.pem -rw------- 1 root root 887 2007-06-22 20:18 openvpnserverkey.pem -rw------- 1 root root 636 2007-06-22 20:21 ta.key root@zaphod:/etc/openvpn/certs#
OpenVPN Server Configuration
Make a /etc/openvpn/openvpn.conf and put this in it:
dev tun proto udp tls-server tls-auth /etc/openvpn/certs/ta.key 0 ca /etc/openvpn/certs/openvpn-ca.pem cert /etc/openvpn/certs/openvpnservercert.pem key /etc/openvpn/certs/openvpnserverkey.pem dh /etc/openvpn/certs/dh1024.pem server 192.168.100.0 255.255.255.0 proto udp port 1193 user nobody group nogroup client-to-client client-config-dir /etc/openvpn/ccd ping 15 verb 3 comp-lzo log-append /var/log/openvpn/openvpn.log status /var/log/openvpn/openvpn.log persist-tun
In this example, we tell it that connections will come via udp on port 1193, the daemon will run as nobody:nogroup, keep-alive checks will be done every 15 seconds, tls handshaking will be done, and all clients that connect's config will be run from /etc/openvpn/ccd/<common_name_in_cert>, the server runs on 192.168.100.0 and will dish out /24 IP's.
So I made a /etc/openvpn/ccd/test.lagged.za.net (as per example) and it contains:
root@zaphod:/etc/openvpn/ccd# cat test.lagged.za.net #ifconfig-push clientIP serverIP ifconfig-push 192.168.100.16 192.168.100.1
Naturally - other config options can also be put in this file.
OpenVPN Client Configuration
This is reversed from the server config, we basically tell it which protocol to talk on and which port, the rest is magic!
in /etc/openvpn/anything.conf put:
root@blah:/etc/openvpn# cat client.conf dev tun tls-client # 1 below means "client" tls-auth keys/ta.key 1 #ca keys/ca.crt #cert keys/client1.crt #key keys/client1.key ca keys/openvpn-ca.pem cert keys/client1cert.pem key keys/client1key.pem # Our OpenVPN peer remote zaphod.lagged.za.net pull port 1193 user nobody group nogroup comp-lzo ; ping 15 ; ping-restart 45 ; ping-timer-rem ;persist-tun ;persist-key verb 3 log-append /var/log/openvpn/openvpn.log status /var/log/openvpn/status.log
It's now a good idea to copy all that you can from the VPN server's /etc/openvpn/keys/ directory (openvpn-ca.pem etc as referenced in the config file).
