OpenVPN custom certificates
The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. Keep in mind that when new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.
All commands are issued from the CLI as the root user unless noted otherwise.
Install easyrsa (The latest installations of OpenVPN do not include it.)
dnf install easy-rsa
Create a directory for working with Easy-RSA in which you will store Server keys and Certificate files.
Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.
cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa
Navigate to /etc/openvpn/easy-rsa directory and start new PKI.
cd /etc/openvpn/easy-rsa ./easyrsa init-pki
Build the CA certificate. This will prompt you for the encryption password and the server common name.
- Set the PEM password and write it down. You will be asked to confirm it. You will need it later.
- For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.
The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.
Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.)
This will generate the DH key and store as /etc/openvpn/easy-rsa/pki/dh.pem.
Generate a key and certificate file for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names for the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name. Be sure to use the same common name you used when creating the CA certificate.
./easyrsa build-server-full Amahi-Server-OpenVPN nopass
Generating Client Keys
You will repeat this process until you have created all of the client keys you wish to have on hand.
Generate a key and certificate file for the client. In the code below, we are assuming that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique.
Command for creating a client key and cert
./easyrsa build-client-full client1 nopass
You will be prompted to enter the pass phrase for the ca.cert you created earlier. Be sure to use that password.
Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. The revised command would look like this:
./easyrsa build-client-full client2 nopass
Repeat until all clients are created.
In case you need to invalidate a previously signed certificate, generate a revocation certificate.
This stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.
Generate TLS/SSL pre-shared authentication key
openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key
This stores the ta key under /etc/openvpn/easy-rsa/pki/ta.key
Putting the New Files In Place
Backup Default files
cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/
Copy files to the appropriate places. When asked if you want to overwrite the destination file, choose "y" for yes.
cp /ect/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt cp /ect/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt cp /ect/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key cp /ect/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/amahi/dh.pem
Create .ovpn files
There are scripts for doing this out there but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.)
client dev tun proto udp resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client1.crt key client1.key comp-lzo verb 3 auth-user-pass route-method exe route-delay 2
Be sure to create one .ovpn file for each client you create. In addition,the lines "cert client1.crt" and "key client1.key" refer to the key and client certificate for a client you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)
Restart OpenVPN service
systemctl restart firstname.lastname@example.org
Files Clients Need
Copy needed client files to an easy to access directory
mkdir [CHOSEN_LOCATION]/ovpn-clients cp /ect/openvpn/easy-rsa/pki/issued/* [CHOSEN_LOCATION]/ovpn-clients/ cp /ect/openvpn/easy-rsa/pki/private/* [CHOSEN_LOCATION]/ovpn-clients/ cp /ect/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/
Add your client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory.
VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password for the compressed file. This way, anyone wanting access to any keys or certifications will have to know that password. Once the compressed file is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the compressed file.
Setting Up Clients for Windows
Each client that you setup to use the HDAConnect3 GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work.
Be sure the HDAConnect GUI is not running.
Assuming we are setting up "Client1"
- Go to the C:\Program Files (x86)\HDAConnect\config directory
- Delete everything contained in that config directory.
- Paste the ca.cert file to C:\Program Files (x86)\HDAConnect\config
- Paste client1.ovpn, client1.key and client1.crt to C:\Program Files (x86)\HDAConnect\config
Start HDAConnect GUI and you should be ready to connect.
Client Key Encryption Option
One could change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.
Create a new working directory to house all the files necessary for the process.
Copy all the files needed to the new directory
cp /etc/openvpn/easy-rsa/pki/private/* /etc/openvpn/easy-rsa/ovpn3des/ cp /etc/openvpn/easy-rsa/pki/issued/* /etc/openvpn/easy-rsa/ovpn3des/ cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/ cp /etc/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/easy-rsa/ovpn3des/
Move to the working directory
This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase.
openssl rsa -in client1.key -des3 -out client1.3des.key
Repeat this command on each key you created.
The following link was used as a primary source for the bulk of this tutorial: