Changes

From Amahi Wiki
{{NeedsUpdate}}
The default [[OpenVPN]] install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. Keep in mind that when new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.
All commands are issued from the CLI as the root user unless noted otherwise.
<h2>Getting Started</h2>
Install easy-rsa (the latest installations of [[OpenVPN]] include it).
<pre>dnf install easy-rsa</pre>
Create a directory for working with Easy-RSA in which you will store the server keys and certificate files.
<pre>mkdir /etc/openvpn/easy-rsa</pre>
Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.
<pre>cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa</pre>
Navigate to the /etc/openvpn/easy-rsa directory and start a new PKI.
<pre>cd /etc/openvpn/easy-rsa
./easyrsa init-pki</pre>
Build the CA certificate. This command will prompt you for the encryption password and the server common name.
Suggestions:<ul><li>Set the PEM password and write it down. You will be asked to confirm it. You will need it later.</li><li>For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.</li></ul>
<pre>./easyrsa build-ca</pre>
The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.
Generate a Diffie-Hellman key file that can be used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.)
<pre>./easyrsa gen-dh</pre>
This will generate the DH key and store it as /etc/openvpn/easy-rsa/pki/dh.pem.
Generate a key and certificate file for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names for the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name. Be sure to use the same common name you used when creating the CA certificate.
<pre>./easyrsa build-server-full Amahi-Server-OpenVPN nopass</pre>
<h2>Generating Client Keys</h2>
You will repeat this process until you have created all of the client keys you wish to have on your server. Issue the commands below:
Generate a key and certificate file for the client. In the code below, we are assuming that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique.
Command for creating a client key and cert:<pre>./easyrsa build-client-full client1 nopass</pre>
You will be prompted to enter the pass phrase for the CA you created earlier. Be sure to use that password.
Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. Repeat until all clients are created.
*See "Client Key Encryption Option" below if you want a different encryption option for client keys.
<h2>Continuing On</h2>
In case you need to invalidate a previously signed certificate, generate a revocation certificate (CRL).
<pre>./easyrsa gen-crl</pre>
This command stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.
Generate the TLS/SSL shared authentication key:
<pre>openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key</pre>
This stores the shared authentication key under /etc/openvpn/easy-rsa/pki/ta.key.
<h2>Putting the New Files In Place</h2>
Backup the default files:<pre>mkdir /etc/openvpn/easy-rsa/amahi-backup
cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/</pre>
Copy the files to the appropriate places. When asked if you want to overwrite the destination file, choose "y" for yes.
<pre>cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt
cp /etc/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt
cp /etc/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/amahi/dh.pem</pre>
<h2>Create .ovpn files</h2>
There are scripts for doing this out there but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.)
<pre>client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
auth-user-pass
route-method exe
route-delay 2</pre>
Be sure to create one .ovpn file for each client you create. In addition, the lines "cert client1.crt" and "key client1.key" refer to the key and client certificate for a client you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)
Restart the OpenVPN service:<pre>systemctl restart openvpn@amahi.service</pre>
<h2>Files Clients Need</h2>
Copy the needed client files to an easy-to-access directory:<pre>mkdir [CHOSEN_LOCATION]/ovpn-clients
cp /etc/openvpn/easy-rsa/pki/issued/* [CHOSEN_LOCATION]/ovpn-clients/
cp /etc/openvpn/easy-rsa/pki/private/* [CHOSEN_LOCATION]/ovpn-clients/
cp /etc/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/</pre>Add your client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory. Note that pki/private/ also holds ca.key and the server key (Amahi-Server-OpenVPN.key); these must stay on the server, so remove them from the ovpn-clients directory before handing anything out, and give each client only its own .crt, .key and .ovpn plus ca.crt.
VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password for the compressed file. This way, anyone wanting access to any keys or certificates will have to know that password. Once the compressed file is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the compressed file.
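As an added example (not from the Amahi wiki or the HDAConnect project), the shell functions below write the client profile shown above for a given client name and stage only that client's files; they assume the Easy-RSA PKI at /etc/openvpn/easy-rsa/pki (overridable through the PKI variable) and the server certificate name Amahi-Server-OpenVPN used on this page, and go one step beyond the page by refusing to bundle ca.key or the server key.

```shell
#!/bin/sh
# Added example, not from the Amahi wiki: write the client profile shown
# above for one client and stage only that client's files for hand-off.
# Assumptions: Easy-RSA PKI at $PKI (default /etc/openvpn/easy-rsa/pki);
# server certificate named Amahi-Server-OpenVPN as on this page.
PKI="${PKI:-/etc/openvpn/easy-rsa/pki}"

# Print the page's profile verbatim (it carries no "remote" line), with the
# cert/key lines pointed at the given client name.
make_profile() {
  printf '%s\n' client 'dev tun' 'proto udp' 'resolv-retry infinite' \
    nobind persist-key persist-tun 'ca ca.crt' \
    "cert $1.crt" "key $1.key" comp-lzo 'verb 3' \
    auth-user-pass 'route-method exe' 'route-delay 2'
}

# Stage ca.crt, <name>.crt, <name>.key and <name>.ovpn under $2/ovpn-clients/<name>.
# Unlike "cp pki/private/*", this copies only the client's own key:
# pki/private/ also holds ca.key and the server key, which stay on the server.
# Returns 1 if the name is not a client or any input file is missing.
stage_client() {
  name="$1"; dest="$2/ovpn-clients/$1"
  case "$name" in
    ''|ca|Amahi-Server-OpenVPN) echo "refusing to stage '$name'" >&2; return 1 ;;
  esac
  for f in "$PKI/ca.crt" "$PKI/issued/$name.crt" "$PKI/private/$name.key"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  mkdir -p "$dest" || return 1
  cp "$PKI/ca.crt" "$PKI/issued/$name.crt" "$PKI/private/$name.key" "$dest/" || return 1
  chmod 600 "$dest/$name.key"
  make_profile "$name" > "$dest/$name.ovpn"
  # Final check: exactly one private key (the client's) left the PKI.
  [ "$(ls "$dest" | grep -c '\.key$')" -eq 1 ]
}
```

Run it as `stage_client client2 /root` to get /root/ovpn-clients/client2/ ready to zip with a password as described above.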
<h2>Setting Up Clients for Windows</h2>
Each client that you set up to use the HDAConnect GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work. Be sure the HDAConnect GUI is not running.
Assuming we are setting up "client1" in Windows:<ul><li>Go to the C:\Program Files (x86)\HDAConnect\config directory</li><li>Delete everything contained in that config directory.</li><li>Paste the ca.crt file to C:\Program Files (x86)\HDAConnect\config</li><li>Paste client1.ovpn, client1.key and client1.crt to C:\Program Files (x86)\HDAConnect\config</li></ul>
Start the HDAConnect GUI and you should be ready to connect.
<h2>Client Key Encryption Option</h2>
One could change the encryption method of the client keys to be used. We will be using triple DES in this tutorial, but you can use other encryption methods if you wish.
Create a new working directory to house all the files necessary for the process.<pre>mkdir /etc/openvpn/easy-rsa/ovpn3des</pre>
Copy all the files needed to the new directory:<pre>cp /etc/openvpn/easy-rsa/pki/private/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/issued/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/easy-rsa/ovpn3des/</pre>
Move to the working directory:<pre>cd /etc/openvpn/easy-rsa/ovpn3des</pre>
This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase; use whatever you wish here, but do not leave it blank.<pre>openssl rsa -in client1.key -des3 -out client1.3des.key</pre>Repeat this command on each key you created.
And that is it. You have now got everything you need to connect multiple clients to your VPN.
<h2>Citations</h2>
The following link was used as a primary source for the bulk of this tutorial:
[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]
 
Update to this wiki taken from [https://ravenhawktech.com/ ravenhawktech.com]:
[https://ravenhawktech.com/index.php/2020/12/18/openvpn-install-on-fedora-server/ OpenVPN install on Fedora server]
[https://ravenhawktech.com/index.php/2021/01/27/openvpn-install-on-fedora-server-part-2/ OpenVPN install on Fedora server, part 2]