Difference between revisions of "OpenVPN custom certificates"
Revision as of 20:39, 6 November 2014
The default OpenVPN install for Amahi will work with the certificates provided on the wiki, but there are two reasons you may not want to use them. One, only one client can be connected to the VPN at a time with those certificates: OpenVPN refuses a second connection that presents the same Common Name unless duplicate-cn is set. Two, a certificate shared by every device cannot be revoked for one lost or compromised device without re-issuing it for all the others, which is why security best practice is one certificate per device. Follow the instructions below to reconfigure your OpenVPN instance to use a separate certificate for each client. All commands are issued from the CLI as the root user unless noted otherwise.
Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Step 2: Navigate to the directory you just copied
cd /etc/openvpn/easy-rsa
Step 3: Backup, then modify the variables in the vars file
cp vars vars.backup
This creates a backup of the original file
nano vars
This is the command we will use to modify the variables in the vars file
The primary variable we are looking for is (ctrl+w to search):
export EASY_RSA="`pwd`"
You want to change this variable to this:
export EASY_RSA="/etc/openvpn/easy-rsa"
The scripts find their OpenSSL config, the keys directory and each other through this variable; with the literal path, vars gives the same result wherever you source it from.
OPTIONAL
You can also change the RSA key size in this file. The variable you are looking for is:
export KEY_SIZE=1024
Set this to 2048: 1024-bit RSA is too short by current standards. KEY_SIZE governs the CA, server and client keys and the size of the Diffie-Hellman parameters built in step 7, so build-dh will take noticeably longer. It does not reduce throughput over the VPN: the larger key only adds a little work to the TLS handshake when a client connects, while the tunnel traffic itself is protected by the symmetric data-channel cipher.
Step 4: The next step here is to build your new CA on your server. Issue the commands below:
First, be sure you are still in the /etc/openvpn/easy-rsa directory. The pwd command displays the directory you are currently working in. If it shows anything other than /etc/openvpn/easy-rsa, issue the following command:
cd /etc/openvpn/easy-rsa
Now issue the following commands to build the new CA:
source ./vars
This loads the vars file you modified in step 3 into the current shell. The easy-rsa scripts read these variables from the environment, so if you open a new terminal later you must source ./vars again before running any of them.
./clean-all
This command removes everything in the keys subdirectory (/etc/openvpn/easy-rsa/keys) and recreates it empty. There is most likely nothing in it at this point; if there is, back it up first, because a wiped CA key cannot be recovered.
./build-ca
This command will build the CA. You will be asked various questions, note that you do not need to modify any of these values. You can just hit enter and it will use the default displayed values.
Step 5: We now build the keys for the server with the following commands.
./build-key-server [HDA NAME HERE (no brackets)]
You will again be asked many questions. The default values should all be OK; make sure the Common Name matches the HDA name you typed on the command line, since that is the name the server certificate is issued to.
When asked for a challenge password, leave it blank. This is an optional attribute of the signing request, not a pass phrase on the key; the server key is deliberately left unencrypted so the openvpn service can start without a prompt.
When asked to sign the certificate, type y.
When asked to commit, type y.
Step 6: Create certificates for each of your clients with the commands below:
./build-key-pass CLIENTNAME
Replace CLIENTNAME with whatever identifies this device for you (a user name, phone, laptop). It becomes the certificate's Common Name and the base name of the files written to keys/, so stick to letters, digits, dots, hyphens and underscores, and give every device its own name.
Enter a PEM password and confirm it. This pass phrase encrypts the client's private key on disk and is asked for on the client whenever it connects, so pick a real pass phrase rather than a throwaway one.
You will be asked many questions again. You can leave these at the default values or modify them if you wish.
When asked for a challenge password, leave this field blank.
When asked to sign the certificate, type y
REPEAT THIS STEP FOR EACH CLIENT
After you have created certs/keys for each of your clients, move on to the next step.
Step 6b: Make a triple-DES-encrypted copy of each client key. This tutorial uses triple DES to match the guide it is based on; openssl rsa accepts other ciphers (for example -aes256) if you prefer. Note that build-key-pass already protected the key with the PEM password from step 6, so this produces a second, separately encrypted copy rather than encrypting a plaintext key.
cd keys
This command moves us to the keys directory.
openssl rsa -in CLIENTNAME.key -des3 -out CLIENTNAME.3des.key
Use the name from step 6 for CLIENTNAME. The original key is left untouched. You will first be asked for the pass phrase of the existing key, then twice for a new pass phrase for the encrypted copy; use whatever you wish, but do not leave it blank.
REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6
Once you have created your 3des keys, move on to the next step.
Step 7: Build the Diffie-Hellman parameters for the server.
cd /etc/openvpn/easy-rsa/
This moves us back to the easy-rsa directory.
./build-dh
build-dh generates parameters of KEY_SIZE bits and writes them to keys/dh1024.pem or keys/dh2048.pem accordingly. At 1024 bits it finishes quickly; at 2048 bits it can take several minutes on a small server. openvpn.conf refers to this file with the dh directive.
Step 8: Generate the tls-auth HMAC key. With this key configured, the server silently drops any packet that does not carry a valid HMAC before it ever reaches the TLS code, which shuts out port scanning and DoS attempts from anyone who does not hold the key. Every client must be given the same ta.key.
openvpn --genkey --secret keys/ta.key
Please note that copying and pasting this command may cause formatting issues. The lines in the command need to be two hyphens back to back without spaces.
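The whole build from step 3 to step 8 as one script, given here as an added example; it is not part of the original page, of the Amahi package or of easy-rsa. It drives easy-rsa 2.0's pkitool directly (build-ca, build-key-server and build-key-pass are thin wrappers around it), so the certificate fields come from the KEY_* values in vars and the Common Name is always the name given on the command line. The name check, the KEY_SIZE override, the CA name, the openssl verify call and the final chmod are additions of this example; the easy-rsa path and the HDA and client names are whatever you pass in.

```shell
#!/bin/sh
# Added example: steps 3 to 8 as one script driving easy-rsa 2.0's pkitool
# (build-ca, build-key-server and build-key-pass are thin wrappers around it).
# Not part of the Amahi wiki page, the Amahi package or easy-rsa itself.

# Names become file names under keys/ and the certificate Common Name, so
# accept only a conservative character set and no leading dot.
valid_client_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# build_pki EASY_RSA_DIR SERVER_NAME CLIENT_NAME [CLIENT_NAME...]
# The build runs in a subshell: the caller's directory and environment are
# untouched and the first failing command aborts the whole run.
build_pki() {
    [ $# -ge 3 ] || { echo "usage: build_pki DIR SERVER CLIENT..." >&2; return 1; }
    dir=$1; server=$2; shift 2
    [ -f "$dir/vars" ] || { echo "no easy-rsa vars file in $dir" >&2; return 1; }
    for n in "$server" "$@"; do
        valid_client_name "$n" || { echo "refusing name: $n" >&2; return 1; }
    done
    (
        set -e
        cd "$dir"
        . ./vars                           # step 4: load the edited vars file
        export KEY_SIZE=2048               # optional part of step 3; vars hardcodes 1024
        ./clean-all                        # wipes keys/; back it up first if it is not empty
        KEY_CN="$server CA" ./pkitool --initca          # step 4: the CA (assumed CA name)
        KEY_CN="$server" ./pkitool --server "$server"   # step 5: server cert, CN = HDA name
        for c in "$@"; do
            KEY_CN="$c" ./pkitool --pass "$c"           # step 6: prompts for the PEM pass phrase
            # step 6b: second, triple-DES-encrypted copy of the (already encrypted) key
            openssl rsa -in "$KEY_DIR/$c.key" -des3 -out "$KEY_DIR/$c.3des.key"
            # checks: the cert chains to our CA, and the copy is really pass-phrase protected
            openssl verify -CAfile "$KEY_DIR/ca.crt" "$KEY_DIR/$c.crt"
            grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' \
                "$KEY_DIR/$c.3des.key"
        done
        ./build-dh                                      # step 7: keys/dh2048.pem
        openvpn --genkey --secret "$KEY_DIR/ta.key"     # step 8: tls-auth key
        chmod 600 "$KEY_DIR"/*.key                      # private material: owner-only
    )
}

# Usage: sh build-pki.sh --run /etc/openvpn/easy-rsa HDA-NAME CLIENT [CLIENT...]
if [ "${1:-}" = "--run" ]; then
    shift
    build_pki "$@"
fi
```

The only prompts left are the PEM pass phrases for the client keys (once from pkitool, then again from openssl rsa for the copy). A name containing a slash, space or leading dot is refused before anything is written, because it would otherwise end up both in a file path under keys/ and in the certificate.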
OK, now we are getting close to the home stretch.
Step 9: In this step we will backup then modify the openvpn.conf file.
cd /etc/openvpn
Change directory to the openvpn directory
cp openvpn.conf openvpn.conf.backup
This backs up the default config
nano openvpn.conf
You can use this config file (http://fpaste.org/136131/11574407/) as a template; change the indicated fields as necessary. At minimum, the ca, cert, key, dh and tls-auth directives must point at the files you just generated under /etc/openvpn/easy-rsa/keys. You will need to set up IP forwarding if you want to reach LAN devices and the internet through the VPN; that is covered elsewhere in the Amahi wiki.
Step 10: In this step we will create a template file for a script to create ovpn files.
Use this file (http://fpaste.org/136132/) as a template and name it Default.txt. It holds the client-side settings that are the same for every device; the script in step 11 adds each client's own certificate and key material to it to produce that client's .ovpn file.
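The server and client settings that tie into the files generated above, given here as an added example rather than the fpaste templates the page links (which are not reproduced). The VPN subnet, the public host name and the HDA name hda are assumptions; the file names are the ones the preceding steps create.

```conf
# /etc/openvpn/openvpn.conf (server side)
port 1194
proto udp
dev tun
# Files from /etc/openvpn/easy-rsa/keys; "hda" is the name given to build-key-server
ca   /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/hda.crt
key  /etc/openvpn/easy-rsa/keys/hda.key
# dh1024.pem if KEY_SIZE was left at 1024
dh   /etc/openvpn/easy-rsa/keys/dh2048.pem
# The ta.key from step 8; the server uses key direction 0, every client direction 1
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
# Assumed VPN subnet
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
# Drop privileges after start; Fedora has group "nobody", Debian/Ubuntu use "nogroup"
user nobody
group nobody
# Enable once a certificate has been revoked with ./revoke-full and keys/crl.pem exists
;crl-verify /etc/openvpn/easy-rsa/keys/crl.pem

# Default.txt (client side; the makeovpn step adds the per-client certificate and key material)
client
dev tun
proto udp
# Assumed public host name of the HDA
remote hda.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Accept only a peer whose certificate carries the server extension that
# build-key-server sets; without this, any client certificate from the same CA
# could be used to impersonate the server to the other clients
remote-cert-tls server
```

The remote-cert-tls line is the one most templates of this era leave out. All client certificates are signed by the same CA you just built, so without it a device holding any one of them could answer as the server and read another client's traffic.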
Step 11: In this step we will download a script to create your ovpn files for you.
cd /etc/openvpn/easy-rsa/keys
First we move to the keys directory
Download this script (https://gist.github.com/laurenorsini/10013430) to the keys directory and save it as makeovpn.sh. Read through it before running it: it comes from a third-party site and will run as root in the directory that holds your CA key.
Now we need to make the script executable
chmod +x makeovpn.sh
Step 12: Run the script downloaded in step 11 once for each client you created in step 6.
./makeovpn.sh
When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable. Before copying a profile to a device, open it and check that it contains the CA certificate, that client's certificate, that client's encrypted key (look for the Proc-Type: 4,ENCRYPTED header) and ta.key. A profile carrying an unencrypted key is a ready-to-use credential for anyone who gets hold of the file.
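As a worked stand-in for makeovpn.sh, here is an added example (not the gist linked above and not part of the Amahi page) that assembles one client profile from Default.txt and the files in keys/. It inlines only the PEM sections of the certificates, adds the key-direction line that an inline tls-auth key requires, and refuses to build a profile around a key that is not pass-phrase protected. The file names (CLIENT.crt, CLIENT.3des.key, ca.crt, ta.key, Default.txt) follow the steps above; Default.txt is assumed to hold plain client-side directives.

```shell
#!/bin/sh
# Added example: a stand-in for makeovpn.sh that builds one single-file client
# profile from Default.txt and the files in keys/. Not the gist linked above
# and not part of the Amahi page; file names follow the steps above.

# easy-rsa's .crt files carry a human-readable dump ahead of the PEM block;
# keep only the BEGIN/END section when inlining (works for keys as well).
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# True if a PEM private key is pass-phrase protected: either the traditional
# RSA header or the PKCS#8 form that OpenSSL 3's "openssl rsa" writes.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# make_ovpn KEYS_DIR CLIENT TEMPLATE OUTPUT
# Refuses to emit a profile around an unencrypted key: the .ovpn ends up on
# phones and laptops, and the pass phrase is all that stops a copied file
# from being a working credential.
make_ovpn() {
    keys=$1; client=$2; template=$3; out=$4
    for f in "$template" "$keys/ca.crt" "$keys/$client.crt" \
             "$keys/$client.3des.key" "$keys/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    key_is_encrypted "$keys/$client.3des.key" \
        || { echo "refusing: $client.3des.key is not pass-phrase protected" >&2; return 1; }
    {
        cat "$template"
        [ -z "$(tail -c 1 "$template")" ] || echo   # newline if the template lacks a final one
        echo '<ca>';   pem_only "$keys/ca.crt";           echo '</ca>'
        echo '<cert>'; pem_only "$keys/$client.crt";      echo '</cert>'
        echo '<key>';  pem_only "$keys/$client.3des.key"; echo '</key>'
        echo 'key-direction 1'        # the inline tls-auth key needs this; the server uses 0
        echo '<tls-auth>'; cat "$keys/ta.key"; echo '</tls-auth>'
    } > "$out" && chmod 600 "$out"
}

# Usage: sh makeovpn.sh CLIENT   (run from /etc/openvpn/easy-rsa/keys)
if [ -n "${1:-}" ]; then
    make_ovpn . "$1" ./Default.txt "./$1.ovpn" && echo "wrote $1.ovpn"
fi
```

The profile is written with mode 600 because it now contains the private key; copy it to the device over a channel you trust (scp, a USB stick), not by e-mail.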
And that is it; you now have everything you need to connect multiple clients to your VPN. Because every device has its own certificate, a lost or compromised device can be cut off individually: from /etc/openvpn/easy-rsa, with vars sourced, run ./revoke-full CLIENTNAME to add that certificate to keys/crl.pem (the "certificate revoked" error it prints at the end is the confirmation), and add crl-verify /etc/openvpn/easy-rsa/keys/crl.pem to openvpn.conf so the server checks the list on every connection.
The following link was used as a primary source for the bulk of this tutorial: Raspberry Pi VPN Tutorial (http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing)