OpenVPN custom certificates

From Amahi Wiki
Revision as of 20:39, 6 November 2014 by Arthur (talk | contribs)

The default OpenVPN install for Amahi will work with the certificates provided on the wiki; however, there are a couple of reasons you may not want to use them. First, you can only have one client connected to the VPN at a time with these certificates, and second, security best practice advises against sharing the same certificate across all devices. Follow the instructions below to reconfigure your OpenVPN instance to use a separate certificate for each client. All commands are issued from the CLI as the root user unless noted otherwise.

Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa

Step 2: Navigate to the directory you just copied

cd /etc/openvpn/easy-rsa

Step 3: Backup, then modify the variables in the vars file

cp vars vars.backup

This creates a backup of the original file

nano vars

This is the command we will use to modify the variables in the vars file

The primary variable we are looking for is (ctrl+w to search):

export EASY_RSA="`pwd`"

You want to change this variable to this:

export EASY_RSA="/etc/openvpn/easy-rsa"

OPTIONAL

You can also change the RSA key size in this file (the file calls it KEY_SIZE; it sets the strength of the CA, server and client keys). If you wish to do this, the variable you are looking for is:

export KEY_SIZE=1024

You can bump this number up to 2048 to increase security, however you may notice a decrease in speeds over the VPN if you do so. Note that 1024-bit RSA keys are no longer considered adequate, so 2048 is the value to use on a new setup despite the performance cost.

Step 4: The next step here is to build your new CA on your server. Issue the commands below:

First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you are currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:

cd /etc/openvpn/easy-rsa

Now issue the following commands to build the new CA:

source ./vars

This loads the variables from the vars file you modified in step 3 into the current shell session.

./clean-all

This command removes everything in the keys directory (/etc/openvpn/easy-rsa/keys). There is most likely nothing in it at this point (if there is, back it up!).

./build-ca

This command builds the CA. You will be asked various questions; you do not need to modify any of these values. You can just hit enter and it will use the default displayed values.

Step 5: We now build the keys for the server with the following commands.

./build-key-server [HDA NAME HERE (no brackets)]

You will again be asked many questions. Default values should all be OK. Ensure that the 'common name' lines up with the HDA name you typed previously.

When asked for a challenge password, leave it blank

When asked to sign the certificate, type y

When asked to commit, type y

Step 6: Create certificates for each of your clients with the commands below:

./build-key-pass UserName

Replace UserName with the client name, or whatever will identify this device for you. It becomes the certificate's common name and the base name of the files written to the keys directory (UserName.key and UserName.crt).

Enter a PEM pass phrase and confirm it. This can be whatever you want; it protects the client's private key on disk.

You will be asked many questions again. You can leave these at the default values or modify them if you wish.

When asked for a challenge password, leave this field blank.

When asked to sign the certificate, type y

REPEAT THIS STEP FOR EACH CLIENT

After you have created certs/keys for each of your clients, move on to the next step.
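As an added check that is not part of the wiki page or of easy-rsa, the following POSIX shell functions verify what steps 4 to 6 produced before any client material leaves the server: that each certificate is actually signed by the new CA, that the server certificate carries the server marker (extendedKeyUsage serverAuth / nsCertType server, which build-key-server sets and which clients pin with remote-cert-tls server or the older ns-cert-type server), that no client certificate carries that marker, and that the key size meets the 2048-bit minimum. The KEYS_DIR variable, the function names and the HDANAME/CLIENT arguments are my own; the file layout is the easy-rsa 2.0 one used above.

```shell
#!/bin/sh
# Added example (not from the Amahi wiki page or from easy-rsa): sanity checks
# on the CA, server and client certificates produced by build-ca,
# build-key-server and build-key-pass, before any client material is handed out.
# Assumption: the easy-rsa 2.0 layout used above, i.e. ca.crt, NAME.crt and
# NAME.key all live in KEYS_DIR (override KEYS_DIR to test elsewhere).
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"

# Return 0 if CERT is signed by the CA in CAFILE, non-zero otherwise.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the RSA key length in bits of the public key inside CERT (e.g. 2048).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Return 0 if CERT carries a server marker: extendedKeyUsage serverAuth (what
# clients pin with "remote-cert-tls server") or the older nsCertType server
# ("ns-cert-type server"). build-key-server sets both; build-key-pass sets neither.
cert_is_server() {
    openssl x509 -in "$1" -noout -text \
        | grep -Eq 'TLS Web Server Authentication|SSL Server'
}

# Check the certificate built with ./build-key-server NAME.
# Returns 0 only if it chains to ca.crt and carries the server marker;
# a key shorter than 2048 bits is reported as a warning.
check_server() {
    crt="$KEYS_DIR/$1.crt"; ok=0
    cert_chains_to_ca "$KEYS_DIR/ca.crt" "$crt" \
        || { echo "FAIL: $crt is not signed by $KEYS_DIR/ca.crt"; ok=1; }
    cert_is_server "$crt" \
        || { echo "FAIL: $crt has no server marker, so clients cannot pin it"; ok=1; }
    bits=$(cert_key_bits "$crt")
    [ "${bits:-0}" -ge 2048 ] \
        || echo "WARN: $crt uses a ${bits:-unknown}-bit key; 2048 is the modern minimum"
    return $ok
}

# Check a certificate built with ./build-key-pass NAME.
# Returns 0 only if it chains to ca.crt and does NOT carry the server marker
# (a client certificate with the marker could pass as the server).
check_client() {
    crt="$KEYS_DIR/$1.crt"; ok=0
    cert_chains_to_ca "$KEYS_DIR/ca.crt" "$crt" \
        || { echo "FAIL: $crt is not signed by $KEYS_DIR/ca.crt"; ok=1; }
    if cert_is_server "$crt"; then
        echo "FAIL: $crt carries the server marker; it must not be issued to a client"; ok=1
    fi
    return $ok
}

# Usage: sh check-certs.sh HDANAME CLIENT1 [CLIENT2 ...]
if [ $# -ge 2 ]; then
    check_server "$1"; shift
    for c in "$@"; do check_client "$c"; done
fi
```

Run it after step 6 as sh check-certs.sh HDANAME client1 client2; it only reads the certificates and needs the openssl command-line tool, which easy-rsa itself depends on.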

Step 7: The next step is to re-encrypt each client key with the encryption method the clients will use. We will be using triple DES (3DES) in this tutorial, but you can use other encryption methods if you wish (for example, pass -aes256 to openssl instead of -des3).

cd keys

This command moves us to the keys directory.

openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key

This command creates an encrypted copy of the key; the original key is not modified. You will first be asked for the PEM pass phrase you set in step 6 (to read the original key), then for a new pass phrase for the encrypted copy. Use whatever you wish here, but do not leave it blank.

REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6

Once you have created your 3des keys, move on to the next step.

Step 8: This step builds the Diffie-Hellman parameters for the server (written to keys/dh1024.pem or keys/dh2048.pem, matching KEY_SIZE).

cd /etc/openvpn/easy-rsa/

This moves us back to the easy-rsa directory.

./build-dh

Depending on your system specs this can take some time (2048-bit parameters take noticeably longer than 1024-bit), but it is typically pretty fast.

Step 9: Now we will generate an HMAC key (used by OpenVPN's tls-auth option) for DoS protection.

openvpn --genkey --secret keys/ta.key

Please note that copying and pasting this command may cause formatting issues. The dashes in the command need to be two hyphens back to back without spaces. On OpenVPN 2.5 and later the equivalent command is openvpn --genkey secret keys/ta.key; the older form still works but prints a deprecation warning.

OK, now we are getting close to the home stretch.

Step 10: In this step we will back up, then modify, the openvpn.conf file.

cd /etc/openvpn

Change directory to the openvpn directory

cp openvpn.conf openvpn.conf.backup

This backs up the default config

nano openvpn.conf

You can use this config file as a template. You will need to change the indicated fields as necessary. You will need to set up IP forwarding if you wish to browse LAN devices and the internet while on the VPN. This information can be found elsewhere in the Amahi wiki.

Step 11: In this step we will create a template file for a script to create ovpn files.

Use this file as a template. Name the file Default.txt

Step 12: In this step we will download a script to create your ovpn files for you.

cd /etc/openvpn/easy-rsa/keys

First we move to the keys directory

Download this script to the keys directory and call it makeovpn.sh

Now we need to make the script executable

chmod +x makeovpn.sh

Step 13: Run the script downloaded in step 12 for each client you created in step 6.

./makeovpn.sh

When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable.
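The script the page links to is not reproduced here. As an added example of my own (not the wiki's makeovpn.sh), the following shell script does the same job: it assembles one inline .ovpn profile per client from Default.txt, ca.crt, the client certificate, the 3DES-encrypted client key and ta.key, embedding only the PEM blocks (easy-rsa's .crt files also contain a human-readable dump that is not needed in the profile) and refusing to embed a key that is not pass-phrase protected. Assumptions, all mine: Default.txt sits in the keys directory and contains the client directives but no inline blocks; files follow the NAME.crt / NAME.3des.key naming used above; the tls-auth key direction is 1 on the client side, matching a server configured with key-direction 0.

```shell
#!/bin/sh
# Added example, not the script the wiki links to: assemble an inline .ovpn
# profile for one client from the Default.txt template plus the CA cert, the
# client cert, the 3DES-encrypted client key and the tls-auth key.
# Assumes the easy-rsa 2.0 layout used above (all files in KEYS_DIR) and that
# Default.txt holds the client directives (client, dev tun, remote ..., etc.)
# but none of the inline <ca>/<cert>/<key>/<tls-auth> blocks.
KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/keys}"
TEMPLATE="${TEMPLATE:-$KEYS_DIR/Default.txt}"

# Return 0 if FILE is a pass-phrase-protected PEM private key (what
# "openssl rsa -des3" produces), 1 if it is stored in the clear.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Print only the PEM block of FILE (from the BEGIN line to the END line);
# easy-rsa's .crt files also carry a text dump above the block.
pem_body() {
    sed -n '/-----BEGIN/,/-----END/p' "$1"
}

# Write KEYS_DIR/NAME.ovpn and print its path. Returns 1 and writes nothing
# if an input file is missing or the client key is not encrypted.
make_ovpn() {
    name="$1"
    ca="$KEYS_DIR/ca.crt"; crt="$KEYS_DIR/$name.crt"
    key="$KEYS_DIR/$name.3des.key"; ta="$KEYS_DIR/ta.key"
    out="$KEYS_DIR/$name.ovpn"
    for f in "$TEMPLATE" "$ca" "$crt" "$key" "$ta"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    key_is_encrypted "$key" \
        || { echo "refusing to embed unencrypted key $key" >&2; return 1; }
    {
        cat "$TEMPLATE"
        echo "<ca>";       pem_body "$ca";  echo "</ca>"
        echo "<cert>";     pem_body "$crt"; echo "</cert>"
        echo "<key>";      pem_body "$key"; echo "</key>"
        # tls-auth is directional: the server uses key-direction 0, clients 1
        echo "key-direction 1"
        echo "<tls-auth>"; pem_body "$ta";  echo "</tls-auth>"
    } > "$out"
    chmod 600 "$out"   # the profile now contains a private key
    echo "$out"
}

# Usage: sh makeovpn.sh CLIENTNAME
if [ -n "$1" ]; then
    make_ovpn "$1"
fi
```

Copy the resulting NAME.ovpn to the client over a trusted channel only; it contains the encrypted private key, and the pass phrase set in the 3DES step is what the client will be asked for on connect.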

And that is it. You now have everything you need to connect multiple clients to your VPN.

The following link was used as a primary source for the bulk of this tutorial:

Raspberry Pi VPN Tutorial