From Amahi Wiki
6,420 bytes added, 01:21, 6 November 2014
= Generating your own certificates in OpenVPN for Amahi =
 
The default OpenVPN install for Amahi works with the certificates provided on the wiki, but there are two reasons you may not want to use them. First, with those certificates only one client can be connected to the VPN at a time, and second, security best practice advises against sharing the same certificate across all devices. Follow the instructions below to reconfigure your OpenVPN instance to use a separate certificate for each client. All commands are issued from the CLI as the root user unless noted otherwise.
 
Step 1: Copy the necessary easy-rsa files to the openvpn directory in /etc
 
<pre>cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa</pre>
 
Step 2: Navigate to the directory you just copied
 
<pre>cd /etc/openvpn/easy-rsa</pre>
 
Step 3: Backup, then modify the variables in the vars file
 
<pre>cp vars vars.backup</pre>
 
This creates a backup of the original file.
 
<pre>nano vars</pre>
 
This is the command we will use to modify the variables in the vars file.

The primary variable we are looking for is (ctrl+w to search):
 
<pre>export EASY_RSA="`pwd`"</pre>
 
You want to change this variable to this:
 
<pre>export EASY_RSA="/etc/openvpn/easy-rsa"</pre>
 
OPTIONAL
 
You can also change the RSA key size in this file. If you wish to do this, the variable you are looking for is:
 
<pre>export KEY_SIZE=1024</pre>
 
You can raise this number to 2048 to increase security; however, you may notice a decrease in speed over the VPN if you do so.
 
Step 4: The next step is to build your new CA on your server. Issue the commands below:

First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you are currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:
 
<pre>cd /etc/openvpn/easy-rsa</pre>
 
Now issue the following commands to build the new CA:
 
<pre>source ./vars</pre>
 
This command loads the vars file you modified in step 3.
 
<pre>./clean-all</pre>
 
This command removes everything in the keys directory. There is most likely nothing in the directory at this point (if there is, back it up first!).
 
<pre>./build-ca</pre>
 
This command builds the CA. You will be asked various questions; you do not need to modify any of these values, just press enter to accept the default shown for each.
 
Step 5: We now build the keys for the server with the following commands.
 
<pre>./build-key-server [HDA NAME HERE (no brackets)]</pre>
 
You will again be asked many questions. The default values should all be OK. Ensure that the 'common name' matches the HDA name you typed previously.
 
When asked for a challenge password, leave it blank
 
When asked to sign the certificate, type y
 
When asked to commit, type y
 
Step 6: Create certificates for each of your clients with the commands below:
 
<pre>./build-key-pass CLIENTNAME</pre>

Replace CLIENTNAME with the user name, device name or whatever will identify this client for you; you will need the same name again in the later steps.

Enter a PEM pass phrase and confirm it. This can be whatever you want.
 
You will be asked many questions again. You can leave these at the default values or modify them if you wish.
 
When asked for a challenge password, leave this field blank.
 
When asked to sign the certificate, type y
 
REPEAT THIS STEP FOR EACH CLIENT
 
After you have created certs/keys for each of your clients, move on to the next step.
 
Step 6: The next step is to re-encrypt the client keys into the form the clients will use. We will be using triple DES (3DES) in this tutorial, but you can use other encryption methods if you wish.

<pre>cd keys</pre>
 
This command moves us to the keys directory.
 
<pre>openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key</pre>

This command writes an encrypted copy of the key; the original key file is not changed. You will be asked for a pass phrase for the new key. Use whatever you wish here, but do not leave it blank.
 
REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6
 
Once you have created your 3des keys, move on to the next step.
 
Step 7: This step builds the Diffie-Hellman parameters the server uses for its key exchange.

<pre>cd /etc/openvpn/easy-rsa/</pre>
 
This moves us back to the easy-rsa directory.
 
<pre>./build-dh</pre>
 
Depending on your system specs this can take some time, but it is typically pretty fast.
 
Step 8: Now we will generate an HMAC key (tls-auth) for DoS protection.

<pre>openvpn --genkey --secret keys/ta.key</pre>

Please note that copying and pasting this command may cause formatting issues: the dashes in the command must be two plain hyphens back to back, with no spaces between them.
 
OK, now we are getting close to the home stretch.
 
Step 9: In this step we will backup then modify the openvpn.conf file.
 
<pre>cd /etc/openvpn</pre>

This changes to the openvpn directory.
 
<pre>cp openvpn.conf openvpn.conf.backup</pre>
 
This backs up the default config.
 
<pre>nano openvpn.conf</pre>
 
You can use this [http://fpaste.org/136131/11574407/ config file] as a template. You will need to change the indicated fields as necessary. You will also need to set up IP forwarding if you wish to browse LAN devices and the internet while on the VPN; this information can be found elsewhere in the Amahi wiki.
 
Step 10: In this step we will create a template file for a script to create ovpn files.
 
Use [http://fpaste.org/136132/ this file] as a template. Name the file Default.txt
 
Step 11: In this step we will download a script to create your ovpn files for you.
 
<pre>cd /etc/openvpn/easy-rsa/keys</pre>

First we move to the keys directory.
 
Download [https://gist.github.com/laurenorsini/10013430 this script] to the keys directory and call it makeovpn.sh.

Now we need to make the script executable:
 
<pre>chmod +x makeovpn.sh</pre>
 
Step 12: Run the script downloaded in step 11 for each client you created in step 6.
 
<pre>./makeovpn.sh</pre>
 
When the script runs it will ask you for a client name you created in step 6. Enter the name and press enter. You may see some errors, but the file should still be created and be usable.
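The kind of profile assembly the linked script performs, written here as an added example (it is not the gist's makeovpn.sh and not part of the original page): given a client name, it checks that the four files from steps 4 to 8 are present and that the client key is still pass phrase protected, then inlines them into a single .ovpn. The server address and port are placeholders you must replace.

```shell
#!/bin/sh
# Added example (not the gist's makeovpn.sh): build one self-contained client
# profile from the files easy-rsa left in the keys directory (steps 4 to 8).
# Assumed, not from the page: the server address/port placeholders below.
set -e

SERVER_ADDR="${SERVER_ADDR:-hda.example.invalid}"  # placeholder: your HDA's public name
SERVER_PORT="${SERVER_PORT:-1194}"

# make_ovpn KEYSDIR CLIENT OUTFILE
# Refuses to run unless ca.crt, CLIENT.crt, CLIENT.3des.key and ta.key exist and
# the client key still carries a pass phrase, then inlines all four into OUTFILE.
make_ovpn() {
    keys="$1"; client="$2"; out="$3"
    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.3des.key" "$keys/ta.key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # 'openssl rsa -des3' writes a traditional PEM key with a 'Proc-Type: 4,ENCRYPTED'
    # header; a key without it has no pass phrase and is usable by anyone holding the .ovpn
    grep -q 'Proc-Type: 4,ENCRYPTED' "$keys/$client.3des.key" \
        || { echo "$client.3des.key is not pass phrase protected" >&2; return 1; }
    {
        printf 'client\ndev tun\nproto udp\nremote %s %s\n' "$SERVER_ADDR" "$SERVER_PORT"
        printf 'resolv-retry infinite\nnobind\npersist-key\npersist-tun\n'
        printf 'remote-cert-tls server\n'   # only accept a peer cert issued as a server cert
        printf 'key-direction 1\n'          # client side of the ta.key generated in step 8
        printf 'verb 3\n'
        printf '<ca>\n';        cat "$keys/ca.crt";            printf '</ca>\n'
        printf '<cert>\n';      cat "$keys/$client.crt";       printf '</cert>\n'
        printf '<key>\n';       cat "$keys/$client.3des.key";  printf '</key>\n'
        printf '<tls-auth>\n';  cat "$keys/ta.key";            printf '</tls-auth>\n'
    } > "$out"
    chmod 600 "$out"   # the profile embeds a private key; keep it owner-readable only
    echo "wrote $out"
}

# Usage from the keys directory: make_ovpn . CLIENTNAME CLIENTNAME.ovpn
```

The resulting file needs only the client's pass phrase at connect time; a key that was left unencrypted in step 6 is rejected rather than silently shipped inside the profile.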
 
And that is it. You now have everything you need to connect multiple clients to your VPN.
 
The following link was used as a primary source for the bulk of this tutorial:
 
[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]