Difference between revisions of "OpenVPN custom certificates"

From Amahi Wiki
Jump to: navigation, search
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{NeedsUpdate}}
+
The default [[OpenVPN]] install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these.  One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices.  Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates.  Keep in mind that when new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.
  
 +
All commands are issued from the [[Open_Terminal_as_root|CLI as the root user]] unless noted otherwise.
  
The default [[OpenVPN]] install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these.  One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices.  Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates.  All commands are issued from the CLI as the root user unless noted otherwise.
+
<h2>Getting Started</h2>
 +
Install easyrsa (The latest installations of OpenVPN do not include it.)
  
Step 1: Copy the necessary easy-rsa files to the openvpn directory in etc
+
<pre>dnf install easy-rsa</pre>
  
<pre>cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa</pre>
+
Create a directory for working with Easy-RSA in which you will store Server keys and Certificate files.
  
Step 2: Navigate to the directory you just copied
+
<pre>mkdir /etc/openvpn/easy-rsa</pre>
  
<pre>cd /etc/openvpn/easy-rsa</pre>
+
Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above.
  
Step 3: Backup, then modify the variables in the vars file
+
<pre>cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa</pre>
  
<pre>cp vars vars.backup</pre>
+
Navigate to /etc/openvpn/easy-rsa directory and start new PKI.
  
This creates a backup of the original file
+
<pre>cd /etc/openvpn/easy-rsa
 +
./easyrsa init-pki</pre>
  
<pre>nano vars</pre>
 
  
This is the command we will use to modify the variables in the vars file
+
Build the CA certificate. This will prompt you for the encryption password and the server common name.
  
The primary variable we are looking is (ctrl+w to search):
+
Suggestions:
 +
<ul
 +
><li>Set the PEM password and write it down. You will be asked to confirm it. You will need it later.</li>
 +
<li>For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.</li>
 +
</ul>
  
<pre>export EASY_RSA = “`pwd`”</pre>
+
<pre>./easyrsa build-ca</pre>
  
You want to change this variable to this:
+
The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.
  
<pre>export EASY_RSA=”/etc/openvpn/easy-rsa”</pre>
+
Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.)
  
OPTIONAL
+
<pre>./easyrsa gen-dh</pre>
  
You can also change the cipher strength in this file. If you wish to do this, the variable you are looking for is:
+
This will generate the DH key and store as /etc/openvpn/easy-rsa/pki/dh.pem.
  
<pre>export KEY_SIZE=1024</pre>
+
Generate a key and certificate file for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names for the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name. Be sure to use the same common name you used when creating the CA certificate.
  
You can bump this number up to 2048 to increase security, however you may notice a decrease in speeds over the VPN if you do so.  
+
<pre>./easyrsa build-server-full Amahi-Server-OpenVPN nopass</pre>
  
Step 4: The next step here is to build your new CA on your server. Issue the commands below:
+
<h2>Generating Client Keys</h2>
 +
You will repeat this process until you have created all of the client keys you wish to have on hand.
  
First, be sure you are still in the /etc/openvpn/easy-rsa directory. Issuing the pwd command will display the directory you currently working in. If it is anything other than /etc/openvpn/easy-rsa, issue the following command:
+
Generate a key and certificate file for the client. In the code below, we are assuming that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique.
  
<pre>cd /etc/openvpn/easy-rsa</pre>
+
Command for creating a client key and cert
 +
<pre>./easyrsa build-client-full client1 nopass</pre>
  
Now issue the following commands to build the new CA:
+
You will be prompted to enter the pass phrase for the ca.cert you created earlier. Be sure to use that password.
  
<pre>source ./vars</pre>
+
Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. The revised command would look like this:
 +
<pre>./easyrsa build-client-full client2 nopass</pre>
  
This command loads the vars file you modified in step 3.
+
Repeat until all clients are created.
  
<pre>./clean-all</pre>
+
<h2>Continuing On</h2>
 +
In case you need to invalidate a previously signed certificate, generate a revocation certificate.
  
This command will remove anything in the /keys directory. There is most likely nothing in the directory at this point (if there is, back it up!).
+
<pre>./easyrsa gen-crl</pre>
 +
This stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.
  
<pre>./build-ca</pre>
+
Generate TLS/SSL pre-shared authentication key
  
This command will build the CA.  You will be asked various questions, note that you do not need to modify any of these values.  You can just hit enter and it will use the default displayed values.
+
<pre>openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key</pre>
  
Step 5: We now build the keys for the server with the following commands.
+
This stores the ta key under /etc/openvpn/easy-rsa/pki/ta.key
  
</pre>./build-key-server [HDA NAME HERE (no brackets)]</pre>
+
<h2>Putting the New Files In Place</h2>
 +
Backup Default files
 +
<pre>mkdir /etc/openvpn/easy-rsa/amahi-backup</pre>
 +
<pre>cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/</pre>
  
You will again be asked many questions.  Default values should all be OK.  Ensure that the 'common name' lines up with the HDA name you typed previously.
+
Copy files to the appropriate places. When asked if you want to overwrite the destination file, choose "y" for yes.
  
When asked for a challenge password, leave it blank
+
<pre>cp /ect/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt
 +
cp /ect/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt
 +
cp /ect/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key
 +
cp /ect/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/amahi/dh.pem</pre>
  
When asked to sign the certificate, type y
+
<h2>Create .ovpn files</h2>
 +
There are scripts for doing this out there but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.)
 +
<pre>client
 +
dev tun
 +
proto udp
 +
resolv-retry infinite
 +
nobind
 +
persist-key
 +
persist-tun
 +
ca ca.crt
 +
cert client1.crt
 +
key client1.key
 +
comp-lzo
 +
verb 3
 +
auth-user-pass
 +
route-method exe
 +
route-delay 2</pre>
  
When asked to commit, type y
+
Be sure to create one .ovpn file for each client you create. In addition,the lines "cert client1.crt" and "key client1.key" refer to the key and client certificate for a client you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)
  
Step 6: Create certificates for each of your clients with the commands below:
+
Restart OpenVPN service
 +
<pre>systemctl restart openvpn@amahi.service</pre>
  
<pre>./build-key-pass UserName(or client name, or whatever will identify this for you)</pre>
+
<h2>Files Clients Need</h2>
 +
Copy needed client files to an easy to access directory
 +
<pre>mkdir [CHOSEN_LOCATION]/ovpn-clients
 +
cp /ect/openvpn/easy-rsa/pki/issued/* [CHOSEN_LOCATION]/ovpn-clients/
 +
cp /ect/openvpn/easy-rsa/pki/private/* [CHOSEN_LOCATION]/ovpn-clients/
 +
cp /ect/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/
 +
</pre>
 +
Add your client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory.
  
Enter a PEM password and confirm. This can be whatever you want.
+
VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password for the compressed file. This way, anyone wanting access to any keys or certifications will have to know that password. Once the compressed file is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the compressed file.
  
You will be asked many questions again. You can leave these at the default values or modify them if you wish.
+
<h2>Setting Up Clients for Windows</h2>
 +
Each client that you setup to use the [http://dl.amahi.org/HDAConnect3.exe HDAConnect3] GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work.
  
When asked for a challenge password, leave this field blank.
+
Be sure the HDAConnect GUI is not running.
  
When asked to sign the certificate, type y
+
Assuming we are setting up "Client1"
  
REPEAT THIS STEP FOR EACH CLIENT
+
In Windows,
 +
<ul>
 +
<li>Go to the C:\Program Files (x86)\HDAConnect\config directory</li>
 +
<li>Delete everything contained in that config directory.</li>
 +
<li>Paste the ca.cert file to C:\Program Files (x86)\HDAConnect\config</li>
 +
<li>Paste client1.ovpn, client1.key and client1.crt to C:\Program Files (x86)\HDAConnect\config</li>
 +
</ul>
  
After you have created certs/keys for each of your clients, move on to the next step.
 
  
Step 6:  The next step is to change the encryption method of the client keys to be used.  We will be using triple des in this tutorial, but you can use other encryption methods if you wish.
+
Start HDAConnect GUI and you should be ready to connect.
  
<pre>Cd keys</pre>
+
<h2>Client Key Encryption Option</h2>
 +
One could change the encryption method of the client keys to be used.  We will be using triple des in this tutorial, but you can use other encryption methods if you wish.
  
This command moves us to the keys directory.
+
Create a new working directory to house all the files necessary for the process.
  
<pre>Openssl rsa -in KEYNAMEFROMSTEP6.key -des3 -out KEYNAMEFROMSTEP6.3des.key</pre>
+
<pre>mkdir /etc/openvpn/easy-rsa/ovpn3des</pre>
  
This command creates an encrypted key.  Keep in mind the original key will not be impacted when doing this.  You will be asked for a pass phrase.  Use whatever you wish here, but do not leave this blank.
+
Copy all the files needed to the new directory
  
REPEAT THIS STEP FOR ALL THE KEYS CREATED IN STEP 6
+
<pre>cp /etc/openvpn/easy-rsa/pki/private/* /etc/openvpn/easy-rsa/ovpn3des/
 +
cp /etc/openvpn/easy-rsa/pki/issued/* /etc/openvpn/easy-rsa/ovpn3des/
 +
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/
 +
cp /etc/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/easy-rsa/ovpn3des/</pre>
  
Once you have created your 3des keys, move on to the next step.
+
Move to the working directory
  
Step 7:  This step will be to build the diffie-hellman key exchange for the server.
+
<pre>cd /etc/openvpn/easy-rsa/ovpn3des</pre>
  
<pre>Cd /etc/openvpn/easy-rsa/</pre>
+
This command creates an encrypted key.  Keep in mind the original key will not be impacted when doing this.  You will be asked for a pass phrase.
 +
<pre>openssl rsa -in client1.key -des3 -out client1.3des.key</pre>
 +
Repeat this command on each key you created.
  
This moves us back to the easy-rsa directory.
 
 
<pre>./build-dh</pre>
 
 
Depending on your system specs this can take some time, but it is typically pretty fast.
 
 
Step 8:  Now we will generate an HMAC key for DoS protection.
 
 
<pre>Openvpn --genkey --secret keys/ta.key</pre>
 
 
Please note that copying and pasting this command may cause formatting issues.  The lines in the command need to be two hyphens back to back without spaces.
 
 
OK, now we are getting close to the home stretch.
 
 
Step 9: In this step we will backup then modify the openvpn.conf file.
 
 
<pre>Cd /etc/openvpn</pre>
 
 
Change directory to the openvpn directory
 
 
<pre>cp openvpn.conf openvpn.conf.backup</pre>
 
 
This backs up the default config
 
 
<pre>nano openvpn.conf</pre>
 
 
You can use this [http://fpaste.org/136131/11574407/ config file] as a template.  You will need to change the indicated fields as necessary.  You will need to setup IP forwarding if you wish to browse LAN devices and the internet while on the VPN.  This information can be found elsewhere in the Amahi wiki.
 
 
Step 10: In this step we will create a template file for a script to create ovpn files.
 
 
Use [http://fpaste.org/136132/ this file] as a template.  Name the file Default.txt
 
 
Step 11:  In this step we will download a script to create your ovpn files for you.
 
 
<pre>Cd /etc/openvpn/easy-rsa/keys</pre>
 
 
First we move to the keys directory
 
 
Download [https://gist.github.com/laurenorsini/10013430 this script] to the keys directory and call it makeovpn.sh
 
 
Now we need to make the script executable
 
 
<pre>chmod +x makeovpn.sh</pre>
 
 
Step 12: Run the script created in step 12 for each client you created in step 6.
 
 
<pre>./makeovpn.sh</pre>
 
 
When the script runs it will ask you for a client name you created in step 6.  Enter the name and press enter.  You may see some errors, but the file should still be created and be usable.
 
 
And that is it.  You have now got everything you need to connect multiple clients to your VPN. 
 
  
 +
<h2>Citations</h2>
 
The following link was used as a primary source for the bulk of this tutorial:
 
The following link was used as a primary source for the bulk of this tutorial:
  
 
[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]
 
[http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing Raspberry Pi VPN Tutorial]
 +
 +
Update to this wiki taken from https://ravenhawktech.com/
 +
[https://ravenhawktech.com/index.php/2020/12/18/openvpn-install-on-fedora-server/]
 +
[https://ravenhawktech.com/index.php/2021/01/27/openvpn-install-on-fedora-server-part-2/]

Latest revision as of 03:02, 19 February 2021

The default OpenVPN install for Amahi will work with the certificates provided on the wiki, however there are a couple of reasons you may not want to use these. One, you can only have one client connected to the VPN at a time with these certificates and two, security best practices would advise against allowing the same certificate for all devices. Follow the instructions below to reconfigure your OpenVPN instance for use with multiple certificates. Keep in mind that when new certificates are made for your Amahi server the default profile created by the OpenVPN app will no longer work. This process will give you the files and profiles that you need in the future.

All commands are issued from the CLI as the root user unless noted otherwise.

Getting Started

Install easyrsa (The latest installations of OpenVPN do not include it.) 

dnf install easy-rsa

Create a directory for working with Easy-RSA in which you will store Server keys and Certificate files. 

mkdir /etc/openvpn/easy-rsa

Copy the key/certificate generation scripts installed by Easy-RSA from the default directory to the directory created above. 

cp -air /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa

Navigate to /etc/openvpn/easy-rsa directory and start new PKI. 

cd /etc/openvpn/easy-rsa
./easyrsa init-pki


Build the CA certificate. This will prompt you for the encryption password and the server common name.

Suggestions:

  • Set the PEM password and write it down. You will be asked to confirm it. You will need it later.
  • For the Common Name you can use "server," "Amahi" or the name you gave your HDA. Remember it. You will need it later.
./easyrsa build-ca

The CA certificate is stored at /etc/openvpn/easy-rsa/pki/ca.crt.

Generate Diffie-Hellman key file that can be used during the TLS handshake with connecting clients. (Depending on the speed of your server, this may take a while.) 

./easyrsa gen-dh

This will generate the DH key and store as /etc/openvpn/easy-rsa/pki/dh.pem.

Generate a key and certificate file for the server. We use the name "Amahi-Server-OpenVPN" in this command so that the names for the server files match the OpenVPN config file (amahi.conf) for Amahi. When the process begins you will be prompted for a Common Name. Be sure to use the same common name you used when creating the CA certificate. 

./easyrsa build-server-full Amahi-Server-OpenVPN nopass

Generating Client Keys

You will repeat this process until you have created all of the client keys you wish to have on hand.

Generate a key and certificate file for the client. In the code below, we are assuming that the client keys and certificates you wish to create follow the naming convention "client1, client2, client3," etc. You could name them anything you want as long as each name is unique.

Command for creating a client key and cert 

./easyrsa build-client-full client1 nopass

You will be prompted to enter the pass phrase for the ca.cert you created earlier. Be sure to use that password.

Run the command for creating the "client2" key and cert, substituting "client2" (without the quotes) in the command. The revised command would look like this: 

./easyrsa build-client-full client2 nopass

Repeat until all clients are created.

Continuing On

In case you need to invalidate a previously signed certificate, generate a revocation certificate. 

./easyrsa gen-crl

This stores the revocation certificate under /etc/openvpn/easy-rsa/pki/crl.pem.

Generate TLS/SSL pre-shared authentication key 

openvpn --genkey --secret /etc/openvpn/easy-rsa/pki/ta.key

This stores the ta key under /etc/openvpn/easy-rsa/pki/ta.key

Putting the New Files In Place

Backup Default files 

mkdir /etc/openvpn/easy-rsa/amahi-backup
cp /etc/openvpn/amahi/* /etc/openvpn/easy-rsa/amahi-backup/

Copy files to the appropriate places. When asked if you want to overwrite the destination file, choose "y" for yes. 

cp /ect/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/amahi/ca.crt
cp /ect/openvpn/easy-rsa/pki/issued/Amahi-Server-OpenVPN.crt /etc/openvpn/amahi/Amahi-Server-OpenVPN.crt
cp /ect/openvpn/easy-rsa/pki/private/Amahi-Server-OpenVPN.key /etc/openvpn/amahi/Amahi-Server-OpenVPN.key
cp /ect/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/amahi/dh.pem

Create .ovpn files

There are scripts for doing this out there but the simplest way is to edit the following and save it as an .ovpn file. (Be sure that you save this file strictly as "client1.ovpn" (for example) and not "client1.ovpn.txt" or something like that. The easiest way I found was to use Notepad++ and, when finished editing the file, choose File > Save As and under "Save Type As" choose "All Types." Then name the file "client1.ovpn" (for example) and click save.) 

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
auth-user-pass
route-method exe
route-delay 2

Be sure to create one .ovpn file for each client you create. In addition,the lines "cert client1.crt" and "key client1.key" refer to the key and client certificate for a client you created. You need to change the .ovpn file to reflect the client which that .ovpn file references. (For example, if setting up client2, the lines would be "cert client2.crt" and "key client2.key" and the .ovpn file would be named "client2.ovpn". Make certain to spell the file names in the .ovpn exactly the same as the .crt and .key file names.)

Restart OpenVPN service 

systemctl restart openvpn@amahi.service

Files Clients Need

Copy needed client files to an easy to access directory 

mkdir [CHOSEN_LOCATION]/ovpn-clients
cp /ect/openvpn/easy-rsa/pki/issued/* [CHOSEN_LOCATION]/ovpn-clients/
cp /ect/openvpn/easy-rsa/pki/private/* [CHOSEN_LOCATION]/ovpn-clients/
cp /ect/openvpn/easy-rsa/pki/ca.crt [CHOSEN_LOCATION]/ovpn-clients/

Add your client .ovpn files that you created to the "[CHOSEN_LOCATION]/ovpn-clients/" directory.

VERY IMPORTANT: Compress that "ovpn-clients" directory (into a .zip file, for example) and set a password for the compressed file. This way, anyone wanting access to any keys or certifications will have to know that password. Once the compressed file is created, delete all of the files in the "[CHOSEN_LOCATION]/ovpn-clients/" directory except the compressed file.

Setting Up Clients for Windows

Each client that you setup to use the HDAConnect3 GUI will need one common file (ca.crt) and then its own unique set of files to make the connection work.

Be sure the HDAConnect GUI is not running.

Assuming we are setting up "Client1"

In Windows,

  • Go to the C:\Program Files (x86)\HDAConnect\config directory
  • Delete everything contained in that config directory.
  • Paste the ca.cert file to C:\Program Files (x86)\HDAConnect\config
  • Paste client1.ovpn, client1.key and client1.crt to C:\Program Files (x86)\HDAConnect\config


Start HDAConnect GUI and you should be ready to connect.

Client Key Encryption Option

One could change the encryption method of the client keys to be used. We will be using triple des in this tutorial, but you can use other encryption methods if you wish.

Create a new working directory to house all the files necessary for the process. 

mkdir /etc/openvpn/easy-rsa/ovpn3des

Copy all the files needed to the new directory 

cp /etc/openvpn/easy-rsa/pki/private/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/issued/* /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/easy-rsa/ovpn3des/
cp /etc/openvpn/easy-rsa/pki/ph.pem /etc/openvpn/easy-rsa/ovpn3des/

Move to the working directory 

cd /etc/openvpn/easy-rsa/ovpn3des

This command creates an encrypted key. Keep in mind the original key will not be impacted when doing this. You will be asked for a pass phrase. 

openssl rsa -in client1.key -des3 -out client1.3des.key

Repeat this command on each key you created.


Citations

The following link was used as a primary source for the bulk of this tutorial:

Raspberry Pi VPN Tutorial

Update to this wiki taken from https://ravenhawktech.com/ [1] [2]

Retrieved from "https://wiki.amahi.org/index.php?title=OpenVPN_custom_certificates&oldid=116571"