OpenVPN

ExplodingLemur edited this page Oct 15, 2015 · 4 revisions

Configs

Just the config files to copy

OpenVPN Server

port 1194
proto udp
dev tun0
ca /etc/ssl/myca/SERVER_CA.crt
cert /etc/ssl/mycerts/SERVER.crt
key /etc/ssl/private/SERVER.key
dh /etc/ssl/dh2048.pem
tls-auth /etc/ssl/private/tlsauth.key 0
crl-verify /etc/ssl/crl/crl.pem
server 10.255.255.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
persist-key
persist-tun
script-security 1
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
user nobody
group nogroup
push "redirect-gateway def1"
push "dhcp-option DNS 10.255.255.1"

OpenVPN Client

client
dev tun
proto udp
remote HOSTNAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cert CLIENT.crt
key CLIENT.key
ca SERVER_CA.crt
tls-auth tlsauth.key 1
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA

OpenSSL config (the relevant sections of openssl.cnf; sections not shown, such as usr_cert, are left at their defaults)

[ CA_default ]

dir             = /etc/ssl              # Where everything is kept
certs           = $dir/mycerts          # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/myca/index.txt   # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/myca/openvpn_ca.cert     # The CA certificate
serial          = $dir/myca/serial              # The current serial number
crlnumber       = $crl_dir/crlnumber    # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $crl_dir/crl.pem              # The current CRL
private_key     = $dir/private/openvpn_ca.key # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 365                   # how long before next CRL
default_md      = default               # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match


[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = SOMESTATENAME

localityName                    = Locality Name (eg, city)
localityName_default            = SOMECITY

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = SOMEORGANIZATION

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = SOMEEMAIL@HOSTNAME.TLD
emailAddress_max                = 64

[server]
basicConstraints=CA:FALSE
nsCertType = server
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA

CA and Certificate Setup

Make sure you set proper permissions on all private keys (root-owned, mode 0600; ideally the CA key never lives on the VPN server at all). Note that the file names in the configs above (SERVER_CA.crt, SERVER.crt, CLIENT.crt) are placeholders: the commands below write openvpn_ca.cert, SERVER.cert and CLIENT.cert, so rename one side to match the other.

Set up tls-auth key (a shared secret used on both ends; keep it mode 0600 and copy it to each client over a trusted channel):

openvpn --genkey --secret /etc/ssl/private/tlsauth.key

Set up CA (the directories named in the OpenSSL config must exist, and because crlnumber is set there the crlnumber file must exist before openssl ca -gencrl will run):

mkdir -p /etc/ssl/myca /etc/ssl/mycerts /etc/ssl/newcerts /etc/ssl/crl /etc/ssl/private
touch /etc/ssl/myca/index.txt
echo '01' > /etc/ssl/myca/serial
echo '01' > /etc/ssl/crl/crlnumber
openssl genrsa  -des3 -out /etc/ssl/private/openvpn_ca.key 2048
openssl req -x509 -new -key /etc/ssl/private/openvpn_ca.key -days 3650 -extensions v3_ca -out /etc/ssl/myca/openvpn_ca.cert

Set up cert request (leave off the -des3 to skip encrypting the key with a passphrase; the server's request is made the same way with SERVER.key and SERVER.csr):

openssl genrsa -des3 -out CLIENT.key 2048
openssl req -new -key CLIENT.key -out CLIENT.csr

Sign Client cert:

openssl ca -in CLIENT.csr -out /etc/ssl/mycerts/CLIENT.cert

Sign Server cert (the server key must be usable without a passphrase, since the daemon starts unattended and cannot prompt for one unless you add --askpass):

openssl ca -in SERVER.csr -extensions server -out /etc/ssl/mycerts/SERVER.cert

Revoke certificate (index.txt in /etc/ssl/myca lists the serial and subject of every issued cert, and the CA's own copy of each one is /etc/ssl/newcerts/SERIAL.pem, so you can revoke a cert even if the user's file is gone):

openssl ca -revoke CERTIFICATE.cert

Update CRL (revocation takes effect only once this new file is in place; the running server re-reads crl.pem after it has dropped to user nobody, so unlike the keys it must be readable by that user):

openssl ca -gencrl -out /etc/ssl/crl/crl.pem
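The procedure in this section run end to end, as an added example rather than a script from the wiki: it builds a throwaway CA in a scratch directory with the same layout and the same [server] and [v3_ca] extensions as the OpenSSL config above, issues a server and a client certificate, prints the Extended Key Usage that remote-cert-tls server relies on, revokes the client and confirms that the CRL now rejects it while the server cert still verifies. The scratch directory, the names vpn-server and alice, the CA subject, and a usr_cert section carrying clientAuth are assumptions of this example; the openvpn --genkey step is left out because it needs the OpenVPN binary, so only openssl is required.

```shell
#!/bin/sh
# Added example, not from the wiki: the CA procedure above run end to end in a
# scratch directory instead of /etc/ssl. "vpn-server" and "alice" are placeholder
# names; keys are made without -des3 so the server can start unattended.
set -eu

# pki_init DIR: directory layout, serial/crlnumber files, an openssl.cnf with
# the page's [server] and [v3_ca] extensions, the CA key/cert and an empty CRL.
pki_init() {
  mkdir -p "$1/myca" "$1/mycerts" "$1/newcerts" "$1/crl" "$1/private"
  chmod 700 "$1/private"
  : > "$1/myca/index.txt"
  echo 01 > "$1/myca/serial"
  echo 01 > "$1/crl/crlnumber"   # required once crlnumber= is set in the config
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/myca/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/myca/openvpn_ca.cert
serial = \$dir/myca/serial
crlnumber = \$dir/crl/crlnumber
private_key = \$dir/private/openvpn_ca.key
default_days = 365
default_crl_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ server ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
EOF
  openssl genrsa -out "$1/private/openvpn_ca.key" 2048 2>/dev/null
  chmod 600 "$1/private/openvpn_ca.key"
  openssl req -x509 -new -key "$1/private/openvpn_ca.key" -days 3650 -config "$1/openssl.cnf" \
    -extensions v3_ca -subj "/CN=OpenVPN demo CA" -out "$1/myca/openvpn_ca.cert"
  # Publish an empty CRL immediately: crl-verify needs the file to exist.
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# pki_issue DIR NAME [SECTION]: key, CSR and CA-signed cert. Use "server" for the
# VPN server so the cert carries serverAuth, which remote-cert-tls server checks.
pki_issue() {
  openssl genrsa -out "$1/private/$2.key" 2048 2>/dev/null
  chmod 600 "$1/private/$2.key"
  openssl req -new -key "$1/private/$2.key" -config "$1/openssl.cnf" -subj "/CN=$2" -out "$1/$2.csr"
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "${3:-usr_cert}" \
    -in "$1/$2.csr" -out "$1/mycerts/$2.cert" 2>/dev/null
}

# pki_eku DIR NAME: print the Extended Key Usage of an issued cert.
pki_eku() {
  openssl x509 -in "$1/mycerts/$2.cert" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# pki_check DIR NAME: "valid", "revoked" or "invalid" against the CA and CRL,
# the same decision the server makes with ca + crl-verify.
pki_check() {
  out=$(openssl verify -crl_check -CAfile "$1/myca/openvpn_ca.cert" \
        -CRLfile "$1/crl/crl.pem" "$1/mycerts/$2.cert" 2>&1) && { echo valid; return 0; }
  case $out in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}

# pki_revoke DIR NAME: mark the cert revoked, then regenerate the CRL. Nothing
# changes for connecting clients until the new crl.pem is in place on the server.
pki_revoke() {
  openssl ca -batch -config "$1/openssl.cnf" -revoke "$1/mycerts/$2.cert" 2>/dev/null
  openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl/crl.pem" 2>/dev/null
}

# Usage: sh pki_demo.sh /path/to/scratch   (issue, inspect, revoke, re-check)
if [ "$#" -gt 0 ]; then
  pki_init "$1"; pki_issue "$1" vpn-server server; pki_issue "$1" alice
  echo "server EKU: $(pki_eku "$1" vpn-server)"; echo "alice: $(pki_check "$1" alice)"
  pki_revoke "$1" alice; echo "alice after revoke: $(pki_check "$1" alice)"
fi
```

Run it as sh pki_demo.sh /tmp/pki. The empty CRL generated in pki_init is the detail most often missed: with crl-verify in the server config the daemon refuses to start until crl.pem exists, and after a revocation nothing changes until the regenerated file replaces the old one.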

OpenVPN Server Config Annotations

  • Set the port to listen on
    • port 1194
  • Set the protocol to use (TCP or UDP)
    • proto udp
  • tun or tap device to use (tun for routing, tap for bridging)
    • dev tun0
  • CA certificate
    • ca /etc/ssl/myca/SERVER_CA.crt
  • Server certificate
    • cert /etc/ssl/mycerts/SERVER.crt
  • Server key
    • key /etc/ssl/private/SERVER.key
  • Diffie-Hellman parameters
    • dh /etc/ssl/dh2048.pem
  • Shared TLS authentication key (0/1 for directionality, usually 0 is the server side and 1 is the client side)
    • tls-auth /etc/ssl/private/tlsauth.key 0
  • CRL to check client certs against; the file must exist when the server starts, so generate an (empty) CRL right after creating the CA
    • crl-verify /etc/ssl/crl/crl.pem
  • Subnet to use for tunnel device (server will automatically set itself as the first IP in the subnet)
    • server 10.255.255.0 255.255.255.0
  • Client IP persistence file
    • ifconfig-pool-persist ipp.txt
  • Keepalive settings: keepalive x y sends a ping every x seconds and restarts the connection if nothing has been received for y seconds. In server mode this expands to ping 10 / ping-restart 240 locally and pushes ping 10 / ping-restart 120 to clients (the server waits twice as long so the client notices a dead link first)
    • keepalive 10 120
  • Data-channel cipher (must match on both ends; on OpenVPN 2.4 and later prefer an AEAD cipher such as AES-256-GCM, in which case auth is no longer used for the data channel)
    • cipher AES-256-CBC
  • HMAC used to authenticate data-channel packets (and, via tls-auth, control-channel packets)
    • auth SHA384
  • Ciphers for TLS connection (tunnel setup, i.e. the control channel). The two DHE-RSA CBC-SHA suites reflect this page's 2015 choice; on current versions pair this with tls-version-min 1.2 and an ECDHE AEAD suite such as TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
  • Persist options: persist-key keeps the key material in memory across restarts (SIGUSR1, ping-restart) because after the drop to user nobody the key files can no longer be read, and persist-tun keeps the tun device open across restarts because reopening it would need root
    • persist-key
    • persist-tun
  • Set level of external scripts that can run. 0 allows none, 1 only built-in executables (ifconfig, ip, route, netsh), 2 also user-defined scripts (up/down, client-connect and the like), 3 additionally passes passwords to scripts via environment variables
    • script-security 1
  • Logging options
    • status /var/log/openvpn-status.log
    • log-append /var/log/openvpn.log
    • verb 3
  • Privilege downgrade
    • user nobody
    • group nogroup
  • Set options for clients. redirect-gateway def1 routes all client traffic through the tunnel (the server must also forward and NAT it, which is not covered here); dhcp-option DNS replaces the client's ISP DNS with the server's tunnel address. Windows clients apply dhcp-option natively; Linux clients only if an up/down script (for example update-resolv-conf, which needs script-security 2) applies it.
    • push "redirect-gateway def1"
    • push "dhcp-option DNS 10.255.255.1"

OpenVPN Client Config Annotations

  • Set to client mode
    • client
  • Tunnel device for routed mode
    • dev tun
  • Protocol (tcp or udp)
    • proto udp
  • Remote host and port
    • remote HOSTNAME 1194
  • Don't give up trying to resolve the remote host
    • resolv-retry infinite
  • Dynamic source port
    • nobind
  • Keep the key in memory and the tun device open across restarts (SIGUSR1, ping-restart), so a restart neither re-reads the key nor tears down the interface
    • persist-key
    • persist-tun
  • Require that the remote cert carries the server key usage and extended key usage (serverAuth, from the [server] extension section). Without this, any client cert signed by the same CA would be accepted as the server, so one rogue client could impersonate it
    • remote-cert-tls server
  • Client certificate and key files
    • cert CLIENT.crt
    • key CLIENT.key
  • CA certificate
    • ca SERVER_CA.crt
  • Shared TLS authentication key (0/1 for directionality, usually 0 is the server side and 1 is the client side)
    • tls-auth tlsauth.key 1
  • Crypto cipher (must match the server)
    • cipher AES-256-CBC
  • Authentication hash (must match the server)
    • auth SHA384
  • Ciphers for TLS connection (tunnel setup); the client and server lists must share at least one suite
    • tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA