OpenVPN
ExplodingLemur edited this page Oct 15, 2015 · 4 revisions
Just the config files to copy
Server config:

```
port 1194
proto udp
dev tun0
ca /etc/ssl/myca/SERVER_CA.crt
cert /etc/ssl/mycerts/SERVER.crt
key /etc/ssl/private/SERVER.key
dh /etc/ssl/dh2048.pem
tls-auth /etc/ssl/private/tlsauth.key 0
crl-verify /etc/ssl/crl/crl.pem
server 10.255.255.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
persist-key
persist-tun
script-security 1
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
user nobody
group nogroup
push "redirect-gateway def1"
push "dhcp-option DNS 10.255.255.1"
```
Client config:

```
client
dev tun
proto udp
remote HOSTNAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cert CLIENT.crt
key CLIENT.key
ca SERVER_CA.crt
tls-auth tlsauth.key 1
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
```
OpenSSL CA configuration (the openssl.cnf sections used by the commands below):

```
[ CA_default ]
dir             = /etc/ssl                      # Where everything is kept
certs           = $dir/mycerts                  # Where the issued certs are kept
crl_dir         = $dir/crl                      # Where the issued crl are kept
database        = $dir/myca/index.txt           # database index file.
#unique_subject = no                            # Set to 'no' to allow creation of
                                                # several certificates with same subject.
new_certs_dir   = $dir/newcerts                 # default place for new certs.
certificate     = $dir/myca/openvpn_ca.cert     # The CA certificate
serial          = $dir/myca/serial              # The current serial number
crlnumber       = $crl_dir/crlnumber            # the current crl number
                                                # must be commented out to leave a V1 CRL
crl             = $crl_dir/crl.pem              # The current CRL
private_key     = $dir/private/openvpn_ca.key   # The private key
RANDFILE        = $dir/private/.rand            # private random number file
x509_extensions = usr_cert                      # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default                    # Subject Name options
cert_opt        = ca_default                    # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days     = 365                          # how long to certify for
default_crl_days = 365                          # how long before next CRL
default_md       = default                      # use public key default MD
preserve         = no                           # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = SOMESTATENAME

localityName                    = Locality Name (eg, city)
localityName_default            = SOMECITY

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = SOMEORGANIZATION

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = SOMEEMAIL@HOSTNAME.TLD
emailAddress_max                = 64

[server]
basicConstraints=CA:FALSE
nsCertType = server
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
extendedKeyUsage=serverAuth
keyUsage = digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true
keyUsage = cRLSign, keyCertSign
nsCertType = sslCA
```
Make sure you set proper permissions on all private keys!
Set up tls-auth key:

```sh
openvpn --genkey --secret /etc/ssl/private/tlsauth.key
```

Set up CA:

```sh
touch /etc/ssl/myca/index.txt
echo '01' > /etc/ssl/myca/serial
openssl genrsa -des3 -out /etc/ssl/private/openvpn_ca.key 2048
openssl req -x509 -new -key /etc/ssl/private/openvpn_ca.key -days 3650 -extensions v3_ca -out /etc/ssl/myca/openvpn_ca.cert
```

Set up cert request (leave off the -des3 to skip encrypting the key with a passphrase):

```sh
openssl genrsa -des3 -out CLIENT.key 2048
openssl req -new -key CLIENT.key -out CLIENT.csr
```

Sign client cert:

```sh
openssl ca -in CLIENT.csr -out /etc/ssl/mycerts/CLIENT.cert
```

Sign server cert (the `server` extension section marks it with nsCertType server and extendedKeyUsage serverAuth, which is what the client's remote-cert-tls server option checks for):

```sh
openssl ca -in SERVER.csr -extensions server -out /etc/ssl/mycerts/SERVER.cert
```

Note that these commands write `.cert` files (and the CA certificate as openvpn_ca.cert) while the OpenVPN configs above reference `.crt` files such as SERVER.crt and SERVER_CA.crt, so rename on one side to make the names match. The server config also expects Diffie-Hellman parameters at /etc/ssl/dh2048.pem, which none of the commands above generate (openssl's dhparam subcommand does).

Revoke certificate (you can find the certs in /etc/ssl/myca/index.txt):

```sh
openssl ca -revoke CERTIFICATE.cert
```

Update CRL:

```sh
openssl ca -gencrl -out /etc/ssl/crl/crl.pem
```
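The revoke step above expects you to pick the certificate out of the CA database by hand. The following script is an added example, not part of the original page: it parses the index.txt that `openssl ca` maintains (one tab-separated line per issued certificate: status, expiry, revocation date, serial, file name, subject), finds the single valid certificate for a given CN, and builds the page's two revoke and CRL-update commands from it. The sample database is constructed; the paths follow the page's [ CA_default ] section, and the `<serial>.pem` copy in new_certs_dir is the one `openssl ca` writes when it issues a certificate.

```python
import subprocess
from dataclasses import dataclass

# Paths follow the page's [ CA_default ] section: dir, new_certs_dir, crl.
CA_DIR = "/etc/ssl"
NEW_CERTS_DIR = f"{CA_DIR}/newcerts"
CRL_PATH = f"{CA_DIR}/crl/crl.pem"

# Constructed sample of /etc/ssl/myca/index.txt. openssl ca writes one
# tab-separated line per issued certificate:
#   status  expiry (YYMMDDHHMMSSZ)  revocation date  serial  filename  subject
SAMPLE_INDEX = (
    "V\t161015120000Z\t\t01\tunknown\t/C=US/ST=SOMESTATENAME/O=SOMEORGANIZATION/CN=vpn.example.test\n"
    "V\t161015120000Z\t\t02\tunknown\t/C=US/ST=SOMESTATENAME/O=SOMEORGANIZATION/CN=alice\n"
    "R\t161015120000Z\t151015083000Z\t03\tunknown\t/C=US/ST=SOMESTATENAME/O=SOMEORGANIZATION/CN=bob\n"
)


@dataclass
class IndexEntry:
    status: str       # V = valid, R = revoked, E = expired
    expiry: str
    revoked_at: str   # empty unless status is R
    serial: str
    subject: str

    @property
    def common_name(self):
        """CN component of the stored subject (/C=../O=../CN=..)."""
        parts = dict(p.split("=", 1) for p in self.subject.strip("/").split("/"))
        return parts.get("CN", "")


def parse_index(text):
    """Parse index.txt into IndexEntry objects, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        entries.append(IndexEntry(status, expiry, revoked, serial, subject))
    return entries


def find_valid(index_text, common_name):
    """The single currently valid (status V) entry for this CN, or None when
    there is none or more than one, so a typo cannot pick the wrong cert."""
    valid = [e for e in parse_index(index_text)
             if e.common_name == common_name and e.status == "V"]
    return valid[0] if len(valid) == 1 else None


def revocation_plan(index_text, common_name):
    """Build the page's two commands: revoke the cert, then regenerate the CRL.
    openssl ca keeps a copy of every issued cert as new_certs_dir/<serial>.pem,
    so the entry's serial is enough to locate the file to revoke."""
    entry = find_valid(index_text, common_name)
    if entry is None:
        raise LookupError(f"no single valid certificate with CN={common_name}")
    cert_path = f"{NEW_CERTS_DIR}/{entry.serial}.pem"
    return [
        ["openssl", "ca", "-revoke", cert_path],
        ["openssl", "ca", "-gencrl", "-out", CRL_PATH],
    ]


def revoke(index_path, common_name):
    """Run the plan for real against the live CA database."""
    with open(index_path) as fh:
        plan = revocation_plan(fh.read(), common_name)
    for cmd in plan:
        subprocess.run(cmd, check=True)
    return plan


if __name__ == "__main__":
    for entry in parse_index(SAMPLE_INDEX):
        print(entry.status, entry.serial, entry.common_name)
    for cmd in revocation_plan(SAMPLE_INDEX, "alice"):
        print(" ".join(cmd))
```

Refusing to act when the CN matches zero or several valid entries is deliberate: `openssl ca -revoke` takes a file path, and a wrong guess revokes the wrong certificate or nothing at all while the CRL is regenerated regardless.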
Server config, option by option:

- Port to listen on
  - `port 1194`
- Protocol to use (TCP or UDP)
  - `proto udp`
- tun or tap device to use (tun for routing, tap for bridging)
  - `dev tun0`
- CA certificate that client certificates are verified against
  - `ca /etc/ssl/myca/SERVER_CA.crt`
- Server certificate
  - `cert /etc/ssl/mycerts/SERVER.crt`
- Server private key
  - `key /etc/ssl/private/SERVER.key`
- Diffie-Hellman parameters
  - `dh /etc/ssl/dh2048.pem`
- Shared TLS authentication key: control-channel packets must carry a valid HMAC under this key, so packets from anyone who does not hold it are dropped before a TLS handshake even starts. The trailing 0/1 is the key direction, usually 0 on the server side and 1 on the client side
  - `tls-auth /etc/ssl/private/tlsauth.key 0`
- CRL to check client certificates against, so revoked clients are refused
  - `crl-verify /etc/ssl/crl/crl.pem`
- Subnet to use for the tunnel device (the server automatically takes the first IP in the subnet)
  - `server 10.255.255.0 255.255.255.0`
- Client IP persistence file
  - `ifconfig-pool-persist ipp.txt`
- Keepalive settings: `keepalive x y` pings every x seconds and drops the connection if nothing has been received from the peer for y seconds
  - `keepalive 10 120`
- Data-channel cipher
  - `cipher AES-256-CBC`
- Data-channel authentication (HMAC) hash
  - `auth SHA384`
- Ciphers allowed for the TLS control channel (tunnel setup)
  - `tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA`
- Persist options keep the key material and the tun device open across restarts instead of reloading them from disk, which would no longer be possible after the privilege downgrade below
  - `persist-key`
  - `persist-tun`
- Level of external scripts that may run; 1 only runs built-in executables (ifconfig, ip, route)
  - `script-security 1`
- Logging options
  - `status /var/log/openvpn-status.log`
  - `log-append /var/log/openvpn.log`
  - `verb 3`
- Privilege downgrade after startup
  - `user nobody`
  - `group nogroup`
- Options pushed to clients: `redirect-gateway def1` routes all client traffic through the tunnel, `dhcp-option DNS` replaces the client's local ISP DNS settings with the given address (here the server's tunnel IP)
  - `push "redirect-gateway def1"`
  - `push "dhcp-option DNS 10.255.255.1"`
Client config, option by option:

- Client mode
  - `client`
- Tunnel device for routed mode
  - `dev tun`
- Protocol (tcp or udp), matching the server
  - `proto udp`
- Remote host and port
  - `remote HOSTNAME 1194`
- Keep retrying to resolve the remote host name instead of giving up
  - `resolv-retry infinite`
- Use a dynamic source port instead of binding to a fixed local port
  - `nobind`
- Persist options keep the key material and the tun device open across restarts instead of reloading them from disk, which would fail once privileges have been dropped after startup
  - `persist-key`
  - `persist-tun`
- Require that the remote host's certificate was issued as a server certificate (the nsCertType server / extendedKeyUsage serverAuth markers set by the `server` extension section above); without this, any client certificate issued by the same CA could pose as the server
  - `remote-cert-tls server`
- Client certificate and private key
  - `cert CLIENT.crt`
  - `key CLIENT.key`
- CA certificate the server's certificate is verified against
  - `ca SERVER_CA.crt`
- Shared TLS authentication key (0/1 for direction, usually 0 on the server side and 1 on the client side)
  - `tls-auth /etc/ssl/private/tlsauth.key 1`
- Data-channel cipher, which must match the server's
  - `cipher AES-256-CBC`
- Authentication hash, which must match the server's
  - `auth SHA384`
- Ciphers for the TLS control channel (tunnel setup), which must have at least one entry in common with the server's list
  - `tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA`
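The notes above boil down to a handful of properties the server and client files must satisfy together: matching cipher, auth and TLS settings, complementary tls-auth directions, `remote-cert-tls server` on the client, `crl-verify` and a privilege downgrade with persist options on the server. The following Python script is an added example, not part of the original page: it parses both configs and reports every violation. SERVER_CONF and CLIENT_CONF are the page's own configs (the server one trimmed of logging and IP-pool lines); WEAK_CLIENT_CONF is a constructed variant with three deliberate mistakes so the checks have something to report. The BF-CBC remark reflects the default cipher of OpenVPN 2.3, the release current when this page was written.

```python
import shlex
from collections import defaultdict

# The page's server config, trimmed of logging and IP-pool lines.
SERVER_CONF = """
port 1194
proto udp
dev tun0
ca /etc/ssl/myca/SERVER_CA.crt
cert /etc/ssl/mycerts/SERVER.crt
key /etc/ssl/private/SERVER.key
dh /etc/ssl/dh2048.pem
tls-auth /etc/ssl/private/tlsauth.key 0
crl-verify /etc/ssl/crl/crl.pem
server 10.255.255.0 255.255.255.0
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
persist-key
persist-tun
script-security 1
user nobody
group nogroup
push "redirect-gateway def1"
push "dhcp-option DNS 10.255.255.1"
"""

# The page's client config.
CLIENT_CONF = """
client
dev tun
proto udp
remote HOSTNAME 1194
persist-key
persist-tun
remote-cert-tls server
cert CLIENT.crt
key CLIENT.key
ca SERVER_CA.crt
tls-auth tlsauth.key 1
cipher AES-256-CBC
auth SHA384
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA
"""

# Constructed variant: wrong tls-auth direction, no remote-cert-tls, other cipher.
WEAK_CLIENT_CONF = (CLIENT_CONF.replace("tlsauth.key 1", "tlsauth.key 0")
                    .replace("remote-cert-tls server\n", "")
                    .replace("cipher AES-256-CBC", "cipher AES-128-CBC"))


def parse_config(text):
    """Map each directive to the list of its argument lists; directives such as
    push and remote may repeat, so every occurrence is kept."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":     # OpenVPN comment lines
            continue
        name, *args = shlex.split(line)     # keeps quoted push options whole
        directives[name].append(args)
    return directives


def first(cfg, name, default=None):
    """Argument list of the first occurrence of a directive, or default."""
    return cfg[name][0] if name in cfg else default


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    s, c = parse_config(server_text), parse_config(client_text)
    findings = []
    # Not negotiated in OpenVPN 2.3: both ends must be configured identically.
    for name in ("proto", "cipher", "auth", "tls-cipher"):
        if first(s, name) != first(c, name):
            findings.append(f"{name} differs: server={first(s, name)} client={first(c, name)}")
    if "cipher" not in s:
        findings.append("no cipher set: OpenVPN 2.3 falls back to its BF-CBC default")
    # tls-auth on both sides, with complementary key directions.
    s_ta, c_ta = first(s, "tls-auth"), first(c, "tls-auth")
    if s_ta is None or c_ta is None:
        findings.append("tls-auth missing on one side: control channel is not HMAC-protected")
    else:
        dirs = {s_ta[1] if len(s_ta) > 1 else None, c_ta[1] if len(c_ta) > 1 else None}
        if dirs not in ({None}, {"0", "1"}):
            findings.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if first(c, "remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server': any cert this CA issued could pose as the server")
    if "crl-verify" not in s:
        findings.append("server lacks crl-verify: revoked client certificates are still accepted")
    if "user" not in s or "group" not in s:
        findings.append("server does not drop privileges (user/group)")
    elif "persist-key" not in s or "persist-tun" not in s:
        findings.append("server drops privileges without persist-key/persist-tun; restarts would fail")
    if int(first(s, "script-security", ["1"])[0]) > 1:
        findings.append("script-security above 1 lets user-defined scripts run")
    return findings


if __name__ == "__main__":
    for label, client in (("page configs", CLIENT_CONF), ("weak client", WEAK_CLIENT_CONF)):
        print(label, check_pair(SERVER_CONF, client) or ["ok"])
```

Run it and the page's pair comes back clean while the weakened client produces three findings. The tls-auth check accepts a key with no direction on both sides (bidirectional mode) but flags any pair that is not exactly 0 and 1, because two peers using the same direction cannot authenticate each other's packets.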