Before we can set up a client/server VPN, we need to set up the public key infrastructure (PKI). The PKI comprises the certificate authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file, which is required for perfect forward secrecy.
To set up PKI, we make use of the easy-rsa
scripts. These scripts were originally supplied with the OpenVPN distribution itself, but nowadays, they can also be downloaded and installed separately.
The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separate from the rest of the OpenVPN services. One option is to keep the PKI certificate authority (CA) key located on a separate external disk, which is attached only when required. Another option would be to keep the CA private key on a separate computer that is not hooked up to any network at all.
This recipe was done on Linux, but can also be done on a Mac OS machine. On Windows, the commands are very similar as well. The Linux easy-rsa
scripts are meant to be run from a bash-like shell, so make sure you are not running csh/tcsh (UNIX shells).
easy-rsa
distribution from your OpenVPN installation:$ mkdir -m 700 -p /etc/openvpn/cookbook/keys $ cd /etc/openvpn/cookbook $ cp -drp /usr/share/easy-rsa/2.0/* .
vars
file. Create a file containing the following:export EASY_RSA=/etc/openvpn/cookbook export OPENSSL="openssl" export PKCS11TOOL="pkcs11-tool" export GREP="grep" export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys" export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" export KEY_SIZE=2048 export CA_EXPIRE=3650 export KEY_EXPIRE=1000 export KEY_COUNTRY="US" export KEY_PROVINCE= export KEY_CITY= export KEY_ORG="Cookbook 2.4" export KEY_OU= export KEY_CN= export KEY_EMAIL="[email protected]"
Note that the PKCS11_MODULE_PATH
and PKCS11_PIN
entries are needed even if you are not using smart cards.
Also note that some KEY_
variables are set to an empty value. This is required for generating certificates in a batch, as we shall see later on.
The default KEY_SIZE
of 2048 bits is sufficiently secure for the next few years. A larger key size (4096 bits) is possible, but the tradeoff is a performance penalty. We shall generate a 4096 bit CA private key, as performance is not an issue here.
Adjust the settings (KEY_ORG
, KEY_OU
, KEY_EMAIL
) to reflect your organization. The meaning of these settings is explained in more details later.
vars
file and generate the CA private key and certificate, using a 4096-bit modulus. Choose a strong password for the CA certificate. After that, simply press the Enter key every time the script asks for input:$ cd /etc/openvpn/cookbook $ . ./vars $ ./clean-all $ KEY_SIZE=4096 ./build-ca --pass
Sample output is shown in the following screenshot:
KEY_EMAIL
variable to an empty value. When the script asks for input, press the Enter key. When the script asks for the CA private key (ca.key
) password, enter the password for the CA certificate. Finally, when the script asks for a [y/n]
answer, type y
:$ export KEY_EMAIL= $ ./build-key-server openvpnserver Generating a 2048 bit RSA private key ............................................................ ............................+++ ...........................................+++ writing new private key to 'openvpnserver.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [US]: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) [Cookbook 2.4]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [openvpnserver]: Name []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/cookbook/openssl- 1.0.0.cnf Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' organizationName :PRINTABLE:'Cookbook 2.4' commonName :PRINTABLE:'openvpnserver' Certificate is to be certified until Oct 13 17:49:24 2018 GMT (1000 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
ca.key
password: $ ./build-key --batch client1
Sample output is shown in the following screenshot:
$ ./build-key-pass --batch client2 Generating a 2048 bit RSA private key ............+++ ...............+++ writing new private key to 'client2.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- Using configuration from /etc/openvpn/cookbook/openssl- 1.0.0.cnf Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'US' organizationName :PRINTABLE:'Cookbook 2.4' commonName :PRINTABLE:'client2' Certificate is to be certified until Oct 13 17:59:15 2018 GMT (1000 days) Write out database with 1 new entries Data Base Updated
tls-auth
key file: $ openvpn --genkey --secret ta.key
The easy-rsa
scripts are a handy set of wrapper scripts around some of the openssl ca
commands. The openssl ca
commands are commonly used to set up a PKI using X509 certificates. The build-dh
script is a wrapper for the openssl dh
command.
The easy-rsa
scripts provide a full PKI setup, supporting different platforms and many settings. Some of these are outlined here.
To use the easy-rsa
scripts on Windows, a command window (cmd.exe
) is required and the starting ./
needs to be removed from all the commands, for example:
[Win]C:> vars [Win]C:> clean-all [Win]C:> build-ca
The following variables are set in the vars
file:
KEY_SIZE=2048
: This is the cipher strength for all private keys. The longer the key size is, the stronger the encryption. Unfortunately, it also makes the encryption process slower.CA_EXPIRE=3650
: This gives the number of days the CA certificate is considered valid, thus translating to a period of 10 years. For a medium-secure setup, this is fine; however, if stronger security is required, this number needs to be lowered.KEY_EXPIRE=1000
: This gives the number of days for which the client of the server certificate is considered valid, thus translating to a period of almost 3 years.KEY_COUNTRY="US"
, KEY_PROVINCE=
, KEY_CITY=
, KEY_ORG="Cookbook 2.4"
, [email protected]
: These variables are all used to form the certificate Distinguished Name (DN). None of them are required, but both OpenVPN and OpenSSL suggest using at least KEY_COUNTRY
to indicate where a certificate was issued.easy-rsa
scripts and the openssl
commands3.129.42.244