LPI Linux Certification/OpenVPN

Detailed Objectives (212.5)

(LPIC-2 Version 4.5)


Weight: 2


Description: Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.


Key Knowledge Areas:

  • OpenVPN


Terms and Utilities:

  • /etc/openvpn/
  • openvpn

Description

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. The official website is openvpn.net.

Motivation

Due to ongoing development, much of the information available for OpenVPN on the web can no longer be used. This book is intended to provide assistance based on currently available software. This does not mean that the very latest software is the basis of the descriptions. Where possible, the versions used are mentioned here. The description avoids technical terms as far as possible. Anyone can make additions and changes here.

Installation

On Linux

Ubuntu

sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

On Windows

The executable files are available on https://openvpn.net/community-downloads.

Note that on 64 bit systems the 32 bit binary does not work; you need the 64 bit executable, for example OpenVPN-2.5.7-I602-amd64.msi for Windows. The following instructions were tested with OpenVPN version 2.5.7.

If only keys are to be created, it is sufficient to use these files: https://github.com/OpenVPN/easy-rsa/releases.

E.g: EasyRSA-3.1.0-win64.zip

During the installation process, the installer asks for a quick install or a custom install. Use the custom installation and, in particular, select all extensions for installation. Easy-RSA in particular is needed if you want to create certificates. OpenVPN installs some folders and files. If you want to install it in C:\Program Files you need administrator rights, or you need to give everyone write rights to the /OpenVPN folder. However, the fewest problems and surprises arise from installing OpenVPN in C:\OpenVPN.

Create keys and certificates

If the highest level of security is to be achieved, the keys and certificates have to be generated on a computer that has no network connection, let alone an Internet connection, and never will have one in the future. A certificate (*.crt) and its associated private key (*.key) must never be transmitted by the same route. A private key (*.key) should exist in only one place at a time. Compare a key to your credit card and the crt to your credit card PIN[1].

On Windows

OpenSSL

Keys and certificates can easily be generated with OpenSSL. OpenSSL is not part of Windows, and it is not available as a standalone software package either. However, a usable OpenSSL is bundled with some software packages. A search for "openssl.exe" in the C: folder shows whether OpenSSL was already installed along with something else. Git ships a very up-to-date OpenSSL, but OpenVPN also contains one. When you find openssl.exe, double-click it; if no error message appears, you already have a usable OpenSSL command line. If it is not there, install e.g. the OpenVPN software.

The certificates and keys should be kept together in one clearly defined place. A folder can be created for this, for example C:/myvpnfiles.

Place a configuration file myopenssl.cnf with the following minimal content into this folder:

[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]

Core key and certificate

First, the central secret core RSA key (the CA key) is created. The following commands are entered at the OpenSSL command line opened as described above. A pass phrase must be entered twice; it must be remembered.

genrsa -aes256 -out C:/myvpnfiles/ca.key 2048

After that, the certificate can be created:

req -new -x509 -sha256 -days 36500 -key C:/myvpnfiles/ca.key -subj '/CN=fooCore' -out C:/myvpnfiles/ca.crt -config C:/myvpnfiles/myopenssl.cnf

These steps for generating the RSA key and certificate are to be repeated for the server and the clients.

Server

The two commands above can also be combined into one statement. With -nodes it is also specified that no pass phrase is assigned to the server key. A pass phrase would require special measures on the server and is not necessary, since we control the server ourselves.

req -newkey rsa:2048 -nodes -subj '/CN=fooServer1' -keyout C:/myvpnfiles/server1.key -out C:/myvpnfiles/server1.csr -config C:/myvpnfiles/myopenssl.cnf

Now the request is signed with the CA key, which produces the server certificate:

x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/server1.csr -CAcreateserial -out C:/myvpnfiles/server1.crt

Clients

For the clients, the steps are repeated in the same way as for the server. However, an end-user pass phrase is assigned here, because the client files are handed to someone else. If these files accidentally fall into the wrong hands, they remain useless without the pass phrase.

req -newkey rsa:2048 -subj '/CN=fooClient1' -keyout C:/myvpnfiles/client1.key -out C:/myvpnfiles/client1.csr -config C:/myvpnfiles/myopenssl.cnf
x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/client1.csr -CAcreateserial -out C:/myvpnfiles/client1.crt

For more clients, these steps are repeated with the name client2 or something else.

Additional files

For the server, additional Diffie-Hellman parameters are required for the encrypted transmission. These values are stored in a file dh.pem. This is just a parameter file; it does not depend on any of the previously generated keys or certificates.

dhparam -out C:/myvpnfiles/dh.pem 2048

One and the same dh file can be used for several servers, since the parameters are not secret and only support the key exchange.

Easy-RSA

Precondition: OpenVPN is installed in a folder with full write permissions. The core key and certificate are generated as follows:

  1. Go to C:\OpenVPN\easy-rsa and run EasyRSA-Start.bat.
  2. Run ./easyrsa init-pki. A new pki folder will be created.
  3. Run ./easyrsa build-ca. You have to enter a password, called a passphrase, and a server name. For the server name, you can use the default name shown inside the square brackets, "fooCore", or another one. You will get the files ...\pki\ca.crt and ...\pki\private\ca.key. These files are the core files for all further generation steps. Don't lose them and put them in a safe place. If you lose control of your private CA key, you can no longer trust any certificate.

The files for the keys and certificates of a server are generated with these commands. "server1" can be replaced by any other name:

  1. ./easyrsa gen-req server1 nopass. Use nopass, since it is usually not possible to use passwords on a server.
    These files are generated: .../pki/reqs/server1.req, .../pki/private/server1.key.
  2. ./easyrsa sign-req server server1 generates server1.crt.
  3. ./easyrsa gen-dh generates .../pki/dh.pem.

Alternatively, all the commands above can be processed with one command:

./easyrsa build-server-full server1

Furthermore files for keys and certificates for a client device are required. "client1" can be replaced by any other name.

  1. ./easyrsa build-client-full client1. These files are generated: ...\pki\reqs\client1.req, ...\pki\private\client1.key and ...\pki\issued\client1.crt.
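The whole procedure from the OpenSSL section (CA, server1 without pass phrase, client1 with pass phrase, dh.pem), which is what the Easy-RSA commands above wrap, as an added example script that is not part of this book or of OpenVPN. It assumes the openssl CLI (1.1.1 or newer) is on PATH; the pass phrases it uses are constructed sample values, and the -addext option is an addition to the page's CA command, explained in the comment.

```shell
#!/bin/sh
# Added example, not from the wikibook: the OpenSSL section's PKI procedure
# as a script, plus two checks a practitioner wants afterwards.
# Assumes the openssl CLI (1.1.1+) is on PATH.
set -eu

# The minimal myopenssl.cnf from the page
write_cnf() {
  printf '[req]\ndistinguished_name = req_distinguished_name\n[req_distinguished_name]\n[v3_req]\n' > "$1"
}

# make_pki DIR CLIENT_PASS CA_PASS  (pass phrases are fed via -passin/-passout
# instead of the interactive prompt; the values used here are constructed samples)
make_pki() {
  dir=$1; cpass=$2; capass=$3
  mkdir -p "$dir"; write_cnf "$dir/myopenssl.cnf"
  # CA: AES-256 protected key and self-signed certificate. -addext marks it as
  # a CA explicitly; older OpenSSL otherwise omits basicConstraints with this
  # minimal config and 'openssl verify' then rejects the chain.
  openssl genrsa -aes256 -passout "pass:$capass" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 36500 -key "$dir/ca.key" -passin "pass:$capass" \
    -subj '/CN=fooCore' -addext 'basicConstraints=critical,CA:TRUE' \
    -out "$dir/ca.crt" -config "$dir/myopenssl.cnf"
  # Server: key without pass phrase (-nodes), request signed by the CA
  openssl req -newkey rsa:2048 -nodes -subj '/CN=fooServer1' -keyout "$dir/server1.key" \
    -out "$dir/server1.csr" -config "$dir/myopenssl.cnf" 2>/dev/null
  openssl x509 -req -sha256 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$capass" \
    -days 36500 -in "$dir/server1.csr" -CAcreateserial -out "$dir/server1.crt" 2>/dev/null
  # Client: key protected by the end-user pass phrase, request signed by the CA
  openssl req -newkey rsa:2048 -passout "pass:$cpass" -subj '/CN=fooClient1' \
    -keyout "$dir/client1.key" -out "$dir/client1.csr" -config "$dir/myopenssl.cnf" 2>/dev/null
  openssl x509 -req -sha256 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$capass" \
    -days 36500 -in "$dir/client1.csr" -CAcreateserial -out "$dir/client1.crt" 2>/dev/null
}

# make_dh DIR BITS: DH parameters are public and not bound to any key, so one
# dh.pem can serve several servers (2048 bits is slow, hence a separate step)
make_dh() { openssl dhparam -out "$1/dh.pem" "$2" 2>/dev/null; }

# key_is_encrypted FILE: true if the PEM private key needs a pass phrase
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# cert_chain_ok DIR NAME: true if NAME.crt was issued by ca.crt
cert_chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Usage: sh make_pki.sh C:/myvpnfiles   (or any other directory)
if [ $# -ge 1 ]; then
  make_pki "$1" 'client-pass-example' 'ca-pass-example'
  make_dh "$1" 2048
  cert_chain_ok "$1" server1 && cert_chain_ok "$1" client1 && echo 'chain OK'
fi
```

After the run, key_is_encrypted reports that ca.key and client1.key carry a pass phrase while server1.key does not, which is exactly the split the page prescribes.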



References