LPI Linux Certification/OpenVPN
Detailed Objectives (212.5)
edit(LPIC-2 Version 4.5)
Weight: 2
Description: Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.
Key Knowledge Areas:
- OpenVPN
Terms and Utilities:
/etc/openvpn/
openvpn
Description
editOpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. The official website is openvpn.net.
Motivation
editDue to ongoing development, many of the information available for OpenVPN on the web can no longer be used. This book is intended to provide assistance based on currently available software. This does not mean that the very latest software is the basis of the descriptions. If possible, the versions used are mentioned here. The description should avoid technical terms as far as possible. Anyone can make additions and changes here.
Installation
editOn Linux
editUbuntu
editsudo apt-get install network-manager-openvpn network-manager-openvpn-gnome
On Windows
editThe executable files are available on https://openvpn.net/community-downloads.
Consider, for 64 bit systems the 32 bit binary does not work. You need the 64 executable file. For example, for Windows OpenVPN-2.5.7-I602-amd64.msi
. The following instructions was tested with the OpenVPN 2.5.7 version.
If only keys are to be created, it is sufficient to use these files: https://github.com/OpenVPN/easy-rsa/releases.
During the installation process, the installer ask for quick install or custom install. Use custom installation. Espically , click all extensions to install. In particular, easyrsa is needed if you want to create certificates.
OpenVPN installs some folders and files. If you want to install it in C:\Program Files
you need administrator rights or you need to give everyone write rights in the /OpenVPN
folder. However, the fewest problems and surprises arise from installing OpenVPN in C:\OpenVPN
.
Create keys and certificates
editIf you have to realized highest security, the keys and certificates have to generated on a computer that has no network connection, let alone an Internet connection, and will never do so again in the future.
A certificate (*.crt) and an associated private key (*.key) shall never be transmitted over the same way. A private key (*.key) should only be in one place at a time.
Compare a key
to your credit card and the crt
to your credit card PIN[1].
On Windows
editOpenSSL
editKeys and certificates can easily be generated with OpenSSL. OpenSSL is not a part of Windows. OpenSSL is also not as a single software package available. However, usable OpenSSL is part of some software packages. A search for "openssl.exe" in the C:
folder shows whether OpenSSL was along the way installed another time. Git use very up to date OpenSSL. But e.g. OpenVPN also contains OpenSSL. When you find openssl.exe
, double-click on it; if no error message appears, it is already the usuable command line. If it's not there, install e.g. the OpenVPN software.
The certificates and keys should be stored clearly at one place. A folder can be created for this as follows: C:/myvpnfiles
.
Into this folder is to place a configuration file myopenssl.cnf
, following with a minimal content:
[req] distinguished_name = req_distinguished_name [req_distinguished_name] [v3_req]
- Core key and certificate
At first, the central secret core RSA key is to be created. In addition, a pass phrase must be entered twice, which must be remembered.
genrsa -aes256 -out C:/myvpnfiles/ca.key 2048
After that, the certificate can be created:
req -new -x509 -sha256 -days 36500 -key C:/myvpnfiles/ca.key -subj '/CN=fooCore' -out C:/myvpnfiles/ca.crt -config C:/myvpnfiles/myopenssl.cnf
These steps for generating the RSA key and certificate are to be repeated for the server and the clients.
- Server
These two commands above can also be combined into one statement. With -noip
it is also specified for the server that no pass phrase is assigned here. A pass phrase would require special measures on the server and is not necessary since the server is owned by us.
req -newkey rsa:2048 -nodes -subj '/CN=fooServer1' -keyout C:/myvpnfiles/server1.key -out C:/myvpnfiles/server1.csr -config C:/myvpnfiles/myopenssl.cnf
Now the certificate is to be validated:
x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/server1.csr -CAcreateserial -out C:/myvpnfiles/server1.crt
- Clients
For the clients, the steps are repeated in the same way as for the server. However, a end user pass phrase is assigned here. Because the client files are given to someone else. If these files accidentally fall into the wrong hands, they remain useless without the pass phrase.
req -newkey rsa:2048 -subj '/CN=fooClient1' -keyout C:/myvpnfiles/client1.key -out C:/myvpnfiles/client1.csr -config C:/myvpnfiles/myopenssl.cnf
x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/client1.csr -CAcreateserial -out C:/myvpnfiles/client1.crt
For more clients these steps are to be repaeted with name client2 or something else.
- Additionals
For the server are additional Diffie Hellmann params required for the encrypted transmission. These values are stored in a file dh.pem. This is just a parameter file, which is in no way required for the previously generated keys or certificates.
dhparam -out C:/myvpnfiles/dh.pem 2048
One and the same dh-file can be used for several servers, since the values only are used for software support.
Easy-RSA
editPrecondisioned OpenVPN is installed in a folder with full write permissions. The core key and certificate are generated as follows:
- Go to
C:\OpenVPN\easy-rsa
. RunEasyRSA-Start.bat
./easyrsa init-pki
A new pki folder will be created../easyrsa build-ca
There you have to put in a password, called a passphrase, and a server name. For the server name, you can use the default name inside the square brackets "fooCore" or another. You will get the files...\pki\ca.crt
and...\pki\private\ca.key
. These files are the core files for all other generations. Don't lose them and put them in a safe place. If you lose control of your private CA key, you can no longer trust any certificate.
The files for keys and certificates for a server are generated with this commands. "server1" can be replaced by any other name:
./easyrsa gen-req server1 nopass
Usenopass
, since it is usually not possible to use passwords on a server.
These files are generated:.../pki/reqs/server1.req
,.../pki/private/server1.key
../easyrsa sign-req server server1
generatesserver1.crt
../easyrsa gen-dh
does generate.../pki/dh.pem
.
- Alternatively all the commands before can be processed with one command:
./easyrsa build-server-full server1
Furthermore files for keys and certificates for a client device are required. "client1" can be replaced by any other name.
./easyrsa build-client-full client1
These files are generated:...\pki\reqsclient1.req
,...\pki\privateclient1.key
and...\pki/issued/client1.crt
.