Gentoo Forums
OpenVPN/EasyRSA help
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196

PostPosted: Sat Jul 28, 2018 5:26 pm    Post subject: OpenVPN/EasyRSA help

So, I've started digging in to creating my own VPN tunnel.

Using this for OpenVPN setup: https://wiki.gentoo.org/wiki/OpenVPN
Using this for Easy-RSA key setup: https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts

That said, I've never really been comfortable with understanding how keys work, and then I had questions regarding OpenVPN too.

My overall goal is to create keys for two android mobile phones to connect to this box for internet access via 4G network.

If someone could explain what the init-pki, gen-req, sign-req, gen-dh, and build-client-full scripts actually do? (well the page says what it does, but what are the generated files used for?)

How do I take the keys generated and apply them to OpenVPN? The phones?

Does OpenVPN run as its own user? Will I need to get the keys copied over to some location and give proper permissions to allow OpenVPN to access them?
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
axl
Veteran
Joined: 11 Oct 2002
Posts: 1144
Location: Romania

PostPosted: Sat Jul 28, 2018 9:32 pm    Post subject: Re: OpenVPN/EasyRSA help

Bigun wrote:
If someone could explain what the init-pki, gen-req, sign-req, gen-dh, and build-client-full scripts actually do? (well the page says what it does, but what are the generated files used for?)


they are keys. I couldn't explain which key does what exactly in the internals of openvpn, but i could _try_ to help you to make it all work.

Bigun wrote:
How do I take the keys generated and apply them to OpenVPN? The phones?


On the phone you include them inside the configuration file. Instead of a conf like on the server, where you mention the key by filename, on the client you paste it in, and it's an .ovpn file which includes the client conf and the keys all pasted together. I can show you how to make your own, without actually showing any keys.

Quote:
Does OpenVPN run as its own user? Will I need to get the keys copied over to some location and give proper permissions to allow OpenVPN to access them?


openvpn runs as the user specified in the conf. So I guess it runs as root, but drops privileges on its own based on what you tell it in the conf. I see I have user nobody group nogroup in conf... so... yeah.

where did you get stuck?
Bigun
Advocate
Joined: 21 Sep 2003
Posts: 2196

PostPosted: Sat Jul 28, 2018 9:51 pm    Post subject: Re: OpenVPN/EasyRSA help

axl wrote:
where did you get stuck?


I followed the OpenVPN instructions above, I followed the Easy-RSA instructions above.

So, first goal, get OpenVPN running:

I have a bunch of *.key, *.req, *.crt, and *.pem files generated in the /root/easy-rsa-example directory, I just have no idea where to put them so "nobody" can read them (I'm assuming running openVPN as root is a bad idea, so the keys need to go somewhere besides /root).

Then I guess after that's established, we can work on the OpenVPN config.
_________________
"It's ok, they might have guns but we have flowers." - Perpetual Victim
axl
Veteran
Joined: 11 Oct 2002
Posts: 1144
Location: Romania

PostPosted: Sat Jul 28, 2018 10:30 pm    Post subject: Re: OpenVPN/EasyRSA help

Bigun wrote:
axl wrote:
where did you get stuck?


I followed the OpenVPN instructions above, I followed the Easy-RSA instructions above.

So, first goal, get OpenVPN running:

I have a bunch of *.key, *.req, *.crt, and *.pem files generated in the /root/easy-rsa-example directory, I just have no idea where to put them so "nobody" can read them (I'm assuming running openVPN as root is a bad idea, so the keys need to go somewhere besides /root).

Then I guess after that's established, we can work on the OpenVPN config.


DISCLAIMER: I DO NOT CLAIM TO BE AN EXPERT. I just kinda know how to get it all going, because I did it for myself.

Now that being said, I'll just post my server and client files. and 1 shell script.

This first one is server.conf. It's nothing fancy, just the actual server.conf recommended by all guides, with a few modifications. It will be a good place to start. So here it is.

Code:

# OpenVPN 2.4 server config. Relative paths resolve against the directory
# OpenVPN is started from (or a --cd option), so start it from the directory
# holding these files or use absolute paths.
port 1194
proto tcp
dev tun
# PKI material from easy-rsa: the CA cert is the trust anchor used to verify
# client certs; cert/key are this server's own identity (pki/issued/<name>.crt
# and pki/private/<name>.key); dh holds the Diffie-Hellman parameters from
# gen-dh; ta.key is the shared HMAC key that makes the server drop packets not
# signed with it before they reach the TLS code. The "0" here pairs with
# "key-direction 1" on the clients.
ca ca_public.crt
cert public.crt
key public.key
tls-auth ta_public.key 0
dh dh_public.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist public.txt
cipher AES-256-CBC
# comp-lzo and compress both set the compression algorithm; the later line
# wins. Data-channel compression is what the VORACLE attack exploits, so
# leaving both lines out is the safer choice.
comp-lzo
compress lz4-v2
# Keys are read once at startup; persist-key keeps them usable across
# restarts after the privilege drop to nobody/nogroup below.
persist-key
persist-tun
user nobody
group nogroup
status public.log
verb 3
sndbuf 0
rcvbuf 0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# duplicate-cn lets several clients connect with the same cert at once;
# with one cert per phone it is not needed.
duplicate-cn
keepalive 5 30


the relevant lines here will be:

Code:
ca ca_public.crt
cert public.crt
key public.key
tls-auth ta_public.key 0
dh dh_public.pem

dont worry, we will get there.

let's take a look at the client file:

Code:
client
dev tun
proto tcp
# $server1/$server2 are placeholders for the server's hostname or IP;
# the second remote is tried if the first one fails
remote $server1 1194
remote $server2 1194
resolv-retry infinite
nobind
cipher AES-256-CBC
# compression settings must match the server; see the note in server.conf
comp-lzo
compress lz4-v2
sndbuf 0
rcvbuf 0
persist-key
persist-tun
# require the server cert to carry the server EKU that "easyrsa sign-req
# server" sets, so a stolen client cert cannot pose as the server
remote-cert-tls server
# client side of "tls-auth ta.key 0"; the key itself is pasted in <tls-auth>
key-direction 1

Now, this by itself will not do much for the client, but there's a shell script. I'll first post it, then try to tie it all together.

Code:

#!/bin/bash
# Issue a client key/cert with easy-rsa and bundle it into an inline .ovpn.
# Usage: ./mkclient.sh <client_name>
# Paths are the poster's layout: easy-rsa in /etc/openvpn/public, the client
# template and the finished bundles in /etc/openvpn/ovpn.
set -euo pipefail
name=${1:?usage: $0 <client_name>}
cd /etc/openvpn/public
./easyrsa gen-req "$name" nopass      # pki/private/<name>.key and pki/reqs/<name>.req
./easyrsa sign-req client "$name"     # pki/issued/<name>.crt
cd ..
# Copy only the BEGIN..END block. pki/issued/*.crt starts with a text dump
# whose length varies, so a fixed "tail -n 20" silently truncates or keeps junk.
pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }
out="ovpn/public_${name}.ovpn"
umask 077                              # the bundle contains a private key
{
  cat ovpn/public.ovpn
  echo "<ca>";       pem ca_public.crt;                   echo "</ca>"
  echo "<cert>";     pem "public/pki/issued/${name}.crt";  echo "</cert>"
  echo "<key>";      pem "public/pki/private/${name}.key"; echo "</key>"
  echo "<tls-auth>"; pem ta_public.key;                   echo "</tls-auth>"
} > "$out"
echo "wrote $out"



Ok. So, I keep my keys and easy-rsa in /etc/openvpn. It's obvious I have 2 tunnels, one public, one private, so you can disregard the public parts of the file.

So, easy-rsa can be downloaded with git: git clone https://github.com/OpenVPN/easy-rsa, and from there only easyrsa3/ will be needed. So I copied that to /etc/openvpn and their respective places, and you start making the keys according to the guide.

EDIT: this is a much later edit. This part means that after I cloned easy-rsa with git, I copied from easy-rsa only the directory easyrsa3 to /etc/openvpn/public. You can make it /etc/openvpn/server. Inside you should have the contents of the easyrsa3 directory: the executable, vars.example, openssl-easyrsa.cnf and a directory.

Keep in mind that any keys generated without "nopass" will require a user to type the password by hand, so don't generate server keys that require passwords.

OK, so now you've downloaded easy-rsa and placed it in the right place. Next you have to edit vars.example for EASYRSA_REQ_CN, EASYRSA_REQ_COUNTRY, EASYRSA_REQ_PROVINCE, EASYRSA_REQ_CITY, EASYRSA_REQ_ORG, EASYRSA_REQ_EMAIL, EASYRSA_REQ_OU.

./easyrsa init-pki
./easyrsa build-ca nopass (here you can use pass. it will only ask for pass when you sign others. I'm just very lazy)

You will be told you made your ca.crt. Remember we talked earlier about a few important lines: ca ca_public.crt. This is the one file; this is how you make it. Next we're going to make the key file and cert file for the server like so:

./easyrsa gen-req server_name

this creates the key file server_name.key. Line: key public.key

./easyrsa sign-req server server_name

this will create the cert file. Line: cert public.crt

next:

./easyrsa gen-dh

this key corresponds to line: dh dh_public.pem

and the last one:

openvpn --genkey --secret ta.key

this corresponds to line: tls-auth ta_public.key 0

ok. this takes care of the server.

now for each client you have to create a pair of key/crt files. you do so by:

./easyrsa gen-req client_name

this creates the key file client_name.key.

./easyrsa sign-req client client_name

this will create the cert file.

if you look at the shell script, it does that for me.

NOW, the last thing. If you take a look at the shell file you can see what the .ovpn should look like. In fact the .ovpn file mentioned in the script is the empty client file posted here: the first few lines copied from the template, then certificates pasted with <> tags. All obvious in the shell script.

You start the server with openvpn --config path_to_config and make sure the certificates are read-only to the user that is running the tunnels; then upload the .ovpn files (by mail is the easiest and in my case most secure, because everything is secured by SSL anyway mailwise) and that's about it. I think. Tell me where you get stuck.
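Pulling the thread together, here is an added example (mine, not code from axl's post or from the easy-rsa project) that does three things his script and configs do by hand: it extracts PEM blocks by their BEGIN/END markers instead of counting lines with tail, writes the inline .ovpn with mode 0600 from the start, and flags the settings in the posted server.conf and client config that a reviewer would question (compression, duplicate-cn, CBC cipher, no crl-verify). The easy-rsa commands from the post are wrapped in build_server_pki, which needs easyrsa and openvpn on the PATH; the function names, directory layout and file names are assumptions that mirror his /etc/openvpn/public setup.

```sh
#!/bin/sh
# Added example, not code from the thread or from easy-rsa. Directory layout
# and file names are assumptions that mirror axl's /etc/openvpn/<profile>.
set -eu

# True if <directive> (a regex) is set, uncommented, in <file>.
has() {  # has <file> <directive-regex>
    grep -Eq "^[[:space:]]*${2}([[:space:]]|\$)" "$1"
}

# Copy the PEM object out of a file. easy-rsa puts a human-readable dump
# above the base64 in pki/issued/*.crt, so "tail -n 20" only works while the
# header length and key size happen to fit; selecting BEGIN..END always does.
extract_pem() {  # extract_pem <file>
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Assemble an inline .ovpn: the client template (which must already carry
# "key-direction 1" to match "tls-auth ta.key 0" on the server) followed by
# <ca>/<cert>/<key>/<tls-auth>. The bundle embeds a private key, so it is
# created 0600 through umask rather than chmod'ed after the fact.
build_client_ovpn() {  # build_client_ovpn <out> <template> <ca> <cert> <key> <ta>
    out=$1; tmpl=$2; ca=$3; cert=$4; key=$5; ta=$6
    for f in "$ca" "$cert" "$key" "$ta"; do
        extract_pem "$f" | grep -q '^-----BEGIN ' ||
            { echo "no PEM block in $f" >&2; return 1; }
    done
    rm -f "$out"                      # umask does not fix an existing file's mode
    (
        umask 077
        {
            cat "$tmpl"
            echo '<ca>';        extract_pem "$ca";   echo '</ca>'
            echo '<cert>';      extract_pem "$cert"; echo '</cert>'
            echo '<key>';       extract_pem "$key";  echo '</key>'
            echo '<tls-auth>';  extract_pem "$ta";   echo '</tls-auth>'
        } > "$out"
    )
}

# True if group and other have no permission bits on <file>; private keys
# and the .ovpn bundles should pass this before they leave the box.
owner_only() {  # owner_only <file>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the settings in an OpenVPN config that a reviewer would question and
# return their number, so "lint_conf f server && echo clean" works.
lint_conf() {  # lint_conf <file> server|client
    f=$1; role=$2; findings=0
    note() { echo "$f: $1"; findings=$((findings + 1)); }
    if has "$f" 'comp-lzo' || has "$f" 'compress[[:space:]]+(lzo|lz4|lz4-v2|stub)'; then
        note "compression is on; remove comp-lzo/compress (VORACLE: an attacker who can inject plaintext into the tunnel recovers secrets from compressed data)"
    fi
    if grep -Eq '^[[:space:]]*cipher[[:space:]]+[A-Za-z0-9-]+-CBC' "$f"; then
        note "CBC data-channel cipher; an AEAD cipher such as AES-256-GCM is preferable"
    fi
    if [ "$role" = server ]; then
        has "$f" 'duplicate-cn' && note "duplicate-cn; one leaked .ovpn then serves any number of devices, so issue one cert per phone instead"
        has "$f" '(tls-auth|tls-crypt)' || note "no tls-auth/tls-crypt; unauthenticated packets reach the TLS stack"
        has "$f" 'crl-verify' || note "no crl-verify; a cert you revoke with easyrsa is still accepted"
        has "$f" 'user' || note "no user/group; the daemon keeps root for the whole session"
        if has "$f" 'user' && ! has "$f" 'persist-key'; then
            note "user/group without persist-key; keys cannot be re-read after the privilege drop"
        fi
    else
        has "$f" 'remote-cert-tls[[:space:]]+server' || note "no remote-cert-tls server; any client cert from this CA could impersonate the server"
    fi
    return "$findings"
}

# The easy-rsa side of the procedure; needs easyrsa and openvpn on PATH.
# Assumes easyrsa3/ was copied to <dir> as in axl's layout.
build_server_pki() {  # build_server_pki <easyrsa3-dir> <server-name>
    (
        cd "$1"
        [ -f vars ] || cp vars.example vars   # then set EASYRSA_REQ_* in vars
        ./easyrsa init-pki
        ./easyrsa build-ca nopass             # pki/ca.crt and pki/private/ca.key
        ./easyrsa gen-req "$2" nopass         # pki/private/<name>.key, pki/reqs/<name>.req
        ./easyrsa sign-req server "$2"        # pki/issued/<name>.crt
        ./easyrsa gen-dh                      # pki/dh.pem
        openvpn --genkey --secret pki/private/ta.key
        chmod 600 pki/private/*
    )
}

# Typical use (paths are assumptions):
#   build_server_pki /etc/openvpn/server/easyrsa3 myserver
#   ./easyrsa gen-req phone1 nopass && ./easyrsa sign-req client phone1
#   build_client_ovpn phone1.ovpn client.tmpl pki/ca.crt pki/issued/phone1.crt \
#       pki/private/phone1.key pki/private/ta.key
#   lint_conf /etc/openvpn/server.conf server
```

Run against the server.conf and client config posted above, lint_conf reports four and two findings respectively; the posted files are not broken, but each finding is a setting you would want to decide on deliberately before handing a bundle with a passphrase-less key to a phone.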
All times are GMT