Easy-RSA: Difference between revisions
(reworking article/work in progress)
(Sorry, but this must be split in several smaller, comprehensible edits: ArchWiki:Contributing#Do_not_make_complex_edits_at_once)
Revision as of 14:29, 9 August 2016
The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). The PKI consists of:
- A public master Certificate Authority (CA) certificate and a private key.
- A separate public certificate and private key pair for each server and each client.
To facilitate the certificate creation process, easy-rsa provides an RSA key management script.
Note: The certificates can be created on any machine. For the highest security, generate the certificates on a physically secure machine disconnected from any network, and make sure that the generated ca.key private key is backed up and kept secret from users.
OpenVPN Server and Client Configuration
Note: All commands below are expected to be run as the root user. To make them more copy/paste friendly for readers, they are not prefixed.
Create the CA
After installing easy-rsa, initialize a new PKI and generate a CA:
cd /etc/easy-rsa
easyrsa init-pki
easyrsa build-ca
Create the DH
Create the initial dh.pem file:
cd /etc/easy-rsa
openssl dhparam -out /etc/easy-rsa/pki/dh.pem 2048
Note: Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.
Create and sign an entity keypair
The term "entity" in this context can be a unique name given to a specific user (in the case of client key pairs) or to a particular server.
Generate and sign a key pair:
cd /etc/easy-rsa
easyrsa gen-req entity nopass
Sign the server cert and key with the CA.
Note: Server keys need to be signed with "server" type whereas clients need to be signed with the "client" type. Make the appropriate substitution for the word "TYPE" in the following command.
cd /etc/easy-rsa
easyrsa sign-req TYPE entity
Generate a secret Hash-based Message Authentication Code (HMAC) key
cd /etc/easy-rsa
openvpn --genkey --secret /etc/easy-rsa/pki/ta.key
This key will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition, any UDP packet not carrying the correct HMAC signature will be immediately dropped, protecting against:
- Portscanning.
- DoS attacks on the OpenVPN UDP port.
- SSL/TLS handshake initiations from unauthorized machines.
- Any eventual buffer overflow vulnerabilities in the SSL/TLS implementation.
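As an added example, not part of the ArchWiki page or of the easy-rsa project, the steps above (CA, DH parameters, server and client key pairs, HMAC key) collected into one POSIX shell script that runs them non-interactively with Easy-RSA 3's --batch option and then checks each issued certificate: that it chains to pki/ca.crt, and that its Extended Key Usage matches the TYPE it was signed with, which is the substitution the note above warns about. Assumptions: easy-rsa 3 with its working directory at /etc/easy-rsa as on the page, openssl and openvpn on PATH; the entity names vpn-server and alice are placeholders.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): build the OpenVPN PKI described
# above in one non-interactive run and verify what was produced.
# Assumptions: easy-rsa 3 with its working directory at /etc/easy-rsa (as on
# the page), openssl and openvpn on PATH, and placeholder entity names below.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-/etc/easy-rsa}"
SERVER_NAME="${SERVER_NAME:-vpn-server}"   # placeholder entity name for the server
CLIENT_NAME="${CLIENT_NAME:-alice}"        # placeholder entity name for one client

# Map the Extended Key Usage text that 'openssl x509 -text' prints to the
# TYPE the certificate was signed with: 'sign-req server' adds serverAuth
# ("TLS Web Server Authentication"), 'sign-req client' adds clientAuth
# ("TLS Web Client Authentication").
eku_role() {
    case "$1" in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo unknown ;;
    esac
}

# Check that a certificate chains to pki/ca.crt and was signed with the
# expected TYPE. Prints the reason and returns 1 on failure.
check_cert() {
    cert="$1"
    want="$2"
    if ! openssl verify -CAfile "$EASYRSA_DIR/pki/ca.crt" "$cert" >/dev/null 2>&1; then
        echo "$cert: does not chain to ca.crt" >&2
        return 1
    fi
    got=$(eku_role "$(openssl x509 -in "$cert" -noout -text)")
    if [ "$got" != "$want" ]; then
        echo "$cert: signed as '$got', expected '$want' (wrong TYPE in sign-req)" >&2
        return 1
    fi
    echo "$cert: OK ($want)"
}

# The page's procedure, end to end. --batch suppresses the confirmation
# prompts; build-ca still asks for a passphrase for ca.key, which the page
# says to keep backed up and secret.
build_pki() {
    cd "$EASYRSA_DIR"
    easyrsa init-pki
    easyrsa --batch build-ca
    openssl dhparam -out "$EASYRSA_DIR/pki/dh.pem" 2048
    easyrsa --batch gen-req "$SERVER_NAME" nopass
    easyrsa --batch sign-req server "$SERVER_NAME"
    easyrsa --batch gen-req "$CLIENT_NAME" nopass
    easyrsa --batch sign-req client "$CLIENT_NAME"
    # Same command as on the page; OpenVPN 2.5 and later also accept
    # 'openvpn --genkey secret pki/ta.key'.
    openvpn --genkey --secret "$EASYRSA_DIR/pki/ta.key"
    check_cert "$EASYRSA_DIR/pki/issued/$SERVER_NAME.crt" server
    check_cert "$EASYRSA_DIR/pki/issued/$CLIENT_NAME.crt" client
    [ -s "$EASYRSA_DIR/pki/ta.key" ] || { echo "ta.key was not created" >&2; return 1; }
    echo "PKI ready under $EASYRSA_DIR/pki"
}

# Only run the build when asked explicitly:  ./build-pki.sh build
if [ "${1-}" = build ]; then
    build_pki
fi
```

Run it as root with the single argument build. check_cert can also be called on its own against any certificate in pki/issued/ after the fact, for example to confirm that a certificate handed to a client was really signed with the client type.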
See also
Upstream docs
- README.quickstart: https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
- EasyRSA-Advanced: https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Advanced.md