From ArchWiki
Revision as of 14:04, 9 August 2016 by Graysky (talk | contribs) (reworking article/work in progress)

The first step when setting up OpenVPN is to create a Public Key Infrastructure (PKI). In summary, this consists of:

  • A public master Certificate Authority (CA) certificate and a private key.
  • A separate public certificate and private key pair for each server.
  • A separate public certificate and private key pair for each client.

One can think of the key-based authentication in terms similar to how SSH keys work, with the added layer of a signing authority (the CA). OpenVPN relies on a bidirectional authentication strategy: the client must authenticate the server's certificate and, in parallel, the server must authenticate the client's certificate. This is accomplished by the signature of a third party (the CA) on both the client and server certificates. Once this is established, further checks are performed before the authentication is complete. For more details, see secure-computing's guide.

Note: All commands below are expected to be run as the root user. To make them more copy/paste friendly for readers, they are not prefixed.

Certificate Authority (CA)

Note: For security purposes, it is recommended that the CA machine be separate from the machine running OpenVPN.

After installing easy-rsa on the CA machine, initialize a new PKI and generate a CA keypair that will be used to sign certificates:

cd /etc/easy-rsa
easyrsa init-pki
easyrsa build-ca

OpenVPN server files

The server will require 3 sets of files:

  1. The server key pair (a public certificate and a private key).
  2. The Diffie-Hellman (DH) parameters file (needed for TLS mode, which is recommended).
  3. The Hash-based Message Authentication Code (HMAC) key.

Server certificate and private key

On the machine that will be running OpenVPN, install easy-rsa and generate a key pair for the server:

cd /etc/easy-rsa
easyrsa init-pki
easyrsa gen-req servername nopass

This will end up with two files on the OpenVPN server:

  • /etc/easy-rsa/pki/reqs/servername.req
  • /etc/easy-rsa/pki/private/servername.key

Diffie-Hellman (DH) parameters file

Create the initial dh.pem file:

openssl dhparam -out /etc/openvpn/dh.pem 2048

Note: Although values higher than 2048 (4096 for example) may be used, they take considerably more time to generate and offer little benefit in security.

Hash-based Message Authentication Code (HMAC) key

Create the HMAC key:

openvpn --genkey --secret /etc/openvpn/ta.key

This key will be used to add an additional HMAC signature to all SSL/TLS handshake packets. In addition, any UDP packet not carrying the correct HMAC signature will be dropped immediately, protecting against:

  • Port scanning.
  • DoS attacks on the OpenVPN UDP port.
  • SSL/TLS handshake initiations from unauthorized machines.
  • Any potential buffer overflow vulnerabilities in the SSL/TLS implementation.

OpenVPN client files

Client certificate and private key

Any machine can generate client files. The machine will need easy-rsa installed.

Initialize the pki if not generating the client keypair on the OpenVPN server:

cd /etc/easy-rsa
easyrsa init-pki

Generate the client key and certificate:

cd /etc/easy-rsa
easyrsa gen-req client1 nopass

This will end up with two files on the machine where they were generated:

  • /etc/easy-rsa/pki/reqs/client1.req
  • /etc/easy-rsa/pki/private/client1.key

The gen-req step can be repeated as many times as needed for additional clients.

Sign the certificates on the CA

The server and client certificates need to be signed by the CA. Since these files were generated on the OpenVPN server machine, the requests need to be transferred to the CA by a secure means (emailing them as attachments is not recommended). For the purposes of this guide, scp is shown; readers may employ alternative methods as well. Since the Arch default is to deny the root user over ssh, this will require transferring ownership of the files to be exported to a non-root user (in the case of the code snippet below, this is the foo user).

On the OpenVPN server (or the box used to generate the certificate/key pairs):

cp /etc/easy-rsa/pki/reqs/*.req /tmp
chown foo /tmp/*.req

Now foo can securely transfer (via scp) these requests to the CA for signing:

scp /tmp/*.req foo@hostname-of-CA:/tmp

On the CA machine, import and sign the certificate requests:

cd /etc/easy-rsa
easyrsa import-req /tmp/servername.req servername
easyrsa import-req /tmp/client1.req client1
easyrsa sign-req server servername
easyrsa sign-req client client1

This will create the following signed certificates, which can be transferred back to their respective machines:

  • /etc/easy-rsa/pki/issued/servername.crt
  • /etc/easy-rsa/pki/issued/client1.crt

cp /etc/easy-rsa/pki/issued/*.crt /tmp
chown foo /tmp/*.crt
scp /tmp/*.crt foo@hostname-of-openvpn_server:/tmp
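Before the signed certificates, keys and ta.key are copied into /etc/openvpn, it is worth checking that they actually fit together. The script below is an added example (not part of this article or of easy-rsa); it assumes the pki layout used above (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key) and the ta.key written by openvpn --genkey, and uses only the openssl command line.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: sanity checks to run on the
# finished easy-rsa PKI before copying files into /etc/openvpn.
# Assumes the layout used above: PKI/ca.crt, PKI/issued/NAME.crt,
# PKI/private/NAME.key, plus the ta.key written by "openvpn --genkey".

# Does the issued certificate chain to our CA? Catches a cert signed by a
# different (or previous) CA keypair, which OpenVPN peers will reject.
cert_chains_to_ca() {  # $1 = ca.crt, $2 = issued certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the certificate's public key match the private key kept next to it?
# Catches a request/key mix-up when several gen-req runs share one pki dir.
cert_matches_key() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Was it signed with the right sign-req type? "sign-req server" sets the
# serverAuth EKU; a server cert signed as "client" fails the client's
# "remote-cert-tls server" check (and vice versa on the server side).
cert_has_eku() {  # $1 = certificate, $2 = EKU text as printed by openssl
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Is ta.key a complete 2048-bit OpenVPN static key (512 hex digits)?
ta_key_ok() {  # $1 = ta.key
    grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$1" 2>/dev/null &&
    grep -q -- '-----END OpenVPN Static key V1-----' "$1" &&
    n=$(sed -n '/BEGIN OpenVPN/,/END OpenVPN/p' "$1" | grep -v -- '-----' | tr -dc '0-9a-fA-F' | wc -c | tr -d ' ') &&
    [ "$n" -eq 512 ]
}

# Run every check for one name; prints one line per check, non-zero on failure.
check_pki() {  # $1 = pki dir, $2 = name, $3 = server|client, $4 = ta.key
    crt="$1/issued/$2.crt"; key="$1/private/$2.key"; rc=0
    if [ "$3" = server ]; then eku='TLS Web Server Authentication'; else eku='TLS Web Client Authentication'; fi
    cert_chains_to_ca "$1/ca.crt" "$crt" && echo "ok   $2 signed by $1/ca.crt" ||
        { echo "FAIL $2 is not signed by $1/ca.crt"; rc=1; }
    cert_matches_key "$crt" "$key" && echo "ok   $2 cert matches $key" ||
        { echo "FAIL $2 cert/key mismatch"; rc=1; }
    cert_has_eku "$crt" "$eku" && echo "ok   $2 has EKU '$eku'" ||
        { echo "FAIL $2 lacks '$eku' (wrong sign-req type?)"; rc=1; }
    ta_key_ok "$4" && echo "ok   $4 is a complete static key" ||
        { echo "FAIL $4 is missing or malformed"; rc=1; }
    return $rc
}
```

Run it as, for example, check_pki /etc/easy-rsa/pki servername server /etc/openvpn/ta.key on the server and with client1 client for each client.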

<<placeholder for final step>>

See also

Upstream docs