Laconic openvpn setup
A minimal, working OpenVPN setup: a private CA built with OpenSSL, a server certificate, per-user client certificates, and the matching server and client configurations. All server-side paths assume `/etc/openvpn`, and the commands are run from that directory.
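#!/usr/bin/env bash
# Directory layout and `openssl ca` bookkeeping files for the OpenVPN PKI.
# The base directory can be overridden with OVPN_DIR (default /etc/openvpn);
# every other listing in this guide assumes it is the current directory.
set -euo pipefail

OVPN_DIR="${OVPN_DIR:-/etc/openvpn}"
cd -- "$OVPN_DIR" || exit 1

# ccd/ and crl/ are read by the server *after* it has dropped to user openvpn
# (client-config-dir on every connect, crl-verify on every TLS handshake), so
# they must stay world-readable. keys/ and secret/ hold private keys and
# passphrases and are only read as root at startup, so they are root-only.
mkdir -p ccd crl keys secret
chmod 755 ccd crl
chmod 700 keys secret

# Bookkeeping for `openssl ca`: next serial (hex), certificate index, CRL number.
# Only seed them when absent: resetting `serial` on a re-run would hand out a
# serial number that already exists in index.txt.
[[ -e serial ]] || printf '00' > serial
touch index.txt                              # must exist; empty is fine
[[ -e crlnumber ]] || printf '01' > crlnumber # only used once crlnumber is enabled in openssl.cnf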
The listings use the following identity throughout. The organization name must be identical on every certificate, because the CA policy below requires it to match; the common name is what the client verifies on the server certificate.
Organization Name: OVPN-NET
Common Name: OVPN-SERVER (server certificate; client certificates carry their own CN, e.g. `user-laptop`)
Create `/etc/openvpn/openssl.cnf` with the content below. It is not picked up automatically — the `openssl ca` commands in this guide pass it explicitly with `-config openssl.cnf`.
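# OpenSSL configuration for the OpenVPN private CA.
# Read by `openssl ca` (issuing, revoking, CRL generation) when passed with -config.
# All paths are absolute, so the commands in this guide are run from /etc/openvpn.

[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = /etc/openvpn
crl_dir          = $dir/crl
database         = $dir/index.txt          # index of issued certificates; must exist
new_certs_dir    = $dir/keys               # a <serial>.pem copy of every issued cert lands here
certificate      = $dir/keys/CA_cert.pem
serial           = $dir/serial             # next serial number (hex), seeded with "00"
private_key      = $dir/secret/CA_key.pem
crl              = $dir/crl/crl.pem
# crlnumber      = $dir/crlnumber          # enable (file seeded with "01") for the RFC 5280 CRL Number extension
RANDFILE         = $dir/secret/.rand       # ignored by modern OpenSSL; harmless
# Lifetimes in days. 7300 (20 years) is a convenience choice for a private VPN, not a
# recommendation. Note the failure mode of the CRL lifetime: an *expired* CRL makes the
# server reject every client (crl-verify fails closed), so regenerate the CRL well before
# default_crl_days runs out.
default_days     = 7300
default_crl_days = 7300
default_md       = sha256                  # never md5/sha1
unique_subject   = yes                     # a second cert for the same subject is refused until the first is revoked
policy           = policy_any
x509_extensions  = user_extensions         # default extension set; the server cert selects `-extensions server`

# Subject policy. DN components NOT listed here (C, ST, L from the -subj strings below) are
# dropped from the issued certificate. That is why the client verifies the server with
# 'O=OVPN-NET, OU=None, CN=OVPN-SERVER' and not with the full DN.
[ policy_any ]
organizationName       = match             # must equal the CA's O
organizationalUnitName = optional
commonName             = supplied

[ req ]
default_bits        = 4096
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
x509_extensions     = CA_extensions        # only used by `openssl req -x509` (self-signed CA cert)
default_md          = sha256

[ req_distinguished_name ]
organizationName            = Organization Name (must match CA)
organizationName_default    = Company
organizationalUnitName      = Location Name
commonName                  = Common User or Org Name
commonName_max              = 64

# Client (user) certificates: explicitly not a CA and restricted to TLS client authentication.
# extendedKeyUsage = clientAuth is what the server checks if `remote-cert-tls client` is enabled.
[ user_extensions ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer

# Self-signed CA certificate (select with `openssl req -x509 -extensions CA_extensions`).
# This section may contain X.509 extensions ONLY. The original had a stray `default_days`
# here, which makes `openssl req` abort with "unknown extension name"; lifetime is given
# with `-days` on the command line instead.
[ CA_extensions ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Server certificate (select with `openssl ca -extensions server`).
# keyUsage + extendedKeyUsage = serverAuth are what clients check with `remote-cert-tls server`;
# nsCertType is the legacy equivalent for the deprecated `ns-cert-type server`. Without one of
# those checks, or `verify-x509-name`, on the client, any client certificate issued by this CA
# could pose as the server.
[ server ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
nsCertType             = server
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer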
Server keys
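#!/usr/bin/env bash
# Server-side PKI: CA key + certificate, server key + certificate, DH parameters, tls-auth
# key and the initial (empty) CRL. Run from /etc/openvpn after the directory layout step;
# openssl.cnf must be in the current directory.
#
# Every private key is AES-256-encrypted with a passphrase kept in a *.passwd file next to
# it, so the server can start unattended (askpass). Be clear about what that buys: the
# passphrase only helps against someone who obtains the key file but not the passwd file.
# Both are root-only 0400, so this guards against stray copies, not against host compromise.
# A CA key on the VPN server also means a server compromise yields the CA; beyond a home
# setup keep the CA on a separate machine and copy only CA_cert.pem and crl.pem here.
set -euo pipefail

# 128 characters from the base64 alphabet (~768 bits), no trailing newline: accepted as-is by
# openssl -passin/-passout file: and by OpenVPN askpass, and nothing in it needs shell quoting.
gen_passwd() {
  openssl rand -base64 96 | tr -d '\n'
}

# Never clobber an existing CA by re-running this listing.
if [[ -e secret/CA_key.pem ]]; then
  printf 'secret/CA_key.pem already exists; refusing to overwrite the CA\n' >&2
  exit 1
fi

# Passphrase files first, so every later command reads them instead of prompting. (The
# original listing generated these files but then let genrsa prompt interactively, so the
# passphrase on disk and the one actually protecting the key could silently differ.)
umask 077
gen_passwd > secret/CA_key.passwd
gen_passwd > keys/server_key.passwd

# --- CA -------------------------------------------------------------------------------
openssl genrsa -aes256 -passout file:secret/CA_key.passwd -out secret/CA_key.pem 4096
openssl req -new -sha256 -key secret/CA_key.pem -passin file:secret/CA_key.passwd \
  -subj "/C=NN/ST=None/L=None/O=OVPN-NET/OU=None/CN=OVPN-SERVER" -out keys/CA_csr.pem
# `x509 -req -signkey` does not read openssl.cnf and on its own emits a certificate with
# no extensions at all, i.e. one that is not marked as a CA. Supply the CA extensions
# explicitly; a header-less extfile is read as its "default" section.
cat > secret/CA_ext.cnf <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl x509 -req -sha256 -days 7300 -in keys/CA_csr.pem \
  -signkey secret/CA_key.pem -passin file:secret/CA_key.passwd \
  -extfile secret/CA_ext.cnf -out keys/CA_cert.pem
# Check
# openssl req -in keys/CA_csr.pem -noout -text
# openssl rsa -noout -text -in secret/CA_key.pem -passin file:secret/CA_key.passwd
# openssl x509 -noout -text -in keys/CA_cert.pem

# --- Server certificate ---------------------------------------------------------------
openssl genrsa -aes256 -passout file:keys/server_key.passwd -out keys/server_key.pem 4096
openssl req -new -sha256 -key keys/server_key.pem -passin file:keys/server_key.passwd \
  -subj "/C=NN/ST=None/L=None/O=OVPN-NET/OU=None/CN=OVPN-SERVER" -out keys/server_csr.pem
# -extensions server selects the server extension set from openssl.cnf (the CA default is
# the client set). -infiles must remain the last argument.
openssl ca -batch -config openssl.cnf -passin file:secret/CA_key.passwd -extensions server \
  -out keys/server_cert.pem -infiles keys/server_csr.pem
# Check
# openssl req -in keys/server_csr.pem -noout -text
# openssl x509 -noout -text -in keys/server_cert.pem

# DH parameters for the TLS key exchange (slow: can take many minutes on a small box).
openssl dhparam -out keys/dh4096.pem 4096

# --- CRL ------------------------------------------------------------------------------
# crl-verify on the server needs an existing CRL, so issue an empty one right away.
openssl ca -config openssl.cnf -passin file:secret/CA_key.passwd -gencrl -out crl/crl.pem
# The CRL is re-read by the unprivileged openvpn user on every handshake, so it must stay
# readable: with the umask above it would be 0600 and every client would be rejected.
chmod 644 crl/crl.pem
# Check
# openssl crl -noout -text -in crl/crl.pem
#
# Revoking a certificate, then regenerating the CRL (the server picks the new file up by itself):
# openssl ca -config openssl.cnf -passin file:secret/CA_key.passwd -revoke keys/user_cert.pem
# openssl ca -config openssl.cnf -passin file:secret/CA_key.passwd -gencrl -out crl/crl.pem
# chmod 644 crl/crl.pem
#
# Re-issuing a certificate for the same user after revocation reuses the existing CSR and key;
# there is no need to regenerate them (unique_subject=yes only blocks this while the old cert
# is still valid):
# openssl ca -batch -config openssl.cnf -passin file:secret/CA_key.passwd \
#   -out keys/user-test_cert.pem -infiles keys/user-test_csr.pem

# --- tls-auth HMAC key ----------------------------------------------------------------
# Shared by the server (direction 0) and every client (direction 1); ships with the client
# bundle. OpenVPN >= 2.5 spells this `openvpn --genkey secret keys/ta.key` and only warns
# about the old form.
openvpn --genkey --secret keys/ta.key

# Keys, certificates and passphrases: root read-only.
chmod 400 keys/* secret/*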
User keys
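#!/usr/bin/env bash
# Issue a client certificate.  Usage: ./user-keys.sh [client-name]   (default: user-laptop)
# Run from /etc/openvpn; the CA passphrase is read from secret/CA_key.passwd.
# The client name becomes the certificate CN, must be unique (unique_subject=yes in
# openssl.cnf) and doubles as the file name of the client's entry in ccd/.
# NOTE: generating the client's private key on the server is convenient but means the server
# admin holds every client key. For a less trusting setup generate key + CSR on the client
# and copy only the *_csr.pem here to be signed.
set -euo pipefail

client="${1:-user-laptop}"
# The name ends up in file paths and in a -subj string: keep it to a safe character set.
if ! [[ "$client" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf 'invalid client name: %s\n' "$client" >&2
  exit 1
fi
# Re-running for an existing client would overwrite its key and passphrase; revoke and
# re-issue instead (see the server keys listing).
if [[ -e "keys/${client}_key.pem" ]]; then
  printf 'keys/%s_key.pem already exists; revoke and re-issue instead of overwriting\n' "$client" >&2
  exit 1
fi

# 128-char base64 passphrase, no trailing newline (see the server keys listing).
gen_passwd() {
  openssl rand -base64 96 | tr -d '\n'
}

umask 077
gen_passwd > "keys/${client}_key.passwd"
# Passphrase is read from the file at every step; the original listing generated the file
# but then let genrsa prompt, so file and key could diverge.
openssl genrsa -aes256 -passout "file:keys/${client}_key.passwd" -out "keys/${client}_key.pem" 4096
# O must equal the CA's O (policy_any: match); C/ST/L are dropped from the issued cert.
openssl req -new -sha256 -key "keys/${client}_key.pem" -passin "file:keys/${client}_key.passwd" \
  -subj "/C=NN/ST=None/L=None/O=OVPN-NET/OU=None/CN=${client}" -out "keys/${client}_csr.pem"
# No -extensions: the CA default (user_extensions) applies.
openssl ca -batch -config openssl.cnf -passin file:secret/CA_key.passwd \
  -out "keys/${client}_cert.pem" -infiles "keys/${client}_csr.pem"

chmod 400 keys/* secret/*

# Hand the client: CA_cert.pem, ${client}_cert.pem, ${client}_key.pem (plus its .passwd if
# askpass is used) and ta.key — over a secure channel, never over the VPN it is meant to
# bootstrap.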
Server config
# OpenVPN server (/etc/openvpn/server.conf). Everything under /etc/openvpn/keys is read once
# at startup as root; after init the process runs as openvpn:openvpn (user/group, persist-key).
dev tun0
server 10.10.10.0 255.255.255.0        # address pool; also implies mode server / tls-server
mode server
port 1194
proto tcp                              # TCP is firewall-friendly; UDP is the usual choice for a VPN
# for openssl >= 1.0.2
# engine aesni
user openvpn                           # privilege drop: whatever is read later (ccd/, crl/) must be readable by this user
group openvpn
cipher AES-256-CBC                     # data-channel cipher (NOTE(review): 2.4+ peers may negotiate AES-GCM via ncp-ciphers/data-ciphers)
tls-version-min 1.2
auth sha256                            # HMAC for the data channel and for tls-auth
comp-lzo                               # NOTE(review): compressing encrypted traffic enables VORACLE-style attacks; drop it on server AND client together, they must agree
keepalive 10 30
# reneg-sec 120
# ping 10
# ping-restart 60
persist-key                            # keep key material across SIGUSR1 restarts: keys/ is not readable after the privilege drop
persist-tun
tls-server
tls-timeout 360
hand-window 360
auth-nocache                           # do not keep the askpass passphrase in memory after use
askpass /etc/openvpn/keys/server_key.passwd   # a passphrase stored next to the key only protects against copies of the key file alone
ca /etc/openvpn/keys/CA_cert.pem
cert /etc/openvpn/keys/server_cert.pem
key /etc/openvpn/keys/server_key.pem
tls-auth /etc/openvpn/keys/ta.key 0    # direction 0 here, 1 on clients; packets without a valid HMAC are dropped before TLS
dh /etc/openvpn/keys/dh4096.pem
crl-verify /etc/openvpn/crl/crl.pem    # re-read on every handshake as user openvpn: must exist and stay readable; an expired CRL rejects every client, so regenerate it in time
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-to-client                       # forwards client<->client traffic inside OpenVPN, bypassing the host firewall; remove if clients must be isolated
client-config-dir /etc/openvpn/ccd     # per-client files named after the certificate CN (e.g. ifconfig-push); add `ccd-exclusive` to refuse clients without an entry
script-security 1
# push "route 10.10.10.0 255.255.255.0"
log /var/log/ovpn-srv.log
status /var/log/ovpn-srv-status.log
verb 3
Client config
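# OpenVPN client (Linux paths; the bundle received from the server lives under
# /etc/openvpn/server/ on this machine).
client
dev tun0
proto tcp
port 1194
remote <server ip>
key-direction 1
tls-client
# `tls-remote` was removed in OpenVPN 2.4; verify-x509-name replaces it. The subject below
# has no C/ST/L because the CA policy strips them from issued certificates. Without this
# check (or remote-cert-tls) any client certificate from the same CA could impersonate the
# server.
verify-x509-name 'O=OVPN-NET, OU=None, CN=OVPN-SERVER'
# remote-cert-tls server      # stronger than a name match, but requires extendedKeyUsage=serverAuth in the server certificate
tls-version-min 1.2           # the server already enforces 1.2; stating it here prevents a downgrade should the server ever relax it
tls-auth /etc/openvpn/server/ta.key 1
# dh is a server-side directive; the client does not need dh4096.pem
ca /etc/openvpn/server/CA_cert.pem
cert /etc/openvpn/server/user-laptop_cert.pem
key /etc/openvpn/server/user-laptop_key.pem
askpass /etc/openvpn/server/user-laptop_key.passwd   # passphrase next to the key: convenience, not protection against theft of the directory
# `ns-cert-type server` was removed in 2.5; use remote-cert-tls server instead
persist-key
persist-tun
cipher AES-256-CBC
auth sha256
comp-lzo                      # must match the server; compressing encrypted traffic is a known risk (VORACLE), disable on both sides together
# route-method exe            # Windows-only option: on Linux/macOS OpenVPN treats it as unrecognized and exits
route-delay 10
status /var/log/ovpn-srv-status.log
log /var/log/ovpn-srv.log
verb 3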
Per-client settings go in a file named exactly after the client certificate's CN — that name is how OpenVPN looks the entry up — so for the certificate issued above: `nano ccd/user-laptop`. The file must be readable by the `openvpn` user, since it is read after the privilege drop.
Give the client a fixed address pair with one line: `ifconfig-push 10.10.10.5 10.10.10.6` (the client's tunnel address first, then the server-side endpoint of that client's /30; the pair must be one of those listed below).
Valid `ifconfig-push` endpoint pairs for `topology net30` (the default in OpenVPN 2.x): each client gets its own /30 out of 10.10.10.0/24, i.e. `10.10.10.<local> 10.10.10.<remote>` taken from the pairs below. With `topology subnet` this pairing is not needed.
1 2 3 4 5 6 7 | [ 1, 2] [ 5, 6] [ 9, 10] [ 13, 14] [ 17, 18] [ 21, 22] [ 25, 26] [ 29, 30] [ 33, 34] [ 37, 38] [ 41, 42] [ 45, 46] [ 49, 50] [ 53, 54] [ 57, 58] [ 61, 62] [ 65, 66] [ 69, 70] [ 73, 74] [ 77, 78] [ 81, 82] [ 85, 86] [ 89, 90] [ 93, 94] [ 97, 98] [101,102] [105,106] [109,110] [113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138] [141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166] [169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194] [197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222] [225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250] [253,254] |