VPN certificates management
Latest revision as of 22:15, 28 March 2019
OpenVPN relies on the public key infrastructure principle.
Quick reminder:
- What is a key? High overview: https://www.youtube.com/watch?v=E5FEqGYLL0o
- Encryption principles, technical principles: https://www.youtube.com/watch?v=ERp8420ucGs
Installation
The OpenVPN package provides a set of encryption-related tools called "easy-rsa".
apt-get install easy-rsa
Copy the Easy-RSA scripts into OpenVPN directory:
[Old Ubuntu - before 14.04]
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
[New Ubuntu distro - 14.04 and later]
cp -R /usr/share/easy-rsa/ /etc/openvpn
# You must add a symlink manually, depending on the OpenSSL version you want to use
ln -s /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
PKI initialization
PKI Variables
Before you can generate the public key infrastructure for OpenVPN, you must configure a few variables that the easy-rsa scripts use when generating the certificates.
These variables are set near the end of the /etc/openvpn/easy-rsa/vars file.
vim /etc/openvpn/easy-rsa/vars
Here is an example of the relevant values:
# 2016
# If you put '4096' it might take a very long time to generate the Diffie Hellman key (more than 30h on a raspberry pi 2)
export KEY_SIZE=2048
# Certificate owner
export KEY_COUNTRY="LU"
export KEY_PROVINCE=""
export KEY_CITY="Luxembourg"
export KEY_ORG="daxiongmao.eu"
export KEY_EMAIL="guillaume@qin-diaz.com"
>> Alter the examples to reflect your configuration.
This information will be included in every certificate you create, so it must be accurate, particularly the KEY_ORG and KEY_EMAIL values.
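Because a wrong value in vars ends up in the CA and in every certificate it signs, it is worth checking the file before sourcing it. The following preflight check is an added example, not part of easy-rsa or of this page's original scripts; it assumes the default path /etc/openvpn/easy-rsa/vars used above and the KEY_* variable names shown in the example (the acceptance rules, such as a minimum KEY_SIZE of 2048, are the author's own choice for this example).

```shell
#!/bin/sh
# Added example (not part of easy-rsa): sanity-check the values in the vars
# file before you "source vars" and build the CA, so that a typo is caught
# before it is baked into the CA and into every certificate it signs.
#
# Usage: check_vars [path-to-vars]   (default: /etc/openvpn/easy-rsa/vars)
# Prints one line per problem; returns 0 when everything looks right.

check_vars() {
    vars_file="${1:-/etc/openvpn/easy-rsa/vars}"
    [ -r "$vars_file" ] || { echo "cannot read $vars_file"; return 1; }

    # Source the file in a subshell so its exports do not leak into the
    # caller's environment; the subshell's exit status is the result.
    (
        # shellcheck disable=SC1090
        . "$vars_file" >/dev/null 2>&1
        errors=0

        # KEY_SIZE is the RSA modulus length used for the CA, server and
        # client keys and for the dhNNNN.pem file; below 2048 is too weak.
        case "$KEY_SIZE" in
            ''|*[!0-9]*)
                echo "KEY_SIZE must be a number (got '$KEY_SIZE')"
                errors=$((errors + 1)) ;;
            *)
                if [ "$KEY_SIZE" -lt 2048 ]; then
                    echo "KEY_SIZE=$KEY_SIZE is below 2048"
                    errors=$((errors + 1))
                fi ;;
        esac

        # KEY_COUNTRY becomes the C= field of every subject: 2 upper-case letters.
        case "$KEY_COUNTRY" in
            ??) [ -z "$(printf '%s' "$KEY_COUNTRY" | tr -d 'A-Z')" ] || {
                    echo "KEY_COUNTRY must be upper case (got '$KEY_COUNTRY')"
                    errors=$((errors + 1)); } ;;
            *)  echo "KEY_COUNTRY must be a 2-letter code (got '$KEY_COUNTRY')"
                errors=$((errors + 1)) ;;
        esac

        # KEY_ORG and KEY_EMAIL are copied into every certificate: never empty,
        # and the e-mail must at least have the shape user@domain.tld.
        [ -n "$KEY_ORG" ] || { echo "KEY_ORG is empty"; errors=$((errors + 1)); }
        case "$KEY_EMAIL" in
            ?*@?*.?*) ;;
            *) echo "KEY_EMAIL does not look like an e-mail address (got '$KEY_EMAIL')"
               errors=$((errors + 1)) ;;
        esac

        [ "$errors" -eq 0 ]
    )
}
```

Run check_vars right before "source vars" in the CA section; a non-zero exit with the printed reasons is cheaper than re-generating the whole PKI once a bad organisation name or e-mail address has been signed into the CA.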
Generate Certificate Authority (CA)
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./build-ca
This is an example of the replies:
- Country Name (2 letter code) [LU]: LU
- State or Province Name (full name) []:
- Locality Name (eg, city) [Luxembourg]: Luxembourg
- Organization Name (eg, company) [Daxiongmao]: Daxiongmao
- Organizational Unit Name (eg, section) [Personal_usage]: Personal_usage
- Common Name (eg, your name or your server's hostname) [Daxiongmao CA]: Daxiongmao CA
- Name [EasyRSA]: Daxiongmao_CA
- Email Address [guillaume@daxiongmao.eu]: guillaume@daxiongmao.eu
Generate Diffie Hellman Parameters
The "Diffie Hellman Parameters" govern the method of key exchange and authentication used by the OpenVPN server.
cd /etc/openvpn/easy-rsa/
source vars
./build-dh
VPN server
Generate server certificate
First, you need to create a certificate + private key for the VPN server.
cd /etc/openvpn/easy-rsa/
source vars
./build-key-server [server]
→ replace [server] with your actual server name!
Example:
- Country Name (2 letter code) [LU]: LU
- State or Province Name (full name) []:
- Locality Name (eg, city) [Luxembourg]: Luxembourg
- Organization Name (eg, company) [Daxiongmao]: Daxiongmao
- Organizational Unit Name (eg, section) [Personal_usage]: Personal_usage
- Common Name (eg, your name or your server's hostname) [code.daxiongmao.eu]: code.daxiongmao.eu
- Name [EasyRSA]: VPN server code.daxiongmao.eu
- Email Address [guillaume@daxiongmao.eu]: guillaume@daxiongmao.eu
This script will also prompt you for additional information.
- Common Name = Name of the current server (server DNS name). Ex: dev.daxiongmao.eu
Let OpenVPN access the files
The keys and certificates for the server need to be relocated to the /etc/openvpn directory so the OpenVPN server process can access them. These files are:
- Certificate authority ca.crt
- Authority private key ca.key
- Diffie Hellman parameters dhNNNN.pem, where NNNN is your KEY_SIZE (dh2048.pem with the vars above; dh4096.pem or higher may be the default on newer distros)
- Server certificate server.crt
- Server private key server.key
cd /etc/openvpn/
ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
ln -s /etc/openvpn/easy-rsa/keys/ca.key /etc/openvpn/ca.key
# The DH file is named after KEY_SIZE (dh2048.pem for KEY_SIZE=2048)
ln -s /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/dh2048.pem
# myServer = the name you passed to ./build-key-server
ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key
!! Apart from ca.crt, none of these files must ever leave your server !!
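A quick way to verify that the private material really is locked down once the links are in place is to audit the permissions of the files listed above. This is an added example, not part of easy-rsa or OpenVPN; it assumes the /etc/openvpn layout and file names used on this page (ca.key, server.key, ca.crt, server.crt, dhNNNN.pem) and follows the symlinks so the real files under easy-rsa/keys/ are what gets checked.

```shell
#!/bin/sh
# Added example, not part of easy-rsa or OpenVPN: audit the files listed
# above once the symlinks exist. The private keys (ca.key, server.key) must
# be readable by their owner only; the certificates and the DH parameters
# are public and may stay world-readable.
#
# Usage: audit_key_files [dir]   (default: /etc/openvpn)
# Prints one line per problem; returns 0 when the directory is clean.

# Octal permission bits of the file a path resolves to. -L follows the
# symlink, so it is the real file under easy-rsa/keys/ that gets checked
# (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

audit_key_files() {
    dir="${1:-/etc/openvpn}"
    problems=0

    # Secret material: anything readable by group or others is the
    # "left your server" case the warning above is about.
    for secret in ca.key server.key; do
        path="$dir/$secret"
        if [ ! -e "$path" ]; then
            echo "missing (or dangling link): $path"
            problems=$((problems + 1))
            continue
        fi
        mode=$(file_mode "$path")
        case "$mode" in
            600|400) ;;
            *) echo "$path has mode $mode (expected 600 or 400)"
               problems=$((problems + 1)) ;;
        esac
    done

    # Public material only has to be present (OpenVPN fails to start without it).
    for public in ca.crt server.crt; do
        [ -e "$dir/$public" ] || { echo "missing: $dir/$public"; problems=$((problems + 1)); }
    done
    # The DH file is named after KEY_SIZE (dh2048.pem, dh4096.pem, ...).
    set -- "$dir"/dh*.pem
    [ -e "$1" ] || { echo "missing: $dir/dhNNNN.pem"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}
```

Running audit_key_files after every change to the keys directory (or from a cron job) catches the usual slip: a key regenerated or copied with the default umask and left world-readable.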
Client certificates
Generate Clients certificates
Now you need to generate 1 private key + 1 certificate per client.
cd /etc/openvpn/easy-rsa/
source vars
./build-key [clientName]
Replace the [clientName] parameter with a relevant identifier for each client.
- The client common name must be unique.
- It helps you to identify each client, so don't hesitate to use a meaningful name: the name is put inside the certificate.
All other information can remain the same.
Distribute client files
In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:
- Authority of certification ca.crt
- Client certificate [clientName].crt
- Client private key [clientName].key
!!! These keys should be transferred with the utmost attention to security. Anyone who has the key is able to gain full access to your virtual private network !!!
Revoking Client Certificates
How to remove a user's access to the VPN server?
cd /etc/openvpn/easy-rsa/
source vars
./revoke-full [clientName]
This will revoke the [clientName] certificate, so the users who hold it can no longer access the VPN.
For this reason, keeping track of which users are in possession of which certificates is crucial.
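Keeping track of who holds which certificate, and checking that client common names really are unique (see "Generate Clients certificates" above), can be done from the CA database that easy-rsa 2 maintains in keys/index.txt: each issued certificate is one tab-separated line, status (V valid, R revoked by ./revoke-full, E expired), expiry date, revocation date, serial, filename and subject DN. The script below is an added example, not part of easy-rsa; it assumes the default path /etc/openvpn/easy-rsa/keys/index.txt from this page.

```shell
#!/bin/sh
# Added example, not part of easy-rsa: answer "who currently holds a valid
# certificate?" from the CA database that easy-rsa 2 keeps in keys/index.txt
# (the OpenSSL "ca" database). One tab-separated line per issued certificate:
#   status  expiry  revocation-date  serial  filename  subject-DN
# status is V (valid), R (revoked by ./revoke-full) or E (expired).
#
# Usage: list_certs [V|R|E] [index.txt]   -> one "serial CN" line per match
#        duplicate_cns [index.txt]        -> CNs that are valid more than once

TAB=$(printf '\t')

list_certs() {
    want="${1:-V}"
    index="${2:-/etc/openvpn/easy-rsa/keys/index.txt}"
    awk -F "$TAB" -v want="$want" '
        $1 == want {
            # The subject DN is the last field; extract its CN= component.
            n = split($6, part, "/")
            cn = "?"
            for (i = 1; i <= n; i++)
                if (part[i] ~ /^CN=/) cn = substr(part[i], 4)
            print $4, cn
        }' "$index"
}

# Common names must be unique: a CN that is valid twice usually means a
# client was re-issued without ./revoke-full on the old certificate, so the
# old file still opens the VPN.
duplicate_cns() {
    list_certs V "$1" | cut -d ' ' -f 2- | sort | uniq -d
}
```

list_certs V gives the current access list, list_certs R the history of revocations, and a non-empty duplicate_cns output is a certificate to revoke. Note that ./revoke-full also regenerates keys/crl.pem; the OpenVPN server only enforces revocations when its configuration points at that file with the crl-verify option, so the status in index.txt and what the server accepts stay in sync only if the CRL is copied or linked into /etc/openvpn like the other files.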