VPN certificates management

Revision as of 18:53, 15 August 2015 by WikiFreak


OpenVPN relies on a public key infrastructure (PKI): every party is identified by a certificate signed by a certificate authority you control.

Quick reminder:


The OpenVPN package provides a set of certificate-management scripts called "easy-rsa".

These scripts are located by default in the /usr/share/doc/openvpn/examples/easy-rsa/ directory.

However, in order to function properly, these scripts should be located in the /etc/openvpn directory.


Installation

Copy these files with the following command:

[Old Ubuntu - before 14.04]

cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn


[New Ubuntu distro - 14.04 and later]

cp -R /usr/share/easy-rsa/ /etc/openvpn


PKI initialization

PKI Variables

Before you can generate the public key infrastructure for OpenVPN, you must set a few variables that the easy-rsa scripts use when generating the certificates.

These variables are set near the end of the /etc/openvpn/easy-rsa/vars file.

vim /etc/openvpn/easy-rsa/vars


Here is an example of the relevant values:

export KEY_COUNTRY="SE"
export KEY_PROVINCE="Västra Götaland"
export KEY_CITY="Goteborg"
export KEY_ORG="daxiongmao.eu"
export KEY_EMAIL="guillaume@qin-diaz.com"

>> Alter the examples to reflect your configuration.


This information is embedded in every certificate you create, so it must be accurate, particularly the KEY_ORG and KEY_EMAIL values.


Generate the Certificate Authority (CA)

cd /etc/openvpn/easy-rsa/
. /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/clean-all
. /etc/openvpn/easy-rsa/build-ca

When asked, use your COMPANY name as the "common name". Note that clean-all empties the keys/ directory, so run it only when starting a fresh PKI.


Generate Diffie Hellman Parameters

The Diffie-Hellman parameters govern the key exchange performed by the OpenVPN server during the TLS handshake with its clients.

cd /etc/openvpn/easy-rsa/
. /etc/openvpn/easy-rsa/build-dh


VPN server Certificate

First, you need to create a certificate + private key for the VPN server.

cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/build-key-server [server]

→ Replace [server] with your actual server name!


This script will also prompt you for additional information.

  • Common Name = Name of the current server (server DNS name). Ex: dev.daxiongmao.eu


Server files access

The server's keys and certificates need to be made available in the /etc/openvpn directory so the OpenVPN server process can read them. These files are:

  • Certificate authority certificate: ca.crt
  • Certificate authority private key: ca.key
  • Diffie-Hellman parameters: dh2048.pem (the number matches KEY_SIZE in vars and may be higher on newer distributions, so check the actual file name)
  • Server certificate: server.crt
  • Server private key: server.key


cd /etc/openvpn/
ln -s /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/ca.crt
ln -s /etc/openvpn/easy-rsa/keys/ca.key /etc/openvpn/ca.key
ln -s /etc/openvpn/easy-rsa/keys/dh2048.pem /etc/openvpn/dh2048.pem
ln -s /etc/openvpn/easy-rsa/keys/myServer.crt /etc/openvpn/server.crt
ln -s /etc/openvpn/easy-rsa/keys/myServer.key /etc/openvpn/server.key


In the commands above, myServer is the name that was passed to build-key-server. Apart from ca.crt, none of these files must ever leave your server! OpenVPN itself only needs ca.crt, dh2048.pem, server.crt and server.key at run time; ca.key is used only by the easy-rsa scripts when signing or revoking certificates.
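As an added example that is not part of the original page, the following shell script checks the /etc/openvpn layout described above before the server is started: every file the server needs is present, no private key is readable by anyone but its owner, and (when openssl is installed) server.crt chains to ca.crt and matches server.key. The directory and file names follow the page; the sample directory the demo builds at the end is constructed from placeholder files, so the openssl check is only meaningful on a real PKI.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check the files the
# OpenVPN server reads from /etc/openvpn. Paths follow the page; the demo
# directory at the bottom is constructed with placeholder contents.

OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}

# 1. Every file the server needs must exist and be readable. Symlinks into
#    easy-rsa/keys are fine because -r follows them. Returns 1 and lists
#    the missing files otherwise.
check_server_files() {
    dir=$1; rc=0
    for f in ca.crt dh2048.pem server.crt server.key; do
        if [ ! -r "$dir/$f" ]; then
            printf 'missing or unreadable: %s/%s\n' "$dir" "$f"
            rc=1
        fi
    done
    return $rc
}

# 2. No private key (*.key covers ca.key and server.key) may be readable
#    or writable by group or others. -L checks the symlink targets.
#    Returns 1 if any key is exposed.
check_key_perms() {
    bad=$(find -L "$1" -maxdepth 1 -type f -name '*.key' \
            \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'private key exposed to group/others: %s\n' $bad
        return 1
    fi
    return 0
}

# 3. Tighten every key to owner-only access, which is all the server needs.
fix_key_perms() {
    find -L "$1" -maxdepth 1 -type f -name '*.key' -exec chmod 600 {} +
}

# 4. With openssl available, confirm server.crt was signed by ca.crt and
#    that server.key is the key of server.crt (a mismatch is the usual
#    symptom of linking the wrong [server].crt). Skipped without openssl.
check_with_openssl() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 0
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# Demo on a constructed directory: placeholder files stand in for the real
# certificates, with server.key deliberately left world-readable.
SAMPLE_DIR=$(mktemp -d)
for f in ca.crt ca.key dh2048.pem server.crt server.key; do
    printf 'placeholder %s\n' "$f" > "$SAMPLE_DIR/$f"
done
chmod 644 "$SAMPLE_DIR/server.key"
if check_key_perms "$SAMPLE_DIR"; then
    echo "key permissions ok"
else
    echo "fixing key permissions"
    fix_key_perms "$SAMPLE_DIR"
fi
if check_server_files "$SAMPLE_DIR" && check_key_perms "$SAMPLE_DIR"; then
    echo "server files ok in $SAMPLE_DIR"
fi
```

On a real server run `check_server_files "$OPENVPN_DIR" && check_key_perms "$OPENVPN_DIR" && check_with_openssl "$OPENVPN_DIR"` before (re)starting OpenVPN; the permission check inspects the symlink targets under easy-rsa/keys, which is where the actual key bytes live.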


Client certificates

Generate Clients certificates

Now you need to generate 1 private key + 1 certificate per client.

cd /etc/openvpn/easy-rsa/
source /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/build-key [clientName]

Replace the [clientName] parameter with a relevant identifier for each client.

  • The client common name must be unique.
  • It helps you to identify each client, so don't hesitate to use meaningful names.


The name is put inside the certificate.

All other information can remain the same.


Distribute client files

In order to authenticate to the VPN, you'll need to copy a number of certificate and key files to the remote client machines. They are:

  • Authority of certification ca.crt
  • Client certificate [clientName].crt
  • Client private key [clientName].key

!!! These files must be transferred with the utmost attention to security: anyone who holds the key can gain full access to your virtual private network !!!


Revoking Client Certificates

How to remove a user's access to the VPN server?

cd /etc/openvpn/easy-rsa/
. /etc/openvpn/easy-rsa/vars
. /etc/openvpn/easy-rsa/revoke-full [clientName]


This will revoke the ability of users who hold the [clientName] certificate to access the VPN. revoke-full updates keys/crl.pem; the server only enforces the revocation if its configuration points at that CRL with the crl-verify directive.

For this reason, keeping track of which users are in possession of which certificates is crucial.
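The record easy-rsa already keeps for you is keys/index.txt, the OpenSSL CA database that build-key and revoke-full update. As an added example that is not part of the original page, the script below reads that file to list every issued common name with its status, show the revoked ones, and check that a client name is not already in use before running build-key (the uniqueness requirement from the "Generate Clients certificates" section). The index path is an assumption and the three entries in the sample index are constructed; common names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original page: read easy-rsa's certificate
# database keys/index.txt (OpenSSL "ca" index format) to see which common
# names were issued and which revoke-full has revoked. The path below is
# assumed; the sample index at the bottom is constructed for the demo.

INDEX_TXT=${INDEX_TXT:-/etc/openvpn/easy-rsa/keys/index.txt}
TAB=$(printf '\t')

# Print "STATUS SERIAL CN" for each entry. Columns are tab-separated:
# status (V valid, R revoked, E expired), expiry date, revocation date
# (empty unless revoked), serial, certificate file name, subject DN.
list_certs() {
    awk -F "$TAB" 'NF >= 6 {
        cn = $6
        sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)   # keep only the CN value
        printf "%s %s %s\n", $1, $4, cn
    }' "$1"
}

# Only the revoked entries, i.e. the clients revoke-full has cut off.
list_revoked() {
    list_certs "$1" | awk '$1 == "R"'
}

# Status of the latest entry for a CN: V, R, or empty if never issued.
cert_status() {
    list_certs "$1" | awk -v cn="$2" '$3 == cn { s = $1 } END { print s }'
}

# Exit 0 when the CN already has a valid certificate. Run it before
# build-key so every client common name stays unique.
cn_in_use() {
    [ "$(cert_status "$1" "$2")" = "V" ]
}

# Constructed sample index: the server certificate, one valid client and
# one revoked client, with the DN layout easy-rsa produces from vars.
SAMPLE_INDEX=$(mktemp)
DN='/C=SE/ST=Vastra Gotaland/L=Goteborg/O=daxiongmao.eu'
printf 'V\t250814165300Z\t\t01\tunknown\t%s/CN=dev.daxiongmao.eu/emailAddress=admin@example.com\n' "$DN" >  "$SAMPLE_INDEX"
printf 'V\t250814165300Z\t\t02\tunknown\t%s/CN=alice/emailAddress=admin@example.com\n'             "$DN" >> "$SAMPLE_INDEX"
printf 'R\t250814165300Z\t150816101500Z\t03\tunknown\t%s/CN=bob/emailAddress=admin@example.com\n'  "$DN" >> "$SAMPLE_INDEX"

echo "issued:";  list_certs "$SAMPLE_INDEX"
echo "revoked:"; list_revoked "$SAMPLE_INDEX"
for name in alice bob carol; do
    if cn_in_use "$SAMPLE_INDEX" "$name"; then
        echo "$name already has a valid certificate, pick another name"
    else
        echo "$name is free to use with build-key"
    fi
done
# On the real server: list_certs "$INDEX_TXT"
```

Because index.txt is the authoritative list of what the CA has signed, comparing its V entries against your own record of who received which client files is the quickest way to spot a certificate nobody can account for.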