Before we can set up a client/server VPN, we need to set up the Public Key Infrastructure (PKI) first. The PKI comprises the Certificate Authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file that is required for perfect forward secrecy.
For setting up the PKI, we make use of the easy-rsa scripts supplied by the OpenVPN distribution itself.
The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separated from the rest of the OpenVPN services. One option is to keep the PKI Certificate Authority (CA) key located on a separate, external disk, which is attached only when needed. Another option would be to keep the CA private key on a separate computer that is not hooked up to any network at all.
This recipe was done on Linux, but can also be done on a Mac OS machine. On Windows, the commands are very similar as well. The Linux easy-rsa scripts are meant to be run from a bash-like shell, so make sure you are not running csh/tcsh (UNIX shells).
- Create the directories for the PKI and copy over the
easy-rsadistribution from your OpenVPN installation:$ mkdir -m 700 -p /etc/openvpn/cookbook/keys $ cd /etc/openvpn/cookbook $ cp -drp /usr/share/openvpn/easy-rsa/2.0/* .
- Note that there is no need to run these commands as the
rootuser, provided that the user is allowed to create the above directory path. - Next, we set up the
varsfile. Create a file containing the following:export EASY_RSA=/etc/openvpn/cookbook export OPENSSL="openssl" export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys" export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy" export KEY_SIZE=2048 export CA_EXPIRE=3650 export KEY_EXPIRE=1000 export KEY_COUNTRY="NL" export KEY_PROVINCE= export KEY_CITY= export KEY_ORG="Cookbook" export KEY_EMAIL="openvpn-ca@cookbook.example.com"
Note
Note that the
PKCS11_MODULE_PATHandPKCS11_PINentries are needed even if you are not using smart cards.The default KEY_SIZE of 2048 bits is sufficiently secure for the next few years. A larger key size (4096 bits) is possible, but the trade off is a performance penalty. We shall generate a 4096 bit CA private key, as performance is not an issue here.
Adjust the settings (
KEY_ORG,KEY_EMAIL) to reflect your organization. The meaning of these settings is explained in more details later. - Source the
varsfile and generate the CA private key and certificate, using a 4096 bit modulus. Choose a strong password for the CA certificate. After that, simply press the Enter key every time the script asks for input:$ cd /etc/openvpn/cookbook $ . ./vars $ ./clean-all $ KEY_SIZE=4096 ./build-ca --pass
Sample output:
- Next, we build the server certificate. When the script asks for input, press the Enter key. When the script asks for the
ca.keypassword, enter the password for the CA certificate. Finally, when the script asks for a[y/n]answer, typey:$ ./build-key-server openvpnserver Generating a 1024 bit RSA private key .....++++++ .......................++++++ writing new private key to 'openvpnserver.key' ----- […] ----- Country Name (2 letter code) [NL]: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) [Cookbook]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) [openvpnserver]: Name []: Email Address [openvpn-ca@cookbook.example.com]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/cookbook/openssl.cnf Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:[enter CA key password] Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'NL' organizationName :PRINTABLE:'Cookbook' commonName :PRINTABLE:'openvpnserver' emailAddress :IA5STRING:' openvpn- ca@cookbook.example.com ' Certificate is to be certified until Jan 30 11:59:06 2013 GMT (1000 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated - The first client certificate is generated in a batch. It is a very fast method for generating a client certificate but it is not possible to set a password on the client's private key file:
$ ./build-key-server --batch openvpnclient1
- The second client certificate is generated with a password. Choose a strong password (but different than the CA certificate password!). The output is abbreviated for clarity:
$ ./build-key-pass openvpnclient2 Generating a 1024 bit RSA private key ...++++++ ..++++++ writing new private key to 'openvpnclient2.key' Enter PEM pass phrase:[enter private key password] Verifying - Enter PEM pass phrase: [enter password again] […] Enter pass phrase for /etc/openvpn/cookbook /keys/ca.key:[enter CA key password] […] Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated - Next, build the Diffie-Hellman parameter file for the server:
- And finally, the
tls-authkey file:$ openvpn --genkey --secret ta.key
The easy-rsa scripts are a handy set of wrapper scripts around some of the openssl ca commands. The openssl ca commands are commonly used to set up a PKI using X509 certificates. The build-dh script is a wrapper for the openssl dh command.
To use the easy-rsa scripts on Windows, a command window (cmd.exe) is needed and the starting ./ needs to be removed from all the commands, for example:
[Win]C:> vars [Win]C:> clean-all [Win]C:> build-ca
The following variables are set in the vars file:
KEY_SIZE=2048: This is the cipher strength for all private keys. The longer the key size is, the stronger the encryption. Unfortunately, it also makes the encryption process slower.CA_EXPIRE=3650: This gives the number of days the CA certificate is considered valid, thus translating to a period of 10 years. For a medium-secure setup, this is fine, but if stronger security is required this number needs to be lowered.KEY_EXPIRE=1000: This gives the number of days for which the client of server certificate is considered valid, thus translating to a period of almost 3 years.KEY_COUNTRY="NL",KEY_PROVINCE=,KEY_CITY=,KEY_ORG="Cookbook",KEY_EMAIL=openvpn-ca@cookbook.example.com: These variables are all used to form the certificate Distinguished Name (DN). None of them are required, but both OpenVPN and OpenSSL suggest using at leastKEY_COUNTRYto indicate where a certificate was issued.
See Chapter 4, PKI, Certificates, and OpenSSL, for a lengthier introduction to the easy-rsa scripts and the openssl commands.