This article is under construction
root@SERVER/etc/openvpn $ cp -r /etc/easy-rsa/ SERVER4
root@SERVER/etc/openvpn $ cd SERVER4
root@SERVER/etc/openvpn/SERVER4 $ ls -l
total 28
-rw-r--r-- 1 root root 424 2016-09-28 01:49 dh.pem
-rw-r--r-- 1 root root 4560 2016-09-28 01:49 openssl-1.0.cnf
drwx------ 6 root root 4096 2016-09-28 01:49 pki
-rw-r--r-- 1 root root 8124 2016-09-28 01:49 vars
drwxr-xr-x 2 root root 4096 2016-09-28 01:49 x509-types
root@SERVER/etc/openvpn/SERVER4 $ rm -rf pki/
root@SERVER/etc/openvpn/SERVER4 $ export EASYRSA_VARS_FILE=./vars
root@SERVER/etc/openvpn/SERVER4 $ vim vars
root@SERVER/etc/openvpn/SERVER4 $ easyrsa init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/SERVER4/pki
root@SERVER/etc/openvpn/SERVER4 $ easyrsa build-ca nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
.............................++
................................................................................................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/ca.key.GxRUt9nv4u'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:SERVER
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at: /etc/openvpn/SERVER4/pki/ca.crt
root@SERVER/etc/openvpn/SERVER4 $ easyrsa build-server-full SERVER nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
................................................................................++
.............................................................................................................................................................................................................................................................................................................................................................................................................................................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/SERVER.key.znWIlv0gCs'
-----
Using configuration from /etc/openvpn/SERVER4/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'SERVER'
Certificate is to be certified until Sep 25 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
root@SERVER/etc/openvpn/SERVER4 $ easyrsa build-client-full notebook nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
..................................................................................................................................................................................................................................++
............................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/notebook.key.ksRFn8q1F9'
-----
Using configuration from /etc/openvpn/SERVER4/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'notebook'
Certificate is to be certified until Sep 25 2026 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
root@SERVER/etc/openvpn/SERVER4 $ find .
.
./openssl-1.0.cnf
./vars
./dh.pem
./x509-types
./x509-types/COMMON
./x509-types/ca
./x509-types/client
./x509-types/server
./pki
./pki/certs_by_serial
./pki/certs_by_serial/02.pem
./pki/certs_by_serial/01.pem
./pki/index.txt.old
./pki/index.txt.attr.old
./pki/.rnd
./pki/index.txt
./pki/serial.old
./pki/private
./pki/private/SERVER.key
./pki/private/notebook.key
./pki/private/ca.key
./pki/reqs
./pki/reqs/notebook.req
./pki/reqs/SERVER.req
./pki/ca.crt
./pki/index.txt.attr
./pki/issued
./pki/issued/SERVER.crt
./pki/issued/notebook.crt
./pki/serial
root@SERVER/etc/openvpn/SERVER4 $ vim ../server.conf
root@SERVER/etc/openvpn/SERVER4 $ systemctl start openvpn@server
root@SERVER/etc/openvpn/SERVER4 $ systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
Active: active (running) since Mi 2016-09-28 CEST; 5s ago
Docs: man:openvpn(8)
Process: 629 ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config %i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2 (code=exited, status=0/SUCCESS)
Main PID: 631 (openvpn)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─631 /usr/bin/openvpn --cd /etc/openvpn --config server.conf --daemon openvpn@server --writepid /run/openvpn@server.pid --status-version 2
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: MULTI: multi_init called, r=256 v=256
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: IFCONFIG POOL: base=10.23.0.4 size=62, ipv6=0
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: ifconfig_pool_read(), in='client01,10.23.0.4', TODO: IPv6
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: succeeded -> ifconfig_pool_set()
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: ifconfig_pool_read(), in='nemti,10.23.0.8', TODO: IPv6
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: succeeded -> ifconfig_pool_set()
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: IFCONFIG POOL LIST
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: client01,10.23.0.4
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: nemti,10.23.0.8
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: Initialization Sequence Completed
root@SERVER/etc/openvpn/SERVER4 $ scp pki/ca.crt pki/issued/notebook.crt pki/private/notebook.key max@192.168.1.102:/tmp/openvpn/
max@192.168.1.102's password:
ca.crt 100% 3223 283.5KB/s 00:00
notebook.crt 100% 12KB 1.1MB/s 00:00
notebook.key 100% 6392 981.3KB/s 00:00
Strengthening the security
$ openssl dhparam -out /etc/openvpn/dh.pem 4096
$ openvpn --genkey --secret /etc/openvpn/ta.key