Differences

This shows you the differences between two versions of the page.

--- technical:openvpn_setup [2018/12/02 21:17] – [Generate the master Certificate Authority (CA) certificate & key] bob
+++ technical:openvpn_setup [2018/12/20 13:18] (current) – [Generate the master Certificate Authority (CA) certificate & key] bob
@@ Line 26: / Line 26: @@
   * From  [[https://www.rfc-editor.org/rfc/rfc8446.txt|RFC 8446]] Section 1: The server side of the channel is always authenticated; the client side is optionally authenticated.
   * During the hanshake protocol a TLS/SSL server will typically provide a certificate. The client may optionally also provide a certificate.
+==== File Formats ====
+DER - All SSL related objects (Certificates, keys etc.) use native ASN.1 DER encoding. DER is a binary (8 bit) encoding.
+PEM - Privacy Enhanced Mail (PEM) encodes binary DER in base 64 (RFC 3548) creating a text (ASCII/IA5 subset) version that may be sent by, among other things, mail systems. Objects encoded by PEM include header lines and trailer lines each starting and finishing with precisely 5 dashes to encapsulate the base64 material and provide a human readable indication of its content. PEM files look something like that shown below:
+<code>
+-----BEGIN CERTIFICATE-----
+MIIDHDCCAoWgAwIBAgIJALt8VJ...
+...
+Cfh/ea7F1El1Ym1Zj2v3wLhRl1...
+NH5lEmZybl+m2frlkjUv9KAvxc...
+IFgovdU8YPMDds=
+-----END CERTIFICATE-----
+BLAH BLAH BLAH
+</code>
 ==== Generate the master Certificate Authority (CA) certificate & key ====
-Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):
+Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files). Skip this if you already have vars.bat setup the way you like it. :
 <code>init-config</code>
@@ Line 53: / Line 71: @@
 build-ca
 </code>
+The "build-ca" command issues this OpenSSL command:
+<code>
+# Build a cert authority valid for ten years, starting now
+openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
+</code>
+Substitute "-enddate YYMMDDHHMMSSZ" to specify an end date instead.
 The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command. My certificate looked like:
@@ Line 100: / Line 127: @@
 </codedoc>
-Use openssl or an [[https://www.sslchecker.com/certdecoder|SSL certificate decoder]] to view the contents.
+Use openssl or an [[https://ssldecoder.org/|SSL certificate decoder]] to view the contents.
 <code>openssl x509 -in ca.crt -text -noout</code>
@@ Line 202: / Line 229: @@
-==== Generate certificate & key for server ====
+==== Generate Certificate & Key for Server ====
 Generate a certificate and private key for the server. On Windows:
@@ Line 215: / Line 242: @@
   * “1 out of 1 certificate requests certified, commit? [y/n]”.
-==== Generate certificates & keys for clients ====
+The "build-key-server" command generates server files by first building a Certificate Signing Request (CSR) and then signing the CSR. It issues these OpenSSL commands:
+<code>
+# Build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+# Sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
+</code>
+==== Generate Certificates & Keys for Clients ====
 Generating client certificates is very similar to the previous step. On Windows:
@@ Line 226: / Line 262: @@
 Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.
+The “build-key” command generates client files by first building a Certificate Signing Request (CSR) and then signing the CSR. It issues these OpenSSL commands:
+<code>
+# Build a request for a cert that will be valid for ten years
+openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+# Sign the cert request with our ca, creating a cert/key pair
+openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
+</code>
 Clients can generate their own private key locally. To do this they submit a Certificate Signing Request (CSR) to the key signer. The key-signer can then processed the CSR and returned a signed certificate to the client.
-==== Generate Diffie Hellman parameters ====
+==== Generate Diffie Hellman Parameters ====
 Diffie Hellman parameters must be generated for the OpenVPN server. On Windows:
@@ Line 258: / Line 304: @@
 [[https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_Remote_Access_by_Static_Key_%28The_Simple_Way%29|OpenVPN Remote Access By Static Key (The Simple Way)]]
-To avoid IP address conflicts:
+Here is another great article on setting up a [[https://advancedhomeserver.com/dd-wrt-and-openvpn-part-3/|home OpenVPN server]].
+When using tunneling mode, to avoid IP address conflicts in a routed configuration:
   * the private LAN IP subnet
@@ Line 264: / Line 312: @@
   * the remote LAN subnet
-must all be different from each other.
+must all be different from each other. I used bridge mode and avoided all the routing stuff.
 Choose subnets for the private LAN and the VPN that are unlikely to conflict. I chose 192.168.100.x for my home LAN.
-  * CA Cert - The master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.
+==== Customizable Web Page Setup Parameters ====
-  * Public Server Cert - The master key which is used to sign each of the server and client certificates.
-  * Private Server Key
+<WRAP center round tip 80%>
-  * DH PEM
+Settings are stored in NVRAM which is limited in size. Only store the PEM version of keys and certs to save space. If there isn't enough space in NVRAM some of these settings will mysteriously disappear after saving.
-  * Additional Config
+</WRAP>
-  * TLS Auth Key
-  * Certificate Revoke List
+^  Setting  ^ Description ^ Default ^
+| Start Type | Use "System". "WAN Up" doesnt work. |  |
+| Server Mode | The mode of tunneling. TUN: routing (layer 3), TAP: bridging networks (layer 2). |  |
+| DHCP-Proxy mode | Only in bridge mode. Let the clients use the network DHCP server not the OpenVPN DHCP. |  |
+| Pool start IP | 1st IP of the IP pool used (Only in bridge mode). |  |
+| Pool end IP | Last IP of the IP pool used (Only in bridge mode). |  |
+| Gateway | Default gateway to use (Only in bridge mode). |  |
+| Network (e.g. 10.10.10.0) | Network to use for the tunnel (Only in routing mode). |  |
+| Netmask (e.g. 255.255.255.0) | Netmask of the used network. |  |
+| Block DHCP across the tunnel | Don't allow DHCP requests across tunnel (Only in bridge mode).|  |
+| Port | Port which OpenVPN server listens on. | 1194 |
+| Tunnel Protocol | The subprotocol the connection will use on the real used tcp connection. | UDP |
+| Encryption Cipher | The encryption algorithm that will be used for the tunnel. Blowfish: fastest to AES512 safest. | AES128 |
+| Hash Algorithm (None and MD4 to SHA512) | The hash algorithm that will be used. MD4: fastest (maybe unsafe) to SHA512. | SHA256 |
+| Advanced options | Leave defaults as is if you dont know what you are doing. | disabled |
+| LZO Compression | Enables compression over VPN. This might speedup the connection. Must be the same value as on server. | yes |
+| Redirect default Gateway | Force the clients to use the tunnel as default gateway. | disabled |
+| Allow Client to Client | Allow clients to see each other. | disabled |
+| Allow duplicate cn | Allow to use 1 client cert to use on multiple clients (security risk) |  |
+| TUN MTU Setting | Set the MTU of the tunnel | 1500 |
+| MSS-Fix/Fragment across the tunnel | Set mss-fix and fragmentaion accross the tunnel. |  |
+| TLS Cipher | What encryption algorithm OpenVPN should use for encrypting its control channel. | disabled |
+| Additional Config | Any additional configurations you want to define for the VPN connection. |  |
+| Public Server Cert | Server certificate issued by CA for this particular router (usually server.crt); also only part between 'BEGIN' and 'END' is required. |  |
+| CA Cert | The master key which is used to sign each of the server and client certificates. Certificate in PEM form (usually ca.crt); only part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is necessary; as it is stored in NVRAM, everything else from that file should be removed to conserve space. |  |
+| Private Server Key | Key associated with certificate above (usually server.key); should be kept secret because anybody who knows this key can successfully authenticate client certificates. |  |
+| DH PEM | Diffie Hellman parameters generated for the OpenVPN server (usually dh1024.pem) |  |
+| Additional Config | Any additional configurations you want to define for the VPN connection. |  |
+| TLS Auth Key | The static key OpenVPN should use for generating HMAC send/receive keys. For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding. The server and each client must have a copy of this key. |  |
+| Certificate Revoke List |  |  |
 ===== OpenVPN Client Setup =====