Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
technical:openvpn_setup [2018/12/03 08:08] – [DD-WRT Router Setup] bobtechnical:openvpn_setup [2018/12/20 13:18] (current) – [Generate the master Certificate Authority (CA) certificate & key] bob
Line 47: Line 47:
 ==== Generate the master Certificate Authority (CA) certificate & key ==== ==== Generate the master Certificate Authority (CA) certificate & key ====
  
-Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files):+Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files). Skip this if you already have vars.bat setup the way you like it. :
  
 <code>init-config</code> <code>init-config</code>
Line 71: Line 71:
 build-ca build-ca
 </code> </code>
 +
 +The "build-ca" command issues this OpenSSL command:
 +
 +<code>
 +# Build a cert authority valid for ten years, starting now
 +openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG%
 +</code>
 +
 +Substitute "-enddate YYMMDDHHMMSSZ" to specify an end date instead.
  
 The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command. My certificate looked like: The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command. My certificate looked like:
Line 220: Line 229:
  
  
-==== Generate certificate key for server ====+==== Generate Certificate Key for Server ====
  
 Generate a certificate and private key for the server. On Windows: Generate a certificate and private key for the server. On Windows:
Line 233: Line 242:
   * “1 out of 1 certificate requests certified, commit? [y/n]”.   * “1 out of 1 certificate requests certified, commit? [y/n]”.
  
-==== Generate certificates keys for clients ====+The "build-key-server" command generates server files by first building a Certificate Signing Request (CSR) and then signing the CSR. It issues these OpenSSL commands: 
 + 
 +<code> 
 +# Build a request for a cert that will be valid for ten years 
 +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% 
 +# Sign the cert request with our ca, creating a cert/key pair 
 +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG% 
 +</code> 
 + 
 +==== Generate Certificates Keys for Clients ====
  
 Generating client certificates is very similar to the previous step. On Windows: Generating client certificates is very similar to the previous step. On Windows:
Line 244: Line 262:
  
 Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client. Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, “client2”, or “client3”. Always use a unique common name for each client.
 +
 +The “build-key” command generates client files by first building a Certificate Signing Request (CSR) and then signing the CSR. It issues these OpenSSL commands:
 +
 +<code>
 +# Build a request for a cert that will be valid for ten years
 +openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
 +# Sign the cert request with our ca, creating a cert/key pair
 +openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
 +</code>
  
 Clients can generate their own private key locally. To do this they submit a Certificate Signing Request (CSR) to the key signer. The key-signer can then processed the CSR and returned a signed certificate to the client. Clients can generate their own private key locally. To do this they submit a Certificate Signing Request (CSR) to the key signer. The key-signer can then processed the CSR and returned a signed certificate to the client.
  
-==== Generate Diffie Hellman parameters ====+ 
 +==== Generate Diffie Hellman Parameters ====
  
 Diffie Hellman parameters must be generated for the OpenVPN server. On Windows: Diffie Hellman parameters must be generated for the OpenVPN server. On Windows:
Line 276: Line 304:
 [[https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_Remote_Access_by_Static_Key_%28The_Simple_Way%29|OpenVPN Remote Access By Static Key (The Simple Way)]] [[https://wiki.dd-wrt.com/wiki/index.php/OpenVPN_Remote_Access_by_Static_Key_%28The_Simple_Way%29|OpenVPN Remote Access By Static Key (The Simple Way)]]
  
-To avoid IP address conflicts in a routed configuration:+Here is another great article on setting up a [[https://advancedhomeserver.com/dd-wrt-and-openvpn-part-3/|home OpenVPN server]]. 
 + 
 +When using tunneling mode, to avoid IP address conflicts in a routed configuration:
  
   * the private LAN IP subnet   * the private LAN IP subnet
Line 282: Line 312:
   * the remote LAN subnet   * the remote LAN subnet
  
-must all be different from each other.+must all be different from each other. I used bridge mode and avoided all the routing stuff.
  
 Choose subnets for the private LAN and the VPN that are unlikely to conflict. I chose 192.168.100.x for my home LAN. Choose subnets for the private LAN and the VPN that are unlikely to conflict. I chose 192.168.100.x for my home LAN.
Line 288: Line 318:
 ==== Customizable Web Page Setup Parameters ==== ==== Customizable Web Page Setup Parameters ====
  
-  * DD-WRT default settings in {}  +<WRAP center round tip 80%> 
-  * OpenVPN config example in []+Settings are stored in NVRAM which is limited in size. Only store the PEM version of keys and certs to save space. If there isn't enough space in NVRAM some of these settings will mysteriously disappear after saving. 
 +</WRAP>
  
 ^  Setting  ^ Description ^ Default ^ ^  Setting  ^ Description ^ Default ^
-| Start Type | Use "System". "WAN Up" doesnt work. | {} +| Start Type | Use "System". "WAN Up" doesnt work. |  
-| Server Mode | The mode of tunneling. TUN: routing (layer 3), TAP: bridging networks (layer 2). | {} [dev-type tun/tap] +| Server Mode | The mode of tunneling. TUN: routing (layer 3), TAP: bridging networks (layer 2). |  
-| DHCP-Proxy mode | Only in bridge mode. Let the clients use the network DHCP server not the OpenVPN DHCP. | {} [] +| DHCP-Proxy mode | Only in bridge mode. Let the clients use the network DHCP server not the OpenVPN DHCP. |  
-| Pool start IP | 1st IP of the IP pool used (Only in bridge mode). | [] +| Pool start IP | 1st IP of the IP pool used (Only in bridge mode). |  
-| Pool end IP | Last IP of the IP pool used (Only in bridge mode). | [] +| Pool end IP | Last IP of the IP pool used (Only in bridge mode). |  
-| Gateway | Default gateway to use (Only in bridge mode). | [] +| Gateway | Default gateway to use (Only in bridge mode). |  
-| Network (e.g. 10.10.10.0) | Network to use for the tunnel (Only in routing mode). | [] +| Network (e.g. 10.10.10.0) | Network to use for the tunnel (Only in routing mode). |  
-| Netmask (e.g. 255.255.255.0) | Netmask of the used network. | [] +| Netmask (e.g. 255.255.255.0) | Netmask of the used network. |  
-| Block DHCP accross the tunnel | Don't allow DHCP requests across tunnel (Only in bridge mode).| | +| Block DHCP across the tunnel | Don't allow DHCP requests across tunnel (Only in bridge mode).|  
-| Port | Port which OpenVPN server listens on. | {1194} [port xxx] +| Port | Port which OpenVPN server listens on. | 1194 | 
-| Tunnel Protocol | The subprotocol the connection will use on the real used tcp connection. | {udp} [proto udp/tcp] +| Tunnel Protocol | The subprotocol the connection will use on the real used tcp connection. | UDP 
-| Encryption Cipher | The encryption algorithm that will be used for the tunnel. Blowfish: fastest to AES512 safest. | {AES128} [cipher xxx] +| Encryption Cipher | The encryption algorithm that will be used for the tunnel. Blowfish: fastest to AES512 safest. | AES128 | 
-| Hash Algorithm (None and MD4 to SHA512) | The hash algorithm that will be used. MD4: fastest (maybe unsafe) to SHA512. | {SHA256} [auth xxx] +| Hash Algorithm (None and MD4 to SHA512) | The hash algorithm that will be used. MD4: fastest (maybe unsafe) to SHA512. | SHA256 | 
-| Advanced options | Leave defaults as is if you dont know what you are doing. | {disabled+| Advanced options | Leave defaults as is if you dont know what you are doing. | disabled | 
-| LZO Compression | Enables compression over VPN. This might speedup the connection. Must be the same value as on server. | {yes} [comp-lzo yes/no/adaptive/disabled] +| LZO Compression | Enables compression over VPN. This might speedup the connection. Must be the same value as on server. | yes | 
-| Redirect default Gateway | Force the clients to use the tunnel as default gateway. | {disabled} [] +| Redirect default Gateway | Force the clients to use the tunnel as default gateway. | disabled | 
-| Allow Client to Client | Allow clients to see each other. | {disabled} [client-to-client] |+| Allow Client to Client | Allow clients to see each other. | disabled |
 | Allow duplicate cn | Allow to use 1 client cert to use on multiple clients (security risk) |  | | Allow duplicate cn | Allow to use 1 client cert to use on multiple clients (security risk) |  |
-| TUN MTU Setting | Set the MTU of the tunnel | {1500} [tun-mtu xxx] |  +| TUN MTU Setting | Set the MTU of the tunnel | 1500 |  
-| MSS-Fix/Fragment across the tunnel | Set mss-fix and fragmentaion accross the tunnel. | {empty} [fragment xxx] [mssfix] +| MSS-Fix/Fragment across the tunnel | Set mss-fix and fragmentaion accross the tunnel. |  
-| TLS Cipher | What encryption algorithm OpenVPN should use for encrypting its control channel. | {disabled} [] +| TLS Cipher | What encryption algorithm OpenVPN should use for encrypting its control channel. | disabled | 
-| Additional Config | Any additional configurations you want to define for the VPN connection. | {empty} |+| Additional Config | Any additional configurations you want to define for the VPN connection. |  |
 | Public Server Cert | Server certificate issued by CA for this particular router (usually server.crt); also only part between 'BEGIN' and 'END' is required. |  | | Public Server Cert | Server certificate issued by CA for this particular router (usually server.crt); also only part between 'BEGIN' and 'END' is required. |  |
 | CA Cert | The master key which is used to sign each of the server and client certificates. Certificate in PEM form (usually ca.crt); only part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is necessary; as it is stored in NVRAM, everything else from that file should be removed to conserve space. |  | | CA Cert | The master key which is used to sign each of the server and client certificates. Certificate in PEM form (usually ca.crt); only part between (and including) -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is necessary; as it is stored in NVRAM, everything else from that file should be removed to conserve space. |  |
 | Private Server Key | Key associated with certificate above (usually server.key); should be kept secret because anybody who knows this key can successfully authenticate client certificates. |  | | Private Server Key | Key associated with certificate above (usually server.key); should be kept secret because anybody who knows this key can successfully authenticate client certificates. |  |
 | DH PEM | Diffie Hellman parameters generated for the OpenVPN server (usually dh1024.pem) |  | | DH PEM | Diffie Hellman parameters generated for the OpenVPN server (usually dh1024.pem) |  |
-| Additional Config | Any additional configurations you want to define for the VPN connection. | {empty} |+| Additional Config | Any additional configurations you want to define for the VPN connection. |  |
 | TLS Auth Key | The static key OpenVPN should use for generating HMAC send/receive keys. For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding. The server and each client must have a copy of this key. |  | | TLS Auth Key | The static key OpenVPN should use for generating HMAC send/receive keys. For extra security beyond that provided by SSL/TLS, create an "HMAC firewall" to help block DoS attacks and UDP port flooding. The server and each client must have a copy of this key. |  |
 | Certificate Revoke List |  |  | | Certificate Revoke List |  |  |