Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| technical:openvpn_setup [2018/12/03 08:36] – [Customizable Web Page Setup Parameters] bob | technical:openvpn_setup [2018/12/20 13:18] (current) – [Generate the master Certificate Authority (CA) certificate & key] bob | ||
|---|---|---|---|
| Line 47: | Line 47: | ||
| ==== Generate the master Certificate Authority (CA) certificate & key ==== | ==== Generate the master Certificate Authority (CA) certificate & key ==== | ||
| - | Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): | + | Use easy-rsa 2, a set of scripts which is bundled with OpenVPN. With the Windows OpenVPN client open up a Command Prompt window with administrative privileges and cd to c:\Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files). Skip this if you already have vars.bat setup the way you like it. : |
| < | < | ||
| Line 71: | Line 71: | ||
| build-ca | build-ca | ||
| </ | </ | ||
| + | |||
| + | The " | ||
| + | |||
| + | < | ||
| + | # Build a cert authority valid for ten years, starting now | ||
| + | openssl req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %KEY_CONFIG% | ||
| + | </ | ||
| + | |||
| + | Substitute " | ||
| The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command. My certificate looked like: | The final command (build-ca) will build the certificate authority (CA) certificate and key by invoking the interactive openssl command. My certificate looked like: | ||
| Line 220: | Line 229: | ||
| - | ==== Generate | + | ==== Generate |
| Generate a certificate and private key for the server. On Windows: | Generate a certificate and private key for the server. On Windows: | ||
| Line 233: | Line 242: | ||
| * “1 out of 1 certificate requests certified, commit? [y/n]”. | * “1 out of 1 certificate requests certified, commit? [y/n]”. | ||
| - | ==== Generate | + | The " |
| + | |||
| + | < | ||
| + | # Build a request for a cert that will be valid for ten years | ||
| + | openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% | ||
| + | # Sign the cert request with our ca, creating a cert/key pair | ||
| + | openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG% | ||
| + | </ | ||
| + | |||
| + | ==== Generate | ||
| Generating client certificates is very similar to the previous step. On Windows: | Generating client certificates is very similar to the previous step. On Windows: | ||
| Line 244: | Line 262: | ||
| Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, | Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. “client1”, | ||
| + | |||
| + | The “build-key” command generates client files by first building a Certificate Signing Request (CSR) and then signing the CSR. It issues these OpenSSL commands: | ||
| + | |||
| + | < | ||
| + | # Build a request for a cert that will be valid for ten years | ||
| + | openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG% | ||
| + | # Sign the cert request with our ca, creating a cert/key pair | ||
| + | openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG% | ||
| + | </ | ||
| Clients can generate their own private key locally. To do this they submit a Certificate Signing Request (CSR) to the key signer. The key-signer can then processed the CSR and returned a signed certificate to the client. | Clients can generate their own private key locally. To do this they submit a Certificate Signing Request (CSR) to the key signer. The key-signer can then processed the CSR and returned a signed certificate to the client. | ||
| - | ==== Generate Diffie Hellman | + | |
| + | ==== Generate Diffie Hellman | ||
| Diffie Hellman parameters must be generated for the OpenVPN server. On Windows: | Diffie Hellman parameters must be generated for the OpenVPN server. On Windows: | ||
| Line 276: | Line 304: | ||
| [[https:// | [[https:// | ||
| - | To avoid IP address conflicts in a routed configuration: | + | Here is another great article on setting up a [[https:// |
| + | |||
| + | When using tunneling mode, to avoid IP address conflicts in a routed configuration: | ||
| * the private LAN IP subnet | * the private LAN IP subnet | ||
| Line 282: | Line 312: | ||
| * the remote LAN subnet | * the remote LAN subnet | ||
| - | must all be different from each other. | + | must all be different from each other. I used bridge mode and avoided all the routing stuff. |
| Choose subnets for the private LAN and the VPN that are unlikely to conflict. I chose 192.168.100.x for my home LAN. | Choose subnets for the private LAN and the VPN that are unlikely to conflict. I chose 192.168.100.x for my home LAN. | ||
| Line 288: | Line 318: | ||
| ==== Customizable Web Page Setup Parameters ==== | ==== Customizable Web Page Setup Parameters ==== | ||
| - | * DD-WRT default settings in {} | + | <WRAP center round tip 80%> |
| - | * OpenVPN config example | + | Settings are stored |
| + | </ | ||
| ^ Setting | ^ Setting | ||