Introduction

Client-server IP-only Networks

As a routed, TUN-style setup is the most commonly used deployment model, some of the sample configuration files presented in this chapter will be reused throughout the rest of the book. In particular, the configuration files such as basic-udp-server.conf, basic-

udp-client.conf, basic-tcp-server.conf, and basic-tcp-client.conf from the recipe Server-side routing will be reused often, as well as the Windows client configuration files basic-udp-client.ovpn and basic-tcp-client.ovpn from the recipe, Using an ifconfig-pool block.

Setting up the public and private keys

Before we can set up a client/server VPN, we need to set up the Public Key Infrastructure

(PKI) first. The PKI comprises the Certificate Authority, the private keys, and the certificates (public keys) for both the client and server. We also need to generate a Diffie-Hellman parameter file that is required for perfect forward secrecy.

For setting up the PKI, we make use of the easy-rsa scripts supplied by the OpenVPN distribution itself.

Getting ready

The PKI needs to be set up on a trusted computer. This can be the same as the computer on which the OpenVPN server is run, but from a security point of view, it is best if the PKI is kept completely separated from the rest of the OpenVPN services. One option is to keep the PKI

Certificate Authority (CA) key located on a separate, external disk, which is attached only when needed. Another option would be to keep the CA private key on a separate computer that is not hooked up to any network at all.

This recipe was done on Linux, but can also be done on a Mac OS machine. On Windows, the commands are very similar as well. The Linux easy-rsa scripts are meant to be run from a bash-like shell, so make sure you are not running csh/tcsh (UNIX shells).

How to do it...

1.Create the directories for the PKI and copy over the easy-rsa distribution from your OpenVPN installation:

$ mkdir -m 700 -p /etc/openvpn/cookbook/keys $ cd /etc/openvpn/cookbook

$ cp -drp /usr/share/openvpn/easy-rsa/2.0/* .

32

Chapter 2

2.Note that there is no need to run these commands as the root user, provided that the user is allowed to create the above directory path.

3.Next, we set up the vars file. Create a file containing the following:

export EASY_RSA=/etc/openvpn/cookbook export OPENSSL="openssl"

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` export KEY_DIR="$EASY_RSA/keys"

export PKCS11_MODULE_PATH="dummy" export PKCS11_PIN="dummy"

export KEY_SIZE=2048 export CA_EXPIRE=3650 export KEY_EXPIRE=1000 export KEY_COUNTRY="NL" export KEY_PROVINCE= export KEY_CITY=

export KEY_ORG="Cookbook"

export KEY_EMAIL="openvpn-ca@cookbook.example.com"

Note that the PKCS11_MODULE_PATH and PKCS11_PIN entries are needed even if you are not using smart cards.

The default KEY_SIZE of 2048 bits is sufficiently secure for the next few years. A larger key size (4096 bits) is possible, but the trade off is a performance penalty. We shall generate a 4096 bit CA private key, as performance is not an issue here.

Adjust the settings (KEY_ORG, KEY_EMAIL) to reflect your organization. The meaning of these settings is explained in more details later.

4.Source the vars file and generate the CA private key and certificate, using a 4096 bit modulus. Choose a strong password for the CA certificate. After that, simply press the

Enter key every time the script asks for input:

$ cd /etc/openvpn/cookbook $ . ./vars

$ ./clean-all

$ KEY_SIZE=4096 ./build-ca --pass

33

Client-server IP-only Networks

Sample output:

5.Next, we build the server certificate. When the script asks for input, press the Enter key. When the script asks for the ca.key password, enter the password for the CA certificate. Finally, when the script asks for a [y/n] answer, type y:

$ ./build-key-server openvpnserver

Generating a 1024 bit RSA private key

.....++++++

.......................++++++

writing new private key to 'openvpnserver.key'

-----

[…]

-----

Country Name (2 letter code) [NL]: State or Province Name (full name) []: Locality Name (eg, city) []:

Organization Name (eg, company) [Cookbook]: Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) [openvpnserver]:

Name []:

Email Address [openvpn-ca@cookbook.example.com]:

34

Chapter 2

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/openvpn/cookbook/openssl.cnf Enter pass phrase for /etc/openvpn/cookbook/keys/ca.key:[enter CA key password] Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

Certificate is to be certified until Jan 30 11:59:06 2013 GMT (1000 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries

Data Base Updated

6.The first client certificate is generated in a batch. It is a very fast method for generating a client certificate but it is not possible to set a password on the client's private key file:

$ ./build-key-server --batch openvpnclient1

35

Client-server IP-only Networks

7.The second client certificate is generated with a password. Choose a strong password (but different than the CA certificate password!). The output is abbreviated for clarity:

$ ./build-key-pass openvpnclient2

Generating a 1024 bit RSA private key

...++++++

..++++++

writing new private key to 'openvpnclient2.key' Enter PEM pass phrase:[enter private key password]

Verifying - Enter PEM pass phrase: [enter password again]

[…]

Enter pass phrase for

/etc/openvpn/cookbook /keys/ca.key:[enter CA key password] […]

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries

Data Base Updated

8. Next, build the Diffie-Hellman parameter file for the server:

9. And finally, the tls-auth key file:

$ openvpn --genkey --secret ta.key

How it works...

The easy-rsa scripts are a handy set of wrapper scripts around some of the openssl ca commands. The openssl ca commands are commonly used to set up a PKI using X509 certificates. The build-dh script is a wrapper for the openssl dh command.

36

Chapter 2

There's more...

Using the easy-rsa scripts on Windows

To use the easy-rsa scripts on Windows, a command window (cmd.exe) is needed and the starting ./ needs to be removed from all the commands, for example:

[Win]C:> vars [Win]C:> clean-all [Win]C:> build-ca

Some notes on the different variables

The following variables are set in the vars file:

KEY_SIZE=2048: This is the cipher strength for all private keys. The longer the key size is, the stronger the encryption. Unfortunately, it also makes the encryption process slower.

CA_EXPIRE=3650: This gives the number of days the CA certificate is considered valid, thus translating to a period of 10 years. For a medium-secure setup, this is fine, but if stronger security is required this number needs to be lowered.

KEY_EXPIRE=1000: This gives the number of days for which the client of server certificate is considered valid, thus translating to a period of almost 3 years.

KEY_COUNTRY="NL", KEY_PROVINCE=, KEY_CITY=, KEY_ORG="Cookbook", KEY_EMAIL=openvpn-ca@cookbook.example.com: These variables are all used to form the certificate Distinguished Name (DN). None of them are required, but both

OpenVPN and OpenSSL suggest using at least KEY_COUNTRY to indicate where a certificate was issued.

See also

See Chapter 4, PKI, Certificates, and OpenSSL, for a lengthier introduction to the easy-rsa scripts and the openssl commands.

37