The objective of this project was to install a vpn server on one of the boxes in the cloud (initially asafoetida, then moved to tarragon), in order to provide a VPN server service for a friend who was traveling. My friend uses the name Darrell for his client, so in what follows the vpn is called by this name.<\/p>\n
A lot of the instructions, even from openvpn site, say to use the \u201ceasyrsa\u201d package to generate the certificates for openvpn. This package seems to be put out by the openvpn boys, or at least with their cooperation. But I didn\u2019t do that. I created a ca with raw openssl.<\/p>\n
<\/p>\n
I built the ca on my laptop\u00a0 in \/etc\/ssl\/mycerts\/ca. The root ca is in that directory, but a subdirectory called intermediate has an intermediate ca, and that is where the actual signing is done. I probably won\u2019t leave it on the laptop. Not sure yet what I will do with the ca.<\/p>\n
Once the ca is in place, we generate the certificates for server and client as follows:<\/p>\n
First I generated 2048 private keys, one for server, one for client, with: and generated the csr (one for each), using those keys with: There are directories within \/etc\/ssl\/mycerts\/ca\/intermediate, certs\/ for the certs, and csr\/ for the requests:<\/p>\n Now use the csr to generate the certs (one for each): I also created a diffie-hellman parameter for the link: And I generated a “ta key”, which is apparently a shared key used to resist certain attacks: Also on both server and client sides, I had to build the config files for openvpn. They are called, respectively, darrell.server.conf and darrell.vpn.conf. Maybe I should have called the latter darrell.client.conf. The client side is shown later on. Here is the server side configuration file:<\/p>\n Ok, so on the server (asafoetida initially, later moved to tarragon), in \/etc\/openvpn\/server, I have the following files: The file ca-chain.cert.pem has in it both the certificate for the intermediate ca and the certificate for the root ca which signed the intermediate. Both of these are needed on the server side, for sending to the client. Later, when we build the client side, it really only needs the root ca cert.<\/p>\n Initially, I started the openvpn server manually, with: But see below discussion of automatic startup.<\/p>\n On the client side (on lemongrass), in \/etc\/openvpn\/client, I have these files: And on lemongrass also, I (initially) started the client manually with: —–END CERTIFICATE—– —–END CERTIFICATE—– —–END OpenVPN Static key V1—– The server is an amazon ec2 instance, and all ec2 instances have a firewall, called a \u201csecurity group\u201d provided by amazon. I used the same \u201csecurity group\u201d rules at the amazon level for asafoetida as for tarragon (http+mail+ssh, etc), but with an additional rule to admit udp 1194.<\/p>\n On asafoetida proper, there was not an additional iptables firewall \u2013 it had a default Accept-Accept-Accept filter table and no nat table. I added a couple of forward rules to filter, to accept forwarding of tun+ to eth0 and eth0 to tun+. Also I added a nat table postrouting rule to masquerade all output through eth0 to the vpn address.<\/p>\n On tarragon, the default redhat firewall sends forward traffic through the input chain (?), and I only had to accept udp 1194, and accept tun+., and add the nat table postrouting, so in \/etc\/sysconfig\/iptables I added: I had not previously had a nat table in the tarragon firewall, so I had to put one in: The link gets made, and the routing table on both client and server seem to be adjusted properly, but traffic doesn\u2019t flow out of the server. The problem turned out to be that I had failed to turn on ip forwarding on the box. And to make that last, I put it in \/etc\/sysctl There are systemd instance scripts for starting a client (openvpn-client@) and for starting a server (openvpn-server@). So if you put a conf file in the \/etc\/openvpn\/client directory named fred.conf, you can then do: And similarly, for an openvpn server config named darrell.conf in \/etc\/openvpn\/server: This is just a parenthetical note, to record one additional bit of experience, to help me remember. I had to reissue the certs because I failed the first time to specify the \u201cextensions\u201d part. However, you cannot reissue a cert with the same common_name (i.e. you can\u2019t generate a new cert using the same csr) until you remove the old cert, which is a better practice anyway. Then I reissued the 2 certs, with the names server2 and client2. But that isn’t relavent to these instructions, and so in the instructions above I continued to reference the certs as darrell_server.cert.pem and darrell_client.cert.pem, even though on the box the names really had the “2” appended.<\/p>\n","protected":false},"excerpt":{"rendered":" The objective of this project was to install a vpn server on one of the boxes in the cloud (initially asafoetida, then moved to tarragon), in order to provide a VPN server service for a friend who was traveling. My friend uses the name Darrell for his client, so in what follows the vpn is … Continue reading Setting Up Openvpn Server<\/span>
\nopenssl genrsa -aes256 -out client.key 2048<\/code>
\nopenssl genrsa -aes256 -out server.key 2048<\/code><\/p>\n
\nopenssl req -new -sha256 -key client.key -out client.csr<\/code>
\nopenssl req -new -sha256 -key server.key -out server.csr<\/code><\/p>\n
\ncd \/etc\/ssl\/mycerts\/ca\/intermediate
\nopenssl ca -config openssl.cnf -days 365 -notext -md sha256 -extensions server_cert -in csr\/server.csr -out certs\/darrell_server.cert.pem<\/code>
\n
\nopenssl ca -config openssl.cnf -days 365 -notext -md sha256 -extensions usr_cert -in csr\/client.csr -out certs\/darrell_client.cert.pem<\/code><\/p>\n
\nopenssl dhparam -out dhparams.pem 4096<\/code><\/p>\n
\nopenvpn --genkey --secret \/etc\/openvpn\/ta.key<\/code><\/p>\n
\n[root@tarragon server]# cat darrell.server.conf
\nport 1194
\nproto udp
\ndev tun
\nca \/etc\/openvpn\/server\/ca-chain.cert.pem
\ncert \/etc\/openvpn\/server\/certs\/darrell_server.cert.pem
\nkey \/etc\/openvpn\/server\/private\/server.key
\ndh \/etc\/openvpn\/server\/dhparams.pem
\ntopology subnet
\nserver 10.8.0.0 255.255.255.0
\nifconfig-pool-persist ipp.txt
\npush \"redirect-gateway def1 bypass-dhcp\"
\npush \"dhcp-option DNS 8.8.8.8\"
\npush \"dhcp-option DNS 1.1.1.1\"
\nkeepalive 10 120
\ntls-auth \/etc\/openvpn\/server\/ta.key 0
\ncipher AES-256-CBC
\ncompress lz4-v2
\npush \"compress lz4-v2\"
\nuser nobody
\ngroup nobody
\npersist-key
\npersist-tun
\nstatus \/etc\/openvpn\/server\/darrell-status.log
\nverb 3
\nexplicit-exit-notify 1
\ntls-auth ta.key 0
\nauth SHA512
\n<\/code><\/p>\n
\nca-chain.cert.pem
\ncerts\/darrell_server.cert.pem
\ndhparams.pem
\nprivate\/server.key
\ndarrell.server.conf
\nta.key<\/code><\/p>\n
\ncd \/etc\/openvpn\/server
\nopenvpn darrell.server.conf<\/code><\/p>\nClient Side<\/h5>\n
\nclient.key
\ndarrell_client.cert.pem
\ndarrell.vpn.conf<\/code><\/p>\n
\ncd \/etc\/openvpn\/client
\nopenvpn darrell.vpn.conf<\/code>
\nHere is the entire client config file \/etc\/openvpn\/client\/darrell.vpn.conf:
\nroot@lemongrass:#cd \/etc\/openvpn\/client
\nroot@lemongrass:#cat darrell.vpn.conf
\nclient
\ndev tun
\nproto udp
\nremote 54.203.69.119 1194
\nresolv-retry infinite
\nremote-random
\nnobind
\npersist-key
\npersist-tun
\nping 15
\nping-restart 0
\nping-timer-rem
\nreneg-sec 0
\nexplicit-exit-notify 3
\nverb 3
\npull
\nfast-io
\ncipher AES-256-CBC
\nauth SHA512
\ncert darrell_client.cert.pem
\nkey client.key
\nremote-cert-tls server
\n<ca>
\n-----BEGIN CERTIFICATE-----
\nMIIF5DCCA8ygAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYcxCzAJBgNVBAYTAlVT
\nMREwDwYDVQQIDAhDb2xvcmFkbzETMBEGA1UEBwwKQnJvb21maWVsZDETMBEGA1UE
\n...<\/code><\/p>\n
\n—–BEGIN CERTIFICATE—–
\nMIIF9jCCA96gAwIBAgIJAMrX0lux8xc+MA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
\nVQQGEwJVUzERMA8GA1UECAwIQ29sb3JhZG8xEzARBgNVBAcMCkJyb29tZmllbGQx
\n…<\/p>\n
\n<\/ca>
\nkey-direction 1
\n<tls-auth>
\n#
\n# 2048 bit OpenVPN static key
\n#
\n—–BEGIN OpenVPN Static key V1—–
\nfb167340f0c74c249b435dcddc75e7e7
\nadffe06ea124488cf244724749306f6f
\n…<\/p>\n
\n<\/tls-auth><\/p>\nFirewall adjustments<\/h5>\n
\n-A RH-Firewall-1-INPUT -i tun+ -j ACCEPT
\n-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT<\/code><\/p>\n
\n*nat
\n:PREROUTING ACCEPT [4:240]
\n:INPUT ACCEPT [4:240]
\n:OUTPUT ACCEPT [2:135]
\n:POSTROUTING ACCEPT [2:135]
\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/code><\/p>\n
\necho \u201c1\u201d > \/proc\/sys\/net\/ipv4\/ip_forward<\/code><\/p>\n
\nnet.sys.ipv4.ip_forward = 1<\/code><\/p>\nStarting Automatically<\/h5>\n
\nsystemctl enable openvpn-client@fred<\/code><\/p>\n
\nsystemctl enable openvpn-server@darrell<\/code><\/p>\nRevoking Certificates<\/h5>\n
\nopenssl ca -config openssl.cnf -revoke certs\/darrell_server.cert.pem<\/code><\/p>\n