OpenVPN and certificates

Posted on October 2, 2012
Tags: hackhard

1 Overview

graph LR
  CSR -->|Generated by the user| CA
  CA -->|Issues| LocalCert
  LocalCert -->|Contains| CertData
  LocalCert -->|Dependent on| CertPrivateKey

graph LR
  subgraph Client
    CA -->|Issues| LC["LC: Client Certificate"]
    LC -->|Contains| CD["CD: Certificate Data"]
    LC -->|Dependent on| PKI["PKI: Certificate Private Key"]
    PKI -->|Installed on client| ClientX["VPN Client"]
  end
  subgraph Server
    CSR2["CSR: Certificate Signing Request"] -->|Generated| CA["CA: Certificate Authority"]
    CA -->|Issues| LC2["LC: Server Certificate"]
    LC2 -->|Contains| CD2["CD: Certificate Data"]
    LC2 -->|"Dependent on"| PKI2["PKI: Certificate Private Key"]
    PKI2 -->|"Installed on server"| ServerX["VPN Server"]
  end
  Client --> Server["Encrypted VPN Connection"]

2 OpenVPN on OpenWrt

2.1 IMPORTANT: set up the working directory

opkg install openvpn-openssl openvpn-easy-rsa
cd /etc/openvpn
#mkdir /etc/openvpn first if it doesn't exist

ALL commands must be executed within /etc/openvpn

2.2 modify the default expiration duration

  • expiration of the cert root authority (CA) is normally set at 10 years (3650 days)
  • server cert is normally set at 825 days
nano /usr/lib/easy-rsa/vars
#to override a default, remove the leading # from the line and change the number
#set_var EASYRSA_CA_EXPIRE      3650
#set_var EASYRSA_CERT_EXPIRE    825

2.3 Generate cert root authority

  • init-pki creates a pki folder
    • all easyrsa commands must be run from the directory that contains pki, meaning ALL easyrsa commands must be executed within /etc/openvpn
easyrsa init-pki
#creates PKI directory in /etc/openvpn/pki
easyrsa build-ca
#Enter New CA Key Passphrase: bleh   <--- you can leave it blank
#Enter PEM pass phrase: bleh    <--- you can leave it blank
#Common Name: Easy-RSA OpenVPN CA
#root cert created in /etc/openvpn/pki/ca.crt

2.4 Generate 2048-bit Diffie-Hellman parameters

easyrsa gen-dh
#diffie hellman parameters of size 2048 created in /etc/openvpn/pki/dh.pem

2.5 Generate Server .crt and .key

easyrsa --subject-alt-name="DNS:bleh.local" build-server-full 830montrose.local nopass
#Enter pass phrase for /etc/openvpn/pki/private/ca.key > bleh
# the above is the pass phrase we used when we made the root cert authority
# nopass means the new server key itself is written without a passphrase

#830montrose.local.crt is created at /etc/openvpn/pki/issued/830montrose.local.crt
#830montrose.local.key is created at /etc/openvpn/pki/private/830montrose.local.key

2.6 Generate Client .crt and .key

easyrsa build-client-full root nopass
#root.crt is created at /etc/openvpn/pki/issued/root.crt
#root.key is created at /etc/openvpn/pki/private/root.key
#the client needs ca.crt, root.crt and root.key

2.7 (Optional) deleting server crt and key via revoking

  • Maybe your server key has too short an expiration date, so now you want to remove it. By revoking it, 830montrose.local.key and 830montrose.local.crt will be deleted and the database will be updated as well
  • Manually deleting the key and crt isn't secure
  • You can't overwrite your old server cert by issuing a new one with the same name
easyrsa revoke 830montrose.local
easyrsa gen-crl
#the CRL is written to /etc/openvpn/pki/crl.pem; regenerate it after every revoke
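The script below is an added example, not the post's own commands and not part of easy-rsa or OpenVPN. It builds a throwaway CA, server certificate and CRL with plain openssl in a temp directory so that the check functions can run anywhere, then runs the checks you would point at the easy-rsa output on the router: does the cert chain to ca.crt, is it still valid for N days (the EASYRSA_CERT_EXPIRE change from 2.2), does it carry the DNS SAN and the server EKU that build-server-full sets (2.5), and is it rejected once revoked and a new CRL is generated (2.7). The CA name, the host name vpn.example.test and the temp paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from easy-rsa/OpenVPN.
# It builds a throwaway PKI with plain openssl so the check functions can run
# anywhere, then exercises them. On a real OpenWrt box, point the same
# functions at /etc/openvpn/pki/ca.crt, pki/issued/<name>.crt and pki/crl.pem.
# The CA name, host name vpn.example.test and all paths are constructed.
set -eu

# make_test_pki DIR: 10-year CA, one 825-day server cert, and an empty CRL.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"            # openssl ca's certificate database
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 825
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
default_md = sha256
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF
    # self-signed root (what build-ca produces); key left unencrypted like "nopass"
    openssl req -x509 -config "$dir/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Test OpenVPN CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # CSR + CA-signed server cert (what build-server-full does in one step)
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=vpn.example.test" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$dir/ca.cnf" -extensions server_ext \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    # empty CRL so that -crl_check has something to consult
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# verify_cert CA CRL CERT: "ok" if CERT chains to CA and is not listed in CRL.
verify_cert() {
    if openssl verify -CAfile "$1" -CRLfile "$2" -crl_check "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# valid_for_days CERT DAYS: "yes" if CERT's notAfter is more than DAYS away.
valid_for_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# has_dns_san CERT NAME: "yes" if the subjectAltName extension lists DNS:NAME.
has_dns_san() {
    if openssl x509 -in "$1" -noout -text | grep -qw "DNS:$2"; then echo yes; else echo no; fi
}

# is_server_cert CERT: "yes" if the EKU marks it for TLS server use, which is
# what an OpenVPN client configured with 'remote-cert-tls server' insists on.
is_server_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo yes
    else
        echo no
    fi
}

# revoke_cert DIR CERT: mark CERT revoked in the CA database and re-issue the CRL.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "chain to CA:   $(verify_cert "$work/ca.crt" "$work/crl.pem" "$work/server.crt")"
    echo "30 days left:  $(valid_for_days "$work/server.crt" 30)"
    echo "900 days left: $(valid_for_days "$work/server.crt" 900)"
    echo "DNS SAN:       $(has_dns_san "$work/server.crt" vpn.example.test)"
    echo "server EKU:    $(is_server_cert "$work/server.crt")"
    revoke_cert "$work" "$work/server.crt"
    echo "after revoke:  $(verify_cert "$work/ca.crt" "$work/crl.pem" "$work/server.crt")"
    rm -rf "$work"
}
demo
```

The "after revoke" check is the same test OpenVPN performs at connection time, but only if the server config contains `crl-verify /etc/openvpn/pki/crl.pem`; without that directive a revoked client cert still authenticates, and the CRL must be regenerated with gen-crl after every revoke.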