I customized the steps on this page from the OpenVPN wiki.
Install OpenVPN on the server you just built like this:
yum install -y easy-rsa openvpn
This should create the empty directories /etc/openvpn, /etc/openvpn/client, and /etc/openvpn/server.
OpenVPN depends on the easy-rsa scripts and should have its own copy of them. Copy the easy-rsa scripts and files like this:
mkdir /etc/openvpn/easy-rsa; cp -rai /usr/share/easy-rsa/3/* /etc/openvpn/easy-rsa/
If Alice needs to access private information inside Bob’s company, it’s vital that Bob makes sure Alice really is Alice, and Alice makes sure Bob really is Bob. We call this mutual authentication. It’s a big deal.
Today’s best practice checks some attribute from two of the three possible factors. These are:
- something you have
- something you know
- something you are
There are lots of choices. For this OpenVPN setup, I chose certificates – something both the client and server have, and a certificate password – something people know.
See my presentation about trust on the internet for more about certificates. Here is a summary of the theory.
- Alice and Bob need to mutually authenticate.
- They both trust Cathy. Cathy takes on a role called certificate authority, or CA.
- Cathy attests they both are who they claim to be.
- Since Alice and Bob both trust Cathy, now they also trust each other.
Cathy does this by signing certificates for both Alice and Bob. The trick is, how do Alice and Bob know Cathy signed the certificates, and not somebody impersonating Cathy? A technology called public key cryptography solves this problem. It works like this:
- Find a cryptography algorithm that encrypts with one key and decrypts with another.
- Declare one key private and share the other key with the public.
- Cathy shares her public key and a clear text copy of her signature with the world.
- Cathy encrypts her signature with her private key. Anyone can decrypt it with her public key.
- If Cathy’s decrypted signature matches the clear text copy, then Alice and Bob can trust Cathy really did sign it.
We use this same technology every day when we buy goods and services online.
The OpenVPN documentation suggests setting up a certificate authority (CA) on a separate system, or at least a separate directory on the OpenVPN server. The documentation also suggests generating server and client certificates from the server and clients. But this is a simple setup using Windows clients, and so we’ll use the OpenVPN server as its own CA and put the certificates and keys into specified directories on the server. Generate certificates from the server and copy them to each client as part of client setup.
This implementation uses its own self-signed CA certificate rather than one from a public CA. This works because the server trusts itself, and clients trust the server. And so, the server is the best CA to sign certificates.
From the OpenVPN server, set up the CA like this:
mkdir /etc/openvpn/ca
cd /etc/openvpn/ca
/etc/openvpn/easy-rsa/easyrsa init-pki
/etc/openvpn/easy-rsa/easyrsa build-ca
Use an easy-to-remember, but hard-to-guess passphrase. See my presentation about passphrases for more.
Set up the server keypair and certificate request like this:
cd /etc/openvpn/server
/etc/openvpn/easy-rsa/easyrsa init-pki
/etc/openvpn/easy-rsa/easyrsa gen-req OVPNserver2020 nopass
# (Where OVPNserver2020 is the hostname of your OpenVPN server from earlier)
Send the server request to the CA so it can be reviewed and signed, and then generate the signed server certificate. This step essentially copies the request file from /etc/openvpn/server/pki/reqs/OVPNserver2020.req to /etc/openvpn/ca/pki/reqs/OVPNserver2020.req to prepare it for review and signing.
cd /etc/openvpn/ca
/etc/openvpn/easy-rsa/easyrsa import-req /etc/openvpn/server/pki/reqs/OVPNserver2020.req OVPNserver2020
# (Where OVPNserver2020 is the hostname of your OpenVPN server)
Review the request.
cd /etc/openvpn/ca
/etc/openvpn/easy-rsa/easyrsa show-req OVPNserver2020
Sign it as a server certificate (the server type sets the extensions that mark the certificate for server use).
cd /etc/openvpn/ca
/etc/openvpn/easy-rsa/easyrsa sign-req server OVPNserver2020
Put a copy of the server and CA certificates where they belong for the config file to pick them up.
cp /etc/openvpn/ca/pki/issued/OVPNserver2020.crt /etc/openvpn/server/pki/
cp /etc/openvpn/ca/pki/ca.crt /etc/openvpn/server/pki/
Generate Diffie-Hellman parameters so clients and the server can exchange session keys.
cd /etc/openvpn/server
/etc/openvpn/easy-rsa/easyrsa gen-dh
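As an added example, not part of the original page or of the OpenVPN project, the script below rebuilds the CA, request and signing steps above with the openssl CLI (assumed installed) in a scratch directory so it runs anywhere, and then performs the check worth doing before copying certificates into /etc/openvpn/server/pki: the issued certificate must chain to ca.crt and must carry the server extended key usage that easyrsa sign-req server sets, which is what clients configured with remote-cert-tls server rely on. "Example CA" and the scratch paths are made-up values.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> request -> sign with plain
# openssl in a scratch directory, then verify the result before deployment.
# Assumes the openssl CLI is installed; "Example CA" and the paths are made up.

# make_pki DIR HOST: self-signed CA plus a server certificate it signs.
make_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # CA keypair and self-signed CA certificate (the role of "easyrsa build-ca")
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server keypair and request (the role of "easyrsa gen-req HOST nopass")
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.req" >/dev/null 2>&1
    # Server-type extensions; "easyrsa sign-req server" adds the same ones
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$dir/server.ext"
    # CA signs the request (the role of "easyrsa sign-req server HOST")
    openssl x509 -req -in "$dir/$host.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/$host.crt" >/dev/null 2>&1
}

# verify_issued CA_CRT CRT: succeed only if CRT chains to CA_CRT and is
# marked for server use, so clients using "remote-cert-tls server" accept it.
verify_issued() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' || return 1
}
```

The same check applies to the real files produced by the steps above: verify_issued /etc/openvpn/server/pki/ca.crt /etc/openvpn/server/pki/OVPNserver2020.crt should succeed, and a certificate signed by any other CA should fail it.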
One-time PKI setup for clients:
This turns out not to be necessary. I simplified the process, and all client certificates will live at /etc/openvpn/ca.
cd /etc/openvpn/client
/etc/openvpn/easy-rsa/easyrsa init-pki