In this section we describe how to configure an OpenVPN server. This allows us to connect OpenVino clients in the field for remote updates and testing. Clients include sensor Weather Station relays and Netrabricks at wineries.
Most of the information here comes from these tutorials: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-8, https://vitux.com/how-to-install-openvpn-on-almalinux-8-centos-8-or-rocky-linux-8/ and https://openvpn.net/community-resources/how-to/
About OpenVPN and Easy-RSA
A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. OpenVPN is a full featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this section, we will set up OpenVPN on Rocky Linux 8, and then configure it to be accessible from client machines.
Easy-RSA is a public key infrastructure (PKI) management tool used to generate a certificate request that you will then verify and sign on the CA Server.
Install OpenVPN and Easy-RSA
1. Install the OpenVPN and Easy-RSA packages. Both come from the EPEL repository (see the Repository column in the output below), so EPEL must already be enabled on the host:

```
sudo dnf install openvpn easy-rsa
[sudo] password for mb93837:
DigitalOcean Agent                                151 kB/s | 3.3 kB     00:00
DigitalOcean Droplet Agent                        105 kB/s | 3.3 kB     00:00
Dependencies resolved.
==============================================================================================
 Package             Architecture    Version             Repository    Size
==============================================================================================
Installing:
 easy-rsa            noarch          3.0.8-1.el8         epel          47 k
 openvpn             x86_64          2.4.12-1.el8        epel         545 k
Installing dependencies:
 pkcs11-helper       x86_64          1.22-7.el8          epel          64 k

Transaction Summary
==============================================================================================
Install  3 Packages

Total download size: 656 k
Installed size: 1.5 M
Is this ok [y/N]: y
Downloading Packages:
(1/3): easy-rsa-3.0.8-1.el8.noarch.rpm            172 kB/s |  47 kB     00:00
(2/3): pkcs11-helper-1.22-7.el8.x86_64.rpm        234 kB/s |  64 kB     00:00
(3/3): openvpn-2.4.12-1.el8.x86_64.rpm            1.1 MB/s | 545 kB     00:00
----------------------------------------------------------------------------------------------
Total                                             900 kB/s | 656 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                       1/1
  Installing       : pkcs11-helper-1.22-7.el8.x86_64                       1/3
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                           2/3
  Installing       : openvpn-2.4.12-1.el8.x86_64                           2/3
  Running scriptlet: openvpn-2.4.12-1.el8.x86_64                           2/3
  Installing       : easy-rsa-3.0.8-1.el8.noarch                           3/3
  Running scriptlet: easy-rsa-3.0.8-1.el8.noarch                           3/3
  Verifying        : easy-rsa-3.0.8-1.el8.noarch                           1/3
  Verifying        : openvpn-2.4.12-1.el8.x86_64                           2/3
  Verifying        : pkcs11-helper-1.22-7.el8.x86_64                       3/3

Installed:
  easy-rsa-3.0.8-1.el8.noarch  openvpn-2.4.12-1.el8.x86_64  pkcs11-helper-1.22-7.el8.x86_64

Complete!
```
2. Create a new directory on the OpenVPN server, as your non-root user, called ~/easy-rsa:

```
mkdir ~/easy-rsa
```
3. Create symlinks from the easyrsa script and support files that the package installed into the new ~/easy-rsa directory:

```
ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
```
4. Ensure the directory's owner is your non-root sudo user and restrict access to that user with chmod:

```
chmod 700 ~/easy-rsa/
```
Create PKI
Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server so that you can request and manage TLS certificates for clients and other servers that will connect to your VPN. You will use this directory to manage the server and clients’ certificate requests instead of making them directly on your CA server.
To build a PKI directory on your OpenVPN server, you'll need to populate a file called vars with some default values. First cd into the easy-rsa directory, then create and edit the vars file with your preferred text editor:

```
cd ~/easy-rsa
vi vars
```

Add the following two lines to vars:

```
set_var EASYRSA_ALGO "ec"
set_var EASYRSA_DIGEST "sha512"
```
These lines will ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server.
Configuring your OpenVPN and CA servers to use ECC means that when a client and server establish a shared symmetric key, they can use Elliptic Curve algorithms for the exchange. An ECC key exchange is significantly faster than classic finite-field Diffie-Hellman combined with RSA, because the numbers involved are much smaller and the computations correspondingly cheaper.
Info (background): When clients connect to OpenVPN, they use asymmetric encryption (also known as public/private key) to perform a TLS handshake. However, when transmitting encrypted VPN traffic, the server and clients use symmetric encryption, also known as shared-key encryption. Symmetric encryption has much less computational overhead than asymmetric: the numbers used are much smaller, and modern CPUs include instructions that accelerate symmetric encryption operations. To make the switch from asymmetric to symmetric encryption, the OpenVPN server and client use the Elliptic Curve Diffie-Hellman (ECDH) algorithm to agree on a shared secret key as quickly as possible.
Once you have populated the vars file you can proceed with creating the PKI directory. To do so, run the easyrsa script with the init-pki option:

```
./easyrsa init-pki

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/mb93837/easy-rsa/pki
```
Now call the easyrsa script with the gen-req option followed by a Common Name (CN) for the machine. The CN can be anything you like, but it helps to make it something descriptive. Throughout this tutorial, the OpenVPN server's CN will be server. Be sure to include the nopass option as well: without it, the request's private key is password-protected, which can lead to permissions and startup issues later on.