In this section we describe how to configure an OpenVPN server. This allows is to connect OpenVino clients in the field for remote updates and testing. Clients include sensor Weather Station relays and Netrabricks at wineries.
Most of the information found here is from these tutorials: https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-8 and https://vitux.com/how-to-install-openvpn-on-almalinux-8-centos-8-or-rocky-linux-8/ and https://openvpn.net/community-resources/how-to/
About OpenVPN and Easy-RSA
A Virtual Private Network (VPN) allows you to traverse untrusted networks as if you were on a private network. OpenVPN is a full featured, open-source Transport Layer Security (TLS) VPN solution that accommodates a wide range of configurations. In this section, we will set up OpenVPN on Rocky Linux 8, and then configure it to be accessible from client machines.
Easy-RSA is a public key infrastructure (PKI) management tool used to generate a certificate request that you will then verify and sign on the CA Server.
Install OpenVPN and Easy-RSA
Install OpenVPN and Easy-RSA packages
sudo dnf install openvpn easy-rsa [sudo] password for mb93837: DigitalOcean Agent 151 kB/s | 3.3 kB 00:00 DigitalOcean Droplet Agent 105 kB/s | 3.3 kB 00:00 Dependencies resolved. ============================================================================================== Package Architecture Version Repository Size ============================================================================================== Installing: easy-rsa noarch 3.0.8-1.el8 epel 47 k openvpn x86_64 2.4.12-1.el8 epel 545 k Installing dependencies: pkcs11-helper x86_64 1.22-7.el8 epel 64 k Transaction Summary ============================================================================================== Install 3 Packages Total download size: 656 k Installed size: 1.5 M Is this ok [y/N]: y Downloading Packages: (1/3): easy-rsa-3.0.8-1.el8.noarch.rpm 172 kB/s | 47 kB 00:00 (2/3): pkcs11-helper-1.22-7.el8.x86_64.rpm 234 kB/s | 64 kB 00:00 (3/3): openvpn-2.4.12-1.el8.x86_64.rpm 1.1 MB/s | 545 kB 00:00 ---------------------------------------------------------------------------------------------- Total 900 kB/s | 656 kB 00:00 Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Installing : pkcs11-helper-1.22-7.el8.x86_64 1/3 Running scriptlet: openvpn-2.4.12-1.el8.x86_64 2/3 Installing : openvpn-2.4.12-1.el8.x86_64 2/3 Running scriptlet: openvpn-2.4.12-1.el8.x86_64 2/3 Installing : easy-rsa-3.0.8-1.el8.noarch 3/3 Running scriptlet: easy-rsa-3.0.8-1.el8.noarch 3/3 Verifying : easy-rsa-3.0.8-1.el8.noarch 1/3 Verifying : openvpn-2.4.12-1.el8.x86_64 2/3 Verifying : pkcs11-helper-1.22-7.el8.x86_64 3/3 Installed: easy-rsa-3.0.8-1.el8.noarch openvpn-2.4.12-1.el8.x86_64 pkcs11-helper-1.22-7.el8.x86_64 Complete!
2. Create a new directory on the OpenVPN Server as your non-root user called ~/easy-rsa
:
mkdir ~/easy-rsa
3. Create a symlink from the easyrsa
script that the package installed into the new ~/easy-rsa
directory:
ln -s /usr/share/easy-rsa/3/* ~/easy-rsa/
4. Ensure the directory’s owner is your non-root sudo user and restrict access to that user using chmod
:
chmod 700 easy-rsa/
Create PKI
Before you can create your OpenVPN server’s private key and certificate, you need to create a local Public Key Infrastructure directory on your OpenVPN server so that you can request and manage TLS certificates for clients and other servers that will connect to your VPN. You will use this directory to manage the server and clients’ certificate requests instead of making them directly on your CA server.
To build a PKI directory on your OpenVPN server, you’ll need to populate a file called vars
with some default values. First you will cd
into the easy-rsa
directory, then you will create and edit the vars
file with your preferred text editor.
cd easy-rsa vi vars set_var EASYRSA_REQ_COUNTRY "AR" set_var EASYRSA_REQ_PROVINCE "Mendoza" set_var EASYRSA_REQ_CITY "Costaflores" set_var EASYRSA_REQ_ORG "OpenVino" set_var EASYRSA_REQ_EMAIL "admin@openvino.org" set_var EASYRSA_REQ_OU "Community" set_var EASYRSA_ALGO "ec" set_var EASYRSA_DIGEST "sha512"
These lines will ensure that your private keys and certificate requests are configured to use modern Elliptic Curve Cryptography (ECC) to generate keys and secure signatures for your clients and OpenVPN server.
Configuring your OpenVPN & CA servers to use ECC means when a client and server attempt to establish a shared symmetric key, they can use Elliptic Curve algorithms to do their exchange. Using ECC for a key exchange is significantly faster than using plain Diffie-Hellman with the classic RSA algorithm since the numbers are much smaller and the computations are faster.
Background: When clients connect to OpenVPN, they use asymmetric encryption (also known as public/private key) to perform a TLS handshake. However, when transmitting encrypted VPN traffic, the server and clients use symmetric encryption, which is also known as shared key encryption.
There is much less computational overhead with symmetric encryption compared to asymmetric: the numbers that are used are much smaller, and modern CPUs integrate instructions to perform optimized symmetric encryption operations. To make the switch from asymmetric to symmetric encryption, the OpenVPN server and client will use the Elliptic Curve Diffie-Hellman (ECDH) algorithm to agree on a shared secret key as quickly as possible.
To create the root public and private key pair for your Certificate Authority, run the ./easy-rsa
command again, this time with the build-ca
option.
In the output, you’ll see some lines about the OpenSSL version and you will be prompted to enter a passphrase for your key pair. Be sure to choose a strong passphrase, and note it down somewhere safe. You will need to input the passphrase any time that you need to interact with your CA, for example to sign or revoke a certificate.
You will also be asked to confirm the Common Name (CN) for your CA. The CN is the name used to refer to this machine in the context of the Certificate Authority. You can enter any string of characters for the CA’s Common Name but for simplicity’s sake, press ENTER to accept the default name.
./easyrsa build-ca Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021 Enter New CA Key Passphrase: Re-Enter New CA Key Passphrase: Generating RSA private key, 2048 bit long modulus (2 primes) ........................................................................................................................................................+++++ ..................................+++++ e is 65537 (0x010001) You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [Easy-RSA CA]:sierra CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: /home/mtb/easy-rsa/pki/ca.crt
Once you have populated the vars
file you can proceed with creating the PKI directory. To do so, run the easyrsa
script with the init-pki
option:
./easyrsa init-pki init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /home/mb93837/easy-rsa/pki
Now call the easyrsa
with the gen-req
option followed by a Common Name (CN) for the machine. The CN can be anything you like but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN Server’s CN will be server
. Be sure to include the nopass
option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on.
Create an OpenVPN Server Certificate Request and Private Key
Now that the OpenVPN server has all the prerequisites installed, the next step is to generate a private key and Certificate Signing Request (CSR) on the OpenVPN server. After that we’ll transfer the request over to the CA to be signed, creating the required certificate.
Once we have a signed certificate, we can transfer it back to the OpenVPN server and install it for the server to use.
To start, navigate to the ~/easy-rsa
directory on your OpenVPN Server as your non-root user:
Now we’ll call easyrsa
with the gen-req
option followed by a Common Name (CN) for the machine. The CN can be anything we like, but it can be helpful to make it something descriptive. Throughout this tutorial, the OpenVPN Server’s CN will be jujitsu
. Be sure to include the nopass
option as well. Failing to do so will password-protect the request file which could lead to permissions issues later on.
$ cd easy-rsa/ ./easyrsa gen-req jujitsu nopass Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021 Generating a RSA private key .........................+++++ ...........................................+++++ writing new private key to '/home/mtb/easy-rsa/pki/easy-rsa-167240.ZwGFxk/tmp.Jchss' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Common Name (eg: your user, host, or server name) [jujitsu]: Keypair and certificate request completed. Your files are: req: /home/mtb/easy-rsa/pki/reqs/jujitsu.req key: /home/mtb/easy-rsa/pki/private/jujitsu.key
This will create a private key for the server and a certificate request file called server.req
. Copy the server key to the /etc/openvpn/server
directory:
sudo cp /home/mb93837/easy-rsa/pki/private/jujitsu.key /etc/openvpn/server/
After completing these steps, we have successfully created a private key the your OpenVPN server. We have also generated a Certificate Signing Request for the OpenVPN server. The CSR is now ready for signing by our CA.
In the next section of this tutorial we will learn how to sign a CSR with the CA server’s private key.
Signing the OpenVPN Server’s Certificate Request
In the previous step we created a Certificate Signing Request (CSR) and private key for the OpenVPN server. Now the CA server needs to know about the jujitsu
certificate and validate it. Once the CA validates and relays the certificate back to the OpenVPN server, clients that trust our CA will be able to trust the OpenVPN server as well.
On the OpenVPN server, as our non-root user, use SCP or another transfer method to copy the jujitsu.req
certificate request to the CA server for signing:
scp /home/mb93837/easy-rsa/pki/reqs/jujitsu.req mb93837@your_ca_server:/tmp
Now log in to the CA server as the non-root user that owns the easy-rsa
directory, where you created your PKI. Import the certificate request using the easyrsa
script:
cd ~/easy-rsa ./easyrsa import-req /tmp/jujitsu server Output . . . The request has been successfully imported with a short name of: server You may now use this name to perform signing operations on this request.
Next, sign the request by running the easyrsa
script with the sign-req
option, followed by the request type and the Common Name. The request type can either be client
or server
. Since we’re working with the OpenVPN server’s certificate request, be sure to use the server
request type:
./easyrsa sign-req server jujitsu Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a server certificate for 825 days: subject= commonName = jujitsu Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /home/mb93837/easy-rsa/pki/easy-rsa-173154.vNkGC/tmp.N1FFKn Enter pass phrase for /home/mb93837/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'jujitsu' Certificate is to be certified until Oct 16 14:56:37 2024 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /home/mb93837/easy-rsa/pki/issued/jujitsu.crt
Note that if you encrypted your CA private key, you’ll be prompted for your password at this point.
With those steps complete, you have signed the OpenVPN server’s certificate request using the CA server’s private key. The resulting jujitsu.crt
file contains the OpenVPN server’s public encryption key, as well as a signature from the CA server. The point of the signature is to tell anyone who trusts the CA server that they can also trust the OpenVPN server when they connect to it.
To finish configuring the certificates, copy the jujitsu.crt
and ca.crt
files from the CA server to the OpenVPN server:
scp pki/issued/jujitsu.crt sammy@your_vpn_server_ip:/tmp scp pki/ca.crt sammy@your_vpn_server_ip:/tmp
Now back on your OpenVPN server, copy the files from /tmp
to /etc/openvpn/server
:
sudo cp /tmp/{jujitsu.crt,ca.crt} /etc/openvpn/server
Now your OpenVPN server is nearly ready to accept connections. In the next step you’ll perform some additional steps to increase the security of the server.
Configuring OpenVPN Cryptographic Material
For an additional layer of security, we’ll add an extra shared secret key that the server and all clients will use with OpenVPN’s tls-crypt
directive. This option is used to obfuscate the TLS certificate that is used when a server and client connect to each other initially. It is also used by the OpenVPN server to perform quick checks on incoming packets: if a packet is signed using the pre-shared key, then the server processes it; if it is not signed, then the server knows it is from an untrusted source and can discard it without having to perform additional decryption work.
This option will help ensure that your OpenVPN server is able to cope with unauthenticated traffic, port scans, and Denial of Service attacks, which can tie up server resources. It also makes it harder to identify OpenVPN network traffic.
To generate the tls-crypt
pre-shared key, run the following on the OpenVPN server in the ~/easy-rsa
directory:
cd ~/easy-rsa openvpn --genkey --secret ta.key
The result will be a file called ta.key
. Copy it to the /etc/openvpn/server/
directory:
sudo cp ta.key /etc/openvpn/server
With these files in place on the OpenVPN server we are ready to create client certificates and key files for your users, which you will use to connect to the VPN.
Generating a Client Certificate and Key Pair
Although you can generate a private key and certificate request on your client machine and then send it to the CA to be signed, this guide outlines a process for generating the certificate request on the OpenVPN server. The benefit of this approach is that we can create a script that will automatically generate client configuration files that contain all of the required keys and certificates. This lets you avoid having to transfer keys, certificates, and configuration files to clients and streamlines the process of joining the VPN.
We will generate a single client key and certificate pair for this guide. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as client1
.
Get started by creating a directory structure within your home directory to store the client certificate and key files:
mkdir -p ~/client-configs/keys
Since you will store your clients’ certificate/key pairs and configuration files in this directory, you should lock down its permissions now as a security measure:
chmod -R 700 ~/client-configs
Next, navigate back to the EasyRSA directory and run the easyrsa
script with the gen-req
and nopass
options, along with the common name for the client:
cd ~/easy-rsa ./easyrsa gen-req foxtrot nopass
Press ENTER
to confirm the common name. Then, copy the client1.key
file to the ~/client-configs/keys/
directory you created earlier:
cp pki/private/foxtrot.key ~/client-configs/keys/
Next, transfer the foxtrot.req
file to your CA Server using a secure method:
scp pki/reqs/foxtrot.req sammy@your_ca_server_ip:/tmp
Now log in to your CA Server. Then, navigate to the EasyRSA directory, and import the certificate request:
cd ~/easy-rsa ./easyrsa import-req /tmp/foxtrot.req foxtrot_opvn
Next, sign the request the same way as you did for the server in the previous step. This time, though, be sure to specify the client
request type:
./easyrsa sign-req client foxtrot_opvn
When prompted, enter yes
to confirm that you intend to sign the certificate request and that it came from a trusted source.
Again, if you encrypted your CA key, you’ll be prompted for your password here.
This will create a client certificate file named foxtrot.crt
. Transfer this file back to the server:
./easyrsa sign-req client foxtrot_opvn Using SSL: openssl OpenSSL 1.1.1k FIPS 25 Mar 2021 You are about to sign the following certificate. Please check over the details shown below for accuracy. Note that this request has not been cryptographically verified. Please be sure it came from a trusted source or that you have verified the request checksum with the sender. Request subject, to be signed as a client certificate for 825 days: subject= commonName = foxtrot Type the word 'yes' to continue, or any other input to abort. Confirm request details: yes Using configuration from /home/mtb/easy-rsa/pki/easy-rsa-2126405.rYvSXd/tmp.0bCYxi Enter pass phrase for /home/mtb/easy-rsa/pki/private/ca.key: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows commonName :ASN.1 12:'foxtrot' Certificate is to be certified until Oct 27 09:00:51 2024 GMT (825 days) Write out database with 1 new entries Data Base Updated Certificate created at: /home/mtb/easy-rsa/pki/issued/foxtrot_opvn.crt
This will create a client certificate file named foxtrot_opvn.crt
. Transfer this file back to the server:
scp pki/issued/client1.crt sammy@your_server_ip:/tmp
Back on your OpenVPN server, copy the client certificate to the ~/client-configs/keys/
directory:
cp /tmp/client1.crt ~/client-configs/keys/
Next, copy the ca.crt
and ta.key
files to the ~/client-configs/keys/
directory as well, and set the appropriate permissions for your sudo user:
cp ~/easy-rsa/ta.key ~/client-configs/keys/ sudo cp /etc/openvpn/server/ca.crt ~/client-configs/keys/ sudo chown mb93837:mb93837 ~/client-configs/keys/*
With that, your server and client’s certificates and keys have all been generated and are stored in the appropriate directories on your OpenVPN server. There are still a few actions that need to be performed with these files, but those will come in a later step. For now, you can move on to configuring OpenVPN.
Configuring OpenVPN
Like many other widely used open-source tools, OpenVPN has numerous configuration options available to customize your server for your specific needs. In this section, we will provide instructions on how to set up an OpenVPN server configuration based on one of the sample configuration files that is included within this software’s documentation.
First, copy the sample server.conf
file as a starting point for your own configuration file:
sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server
Open the new file for editing with the text editor of your choice. We’ll use vi for our example, because we weren’t born yesterday:
sudo vi /etc/openvpn/server/server.conf
We’ll need to change a few lines in this file. First, find the HMAC
section of the configuration by searching for the tls-auth
directive. This line should be uncommented. Comment it out by adding a ;
to the beginning of the line. Then add a new line after it containing the value tls-crypt ta.key
only:
;tls-auth ta.key 0 # This file is secret tls-crypt ta.key
Next, find the section on cryptographic ciphers by looking for the cipher
lines. The default value is set to AES-256-CBC
, however, the AES-256-GCM
cipher offers a better level of encryption, performance, and is well supported in up-to-date OpenVPN clients. We’ll comment out the default value by adding a ;
sign to the beginning of this line, and then we’ll add another line after it containing the updated value of AES-256-GCM
:
;cipher AES-256-CBC cipher AES-256-GCM