doc:howto:openvpn-streamlined-server-setup

Differences

This shows you the differences between two versions of the page.

doc:howto:openvpn-streamlined-server-setup [2017/09/15 16:25]
JW0914 [Encryption] Added openssl-util as a required package to install
doc:howto:openvpn-streamlined-server-setup [2017/10/05 02:28] (current)
JW0914 Corrected V3 profile names to bring into alignment with edits done to the openssl.cnf
Line 315: Line 315:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_main</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​
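Review bot: The renamed `-extensions v3_ca` on the Generate CA command only works if `./openssl.cnf` actually contains a `[ v3_ca ]` section carrying the CA constraints (a `basicConstraints` with `CA:TRUE` and a `keyUsage` allowing keyCertSign and cRLSign); the openssl.cnf edit the commit message refers to is not part of this diff, so the section name should be verified against the config before publishing, otherwise `openssl req -x509` fails while loading the extension section. Separately, `<color #4B4B4B4>` on both the Generate CA and Generate CA CRL bullets (unchanged on both sides of the diff) is a seven-digit hex value; a six-digit value such as `#4B4B4B` is what the color syntax expects.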
Line 443: Line 443:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​+  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​
     * **''​-nodes''​** creates a signing key without encryption     * **''​-nodes''​** creates a signing key without encryption
       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\
-  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​+  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​
   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/​OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
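Review bot: In the Generate VPN Server CSR command, `-days 3650` has no effect, since `openssl req` only applies `-days` when `-x509` is given; the certificate lifetime comes from the `-days 3650` on the `openssl x509 -req` signing command. Likewise, `openssl x509 -req` does not carry extensions over from the CSR, so the renamed `-extensions v3_vpn_server` together with `-extfile ./openssl.cnf` on the signing command is what determines the server certificate's extensions; the same flag on the CSR is harmless but redundant, and the `[ v3_vpn_server ]` section must exist in the config for the signing step to succeed. One naming inconsistency to check: the signing key is referenced as `ca/OpenVPN-ICA.key`, while every other key on the page uses the `.key.pem` suffix (`ca/OpenWrt-CA.key.pem`, `openvpn/vpn-server.key.pem`), so that path should be confirmed against the file the intermediate CA step actually writes.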
Line 1635: Line 1635:
   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**
     * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\     * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\
-  * <color #​960000>​**//​Please do not publish questions directly to this Wiki//​**</​color>​**//, as://**+  * <color #​960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​
     * //Most importantly,​ it's __not__ monitored for questions//     * //Most importantly,​ it's __not__ monitored for questions//
     * //It clutters the Wiki, possibly making it more difficult for others to navigate//     * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.txt · Last modified: 2017/10/05 02:28 by JW0914