doc:howto:openvpn-streamlined-server-setup
This wiki is read only and for archival purposes only. >>>>>>>>>> Please use the new OpenWrt wiki at https://openwrt.org/ <<<<<<<<<<

Differences

This shows you the differences between two versions of the page.

doc:howto:openvpn-streamlined-server-setup [2017/06/06 12:26]
Routetheworld Fixed Signing Client Certs With CA Command
doc:howto:openvpn-streamlined-server-setup [2018/01/18 05:21]
JW0914 [Introduction] Added a wrap box to fix ToC misalignment
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
  
-<​WRAP ​indent>+<​WRAP ​box 78em lo>
  
 +<tabbox Purpose>
 +<color #​508CAA>​**VPN Server Purpose**</​color>​
  
-==== VPN Requirements ====+  * Provides an encrypted remote connection over WAN to router and downstream devices
  
-<WRAP 75em lo> +  * If Gateway Redirect is utilized, it provides an encrypted connection ​for local traffic
-Five requirements ​for SSL VPNs: +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption [Certificates]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network [VPN Interface]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall [Traffic Rules]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server [Config]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients [Config]]] +
-</​WRAP>​+
  
 +<tabbox Requirements>​
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​
 +
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\
 +
 +<tabbox Editing>
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]] ​ [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​
 +<color #​508CAA>​**Editing Configs**</​color>​
 +
 +  * Vim is the default command line text editor\\ \\
 +  * If you've never utilized Vim before, please see the Vim Tutorial
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​
 +</​tabbox>​
 </​WRAP>​ </​WRAP>​
 +
  
  
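Review bot: the second Purpose bullet, "provides an encrypted connection for local traffic", reads as if LAN traffic were being encrypted; what redirect-gateway actually does is route all of the client's traffic, Internet-bound included, through the tunnel, so something like "encrypts all of the client's traffic, including Internet traffic, by routing it through the VPN" states the benefit precisely. The trailing `\\ \\` on the last Requirements item and on the Vim item are spacing hacks inside list markup; padding via the WRAP box would keep the lists clean.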
Line 38: Line 51:
  
 <WRAP box lo> <WRAP box lo>
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]]</​wrap>​+<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
Line 45: Line 58:
  
   - **Install Packages:**   - **Install Packages:**
-    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn</​color>''//​\\ \\+    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn ​openssl-util</​color>''//​\\ \\
   - **Download openssl.cnf:​**   - **Download openssl.cnf:​**
     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\
Line 55: Line 68:
         * Serial is in hex, not dec[//​imal//​] format\\ \\         * Serial is in hex, not dec[//​imal//​] format\\ \\
   - **Create CRLnumber file**   - **Create CRLnumber file**
-    - //''<​color #​647D00>​echo 00 > crlnumber</​color>''//​+    - //''<​color #​647D00>​echo 00 > crl/crlnumber</​color>''//​
             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\
   - **Create Index file**   - **Create Index file**
     - //''<​color #​647D00>​touch index</​color>''//​     - //''<​color #​647D00>​touch index</​color>''//​
-      * Maintains an index of all certs issued <​sup><​color #​646464>​[lines ​698 738]</​color></​sup>​+      * Maintains an index of all certs issued <​sup><​color #​646464>​[lines ​644 689]</​color></​sup>​
         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\
   - **Create Rand file**   - **Create Rand file**
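Review bot: `echo 00 > crl/crlnumber` now writes into a subdirectory, but nothing in the visible steps creates `crl/`, so the redirect fails with "No such file or directory" unless a `mkdir -p crl` precedes it (the CRL commands further down also write into `crl/`). The value itself is fine: `crlnumber` is hex, matching the note on the serial file just above.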
Line 299: Line 312:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  ​- **CRL Directory** <​sup><​color #​646464>​[Lines 68 + 69]</​color></​sup>​ +  - **Certificate Authorities** <​sup>​[Line ​177]</​sup>​
-    - In order to avoid an openssl error when generating the CA, modify the following options: +
-      - **Line 68:** crlnumber = $DIR/​crl/​crlnumber +
-      - **Line 69:** crl = $DIR/​crl/​ca.crl.pem +
- +
-  ​- **Certificate Authorities** <​sup>​[Line ​180]</​sup>​+
     - //Main//     - //Main//
-      - **Line ​186:** ''<​color #​647D00>​DNS.1 = //​Router.1//</​color>''​+      - **Line ​183:** ''<​color #​647D00>​DNS.1 = //​Router.1//</​color>''​
         * //Change// ''<​color #​007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\         * //Change// ''<​color #​007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\
   - **Certificate Authority Clients** <​sup><​color #​646464>​[Line 205]</​color></​sup>​   - **Certificate Authority Clients** <​sup><​color #​646464>​[Line 205]</​color></​sup>​
     - //Servers//     - //Servers//
-      * **Lines:​** ​211 233+      * **Lines:​** ​198 220
     - //Clients//     - //Clients//
-      * **Lines:​** ​235 239\\ \\ +      * **Lines:​** ​222 226\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ca_main</​color>''​ **to** ''<​color #​647D00>​alt_ca_//​openwrt//</​color>''<​sup><​color #​646464>​[lines 185, 306, & 310]</​color></​sup>​ +
-    - **Line 185:** ''<​color #​647D00>​[ alt_ca_//​openwrt//​ ]</​color>''​ +
-    - **Line 306:** ''<​color #​647D00>​[ v3_ca_//​openwrt//​ ]</​color>''​ +
-    - **Line 310:** ''<​color #​647D00>​subjectAltName = @alt_ca_//​openwrt//</​color>''​+
 </​WRAP>​ </​WRAP>​
  
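Review bot: the "Certificate Authority Clients" reference still reads `[Line 205]` on both sides while every neighbouring reference in this hunk moved up by 13 (180 to 177, 186 to 183, 211 to 198, 235 to 222), so it is probably stale and should be checked against the current openssl.cnf. Dropping the `alt_ca_main`/`v3_ca_main` rename step is only consistent if every later `-extensions` argument uses the config's default section names; the CA command in the next hunk does (`v3_ca`), so the two changes belong together.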
Line 324: Line 328:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_openwrt</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​
Line 343: Line 347:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  - **Certificate Authorities** <​sup><​color #​646464>​[Line ​180]</​color></​sup>​+  - **Certificate Authorities** <​sup><​color #​646464>​[Line ​177]</​color></​sup>​
     - //Router 2//     - //Router 2//
-      - **Line ​191:** ''<​color #​647D00>​DNS.1 = //​Router.2//</​color>''​+      - **Line ​188:** ''<​color #​647D00>​DNS.1 = //​Router.2//</​color>''​
         * //Change// ''<​color #​007DC8>​Router.2</​color>''​ //to what you'd like the name of your Intermediate CA to be//\\ \\         * //Change// ''<​color #​007DC8>​Router.2</​color>''​ //to what you'd like the name of your Intermediate CA to be//\\ \\
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​[Line ​242]</​color></​sup>​+  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​[Line ​229]</​color></​sup>​
     -//​Servers//​     -//​Servers//​
-      * **Lines:​** ​248 264+      * **Lines:​** ​235 251
     - //Clients//     - //Clients//
-      * **Lines:​** ​266 274:\\ \\ +      * **Lines:​** ​253 261:\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ica_router2</​color>''​ **to** ''<​color #​647D00>​alt_ica_//​openvpn//</​color>''​ <​sup><​color #​646464>​[lines 190, 313, & 317]</​color></​sup>​ +
-    - **Line 190:** ''<​color #​647D00>​[ alt_ica_//​openvpn//​ ]</​color>''​ +
-    - **Line 313:** ''<​color #​647D00>​[ v3_ica_//​openvpn//​ ]</​color>''​ +
-    - **Line 317:** ''<​color #​647D00>​subjectAltName = @alt_ica_//​openvpn//</​color>''​+
 </​WRAP>​ </​WRAP>​
  
Line 363: Line 363:
 <color #​508CAA>​**ICA OpenSSL Commands**</​color>​ <color #​508CAA>​**ICA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​
   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​
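Review bot: in the ICA CSR command, `-extensions v3_ica_router2` and `-days 3650` have no effect: with the OpenSSL 1.0.2 shown in the logs below, `openssl req` honours `-extensions` and `-days` only together with `-x509`, and extensions for a CSR are requested with `-reqexts`. The signing step applies the section anyway through `-extfile ./openssl.cnf -extensions v3_ica_router2`, so the resulting certificate is correct, but the CSR line should drop the two flags (or use `-reqexts`) so readers do not assume they matter.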
Line 381: Line 381:
 <color #​508CAA>​**Index Info**</​color>​ <color #​508CAA>​**Index Info**</​color>​
  
-  * **If wishing to maintain the index file automatically,​** ''​openssl ca''​ **must be used to sign certs**+  * **If wishing to maintain the index file automatically,​** ''​<color #647D00>openssl ca</​color>​''​ **must be used to sign certs**
     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
  
Line 442: Line 442:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​242)</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​229)</​sup>​ 
-    - //Change the SAN alt name// ​''<​color #​647D00>​alt_vpn_server2</​color>''​ //to// ''<​color #​647D00>​alt_//​openvpn_server//</​color>''​ +    - //Change the server'SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>''​ //to match your VPN Server IP// 
-      - **Line 262:** ''<​color #​647D00>​[ alt_//​openvpn_server//​ ]</​color>''​\\ \\ +      - **Line ​250:** ''<​color #​647D00>​IP.1 = //​10.0.1.1//</​color>''​\\ \\
-    - //Change the SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>''​ //to match your VPN Server IP// +
-      - **Line ​263:** ''<​color #​647D00>​IP.1 = //​10.0.1.1//</​color>''​\\ \\+
     - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>''​ //to match your own DDNS and/or FQDN//     - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>''​ //to match your own DDNS and/or FQDN//
-      - **Line ​264:** ''<​color #​647D00>​DNS.1 = //​your.ddns.com//</​color>''​+      - **Line ​251:** ''<​color #​647D00>​DNS.1 = //​your.ddns.com//</​color>''​
         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
- 
-**__V3 Profile__** 
- 
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line 427)</​color></​sup>​ 
-    - //Change the V3 profile name from// ''<​color #​647D00>​[ v3_//​vpn_server2//​ ]</​color>''​ //to match alt name set above// 
-      - **Line 450:** ''<​color #​647D00>​[ v3_//​openvpn_server//​ ]</​color>''​\\ \\ 
-    - //Change the SAN alt name from// ''<​color #​647D00>​@alt_//​vpn_server2//</​color>''​ //to match alt name set above// 
-      - **Line 456:** ''<​color #​647D00>​subjectAltName = @alt_//​openvpn_server//</​color>''​ 
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
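Review bot: typo in the new SAN step: `//Change the server'SAN IP from//` should read `//Change the server's SAN IP from//`.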
Line 466: Line 456:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​+  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​
     * **''​-nodes''​** creates a signing key without encryption     * **''​-nodes''​** creates a signing key without encryption
       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\
-  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​ +  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​ 
-  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
     * ICA is still used to sign the certs it issues     * ICA is still used to sign the certs it issues
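Review bot: the PKCS12 export now references `ca/OpenWrt-OpenVPN_CA-Chain.crt.pem`, while the client export further down still uses `ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem`; neither file is produced by any visible step, so either one name is a typo or the chain-building step is missing, and the two should agree. Because the server cert is signed by the ICA, the chain bundled here has to contain the ICA cert (plus the root, unless clients get it separately) or clients cannot validate the server.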
Line 494: Line 484:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​242)</​color></​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​229)</​color></​sup>​
-    - //Change the SAN alt name// ''<​color #​647D00>​alt_vpn2_user1''​ //to// ''​alt_//​openvpn_<​username>//</​color>''​ +
-      - **Line 267:** ''<​color #​647D00>​[ alt_//​openvpn_<​username>//​ ]</​color>''​\\ \\+
     - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ //to match client username//     - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ //to match client username//
-      - **Line ​268:** ''<​color #​647D00>​DNS.1 = //​VPN-<​username>​-Hostname//</​color>''​+      - **Line ​255:** ''<​color #​647D00>​DNS.1 = //​VPN-<​username>​-Hostname//</​color>''​
         * //This makes configuring CCD more convenient//​\\ \\         * //This makes configuring CCD more convenient//​\\ \\
     - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>''​ //to user's email//     - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>''​ //to user's email//
-      - **Line ​269** ''<​color #​647D00>​email.1 = //​user1@email.com//</​color>''​ +      - **Line ​256** ''<​color #​647D00>​email.1 = //​user1@email.com//</​color>''​
- +
-**__V3 Profile__** +
- +
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line 427)</​color></​sup>​ +
-    - //Change the V3 profile name from// ''<​color #​647D00>​[ v3_vpn2_user1 ]</​color>''​ //to match alt name set above// +
-      - **Line 459:** ''<​color #​647D00>​[ v3_//​openvpn_<​username>//​ ]</​color>''​\\ \\ +
-    - //Change the SAN alt name from// ''<​color #​647D00>​@alt_vpn2_user1</​color>''​ //to match alt name set above// +
-      - **Line 465:** ''<​color #​647D00>​subjectAltName = @alt_//​openvpn_<​username>​//</​color>''​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
Line 518: Line 498:
 <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​   - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
 </​tabbox>​ </​tabbox>​
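Review bot: the signing command now passes `-CAkey ca/OpenWrt-CA.key`, but the CA key is generated as `ca/OpenWrt-CA.key.pem` in "Generate CA" and the ICA signing step still uses that name, so this command will fail with a missing-file error; revert to `ca/OpenWrt-CA.key.pem`. The unchanged export line also refers to `openvpn/clients/vpn-client1.key.pem` and `vpn-client1.crt.pem`, whereas the two commands above write `vpn-client1-<username>-<hostname>.key.pem` and `.crt.pem`.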
Line 548: Line 528:
 <WRAP 51.5em lo> <WRAP 51.5em lo>
  
-  - **Generate TLS-Auth key** <​sup>​(<​color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/ta.key</​code>​+  - **Generate TLS-Auth key** <​sup>​(<​color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/tls-auth.key</​code>​
     * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\     * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\
     * ''​tls-auth''​ requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients     * ''​tls-auth''​ requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients
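Review bot: the key is renamed to `openvpn/tls-auth.key` here and in the server config and chroot lines, but the Android section of this same revision writes `tlsauth.key` (no hyphen) in three places; pick one spelling. Separately, the unchanged explanation that tls-auth "ensures Perfect Forward Secrecy" is inaccurate: tls-auth adds an HMAC to control-channel packets so that unauthenticated packets are discarded before the TLS handshake, which helps against port scanning and DoS, while forward secrecy comes from the ephemeral (EC)DHE key exchange selected by the tls_cipher list.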
Line 737: Line 717:
     option ​ path            '/​etc/​firewall.user'​     option ​ path            '/​etc/​firewall.user'​
  
-# Default ​OpenWRT ​Rule #+# Default ​OpenWrt ​Rule #
 config defaults config defaults
     option ​ input           '​ACCEPT'​     option ​ input           '​ACCEPT'​
Line 940: Line 920:
  
   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**
-    * DNS primary & secondary are [[https://developers.google.com/speed/public-dns/​docs/​using|Google's]]+    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?​url=familyshield|OpenDNS']]
     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice
       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\
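Review bot: the link text `OpenDNS'` has a stray apostrophe; `OpenDNS FamilyShield` would also tell readers what actually changed, since the `?url=familyshield` setup guide and the 208.67.222.123 / 208.67.220.123 resolvers pushed in the server config are OpenDNS's content-filtering service rather than plain resolvers. Readers who do not want filtered DNS for their VPN clients need to know to substitute their own.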
Line 947: Line 927:
   * **Two or more servers can be run from this config file**   * **Two or more servers can be run from this config file**
     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\
-  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**+  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** ​\\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #​647D00>​option ​ tls_cipher</​color>''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>''​
  
  
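Review bot: `openssl --show-tls` is not an openssl subcommand; the tool that lists cipher suites in the `TLS-...` naming that `option tls_cipher` expects is `openvpn --show-tls`. `openssl ciphers -V` prints OpenSSL names (e.g. `ECDHE-RSA-AES256-GCM-SHA384`) with a protocol column, so `grep TLS` / `grep SSL` filters on the minimum protocol version rather than on a "TLS cipher" versus "SSL cipher" class, and the names still have to be translated to the OpenVPN form before use. The EC bullet would be clearer as "ECDHE key exchange is cheaper than DHE", which is the distinction the cipher list below actually draws.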
Line 983: Line 972:
     list    push                '​dhcp-option ​   DNS 192.168.1.1'​     list    push                '​dhcp-option ​   DNS 192.168.1.1'​
     list    push                '​dhcp-option ​   WINS 192.168.1.1'​     list    push                '​dhcp-option ​   WINS 192.168.1.1'​
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​   DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'+    list    push                '​dhcp-option ​   DNS 208.67.220.123'
     list    push                '​dhcp-option ​   NTP 129.6.15.30'​     list    push                '​dhcp-option ​   NTP 129.6.15.30'​
  
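Review bot: the first DNS push line is missing its closing quote (`'dhcp-option DNS 208.67.222.123` with no trailing `'`, while the next line has one); the old line had the same defect, but since the line is being edited here it should be fixed now, as UCI rejects the unterminated string when the config is loaded.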
Line 998: Line 987:
     option ​ cipher ​             AES-256-CBC     option ​ cipher ​             AES-256-CBC
     option ​ auth                '​SHA512'​     option ​ auth                '​SHA512'​
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​ta.key 0'+    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0'
     ​     ​
     # TLS:     # TLS:
     option ​ tls_server ​         1     option ​ tls_server ​         1
     option ​ tls_version_min ​    1.2     option ​ tls_version_min ​    1.2
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:​TLS-RSA-WITH-AES-256-CBC-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4'​+    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:!kRSA'
  
     # Logging #      # Logging # 
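Review bot: `TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384` in the new tls_cipher list is a static-ECDH suite: it requires an EC public key in the server certificate, so with the RSA-keyed server cert generated above it can never be negotiated, and even where it could it gives no forward secrecy. Drop it and keep the ECDHE/DHE suites, which together with `!kRSA` make every negotiable suite forward-secret. With OpenVPN 2.4 (mentioned in the notes above) the data channel could likewise move from `AES-256-CBC` to `AES-256-GCM`.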
Line 1056: Line 1045:
         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem
         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​ta.key 0'+        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​
Line 1104: Line 1093:
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
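Review bot: this block is a captured startup log (timestamps from Oct 2016) and the path inside it has been edited by hand to `tls-auth.key`; output presented as real should either stay verbatim or be re-captured after the rename, otherwise readers cannot rely on it matching what their own server prints. The same applies to the second log block below.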
Line 1138: Line 1127:
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1197: Line 1186:
   * **PKCS12 certs are installed into the //Android Keychain//​**   * **PKCS12 certs are installed into the //Android Keychain//​**
     * As a security feature, a warning toast will always appear in the notification area due to user installed certs     * As a security feature, a warning toast will always appear in the notification area due to user installed certs
-      * This toast can be removed if you have a rooted device by following Toast Removal tutorial+      * This toast can be removed if you have a rooted device by following Toast Removal tutorial ​\\ \\
     * Another option is to include all certs & keys via inline XML within the client config file     * Another option is to include all certs & keys via inline XML within the client config file
-    ​* //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ +      ​* //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
-  * **If you choose to reference the ''//​ta.key//'',​ instead of utilizing inline XML**+  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML**
     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
     # Encryption #     # Encryption #
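Review bot: `''//tlsauth.key//''` here, and the two `tls-auth '/path/to/tlsauth.key' 1` directives below, spell the file without the hyphen, whereas the key is generated and referenced as `tls-auth.key` everywhere else in this revision; use one name so copy-pasted paths resolve.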
Line 1214: Line 1203:
     # Encryption #     # Encryption #
 #​------------------------------------------------ #​------------------------------------------------
-tls-auth ​   '/​path/​to/​ta.key' 1</​code>​+tls-auth ​   '/​path/​to/​tlsauth.key' 1</​code>​
   * <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​   * <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​
     * If your device is affected, you will need to reference your individual certs in your Server Config     * If your device is affected, you will need to reference your individual certs in your Server Config
Line 1289: Line 1278:
 cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​
 key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​ key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​
-tls-auth ​ '/​path/​to/​ta.key' 1</​code>​+tls-auth ​ '/​path/​to/​tlsauth.key' 1</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     # Encryption #     # Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +
 +# --- TLS --- #
 +key-direction 1
 +
 <ca> <ca>
 #​PASTE-CA-CERT-INLINE-HERE#​ #​PASTE-CA-CERT-INLINE-HERE#​
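Review bot: the added key-direction 1 under "# --- TLS --- #" only does something together with an inline <tls-auth> ... </tls-auth> block, and the Add block shown here ends at the <ca> placeholder; make sure the same block also carries the inline tls-auth section, otherwise the removed "tls-auth '/path/to/tlsauth.key' 1" line has no replacement and the key-direction directive is dead configuration. The direction value 1 does agree with the trailing 1 on the removed tls-auth line, so the two forms are consistent once the inline block is present.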
Line 1434: Line 1427:
  
   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**
-    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS12</​color>''​+    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
  
  
Line 1548: Line 1541:
  
   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​       DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'</​code>​+    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     list    push                '​redirect-gateway ​  def1 local'     list    push                '​redirect-gateway ​  def1 local'
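Review bot: the two push lines in the Remove block are quoted inconsistently: the first, "'dhcp-option DNS 208.67.222.123", has no closing quote while the second does, and the same missing quote was already present on the old 8.8.8.8 line, so this change carried the defect over rather than fixing it. Add the closing single quote. Since a Remove block is supposed to match what the reader already has in the server config, the DNS values here also need to stay identical to whatever the server-config section of the page now pushes, or readers will not find the lines they are told to remove.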
Line 1654: Line 1647:
     * //If you refuse to help yourself, don't expect someone else to help you//\\ \\     * //If you refuse to help yourself, don't expect someone else to help you//\\ \\
   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**
-    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWRT]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ 
-  * <color #​960000>​**//​Please do not publish questions directly to this Wiki//​**</​color>​**//, as://**+  * <color #​960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​
     * //Most importantly,​ it's __not__ monitored for questions//     * //Most importantly,​ it's __not__ monitored for questions//
     * //It clutters the Wiki, possibly making it more difficult for others to navigate//     * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.txt · Last modified: 2018/02/03 14:28 by ssdnvv