doc:howto:openvpn-streamlined-server-setup

Differences

doc:howto:openvpn-streamlined-server-setup [2017/06/06 12:34]
Routetheworld
doc:howto:openvpn-streamlined-server-setup [2018/01/18 05:21] (current)
JW0914 [Introduction] Added a wrap box to fix ToC misalignment
Line 9: Line 9:
 ===== Introduction ===== ===== Introduction =====
  
-<​WRAP ​indent>+<​WRAP ​box 78em lo>
  
 +<tabbox Purpose>
 +<color #​508CAA>​**VPN Server Purpose**</​color>​
  
-==== VPN Requirements ====+  * Provides an encrypted remote connection over WAN to router and downstream devices
  
-<WRAP 75em lo> +  * If Gateway Redirect is utilized, it provides an encrypted connection ​for local traffic
-Five requirements ​for SSL VPNs: +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption [Certificates]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network [VPN Interface]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall [Traffic Rules]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server [Config]]] +
-  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients [Config]]] +
-</​WRAP>​+
  
 +<tabbox Requirements>​
 +<color #​508CAA>​**SSL VPN Requirements**</​color>​
 +
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​encryption|Encryption]] [Certificates]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​network|Network]] [VPN Interface]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​firewall|Firewall]] [Traffic Rules]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_server|Server]] [Config]
 +  - [[:​doc:​howto:​openvpn-streamlined-server-setup#​clients|Clients]] [Config]\\ \\
 +
 +<tabbox Editing>
 +<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​Vim/​.vimrc|VimRC]] ​ [[http://​vim.wikia.com/​wiki/​Tutorial|Vim Tutorial]]</​wrap>​
 +<color #​508CAA>​**Editing Configs**</​color>​
 +
 +  * Vim is the default command line text editor\\ \\
 +  * If you've never utilized Vim before, please see the Vim Tutorial
 +    * Save the VimRC to ''<​color #​C86400>​~/​.vimrc</​color>''​
 +</​tabbox>​
 </​WRAP>​ </​WRAP>​
 +
  
  
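Review bot: the second Purpose bullet is ambiguous as written. With gateway redirect the VPN protects the client's traffic on whatever network the client happens to be on, carrying it to the router before it leaves for the Internet; "an encrypted connection for local traffic" reads as if LAN traffic at the router were being encrypted. Suggest "tunnels all of the client's Internet traffic through the router" or similar.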
Line 38: Line 51:
  
 <WRAP box lo> <WRAP box lo>
-<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​OpenSSL.cnf|openssl.cnf]]</​wrap>​+<wrap right button>​[[https://​github.com/​JW0914/​Wikis/​blob/​master/​Scripts%2BConfigs/​OpenSSL/​openssl.cnf|openssl.cnf]]</​wrap>​
  
 <tabbox Prerequisites>​ <tabbox Prerequisites>​
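Review bot: the link target changed only in letter case (OpenSSL.cnf to openssl.cnf). GitHub paths are case-sensitive, so this only works if the file in the Wikis repository was renamed to match; otherwise the openssl.cnf button now 404s. Worth a click-through after saving.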
Line 45: Line 58:
  
   - **Install Packages:**   - **Install Packages:**
-    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn</​color>''//​\\ \\+    - //''<​color #​647D00>​opkg update ; opkg install openvpn-openssl luci-app-openvpn ​openssl-util</​color>''//​\\ \\
   - **Download openssl.cnf:​**   - **Download openssl.cnf:​**
     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\     - Save as ''<​color #​C86400>/​etc/​ssl/​openssl.cnf</​color>''​\\ \\
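Review bot: adding openssl-util is needed, since every later step calls the openssl binary and OpenWrt does not install it with the library. While this line is being touched, consider `opkg update && opkg install ...` rather than `;`, so a failed package-list update does not fall through to an install against a stale list.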
Line 55: Line 68:
         * Serial is in hex, not dec[//​imal//​] format\\ \\         * Serial is in hex, not dec[//​imal//​] format\\ \\
   - **Create CRLnumber file**   - **Create CRLnumber file**
-    - //''<​color #​647D00>​echo 00 > crlnumber</​color>''//​+    - //''<​color #​647D00>​echo 00 > crl/crlnumber</​color>''//​
             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\             * CRL should be generated, but will only be utilized once a cert is revoked\\ \\
   - **Create Index file**   - **Create Index file**
     - //''<​color #​647D00>​touch index</​color>''//​     - //''<​color #​647D00>​touch index</​color>''//​
-      * Maintains an index of all certs issued <​sup><​color #​646464>​[lines ​698 738]</​color></​sup>​+      * Maintains an index of all certs issued <​sup><​color #​646464>​[lines ​644 689]</​color></​sup>​
         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\         * Keeps track of certs issued; extremely important if one has revoked a cert\\ \\
   - **Create Rand file**   - **Create Rand file**
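Review bot: `echo 00 > crl/crlnumber` fails with "No such file or directory" unless the crl directory already exists, and this hunk does not show it being created; either confirm the earlier directory-creation step includes crl/ or prefix the command with `mkdir -p crl`. The renumbered `[lines 644 689]` pointer into openssl.cnf will go stale again the next time the upstream file changes; naming the config section instead of absolute line numbers would be more robust.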
Line 299: Line 312:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  ​- **CRL Directory** <​sup><​color #​646464>​[Lines 68 + 69]</​color></​sup>​ +  - **Certificate Authorities** <​sup>​[Line ​177]</​sup>​
-    - In order to avoid an openssl error when generating the CA, modify the following options: +
-      - **Line 68:** crlnumber = $DIR/​crl/​crlnumber +
-      - **Line 69:** crl = $DIR/​crl/​ca.crl.pem +
- +
-  ​- **Certificate Authorities** <​sup>​[Line ​180]</​sup>​+
     - //Main//     - //Main//
-      - **Line ​186:** ''<​color #​647D00>​DNS.1 = //​Router.1//</​color>''​+      - **Line ​183:** ''<​color #​647D00>​DNS.1 = //​Router.1//</​color>''​
         * //Change// ''<​color #​007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\         * //Change// ''<​color #​007DC8>​Router.1</​color>''​ //to what you'd like the name of your Certificate Authority to be//\\ \\
   - **Certificate Authority Clients** <​sup><​color #​646464>​[Line 205]</​color></​sup>​   - **Certificate Authority Clients** <​sup><​color #​646464>​[Line 205]</​color></​sup>​
     - //Servers//     - //Servers//
-      * **Lines:​** ​211 233+      * **Lines:​** ​198 220
     - //Clients//     - //Clients//
-      * **Lines:​** ​235 239\\ \\ +      * **Lines:​** ​222 226\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ca_main</​color>''​ **to** ''<​color #​647D00>​alt_ca_//​openwrt//</​color>''<​sup><​color #​646464>​[lines 185, 306, & 310]</​color></​sup>​ +
-    - **Line 185:** ''<​color #​647D00>​[ alt_ca_//​openwrt//​ ]</​color>''​ +
-    - **Line 306:** ''<​color #​647D00>​[ v3_ca_//​openwrt//​ ]</​color>''​ +
-    - **Line 310:** ''<​color #​647D00>​subjectAltName = @alt_ca_//​openwrt//</​color>''​+
 </​WRAP>​ </​WRAP>​
  
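Review bot: the `[Line 205]` reference for Certificate Authority Clients is left unchanged while every neighbouring reference shifts (180 to 177, 211 to 198, 235 to 222), so it is almost certainly stale; recheck it against the updated openssl.cnf. Dropping the "CRL Directory" step (lines 68 and 69 setting `crlnumber = $DIR/crl/crlnumber` and `crl = $DIR/crl/ca.crl.pem`) is only safe if the published openssl.cnf already contains those values, because the crlnumber file is now created under crl/ and `openssl ca -gencrl` reads it from wherever the config points. Also, `<sup>[Line 177]</sup>` lost the `<color #646464>` wrapper its sibling entries use.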
Line 324: Line 328:
 <color #​508CAA>​**CA OpenSSL Commands**</​color>​ <color #​508CAA>​**CA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca_openwrt</​code>​+  - <color #​4B4B4B4>​**Generate CA**</​color>​\\ <code bash>​openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/​OpenWrt-CA.key.pem -out ca/​OpenWrt-CA.crt.pem -config ./​openssl.cnf -extensions ​v3_ca</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate CA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenWrt-CA.key.pem -cert ca/​OpenWrt-CA.crt.pem -out crl/​OpenWrt-CA.crl.pem -config ./​openssl.cnf</​code>​
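Review bot: `-extensions v3_ca` has to name a section the published openssl.cnf actually defines, with a `subjectAltName` pointing at the SAN block edited in the previous step; since the rename step was removed, verify the stock section names in the file line up. Pre-existing on this line: `<color #4B4B4B4>` has seven hex digits and will not render as a colour; `#4B4B4B` is presumably intended.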
Line 343: Line 347:
 **Modify the following SubjectAltNames & V3 Profiles** **Modify the following SubjectAltNames & V3 Profiles**
  
-  - **Certificate Authorities** <​sup><​color #​646464>​[Line ​180]</​color></​sup>​+  - **Certificate Authorities** <​sup><​color #​646464>​[Line ​177]</​color></​sup>​
     - //Router 2//     - //Router 2//
-      - **Line ​191:** ''<​color #​647D00>​DNS.1 = //​Router.2//</​color>''​+      - **Line ​188:** ''<​color #​647D00>​DNS.1 = //​Router.2//</​color>''​
         * //Change// ''<​color #​007DC8>​Router.2</​color>''​ //to what you'd like the name of your Intermediate CA to be//\\ \\         * //Change// ''<​color #​007DC8>​Router.2</​color>''​ //to what you'd like the name of your Intermediate CA to be//\\ \\
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​[Line ​242]</​color></​sup>​+  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​[Line ​229]</​color></​sup>​
     -//​Servers//​     -//​Servers//​
-      * **Lines:​** ​248 264+      * **Lines:​** ​235 251
     - //Clients//     - //Clients//
-      * **Lines:​** ​266 274:\\ \\ +      * **Lines:​** ​253 261:\\ \\
-  - **Change SAN & V3 profile names from** ''<​color #​647D00>​alt_ica_router2</​color>''​ **to** ''<​color #​647D00>​alt_ica_//​openvpn//</​color>''​ <​sup><​color #​646464>​[lines 190, 313, & 317]</​color></​sup>​ +
-    - **Line 190:** ''<​color #​647D00>​[ alt_ica_//​openvpn//​ ]</​color>''​ +
-    - **Line 313:** ''<​color #​647D00>​[ v3_ica_//​openvpn//​ ]</​color>''​ +
-    - **Line 317:** ''<​color #​647D00>​subjectAltName = @alt_ica_//​openvpn//</​color>''​+
 </​WRAP>​ </​WRAP>​
  
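Review bot: the trailing colon in `**Lines:** 253 261:` and the missing space in `-//Servers//` are carried over from the old revision; both are cheap to fix while these lines are being renumbered.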
Line 363: Line 363:
 <color #​508CAA>​**ICA OpenSSL Commands**</​color>​ <color #​508CAA>​**ICA OpenSSL Commands**</​color>​
  
-  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Generate Intermediate CA CSR**</​color>​\\ <code bash>​openssl req -out ca/​csr/​OpenVPN-ICA.csr -new -days 3650 -sha512 -newkey rsa:4096 -keyout ca/​OpenVPN-ICA.key -config ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_openvpn</​code>​+  - <color #​4B4B4B4>​**Create & Sign ICA with CA**</​color>​\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​OpenVPN-ICA.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out ca/​OpenVPN-ICA.crt.pem -extfile ./​openssl.cnf -extensions ​v3_ica_router2</​code>​
   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​   - <color #​4B4B4B4>​**Generate ICA CRL**</​color>​\\ <code bash>​openssl ca -gencrl -keyfile ca/​OpenVPN-ICA.key -cert ca/​OpenVPN-ICA.crt.pem -out crl/​OpenVPN-ICA.crl.pem -config ./​openssl.cnf</​code>​
   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​   - <color #​4B4B4B4>​**Convert ICA CRL -> DER CRL**</​color>​\\ <code bash>​openssl crl -inform PEM -in crl/​OpenVPN-ICA.crl.pem -outform DER -out crl/​OpenVPN-ICA.crl</​code>​
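Review bot: on the CSR command, `-days 3650` and `-extensions v3_ica_router2` have no effect in OpenSSL 1.0.x: a CSR carries no validity period, and without `-x509` the `openssl req` tool takes request extensions from `-reqexts`, not `-extensions`. The extensions are applied by the `openssl x509 -req ... -extfile ./openssl.cnf -extensions v3_ica_router2` signing step, so the resulting certificate is still right; dropping the two dead flags from the CSR line would stop readers concluding the CSR already carries them.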
Line 381: Line 381:
 <color #​508CAA>​**Index Info**</​color>​ <color #​508CAA>​**Index Info**</​color>​
  
-  * **If wishing to maintain the index file automatically,​** ''​openssl ca''​ **must be used to sign certs**+  * **If wishing to maintain the index file automatically,​** ''​<color #647D00>openssl ca</​color>​''​ **must be used to sign certs**
     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\     * ''​openssl ca''​ is not used in this wiki as it requires additional steps & adds unneeded complexity\\ \\
  
Line 442: Line 442:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​242)</​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup>​(Line ​229)</​sup>​ 
-    - //Change the SAN alt name// ​''<​color #​647D00>​alt_vpn_server2</​color>''​ //to// ''<​color #​647D00>​alt_//​openvpn_server//</​color>''​ +    - //Change the server'SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>''​ //to match your VPN Server IP// 
-      - **Line 262:** ''<​color #​647D00>​[ alt_//​openvpn_server//​ ]</​color>''​\\ \\ +      - **Line ​250:** ''<​color #​647D00>​IP.1 = //​10.0.1.1//</​color>''​\\ \\
-    - //Change the SAN IP from// ''<​color #​647D00>​10.0.1.1</​color>''​ //to match your VPN Server IP// +
-      - **Line ​263:** ''<​color #​647D00>​IP.1 = //​10.0.1.1//</​color>''​\\ \\+
     - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>''​ //to match your own DDNS and/or FQDN//     - //Change the SAN DNS from// ''<​color #​647D00>​your.ddns.com</​color>''​ //to match your own DDNS and/or FQDN//
-      - **Line ​264:** ''<​color #​647D00>​DNS.1 = //​your.ddns.com//</​color>''​+      - **Line ​251:** ''<​color #​647D00>​DNS.1 = //​your.ddns.com//</​color>''​
         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)         * //For each additional DNS or FQDN, add a new line in sequential order// (i.e. DNS.2, DNS.3, etc.)
- 
-**__V3 Profile__** 
- 
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line 427)</​color></​sup>​ 
-    - //Change the V3 profile name from// ''<​color #​647D00>​[ v3_//​vpn_server2//​ ]</​color>''​ //to match alt name set above// 
-      - **Line 450:** ''<​color #​647D00>​[ v3_//​openvpn_server//​ ]</​color>''​\\ \\ 
-    - //Change the SAN alt name from// ''<​color #​647D00>​@alt_//​vpn_server2//</​color>''​ //to match alt name set above// 
-      - **Line 456:** ''<​color #​647D00>​subjectAltName = @alt_//​openvpn_server//</​color>''​ 
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
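Review bot: typo on the rewritten line: `//Change the server'SAN IP from//` should read `server's SAN IP`. The renumbering (263 to 250, 264 to 251) is otherwise consistent with the shift seen in the other profiles.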
Line 466: Line 456:
 <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Server Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_server ​-nodes</​code>​+  - **Generate VPN Server CSR**\\ <code bash>​openssl req -out ca/​csr/​vpn-server.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​vpn-server.key.pem -config ./​openssl.cnf -extensions ​v3_vpn_server ​-nodes</​code>​
     * **''​-nodes''​** creates a signing key without encryption     * **''​-nodes''​** creates a signing key without encryption
       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\       * For server certs **//​only//​**,​ as a passphrase prevents the server from starting/​restarting without manual intervention\\ \\
-  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_server</​code>​ +  - **Create & Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-server.csr -CA ca/​OpenVPN-ICA.crt.pem -CAkey ca/​OpenVPN-ICA.key -CAserial ./serial -out certs/​vpn-server.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn_server</​code>​ 
-  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​+  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​vpn-server.p12 -inkey openvpn/​vpn-server.key.pem -in certs/​vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_CA-Chain.crt.pem</​code>​
     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\     * <color #​AF0000>​**//​Do not encrypt this PKCS12//​**</​color>​\\ \\
     * ICA is still used to sign the certs it issues     * ICA is still used to sign the certs it issues
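Review bot: the server PKCS12 step now bundles `ca/OpenWrt-OpenVPN_CA-Chain.crt.pem`, but the client PKCS12 step further down still bundles `ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem`. Unless both chain files are created somewhere, one of the two names is wrong and that `openssl pkcs12 -export` fails on a missing `-certfile`; pick one name and use it in both places and in the step that builds the chain.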
Line 494: Line 484:
 **__SubjectAltNames Profile__** **__SubjectAltNames Profile__**
  
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​242)</​color></​sup>​ +  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line ​229)</​color></​sup>​
-    - //Change the SAN alt name// ''<​color #​647D00>​alt_vpn2_user1''​ //to// ''​alt_//​openvpn_<​username>//</​color>''​ +
-      - **Line 267:** ''<​color #​647D00>​[ alt_//​openvpn_<​username>//​ ]</​color>''​\\ \\+
     - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ //to match client username//     - //Change the SAN DNS from// ''<​color #​647D00>​VPNserver-Client1-Device-Hostname</​color>''​ //to match client username//
-      - **Line ​268:** ''<​color #​647D00>​DNS.1 = //​VPN-<​username>​-Hostname//</​color>''​+      - **Line ​255:** ''<​color #​647D00>​DNS.1 = //​VPN-<​username>​-Hostname//</​color>''​
         * //This makes configuring CCD more convenient//​\\ \\         * //This makes configuring CCD more convenient//​\\ \\
     - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>''​ //to user's email//     - //Change the SAN email from// ''<​color #​647D00>​user1@email.com</​color>''​ //to user's email//
-      - **Line ​269** ''<​color #​647D00>​email.1 = //​user1@email.com//</​color>''​ +      - **Line ​256** ''<​color #​647D00>​email.1 = //​user1@email.com//</​color>''​
- +
-**__V3 Profile__** +
- +
-  - **Intermediate Certificate Authority Clients** <​sup><​color #​646464>​(Line 427)</​color></​sup>​ +
-    - //Change the V3 profile name from// ''<​color #​647D00>​[ v3_vpn2_user1 ]</​color>''​ //to match alt name set above// +
-      - **Line 459:** ''<​color #​647D00>​[ v3_//​openvpn_<​username>//​ ]</​color>''​\\ \\ +
-    - //Change the SAN alt name from// ''<​color #​647D00>​@alt_vpn2_user1</​color>''​ //to match alt name set above// +
-      - **Line 465:** ''<​color #​647D00>​subjectAltName = @alt_//​openvpn_<​username>​//</​color>''​+
 </​WRAP>​ </​WRAP>​
 </​WRAP>​ </​WRAP>​
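Review bot: `**Line 256**` is missing the colon that every sibling entry (`**Line 255:**`) carries; small, but the line is being edited anyway.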
Line 518: Line 498:
 <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​ <color #​508CAA>​**Client Cert OpenSSL Commands**</​color>​
  
-  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​+  - **Generate VPN Client Certs**\\ <code bash>​openssl req -out ca/​csr/​vpn-client1.csr -new -days 3650 -sha512 -newkey rsa:2048 -keyout openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -config ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​
     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\     * <color #​AF0000>​Key passphrase should be a 20 character minimum, containing at least: //2 uppercase letters, 2 lowercase letters, 2 numbers, & 2 symbols//</​color>​\\ \\
-  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key.pem -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_openvpn_<​username>​</​code>​ +  - **Sign Cert with CA**\\ <code bash>​openssl x509 -req -sha512 -days 3650 -in ca/​csr/​vpn-client1.csr -CA ca/​OpenWrt-CA.crt.pem -CAkey ca/​OpenWrt-CA.key -CAserial ./serial -out openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -extfile ./​openssl.cnf -extensions ​v3_vpn2_user1</​code>​ 
-  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.key.pem -in openvpn/​clients/​vpn-client1-<​username>​-<​hostname>​.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​ +  - **Export to PKCS12**\\ <code bash>​openssl pkcs12 -export -out openvpn/​clients/​vpn-client1.p12 -inkey openvpn/​clients/​vpn-client1.key.pem -in openvpn/​clients/​vpn-client1.crt.pem -certfile ca/​OpenWrt-OpenVPN_ICA-Chain.crt.pem</​code>​
-    * <color #​AF0000>​Check your /​etc/​ssl/​openvpn/​clients directory for correct input filenames//</​color>​\\ \\+
 </​tabbox>​ </​tabbox>​
 </​WRAP>​ </​WRAP>​
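Review bot: `-CAkey ca/OpenWrt-CA.key` does not match the key this page generates, which the Generate CA step writes as `ca/OpenWrt-CA.key.pem`, so the signing command fails with a missing-file error; the old revision had the right name. Two more consistency problems in the same block: the PKCS12 export now reads `openvpn/clients/vpn-client1.key.pem` and `vpn-client1.crt.pem`, but steps 1 and 2 write `vpn-client1-<username>-<hostname>.key.pem` and `.crt.pem`, and the bullet telling readers to check the directory for the real filenames was removed at the same time. Finally, the client cert is signed by the root CA (`-CA ca/OpenWrt-CA.crt.pem`) even though its SAN profile sits under "Intermediate Certificate Authority Clients" and the bundle carries the ICA chain; signing with the ICA, as the server cert step does, would match both the heading and the bundled chain.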
Line 549: Line 528:
 <WRAP 51.5em lo> <WRAP 51.5em lo>
  
-  - **Generate TLS-Auth key** <​sup>​(<​color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/ta.key</​code>​+  - **Generate TLS-Auth key** <​sup>​(<​color #​646464>​executed from</​color>​ ''<​color #​C86400>/​etc/​ssl/</​color>''​)</​sup>​\\ <code bash>​openvpn --genkey --secret openvpn/tls-auth.key</​code>​
     * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\     * This ensures **P**erfect **F**orward **S**ecrecy is maintained when utilizing a SSL cipher\\ \\
     * ''​tls-auth''​ requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients     * ''​tls-auth''​ requires a static **P**re-**S**hared **K**ey, generated in advance, and shared among all clients
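Review bot: the bullet under the renamed key says tls-auth "ensures Perfect Forward Secrecy", which is not what it does. tls-auth adds an HMAC over control-channel packets, so packets that lack the pre-shared key are dropped before any TLS processing happens (a hardening and DoS-reduction measure); forward secrecy comes from the ephemeral (EC)DHE key exchange negotiated per session. Suggest rewording while the step is being touched, and keeping the new `tls-auth.key` name consistent with the Android section below, which spells it `tlsauth.key`.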
Line 738: Line 717:
     option ​ path            '/​etc/​firewall.user'​     option ​ path            '/​etc/​firewall.user'​
  
-# Default ​OpenWRT ​Rule #+# Default ​OpenWrt ​Rule #
 config defaults config defaults
     option ​ input           '​ACCEPT'​     option ​ input           '​ACCEPT'​
Line 941: Line 920:
  
   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**   * **This specific configuration has been designed to give the best performance possible, via** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|MTU & Buffer]] **Tuning recommendations**
-    * DNS primary & secondary are [[https://developers.google.com/speed/public-dns/​docs/​using|Google's]]+    * DNS primary & secondary are [[https://www.opendns.com/setupguide/?​url=familyshield|OpenDNS']]
     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice     * NTP is garnished from [[http://​tf.nist.gov/​tf-cgi/​servers.cgi|NIST]] (time-c) and can be updated to your NTP server of choice
       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\       * NTP should be specified, but doesn'​t need to be NIST, as encryption handshakes, both server & client, must be accurate to within milliseconds\\ \\
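Review bot: `OpenDNS'` in the link text has a dangling apostrophe. More importantly, the linked setup guide and the 208.67.222.123 / 208.67.220.123 pair used in the config are OpenDNS FamilyShield, the content-filtering resolvers, not the plain OpenDNS resolvers; the text should say that clients are pushed filtered DNS so readers can substitute resolvers of their choice knowingly.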
Line 948: Line 927:
   * **Two or more servers can be run from this config file**   * **Two or more servers can be run from this config file**
     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\     * To add additional servers, copy & paste first config directly below itself, with a blank line separating the two\\ \\
-  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs**+  * **The OpenVPN** [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|HowTo & Man Page]] **provide every possible option for the Server & Client Configs** ​\\ \\ 
 +  * **OpenVPN 2.4 added TLS Elliptic-Curve** ''​[EC]''​ **support** 
 +    * EC ciphers are faster & more efficient to process than SSL ciphers, resulting in higher throughput & less load 
 +    * OpenVPN on OpenWrt only supports a //maximum of 256 characters//​ for ''​ <color #​647D00>​option ​ tls_cipher</​color>''​ 
 +      * Ciphers are listed in a hierarchical,​ chronological order of most secure & efficient to least efficient 
 +      * Disabled ciphers are specified at the end with an **''<​color #​960000>​!</​color>''​** in front of the cipher\\ \\ 
 +  * **Ciphers must match the capabilities of the server & clients** 
 +    * Available TLS ciphers: ''​ <color #​647D00>​openssl --show-tls</​color>​ ''​ or ''​ <color #​647D00>​openssl ciphers -V | grep TLS</​color>''​ 
 +    * Available SSL ciphers: ''​ <color #​647D00>​openssl ciphers -V | grep SSL</​color>''​ 
 +      * For Windows client: ''​ <color #​647D00>​openssl ciphers -V | findstr /R SSL</​color>''​
  
  
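Review bot: `openssl --show-tls` is not an OpenSSL command; the tool that lists cipher suites in the `TLS-...` spelling that `tls_cipher` expects is OpenVPN itself, `openvpn --show-tls`. The wording "EC ciphers ... than SSL ciphers" also conflates two different things: elliptic curves are the key-exchange and signature part of a suite (ECDHE, ECDSA), while AES-GCM or AES-CBC is the cipher; "suites using ECDHE key exchange are cheaper than DHE" is what the bullet is getting at. Lastly, `!` entries in a cipher string exclude suites wherever they appear, so "specified at the end" is a convention, not a requirement.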
Line 984: Line 972:
     list    push                '​dhcp-option ​   DNS 192.168.1.1'​     list    push                '​dhcp-option ​   DNS 192.168.1.1'​
     list    push                '​dhcp-option ​   WINS 192.168.1.1'​     list    push                '​dhcp-option ​   WINS 192.168.1.1'​
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​   DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'+    list    push                '​dhcp-option ​   DNS 208.67.220.123'
     list    push                '​dhcp-option ​   NTP 129.6.15.30'​     list    push                '​dhcp-option ​   NTP 129.6.15.30'​
  
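Review bot: as rendered here, `list push 'dhcp-option DNS 208.67.222.123` has no closing quote while the next line has one. If that is how the wiki source reads, and not an artefact of the diff renderer, UCI rejects the unterminated string and the whole /etc/config/openvpn fails to parse; the same pattern appears in the Remove snippet at the end of this diff.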
Line 999: Line 987:
     option ​ cipher ​             AES-256-CBC     option ​ cipher ​             AES-256-CBC
     option ​ auth                '​SHA512'​     option ​ auth                '​SHA512'​
-    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​ta.key 0'+    option ​ tls_auth ​           '/​etc/​ssl/​openvpn/​tls-auth.key 0'
     ​     ​
     # TLS:     # TLS:
     option ​ tls_server ​         1     option ​ tls_server ​         1
     option ​ tls_version_min ​    1.2     option ​ tls_version_min ​    1.2
-    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:​TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:​TLS-RSA-WITH-AES-256-CBC-SHA256:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4'​+    option ​ tls_cipher ​         '​TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:​TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:​!aNULL:​!eNULL:​!LOW:​!3DES:​!MD5:​!SHA:​!EXP:​!PSK:​!SRP:​!DSS:​!RC4:!kRSA'
  
     # Logging #      # Logging # 
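Review bot: `TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384` is a static-ECDH suite with no forward secrecy; keeping it while adding `!kRSA` (which removes static RSA key exchange for exactly that reason) and while the page elsewhere promises PFS is inconsistent, so drop it or replace it with the ECDHE equivalent. The GCM-first ordering is otherwise a good change: with `tls_version_min 1.2` clients now negotiate an AEAD suite first.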
Line 1057: Line 1045:
         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem         # option ​ dh                        /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​dh2048.pem
         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12         # option ​ pkcs12 ​                   /​var/​chroot-openvpn/​etc/​ssl/​openvpn/​vpn-server.p12
-        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​ta.key 0'+        # option ​ tls_auth ​                 '/​var/​chroot-openvpn/​etc/​ssl/​openvpn/​tls-auth.key 0'
 </​code>​ </​code>​
   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​   - **Commit changes**\\ <code bash>/​etc/​init.d/​openvpn enable ; /​etc/​init.d/​openvpn start ; sleep 2 ; cat /​tmp/​openvpn.log</​code>​
Line 1105: Line 1093:
 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:00 2016 us=668891 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:00 2016 us=669836 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:00 2016 us=705181 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705286 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:00 2016 us=705351 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
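Review bot: this is captured server log output (timestamps from Oct 2016, OpenSSL 1.0.2j) and the file name inside it has been hand-edited to `tls-auth.key`; a log that no longer corresponds to any real run is misleading as evidence that the config works. Either re-capture the log after the rename or leave the original and note that the key file was renamed since. The same applies to the second log block below.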
Line 1139: Line 1127:
 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09 Thu Oct 20 13:35:30 2016 us=653403 library versions: OpenSSL 1.0.2j ​ 26 Sep 2016, LZO 2.09
 Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key Thu Oct 20 13:35:30 2016 us=654598 Diffie-Hellman initialized with 2048 bit key
-Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​ta.key' as a OpenVPN static key file+Thu Oct 20 13:35:30 2016 us=706454 Control Channel Authentication:​ using '/​etc/​ssl/​openvpn/​tls-auth.key' as a OpenVPN static key file
 Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706592 Outgoing Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
 Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication Thu Oct 20 13:35:30 2016 us=706679 Incoming Control Channel Authentication:​ Using 512 bit message hash '​SHA512'​ for HMAC authentication
Line 1198: Line 1186:
   * **PKCS12 certs are installed into the //Android Keychain//​**   * **PKCS12 certs are installed into the //Android Keychain//​**
     * As a security feature, a warning toast will always appear in the notification area due to user installed certs     * As a security feature, a warning toast will always appear in the notification area due to user installed certs
-      * This toast can be removed if you have a rooted device by following Toast Removal tutorial+      * This toast can be removed if you have a rooted device by following Toast Removal tutorial ​\\ \\
     * Another option is to include all certs & keys via inline XML within the client config file     * Another option is to include all certs & keys via inline XML within the client config file
-    ​* //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ +      ​* //​Regardless if all certs are referenced as inline xml or not, the final generated config inlines all certs//\\ \\ 
-  * **If you choose to reference the ''//​ta.key//'',​ instead of utilizing inline XML**+  * **If you choose to reference the ''//​tlsauth.key//'',​ instead of utilizing inline XML**
     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>     - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
     # Encryption #     # Encryption #
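Review bot: the Android section renames the key to `tlsauth.key` while the server section and the logs above use `tls-auth.key` (with a hyphen); pick one spelling for the whole page, here and in the two config snippets that follow. Separately, the `<ca>` and `<cert>` blocks are OpenVPN inline file sections, not XML; calling them "inline XML" may send readers looking for an XML format that does not exist.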
Line 1215: Line 1203:
     # Encryption #     # Encryption #
 #​------------------------------------------------ #​------------------------------------------------
-tls-auth ​   '/​path/​to/​ta.key' 1</​code>​+tls-auth ​   '/​path/​to/​tlsauth.key' 1</​code>​
   * <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​   * <color #​960000>​**Some Android devices are not able to convert PKCS12 certs to x509 certs**</​color>​
     * If your device is affected, you will need to reference your individual certs in your Server Config     * If your device is affected, you will need to reference your individual certs in your Server Config
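Review bot: "you will need to reference your individual certs in your Server Config" reads as if it should say Client Config: the device that cannot convert the PKCS12 is the Android client, and the Remove/Add blocks that follow edit the client's ''cert''/''key''/''tls-auth'' lines, not the server's. The renamed line ''tls-auth '/path/to/tlsauth.key' 1'' is consistent with the bullet above, and direction ''1'' is the correct client-side value when the server uses ''0''.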
Line 1290: Line 1278:
 cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​ cert      '/​sdcard/​openvpn/​vpn-client1.crt.pem'​
 key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​ key       '/​sdcard/​openvpn/​vpn-client1.key.pem'​
-tls-auth ​ '/​path/​to/​ta.key' 1</​code>​+tls-auth ​ '/​path/​to/​tlsauth.key' 1</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     # Encryption #     # Encryption #
 #​------------------------------------------------ #​------------------------------------------------
 +
 +# --- TLS --- #
 +key-direction 1
 +
 <ca> <ca>
 #​PASTE-CA-CERT-INLINE-HERE#​ #​PASTE-CA-CERT-INLINE-HERE#​
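Review bot: the Remove block has the client loading its private key from ''key '/sdcard/openvpn/vpn-client1.key.pem''', and /sdcard is shared external storage that any app granted storage access can read, so the key is exposed for as long as it sits there; the Add block's move to inline blocks (which the OpenVPN app imports into its own private storage) is the right fix, and the page should say that this is the reason, and that the key file on /sdcard should be deleted afterwards. ''key-direction 1'' is required once tls-auth goes inline, because the inline form has no direction argument, but it only takes effect together with a ''<tls-auth>'' block, and this hunk is cut off after ''<ca>''; confirm that block is present in the full Add snippet.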
Line 1435: Line 1427:
  
   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**   * **If PKCS12 cert isn't stored in the same directory as the ovpn config , the path to the PKCS12 cert must be referenced**
-    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS12</​color>''​+    * You must use double backslashes for the path: ''<​color #​C86400>​C:​\\Path\\to\\PKCS.p12</​color>''​
  
  
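Review bot: changing the double-backslash example to a file name (''C:\\Path\\to\\PKCS.p12'') is clearer than the previous bare directory-like path, but the bullet still does not show which directive the path belongs to; suggest spelling out the full line, e.g. ''pkcs12 "C:\\Path\\to\\PKCS.p12"'', so readers do not paste a bare path into the .ovpn file. The doubling is needed because a single backslash is treated as an escape character when OpenVPN parses the config.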
Line 1549: Line 1541:
  
   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>   - <color #​960000>​**//​Remove://​**</​color>​\\ <code cpp>
-    list    push                '​dhcp-option ​   DNS 8.8.8.8+    list    push                '​dhcp-option ​       DNS 208.67.222.123
-    list    push                '​dhcp-option ​   DNS 8.8.4.4'</​code>​+    list    push                '​dhcp-option ​       DNS 208.67.220.123'</​code>​
   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>   - <color #​789600>​**//​Add://​**</​color>​\\ <code cpp>
     list    push                '​redirect-gateway ​  def1 local'     list    push                '​redirect-gateway ​  def1 local'
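Review bot: the first push line of the Remove block is missing its closing quote in both revisions (''list push 'dhcp-option DNS 208.67.222.123'' versus the closed ''... DNS 208.67.220.123'''), so the snippet is not valid UCI syntax and will not match the line readers are told to remove; close the quote. The switch from ''8.8.8.8''/''8.8.4.4'' to ''208.67.222.123''/''208.67.220.123'' also replaces plain resolvers with OpenDNS FamilyShield, which applies content filtering to every client that receives the push, and the page should state that rather than present it as a cosmetic edit. In the Add block, ''redirect-gateway def1 local'' is only correct when client and server share a subnet; a client redirecting its gateway over WAN should be pushed ''def1'' without ''local'', otherwise the route to the server itself is not preserved and the tunnel breaks.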
Line 1655: Line 1647:
     * //If you refuse to help yourself, don't expect someone else to help you//\\ \\     * //If you refuse to help yourself, don't expect someone else to help you//\\ \\
   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**   * **//The answer to any question about an OpenVPN Client or Server configuration is contained within the//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​vpn_wikis|VPN Wiki]]// **//or//** //​[[:​doc:​howto:​openvpn-streamlined-server-setup#​openssl|OpenSSL]]//​ **//​sections//​**
-    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWRT]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ +    * //If one is still unable to find a solution to their issue, please post a question in the applicable device or topic thread in the [[:​doc:​howto:​openvpn-streamlined-server-setup#​openwrt|OpenWrt]] or [[:​doc:​howto:​openvpn-streamlined-server-setup#​openvpn|OpenVPN]] forums//\\ \\ 
-  * <color #​960000>​**//​Please do not publish questions directly to this Wiki//​**</​color>​**//, as://**+  * <color #​960000>​**//​Please do not publish questions directly to this Wiki, as://​**</​color>​
     * //Most importantly,​ it's __not__ monitored for questions//     * //Most importantly,​ it's __not__ monitored for questions//
     * //It clutters the Wiki, possibly making it more difficult for others to navigate//     * //It clutters the Wiki, possibly making it more difficult for others to navigate//
 </​WRAP>​ </​WRAP>​
doc/howto/openvpn-streamlined-server-setup.1496745277.txt.bz2 · Last modified: 2017/06/06 12:34 by Routetheworld