Differences

This shows you the differences between two versions of the page.

--- install_24_4_openvpn [2025/11/18 14:21] – system
+++ install_24_4_openvpn [2025/11/19 04:44] (current) – system
@@ Line 68: / Line 68: @@
 <code bash>
 Using Easy-RSA 'vars' configuration:
-* /home/system/Documents/openvpn-ca/vars
+* /home/system/openvpn-ca/vars
 Using SSL:
@@ Line 89: / Line 89: @@
 ------
 CA creation complete. Your new CA certificate is at:
-* /home/system/Documents/openvpn-ca/pki/ca.crt
+* /home/system/openvpn-ca/pki/ca.crt
 </code>
   * Now everything is in place for us to sign certificate requests.
   * This will be covered in the next section.
+-------------
+===== Generate Server Certificate, Key  =====
+  * To create a certificate is a two step process.
+    * First we generate a sign request for the certificate.
+    * Then we (as the CA) sign the request in order generate a complete and usable certificate.
+<code bash>
+./easyrsa gen-req server nopass
+</code>
+  * This is the feedback from the command on my server:
+<code bash>
+Using Easy-RSA 'vars' configuration:
+* /home/system/openvpn-ca/vars
+Using SSL:
+* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Common Name (eg: your user, host, or server name) [server]:
+Notice
+------
+Private-Key and Public-Certificate-Request files created.
+Your files are:
+* req: /home/system/openvpn-ca/pki/reqs/server.req
+* key: /home/system/openvpn-ca/pki/private/server.key
+</code>
+  * Now we can sign the request. You will be asked to confirm the process by typing **yes** and you also need to supply the CA's passphrase.
+<code bash>
+./easyrsa sign-req server server
+</code>
+  * This is the feedback from the command on my server:
+<code bash>
+./easyrsa sign-req server server
+Using Easy-RSA 'vars' configuration:
+* /home/system/openvpn-ca/vars
+Using SSL:
+* openssl OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
+You are about to sign the following certificate:
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+Request subject, to be signed as a server certificate
+for '825' days:
+subject=
+    commonName                = server
+Type the word 'yes' to continue, or any other input to abort.
+  Confirm request details: yes
+Using configuration from /home/system/openvpn-ca/pki/openssl-easyrsa.cnf
+Enter pass phrase for /home/system/openvpn-ca/pki/private/ca.key:
+Check that the request matches the signature
+Signature ok
+The Subject's Distinguished Name is as follows
+commonName            :ASN.1 12:'server'
+Certificate is to be certified until Feb 21 12:44:13 2028 GMT (825 days)
+Write out database with 1 new entries
+Database updated
+Notice
+------
+Certificate created at:
+* /home/system/openvpn-ca/pki/issued/server.crt
+</code>
+===== Generate TLS-crypt key  =====
+  * This step is used to harden the OpenVPN installation further and is optional (although recommended)
+  * Issue the following command:
+<code bash>
+openvpn --genkey tls-crypt-v2-server tls-crypt-v2-server.key
+</code>
+  * This will create the **tls-crypt-v2-server.key** file which looks like this on my server:
+<code bash>
+cat tls-crypt-v2-server.key
+-----BEGIN OpenVPN tls-crypt-v2 server key-----
+a/T1frlxbTuUYojvB/0P2csxOC04prDtWWuPIbQC+o2I+DuMWkzK0OFalucBQPki
+JcEXN3sZNCWYP1bohAzIYkzxiRNWSPwtzSg/etfZIXWWseJvGQ+UqbEBjQjTRVE
+zfhjdL6Ltm5J6LiEC1N4mqV0BTwe77xSIBJsy2LjYk=
+-----END OpenVPN tls-crypt-v2 server key-----
+</code>
+  * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client's key needs to generated using the server key.
+  * This is an extra obfuscation on OpenVPN's control channel to hide metadata which can be used to gain more insights on the OpenVPN instance running on the server.
+  * All the required items are now present to have a working OpenVPN server.
+----------------
+===== Server Config File =====
+  * This is how our **/etc/openvpn/server.conf** file looks:
+<code bash>
+port 1194
+proto udp
+dev tun
+# --- PKI / TLS (ECC only, no DH) ---
+ca ca.crt
+cert server.crt
+key server.key
+# No "dh none" when using EC certificates
+dh none
+# Optional but recommended: match your Easy-RSA curve (if you set EASYRSA_CURVE)
+# ecdh-curve prime256v1
+# Protect and hide the control channel
+tls-crypt-v2 tls-crypt-v2-server.key
+# Only allow modern TLS
+tls-version-min 1.2
+remote-cert-eku "TLS Web Client Authentication"
+# --- VPN network ---
+topology subnet
+server 10.8.0.0 255.255.255.0
+# Push default route + DNS to clients (adjust if you want split tunnel)
+push "redirect-gateway def1 bypass-dhcp"
+push "dhcp-option DNS 1.1.1.1"
+push "dhcp-option DNS 9.9.9.9"
+# --- Encryption (data channel) ---
+data-ciphers AES-256-GCM:CHACHA20-POLY1305
+data-ciphers-fallback AES-256-GCM
+# --- Misc hardening / behavior ---
+user nobody
+group nogroup
+persist-key
+persist-tun
+keepalive 10 120
+verb 3
+</code>
+  * We also have to make sure the all the files from our PKI location is copied to the /etc/openvpn directory:
+<code bash>
+sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/
+</code>
+----------------
+===== Start and Enable OpenVPN =====
+<code bash>
+sudo systemctl start openvpn@server
+sudo systemctl enable openvpn@server
+sudo systemctl status openvpn@server
+</code>