Differences
install_24_4_openvpn [2025/11/18 14:47] – [Create PKI] system
install_24_4_openvpn [2025/11/19 04:44] (current) system
Line 93: Line 93:
   * Now everything is in place for us to sign certificate requests.   * Now everything is in place for us to sign certificate requests.
   * This will be covered in the next section.   * This will be covered in the next section.
 +
 +-------------
  
 ===== Generate Server Certificate, Key  ===== ===== Generate Server Certificate, Key  =====
Line 166: Line 168:
 * /home/system/openvpn-ca/pki/issued/server.crt * /home/system/openvpn-ca/pki/issued/server.crt
 </code> </code>
 +
 +===== Generate TLS-crypt key  =====
 +  * This step is used to harden the OpenVPN installation further and is optional (although recommended)
 +  * Issue the following command:
 +<code bash>
 +openvpn --genkey tls-crypt-v2-server tls-crypt-v2-server.key
 +</code>
 +  * This will create the **tls-crypt-v2-server.key** file which looks like this on my server:
 +<code bash>
 +cat tls-crypt-v2-server.key 
 +-----BEGIN OpenVPN tls-crypt-v2 server key-----
 +a/T1frlxbTuUYojvB/0P2csxOC04prDtWWuPIbQC+o2I+DuMWkzK0OFalucBQPki
 +9JcEXN3sZNCWYP1bohAzIYkzxiRNWSPwtzSg/etfZIXWWseJvGQ+UqbEBjQjTRVE
 +9zfhjdL6Ltm5J6LiEC1N4mqV0BTwe77xSIBJsy2LjYk=
 +-----END OpenVPN tls-crypt-v2 server key-----
 +</code>
 +  * When tls-crypt-v2 is specified in the OpenVPN config file, each client connecting will also be required to have this item defined in its config file. The client's key needs to generated using the server key.
 +  * This is an extra obfuscation on OpenVPN's control channel to hide metadata which can be used to gain more insights on the OpenVPN instance running on the server.
 +  * All the required items are now present to have a working OpenVPN server.
 +
 +----------------
 +
 +===== Server Config File =====
 +  * This is how our **/etc/openvpn/server.conf** file looks:
 +<code bash>
 +port 1194
 +proto udp
 +dev tun
 +
 +# --- PKI / TLS (ECC only, no DH) ---
 +ca ca.crt
 +cert server.crt
 +key server.key
 +
 +# No "dh none" when using EC certificates
 +dh none
 +
 +# Optional but recommended: match your Easy-RSA curve (if you set EASYRSA_CURVE)
 +# ecdh-curve prime256v1
 +
 +# Protect and hide the control channel
 +tls-crypt-v2 tls-crypt-v2-server.key
 +
 +# Only allow modern TLS
 +tls-version-min 1.2
 +remote-cert-eku "TLS Web Client Authentication"
 +
 +# --- VPN network ---
 +topology subnet
 +server 10.8.0.0 255.255.255.0
 +
 +# Push default route + DNS to clients (adjust if you want split tunnel)
 +push "redirect-gateway def1 bypass-dhcp"
 +push "dhcp-option DNS 1.1.1.1"
 +push "dhcp-option DNS 9.9.9.9"
 +
 +# --- Encryption (data channel) ---
 +data-ciphers AES-256-GCM:CHACHA20-POLY1305
 +data-ciphers-fallback AES-256-GCM
 +
 +# --- Misc hardening / behavior ---
 +user nobody
 +group nogroup
 +persist-key
 +persist-tun
 +keepalive 10 120
 +verb 3
 +
 +</code>
 +  * We also have to make sure the all the files from our PKI location is copied to the /etc/openvpn directory:
 +<code bash>
 +sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/
 +</code>
 +
 +----------------
 +
 +===== Start and Enable OpenVPN =====
 +<code bash>
 +sudo systemctl start openvpn@server
 +sudo systemctl enable openvpn@server
 +sudo systemctl status openvpn@server
 +</code>
 +
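Review bot: the comment above `dh none` in the server config contradicts the directive it annotates. `# No "dh none" when using EC certificates` reads as "do not use dh none", yet `dh none` is exactly the right setting for this ECC-only PKI (the section generates no DH parameters anywhere and the heading above it says "ECC only, no DH"), so reword it to something like `# "dh none" is correct when using EC certificates`. Three more points in the same hunk. First, the `cat tls-crypt-v2-server.key` block prints what the text describes as the key "on my server" in full; if that is a real key it is now public, and every client key derived from it with tls-crypt-v2 inherits the exposure, so replace the listing with a truncated or clearly dummy value and regenerate the key on the server. Second, the copy command `sudo cp pki/ca.crt pki/issued/server.crt pki/private/server.key tls-crypt-v2-server.key /etc/openvpn/` uses paths relative to the Easy-RSA directory (`/home/system/openvpn-ca`, per the `server.crt` path listed at the top of the hunk), so the text should say to change into that directory first, and it should add that `server.key` and `tls-crypt-v2-server.key` under `/etc/openvpn` need to be readable by root only (for example `chmod 600`), since the daemon reads them before dropping to `nobody`/`nogroup` with `persist-key`. Third, "The client's key needs to generated using the server key" is missing "be", and the client-side key generation it promises is not shown in this section, although the `tls-crypt-v2` directive makes it mandatory for every client; either add that step here or point to where it is covered.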
  • install_24_4_openvpn.1763470053.txt.gz
  • Last modified: 2025/11/18 14:47
  • by system