The goal is to delivered certificates for openvpn servers and clients. We are going to create a self-signed certificate authority
root_ca: Global auto-generated Certification authority vpn_ca: Intermediate certification authority from root_ca
mkdir -p /etc/ssl/root_ca/{certs,crl,newcerts,private}
mkdir -p /etc/ssl/vpn_ca/{certs,crl,newcerts,private}
touch /etc/ssl/root_ca/index.txt
touch /etc/ssl/vpn_ca/index.txt
touch /etc/ssl/root_ca/serial
touch /etc/ssl/vpn_ca/serial
I also create a directory where I put the created certificates
mkdir /etc/ssl/generate_certs
Replace the openssl.cnf file by the one located in 3 Annex 1 :
cd /etc/ssl/root_ca/ openssl req -x509 -config /etc/ssl/openssl.cnf -newkey rsa:8192 -sha256 -extensions ROOT_CA -days 3650 -keyout private/root_ca.key -out root_ca.pem
You must input a passphrase and a FQDN specific for the root_ca (ex: root_ca@example.org)
chmod -R 600 /etc/ssl/root_ca/private
openssl x509 -serial -noout -in root_ca.pem | cut -d= -f2 > serial
openssl req -new -newkey rsa:2048 -keyout private/cakey.pem -out careq.pem -config /etc/ssl/openssl.cnf
You must input a new passphrase and a FQDN specific for the root_ca certificate (ex: ca-root-cert.example.org)
openssl ca -create_serial -out cacert.pem -days 365 -keyfile private/cakey.pem -selfsign -config /etc/ssl/openssl.cnf -infiles careq.pem
cd /etc/ssl/vpn_ca openssl req -newkey rsa:8192 -sha256 -keyout private/vpn_ca.key -out vpn_ca.req
You must create a new passphrase (again). Add also a commpn name dedicated (for example: vpn-ca-cert.example.org)
chmod -R 600 /etc/ssl/vpn_ca/private
openssl ca -extensions VPN_CA -in vpn_ca.req -out vpn_ca.pem
openssl x509 -serial -noout -in vpn_ca.pem | cut -d= -f2 > serial
cd /etc/ssl/generate_certs cat /etc/ssl/root_ca/root_ca.pem /etc/ssl/vpn_ca/vpn_ca.pem > /etc/ssl/vpn_ca-chain.pem
cd /etc/ssl/generate_certs openssl req -nodes -newkey rsa:4096 -keyout razorback.key -out razorback.req openssl ca -name vpn_ca -extensions VPN_SERVER -in razorback.req -out razorback.pem
cd /etc/ssl/generate_certs openssl req -nodes -newkey rsa:4096 -keyout vesta.key -out vesta.req openssl ca -name vpn_ca -extensions VPN_CLIENT -in vesta.req -out vesta.pem openssl req -nodes -newkey rsa:4096 -keyout yahweh.key -out yahweh.req openssl ca -name vpn_ca -extensions VPN_CLIENT -in yahweh.req -out yahweh.pem
mkdir –p /etc/ssl/generate_keys cd /etc/ssl/generate_keys openssl dhparam -out dh2048.pem 2048
mkdir -p /usr/local/etc/openvpn/ssl mkdir –p /usr/local/etc/openvpn/log touch /usr/local/etc/openvpn/log/openvpn.log touch /usr/local/etc/openvpn/log/openvpn-status.log
openvpn --genkey secret /usr/local/etc/openvpn/ssl/ta.key
Adapt the source files for the copy command cp opvn-srv1.pem /usr/local/etc/openvpn/ssl/ cp opvn-srv1.key /usr/local/etc/openvpn/ssl/ cp dh2048.pem /usr/local/etc/openvpn/ssl/ cp vpn_ca-chain.pem /usr/local/etc/openvpn/ssl/
Create the file usrlocal/etc/openvpn/ovpnesm.conf # Network parameters port 1195 proto udp dev tap1 # Certificates and keys ca ssl/vpn_ca-chain.pem cert ssl/razorback.pem key ssl/razorback.key dh ssl/dh2048.pem tls-auth ssl/ta.key 0 # Vpn parameters server-ipv6 fec0::/64 client-to-client keepalive 10 120 cipher AES-256-CBC persist-key persist-tun # Log status log/openvpn-status.log log log/openvpn.log log-append log/openvpn.log verb 3 explicit-exit-notify 1 persist-tun
cp /usr/local/etc/rc.d/openvpn /usr/local/etc/rc.d/openvpn_ovpnesm.conf sysrc openvpn_ovpnesm_configfile=”/usr/local/etc/rc.d/openvpn_ovpnesm.conf” sysrc openvpn_ovpnesm_enable=YES service openvpn_ovpnesm start
ps -ax | grep openvpn
Result:
7002 - Ss 0:00.02 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/ovpnesm.conf --writepid /var/run/openvpn.pid
netstat -4anl | grep 1195
Result:
Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) udp46 0 0 *.1195 *.*
cat /usr/local/etc/openvpn/log/openvpn-status.log
Result :
OpenVPN CLIENT LIST Updated,2021-04-23 05:11:36 Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since ROUTING TABLE Virtual Address,Common Name,Real Address,Last Ref GLOBAL STATS Max bcast/mcast queue length,0 END
ifconfig tap0
Result :
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 58:9c:fc:10:ff:91
        inet6 fec0::1 prefixlen 64
        inet6 fe80::5a9c:fcff:fe10:ff91%tap0 prefixlen 64 scopeid 0x4
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 7002
mkdir -p /usr/local/etc/openvpn/ssl mkdir –p /usr/local/etc/openvpn/log mkdir –p /usr/local/etc/openvpn/scripts touch /usr/local/etc/openvpn/log/openvpn.log
cp /usr/local/etc/rc.d/openvpn /usr/local/etc/rc.d/openvpn_ovpnesm.conf sysrc openvpn_ovpnesm_configfile=”/usr/local/etc/rc.d/openvpn_ovpnesm.conf” sysrc openvpn_ovpnesm_enable=YES
Adapt the source files for the copy command
cp vesta.pem /usr/local/etc/openvpn/ssl/ cp vesta.key /usr/local/etc/openvpn/ssl/ cp vpn_ca-chain.pem /usr/local/etc/openvpn/ssl/ cp ta.key /usr/local/etc/openvpn/ssl/
Adapt the source files for the copy command
cat > /usr/local/etc/openvpn/scripts/bridgeParams.sh << EOF #!/bin/sh ovpnAction=$1 if [ "$ovpnAction" = "up" ]; then ifconfig bridge create name ovpnb0 ifconfig ovpnb0 addm tap1 ifconfig ovpnb0 addm re1 ifconfig re1 up ifconfig ovpnb0 up elif [ "$ovpnAction" = "down" ]; then ifconfig ovpnb0 destroy ifconfig re1 down else echo nothing fi EOF chmod a+x /usr/local/etc/openvpn/scripts/bridgeParams.sh
cat > /usr/local/etc/openvpn/ovpnesm.conf << EOF # Network parameters client dev tap1 proto udp remote 5.196.65.162 1195 # Certificates and keys ca ssl/vpn_ca-chain.pem cert ssl/vesta.pem key ssl/vesta.key remote-cert-tls server tls-auth ssl/ta.key 1 # Vpn parameters resolv-retry infinite nobind cipher AES-256-CBC persist-key persist-tun # Log log log/openvpn.log log-append log/openvpn.log verb 3 script-security 2 up "./scripts/bridgeParams.sh up" down "./scripts/bridgeParams.sh down" ping-restart 10 EOF
service openvpn_ovpnesm start
ps -ax | grep openvpn
Result:
85363 - Ss 5:44.68 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn_ovpnesm --config /usr/local/etc/openvpn/ovpnesm.conf --writepid /var/run/openvpn_ovpnesm
ifconfig tap1
Result :
tap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 58:9c:fc:10:ff:91
        inet6 fec0::1000 prefixlen 64
        inet6 fe80::5a9c:fcff:fe10:ff91%tap0 prefixlen 64 scopeid 0x4
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 7002
ping -6 -c 5 fec0::1
Result :
16 bytes from fec0::1, icmp_seq=0 hlim=64 time=1.014 ms 16 bytes from fec0::1, icmp_seq=1 hlim=64 time=1.035 ms 16 bytes from fec0::1, icmp_seq=2 hlim=64 time=1.219 ms 16 bytes from fec0::1, icmp_seq=3 hlim=64 time=1.760 ms 16 bytes from fec0::1, icmp_seq=4 hlim=64 time=1.212 ms
HOME = . #RANDFILE = $ENV::HOME/.rnd #oid_file = $ENV::HOME/.oid oid_section = new_oids [ new_oids ] tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 #################################################################### [ ca ] default_ca = root_ca # The default ca section #################################################################### [ root_ca ] dir = /etc/ssl/root_ca certs = $dir/certs new_certs_dir = $dir/newcerts database = $dir/index.txt certificate = $dir/root_ca.pem serial = $dir/serial private_key = $dir/private/root_ca.key default_days = 3650 default_md = sha256 preserve = no policy = policy_match #unique_subject = no # Set to 'no' to allow creation of several certs with same subject. [ vpn_ca ] dir = /etc/ssl/vpn_ca certs = $dir/certs new_certs_dir = $dir/newcerts database = $dir/index.txt certificate = $dir/vpn_ca.pem serial = $dir/serial private_key = $dir/private/vpn_ca.key default_days = 3650 default_md = sha256 preserve = no policy = policy_match #unique_subject = no # Set to 'no' to allow creation of several certs with same subject. [ policy_match ] countryName = match stateOrProvinceName = match localityName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional #################################################################### [ req ] default_bits = 4096 distinguished_name = req_distinguished_name string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = FR countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Pays de la Loire localityName = Locality Name (eg, city) localityName_default = Nantes 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Orange # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ req_attributes ] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [default_conf] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=2 [ROOT_CA] nsComment = "ROOT CA" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always basicConstraints = critical,CA:TRUE,pathlen:1 keyUsage = keyCertSign, cRLSign [VPN_CA] nsComment = "VPN CA" basicConstraints = critical,CA:TRUE,pathlen:0 subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always issuerAltName = issuer:copy keyUsage = keyCertSign, cRLSign nsCertType = sslCA [VPN_SERVER] nsComment = "VPN Server Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always issuerAltName = issuer:copy basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment nsCertType = server extendedKeyUsage = serverAuth [VPN_CLIENT] nsComment = "VPN CLIENT Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always issuerAltName = issuer:copy basicConstraints = critical,CA:FALSE keyUsage = digitalSignature, nonRepudiation nsCertType = client extendedKeyUsage = clientAuth