From: Vassilis V. <Big...@gm...> - 2009-11-06 22:11:25
Hello there! Here is the how-to I used to do it:
http://www.efw-forum.de/www/forum/viewtopic.php?f=9&t=66

Since it's in German I will do a translation. It's based on using Endian and having Windows clients. You can actually use any client you want as long as you have the right certificates. I used a Windows PC to create them. Doing it on a Linux box should be very similar.

1. Install OpenVPN:
====================
Download and install OpenVPN.

2. Using Easy-RSA:
=========================
easy-rsa helps in creating certificates. After installing OpenVPN you should have a folder called easy-rsa. Enter it, since a few configurations are needed there:

openssl.cnf.sample: You need to add the following, otherwise there will be no nsCert certificate. Since Endian requires one, it's a mandatory step. Write the following code into openssl.cnf.sample, since this file is always copied to openssl.cnf every time you execute the command init-config.bat

--Code Start--
[ client ]
basicConstraints=CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
--Code End--

3. Create the scripts to generate the Server and Client certificates:
================================================================
These two scripts are made in order to make it faster and easier to create certificates. You can simply copy these scripts into the easy-rsa directory. build-key-server-pkcs12.bat is used to create the server certificate and build-key-client-pkcs12.bat is used to create the certificates you will give to each of your clients.

Creating build-key-server-pkcs12.bat
--Code Start--
@echo off
cd %HOME%
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -extensions server -config %KEY_CONFIG%
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old
rem convert the key/cert and embed the ca cert into a pkcs12 file.
openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old
--Code End--

Creating build-key-client-pkcs12.bat
--Code Start--
@echo off
cd %HOME%
rem build a request for a cert that will be valid for ten years
openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem sign the cert request with our ca, creating a cert/key pair
openssl ca -extensions client -days 3650 -out %KEY_DIR%\%1.crt -in %KEY_DIR%\%1.csr -config %KEY_CONFIG%
rem convert the key/cert and embed the ca cert into a pkcs12 file.
openssl pkcs12 -export -inkey %KEY_DIR%\%1.key -in %KEY_DIR%\%1.crt -certfile %KEY_DIR%\ca.crt -out %KEY_DIR%\%1.p12
rem delete any .old files created in this process, to avoid future file creation errors
del /q %KEY_DIR%\*.old
--Code End--

4. Generating the Keys:
====================
IMPORTANT: Every PC must have its own, individual client certificate, otherwise you will have conflicts. At the same time, you will be able to see inside Endian which certificate is logged in and for how long.

You could use a naming policy like: endian.$subdomain.$domain.$tld for the server and $domain-client01, $domain-client02... for the clients. In this example the server will be called "endian" and the client will be "client01".

FIRST TIME USE:
- open a cmd window and go to the easy-rsa folder
- execute init-config.bat
- open vars.bat in a text editor and enter your desired default information for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL
- execute vars.bat
- execute clean-all.bat
- execute build-ca.bat # accept all prompts with Enter
- execute build-dh.bat # accept all prompts with Enter
- execute build-key-server-pkcs12.bat endian # accept all prompts with Enter/y, but under "Common Name" you must enter the server name; in our example you type endian
- execute build-key-client-pkcs12.bat client01 # accept all prompts with Enter/y, but under "Common Name" you must enter the client name, the same you entered while executing the command. In our example that is client01

5. Importing the server certificate into Endian Firewall:
===============================================
- Web login on to Endian Firewall
- VPN => OpenVPN Server => Advanced
- Change "Authentication settings" to "X.509 certificate"
- Upload the created endian.p12 certificate on to Endian (Import server certificate from external Certification Authority (CA))

6. Create the client config:
======================
Go to your client and put the following .conf or .ovpn file in your config folder:

--Code Start--
client
dev tap
proto udp
remote (IP or hostname of the endian box)
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client01.p12
verb 3
comp-lzo
ns-cert-type server
--Code End--

That's it!

This is roughly the how-to made by devaux, I just translated most of it here :-)

Here is my bit:
After you did all this you will have a /keys folder on the PC where you created the certificates. This folder contains ALL certificates made; there you will find the endian.p12 and the client01.p12 files. Another very, very important file you will find there is the ca.crt. This file is your certificate and whoever has this file can create more certificates for your server. So make sure you keep this file safe. From what I know, you cannot recreate this file. If you lose it, you need to create new pairs of server/client certificates.

Creating more client certificates at a later time:
--------------------------------------
Do NOT use all the steps above when you want to create more client certificates at some later time. All you need to do is have the original ca.crt file in the /keys directory and then:
- execute vars.bat
- execute build-key-client-pkcs12.bat NAMEOFCLIENT

That's it!

Now I have a few questions too though. Does the use of the certificates guarantee the identity of each client only, or does it also encrypt the data sent?

Hope it helps you!
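As an added example (not part of the post above, and not the easy-rsa batch scripts it describes), the same procedure on a Linux/Unix box with plain openssl: build the CA, issue a server certificate under an `[ server ]` extension section carrying `nsCertType = server`, issue a client certificate under the `[ client ]` section from step 2, bundle each key/cert/CA into a .p12 the way the .bat scripts do, and then run the checks worth doing before handing out a .p12: each certificate chains to ca.crt, the server certificate really carries the server nsCertType that the client's `ns-cert-type server` line relies on, and the client certificate does not. Everything here is constructed for the example: the file names (endian, client01, ext.cnf), the subjects, and the PKCS#12 export password; the `[ server ]` section is an assumption modelled on the post's `[ client ]` section, since the post does not show easy-rsa's own.

```shell
#!/bin/sh
# Added example, not the post's easy-rsa scripts: the CA / server / client
# certificate procedure with plain openssl, plus the checks to run afterwards.
set -e

# Minimal openssl config with the extension sections the post's scripts
# reference ("-extensions server" / "-extensions client").  [ req ] with an
# empty DN section lets "openssl req" run with -subj and no system config.
write_ext_config() {
    cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
nsCertType = client
nsComment = "OpenSSL Generated Client Certificate"
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_pki DIR: the equivalent of build-ca, build-key-server-pkcs12 endian
# and build-key-client-pkcs12 client01, all written into DIR.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    write_ext_config "$dir"

    # CA: ca.key is the file that lets anyone issue certificates this VPN
    # will trust, so it is the one that must never leave this machine.
    openssl req -x509 -config "$dir/ext.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example VPN CA" 2>/dev/null

    # For each NAME:SECTION pair: request, sign with the CA under SECTION,
    # then bundle key + cert + CA into NAME.p12 (what "pkcs12 NAME.p12" loads).
    for spec in "endian:server" "client01:client"; do
        name="${spec%%:*}"; section="${spec##*:}"
        openssl req -new -config "$dir/ext.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" \
            -subj "/CN=$name" 2>/dev/null
        openssl x509 -req -days 3650 -in "$dir/$name.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "$section" \
            -out "$dir/$name.crt" 2>/dev/null
        openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
            -certfile "$dir/ca.crt" -out "$dir/$name.p12" \
            -passout pass:example-only   # constructed password, example only
    done
}

# cert_type FILE: print the Netscape Cert Type a certificate carries
# ("SSL Server" or "SSL Client"); this is what "ns-cert-type server" gates on.
cert_type() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Netscape Cert Type:/ { getline; sub(/^ +/, ""); print; exit }'
}

# verify_chain FILE CA: succeeds only if FILE was signed by CA, the check
# both sides of the OpenVPN handshake perform on each other's certificate.
verify_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_pki DIR: sanity checks to run before handing out any .p12 file.
check_pki() {
    dir="$1"
    verify_chain "$dir/endian.crt" "$dir/ca.crt" || return 1
    verify_chain "$dir/client01.crt" "$dir/ca.crt" || return 1
    [ "$(cert_type "$dir/endian.crt")" = "SSL Server" ] || return 1
    # a client certificate must never pass as a server certificate
    [ "$(cert_type "$dir/client01.crt")" = "SSL Client" ] || return 1
    [ -s "$dir/endian.p12" ] && [ -s "$dir/client01.p12" ] || return 1
}

# Usage: sh pki.sh DIR   (builds the PKI in DIR and runs the checks)
if [ "$#" -eq 1 ]; then
    make_pki "$1" && check_pki "$1" && echo "certificates in $1 look good"
fi
```

The `cert_type` check is the part that matters for the `ns-cert-type server` line in the client config: a client will refuse to talk to a peer whose certificate carries the client type, so a leaked client01.p12 cannot be turned into a fake "endian" server. The same reasoning applies to the CA: only ca.key can sign a certificate that passes `verify_chain`, so that file, not just ca.crt, is the one to keep off every client.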