Openvpn with cert

Generate the master Certificate Authority (CA) certificate & key:

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./clean-all
    ./build-ca

Generate certificate & key for the server:

    ./build-key-server server

Generate certificates & keys for 3 clients:

    ./build-key client1
    ./build-key client2
    ./build-key client3

If you would like to password-protect your client keys, substitute the build-key-pass script.

Generate Diffie Hellman parameters

Diffie Hellman parameters must be generated for the OpenVPN server. On Linux/BSD/Unix:

    ./build-dh

Filename     Needed By                 Purpose                     Secret
ca.crt       server + all clients      Root CA certificate         NO
ca.key       key signing machine only  Root CA key                 YES
dh{n}.pem    server only               Diffie Hellman parameters   NO
server.crt   server only               Server Certificate          NO
server.key   server only               Server Key                  YES
client1.crt  client1 only              Client1 Certificate         NO
client1.key  client1 only              Client1 Key                 YES
client2.crt  client2 only              Client2 Certificate         NO
client2.key  client2 only              Client2 Key                 YES
client3.crt  client3 only              Client3 Certificate         NO
client3.key  client3 only              Client3 Key                 YES

The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
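An added check for that copying step (my script, not part of the original notes): it walks a keys directory and applies the secrecy column of the table above. Every *.key file must be readable by its owner only, and ca.key belongs on the key signing machine alone, so a ca.key found in a server's keys directory is reported too. The demo directory and files at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an easy-rsa keys directory
# against the secrecy table. Every *.key file is secret and must be readable by
# its owner only; ca.key belongs on the key signing machine only, so finding it
# in a server's keys directory is a finding as well.
# The demo directory and files at the bottom are constructed for this example.

# file_mode FILE: octal permission bits (GNU stat, with BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_secret FILE: 0 if the file is one of the secret files in the table.
is_secret() {
    case "$(basename "$1")" in
        *.key) return 0 ;;
        *)     return 1 ;;
    esac
}

# audit_keys_dir DIR [ROLE]: ROLE is "server" (default) or "ca" for the key
# signing machine. Prints one line per finding; returns the number of findings.
audit_keys_dir() {
    dir=$1
    role=${2:-server}
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        is_secret "$f" || continue
        mode=$(file_mode "$f")
        # Any group or other bit set on a private key is a finding.
        case "$mode" in
            *00) ;;
            *) echo "FINDING: $name is mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
        if [ "$name" = ca.key ] && [ "$role" != ca ]; then
            echo "FINDING: ca.key is present on a $role machine; keep it on the signing machine only"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Demo on a constructed directory: .key files left world-readable and a stray ca.key.
demo=$(mktemp -d)
for f in ca.crt ca.key dh1024.pem server.crt server.key; do : > "$demo/$f"; done
chmod 644 "$demo"/*            # wrong for the two .key files
audit_keys_dir "$demo" server || echo "$? finding(s) in $demo"
chmod 600 "$demo/server.key" && rm "$demo/ca.key"
audit_keys_dir "$demo" server && echo "clean"
rm -rf "$demo"
```

Run it as `audit_keys_dir /etc/openvpn/easy-rsa/keys ca` on the signing machine and with `server` on the VPN server; a non-zero exit status is the number of findings, so it drops straight into a cron job or a deploy script.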

A simple openvpn.conf file

cd /etc/openvpn and create openvpn.conf with:

    proto udp
    port 1194
    log-append /var/log/openvpn.log
    dev tun
    server 172.30.2.0 255.255.255.0
    cipher BF-CBC
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    plugin /etc/openvpn/plugin/auth-passwd/openvpn-auth-passwd.so


Openvpn revoke cert

    cd /etc/openvpn/easy-rsa
    . ./vars
    ./revoke-full client2

This generates a CRL file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

    crl-verify crl.pem
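An added review script for the server config (mine, not from the original notes): it reads an openvpn.conf and reports the settings a practitioner would change before deploying it. page.conf is the openvpn.conf from the notes (without the cd line); hardened.conf is a constructed counterpart, and its ta.key path, the AES-256-GCM cipher and the nobody/nogroup account are assumptions. The checks it encodes: BF-CBC (Blowfish) is a 64-bit block cipher and was only the default before OpenVPN 2.5; dh1024.pem means 1024-bit DH parameters; without crl-verify a certificate revoked with revoke-full is still accepted; without tls-auth/tls-crypt the TLS handshake is reachable by anyone who can send UDP to the port; without user/group the daemon keeps running as root.

```shell
#!/bin/sh
# Added example (not from the original notes): review an OpenVPN server config
# for settings worth changing. page.conf is the notes' openvpn.conf; hardened.conf
# is constructed, and its ta.key path, cipher and unprivileged account are assumptions.

# has_directive FILE NAME: 0 if some line starts with the directive NAME.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# directive_value FILE NAME: first argument of the directive, empty if absent.
directive_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_server_conf FILE: print one line per finding; return the count (0 = clean).
audit_server_conf() {
    conf=$1
    n=0
    # BF-CBC is a 64-bit block cipher and the pre-2.5 default when cipher is unset.
    case "$(directive_value "$conf" cipher)" in
        BF-CBC|"") echo "cipher is BF-CBC or unset (the pre-2.5 default): use AES-256-GCM"; n=$((n + 1)) ;;
    esac
    # dh1024.pem = 1024-bit Diffie Hellman parameters; generate 2048-bit ones with build-dh.
    case "$(directive_value "$conf" dh)" in
        *1024*) echo "dh: 1024-bit parameters; regenerate with at least 2048 bits"; n=$((n + 1)) ;;
    esac
    # Without crl-verify, a certificate revoked with revoke-full is still accepted.
    has_directive "$conf" crl-verify ||
        { echo "crl-verify missing: revoked client certificates are still accepted"; n=$((n + 1)); }
    # tls-auth/tls-crypt: packets without the shared key are dropped before any TLS handshake.
    has_directive "$conf" tls-auth || has_directive "$conf" tls-crypt ||
        { echo "no tls-auth/tls-crypt: handshake reachable by anyone who can send UDP to port $(directive_value "$conf" port)"; n=$((n + 1)); }
    # Drop root privileges once the tunnel is up.
    has_directive "$conf" user ||
        { echo "user missing: the daemon keeps running as root"; n=$((n + 1)); }
    return "$n"
}

# write_sample_confs DIR: write page.conf (from the notes) and hardened.conf (constructed).
write_sample_confs() {
    cat > "$1/page.conf" <<'EOF'
proto udp
port 1194
log-append /var/log/openvpn.log
dev tun
server 172.30.2.0 255.255.255.0
cipher BF-CBC
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
plugin /etc/openvpn/plugin/auth-passwd/openvpn-auth-passwd.so
EOF
    cat > "$1/hardened.conf" <<'EOF'
proto udp
port 1194
log-append /var/log/openvpn.log
dev tun
server 172.30.2.0 255.255.255.0
cipher AES-256-GCM
auth SHA256
tls-crypt /etc/openvpn/easy-rsa/2.0/keys/ta.key
crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
plugin /etc/openvpn/plugin/auth-passwd/openvpn-auth-passwd.so
EOF
}

# Demo: audit both sample configs.
demo=$(mktemp -d)
write_sample_confs "$demo"
for c in page hardened; do
    echo "== $c.conf =="
    audit_server_conf "$demo/$c.conf" && echo "no findings"
done
rm -rf "$demo"
```

Point it at the live file with `audit_server_conf /etc/openvpn/openvpn.conf`; the exit status is the number of findings. persist-key and persist-tun in hardened.conf are there because once the daemon has dropped to nobody it can no longer re-read server.key or reopen the tun device on SIGUSR1 restarts.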


Openvpn with user auth.

Download the OpenVPN source code and get the auth-passwd plugin. Copy the plugin source to the plugin dir and make the plugin. auth-passwd allows clients to authenticate as system users (passwd/shadow).

In /etc/openvpn/openvpn.conf add the line below:

    plugin /etc/openvpn/plugin/auth-passwd/openvpn-auth-passwd.so

On the client, add this line to /home/wrodrigues/openvpnkeys/openvpn.conf (the user is one from /etc/passwd):

    auth-user-pass

On a Windows client, add these lines to /home/wrodrigues/openvpnkeys/openvpn.conf (the user is one from /etc/passwd):

    auth-user-pass
    route-method exe    (or routes will fail to work; not needed for the latest client)
    route-delay 2       (or routes will fail to work; not needed for the latest client)

For vpn setup on srv05

1) Create the certs and edit the ccd files:

    cat /etc/openvpn/ccd/wilson-client1
    ifconfig-push 172.30.2.5 172.30.2.6

    cat /etc/openvpn/ccd/prateeksha
    ifconfig-push 172.30.2.101 172.30.2.102

2) Configure the Windows client vpn software.

3) Set iptables on the vpn server:

    # vpn traffic from prateeksha to srv04 = accept
    iptables -I FORWARD -i tun0 -s 172.30.2.101 -d 10.100.100.23 -j ACCEPT
    # vpn traffic from sysadmin to any = accept
    iptables -I FORWARD -i tun0 -s 172.30.2.5 -j ACCEPT
    # vpn traffic from any = drop
    iptables -A FORWARD -i tun0 -s 172.30.2.0/24 -j DROP

4) Add the ip in the standalone fw on 10.100.100.23 (/etc/rc.d/rc.firewall):

    iptables -A INPUT -s 172.30.2.101 -j ACCEPT
    iptables -A INPUT -s 172.30.2.5 -j ACCEPT
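An added script for step 3 (mine, not from the original notes): it generates the same allow/drop policy from one allow-list, so the addresses stay in step with the ifconfig-push lines in the ccd files, and it puts the rules in a dedicated chain that is flushed and rebuilt on every run. Re-running the -I/-A commands above leaves a duplicate rule behind each time; flushing a chain does not. The chain name VPN-FWD is constructed for this example. With IPTABLES unset it is a dry run that prints the rules; run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the original notes): build the VPN forwarding rules
# from one allow-list. IPTABLES unset = dry run (rules are printed);
# IPTABLES=iptables applies them. The chain name VPN-FWD is constructed.

IPTABLES=${IPTABLES:-echo}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-172.30.2.0/24}
VPN_CHAIN=VPN-FWD

# Allow-list: "<client vpn address> <destination or any>", one entry per line.
# 172.30.2.101 is prateeksha and 172.30.2.5 the sysadmin client, as pushed by
# the ccd files; the destinations come from the rules in step 3.
ALLOW='
172.30.2.101 10.100.100.23
172.30.2.5 any
'

# run ARGS...: print "iptables ARGS" in dry-run mode, otherwise execute it.
run() {
    if [ "$IPTABLES" = echo ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# jump_rule: add the FORWARD -> VPN_CHAIN jump once (-C checks whether it exists).
jump_rule() {
    if [ "$IPTABLES" != echo ]; then
        "$IPTABLES" -C FORWARD -i "$VPN_IF" -s "$VPN_NET" -j "$VPN_CHAIN" 2>/dev/null && return 0
    fi
    run -A FORWARD -i "$VPN_IF" -s "$VPN_NET" -j "$VPN_CHAIN"
}

# vpn_fw_rules: (re)build the VPN chain. Flushing the dedicated chain and
# re-adding its rules is idempotent, unlike repeated -I/-A on FORWARD.
vpn_fw_rules() {
    run -N "$VPN_CHAIN" 2>/dev/null || true   # chain already exists on a re-run
    run -F "$VPN_CHAIN"
    jump_rule
    printf '%s\n' "$ALLOW" | while read -r src dst; do
        [ -n "$src" ] || continue
        if [ "$dst" = any ]; then
            run -A "$VPN_CHAIN" -s "$src" -j ACCEPT
        else
            run -A "$VPN_CHAIN" -s "$src" -d "$dst" -j ACCEPT
        fi
    done
    # Default for everything else from the VPN subnet: drop, as in step 3.
    run -A "$VPN_CHAIN" -j DROP
}

vpn_fw_rules
```

The jump is appended to FORWARD; if FORWARD already ends in a catch-all DROP from another script, insert the jump ahead of it with -I instead, otherwise the VPN chain is never reached. The -i tun0 match on the jump means only packets entering from the VPN are policed here; replies to them arrive on the other interface and are handled by the rest of FORWARD, exactly as with the original rules.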