Difference between revisions of "OpenVPN/Server"

From Zombi Wiki
Jump to navigation Jump to search
(Created page with "We're using OpenVPN with a TLS infrastructure. Clients can only connect with a certificate that has been signed by the servers CA. The server needs the following files, in ord...")
 
(add missing files)
 
Line 6: Line 6:
 
* server.conf ''(written by you from template)''
 
* server.conf ''(written by you from template)''
 
* server.key ''(generated by openvpn)''
 
* server.key ''(generated by openvpn)''
 
+
* ta.key ''(generated by openvpn)''
 +
* server.crt ''(generated by openssl or easy-rsa)''
  
 
== Setting up the Server ==
 
== Setting up the Server ==
 
Our Docker image comes with all necessary binaries, to run the server. To seed the configuration you should switch into a shell in the image with a command like <code>docker exec -it zombi/openvpn</code>. The following steps assume that you are within the OpenVPN container.
 
Our Docker image comes with all necessary binaries, to run the server. To seed the configuration you should switch into a shell in the image with a command like <code>docker exec -it zombi/openvpn</code>. The following steps assume that you are within the OpenVPN container.
  
=== Generate Static Key ===
+
=== Generate Static Keys ===
Within ''/etc/openvpn'', execute <code>openvpn --genkey --secret server.key</code> to generate the OpenVPN static key.
+
Within ''/etc/openvpn'', execute <code>openvpn --genkey --secret server.key</code> to generate the OpenVPN static key. You'll also need ta.key, which will be the shared key between all clients and the server and can be generated with the same command.
 
=== Build CA ===
 
=== Build CA ===
 
Run <code>/usr/share/easy-rsa/easyrsa init-pki</code> and <code>/usr/share/easy-rsa/easyrsa build-ca nopass</code> to build the CA (depending on your usecase, you might want to set a passphrase and remove the "nopass") and copy the files ca.crt and private/ca.key to /etc/openvpn.
 
Run <code>/usr/share/easy-rsa/easyrsa init-pki</code> and <code>/usr/share/easy-rsa/easyrsa build-ca nopass</code> to build the CA (depending on your usecase, you might want to set a passphrase and remove the "nopass") and copy the files ca.crt and private/ca.key to /etc/openvpn.
 
=== Generate Diffie Hellman Parameters ===
 
=== Generate Diffie Hellman Parameters ===
 
Within ''/etc/openvpn'', run <code>openssl dhparam -out dh4096.pem 4096</code>. This takes a long time, a smaller prime is probably enough and generates way faster, so if you want to be slightly less secure, but way faster, you might want to consider using 1024 or 2048 instead of 4096.
 
Within ''/etc/openvpn'', run <code>openssl dhparam -out dh4096.pem 4096</code>. This takes a long time, a smaller prime is probably enough and generates way faster, so if you want to be slightly less secure, but way faster, you might want to consider using 1024 or 2048 instead of 4096.
 +
=== Generate Server and Client Certificates ===
 +
Both ''server.crt'' and the clients certificates need to be signed by ca.key. You can create new certificates by running <code> openssl req -new -x509 -nodes -sha256 -key ca.key -out newcert.crt -subj "/CN=Common Name that should be unique"</code>
 +
 
[[Category:Documentation]]
 
[[Category:Documentation]]

Latest revision as of 05:54, 16 February 2021

We're using OpenVPN with a TLS infrastructure. Clients can only connect with a certificate that has been signed by the servers CA. The server needs the following files, in order to properly serve clients:

  • ca.crt (generated by easy-rsa)
  • ca.key (generated by easy-rsa)
  • dh4096.pem (generated by openssl)
  • server.conf (written by you from template)
  • server.key (generated by openvpn)
  • ta.key (generated by openvpn)
  • server.crt (generated by openssl or easy-rsa)

Setting up the Server

Our Docker image comes with all necessary binaries, to run the server. To seed the configuration you should switch into a shell in the image with a command like docker exec -it zombi/openvpn. The following steps assume that you are within the OpenVPN container.

Generate Static Keys

Within /etc/openvpn, execute openvpn --genkey --secret server.key to generate the OpenVPN static key. You'll also need ta.key, which will be the shared key between all clients and the server and can be generated with the same command.

Build CA

Run /usr/share/easy-rsa/easyrsa init-pki and /usr/share/easy-rsa/easyrsa build-ca nopass to build the CA (depending on your usecase, you might want to set a passphrase and remove the "nopass") and copy the files ca.crt and private/ca.key to /etc/openvpn.

Generate Diffie Hellman Parameters

Within /etc/openvpn, run openssl dhparam -out dh4096.pem 4096. This takes a long time, a smaller prime is probably enough and generates way faster, so if you want to be slightly less secure, but way faster, you might want to consider using 1024 or 2048 instead of 4096.

Generate Server and Client Certificates

Both server.crt and the clients certificates need to be signed by ca.key. You can create new certificates by running openssl req -new -x509 -nodes -sha256 -key ca.key -out newcert.crt -subj "/CN=Common Name that should be unique"