Differences

This shows you the differences between two versions of the page.

--- networking:openvpn [2024/08/14 17:21] – [5. TLS-AUTH] oscar
+++ networking:openvpn [2024/08/14 17:45] (current) – [7. Deploy Certificates & Keys] oscar
@@ Line 65: / Line 65: @@
   tls-auth ta.key 1
-===== Copy certificates & keys =====
+===== 6. Create Client Certificate and Key Pair =====
-When the command finishes, copy the two new files to your /etc/openvpn/ directory:
+n this step, you will first generate the client key and certificate pair. If you have more than one client, you can repeat this process for each one. Please note, though, that you will need to pass a unique name value to the script for every client. Throughout this tutorial, the first certificate/key pair is referred to as MyVPNClient.
-    sudo cp ~/easy-rsa/ta.key /etc/openvpn/
+  $ easyrsa gen-req MyClientName nopass
-    sudo cp ~/easy-rsa/pki/dh.pem /etc/openvpn/
-With that, all the certificate and key files needed by your server have been generated. You’re ready to create the corresponding certificates and keys that your client machine will use to access your OpenVPN server.
+This will create a private key for the client and a certificate request file called MyClientName.req. Then sign the request by running easyrsa with the sign-req option, followed by the request type and the common name. The request type can either be client or server, so for the OpenVPN server’s certificate request, be sure to use the server request type.
+  $ easyrsa sign-req server MyClientName
+In the output, you’ll be asked to verify that the request comes from a trusted source. Type yes and press ENTER to confirm this.
+===== 7. Deploy Certificates & Keys =====
+With that, all the certificate and key files needed by your server have been generated. You’re ready to deploy the corresponding certificates and keys to both OpenVPN Server and Client systems.
-===== Key Files =====
 Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
-^Filename 	^Needed By 	^Purpose 	^Secret
+^Filename 	^Needed By 	^Purpose 	^Secret^
-|ca.crt 	|server + all clients 	|Root CA certificate 	|NO
+|ca.crt 	|server + all clients 	|Root CA certificate 	|NO|
-|ca.key 	|key signing machine only 	|Root CA key 	|YES
+|ca.key 	|key signing machine only 	|Root CA key 	|YES|
-|dh{n}.pem 	|server only 	|Diffie Hellman parameters 	|NO
+|dh2048.pem 	|server only 	|Diffie Hellman parameters 	|NO|
-|server.crt 	|server only 	|Server Certificate 	|NO
+|MyServerName.crt 	|server only 	|Server Certificate 	|NO|
-|server.key 	|server only 	|Server Key 	|YES
+|MyServerName.key 	|server only 	|Server Key 	|YES|
-|client1.crt 	|client1 only 	|Client1 Certificate 	|NO
+|MyClientName.crt 	|client1 only 	|Client1 Certificate 	|NO|
-|client1.key 	|client1 only 	|Client1 Key 	|YES
+|MyClientName.key 	|client1 only 	|Client1 Key 	|YES|
+=== Server Deployment ===
+Insert the following options in the openvpn configuration file:
+  vi /etc/config/openvpn
+  ----------------------
+  option ca '/etc/easy-rsa/keys/ca.crt'
+  option key '/etc/easy-rsa/keys/myvpnserver.key'
+  option cert '/etc/easy-rsa/keys/myvpnserver.crt'
+  option dh '/etc/easy-rsa/keys/dh2048.pem'
+=== Client Deployment ===
+Insert the various certificates and keys in the following sections of the client.ovpn configuration file:
+  - **ca.cert** --> insert contents --> between the <ca></ca>. Including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
+  - **MyClientName.key** --> insert contents --> between the <key></key>. Including the "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" lines.
+  - **MyClientName.crt** --> insert contents --> between the <cert></cert>. Including everything.
+  - **ta.key** --> insert contents --> between the <tls-auth></tls-auth>. Including everything.
 ===== Links =====