OpenVPN: Difference between revisions

OpenVPN is a leading VPN solution. VPN in a nutshell allows you to connect to your own local network over an insecure intermediate network (i.e. The Internet). Due to the security created, this also allows you to connect to open Wi-Fi hotspots that have no encryption and encrypt all your traffic over that hotspot so in effect securing the hotspot for yourself. It also means you can access local files (Samba shares, NFS shares, Intranet pages) as if you are connected at home. It uses a simple TLS connection, much like your web browser, for the security side which means it can be kept up-to-date with TLS as it evolves.

This article is written for and applies to openSUSE Leap 42.2. Newer versions may have newer features not mentioned here.

What's needed

Make sure the following packages are installed:

• openvpn
• openssl
• lzo
• pam

Also needed is EasyRSA, a simple script provided by OpenVPN that allows easy generation of certificates and security configurations. In this tutorial, we are using EasyRSA 3.0.1, the most up-to-date version available at present, which can be obtained [1].

Commands run from the terminal need to be run as a superuser, so I suggest using su before you start, if not, append sudo to each command.

Setting up EasyRSA

• Make sure you have the empty directory /etc/openvpn. If not, created the directory:

mkdir /etc/openvpn

• If you haven't already, download EasyRSA from the link above.
• Extract the tar file to /etc/openvpn/easyrsa which should produce a new directory easyrsa.
• Once extracted, move into the new easyrsa directory:

cd /etc/openvpn/easyrsa/

Using EasyRSA

With EasyRSA, we will first be creating a Certificate Authority (CA) which will then allow us to issue security certificates to set up the Public Key Infrastructure (PKI). We also setup a Diffe-Hellman (DH) prime for communication.

openSUSE Leap 42.2 only includes OpenVPN 2.3.8, as of writing OpenVPN >2.4 was available. As such, this version does not allow use of:

• Elliptic Curve (EC) Certificates or ECDSA
• Newer GCM AEAD ciphers (such as AES256-GCM)
• Perfect Forward Secrecy (PFS)
• SHA-2 or above for authentication

Allowed features of use include:

• RSA with key sizes up to 4096
• Up to TLS 1.2
• Fixed by openSUSE to include security fixes for SWEET32, Heartbleed, etc.

Configure EasyRSA

We first need to edit vars.example so that EasyRSA knows how we want it to run.

• Open vars.example in the easyrsa directory:

nano vars.eample

• We need to modify the following lines to our liking (remove any comment # at the beginning to uncomment or line won't take effect):
  • #set_var EASYRSA_DN "cn_only" to set_var EASYRSA_DN "org"
  • #set_var EASYRSA_REQ_COUNTRY "US" to set_var EASYRSA_REQ_COUNTRY "GB" (GB for the UK, not UK!)
  • #set_var EASYRSA_REQ_PROVINCE "California" to set_var EASYRSA_REQ_PROVINCE "Essex" (your County in the UK)
  • #set_var EASYRSA_REQ_CITY "San Francisco" to set_var EASYRSA_REQ_CITY "Grays"
  • #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" to set_var EASYRSA_REQ_ORG "freddythechick"
  • #set_var EASYRSA_REQ_EMAIL "me@example.net" to set_var EASYRSA_REQ_EMAIL "xxxxxx@gmail.com" (E-mail not filled out for obvious reasons, replace with correct e-mail address!)
  • #set_var EASYRSA_REQ_OU "My Organizational Unit" to set_var EASYRSA_REQ_OU "freddythechick OpenVPN"
  • #set_var EASYRSA_CERT_EXPIRE 3650 to set_var EASYRSA_CERT_EXPIRE 365 (Makes certificates last 1 year instead of 10)
• Optionally, these options can be changed:
  • #set_var EASYRSA_KEY_SIZE 2048 to set_var EASYRSA_KEY_SIZE 1024|2048|4096 (Choose a key size from 1024, 2048 or 4096, IMPORTANT read on about key sizes!)
• Once all changed to your liking, we want to save the config file. Press Ctrl+O to save. Remove the .example from the end, leaving just vars and press Enter. Press Y to confirm the name change.
• Close nano by pressing Ctrl+O.

NOTE: With EASYRSA_KEY_SIZE, 2048 is a safe compromise. It is secure enough for now (as of 2017), while being easy enough to generate and process. 1024 should only be used for legacy clients, it is considered very weak now and shouldn't be used unless you really have to. 4096 will be secure well into the future. However the key generation is very slow, DH prime generation can take days and it will make TLS negotiation noticeably slower (although it only affects negotiation, not once it the VPN is connected). We have chosen a 2048 key size for now. Most clients will accept anything up to 4096.

Initiate/Reset the Public Key Infrastructure (PKI)

Before we start, we must initiate the PKI infrastructure within EasyRSA. This sets up the correct folder heirachy and databases ready to create a fresh new PKI. If you make a mistake, you can do this again to wipe everything out and start from the beginning.

IMPORTANT: If you have already created any certificates, keys, DH primes or certificate authorities, these will be wiped out when initiating the PKI. This is also helpful if you make a mistake and want to start a fresh. This will NOT remove any configurations, such as from the last section.

• In the easyrsa directory, run the following command:

./easyrsa init-pki

• First time round, it will say the following:

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa/pki

If this isn't your first time, it will say the following to confirm wiping everything:

WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/openvpn/easyrsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: _

Type yes if you are happy with this, else press Enter or type anything else to cancel.

Create a Certificate Authority