OpenVPN: Difference between revisions

From ThinkServer
Page started
Rearranged article slightly. Added more.
 

Latest revision as of 00:59, 13 March 2018

OpenVPN is a leading VPN solution. A VPN, in a nutshell, lets you connect to your own local network over an insecure intermediate network (i.e. the Internet). Because all traffic between you and your server is encrypted, this also lets you use open Wi-Fi hotspots that have no encryption and send all your traffic through the tunnel, in effect securing the hotspot for yourself. It also means you can access local resources (Samba shares, NFS shares, intranet pages) as if you were connected at home. It uses a standard TLS connection, much like your web browser, for the security side, which means it can be kept up to date as TLS evolves.

This article is written for and applies to openSUSE Leap 42.3. Newer versions may have newer features not mentioned here. openSUSE Leap 15 is expected to support Elliptic Curve Cryptography and AEAD Ciphers.

openSUSE Leap 42.3 only includes OpenVPN 2.3.8, although at the time of writing OpenVPN 2.4 and newer was available. As such, this version does not allow the use of:

  • Elliptic Curve (EC) Certificates or ECDSA
  • AEAD ciphers (such as AES-GCM)

Available features to use with OpenVPN 2.3.8 include:

  • RSA with key sizes up to 4096
  • Up to TLS 1.2 (Up from TLS 1.0 in 2.3.3)
  • Perfect Forward Secrecy (PFS)
  • SHA-2 for authentication
  • Has been patched by openSUSE to include the OpenSSL security fixes for SWEET32, Heartbleed, etc. when using deprecated ciphers (such as RC4 and Blowfish)

What's needed

Make sure the following packages are installed:

  • openvpn
  • openssl
  • lzo
  • pam

Also needed is EasyRSA, a simple script provided by OpenVPN that allows easy generation of certificates and security configurations. This is not included with the openSUSE packages but can be downloaded separately and requires no installation, as it is just a set of scripts.

In this tutorial, we are using EasyRSA 3, the most up-to-date version available at present, which can be obtained from https://github.com/OpenVPN/easy-rsa.

Commands run from the terminal need to be run as a superuser, so I suggest using su before you start; if not, prefix each command with sudo.

Setting up EasyRSA

  • Download the latest EasyRSA package from GitHub above (Click Download>Download ZIP)
  • Make sure you have the empty directory /etc/openvpn. If not, create the directory:
mkdir /etc/openvpn
  • If you haven't already, download EasyRSA from the link above.
  • Extract the tar file to /etc/openvpn/easyrsa which should produce a new directory easyrsa.
  • Once extracted, move into the new easyrsa directory:
cd /etc/openvpn/easyrsa/

Using EasyRSA

With EasyRSA, we will first be creating a Certificate Authority (CA), which will then allow us to issue certificates to set up the Public Key Infrastructure (PKI). We also set up a Diffie-Hellman (DH) prime for key exchange.

Configure EasyRSA

We first need to edit vars.example so that EasyRSA knows how we want it to run.

  • Open vars.example in the easyrsa directory:
nano vars.example
  • We need to modify the following lines to our liking (remove the comment # at the beginning of each line to uncomment it, or the line won't take effect):
    • #set_var EASYRSA_DN "cn_only" to set_var EASYRSA_DN "org"
    • #set_var EASYRSA_REQ_COUNTRY "US" to set_var EASYRSA_REQ_COUNTRY "GB" (GB for the UK, not UK!)
    • #set_var EASYRSA_REQ_PROVINCE "California" to set_var EASYRSA_REQ_PROVINCE "Essex" (your County in the UK)
    • #set_var EASYRSA_REQ_CITY "San Francisco" to set_var EASYRSA_REQ_CITY "Grays"
    • #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" to set_var EASYRSA_REQ_ORG "freddythechick"
    • #set_var EASYRSA_REQ_EMAIL "me@example.net" to set_var EASYRSA_REQ_EMAIL "name@service.com" (E-mail not filled out for obvious reasons, replace with correct e-mail address!)
    • #set_var EASYRSA_REQ_OU "My Organizational Unit" to set_var EASYRSA_REQ_OU "OpenVPN"
  • Optionally, these options can be changed:
    • #set_var EASYRSA_KEY_SIZE 4096 to set_var EASYRSA_KEY_SIZE 1024|2048|4096 (Choose a key size from 1024, 2048 or 4096, IMPORTANT read on about key sizes!)
  • Once all changed to your liking, we want to save the config file. Press Ctrl+O to save. Remove the .example from the end, leaving just vars and press Enter. Press Y to confirm the name change.
  • Close nano by pressing Ctrl+X.

NOTE: With EASYRSA_KEY_SIZE, 2048 is a safe compromise. It is secure enough for now (as of 2017), while being easy enough to generate and process. 1024 should only be used for legacy clients; it is considered very weak now and shouldn't be used unless you really have to. 4096 will be secure well into the future. However, the DH prime generation can take a very long time to complete and it will make TLS negotiation noticeably slower (although this only affects negotiation, not the VPN once it is connected). This will only be a problem until Elliptic Curve Cryptography is supported. Most clients will accept anything up to 4096.
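Before moving on to init-pki, it is worth checking the saved vars file for the two mistakes this section warns about: lines left commented out (or still at their vars.example placeholders) and a weak key size. The script below is an added example for this guide, not part of EasyRSA; it takes the path of the vars file created above (e.g. /etc/openvpn/easyrsa/vars) and needs only sh and awk.

```shell
# Audit an EasyRSA 3 "vars" file before init-pki/build-ca. Added for this guide
# (not part of EasyRSA): fields uncommented, placeholders replaced, sane key size.

# Print the value of an active "set_var NAME VALUE" line (quotes stripped);
# return 1 if NAME is still commented out or absent.
vars_get() {
    awk -v name="$2" '
        $1 == "set_var" && $2 == name {
            val = $0
            sub(/^[ \t]*set_var[ \t]+[A-Za-z0-9_]+[ \t]*/, "", val)
            gsub(/"/, "", val)
            print val; found = 1; exit
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# With EASYRSA_DN "org", every REQ_* field must be set and changed from its
# vars.example placeholder. Lists offenders on stdout; returns 1 if any.
check_dn_fields() {
    f=$1; bad=""
    [ "$(vars_get "$f" EASYRSA_DN)" = "org" ] || { echo "EASYRSA_DN is not org; REQ_* fields unused"; return 0; }
    while IFS='|' read -r name placeholder; do
        val=$(vars_get "$f" "$name") || { bad="$bad $name(unset)"; continue; }
        [ "$val" = "$placeholder" ] && bad="$bad $name(example-default)"
    done <<'EOF'
EASYRSA_REQ_COUNTRY|US
EASYRSA_REQ_PROVINCE|California
EASYRSA_REQ_CITY|San Francisco
EASYRSA_REQ_ORG|Copyleft Certificate Co
EASYRSA_REQ_EMAIL|me@example.net
EASYRSA_REQ_OU|My Organizational Unit
EOF
    [ -z "$bad" ] && { echo "DN fields OK"; return 0; }
    echo "DN problems:$bad"; return 1
}

# Key-size advice from the NOTE: 2048 is the compromise, 4096 works but is slow,
# 1024 is weak (legacy clients only). Returns 1 for 1024 or an unexpected value.
check_key_size() {
    size=$(vars_get "$1" EASYRSA_KEY_SIZE) || { echo "EASYRSA_KEY_SIZE unset; EasyRSA default applies"; return 0; }
    case $size in
        2048|4096) echo "OK: EASYRSA_KEY_SIZE=$size" ;;
        1024) echo "WARN: EASYRSA_KEY_SIZE=1024 is very weak; legacy clients only" >&2; return 1 ;;
        *)    echo "WARN: unexpected EASYRSA_KEY_SIZE '$size'" >&2; return 1 ;;
    esac
}

# Usage: sh audit-vars.sh /etc/openvpn/easyrsa/vars
if [ -n "$1" ]; then check_dn_fields "$1"; check_key_size "$1"; fi
```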

Initiate/Reset the Public Key Infrastructure (PKI)

Before we start, we must initiate the PKI infrastructure within EasyRSA. This sets up the correct folder hierarchy and databases ready to create a fresh new PKI. If you make a mistake, you can do this again to wipe everything out and start from the beginning.

IMPORTANT: If you have already created any certificates, keys, DH primes or certificate authorities, these will be wiped out when initiating the PKI. This is also helpful if you make a mistake and want to start afresh. This will NOT remove any configurations, such as from the last section of this guide.

  • In the easyrsa directory, run the following command:
./easyrsa init-pki
  • First time round, it will say the following:
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa/pki
If this isn't your first time, it will say the following to confirm wiping everything:
WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/openvpn/easyrsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: _
Type yes if you are happy with this, else press Enter or type anything else to cancel.

Create a Certificate Authority

  • In the easyrsa directory, run the following command:
./easyrsa build-ca
  • It will ask for a password. Use a strong password to protect the key for the CA. This will be needed each time you use the CA to sign a certificate.
It is recommended not to leave this blank. Anybody who gets hold of the private key that is not protected will be able to sign any certificate they like and connect to your OpenVPN server!
  • You should see the defaults you filled in the vars file above. I would recommend appending CA to the OU specified above (OpenVPN CA) so you can differentiate it later. When asked for a CN (Common Name), use your server's DNS name (in this case thinkserver.freddythechick.uk).
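Once build-ca has finished, the two things worth confirming are exactly what the warning above is about: that pki/private/ca.key really is passphrase-protected, and that nobody but its owner can read it. The check below is an added example for this guide, not an EasyRSA command; it assumes the PKI directory init-pki created above (/etc/openvpn/easyrsa/pki) unless another path is passed as its first argument.

```shell
# Post-build-ca check for the CA private key. Added for this guide, not an
# EasyRSA command; PKI_DIR defaults to the directory init-pki created above.
PKI_DIR=${1:-/etc/openvpn/easyrsa/pki}

# Return 0 if the PEM file carries an encryption marker: the PKCS#8
# "ENCRYPTED PRIVATE KEY" header or the legacy "Proc-Type: 4,ENCRYPTED" line.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 only if no group/other permission bits are set (mode 600 or 400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks; print a verdict per check and return 1 on any failure.
audit_ca_key() {
    key=$1; rc=0
    [ -f "$key" ] || { echo "FAIL: $key not found (run ./easyrsa build-ca first)"; return 1; }
    if key_is_encrypted "$key"; then
        echo "OK: $key is passphrase-protected"
    else
        echo "FAIL: $key has no passphrase; anyone who copies it can sign certificates for your server"; rc=1
    fi
    if key_is_private "$key"; then
        echo "OK: $key is readable only by its owner"
    else
        echo "FAIL: $key is readable by group/others ($(ls -ld "$key" | cut -c1-10))"; rc=1
    fi
    # With OpenSSL present, also show the CA certificate's subject and expiry
    # so the OU ("OpenVPN CA") and CN chosen above can be confirmed.
    crt=$(dirname "$key")/../ca.crt
    if [ -f "$crt" ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$crt" -noout -subject -enddate
    fi
    return $rc
}

if [ -d "$PKI_DIR" ]; then audit_ca_key "$PKI_DIR/private/ca.key"; fi
```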