OpenVPN

Revision as of 00:08, 19 May 2017 by Sam (talk | contribs) (Started article)

OpenVPN is a leading VPN solution. A VPN, in a nutshell, lets you connect to your own local network over an insecure intermediate network (i.e. the Internet). Because the tunnel is encrypted, it also lets you use open Wi-Fi hotspots that have no encryption of their own: all of your traffic over the hotspot is encrypted, in effect securing the hotspot for yourself. It also means you can access local resources (Samba shares, NFS shares, intranet pages) as if you were connected at home. For the security side it uses a standard TLS connection, much like your web browser, which means it can be kept up to date as TLS evolves.

This article is written for and applies to openSUSE Leap 42.2. Newer versions may have newer features not mentioned here.

What's needed

Make sure the following packages are installed:

  • openvpn
  • openssl
  • lzo
  • pam

Also needed is EasyRSA, a simple set of scripts provided by OpenVPN that makes it easy to generate certificates and security configurations. In this tutorial, we are using EasyRSA 3.0.1, the most up-to-date version available at present, which can be obtained from [1].

Commands run from the terminal need to be run as the superuser, so I suggest using su before you start; otherwise, prefix each command with sudo.

Setting up EasyRSA

  • Make sure you have the empty directory /etc/openvpn. If not, create the directory:
mkdir /etc/openvpn
  • If you haven't already, download EasyRSA from the link above.
  • Extract the tar file into /etc/openvpn/, which should produce a new directory, easyrsa.
  • Once extracted, move into the new easyrsa directory:
cd /etc/openvpn/easyrsa/3.0.1/

Using EasyRSA

With EasyRSA, we will first create a Certificate Authority (CA), which will then allow us to issue security certificates to set up the Public Key Infrastructure (PKI). We also set up a Diffie-Hellman (DH) prime for the key exchange.

openSUSE Leap 42.2 only includes OpenVPN 2.3.8, although as of writing OpenVPN >2.4 was already available. As such, this version does not allow use of:

  • Elliptic Curve (EC) Certificates or ECDSA
  • Newer GCM AEAD ciphers (such as AES256-GCM)
  • Perfect Forward Secrecy (PFS)
  • SHA-2 or above for authentication

Allowed features of use include:

  • RSA with key sizes up to 4096
  • Up to TLS 1.2
  • Fixed by openSUSE to include security fixes for SWEET32, Heartbleed, etc.
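The feature list above depends on which OpenVPN build is actually installed, so before writing a configuration it is worth checking the binary itself rather than trusting a version table. The following preflight script is an added example and is not part of the wiki article: it parses the first line of `openvpn --version`, applies the article's 2.4 threshold for AEAD (GCM) ciphers and EC certificates, and greps the real cipher list from `openvpn --show-ciphers`. The sample banner and cipher listings embedded in it are constructed so that it runs offline; on a machine with openvpn installed it queries the installed binary instead.

```shell
#!/bin/sh
# Added example (not from the openSUSE wiki article): preflight checks for the
# OpenVPN version limits described above. The 2.4 threshold follows the article;
# the sample banner and --show-ciphers listings below are constructed.

# Extract "2.3.8" from the first line of `openvpn --version`.
openvpn_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when version $1 is at least major $2, minor $3.
version_at_least() {
    ver=$1
    want_major=$2
    want_minor=$3
    have_major=${ver%%.*}
    rest=${ver#*.}
    have_minor=${rest%%.*}
    if [ "$have_major" -gt "$want_major" ]; then
        return 0
    fi
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# Print the AEAD (GCM) ciphers found in `openvpn --show-ciphers` output, one per line.
aead_ciphers_in() {
    printf '%s\n' "$1" | grep -Eo '^AES-(128|192|256)-GCM' | sort -u
}

# Constructed samples: a Leap 42.2 box (2.3.8, CBC only) and a 2.4 build with GCM.
SAMPLE_BANNER_238='OpenVPN 2.3.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6]'
SAMPLE_CIPHERS_238='AES-128-CBC  (128 bit key, 128 bit block)
AES-256-CBC  (256 bit key, 128 bit block)
BF-CBC  (128 bit key by default, 64 bit block)'
SAMPLE_BANNER_24='OpenVPN 2.4.0 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD]'
SAMPLE_CIPHERS_24='AES-128-CBC  (128 bit key, 128 bit block)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
BF-CBC  (128 bit key by default, 64 bit block)'

# Report for the version banner given as $1 and the cipher listing given as $2.
report() {
    ver=$(openvpn_version_from_banner "$1")
    echo "OpenVPN version: $ver"
    if version_at_least "$ver" 2 4; then
        echo "  >= 2.4: AEAD/GCM ciphers and EC certificates should be available"
    else
        echo "  < 2.4: expect CBC ciphers and RSA certificates only"
    fi
    found=$(aead_ciphers_in "$2")
    if [ -n "$found" ]; then
        echo "  GCM ciphers in --show-ciphers: $(echo "$found" | tr '\n' ' ')"
    else
        echo "  No GCM ciphers listed by this build"
    fi
}

# Query the real binary when present, otherwise run against the constructed samples.
if command -v openvpn >/dev/null 2>&1; then
    report "$(openvpn --version 2>/dev/null | head -n 1)" "$(openvpn --show-ciphers 2>/dev/null)"
else
    report "$SAMPLE_BANNER_238" "$SAMPLE_CIPHERS_238"
    report "$SAMPLE_BANNER_24" "$SAMPLE_CIPHERS_24"
fi
```

The cipher grep is the check that matters: a distribution may backport features, or build against a different OpenSSL, so the list the binary prints is more reliable than its version number alone.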

Initiate the Public Key Infrastructure (PKI)