OpenVPN
OpenVPN is a leading VPN solution. A VPN, in a nutshell, lets you connect to your own local network over an insecure intermediate network (i.e. the Internet). Because the tunnel is encrypted, it also lets you use open Wi-Fi hotspots that have no encryption of their own: all your traffic over that hotspot is encrypted, in effect securing the hotspot for yourself. It also means you can access local resources (Samba shares, NFS shares, intranet pages) as if you were connected at home. For the security side it uses an ordinary TLS connection, much like your web browser, which means it can be kept up to date as TLS evolves.
This article is written for and applies to openSUSE Leap 42.3. Newer versions may have newer features not mentioned here. openSUSE Leap 15 is expected to support Elliptic Curve Cryptography and AEAD Ciphers.
openSUSE Leap 42.3 only includes OpenVPN 2.3.8, even though OpenVPN 2.4 was already available at the time of writing. As such, this version does not allow use of:
- Elliptic Curve (EC) Certificates or ECDSA
- AEAD ciphers (such as AES-GCM)
Available features to use with OpenVPN 2.3.8 include:
- RSA with key sizes up to 4096
- Up to TLS 1.2 (up from TLS 1.0 in 2.3.3)
- Perfect Forward Secrecy (PFS)
- SHA-2 for authentication
- Has been patched by openSUSE with the OpenSSL security fixes for SWEET32, Heartbleed, etc., as long as you use non-deprecated ciphers (i.e. avoid RC4 and Blowfish)
What's needed
Make sure the following packages are installed:
- openvpn
- openssl
- lzo
- pam
Also needed is EasyRSA, a set of simple scripts provided by OpenVPN that makes it easy to generate certificates and security configurations. It is not included with the openSUSE packages but can be downloaded separately; it requires no installation as it is just scripts.
In this tutorial we are using EasyRSA 3, the most up-to-date version available at present, which can be obtained from [1].
Commands run from the terminal need to be run as the superuser, so I suggest using su before you start; if not, prefix each command with sudo.
Setting up EasyRSA
- Download the latest EasyRSA package from GitHub (link above; click Download > Download ZIP).
- Make sure the empty directory /etc/openvpn exists. If not, create it:
mkdir /etc/openvpn
- If you haven't already, download EasyRSA from the link above.
- Extract the downloaded archive to /etc/openvpn/easyrsa, which should produce a new directory easyrsa.
- Once extracted, move into the new easyrsa directory:
cd /etc/openvpn/easyrsa/
Using EasyRSA
With EasyRSA we will first create a Certificate Authority (CA), which will then allow us to issue certificates and so set up the Public Key Infrastructure (PKI). We also generate a Diffie-Hellman (DH) prime for the key exchange.
Configure EasyRSA
We first need to edit vars.example so that EasyRSA knows how we want it to run.
- Open vars.example in the easyrsa directory:
nano vars.example
- We need to modify the following lines to our liking (remove the # at the beginning of each line to uncomment it, or the line won't take effect):
#set_var EASYRSA_DN "cn_only" to set_var EASYRSA_DN "org"
#set_var EASYRSA_REQ_COUNTRY "US" to set_var EASYRSA_REQ_COUNTRY "GB" (GB for the UK, not UK!)
#set_var EASYRSA_REQ_PROVINCE "California" to set_var EASYRSA_REQ_PROVINCE "Essex" (your county in the UK)
#set_var EASYRSA_REQ_CITY "San Francisco" to set_var EASYRSA_REQ_CITY "Grays"
#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" to set_var EASYRSA_REQ_ORG "freddythechick"
#set_var EASYRSA_REQ_EMAIL "me@example.net" to set_var EASYRSA_REQ_EMAIL "name@service.com" (e-mail not filled out for obvious reasons; replace with your correct e-mail address!)
#set_var EASYRSA_REQ_OU "My Organizational Unit" to set_var EASYRSA_REQ_OU "OpenVPN"
- Optionally, this option can be changed:
#set_var EASYRSA_KEY_SIZE 4096 to set_var EASYRSA_KEY_SIZE 1024|2048|4096 (choose a key size of 1024, 2048 or 4096; IMPORTANT: read on about key sizes!)
- Once everything is changed to your liking, save the config file under a new name: press Ctrl+O, remove the .example from the end of the file name (leaving just vars), press Enter, then press Y to confirm the name change.
- Close nano by pressing Ctrl+X.
NOTE: With EASYRSA_KEY_SIZE, 2048 is a safe compromise: it is secure enough for now (as of 2017) while being easy enough to generate and process. 1024 should only be used for legacy clients; it is considered very weak now and shouldn't be used unless you really have to. 4096 will be secure well into the future; however, DH prime generation can take a very long time to complete, and it will make TLS negotiation noticeably slower (this only affects the negotiation, not the VPN once it is connected). This will only be a problem until Elliptic Curve Cryptography is supported. Most clients will accept anything up to 4096.
Initiate/Reset the Public Key Infrastructure (PKI)
Before we start, we must initialise the PKI within EasyRSA. This sets up the correct folder hierarchy and databases, ready to create a fresh new PKI. If you make a mistake, you can run this again to wipe everything out and start from the beginning.
IMPORTANT: If you have already created any certificates, keys, DH primes or certificate authorities, they will be wiped out when the PKI is initialised. This is also helpful if you make a mistake and want to start afresh. It will NOT remove any configuration, such as the vars file from the last section of this guide.
- In the easyrsa directory, run the following command:
./easyrsa init-pki
- The first time round, it will say the following:
init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: /etc/openvpn/easyrsa/pki
- If this isn't your first time, it will ask you to confirm wiping everything:
WARNING!!! You are about to remove the EASYRSA_PKI at: /etc/openvpn/easyrsa/pki and initialize a fresh PKI here. Type the word 'yes' to continue, or any other input to abort. Confirm removal: _
- Type yes if you are happy with this; otherwise press Enter or type anything else to cancel.
Create a Certificate Authority
- In the easyrsa directory, run the following command:
./easyrsa build-ca
- It will ask for a password. Use a strong password to protect the key for the CA. This will be needed each time you use the CA to sign a certificate.
- It is recommended not to leave this blank. Anybody who gets hold of an unprotected CA private key will be able to sign any certificate they like and connect to your OpenVPN server!
- You should see the defaults you filled in the vars file above. I would recommend appending CA to the OU specified above (OpenVPN CA) so you can differentiate it later. When asked for a CN (Common Name), use your DNS address for the server (in this case thinkserver.freddythechick.uk