OpenVPN

From ThinkServer
Revision as of 00:59, 13 March 2018 by Sam (talk | contribs) (Rearranged article slightly. Added more.)

OpenVPN is a leading VPN solution. A VPN, in a nutshell, allows you to connect to your own local network over an insecure intermediate network (i.e. the Internet). Because the tunnel is encrypted, it also lets you use open Wi-Fi hotspots that have no encryption of their own: all your traffic over that hotspot goes through the tunnel, in effect securing the hotspot for yourself. It also means you can access local resources (Samba shares, NFS shares, intranet pages) as if you were connected at home. For the security side it uses a standard TLS connection, much like your web browser, which means it can be kept up to date as TLS evolves.

This article is written for and applies to openSUSE Leap 42.3. Newer versions may have newer features not mentioned here. openSUSE Leap 15 is expected to support Elliptic Curve Cryptography and AEAD Ciphers.

openSUSE Leap 42.3 only includes OpenVPN 2.3.8, although OpenVPN 2.4 or newer was available at the time of writing. As such, this version does not allow use of:

  • Elliptic Curve (EC) Certificates or ECDSA
  • AEAD ciphers (such as AES-GCM)

Available features to use with OpenVPN 2.3.8 include:

  • RSA with key sizes up to 4096
  • Up to TLS 1.2 (Up from TLS 1.0 in 2.3.3)
  • Perfect Forward Secrecy (PFS)
  • SHA-2 for authentication
  • Has been patched by openSUSE to include the OpenSSL security fixes for SWEET32, Heartbleed, etc., even when using deprecated ciphers (such as RC4 and Blowfish)

What's needed

Make sure the following packages are installed:

  • openvpn
  • openssl
  • lzo
  • pam

Also needed is EasyRSA, a simple set of scripts provided by OpenVPN that allows easy generation of certificates and security configurations. This is not included with the openSUSE packages but can be downloaded separately; it requires no installation as it is just scripts.

In this tutorial, we are using EasyRSA 3, the most up-to-date version available at present, which can be obtained [1].

Commands run from the terminal need to be run as a superuser, so I suggest using su before you start; if not, prefix each command with sudo.

Setting up EasyRSA

  • Download the latest EasyRSA package from GitHub above (Click Download>Download ZIP)
  • Make sure you have the empty directory /etc/openvpn. If not, create the directory:
mkdir /etc/openvpn
  • If you haven't already, download EasyRSA from the link above.
  • Extract the archive to /etc/openvpn, which should produce a new directory easyrsa.
  • Once extracted, move into the new easyrsa directory:
cd /etc/openvpn/easyrsa/

Using EasyRSA

With EasyRSA, we will first be creating a Certificate Authority (CA), which will then allow us to issue certificates to set up the Public Key Infrastructure (PKI). We also set up a Diffie-Hellman (DH) prime for key exchange.

Configure EasyRSA

We first need to edit vars.example so that EasyRSA knows how we want it to run.

  • Open vars.example in the easyrsa directory:
nano vars.example
  • We need to modify the following lines to our liking (remove the comment # at the beginning to uncomment each line, or it won't take effect):
    • #set_var EASYRSA_DN "cn_only" to set_var EASYRSA_DN "org"
    • #set_var EASYRSA_REQ_COUNTRY "US" to set_var EASYRSA_REQ_COUNTRY "GB" (GB for the UK, not UK!)
    • #set_var EASYRSA_REQ_PROVINCE "California" to set_var EASYRSA_REQ_PROVINCE "Essex" (your County in the UK)
    • #set_var EASYRSA_REQ_CITY "San Francisco" to set_var EASYRSA_REQ_CITY "Grays"
    • #set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" to set_var EASYRSA_REQ_ORG "freddythechick"
    • #set_var EASYRSA_REQ_EMAIL "me@example.net" to set_var EASYRSA_REQ_EMAIL "name@service.com" (E-mail not filled out for obvious reasons, replace with correct e-mail address!)
    • #set_var EASYRSA_REQ_OU "My Organizational Unit" to set_var EASYRSA_REQ_OU "OpenVPN"
  • Optionally, these options can be changed:
    • #set_var EASYRSA_KEY_SIZE 4096 to set_var EASYRSA_KEY_SIZE 1024|2048|4096 (Choose a key size from 1024, 2048 or 4096, IMPORTANT read on about key sizes!)
  • Once all changed to your liking, we want to save the config file. Press Ctrl+O to save. Remove the .example from the end, leaving just vars and press Enter. Press Y to confirm the name change.
  • Close nano by pressing Ctrl+X.

NOTE: With EASYRSA_KEY_SIZE, 2048 is a safe compromise. It is secure enough for now (as of 2017), while being easy enough to generate and process. 1024 should only be used for legacy clients; it is considered very weak now and shouldn't be used unless you really have to. 4096 will be secure well into the future. However, the DH prime generation can take a very long time to complete and it will make TLS negotiation noticeably slower (although it only affects negotiation, not the VPN once it is connected). This will only be a problem until Elliptic Curve Cryptography is supported. Most clients will accept anything up to 4096.
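As an added check, not part of EasyRSA or of the steps in this article, the following bash script parses a vars file and flags the mistakes discussed above: set_var lines left commented out, a key size below 2048, and the UK/GB mix-up. The two sample vars files it writes are constructed for the demonstration.

```bash
#!/bin/bash
# Added sanity check for an EasyRSA 3 "vars" file (not part of EasyRSA). Flags
# set_var lines still commented out, EASYRSA_KEY_SIZE below 2048 and the common
# "UK" mistake (the ISO 3166 code for the United Kingdom is GB).

# vars_get FILE NAME: print the last active (uncommented) value of NAME, quotes
# stripped and any trailing "# comment" dropped; prints nothing if it is not set.
vars_get() {
    awk -v name="$2" '$1 == "set_var" && $2 == name {
        v = ""; for (i = 3; i <= NF; i++) { if ($i ~ /^#/) break; v = v (i > 3 ? " " : "") $i }
        gsub(/"/, "", v); last = v } END { print last }' "$1"
}

# check_easyrsa_vars FILE: returns 0 when the file looks sane, 1 otherwise.
check_easyrsa_vars() {
    local f="$1" rc=0 name val
    for name in EASYRSA_DN EASYRSA_REQ_COUNTRY EASYRSA_REQ_PROVINCE EASYRSA_REQ_CITY \
                EASYRSA_REQ_ORG EASYRSA_REQ_EMAIL EASYRSA_REQ_OU; do
        [ -n "$(vars_get "$f" "$name")" ] || { echo "MISSING: $name (still commented out?)"; rc=1; }
    done
    [ "$(vars_get "$f" EASYRSA_REQ_COUNTRY)" != "UK" ] || { echo "BAD: country code must be GB, not UK"; rc=1; }
    val=$(vars_get "$f" EASYRSA_KEY_SIZE)
    case "$val" in
        "")       echo "INFO: EASYRSA_KEY_SIZE not set, EasyRSA default applies" ;;
        *[!0-9]*) echo "BAD: EASYRSA_KEY_SIZE '$val' is not a number"; rc=1 ;;
        *) if [ "$val" -lt 2048 ]; then echo "WEAK: key size $val is legacy-only, use 2048 or more"; rc=1
           else echo "OK: EASYRSA_KEY_SIZE $val"; fi ;;
    esac
    return $rc
}

# Constructed sample files (not real EasyRSA output): the first follows the
# article's edits, the second leaves a line commented out and picks 1024.
tmp=$(mktemp -d)
cat > "$tmp/vars.good" <<'EOF'
set_var EASYRSA_DN "org"
set_var EASYRSA_REQ_COUNTRY "GB"
set_var EASYRSA_REQ_PROVINCE "Essex"
set_var EASYRSA_REQ_CITY "Grays"
set_var EASYRSA_REQ_ORG "freddythechick"
set_var EASYRSA_REQ_EMAIL "name@service.com"
set_var EASYRSA_REQ_OU "OpenVPN"
set_var EASYRSA_KEY_SIZE 4096
EOF
cat > "$tmp/vars.bad" <<'EOF'
#set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "UK"
set_var EASYRSA_KEY_SIZE 1024   # legacy clients only
EOF
check_easyrsa_vars "$tmp/vars.good" && echo "vars.good: passed"
check_easyrsa_vars "$tmp/vars.bad" || echo "vars.bad: problems found"
```

Run it against /etc/openvpn/easyrsa/vars before init-pki; a non-zero exit means something above needs fixing first.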

Initiate/Reset the Public Key Infrastructure (PKI)

Before we start, we must initialise the PKI within EasyRSA. This sets up the correct folder hierarchy and databases ready to create a fresh PKI. If you make a mistake, you can run this again to wipe everything out and start from the beginning.

IMPORTANT: If you have already created any certificates, keys, DH primes or certificate authorities, these will be wiped out when initialising the PKI. This is also helpful if you make a mistake and want to start afresh. This will NOT remove any configurations, such as those from the last section of this guide.

  • In the easyrsa directory, run the following command:
./easyrsa init-pki
  • First time round, it will say the following:
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easyrsa/pki
If this isn't your first time, it will say the following to confirm wiping everything:
WARNING!!!

You are about to remove the EASYRSA_PKI at: /etc/openvpn/easyrsa/pki
and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: _
Type yes if you are happy with this, else press Enter or type anything else to cancel.

Create a Certificate Authority

  • In the easyrsa directory, run the following command:
./easyrsa build-ca
  • It will ask for a password. Use a strong password to protect the key for the CA. This will be needed each time you use the CA to sign a certificate.
It is recommended not to leave this blank. Anybody who gets hold of the private key that is not protected will be able to sign any certificate they like and connect to your OpenVPN server!
  • You should see the defaults you filled in the vars file above. I would recommend appending CA to the OU specified above (OpenVPN CA) so you can differentiate it later. When asked for a CN (Common Name), use your DNS address for the server (in this case thinkserver.freddythechick.uk