OpenVPN Server

Running on Debian 9 Stretch.

# apt install openvpn easy-rsa

# make-cadir /etc/openvpn/certs

# cd /etc/openvpn/certs/

# vim vars

export KEY_SIZE=4096
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="VPNServer"

# source vars

# ./clean-all

# ./build-ca

Generating a 4096 bit RSA private key
........................................................................................................................................................++
.................................................................................................................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]:
State or Province Name (full name) [VM]:
Locality Name (eg, city) [Vasteras]:
Organization Name (eg, company) [ASBRA]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [ASBRA CA]:
Name [AsbraRSA]:
Email Address [j@asbra.nu]:

# ./build-key-server server

Skip using a challenge password! And ignore the following error: system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/openvpn/certs/keys/index.txt.attr','r')

Certificate is to be certified until Oct 25 20:11:10 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# openssl dhparam 4096 > /etc/openvpn/dh4096.pem

Go get some coffee, this will take a while.

Require that incoming packets carry a valid HMAC signature generated with a pre-shared key (PSK) stored in ta.key:

# openvpn --genkey --secret /etc/openvpn/certs/keys/ta.key

# adduser --system --shell /usr/sbin/nologin --no-create-home openvpn

# vim /etc/openvpn/server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/certs/keys/ca.crt
cert /etc/openvpn/certs/keys/server.crt
key /etc/openvpn/certs/keys/server.key  # This file should be kept secret
dh dh4096.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.99.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 80.80.80.80"
push "dhcp-option DNS 80.80.81.81"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
user openvpn
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 4
explicit-exit-notify 1
auth SHA512

Now start the services

# systemctl start openvpn
# systemctl start openvpn@server

And enable them at boot

# systemctl enable openvpn
# systemctl enable openvpn@server

Client keys

# cd /etc/openvpn/certs

# source ./vars

# ./build-key firstclient

# mkdir -p /etc/openvpn/clients/firstclient

# vim /etc/openvpn/clients/firstclient/firstclient.ovpn

client
dev tun
proto udp
remote 85.250.50.101 1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
ca ca.crt
cert firstclient.crt
key firstclient.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
auth SHA512

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

# cp /etc/openvpn/certs/keys/{ca.crt,firstclient.crt,firstclient.key,ta.key}  /etc/openvpn/clients/firstclient
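An added example, not part of the original post: a small checker that parses a server.conf and a client .ovpn in the format used above and verifies that the security-relevant settings agree (complementary tls-auth key directions 0/1, matching cipher, auth and proto, matching port, remote-cert-tls on the client, privilege drop on the server). The two sample configs are constructed subsets of the page's own files.

```python
import shlex

# Constructed subsets of the server.conf and firstclient.ovpn shown above.
SERVER_CONF = """\
port 1194
proto udp
tls-auth /etc/openvpn/certs/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
user openvpn
group nogroup
auth SHA512
"""

CLIENT_OVPN = """\
client
proto udp
remote 85.250.50.101 1194
;user nobody
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA512
"""

def parse_conf(text):
    """Return {option: [args]}; blank lines and '#' / ';' comments are ignored.
    A repeated option (e.g. several push lines) keeps the last occurrence."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing '#' comments
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)              # handles push "route ..." quoting
        opts[parts[0]] = parts[1:]
    return opts

def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the configs are consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []
    # tls-auth needs the HMAC key on both sides with complementary directions.
    if "tls-auth" not in s or "tls-auth" not in c:
        findings.append("tls-auth missing on one side")
    elif {s["tls-auth"][-1], c["tls-auth"][-1]} != {"0", "1"}:
        findings.append("tls-auth key directions must be 0 (server) and 1 (client)")
    for opt in ("cipher", "auth", "proto"):
        if s.get(opt) != c.get(opt):
            findings.append(f"{opt} differs: server={s.get(opt)} client={c.get(opt)}")
    remote = c.get("remote", [])
    client_port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN default port
    if client_port != s.get("port", ["1194"])[0]:
        findings.append("client remote port does not match server port")
    if c.get("remote-cert-tls") != ["server"]:
        findings.append("client lacks 'remote-cert-tls server'")
    if "user" not in s or "group" not in s:
        findings.append("server does not drop privileges (user/group)")
    return findings
```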

ChromeOS

# openssl pkcs12 -export -in firstclient.crt -inkey firstclient.key -out firstclient.p12 -name FirstClientp12

# grep -v '#' ./ta.key | perl -p -e 's/\n/\\n/' > ./ta-oneliner.key

BBL……

chrome://net-internals#chromeos

Import the ONC file


I got most of this from linuxconfig.org

Published by Nimpen J. Nordström

System Developer and Network Security Enthusiast
