Navigation Menu

I recently had to reinstall a VPN on the latest OpenBSD, using the latest easyRSA.
As I had to fiddle to things to get everything to work, please find my solution hereby.

I you just want to get things going, you can get my summary script at: supereasyrsa on github

If you come through some trouble or want some details, go through this:

Generating a secure VPN infrastructure with easy-rsa 3.

First get easy-rsa, doing

git clone git://github.com/OpenVPN/easy-rsa

The only folder that we really need is the easyrsa folder, and we will need two copies of that folder

For security measures, I uncomment and set change key size to 4096 in vars.example
#set_var EASYRSA_KEY_SIZE 2048
by
set_var EASYRSA_KEY_SIZE 4096
and then rename this file to vars (so that it is taken into account for the next steps)
mv vars.examples vars

We will build our test architecture as following:

mkdir -p VPN_test/server VPN_test/clients

cp -R easy-rsa/easyrsa3/* VPN_test/clients

cp -R easy-rsa/easyrsa3/* VPN_test/server

At this point, our infrastructure is in place, now we need to generate keys.
First wel will generate the client keys and requests in the client directory.
Then we will generate server and shared keys in the server directory, and finally we will accept the client requests in the serv dir.

1. generate the client keys:

cd VPN_test/clients

./easyrsa init-pki

./easyrsa gen-req Client_01

./easyrsa gen-req Client_02

./easyrsa gen-req Backup nopass

#You will be prompted to give a password for Client_01 and Client_02, while Backup is assumed to be another server that needs authentication without someone typing a password

2. Build the CA for the signing

cd ../VPN_test/server

./easyrsa init-pki

./easyrsa build-ca

#set a STRONG passphrase for this PEM – it will be required to accept requests later
#We then generate a certificate for the server
./easyrsa gen-req MyServer nopass

#And request to sign it as server type
./easyrsa sign-req server MyServer

3. We generate a DH parameter and a ta.key as following (If you didn’t switch to 4096, then use 2048)

openssl dhparam -out dh4096.pem 4096

/usr/sbin/openvpn –genkey –secret ta.key

4. We import and sign all our clients requests (for each one, you will have to say yes and give the STRONG PEM passphrase mentioned in 2.

for cliient in $(ls ../clients/pki/reqs/|sed -e ‘s/.req//g’); do

./easyrsa import-req ../clients/pki/reqs/$cliient.req $cliient

./easyrsa sign-req client $cliient

done

Once this is done, you should have all the keys required, All you need is the right config with the right files at the right space.
Server:
cat /etc/openvpn/server.conf

local 10.10.10.2
port 1194
proto udp
dev tun0
daemon
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/TR_Server.crt
key /etc/openvpn/keys/TR_Server.key
dh /etc/openvpn/keys/dh4096.pem
tls-auth /etc/openvpn/keys/ta.key 0 #0 for server
remote-cert-tls client #very important
server 10.5.2.0 255.255.255.0 #the range that will be given to vpn clients
ifconfig-pool-persist ipp.txt
push “route 192.168.1.0 255.255.255.0” #the internal network they will have access to
push “dhcp-options DNS 192.168.1.15” #the internal dns they will use
keepalive 10 120
cipher BF-CBC
comp-lzo
max-clients 10
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
log /etc/openvpn/openvpn.log
log-append /etc/openvpn/openvpn.log
verb 1
client-config-dir /etc/openvpn/ccd

ls keys/
MyServer.crt # from server/pki/issed/
MyServer.key # from server/pki/private/
ca.crt # from server/pki/
dh4096.pem # from server/
ta.key # from server/

You can also push the routes through having a ccd dir with the right definitions:
cat ccd/client_01
iroute 10.5.2.0 255.255.255.0
Next we go on the client,
Client:

cat client.conf
client
remote 1.2.3.4 1194
proto udp
dev tun0
keepalive 10 120
nobind
persist-key
persist-tun
cipher BF-CBC
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
dh keys/dh4096.pem
tls-auth keys/ta.key 1
remote-cert-tls server
comp-lzo
status openvpn-status.log
verb 1
log openvpn.log

ls keys/
ca.crt # from server/pki/
client.crt # the right one from server/pki/issued/
client.key # the right one from clients/pki/private/
dh4096.pem from server/
ta.key from server/

And starting openvpn on both with:
/usr/local/sbin/openvpn –config /etc/openvpn/server.conf >/dev/null 2>&1 # on the server
and
openvpn –config client.conf # on the client

should now be working.