# OpenVPN with x509 certificates



RSA keys, CSRs and DH parameters

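# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr
# openssl genrsa -out client.key 2048
# openssl req -new -key client.key -out client.csr
# The key files are created with the process umask (usually world-readable); only their owner needs them.
# chmod 600 server.key client.key
# openssl dhparam -out dh2048.pem 2048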

CA and signed certificates

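# mkdir demoCA
# mkdir demoCA/private
# mkdir demoCA/newcerts
# echo '01' > demoCA/serial
# touch demoCA/index.txt
# Without -nodes the CA key written by -keyout is passphrase-protected; 'openssl ca' below asks for that passphrase.
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
# mv cakey.pem demoCA/private/.
# cp cacert.pem demoCA/.
# The CA key signs every certificate the VPN trusts: keep the directory and file owner-only.
# chmod 700 demoCA/private
# chmod 600 demoCA/private/cakey.pem
# With the stock openssl.cnf, 'openssl ca' applies policy_match (C, ST and O of each CSR must equal the CA's),
# issues for default_days (365, shorter than the CA's 3650) and uses the usr_cert extensions, which carry no
# serverAuth/clientAuth extendedKeyUsage; pass -extensions with a section that sets keyUsage and
# extendedKeyUsage if the OpenVPN configs are later hardened with remote-cert-tls.
# openssl ca -in server.csr
# openssl ca -in client.csr
# cp demoCA/newcerts/01.pem server.pem
# cp demoCA/newcerts/02.pem client.pem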

OpenVPN server configuration

# cat openvpn_server.conf
; OpenVPN server: UDP/1194, routed tun device, peers authenticated by x509
; certificates issued by cacert.pem.
port 1194
proto udp
dev tun
; Any certificate signed by this CA is accepted as a client (no CN or EKU check here).
ca cacert.pem
cert server.pem
; Unencrypted private key; keep the file mode 0600.
key server.key
dh dh2048.pem
; NOTE(review): no revocation is configured. A lost or stolen client.key stays
; usable until its certificate expires unless a CRL is issued with
; 'openssl ca -gencrl' and loaded here with 'crl-verify <crl file>'.
; NOTE(review): no 'tls-auth'/'tls-crypt' key. An HMAC on the control channel
; lets the server drop packets from unknown senders before the TLS handshake;
; optional hardening, needs a shared key distributed to the clients.
server 192.168.123.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
; Keep the key and the tun device across SIGUSR1/ping restarts, so a restart does
; not have to re-read server.key after privileges were dropped to nobody below.
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
; Drop root once initialised.
user nobody
group nogroup
# openvpn openvpn_server.conf

OpenVPN client configuration

# cat openvpn_client.conf
; OpenVPN client for openvpn_server.conf: pulls its address and routes from the server.
client
; Binds the local UDP source port to 1194 as well; 'nobind' would let the kernel pick one.
port 1194
proto udp
dev tun
ca cacert.pem
cert client.pem
; Unencrypted private key; keep the file mode 0600.
key client.key
; NOTE(review): the peer is only checked to present *some* certificate signed by
; cacert.pem, so any other holder of a CA-issued certificate (e.g. another client)
; could pose as the server. To pin it, add 'remote-cert-tls server' - which needs
; the server certificate to carry keyUsage and extendedKeyUsage=serverAuth, i.e.
; server.csr signed with an extension section that sets them - or
; 'verify-x509-name <server CN> name' with the CN entered for server.csr.
remote 1.2.3.4 1194
keepalive 10 120
; Keep key and tun device across restarts once privileges are dropped to nobody.
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
user nobody
group nogroup
# openvpn openvpn_client.conf

OpenVPN Android client configuration - Import profile

# cat openvpn_client.ovpn
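; OpenVPN for Android profile: the same client as openvpn_client.conf with the
; CA certificate, client certificate and client key inlined so one file imports.
; The file embeds client.key in cleartext: move it over a trusted channel and
; delete it from the phone's storage once imported.
client
port 1194
proto udp
dev tun
<ca>
; Replace this line with the CA certificate PEM block:
;   grep -A 100 'BEGIN CERTIFICATE' cacert.pem | grep -B 100 'END CERTIFICATE'
</ca>
<cert>
; Replace this line with the client certificate PEM block (client.pem, copied from
; demoCA/newcerts, typically starts with a text dump that the grep strips):
;   grep -A 100 'BEGIN CERTIFICATE' client.pem | grep -B 100 'END CERTIFICATE'
</cert>
<key>
; Replace this line with the client private key PEM block. OpenSSL 3 'genrsa'
; writes a PKCS#8 key delimited by 'BEGIN/END PRIVATE KEY' instead of
; 'BEGIN/END RSA PRIVATE KEY' (unless -traditional is given), so match either form:
;   grep -A 100 -E 'BEGIN (RSA )?PRIVATE KEY' client.key | grep -B 100 -E 'END (RSA )?PRIVATE KEY'
</key>
; NOTE(review): as in openvpn_client.conf, the server is only checked to hold a
; CA-signed certificate; 'remote-cert-tls server' (server certificate needs
; keyUsage and extendedKeyUsage=serverAuth) or 'verify-x509-name <server CN> name'
; pins it.
remote 1.2.3.4 1194
keepalive 10 120
persist-key
persist-tun
; NOTE(review): 'status', 'user' and 'group' are options of the Linux daemon; the
; Android app has no use for them and, as far as I know, ignores them - they can
; be dropped from the profile.
status openvpn-status.log
verb 3
mute 20
user nobody
group nogroup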
# Import openvpn_client.ovpn
