LPI Linux Certification/OpenVPN

Detailed Objectives (212.5)
(LPIC-2 Version 4.5)

Weight: 2

Description: Candidates should be able to configure a VPN (Virtual Private Network) and create secure point-to-point or site-to-site connections.

Key Knowledge Areas:
 * OpenVPN

Terms and Utilities:

Description
OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications. The official website is openvpn.net.

Motivation
Because of ongoing development, much of the information about OpenVPN available on the web is out of date. This book is intended to provide guidance based on currently available software, which does not necessarily mean the very latest release. Where possible, the versions used are stated. The description avoids technical terms as far as possible. Anyone can make additions and changes here.

Ubuntu
sudo apt-get install network-manager-openvpn network-manager-openvpn-gnome

On Windows
The installers are available at https://openvpn.net/community-downloads.

Note that on 64-bit systems the 32-bit installer does not work; use the 64-bit one. The following instructions were tested with OpenVPN 2.5.7.

If only keys and certificates are to be created, the Easy-RSA release archives from https://github.com/OpenVPN/easy-rsa/releases are sufficient, e.g. EasyRSA-3.1.0-win64.zip.

During installation, the installer asks for a quick or a custom install. Choose the custom installation and select all components; in particular, EasyRSA is needed if you want to create certificates. OpenVPN installs a number of folders and files. If you want to install it in  you need administrator rights, or you must give everyone write permission on the   folder. Be aware that a program folder writable by everyone lets any local user replace the OpenVPN binaries or configuration that the OpenVPN service later runs with elevated privileges, so installing as administrator is the safer choice. However, the fewest problems and surprises arise from installing OpenVPN in.

Create keys and certificates
If the highest level of security is required, the keys and certificates must be generated on a computer that has no network connection, let alone an Internet connection, and never will have one. A certificate (*.crt) and its associated private key (*.key) must never be transmitted over the same channel. A private key (*.key) should exist in only one place at a time. Compare a certificate to your credit card and the private key to your credit card PIN.

OpenSSL
Keys and certificates can easily be generated with OpenSSL. OpenSSL is not part of Windows, and it is not distributed as a stand-alone package; however, a usable OpenSSL is bundled with several software packages. Searching for "openssl.exe" in the  folder shows whether OpenSSL has already been installed along with something else. Git ships a very current OpenSSL, but OpenVPN also contains one. When you find it, double-click it; if no error message appears, you already have the usable OpenSSL command prompt, and the commands below are typed at this prompt without a leading "openssl". If it is not there, install e.g. the OpenVPN software.

The certificates and keys should be kept together in one clearly defined place. A folder can be created for this as follows:

Into this folder, place a configuration file (myopenssl.cnf, referenced by the commands below) with the following minimal content:

 [req]
 distinguished_name = req_distinguished_name
 [req_distinguished_name]
 [v3_req]

 * Core key and certificate

First, the central secret core RSA key (the CA key) is created. A pass phrase must be entered twice and must be remembered:

 genrsa -aes256 -out C:/myvpnfiles/ca.key 2048

After that, the self-signed core certificate can be created:

 req -new -x509 -sha256 -days 36500 -key C:/myvpnfiles/ca.key -subj '/CN=fooCore' -out C:/myvpnfiles/ca.crt -config C:/myvpnfiles/myopenssl.cnf

The same two steps, generating an RSA key and a certificate, are repeated for the server and for each client. Note that a validity of 36500 days (about 100 years) means these certificates effectively never expire: a compromised or lost certificate therefore has to be withdrawn by revocation, not by waiting for it to run out.

 * Server

The two commands above can also be combined into one statement. For the server it is additionally specified that no pass phrase is set on the key: a pass phrase would have to be entered whenever the server starts, which requires special measures, and it is not necessary since the server is under our own control.

 req -newkey rsa:2048 -nodes -subj '/CN=fooServer1' -keyout C:/myvpnfiles/server1.key -out C:/myvpnfiles/server1.csr -config C:/myvpnfiles/myopenssl.cnf

Now the certificate request is signed with the CA key, which produces the server certificate:

 x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/server1.csr -CAcreateserial -out C:/myvpnfiles/server1.crt

 * Clients

For the clients the steps are repeated as for the server, but here a pass phrase chosen by the end user is set, because the client files are handed to someone else. If these files fall into the wrong hands, they remain useless without the pass phrase. This protection is only as strong as the pass phrase itself: whoever holds the file can try pass phrases offline without any rate limit, so it must be long.

 req -newkey rsa:2048 -subj '/CN=fooClient1' -keyout C:/myvpnfiles/client1.key -out C:/myvpnfiles/client1.csr -config C:/myvpnfiles/myopenssl.cnf

 x509 -req -sha256 -CA C:/myvpnfiles/ca.crt -CAkey C:/myvpnfiles/ca.key -days 36500 -in C:/myvpnfiles/client1.csr -CAcreateserial -out C:/myvpnfiles/client1.crt

For further clients these steps are repeated with the name client2 or another name. Each client should get its own key and certificate rather than sharing one, so that a single lost device can be dealt with without affecting the others.

 * Additionals

For the server, Diffie-Hellman parameters are additionally required for the key exchange that sets up the encrypted connection. They are stored in a file dh.pem. This is only a parameter file; it is not derived from and does not depend on any of the previously generated keys or certificates. Generating it can take several minutes.

 dhparam -out C:/myvpnfiles/dh.pem 2048

One and the same dh file can be used for several servers: the parameters are public and contain no secret, and the secret part of the key exchange is generated freshly for every connection.
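The OpenSSL steps of this section collected into one unattended script, as an added example that is not code from this page or from the OpenVPN project. It is written for a POSIX shell on Linux rather than the Windows OpenSSL prompt, uses a temporary working directory in place of C:/myvpnfiles, names the files after the common names, and feeds constructed pass phrases in through the environment variables CA_PASS and CLIENT_PASS so that nothing prompts; those variables, the helper function names, and the use of dhparam -dsaparam to keep the run short are assumptions of the example. It also checks the two properties the text asks for: every issued certificate chains to ca.crt, and the server key is unencrypted while the CA and client keys are pass-phrase protected.

```sh
#!/bin/sh
# Added example: the OpenSSL steps from this page as one unattended script.
# Assumptions (not from the page): POSIX sh, a scratch directory instead of
# C:/myvpnfiles, pass phrases via environment variables, files named after
# the CN, and "dhparam -dsaparam" to keep the demo fast (page: plain dhparam).
set -eu

WORK="${WORK:-$(mktemp -d)}"            # stands in for C:/myvpnfiles
CNF="$WORK/myopenssl.cnf"
DAYS=36500                               # validity used on this page (~100 years)

# Minimal OpenSSL config, as on this page.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
EOF

# Core (CA) key and self-signed certificate. The key is AES-256 encrypted;
# the pass phrase comes from $CA_PASS instead of an interactive prompt.
make_ca() {
    openssl genrsa -aes256 -passout env:CA_PASS -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days "$DAYS" -key "$WORK/ca.key" -passin env:CA_PASS \
        -subj '/CN=fooCore' -out "$WORK/ca.crt" -config "$CNF"
}

# Key + CSR for one identity, then CA signature -> <name>.crt.
# mode "nodes": unencrypted key (server); mode "pass": key protected by $CLIENT_PASS.
issue_cert() {
    name="$1"; mode="$2"
    if [ "$mode" = nodes ]; then keyopt="-nodes"; else keyopt="-passout env:CLIENT_PASS"; fi
    # $keyopt is intentionally unquoted so that it splits into separate arguments
    openssl req -newkey rsa:2048 $keyopt -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -config "$CNF" 2>/dev/null
    openssl x509 -req -sha256 -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin env:CA_PASS \
        -days "$DAYS" -in "$WORK/$name.csr" -CAcreateserial -out "$WORK/$name.crt" 2>/dev/null
}

# Check that <name>.crt chains to ca.crt; prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Check whether <name>.key is pass-phrase protected; prints yes or no.
# Both PEM encodings OpenSSL writes ("ENCRYPTED PRIVATE KEY" and
# "Proc-Type: 4,ENCRYPTED") contain the word ENCRYPTED.
key_is_encrypted() {
    if grep -q ENCRYPTED "$WORK/$1.key"; then echo yes; else echo no; fi
}

# Constructed sample pass phrases; real ones must be long and kept offline.
export CA_PASS='constructed-ca-passphrase-for-demo'
export CLIENT_PASS='constructed-client-passphrase-for-demo'

make_ca
issue_cert fooServer1 nodes      # server key without pass phrase, like -nodes on this page
issue_cert fooClient1 pass       # client key protected by the end user's pass phrase
# DH parameters: public values, no secret, reusable across servers.
# -dsaparam is a speed-up for this demo; the page's plain "dhparam 2048" is slower.
openssl dhparam -dsaparam -out "$WORK/dh.pem" 2048 2>/dev/null

echo "server: $(verify_chain fooServer1), key encrypted: $(key_is_encrypted fooServer1)"
echo "client: $(verify_chain fooClient1), key encrypted: $(key_is_encrypted fooClient1)"
echo "files written to $WORK"
```

For demonstration the whole run happens on one machine; in real use only the ca.* steps and the signing commands belong on the offline machine described above, and ca.key never leaves it. Only the resulting *.crt files, the server's own key, dh.pem, and each client's own key (sent separately from its certificate) move to the machines that use them.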

Easy-RSA
Precondition: OpenVPN is installed in a folder with full write permissions. The core (CA) key and certificate are generated as follows:


 * 1) Go to  . Run
 * 2)   A new pki folder will be created.
 * 3)   Here you have to enter a password, called a pass phrase, and a name for the certificate authority. For the name you can use the default shown inside the square brackets, "fooCore", or another one. You will get the files   and  . These are the core files from which everything else is generated. Do not lose them and keep them in a safe place. If you lose control of your private CA key, you can no longer trust any certificate.

The keys and certificates for a server are generated with these commands; "server1" can be replaced by any other name:
 * 1)    Use , since it is usually not possible to enter a pass phrase on a server. These files are generated:  ,.
 * 2)   generates.
 * 3)   generates.
 * Alternatively, all the commands above can be carried out with one command:

Furthermore, keys and certificates are required for each client device; "client1" can be replaced by any other name.
 * 1)   These files are generated: ,   and.