Mukunda Johnson's Blog

guest@mukunda.com:/blog# ./cat 2022/openvpn-and-certificates.txt Name: OpenVPN and certificates Date: September 25th, 2022 So I wanted to set up a secure channel from my laptop to my workstation. Little did I know just how much effort is required to do it properly. OpenSSL configuration and "proper" certificate signing is a bit of a dark art, so let me help you navigate through some of it. OpenVPN comes with an "easy-rsa" program to help you build and sign certificates for your VPN profiles, but the name might be a bit misleading, as it is not the most intuitive process. I spent the weekend learning more about this, as I've noticed a lot of resources to be outdated or using invalid practices. I figure we could shed some modern light on the processes. According to one stackoverflow post, it's the wild wild west. I've dug through a lot of resources to get a grip on the whole process, and I've come up with a small script to create a CA and generate server and client certificates. It's highly convenient for my use case, where the profiles are packaged for easy use, but it does have a few drawbacks if you were to use it in a more secure environment: - All of the keys are generated on the main site, so the private keys are moving between machines. - The private keys are packaged in the profile file. This is very convenient at the cost of some security. - Certificate authority certificate renewal is left as an exercise for the reader. - It's easy enough for me to regenerate all certs when my root certificate expires, but that would be unsuitable in a corporate plan. Phil Dibowitz has a great resource on doing things properly. You can tell he's a professional in this field, so this was a major help to understand all of it. My scripts are located here on GitHub: https://github.com/mukunda-/ovpnkeys It comes with a few files. ovpnkeys.py is the main script to manage certificates and create profiles. It's usage is as follows: # Create the database and root authority. ./ovpnkeys.py init # Create a server profile ./ovpnkeys.py server --name "my server" # Create a client ./ovpnkeys.py client --name "my client" Easy, right? .ovpn profiles will be packaged to db/profiles, and they contain all the necessary keys inline in the file. (Again, at the cost of security, these are very convenient.) The prerequisites for this are mainly OpenVPN on your PATH. OpenVPN will provide the needed OpenSSL binaries. You will also need to install Python requests (pip install requests). Since it's in Python, and I'm a Windows user, you shouldn't have much trouble with execution. You can run OpenVPN as a service on Windows - just put the generated server profile in the config-auth folder, and it will load it when the service starts. If you also want to use a certificate revocation list, I've added a PHP file which handles uploading and storing a CRL file to your web server. My approach is to use OpenSSL to verify the CRL upload against a given root certificate to authenticate the request. Older CRL uploads are also rejected by checking the serial. I don't actually use a CRL, since I want to avoid unneeded complexity, but I did set it up once just to see how it worked. The readme.txt has more usage information, but the main takeaway here I'd imagine is the configuration scripts. It's quite a learning curve to understand all of the certificate generation options, so feel free to have a look at my openssl.cnf file to get an idea of what is recommended for VPN certificates in the modern world. Send the author a comment << Index