guest@mukunda.com:/blog# ./cat 2022/openvpn-and-certificates.txt
Name: OpenVPN and certificates
Date: September 25th, 2022
So I wanted to set up a secure channel from my laptop to my
workstation. Little did I know just how much effort is
required to do it properly.
OpenSSL configuration and "proper" certificate signing is a
bit of a dark art, so let me help you navigate through some
of it.
OpenVPN comes with an "easy-rsa" program to help you build
and sign certificates for your VPN profiles, but the name
might be a bit misleading, as it is not the most intuitive
process.
I spent the weekend learning more about this, as I've
noticed a lot of resources to be outdated or using invalid
practices. I figure we could shed some modern light on the
processes. According to one stackoverflow post, it's the
wild wild west.
I've dug through a lot of resources to get a grip on the
whole process, and I've come up with a small script to
create a CA and generate server and client certificates.
It's highly convenient for my use case, where the profiles
are packaged for easy use, but it does have a few drawbacks
if you were to use it in a more secure environment:
- All of the keys are generated on the main site, so the
private keys are moving between machines.
- The private keys are packaged in the profile file. This
is very convenient at the cost of some security.
- Certificate authority certificate renewal is left as an
exercise for the reader.
- It's easy enough for me to regenerate all certs when
my root certificate expires, but that would be
unsuitable in a corporate plan.
Phil Dibowitz has a great resource on doing things properly.
You can tell he's a professional in this field, so this was
a major help to understand all of it.
My scripts are located here on GitHub:
https://github.com/mukunda-/ovpnkeys
It comes with a few files. ovpnkeys.py is the main script
to manage certificates and create profiles. It's usage is
as follows:
# Create the database and root authority.
./ovpnkeys.py init
# Create a server profile
./ovpnkeys.py server --name "my server"
# Create a client
./ovpnkeys.py client --name "my client"
Easy, right? .ovpn profiles will be packaged to db/profiles,
and they contain all the necessary keys inline in the file.
(Again, at the cost of security, these are very convenient.)
The prerequisites for this are mainly OpenVPN on your PATH.
OpenVPN will provide the needed OpenSSL binaries. You will
also need to install Python requests (pip install requests).
Since it's in Python, and I'm a Windows user, you shouldn't
have much trouble with execution.
You can run OpenVPN as a service on Windows - just put the
generated server profile in the config-auth folder, and it
will load it when the service starts.
If you also want to use a certificate revocation list, I've
added a PHP file which handles uploading and storing a CRL
file to your web server. My approach is to use OpenSSL to
verify the CRL upload against a given root certificate to
authenticate the request. Older CRL uploads are also
rejected by checking the serial. I don't actually use a CRL,
since I want to avoid unneeded complexity, but I did set it
up once just to see how it worked.
The readme.txt has more usage information, but the main
takeaway here I'd imagine is the configuration scripts. It's
quite a learning curve to understand all of the certificate
generation options, so feel free to have a look at my
openssl.cnf file to get an idea of what is recommended for
VPN certificates in the modern world.
Send the author a comment
<< Index