Skip to main content

OpenVPN without TLS

OpenVPN 2.7 will remove the functionality to run a VPN without TLS.

DEPRECATION: No tls-client or tls-server option in configuration detected.
OpenVPN 2.7 will remove the functionality to run a VPN without TLS.
See the examples section in the manual page for examples of a similar quick setup with peer-fingerprint.

Global actions

Switching to TLS based is about generating certificates for clients. In order to achieve that, these are the steps:

  • Install EasyRSA v3 on the system
  • Initialize installed EasyRSA
  • Generate server certificate and key
  • Generate client certificate and key (operation to be repeated for each client to be connected)
The perfect setting would be to have a separate CA machine, generate the certificates on each machine, transfert on the CA machine for signature, copy back to the machine taht requested,... but
All can be done on the same machine.

Install EasyRSA v3 on the server

Take the latest release of EasyRSA on Github (at the time of writing it is v3.1.2)
Unarchive it in the /etc/openvpn/ folder, so that we have the /etc/openvpn/easy-rsa/ folder.
This is how I made, adapt the version to your situation: 

cd /etc/openvpn
wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
tar xf EasyRSA-3.1.2.tgz
mv EasyRSA-3.1.2 easy-rsa

Initialize installed EasyRSA

In order to initialize EasyRSA, the vars file must be created, inspired by the content of vars.example
These are the values I changed from the default file: 

set_var EASYRSA_REQ_COUNTRY     "MG"
set_var EASYRSA_REQ_PROVINCE    "Analamanga"
set_var EASYRSA_REQ_CITY        "Antananarivo"
set_var EASYRSA_REQ_ORG         "RKTMB"
set_var EASYRSA_REQ_EMAIL       "mihamina@rktmb.org"
set_var EASYRSA_REQ_OU          "DT"

set_var EASYRSA_NO_PASS 1
set_var EASYRSA_CA_EXPIRE       36500
set_var EASYRSA_CERT_EXPIRE	1650

Then we have to initialize EasyRSA with the command 

./easyrsa init-pki

Note that EasyRSA will intruct you to move vars to the PKI directory: just obey.

mv vars pki/

Build the CA with

./easyrsa build-ca

Generate theDiffie-Hellman (DH) params with

./easyrsa gen-dh

These ./easyrsa init-pki, ./easyrsa build-ca and ./easyrsa gen-dh invocations have to be launched one time for the lifetime of the system.
Although you reboot the server, don't issue these anymore.

Generate the server certificate

Commands are self-explanatory

export CL_NAME="vpn.rktmb.org"
cd /etc/openvpn/easy-rsa
./easyrsa gen-req ${CL_NAME}
./easyrsa sign-req server ${CL_NAME}  # <- note the "server" word

With (all) these lines, we generated: 

/etc/openvpn/easy-rsa/pki/ca.crt
/etc/openvpn/easy-rsa/pki/private/vpn.rktmb.org.key
/etc/openvpn/easy-rsa/pki/issued/vpn.rktmb.org.crt
/etc/openvpn/easy-rsa/pki/dh.pem

Server configuration

Now we have to generate a configuration file that will tell OpenVPN to use all these generated file: 

dev tun
proto udp
local 45.51.80.32
server 10.25.0.0 255.255.255.0
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/vpn.rktmb.org.crt
key /etc/openvpn/easy-rsa/pki/private/vpn.rktmb.org.key
dh /etc/openvpn/easy-rsa/pki/dh.pem

topology subnet
;client-config-dir ccd
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
log    /var/log/openvpn.log
verb 5
mute 7
explicit-exit-notify 1

Then the server can be started with: 

/usr/bin/openvpn --config    /etc/openvpn/server/server-config.conf

Generate certificates for clients

Generating certificates for the client is done by a few self-explanatory lines:

export CL_NAME="mihamina-workstation"
cd /etc/openvpn/easy-rsa
./easyrsa gen-req         ${CL_NAME}
./easyrsa sign-req client ${CL_NAME} # <- note the "client" word here

Then we need to isolate these files in order to bring them to the client 

rm -rfv /tmp/${CL_NAME} ; mkdir /tmp/${CL_NAME}
cp /etc/openvpn/easy-rsa/pki/ca.crt                 /tmp/${CL_NAME}/
cp /etc/openvpn/easy-rsa/pki/private/${CL_NAME}.key /tmp/${CL_NAME}/client.key
cp /etc/openvpn/easy-rsa/pki/issued/${CL_NAME}.crt  /tmp/${CL_NAME}/client.crt

Fetch client certificates then connect

We are now in the client and we can fetch the isolated files from the server with:

export CL_NAME="mihamina-workstation"
rm -rfv /tmp/${CL_NAME}
scp -r root@vpn.rktmb.org:/tmp/${CL_NAME} /tmp/
find /tmp/${CL_NAME}/
cp -r /tmp/${CL_NAME} ~/VPN
cd ~/VPN

This is the client configuration file that will use those certificates. Say we store it in ~/VPN/config

client
remote vpn.rktmb.org
port 10901
dev tun
ca ca.crt
cert client.crt
key client.key
;redirect-gateway def1
;dhcp-option DNS 8.8.8.8

Finally we can connect with the command: 

sudo openvpn --config ./config

Popular posts from this blog

npm run build base-href

Using NPM to specify base-href When building an Angular application, people usually use "ng" and pass arguments to that invocation. Typically, when wanting to hard code "base-href" in "index.html", one will issue: ng build --base-href='https://ngx.rktmb.org/foo' I used to build my angular apps through Bamboo or Jenkins and they have a "npm" plugin. I got the habit to build the application with "npm run build" before deploying it. But the development team once asked me to set the "--base-href='https://ngx.rktmb.org/foo'" parameter. npm run build --base-href='https://ngx.rktmb.org/foo did not set the base href in indext.html After looking for a while, I found https://github.com/angular/angular-cli/issues/13560 where it says: You need to use −− to pass arguments to npm scripts. This did the job! The command to issue is then: npm run build -- --base-href='https://ngx.rktmb.org/foo&
Read more

emacs29 intelephense

Emacs 29 and PHP Intelephense I use to use Emacs and PHP Intelephense for PHP development. I recently upgraded to Emacs 29 and PHP Intelephense stopped working. I found a solution on Reddit Based on that, I rewrote my .emacs file to use eglot instead of lsp-mode, and this is the result. (use-package eglot :ensure t) (add-hook 'php-mode-hook 'eglot-ensure) (use-package php-mode :ensure t :mode ("\\.php\\'" . php-mode)) (add-to-list 'auto-mode-alist '("\\.php$" . php-mode)) (provide 'lang-php) (use-package company :ensure t :config (setq company-idle-delay 0.3) (global-company-mode 1) (global-set-key (kbd "M- ") 'company-complete)) (require 'eglot) (add-to-list 'eglot-server-programs '((php-mode :language-id "php") . ("intelephense" "--stdio" :initializationOptions (:licenseKey "98989898989898989898"
Read more

Jenkins invalid privatekey

Publish over SSH, Message "invalid privatekey:" With quite recent (June-July 2020) installations of Jenkins and OpenSSH, I have the following error message when using the "Deploy overs SSH" Jenkins plug-in and publishing artifacts to the target overs SSH: jenkins.plugins.publish_over.BapPublisherException: Failed to add SSH key. Message [invalid privatekey: [B@d8d395a] This problem seems to be referenced here: https://issues.jenkins-ci.org/browse/JENKINS-57495 Just regenerate a key with the right parameters To solve it: ssh-keygen -t rsa -b 4096 Or ssh-keygen -t rsa -b 4096 -m PEM
Read more