Setting Up Your VPN Server Using Certificate Authority

The example shown in Section 15.2 is useful for testing, but not for daily work. This section explains how to build a VPN server that allows more than one connection at the same time. This is done with a public key infrastructure (PKI). A PKI consists of a pair of public and private keys for the server and each client and a master certificate authority (CA), which is useed to sign every server and client certificate.

The general overview of this process involves the following steps:

  1. Build your public key infrastructure (see Section 15.3.1, “Creating Certificates”).

  2. Configure your server (see Section 15.3.2, “Configuring the Server”).

  3. Configure your clients (see Section 15.3.3, “Configuring the Clients”).

Creating Certificates

Before a VPN connection gets established, the client must authenticate the server certificate. Conversely, the server must also authenticate the client certificate. This is called mutual authentication.

You can use two methods to create the respective certificates and keys:

Generating Certificates with easy-rsa

The easy-rsa utilities use the openssl.cnf file stored under /usr/share/openvpn/easy-rsa/VER. In most cases you can leave this file as it is.

Procedure 15.1. Generate the Master CA And Key

  1. Open a shell and become root.

  2. Change the directory to /usr/share/openvpn/easy-rsa/VER/. Replace the placeholder VER with the version, currently either 1.0 or 2.0.

  3. Copy the file vars to /etc/openvpn and edit the value of export EASY_RSA to /usr/share/openvpn/easy-rsa.

  4. Edit the default values in the file vars. Change the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.

  5. Initialize the PKI:

    source /etc/openvpn/vars && ./clean-all && 
     ./build-ca
  6. Enter the data required by the build-ca script. Usually you can take the defaults that you have set in Step 4. The only parameters that are not set are the Organizational Unit Name and Common Name.

After this procedure, the master certificate and key is saved as /usr/share/openvpn/easy-rsa/VER/keys/ca.*.

Procedure 15.2. Generate The Private Server Key

  1. Make sure the directory is /usr/share/openvpn/easy-rsa/VER/.

  2. Run the following script:

    ./build-key-server server

    The argument (here: server) is used for the private key filename.

  3. Accept the default parameters, but fill server for the Common Name option.

  4. Answer the next two questions (Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n]) with y (yes).

After this procedure, the private server key is saved /usr/share/openvpn/easy-rsa/VER/keys/server.*.

Procedure 15.3. Generate Certificates and Keys for a Client

  1. Make sure your current directory is /usr/share/openvpn/easy-rsa/VER/. Replace the placeholder VER with the version, currently either 1.0 or 2.0.

  2. Create the key as in Step 2 from Procedure 15.2, “Generate The Private Server Key”:

    ./build-key client
  3. Repeat the previous step for each client that is allowed to connect to the VPN server. Make sure you use a different name (other than client) and an appropriate Common Name, because this parameter has to be unique for each client.

After this procedure, the certificate client keys are saved in /usr/share/openvpn/easy-rsa/keys/client.* (depending on the name that you have given for the build-key command.)

Procedure 15.4. Final Configuration Steps

  1. Make sure your current working directory is /usr/share/openvpn/easy-rsa/VER/.

  2. Create the Diffie-Hellman parameter:

    ./build-dh
  3. Create /etc/openvpn/ssl.

  4. Copy the following files:

    cp keys/ca.{crt,key} keys/dh1024.pem keys/server.{crt,key} /etc/openvpn/ssl/
  5. Copy the client keys to the relevant client machine. You should have the files client.crt and client.key in the /etc/openvpn/ssl directory.

Configuring Certificates with YaST CA

You can skip this section if you have already configured the certificates with the easy-rsa utilties.

Configuring the Server

The configuration file is mostly a summary of /usr/share/doc/packages/openvpn/sample-config-files/server.conf without the comments and with some small changes to some paths.

Example 15.1. VPN Server Configuration File

# /etc/openvpn/server.conf
port 1194 1
proto udp 2
dev tun0 3

# Security 4
ca   ssl/ca.crt
cert ssl/server.crt
key  ssl/server.key
dh   ssl/dh1024.pem

server 10.8.0.0  255.255.255.0 5
ifconfig-pool-persist /var/run/openvpn/ipp.txt 6

# Privleges 7
user nobody
group nobody

# Other configuration 8
keepalive 10 120
comp-lzo
persist-key
persist-tun
status      /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

1

The TCP/UDP port to which OpenVPN listens. You have to open up the port in the Firewall, see Chapter 14, Masquerading and Firewalls. The standard port for VPN is 1194, so in most cases you can leave that as it is.

2

The protocol, either UDP or TCP.

3

The tun or tap device, see Section 15.1.2, “Tun and Tap Devices” for the differences.

4

The following lines contain the relative or absolute path to the root server CA certificate (ca), the root CA key (cert), the private server key (key) and the Diffie Hellman parameters (dh). These were generated in Section 15.3.1, “Creating Certificates”.

5

Supplies a VPN subnet. The server can be reached by 10.8.0.1.

6

Records a mapping of clients and its virtual IP address in the given file. Useful when the server goes down and (after the restart) the clients get their previously assigned IP address.

7

For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges. For this reason the group and user nobody is used.

8

Several other configurations, see comment in the original configuration from /usr/share/doc/packages/openvpn/sample-config-files.

After this configuration, you can see log messages from your OpenVPN server under /var/log/openvpn.log. When you have started it for the first time, it should finish it with:

... Initialization Sequence Completed

If you do not get this message, check the log carefully. Usually OpenVPN gives you some hints what is wrong in your configuration file.

Configuring the Clients

The configuration file is mostly a summary from /usr/share/doc/packages/openvpn/sample-config-files/client.conf without the comments and with some small changes to some paths.

Example 15.2. VPN Client Configuration File

# /etc/openvpn/client.conf
client 1
dev tun 2
proto udp 3
remote IP_OR_HOSTNAME 1194 4
resolv-retry infinite
nobind

# Privleges 5
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Security 6
ca   ssl/ca.crt
cert ssl/client.crt
key  ssl/client.key

comp-lzo 7

1

We have to specify that this machine is a client.

2

The network device. Both clients and server must use the same device.

3

The protocol. Use the same settings as on the server.

4

Replace the placeholder IP_OR_HOSTNAME with the respective hostname or IP address of your VPN server. After the hostname the port of the server is given. You can have multiple lines of remote entries pointing to different VPN servers. This is useful for load balancing between different VPN servers.

5

For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges. For this reason the group and user nobody is used.

6

Contains the client files. For security reasons, it is better to have a separate file pair for each client.

7

Turns compression on. Use it only when the server has this parameter switched on as well.