OpenVPN
Note: This page is under development
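#!/bin/bash
# Build an Easy-RSA PKI in ./pki: a CA named after this host, three combined
# server/client certificates, and Diffie-Hellman parameters in ./dh.pem.
#
# The three end-entity keys are generated with "nopass", i.e. they are stored
# unencrypted. Anyone who can read pki/private/ can impersonate the matching
# peer, so run this in a directory only root can enter and keep the CA key
# (pki/private/ca.key) off the VPN server where possible.

# Abort on the first failing step. Without this a failed init-pki or build-ca
# would be followed by certificate requests against a half-built PKI.
set -euo pipefail
# Trace each command; nothing secret is passed on a command line here.
set -x
# Batch mode: Easy-RSA does not stop for interactive confirmation.
export EASYRSA_BATCH=1

easyrsa init-pki
# NOTE(review): presumably this Easy-RSA package does not place these files in
# a fresh pki/ on its own; confirm against the installed version.
cp /etc/easy-rsa/openssl-easyrsa.cnf pki/
cp /etc/easy-rsa/openssl-easyrsa.cnf pki/safessl-easyrsa.cnf
cp -r /etc/easy-rsa/x509-types pki/

# Resolve the CA common name first so a failing hostname lookup stops the
# script instead of producing a CA with an empty CN.
ca_common_name=$(hostname -f)
EASYRSA_REQ_CN="$ca_common_name" EASYRSA_KEY_SIZE=4096 easyrsa build-ca

# Certificates usable as both TLS server and TLS client. A peer holding one of
# these passes a "remote-cert-tls server" check, so issue them only to hosts
# that really act as servers.
for peer_name in serverclient1 serverclient2 serverclient3; do
  easyrsa build-serverClient-full "$peer_name" nopass
done

# Two-step alternative (request, then sign) with separate client/server roles:
# easyrsa gen-req         client1 nopass
# easyrsa sign-req client client1
# easyrsa gen-req         server1 nopass
# easyrsa sign-req server server1

# 4096-bit DH parameters; generation can take a long time.
openssl dhparam -out dh.pem 4096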

client1.conf

# OpenVPN client profile for the certificate "client1".
# NOTE(review): the build script on this page issues serverclient1..3; the name
# client1 only matches its commented-out gen-req/sign-req lines. Confirm which
# certificate was actually issued before shipping this file.

# Act as a TLS client and accept options pushed by the server.
client
# Routed IP tunnel over UDP.
dev tun
proto udp
# Server address and port.
remote vpn.example.com 1195
# Keep retrying name resolution of the remote instead of giving up.
resolv-retry infinite
# Do not bind to a fixed local port.
nobind
# Keep the key material and the tun device across restarts.
persist-key
persist-tun
# CA certificate used to verify the server, then this client's own
# certificate and private key. The key is unencrypted ("nopass"), so the file
# must be readable only by the account that starts OpenVPN.
ca pki/ca.crt
cert pki/issued/client1.crt
key pki/private/client1.key
# Require the peer certificate to carry server key usage, so another client's
# certificate from the same CA cannot be used to pose as the server.
remote-cert-tls server
# HMAC-authenticate control-channel packets with the shared static key.
# Direction 1 is the client side; the server uses 0.
tls-auth ta/ta.key 1
# Low log verbosity.
verb 1
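# Bundle everything client1 needs. The archive holds the client's unencrypted
# private key and the shared tls-auth key, so it is created owner-only (umask
# 077 in a subshell) rather than with the caller's default umask. Hand it over
# through an authenticated, encrypted channel and delete it afterwards.
(umask 077 && tar -czvf backup/client1.tar.gz pki/private/client1.key pki/issued/client1.crt pki/ca.crt ta/ta.key client1.conf)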
root@SERVER/etc/openvpn
$ cp -r /etc/easy-rsa/ SERVER4

root@SERVER/etc/openvpn
$ cd SERVER4

root@SERVER/etc/openvpn/SERVER4
$ ls -l
total 28
-rw-r--r-- 1 root root  424 2016-09-28 01:49 dh.pem
-rw-r--r-- 1 root root 4560 2016-09-28 01:49 openssl-1.0.cnf
drwx------ 6 root root 4096 2016-09-28 01:49 pki
-rw-r--r-- 1 root root 8124 2016-09-28 01:49 vars
drwxr-xr-x 2 root root 4096 2016-09-28 01:49 x509-types

root@SERVER/etc/openvpn/SERVER4
$ rm -rf pki/

root@SERVER/etc/openvpn/SERVER4
$ export EASYRSA_VARS_FILE=./vars

root@SERVER/etc/openvpn/SERVER4
$ vim vars

root@SERVER/etc/openvpn/SERVER4
$ easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/SERVER4/pki


root@SERVER/etc/openvpn/SERVER4
$ easyrsa build-ca nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
.............................++
................................................................................................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/ca.key.GxRUt9nv4u'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:SERVER

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/SERVER4/pki/ca.crt


root@SERVER/etc/openvpn/SERVER4
$ easyrsa build-server-full SERVER nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
................................................................................++
.............................................................................................................................................................................................................................................................................................................................................................................................................................................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/SERVER.key.znWIlv0gCs'
-----
Using configuration from /etc/openvpn/SERVER4/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'SERVER'
Certificate is to be certified until Sep 25 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

root@SERVER/etc/openvpn/SERVER4
$ easyrsa build-client-full notebook nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 8192 bit RSA private key
..................................................................................................................................................................................................................................++
............................++
writing new private key to '/etc/openvpn/SERVER4/pki/private/notebook.key.ksRFn8q1F9'
-----
Using configuration from /etc/openvpn/SERVER4/openssl-1.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'notebook'
Certificate is to be certified until Sep 25 2026 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

root@SERVER/etc/openvpn/SERVER4
$ find .
.
./openssl-1.0.cnf
./vars
./dh.pem
./x509-types
./x509-types/COMMON
./x509-types/ca
./x509-types/client
./x509-types/server
./pki
./pki/certs_by_serial
./pki/certs_by_serial/02.pem
./pki/certs_by_serial/01.pem
./pki/index.txt.old
./pki/index.txt.attr.old
./pki/.rnd
./pki/index.txt
./pki/serial.old
./pki/private
./pki/private/SERVER.key
./pki/private/notebook.key
./pki/private/ca.key
./pki/reqs
./pki/reqs/notebook.req
./pki/reqs/SERVER.req
./pki/ca.crt
./pki/index.txt.attr
./pki/issued
./pki/issued/SERVER.crt
./pki/issued/notebook.crt
./pki/serial

root@SERVER/etc/openvpn/SERVER4
$ vim ../server.conf

root@SERVER/etc/openvpn/SERVER4
$ systemctl start openvpn@server

root@SERVER/etc/openvpn/SERVER4
$ systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2016-09-28 CEST; 5s ago
     Docs: man:openvpn(8)
  Process: 629 ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config %i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2 (code=exited, status=0/SUCCESS)
 Main PID: 631 (openvpn)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─631 /usr/bin/openvpn --cd /etc/openvpn --config server.conf --daemon openvpn@server --writepid /run/openvpn@server.pid --status-version 2

Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: MULTI: multi_init called, r=256 v=256
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: IFCONFIG POOL: base=10.23.0.4 size=62, ipv6=0
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: ifconfig_pool_read(), in='client01,10.23.0.4', TODO: IPv6
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: succeeded -> ifconfig_pool_set()
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: ifconfig_pool_read(), in='nemti,10.23.0.8', TODO: IPv6
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: succeeded -> ifconfig_pool_set()
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: IFCONFIG POOL LIST
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: client01,10.23.0.4
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: nemti,10.23.0.8
Sep 28 SERVER.entwicklerseite.de openvpn@server[631]: Initialization Sequence Completed

root@SERVER/etc/openvpn/SERVER4
$ scp pki/ca.crt pki/issued/notebook.crt pki/private/notebook.key max@192.168.1.102:/tmp/openvpn/
max@192.168.1.102's password:
ca.crt                                                                                                                                                   100% 3223   283.5KB/s   00:00
notebook.crt                                                                                                                                             100%   12KB   1.1MB/s   00:00
notebook.key                                                                                                                                             100% 6392   981.3KB/s   00:00

Strengthening the security: generate 4096-bit Diffie-Hellman parameters and a static key for the `tls-auth` directive.

$ openssl dhparam -out /etc/openvpn/dh.pem 4096
$ openvpn --genkey --secret /etc/openvpn/ta.key

Register clients in PowerDNS

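The following hook scripts can be added to the server configuration file. OpenVPN runs them when a client connects or disconnects and passes the client's certificate common name and pool address in the environment variables `common_name` and `ifconfig_pool_remote_ip`.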

openvpn-server.conf

[...]
client-connect     /usr/local/etc/openvpn/client-up.sh
client-disconnect  /usr/local/etc/openvpn/client-down.sh
[...]

client-up.sh

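#!/bin/sh
# OpenVPN client-connect hook: publish an A record <common_name>.example.com
# for the connecting client through the PowerDNS HTTP API.
#
# Environment (provided by OpenVPN):
#   common_name              CN of the client's certificate
#   ifconfig_pool_remote_ip  address assigned to the client from the pool
#
# Always exits 0. A non-zero exit from a client-connect script makes OpenVPN
# refuse the client, and a DNS problem should not lock users out.
#
# The shebang has no "-x" and curl has no "-v": both would copy the API key
# into whatever log collects this script's stderr.

# Placeholder value from the original page. Replace it, keep this file
# readable only by the account OpenVPN runs hooks as, and do not use a key
# containing double quotes or backslashes (it is embedded in a curl config line).
api_key='changeme'

# The CN is interpolated into JSON and into a DNS name. Accept only characters
# that are harmless in both, so a crafted certificate name cannot alter the
# request body.
case ${common_name:-} in
  '' | *[!A-Za-z0-9._-]*)
    printf '%s\n' 'client-up: common_name missing or not a plain host name; not registering' >&2
    exit 0
    ;;
esac

# The record type is A, so only digits and dots are expected here.
case ${ifconfig_pool_remote_ip:-} in
  '' | *[!0-9.]*)
    printf '%s\n' 'client-up: ifconfig_pool_remote_ip missing or not an IPv4 address; not registering' >&2
    exit 0
    ;;
esac

payload=$(printf '{"rrsets":[{"name":"%s.example.com.", "type":"A", "ttl":3600, "changetype":"REPLACE", "records":[{"content":"%s", "disabled":false}]}]}' \
  "$common_name" "$ifconfig_pool_remote_ip")

# The API key goes to curl on stdin (-K -) so it does not appear in the process
# list. --max-time bounds how long a hung DNS API can hold up the hook.
# NOTE(review): the URL is plain http, so the key crosses the network in clear
# text; use https or a loopback/private address if the API offers one.
# "|| :" keeps the update best-effort.
curl --silent --show-error --max-time 10 \
  -K - \
  -X PATCH --data "$payload" \
  http://dns.example.com/api/v1/servers/localhost/zones/example.com <<EOF || :
header = "X-API-Key: ${api_key}"
EOF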

client-down.sh

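#!/bin/sh
# OpenVPN client-disconnect hook: delete the A record <common_name>.example.com
# through the PowerDNS HTTP API.
#
# Environment (provided by OpenVPN):
#   common_name  CN of the client's certificate
#
# Always exits 0; the DNS clean-up is best-effort.
#
# The shebang has no "-x" and curl has no "-v": both would copy the API key
# into whatever log collects this script's stderr.

# Placeholder value from the original page. Replace it, keep this file
# readable only by the account OpenVPN runs hooks as, and do not use a key
# containing double quotes or backslashes (it is embedded in a curl config line).
api_key='changeme'

# The CN is interpolated into JSON and into a DNS name. Accept only characters
# that are harmless in both, so a crafted certificate name cannot alter the
# request body.
case ${common_name:-} in
  '' | *[!A-Za-z0-9._-]*)
    printf '%s\n' 'client-down: common_name missing or not a plain host name; not deleting' >&2
    exit 0
    ;;
esac

payload=$(printf '{"rrsets":[{"name":"%s.example.com.", "type":"A", "changetype":"DELETE"}]}' \
  "$common_name")

# Host changed from dns.entwicklerseite.de to dns.example.com so the record is
# deleted on the same API endpoint that client-up.sh on this page creates it on.
# The API key goes to curl on stdin (-K -) so it does not appear in the process
# list. --max-time bounds how long a hung DNS API can hold up the hook.
# NOTE(review): the URL is plain http, so the key crosses the network in clear
# text; use https or a loopback/private address if the API offers one.
curl --silent --show-error --max-time 10 \
  -K - \
  -X PATCH --data "$payload" \
  http://dns.example.com/api/v1/servers/localhost/zones/example.com <<EOF || :
header = "X-API-Key: ${api_key}"
EOF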