OPENVPN - The Easy Tutorial - PKI

OpenVPN SSL & PKI
Last Change : Feb 28 2008



Public Key Infrastructure (PKI):

A Public Key Infrastructure (PKI) is the set of roles, procedures, software and hardware used to issue and manage certificates, which bind a user's public key to their real identity.

Concept:

A PKI is built on asymmetric cryptography (also called public key cryptography): each peer owns a key pair made of a private key and a public key. OpenVPN's SSL/TLS mode uses the PKI to authenticate the peers to each other before any ciphered data is transmitted.

Private keys and certificates:

The private key of a peer is kept secret, while its public key is distributed to everyone inside a certificate.
The goal of a certificate is to certify that a public key belongs to the person who claims to own it (i.e. the person holding the matching private key).
Without certificates, you could not be sure that a public key really belongs to the person who holds the matching private key: anybody can generate a key pair and claim to be Bob.

Certification Authority (CA):

To certify the identity it carries, a certificate is signed by an authority that everyone involved trusts: the Certification Authority (CA).
Companies such as VeriSign and Comodo have made a business of selling certificates.
It is also possible to create a private CA in an internal network; this is what will be done in our tutorials. A private CA is in fact the normal choice for OpenVPN, since only the VPN peers need to trust it, and it avoids trusting every public CA shipped with an operating system.

CA certificate:

The CA signs certificates with its private key and publishes its public key to everyone in the form of a certificate. The CA certificate is self-signed, i.e. signed with the CA's own private key, so nothing inside it proves its authenticity: it must be distributed to every peer over a trusted channel, because a peer holding a fake CA certificate will accept any server or client certificate signed by that fake CA.

For example, you can look at the CA certificates, also called root certificates, that your web browser trusts:

Opera 9: Tools -> Preferences -> Advanced tab -> Security -> Manage certificates -> Authorities tab.
FireFox 2: Tools -> Options -> Advanced -> View Certificates -> Authorities tab.
IE 7: Tools -> Internet Options -> Content tab -> Certificates -> Trusted Root Certification Authorities tab.
Private key and certificate creation:

Normally the client first creates an RSA private key and a certificate signing request (CSR), a file that contains the matching public key and the identity to certify. Only the request is sent to the CA, which builds the client certificate from it and sends the certificate back to the client. In this process the private key never leaves the client machine.

In our scenario, as we are in a laboratory, we will use a simpler process.
The client private key is created on the CA machine together with the certificate, so the client no longer needs to send a certificate request to the CA.
The client private key and certificate are then transferred from the CA to the client.
Of course this way of creating certificates must only be used in test environments, for obvious security reasons: the private key could be captured during its transfer, and a copy of it remains on the CA machine.

Asymmetric keys usage:

Two peers called Alice and Bob are used to illustrate the uses of asymmetric keys.

To sign a document
Alice computes a hash of the file and signs it with her private key. The signature is a block of unreadable bytes that can only be checked with Alice's public key, so Bob needs Alice's public key (i.e. her certificate) to verify that the file really comes from Alice and has not been modified since. A signature does not hide the document: Bob reads the file itself in clear text, the public key only serves to verify the signature.

To build a shared key used for symmetric cryptography
Alice combines her private key with Bob's public key to compute a shared secret; Bob obtains exactly the same secret by combining his private key with Alice's public key (the Diffie-Hellman principle). The shared secret is then used as the key of a symmetric algorithm such as AES (DES, once common, is too weak today). Symmetric encryption is much quicker than asymmetric encryption, which is why the bulk of the VPN traffic is protected with it.

To cipher data
When Alice wants to send encrypted data to Bob, Alice ciphers the data with Bob's public key, taken from Bob's certificate. Only Bob's private key can decipher it, so Bob is the only person able to read that data.
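The three uses above, carried out with the openssl command line as an added example (it is not part of the OpenManiak tutorial; Alice's and Bob's keys, the message texts, the prime256v1 curve and the 2048-bit RSA size are all constructed for this example, and a plain hash stands in for the key-derivation function a real protocol would use):

```shell
#!/bin/sh
# Added example, not part of the OpenManiak tutorial: the three uses of an
# asymmetric key pair (sign, agree on a shared key, encrypt) done with openssl
# on throwaway keys. Names, texts, curve and key sizes are constructed here.
set -eu

# Key pairs: RSA for signing and encryption, EC (prime256v1) for key agreement.
make_keys() {
  d="$1"
  for who in alice bob; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$d/${who}_rsa.key" 2>/dev/null || return 1
    openssl pkey -in "$d/${who}_rsa.key" -pubout -out "$d/${who}_rsa.pub" || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
      -out "$d/${who}_ec.key" 2>/dev/null || return 1
    openssl pkey -in "$d/${who}_ec.key" -pubout -out "$d/${who}_ec.pub" || return 1
  done
}

# 1. Signing: Alice signs a SHA-256 hash of the document with her private key.
#    Bob verifies with her public key; a modified document must fail.
demo_sign() {
  d="$1"
  printf 'pay Bob 100 CHF\n' > "$d/doc.txt"
  openssl dgst -sha256 -sign "$d/alice_rsa.key" -out "$d/doc.sig" "$d/doc.txt" || return 1
  openssl dgst -sha256 -verify "$d/alice_rsa.pub" -signature "$d/doc.sig" \
    "$d/doc.txt" >/dev/null 2>&1 || return 1
  printf 'pay Bob 1000 CHF\n' > "$d/doc_tampered.txt"
  if openssl dgst -sha256 -verify "$d/alice_rsa.pub" -signature "$d/doc.sig" \
       "$d/doc_tampered.txt" >/dev/null 2>&1; then
    return 1                         # tampering went unnoticed: must not happen
  fi
}

# 2. Shared key: Alice's private + Bob's public and Bob's private + Alice's
#    public give the same secret (Diffie-Hellman on an EC curve). The secret is
#    hashed into an AES-256 key that protects the bulk data.
demo_shared_key() {
  d="$1"
  openssl pkeyutl -derive -inkey "$d/alice_ec.key" -peerkey "$d/bob_ec.pub" \
    -out "$d/alice.secret" || return 1
  openssl pkeyutl -derive -inkey "$d/bob_ec.key" -peerkey "$d/alice_ec.pub" \
    -out "$d/bob.secret" || return 1
  cmp -s "$d/alice.secret" "$d/bob.secret" || return 1
  # A real protocol runs a proper KDF here; a plain hash keeps the example short.
  key=$(openssl dgst -sha256 "$d/alice.secret" | awk '{print $NF}')
  iv=$(openssl rand -hex 16)         # fresh IV per message, never a constant
  printf 'VPN payload: GET /index.html\n' > "$d/bulk.txt"
  openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$d/bulk.txt" -out "$d/bulk.aes" || return 1
  openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$d/bulk.aes" -out "$d/bulk.dec" || return 1
  cmp -s "$d/bulk.txt" "$d/bulk.dec"
}

# 3. Encryption: Alice encrypts for Bob with Bob's public key (the one carried
#    by his certificate). Only Bob's private key decrypts; Alice's cannot.
demo_encrypt() {
  d="$1"
  printf 'session password: correct horse battery staple\n' > "$d/msg.txt"
  openssl pkeyutl -encrypt -pubin -inkey "$d/bob_rsa.pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/msg.txt" -out "$d/msg.enc" || return 1
  openssl pkeyutl -decrypt -inkey "$d/bob_rsa.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/msg.enc" -out "$d/msg.dec" || return 1
  cmp -s "$d/msg.txt" "$d/msg.dec" || return 1
  openssl pkeyutl -decrypt -inkey "$d/alice_rsa.key" -pkeyopt rsa_padding_mode:oaep \
    -in "$d/msg.enc" -out "$d/msg.bad" 2>/dev/null || true
  if [ -s "$d/msg.bad" ] && cmp -s "$d/msg.txt" "$d/msg.bad"; then
    return 1                         # wrong private key must not recover the text
  fi
}

# Runs the three demonstrations; returns 0 only if each behaves as described.
asymmetric_demo() {
  d=$(mktemp -d)
  make_keys "$d" && demo_sign "$d" && demo_shared_key "$d" && demo_encrypt "$d" || return 1
  rm -rf "$d"
}

asymmetric_demo && echo "sign, key agreement and encryption behave as described"
```

Each demonstration also checks the failure case a practitioner cares about: a tampered document is rejected, the two derived secrets are byte-for-byte identical, and the wrong private key does not recover the plaintext.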
PKI building:

To make the generation of certificates and keys easier, OpenVPN ships a set of scripts (easy-rsa) that wrap the OpenSSL commands. We will study the PKI building under Linux and Windows platforms.

To get full details about OpenSSL use, see the OpenSSL website.

On Linux, copy the easy-rsa files shipped with OpenVPN into your user directory (the source path may differ slightly between distributions):

#cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /home/user/openvpn/ -R
#cd /home/user/openvpn/

Start the PKI building:

On Windows, run init-config.bat first: it creates vars.bat and openssl.cnf from the sample files shipped with OpenVPN. In the run below the first copy failed, so check that both files exist in the easy-rsa folder before going on:

C:\Program Files\OpenVPN\easy-rsa>init-config.bat
C:\Program Files\OpenVPN\easy-rsa>copy vars.bat.sample vars.bat
The system cannot find the file specified.

C:\Program Files\OpenVPN\easy-rsa>copy openssl.cnf.sample openssl.cnf
1 file(s) copied.

Set the variables:

Edit the "C:\Program Files\OpenVPN\easy-rsa\vars.bat" (Microsoft Windows) or the "/home/user/openvpn/vars" (Linux) file and set your variables. They become the default fields of the Distinguished Name (DN) asked for by every certificate built below:

set KEY_COUNTRY=US
set KEY_PROVINCE=CA
set KEY_CITY=San Francisco
set KEY_ORG=OpenManiak
set KEY_EMAIL=webmaster@openvpntest.com

On Linux the syntax is export KEY_COUNTRY="US" and so on. The same file holds KEY_SIZE (1024 by default in easy-rsa 2.0), the RSA key length used for the CA, server and client keys and for the Diffie-Hellman parameters. 1024-bit RSA is no longer considered safe: set KEY_SIZE to 2048 before building anything.


Initialise the variables:

C:\Program Files\OpenVPN\easy-rsa>vars
/home/user/openvpn/#. ./vars

Clean the keys folder and remove any old key. Beware: clean-all deletes everything in the keys folder, the CA private key included, so run it only once, when the PKI is first created.

#clean-all.bat
/home/user/openvpn/#./clean-all
1 file(s) copied.
1 file(s) copied.

Certification authority creation:

Create the CA private key and certificate. The certificate includes the public key.

C:\Program Files\OpenVPN\easy-rsa>build-ca.bat
/home/user/openvpn/#./build-ca

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...++++++
.........++++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenManiak]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
master-openmaniak
Email Address [TeddyBear@openvpntest.com]:

Two files are created in the keys folder: the CA private key (ca.key) and the CA certificate (ca.crt).
The CA certificate, which includes the CA public key, is signed by the CA's own private key.
ca.key is the most sensitive file of the whole PKI: whoever holds it can issue certificates that every peer will trust. Keep it on the CA machine only (not on the VPN server), readable by its owner alone.

Create the OpenVPN server private key and certificate.

C:\Program Files\OpenVPN\easy-rsa>build-key-server.bat server
/home/user/openvpn/#./build-key-server server

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........................................................++++++
.........................++++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenManiak]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
server
Email Address [TeddyBear@openvpntest.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'OpenManiak'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'TeddyBear@openvpntest.com'
Certificate is to be certified until Sep 6 17:36:18 2017 GMT (3650 days)
Sign the certificate? [y/n]:
y


1 out of 1 certificate requests certified, commit? [y/n]
y
Write out database with 1 new entries
Data Base Updated
This script runs two openssl commands: the first (openssl req) creates the private key and a certificate request file, the second (openssl ca) signs the request with the CA private key and writes the certificate. build-key-server also marks the certificate as a server certificate (the "server" extension section of openssl.cnf, which sets nsCertType=server and extendedKeyUsage=serverAuth). On the client side, the directive ns-cert-type server (remote-cert-tls server on OpenVPN 2.1 and later) checks for that mark, so that a stolen client certificate cannot be used to impersonate the server.
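As an added example that is not part of the tutorial or of easy-rsa, the following script performs the request-based enrolment described under "Private key and certificate creation" (private key and request created on the peer, only the request goes to the CA) with plain openssl commands, adds the server and client marks that build-key-server and build-key set, and then runs the checks worth doing on the result before the first VPN connection. The directory layout, subjects, extension values and the 2048-bit key size are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the OpenManiak tutorial or easy-rsa: request-based
# enrolment with openssl, plus the checks to run on the generated files.
# Directories, subjects, extension values and key size are assumptions.
set -eu

SUBJ_BASE="/C=US/ST=CA/L=SanFrancisco/O=OpenManiak"

# CA machine: private key and self-signed certificate. ca.key never leaves here.
make_ca() {
  d="$1"
  mkdir -p "$d/ca" && chmod 700 "$d/ca"
  openssl genrsa -out "$d/ca/ca.key" 2048 2>/dev/null || return 1
  openssl req -x509 -new -sha256 -days 3650 -key "$d/ca/ca.key" \
    -subj "$SUBJ_BASE/CN=master-openmaniak" -out "$d/ca/ca.crt" 2>/dev/null || return 1
}

# Peer machine (server or client): private key plus a certificate signing
# request (CSR). Only the .csr file is sent to the CA.
make_request() {
  d="$1"; name="$2"
  mkdir -p "$d/$name"
  openssl genrsa -out "$d/$name/$name.key" 2048 2>/dev/null || return 1
  chmod 600 "$d/$name/$name.key"
  openssl req -new -sha256 -key "$d/$name/$name.key" \
    -subj "$SUBJ_BASE/CN=$name" -out "$d/$name/$name.csr" 2>/dev/null || return 1
}

# CA machine: sign a CSR. Role "server" adds the marks easy-rsa's
# build-key-server puts in (nsCertType=server, extendedKeyUsage=serverAuth),
# "client" the client marks. OpenVPN's remote-cert-tls directive checks them.
sign_request() {
  d="$1"; name="$2"; role="$3"
  cp "$d/$name/$name.csr" "$d/ca/"          # stands in for sending the CSR to the CA
  if [ "$role" = server ]; then
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$d/ca/$name.ext"
  else
    printf 'nsCertType=client\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > "$d/ca/$name.ext"
  fi
  openssl x509 -req -sha256 -days 3650 -in "$d/ca/$name.csr" \
    -CA "$d/ca/ca.crt" -CAkey "$d/ca/ca.key" -CAcreateserial \
    -extfile "$d/ca/$name.ext" -out "$d/ca/$name.crt" 2>/dev/null || return 1
  cp "$d/ca/$name.crt" "$d/ca/ca.crt" "$d/$name/"   # certificate and CA cert go back to the peer
}

# Checks to run on every peer: 1. the certificate chains to our CA,
# 2. the private key matches the certificate, 3. the expected role mark is set.
check_peer() {
  d="$1"; name="$2"; role="$3"
  p="$d/$name"
  openssl verify -CAfile "$p/ca.crt" "$p/$name.crt" >/dev/null 2>&1 || return 1
  keymod=$(openssl rsa -in "$p/$name.key" -noout -modulus 2>/dev/null)
  certmod=$(openssl x509 -in "$p/$name.crt" -noout -modulus)
  [ "$keymod" = "$certmod" ] || return 1
  if [ "$role" = server ]; then
    openssl x509 -in "$p/$name.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
  else
    openssl x509 -in "$p/$name.crt" -noout -text | grep -q 'TLS Web Client Authentication' || return 1
  fi
}

# Whole flow for a server and a client; returns 0 only if every check passes.
pki_demo() {
  d=$(mktemp -d)
  make_ca "$d" || return 1
  for peer in server client; do
    make_request "$d" "$peer" || return 1
    sign_request "$d" "$peer" "$peer" || return 1
    check_peer "$d" "$peer" "$peer" || return 1
  done
  # No private key ever appeared in the CA directory, and the client
  # certificate must not pass as a server certificate.
  [ ! -e "$d/ca/server.key" ] && [ ! -e "$d/ca/client.key" ] || return 1
  if check_peer "$d" client server; then return 1; fi
  rm -rf "$d"
}

pki_demo && echo "PKI built and checked"
```

The last check in pki_demo is the one that matters for remote-cert-tls: the client certificate chains to the CA and matches its key, yet is refused when asked to play the server role, which is exactly what protects the VPN against a stolen client certificate.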

Create the OpenVPN client private key and certificate.

C:\Program Files\OpenVPN\easy-rsa>build-key.bat client
/home/user/openvpn/#./build-key client

Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
........................................................++++++
.........................++++++
writing new private key to 'keys\client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [OpenManiak]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
client
Email Address [TeddyBear@openvpntest.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'OpenManiak'
commonName :PRINTABLE:'client'
emailAddress :IA5STRING:'TeddyBear@openvpntest.com'
Certificate is to be certified until Sep 6 17:36:18 2017 GMT (3650 days)
Sign the certificate? [y/n]:
y


1 out of 1 certificate requests certified, commit? [y/n]
y
Write out database with 1 new entries
Data Base Updated
That's it!

We now have the OpenVPN client and server certificates and private keys. Copy them to the appropriate OpenVPN hosts: the client private key and certificate (client.key, client.crt) together with the CA certificate (ca.crt) onto the OpenVPN client, and server.key, server.crt and ca.crt onto the server. These are the files referenced by the ca, cert and key directives of the OpenVPN configuration. Each host only needs its own private key; the CA private key stays on the CA machine.

Very important notice:

As explained earlier, we used the Certification Authority (CA) to generate the private keys and certificates. This process should only be used in a laboratory environment, since the CA has to transfer the client's private key; if you do it anyway, move the key over an authenticated channel (scp, or a USB stick handed over in person), never by e-mail or plain FTP.

Diffie-Hellman key exchange

The Diffie-Hellman key exchange is a cryptographic protocol by which two peers establish a shared secret known to them only, even though an attacker can see every message they exchange. OpenVPN uses it during the TLS handshake to derive the session keys. The DH parameters created here (a large safe prime and a generator) are public values, not secrets, but generating them takes a long time.

Let's create the Diffie-Hellman (DH) settings.

C:\Program Files\OpenVPN\easy-rsa>build-dh.bat
/home/user/openvpn/#./build-dh

Loading 'screen' into random state - done
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.................................................................
....+.................................................+..........
.....................+.....+......................+..............
.............................................+...................
.....+...........................................................
..............................................................+..
.................+............+............................+.....
.......+.....................................................+...
...+......+..+...........................+.........+...+.........
..............................++*++*++*

Only the OpenVPN server needs the DH settings, not the OpenVPN client: the server sends the parameters to the client during the handshake (the dh directive of the server configuration points to the generated dh file). Note that build-dh takes the size from KEY_SIZE in the vars file; the 1024-bit parameters generated above are too weak for today's use, so set KEY_SIZE to 2048 before running the script.
