EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA


The Public Key Infrastructure (PKI) is built for the EdgeRouter OpenVPN small office/home office (SOHO) network. This project is continued from the Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial.

This tutorial was extensively revised on April 7, 2018 to reflect the latest OpenVPN and Easy-RSA releases.

The PKI consists of the Certificate Authority, Certificates and Keys. The PKI steps are illustrated in this excerpt from the OpenVPN master process diagram:

EdgeRouter OpenVPN – Create Public Key Infrastructure with Easy RSA

3. Create a Public Key Infrastructure (PKI) with Easy-RSA

The PKI is built using the easy-rsa scripts on a Windows 10 Admin PC as described in the tutorial introduction:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

Initialize the PKI

The easy-rsa scripts are Windows batch (.bat) files run from the command line. Press the Windows Logo Key + X to open the Quick Links menu, then click Command Prompt (Admin):

Windows 10 Command Prompt – Run as Admin

From the Command Prompt, change directory to the working folder:

cd C:\OpenVPN-Server-Client-Build\easy-rsa

Edit the Easy-RSA 2.0 OpenSSL Configuration File

The signature algorithm must be changed from MD5 to something stronger such as SHA256; otherwise the iPhone OpenVPN Connect client rejects the certificates with this error:

iPhone OpenVPN Connect Error – TLS received certificate signed with MD5

The solution is to edit the C:\OpenVPN-Server-Client-Build\easy-rsa\openssl-1.0.0.cnf file and change the default_md parameter to SHA256:
default_md = sha256      # use SHA256 for the public key default MD.

Save your changes.

Initialize the PKI and copy the sample variables:

C:\OpenVPN-Server-Client-Build\easy-rsa>init-config.bat

The Command Prompt session is:

OpenVPN Easy RSA Script init-config

OpenVPN Easy RSA Script init-config

Edit vars.bat with a text editor to customize your parameters: HOME directory, key size, country, state, city, email, CN, NAME and OU. I recommend a minimum 2048 key size for stronger encryption. Refer to the Excel worksheet created in the first part of this tutorial where the CA parameters were documented. “rem” is a comment line in the following file listing.

C:\OpenVPN-Server-Client-Build\easy-rsa\vars.bat edits are highlighted in green:

rem set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set HOME=C:\OpenVPN-Server-Client-Build\easy-rsa

set DH_KEY_SIZE=2048

rem Private key size
set KEY_SIZE=4096
set KEY_COUNTRY=US
set KEY_PROVINCE=GA
set KEY_CITY=Atlanta
set KEY_ORG=OpenVPN
set KEY_EMAIL=bob@handymanhowto.com
set KEY_CN=OpenVPNBobER3
set KEY_NAME=server
set KEY_OU=HomeNetwork
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

Save your changes to vars.bat.

Next run the following batch scripts:

C:\OpenVPN-Server-Client-Build\easy-rsa>vars.bat
C:\OpenVPN-Server-Client-Build\easy-rsa>clean-all.bat

Screen grab for the above commands:

OpenVPN Easy RSA Scripts vars and clean-all

3.a Build Certificate Authority: build-ca.bat

A local Certificate Authority (CA) is built using the build-ca.bat script. Refer to the Excel worksheet for your CA parameters. Keyboard inputs are highlighted in green. Press the Enter key to accept the default value:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-ca.bat
Generating a 4096 bit RSA private key
......++
............++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]:BobER3CertificateAuthority
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:OpenVPNBobER3-CA
Name [server]:OpenVPN-CA
Email Address [bob@handymanhowto.com]: <Enter>

C:\OpenVPN-Server-Client-Build\easy-rsa>

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now contains the following files:

  • ca.crt – Certificate Authority root Certificate.
    The certificate is Base64 encoded:
    -----BEGIN CERTIFICATE-----
    MIIFGzCCBAOgAwIBAgIJAI3wzhfEn68QMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCR0ExEDAOBgNVBAcTB0F0bGFudGExEDAOBgNVBAoT
    …many more lines of gibberish…
    ihZOPG/8ycnp5Fkh3rBFsoAdHmjbXF0HATK+rFvOyH9jmV8ZsUYwfN+Rw0D3+NRc
    ir6ksKr4nYrR/3lOzMj9
    -----END CERTIFICATE-----
  • ca.key – Certificate Authority Private Key. This must be kept secret!
    Which looks like this:
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwFnNZhIUmgXSa
    I16NP26m14pILJZueocIy7VUBKFi4Rd8hdtHX3JQ1KYFqEItxhDaN5bbOc+ATY8x
    …many more lines of gibberish…
    2gVNObBmpkQAnPAZzQE5V7l2htVNpCWya0JaCo0lxia9B+Wb+G5rRTHjc1CN0Drg
    SvehR/1UCmsvzTfcO3s8Jt9glg==
    -----END PRIVATE KEY-----
OpenVPN Easy RSA Certificate Authority Cert and Private Key Files

3.b Generate Server Certificate & Keys for the EdgeRouter OpenVPN Server

Run the build-key-server.bat script to generate the server certs and keys. Refer to your Excel Worksheet for the Server parameters.

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-server server
Generating a 4096 bit RSA private key..................................++
..................++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]: <Enter>
Name [server]: <Enter>
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme1
An optional company name []: <Enter>
Using configuration from openssl-1.0.0.cnf
Can't open keys/index.txt.attr for reading, No such file or directory
49444:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('keys/index.txt.attr','r')
49444:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :PRINTABLE:'OpenVPNBobER3'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until Apr  4 14:54:03 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

You can ignore the error message "Can't open keys/index.txt.attr". The file doesn't exist on the first run and is created by this step, as shown in the screen grab below.

The server.crt (Certificate) and server.key (Private Key) files are in the keys folder. Both are text format:

OpenVPN Easy RSA Create Server Certificate and Private Key build-key-server crt and key

The Ubiquiti EdgeRouter requires the server certificate in plain PEM format rather than the .crt written by Easy-RSA, which carries a human-readable dump of the certificate ahead of the Base64 block (hence 8,451 bytes for server.crt against 2,648 bytes for server.pem in the listing below). To convert the server.crt file to .pem format, run the following commands:

C:\OpenVPN-Server-Client-Build\easy-rsa>cd keys
C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openssl x509 -in server.crt -outform PEM -out server.pem

A directory listing shows the newly created server.pem file:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>dir
Volume in drive C is OS
Volume Serial Number is 7A25-5D04

Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys

04/07/2018  10:57 AM    <DIR>          .
04/07/2018  10:57 AM    <DIR>          ..
04/07/2018  10:54 AM             8,451 01.pem
04/07/2018  10:46 AM             2,528 ca.crt
04/07/2018  10:44 AM             3,324 ca.key
04/07/2018  10:54 AM               143 index.txt
04/07/2018  10:54 AM                22 index.txt.attr
04/07/2018  10:54 AM                 4 serial
04/07/2018  10:54 AM             8,451 server.crt
04/07/2018  10:54 AM             1,846 server.csr
04/07/2018  10:53 AM             3,324 server.key
04/07/2018  10:57 AM             2,648 server.pem
10 File(s)         30,741 bytes
2 Dir(s)  401,981,198,336 bytes free

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>cd ..
C:\OpenVPN-Server-Client-Build\easy-rsa>

If openssl prints a warning that it can't open the config file /etc/ssl/openssl.cnf, it can be ignored; the x509 conversion does not need one. The server.pem file contents look like this:

-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRAwDgYDVQQHEwdBdGxhbnRhMRAwDgYDVQQKEwdPcGVuVlBO
…many more lines of gibberish…
PK/wfKa66UyayOyRsnhHLVoqZBfJSsOebwSuCbF7hmCqo3lVUPBtLFtr/TTBztAp
y/0wyjWeNqu7Ik2L2s1zQm9Ov3SJJczhzOp3QwLgQWbIMqOETkIn6B0=
-----END CERTIFICATE-----

3.c Generate Client Certificates & Keys for Multiple Devices

OpenVPN client certificates and keys will be generated for an Apple iPhone and Windows Laptop. If you have additional clients, repeat the following steps being careful to choose a unique Common Name for each VPN client. Refer to the Excel worksheet for your Client parameters.

Run the build-key-pass.bat script with the unique Common Name for each client. The PEM pass phrase is optional and encrypts the client private key. Use strong pass phrases rather than the simple example ones shown in this tutorial:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-pass Bob_Laptop
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 4096 bit RSA private key
....................................................................+++
................................................................+++
writing new private key to 'keys\Bob_Laptop.key'
Enter PEM pass phrase: opensaysme3
Verifying - Enter PEM pass phrase: opensaysme3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:Bob_Laptop
Name [server]:client
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme3
An optional company name []: opensaysme3
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :T61STRING:'Bob_Laptop'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until Apr  4 15:03:00 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

Next generate the iPhone client cert and keys, taking care to input the unique PEM pass phrase, unique Common Name (Bob_iPhone) and Name = client to the script prompts:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-pass Bob_iPhone

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys directory now contains the Bob_Laptop and Bob_iPhone certificates (.crt) and keys (.key):

C:\OpenVPN-Server-Client-Build\easy-rsa>dir keys
Volume in drive C is OS
Volume Serial Number is 7A25-5D04

Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys

04/07/2018  11:05 AM    <DIR>          .
04/07/2018  11:05 AM    <DIR>          ..
04/07/2018  10:54 AM             8,451 01.pem
04/07/2018  11:03 AM             8,334 02.pem
04/07/2018  11:05 AM             8,334 03.pem
04/07/2018  11:05 AM             8,334 Bob_iPhone.crt
04/07/2018  11:05 AM             1,860 Bob_iPhone.csr
04/07/2018  11:04 AM             3,468 Bob_iPhone.key
04/07/2018  11:03 AM             8,334 Bob_Laptop.crt
04/07/2018  11:02 AM             1,860 Bob_Laptop.csr
04/07/2018  11:01 AM             3,468 Bob_Laptop.key
04/07/2018  10:46 AM             2,528 ca.crt
04/07/2018  10:44 AM             3,324 ca.key
04/07/2018  11:05 AM               437 index.txt
04/07/2018  11:05 AM                22 index.txt.attr
04/07/2018  11:05 AM                 4 serial
04/07/2018  10:54 AM             8,451 server.crt
04/07/2018  10:54 AM             1,846 server.csr
04/07/2018  10:53 AM             3,324 server.key
04/07/2018  10:57 AM             2,648 server.pem
18 File(s)         75,027 bytes
2 Dir(s)  401,977,573,376 bytes free

BTW – the .csr files are the Certificate Signing Requests, temporary files that the CA signs to produce each .crt; OpenVPN itself never uses them.
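The index.txt shown in the listing above is the OpenSSL "ca" database that Easy-RSA keeps for every certificate it signs. Here is an added Python example (not part of this tutorial or of Easy-RSA) that parses it and audits the issued certificates: it flags duplicate Common Names (the mistake to avoid when adding more clients), lists certificates close to expiry, and separates server from client certificates by the Name field. The sample index.txt content is constructed to match the three certificates issued above; the fourth entry (a second Bob_Laptop) and the fifth (a revoked Bob_Tablet) are invented to exercise the checks.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of keys\index.txt, the certificate database OpenSSL "ca"
# maintains for Easy-RSA. One tab-separated line per certificate:
#   status (V valid, R revoked, E expired), expiry, revocation date (blank
#   unless revoked), serial, certificate filename ("unknown"), subject DN.
# Serials 01-03 mirror the certificates issued in this tutorial; 04 is a
# constructed second "Bob_Laptop" issued by mistake, 05 a constructed
# revoked client.
_DN = ("/C=US/ST=GA/L=Atlanta/O=OpenVPN/OU=HomeNetwork/CN=%s/name=%s"
       "/emailAddress=bob@handymanhowto.com")
SAMPLE_INDEX = "\n".join([
    "\t".join(["V", "280404145403Z", "", "01", "unknown", _DN % ("OpenVPNBobER3", "server")]),
    "\t".join(["V", "280404150300Z", "", "02", "unknown", _DN % ("Bob_Laptop", "client")]),
    "\t".join(["V", "280404150500Z", "", "03", "unknown", _DN % ("Bob_iPhone", "client")]),
    "\t".join(["V", "280404151200Z", "", "04", "unknown", _DN % ("Bob_Laptop", "client")]),
    "\t".join(["R", "280404152000Z", "180601093000Z", "05", "unknown", _DN % ("Bob_Tablet", "client")]),
]) + "\n"


def parse_time(stamp):
    """Decode the UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)
    timestamps OpenSSL writes to index.txt."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_subject(dn):
    """'/C=US/ST=GA/.../CN=Bob_Laptop' -> {'C': 'US', 'ST': 'GA', ..., 'CN': 'Bob_Laptop'}"""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def parse_index(text):
    """Turn index.txt into a list of dicts, one per issued certificate."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,
            "expires": parse_time(expiry),
            "revoked": parse_time(revoked) if revoked else None,
            "serial": serial,
            "subject": parse_subject(dn),
        })
    return entries


def audit_index(entries, now, warn_days=90):
    """Report on the live certificates: duplicate Common Names, certificates
    about to expire, and which CNs are server vs. client.

    OpenSSL only flips V to E when "openssl ca -updatedb" is run, so expiry
    is checked against the clock here rather than trusting the status column.
    """
    live = [e for e in entries if e["status"] == "V" and e["expires"] > now]
    by_cn = {}
    for e in live:
        by_cn.setdefault(e["subject"].get("CN"), []).append(e["serial"])
    live_serials = {e["serial"] for e in live}
    return {
        "live": len(live),
        "duplicate_cn": {cn: s for cn, s in by_cn.items() if len(s) > 1},
        "expiring": [e["serial"] for e in live
                     if e["expires"] - now <= timedelta(days=warn_days)],
        "servers": [e["subject"]["CN"] for e in live if e["subject"].get("name") == "server"],
        "clients": [e["subject"]["CN"] for e in live if e["subject"].get("name") == "client"],
        "not_live": [e["serial"] for e in entries if e["serial"] not in live_serials],
    }


if __name__ == "__main__":
    report = audit_index(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc))
    for key, value in report.items():
        print("%-13s %s" % (key, value))
```

To run it against a real PKI, replace SAMPLE_INDEX with the contents of keys\index.txt; a duplicate CN in the report means two live certificates share an identity, which matters because OpenVPN uses the CN to tell clients apart.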

3.d Generate Diffie-Hellman Parameters

Diffie-Hellman key-exchange parameters are generated by the Easy RSA build-dh.bat script. An advantage of building the PKI on a Windows 10 Desktop PC is this step only took 37 seconds versus over 30 minutes on the EdgeRouter Lite because the EdgeRouter CPU isn’t as powerful as the desktop PC:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…….+…….+…………….+……………………………………….
…………………………………………………..+……………….
<many more lines>
…………………..+……………….++*++*

C:\OpenVPN-Server-Client-Build\easy-rsa>

The dh2048.pem file is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder. The 2048 bit size comes from the DH_KEY_SIZE setting in the vars.bat file.

3.e Harden OpenVPN – Generate TLS Authorization Pre-Shared Key

A TLS Authorization (OpenVPN tls-auth) pre-shared key adds an HMAC signature to every control-channel packet; packets without a valid HMAC are dropped before any TLS handshake starts. This provides increased security and better resistance to Denial of Service (DoS) attacks by rejecting unauthorized connection attempts to the EdgeRouter faster. Run the command:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openvpn --genkey --secret ta.key

A 2048 bit OpenVPN static key file, ta.key, is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder.

Aside: When TLS Authorization is enabled you'll see entries in the EdgeRouter log (tail -n 100 /var/log/messages) where TLS connection attempts on port 443 are dropped before the attacker can try guessing login credentials. In this log excerpt a Russian IP address is probing my network:

openvpn[2466]: Local Options String: 'V4,dev-type tun,link-mtu 1572,
               tun-mtu 1500,proto TCPv4_SERVER,
               comp-lzo,keydir 0,cipher AES-256-CBC,
               auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
openvpn[2466]: Expected Remote Options String: 'V4,dev-type tun,
               link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,
               keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,
               tls-auth,key-method 2,tls-client'
openvpn[2466]: Local Options hash (VER=V4): '165db97f'
openvpn[2466]: Expected Remote Options hash (VER=V4): '504bba81'
openvpn[2466]: TCP connection established with [AF_INET]185.40.4.109:44468
openvpn[2466]: TCPv4_SERVER link local: [undef]
openvpn[2466]: TCPv4_SERVER link remote: [AF_INET]185.40.4.109:44468
openvpn[2466]: 185.40.4.109:44468 WARNING: Bad encapsulated packet length
               from peer (18245), which must be > 0 and <= 1572 -- please ensure
               that --tun-mtu or --link-mtu is equal on both peers -- this
               condition could also indicate a possible active attack on the
               TCP link -- [Attempting restart...]
openvpn[2466]: 185.40.4.109:44468 Connection reset, restarting [0]
openvpn[2466]: 185.40.4.109:44468 SIGUSR1[soft,connection-reset] received,
               client-instance restarting
openvpn[2466]: TCP/UDP: Closing socket

Probing and unauthorized connection attempts happen all the time. I monitor my logs and update the EdgeRouter firewall block list.
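To make concrete what ta.key buys the EdgeRouter, here is an added Python model (example code, not OpenVPN's and not from this tutorial) of a tls-auth server filtering control-channel packets. It generates and round-trips a 2048 bit static key in the "OpenVPN Static key V1" text layout that openvpn --genkey writes, derives the per-direction HMAC-SHA256 keys (auth SHA256 as in the log above), and accepts only packets carrying a valid HMAC, dropping everything else before any TLS handshake would begin. The four-slot layout of the static key and the keydir 0 / keydir 1 mapping shown in the log are my reading of OpenVPN's key-direction handling and are marked as assumptions in the code; the packet format is simplified (real OpenVPN packets also carry a packet-id and timestamp for replay protection), and the source addresses and packets are constructed.

```python
import hashlib
import hmac
import secrets

# An OpenVPN static key (the ta.key written by "openvpn --genkey --secret") is
# 2048 bits = 256 bytes, stored as 16 lines of 32 hex characters.
KEY_BYTES = 256
SLOT = 64  # assumed layout: four 64-byte slots, cipher0, hmac0, cipher1, hmac1
DIGEST = hashlib.sha256  # matches "auth SHA256" in the router log


def generate_static_key():
    """Return 256 random bytes: the raw material of a ta.key."""
    return secrets.token_bytes(KEY_BYTES)


def format_static_key(key):
    """Render the key in OpenVPN's 'Static key V1' text layout."""
    lines = [key[i:i + 16].hex() for i in range(0, KEY_BYTES, 16)]
    return ("#\n# 2048 bit OpenVPN static key\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            + "\n".join(lines) +
            "\n-----END OpenVPN Static key V1-----\n")


def parse_static_key(text):
    """Read the hex body between the BEGIN/END markers back into bytes."""
    body, inside = [], False
    for line in text.splitlines():
        if line.startswith("-----BEGIN OpenVPN Static key"):
            inside = True
        elif line.startswith("-----END OpenVPN Static key"):
            break
        elif inside:
            body.append(line.strip())
    key = bytes.fromhex("".join(body))
    if len(key) != KEY_BYTES:
        raise ValueError("expected %d key bytes, got %d" % (KEY_BYTES, len(key)))
    return key


def hmac_key(static_key, key_direction, sending):
    """Pick the HMAC key for one direction of traffic.

    Assumed mapping (my reading of OpenVPN's key-direction handling):
    keydir 0 (the server in the log above) sends with slot 0 and receives
    with slot 1; keydir 1 (the client) does the reverse, so both sides agree.
    """
    slot = 0 if (key_direction == 0) == sending else 1
    start = SLOT * (2 * slot + 1)  # skip the cipher slot in front of each hmac slot
    return static_key[start:start + DIGEST().digest_size]


def sign_packet(payload, key):
    """Prefix a control-channel payload with its HMAC, as a keyed peer would."""
    return hmac.new(key, payload, DIGEST).digest() + payload


def accept_packet(packet, key):
    """Return the payload if the HMAC verifies, or None if the packet is dropped."""
    n = DIGEST().digest_size
    if len(packet) < n:
        return None
    tag, payload = packet[:n], packet[n:]
    expected = hmac.new(key, payload, DIGEST).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def server_filter(static_key, packets):
    """Split (source, packet) pairs into accepted sources, which would go on to
    the TLS handshake, and dropped sources, the way a tls-auth server does."""
    key = hmac_key(static_key, 0, sending=False)
    accepted, dropped = [], []
    for src, pkt in packets:
        (accepted if accept_packet(pkt, key) is not None else dropped).append(src)
    return accepted, dropped


def demo():
    """Round-trip a generated ta.key and filter three constructed packets."""
    ta = parse_static_key(format_static_key(generate_static_key()))
    client_key = hmac_key(ta, 1, sending=True)
    hello = b"P_CONTROL_HARD_RESET_CLIENT_V2"  # constructed stand-in for a handshake packet
    packets = [
        ("10.0.0.5", sign_packet(hello, client_key)),                  # enrolled client holding ta.key
        ("203.0.113.7", sign_packet(hello, secrets.token_bytes(32))),  # scanner without the key
        ("203.0.113.8", hello),                                        # bare probe, no HMAC at all
    ]
    return server_filter(ta, packets)


if __name__ == "__main__":
    print(demo())  # (['10.0.0.5'], ['203.0.113.7', '203.0.113.8'])
```

The point the log excerpt makes is visible in demo(): a peer that does not hold ta.key never reaches the certificate checks at all, and the server spends only one HMAC computation on it instead of a full TLS handshake.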

This project is continued in EdgeRouter OpenVPN Server – Client Mode Configuration Steps.

Best,

Bob

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.

8 Comments

  1. Victor October 16, 2017 at 8:04 am - Reply

    Looks promising but I'm stuck with the OpenSSL install on Windows stuff. I tried with Windows 10 and 7 but nothing works…

  2. Tyrone November 30, 2017 at 10:15 am - Reply

    Thanks for the tutorial. May I suggest putting the creation date at the very beginning so the reader can check whether this is still relevant?

    • Bob Jackson December 1, 2017 at 6:53 pm - Reply

      The tutorial was authored in May 2017. I’ll update it as needed and post a notice in the article.

      The PKI build process hasn’t changed in years. What does change is new cipher suites are introduced (faster, more secure), key length recommendations change (1024 bit is insecure, 2048 is the current minimum) and updated OpenVPN software releases. Version 2.4.1 for Windows 10 was used to generate the PKI as illustrated in the intro Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial.

      Ubiquiti bundles OpenVPN with the EdgeMax firmware so the version there will be different, but it’s interoperable with the PKI and clients on various platforms – smartphones, laptops, etc.

  3. Brandon January 12, 2018 at 3:11 pm - Reply

    I can't generate a key. It says something about serial.old and that it wasn't able to generate a key for a user. What's the solution to this? How can I refresh the serial in order to create keys again?

    • Bob Jackson January 15, 2018 at 10:57 am - Reply

      Are you working from the instructions in my tutorial, or did you run into the problem and find my site when searching for a solution?

      Did the problem occur when creating the CA or client certificates? If when creating the CA, delete all the working files and start fresh following my tutorial.

      The serial.txt holds the certificate serial #. Initially it contains "01" without quotes and increments by 1 for each new certificate, e.g. 02, 03, 04, etc. The serial # can be anything, a random number, etc. and each certificate should have a unique serial # for easier administration. See https://www.openssl.org/docs/manmaster/man1/ca.html.

  4. James April 10, 2018 at 9:10 pm - Reply

    First, your write up on this is excellent and thank you.

    I did want to point out a few things that I had to work through just in case you wanted to edit. When running my build-dh.bat it kept building a 4096 key. I thought maybe you had a typo in your vars.bat example above because mine has a "set DH_KEY_SIZE=2048" line where yours does not. I dug into the build-dh.bat file and noticed it was referencing KEY_SIZE and not DH_KEY_SIZE. So that is where the issue was; I fixed that and now things work how I suspect they should. DH_KEY_SIZE=2048 is used for build-dh and KEY_SIZE=4096 is used for the other keys.

    The other issue I had that I spent the most time on was not anything to do with your write up but just with my iPhone and OpenVPN app. When I tried to go secure with my EdgeRouter I was getting this in the router log:

    TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    TLS Error: TLS object -> incoming plaintext read error TLS Error: TLS handshake failed
    Fatal TLS error (check_tls_errors_co), restarting
    SIGUSR1[soft,tls-error] received, client-instance restarting

    After a bit of googlefoo I found out that I had to go into my iPhone /settings/openvpn/advanced settings/ and then enable "Force AES-CBC ciphersuites".

    Works like a champ now, thanks again.

    • Bob Jackson April 11, 2018 at 2:20 pm - Reply

      I corrected the typo in the vars.bat narrative; it's now "set DH_KEY_SIZE=2048". Normally this would be set automatically when init-config.bat is run, which copies vars.bat.sample to vars.bat, since the sample file has "set DH_KEY_SIZE=2048" as the default.

      Thanks for letting me know and glad you got it working!
