The Public Key Infrastructure (PKI) is built for the EdgeRouter OpenVPN small office/home office (SOHO) network. This project is continued from the Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial.

Project series index:

EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA

This tutorial was extensively revised on April 7, 2018 to reflect the latest OpenVPN and Easy-RSA releases.

The PKI consists of the Certificate Authority, Certificates and Keys. The PKI steps are illustrated in this excerpt from the OpenVPN master process diagram:

EdgeRouter OpenVPN - Create Public Key Infrastructure with Easy RSA


3. Create a Public Key Infrastructure (PKI) with Easy-RSA

The PKI is built using the easy-rsa scripts on a Windows 10 Admin PC as described in the tutorial introduction:

EdgeRouter Lite OpenVPN Server and Client Configuration Files


Initialize the PKI

The easy-rsa scripts are Windows batch (.bat) files run from the command line. Press the Windows Logo Key + X to open the Quick Links menu, then click Command Prompt (Admin):

Windows 10 Command Prompt - Run as Admin


From the Command Prompt, change directory to the working folder:

cd C:\OpenVPN-Server-Client-Build\easy-rsa

Edit the Easy-RSA 2.0 OpenSSL Configuration File

The signature algorithm must be changed from MD5 to something stronger such as SHA256. The reason is that OpenVPN Connect on the iPhone rejects certificates signed with MD5, as this error shows:

iPhone OpenVPN Connect Error - TLS received certificate signed with MD5


The solution is to edit the C:\OpenVPN-Server-Client-Build\easy-rsa\openssl-1.0.0.cnf file and change the default_md parameter to SHA256:
default_md = sha256      # use SHA256 for the public key default MD.

Save your changes.

Initialize the PKI and copy the sample variables:

C:\OpenVPN-Server-Client-Build\easy-rsa>init-config.bat

The Command Prompt session is:

OpenVPN Easy RSA Script init-config


Edit vars.bat with a text editor to customize your parameters: HOME directory, key size, country, state, city, email, CN, NAME and OU. I recommend a minimum 2048 key size for stronger encryption. Refer to the Excel worksheet created in the first part of this tutorial where the CA parameters were documented. “rem” is a comment line in the following file listing.

The edited lines of C:\OpenVPN-Server-Client-Build\easy-rsa\vars.bat are:

rem set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set HOME=C:\OpenVPN-Server-Client-Build\easy-rsa

set DH_KEY_SIZE=2048

rem Private key size
set KEY_SIZE=4096
set KEY_COUNTRY=US
set KEY_PROVINCE=GA
set KEY_CITY=Atlanta
set KEY_ORG=OpenVPN
set KEY_EMAIL=bob@handymanhowto.com
set KEY_CN=OpenVPNBobER3
set KEY_NAME=server
set KEY_OU=HomeNetwork
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

Save your changes to vars.bat.

Next run the following batch scripts:

C:\OpenVPN-Server-Client-Build\easy-rsa>vars.bat
C:\OpenVPN-Server-Client-Build\easy-rsa>clean-all.bat

Screen grab for the above commands:

OpenVPN Easy RSA Scripts vars and clean-all


3.a Build Certificate Authority: build-ca.bat

A local Certificate Authority (CA) is built using the build-ca.bat script. Refer to the Excel worksheet for your CA parameters. Keyboard inputs are shown after each prompt; <Enter> means press the Enter key to accept the default value:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-ca.bat
Generating a 4096 bit RSA private key
......++
...............++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]:BobER3CertificateAuthority
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:OpenVPNBobER3-CA
Name [server]:OpenVPN-CA
Email Address [bob@handymanhowto.com]: <Enter>

C:\OpenVPN-Server-Client-Build\easy-rsa>

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now contains the following files:

  • ca.crt – Certificate Authority root Certificate.
    The certificate is Base64 encoded:
    -----BEGIN CERTIFICATE-----
    MIIFGzCCBAOgAwIBAgIJAI3wzhfEn68QMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCR0ExEDAOBgNVBAcTB0F0bGFudGExEDAOBgNVBAoT
    …many more lines of gibberish…
    ihZOPG/8ycnp5Fkh3rBFsoAdHmjbXF0HATK+rFvOyH9jmV8ZsUYwfN+Rw0D3+NRc
    ir6ksKr4nYrR/3lOzMj9
    -----END CERTIFICATE-----
  • ca.key – Certificate Authority Private Key. This must be kept secret!
    Which looks like this:
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwFnNZhIUmgXSa
    I16NP26m14pILJZueocIy7VUBKFi4Rd8hdtHX3JQ1KYFqEItxhDaN5bbOc+ATY8x
    …many more lines of gibberish…
    2gVNObBmpkQAnPAZzQE5V7l2htVNpCWya0JaCo0lxia9B+Wb+G5rRTHjc1CN0Drg
    SvehR/1UCmsvzTfcO3s8Jt9glg==
    -----END PRIVATE KEY-----
OpenVPN Easy RSA Certificate Authority Cert and Private Key Files


3.b Generate Server Certificate & Keys for the EdgeRouter OpenVPN Server

Run the build-key-server.bat script to generate the server certs and keys. Refer to your Excel Worksheet for the Server parameters.

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-server server
Generating a 4096 bit RSA private key……………………………………….++
………………..++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:
Name [server]: <Enter>
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme1
An optional company name []: <Enter>
Using configuration from openssl-1.0.0.cnf
Can't open keys/index.txt.attr for reading, No such file or directory
49444:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:74:fopen('keys/index.txt.attr','r')
49444:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :PRINTABLE:'OpenVPNBobER3'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until Apr  4 14:54:03 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

You can ignore the error message “Can’t open keys/index.txt.attr”. The file doesn’t exist on the 1st run and will be created as shown in the screen grab below.

The server.crt (Certificate) and server.key (Private Key) files are in the keys folder. Both are text format:

OpenVPN Easy RSA Create Server Certificate and Private Key build-key-server crt and key


The Ubiquiti EdgeRouter requires the Server Certificate in PEM file format instead of the CRT file. The server.crt written by Easy-RSA carries a human-readable dump of the certificate ahead of the Base64 block (which is why server.crt is 8,451 bytes in the listing below while server.pem is 2,648 bytes); the conversion keeps only the Base64 block. To convert the server.crt file to .pem format, run the following commands:

C:\OpenVPN-Server-Client-Build\easy-rsa\> cd keys
C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openssl x509 -in server.crt -outform PEM -out server.pem
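Both openssl-related steps so far, changing default_md away from MD5 and stripping server.crt down to its PEM block, can be checked offline. The following Python script is an added example, not part of this tutorial or of Easy-RSA: it pulls the Base64 CERTIFICATE block out of a .crt file the way the openssl x509 command above does, and reads the signature AlgorithmIdentifier inside tbsCertificate with a minimal DER walker, so an MD5- or SHA1-signed certificate is flagged before it is loaded on the EdgeRouter or an iPhone. It also accepts just the first Base64 line of a certificate, which is enough to inspect the two excerpts on this page: the ca.crt line decodes to sha256WithRSAEncryption, but the server.pem line decodes to md5WithRSAEncryption, so it is worth confirming on the real files that the openssl-1.0.0.cnf edit applied to certificates issued by build-key-server as well. The full sample file it runs on when given no path is a constructed stand-in, not one of the tutorial's certificates.

```python
import base64
import re
import sys

# Added example, not from the tutorial or Easy-RSA.

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# PKCS#1 RSA signature OIDs and whether the digest is acceptable for a VPN CA today.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", False),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
}

# First Base64 lines copied from the ca.crt and server.pem excerpts in this tutorial.
CA_CRT_FIRST_LINE = "MIIFGzCCBAOgAwIBAgIJAI3wzhfEn68QMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD"
SERVER_PEM_FIRST_LINE = "MIIFZTCCBE2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx"


def extract_pem(text):
    """Keep only the PEM block, as `openssl x509 -in server.crt -outform PEM` does;
    Easy-RSA's .crt files carry a text dump of the certificate ahead of it."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tbs_signature_algorithm(der):
    """Dotted OID of tbsCertificate.signature. A prefix of the DER is enough as long
    as it reaches the AlgorithmIdentifier (48 bytes do for the certificates here)."""
    _, cert_start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, cert_start)          # tbsCertificate ::= SEQUENCE
    tag, _, vend = _tlv(der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        tag, _, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, alg_start, _ = _tlv(der, vend)          # signature AlgorithmIdentifier
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected algorithm OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def describe(oid):
    name, ok = SIG_ALGS.get(oid, (oid, False))  # unknown algorithm: treat as not acceptable
    return {"algorithm": name, "acceptable": ok}


def check_pem_text(text):
    """Whole .crt or .pem file: strip to the PEM block, decode and inspect."""
    pem = extract_pem(text)
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    return {"pem": pem, **describe(tbs_signature_algorithm(der))}


def check_b64_prefix(first_line):
    """Only the first Base64 line of a certificate, as shown in the excerpts."""
    return describe(tbs_signature_algorithm(base64.b64decode(first_line)))


def constructed_sample(weak=False):
    """A constructed .crt-style file (text dump + PEM) around a minimal DER Certificate
    skeleton, not a real certificate: serial 1, a dummy signatureValue, no subject or
    key. Only the AlgorithmIdentifier matters for this check."""
    alg = (bytes.fromhex("300d06092a864886f70d0101")
           + bytes([0x04 if weak else 0x0B]) + bytes.fromhex("0500"))
    tbs_body = bytes.fromhex("020101") + alg
    tbs = bytes([0x30, len(tbs_body)]) + tbs_body
    body = tbs + alg + bytes.fromhex("030200ff")
    der = bytes([0x30, len(body)]) + body
    return ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python check_cert.py keys\server.crt
        with open(sys.argv[1], encoding="utf-8") as f:
            src = f.read()
    else:
        src = constructed_sample()
    result = check_pem_text(src)
    print(result["algorithm"], "OK" if result["acceptable"] else "WEAK: re-sign with SHA256")
```

Run it against keys\ca.crt, keys\server.crt and each client .crt after the cnf edit; anything other than a SHA-2 algorithm means the certificate must be re-issued before it goes on a device.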

A directory listing shows the newly created server.pem file:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>dir
Volume in drive C is OS
Volume Serial Number is 7A25-5D04

Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys

04/07/2018  10:57 AM    <DIR>          .
04/07/2018  10:57 AM    <DIR>          ..
04/07/2018  10:54 AM             8,451 01.pem
04/07/2018  10:46 AM             2,528 ca.crt
04/07/2018  10:44 AM             3,324 ca.key
04/07/2018  10:54 AM               143 index.txt
04/07/2018  10:54 AM                22 index.txt.attr
04/07/2018  10:54 AM                 4 serial
04/07/2018  10:54 AM             8,451 server.crt
04/07/2018  10:54 AM             1,846 server.csr
04/07/2018  10:53 AM             3,324 server.key
04/07/2018  10:57 AM             2,648 server.pem
10 File(s)         30,741 bytes
2 Dir(s)  401,981,198,336 bytes free

C:\OpenVPN-Server-Client-Build\easy-rsa\keys> cd ..
C:\OpenVPN-Server-Client-Build\easy-rsa\>

If openssl prints a warning during the conversion, it can be ignored. The server.pem file contents look like this:

-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRAwDgYDVQQHEwdBdGxhbnRhMRAwDgYDVQQKEwdPcGVuVlBO
…many more lines of gibberish…
PK/wfKa66UyayOyRsnhHLVoqZBfJSsOebwSuCbF7hmCqo3lVUPBtLFtr/TTBztAp
y/0wyjWeNqu7Ik2L2s1zQm9Ov3SJJczhzOp3QwLgQWbIMqOETkIn6B0=
-----END CERTIFICATE-----

3.c Generate Client Certificates & Keys for Multiple Devices

OpenVPN client certificates and keys will be generated for an Apple iPhone and Windows Laptop. If you have additional clients, repeat the following steps being careful to choose a unique Common Name for each VPN client. Refer to the Excel worksheet for your Client parameters.

Run the build-key-pass.bat script with the unique Common Name for each client. The PEM pass phrase is optional and encrypts the client private key. Use strong pass phrases instead of the simple ones used in this tutorial:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-pass Bob_Laptop
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 4096 bit RSA private key
....................................................................+++
................................................................+++
writing new private key to 'keys\Bob_Laptop.key'
Enter PEM pass phrase: opensaysme3
Verifying - Enter PEM pass phrase: opensaysme3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:Bob_Laptop
Name [server]:client
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme3
An optional company name []: opensaysme3
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :T61STRING:'Bob_Laptop'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until Apr  4 15:03:00 2028 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

Next generate the iPhone client cert and keys, taking care to input the unique PEM pass phrase, unique Common Name (Bob_iPhone) and Name = client to the script prompts:

C:\OpenVPN-Server-Client-Build\easy-rsa\>build-key-pass Bob_iPhone

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys directory now contains the Bob_Laptop and Bob_iPhone certificates (.crt) and keys (.key):

C:\OpenVPN-Server-Client-Build\easy-rsa>dir keys
Volume in drive C is OS
Volume Serial Number is 7A25-5D04

Directory of C:\OpenVPN-Server-Client-Build\easy-rsa\keys

04/07/2018  11:05 AM    <DIR>          .
04/07/2018  11:05 AM    <DIR>          ..
04/07/2018  10:54 AM             8,451 01.pem
04/07/2018  11:03 AM             8,334 02.pem
04/07/2018  11:05 AM             8,334 03.pem
04/07/2018  11:05 AM             8,334 Bob_iPhone.crt
04/07/2018  11:05 AM             1,860 Bob_iPhone.csr
04/07/2018  11:04 AM             3,468 Bob_iPhone.key
04/07/2018  11:03 AM             8,334 Bob_Laptop.crt
04/07/2018  11:02 AM             1,860 Bob_Laptop.csr
04/07/2018  11:01 AM             3,468 Bob_Laptop.key
04/07/2018  10:46 AM             2,528 ca.crt
04/07/2018  10:44 AM             3,324 ca.key
04/07/2018  11:05 AM               437 index.txt
04/07/2018  11:05 AM                22 index.txt.attr
04/07/2018  11:05 AM                 4 serial
04/07/2018  10:54 AM             8,451 server.crt
04/07/2018  10:54 AM             1,846 server.csr
04/07/2018  10:53 AM             3,324 server.key
04/07/2018  10:57 AM             2,648 server.pem
18 File(s)         75,027 bytes
2 Dir(s)  401,977,573,376 bytes free

BTW – the .csr files are Certificate Signing Request temporary files.

3.d Generate Diffie-Hellman Parameters

Diffie-Hellman key-exchange parameters are generated by the Easy RSA build-dh.bat script. An advantage of building the PKI on a Windows 10 Desktop PC is this step only took 37 seconds versus over 30 minutes on the EdgeRouter Lite because the EdgeRouter CPU isn’t as powerful as the desktop PC:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…….+…….+…………….+……………………………………….
…………………………………………………..+……………….
<many more lines>
…………………..+……………….++*++*

C:\OpenVPN-Server-Client-Build\easy-rsa>

The dh2048.pem file is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder. The 2048 bit size was specified by DH_KEY_SIZE in the vars.bat file.

3.e Harden OpenVPN – Generate TLS Authorization Pre-Shared Key

A TLS Authorization Pre-Shared Key adds an HMAC signature to every OpenVPN control-channel packet. Packets that do not carry a valid HMAC are dropped before the TLS handshake starts, which provides increased security and better resistance to Denial of Service (DoS) attacks by dropping unauthorized connection attempts to the EdgeRouter faster. Run the command:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openvpn --genkey --secret ta.key

A 2048 bit OpenVPN static key file ta.key is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder.
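To make concrete what the pre-shared key changes, here is an added example in Python that is not part of the tutorial or of OpenVPN. It reads a file in the ta.key format (a constructed 256-byte key stands in for the real one), derives per-direction HMAC keys, and shows that a control packet from a peer holding the key passes while a probe from someone without it, or a packet altered in flight, is discarded before any TLS processing would happen. The packet framing (a 32-byte HMAC-SHA256 tag in front of the payload) and the choice of which 64-byte slices of the key serve each direction are this model's simplifications, not OpenVPN's exact wire format.

```python
import hashlib
import hmac

# Added example, not from the tutorial or OpenVPN: a simplified model of tls-auth.

# Constructed stand-in for keys\ta.key, in the same layout as the real file:
# comment lines, then 16 lines of 32 hex digits (256 bytes) between the markers.
SAMPLE_TA_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(f"{i:02x}" * 16 for i in range(16))
    + "\n-----END OpenVPN Static key V1-----\n"
)


def parse_static_key(text):
    """Return the 256 key bytes from a file in OpenVPN static key V1 format."""
    lines = [line.strip() for line in text.splitlines()]
    try:
        start = lines.index("-----BEGIN OpenVPN Static key V1-----") + 1
        end = lines.index("-----END OpenVPN Static key V1-----")
    except ValueError:
        raise ValueError("not an OpenVPN static key file") from None
    key = bytes.fromhex("".join(lines[start:end]))
    if len(key) != 256:
        raise ValueError(f"expected 256 key bytes, got {len(key)}")
    return key


def hmac_keys(key, key_direction):
    """(send, receive) HMAC keys for one side. Model assumption: the 256 bytes are
    treated as four 64-byte sub-keys; bytes 64..127 authenticate direction-0 traffic,
    bytes 192..255 direction-1 traffic, and key-direction (keydir 0 on the server,
    keydir 1 on clients, as in the log excerpt) says which one a side sends with."""
    dir0, dir1 = key[64:128], key[192:256]
    return (dir0, dir1) if key_direction == 0 else (dir1, dir0)


def seal(packet, send_key):
    """Prepend an HMAC-SHA256 tag (the tutorial's config uses auth SHA256)."""
    return hmac.new(send_key, packet, hashlib.sha256).digest() + packet


def open_packet(wire, recv_key):
    """Return the packet if its tag verifies, else None. Returning None is the
    cheap drop that happens before the TLS handshake code ever runs."""
    tag, packet = wire[:32], wire[32:]
    if len(tag) != 32:
        return None
    expected = hmac.new(recv_key, packet, hashlib.sha256).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def demo(key_text=SAMPLE_TA_KEY):
    """Returns (genuine accepted, keyless probe dropped, tampered dropped, reply accepted)."""
    key = parse_static_key(key_text)
    server_send, server_recv = hmac_keys(key, 0)   # keydir 0 on the EdgeRouter
    client_send, client_recv = hmac_keys(key, 1)   # keydir 1 on the laptop or iPhone
    hello = b"control-channel hello (constructed stand-in for the first TLS packet)"
    genuine = open_packet(seal(hello, client_send), server_recv) == hello
    probe = open_packet(b"\x00" * 32 + hello, server_recv) is None   # no ta.key, no valid tag
    wire = bytearray(seal(hello, client_send))
    wire[-1] ^= 0x01                                # one payload bit flipped in flight
    tampered = open_packet(bytes(wire), server_recv) is None
    reply_ok = open_packet(seal(b"server reply", server_send), client_recv) == b"server reply"
    return genuine, probe, tampered, reply_ok


if __name__ == "__main__":
    print(demo())
```

Because the same ta.key must be present on the EdgeRouter and on every client, it is a secret like the private keys: copy it to each device over a trusted channel, not by e-mail.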

Aside: When TLS Authorization is enabled you’ll see entries in the EdgeRouter log (tail -n 100 /var/log/messages) where TLS connection attempts on port 443 are dropped before the hacker can try guessing login credentials. In this log excerpt a Russian IP address is trying to hack my network:

openvpn[2466]: Local Options String: 'V4,dev-type tun,link-mtu 1572,
               tun-mtu 1500,proto TCPv4_SERVER,
               comp-lzo,keydir 0,cipher AES-256-CBC,
               auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
openvpn[2466]: Expected Remote Options String: 'V4,dev-type tun,
               link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,
               keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,
               tls-auth,key-method 2,tls-client'
openvpn[2466]: Local Options hash (VER=V4): '165db97f'
openvpn[2466]: Expected Remote Options hash (VER=V4): '504bba81'
openvpn[2466]: TCP connection established with [AF_INET]185.40.4.109:44468
openvpn[2466]: TCPv4_SERVER link local: [undef]
openvpn[2466]: TCPv4_SERVER link remote: [AF_INET]185.40.4.109:44468
openvpn[2466]: 185.40.4.109:44468 WARNING: Bad encapsulated packet length
               from peer (18245), which must be > 0 and <= 1572 -- please ensure
               that --tun-mtu or --link-mtu is equal on both peers -- this
               condition could also indicate a possible active attack on the
               TCP link -- [Attempting restart...]
openvpn[2466]: 185.40.4.109:44468 Connection reset, restarting [0]
openvpn[2466]: 185.40.4.109:44468 SIGUSR1[soft,connection-reset] received,
               client-instance restarting
openvpn[2466]: TCP/UDP: Closing socket

Probing and unauthorized connection attempts happen all the time. I monitor my logs and update the EdgeRouter firewall block list.
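For the log monitoring described above, here is an added example in Python (not part of the tutorial) that tallies, per source address, how many TCP connections were opened, how many tripped the "Bad encapsulated packet length" check, and how many completed a handshake, then lists the addresses that only ever tripped the check as candidates to review against the firewall block list. It also decodes the rejected "length": OpenVPN reads the first two bytes of a TCP stream as a big-endian packet length, so when a prober speaks some other protocol those bytes are just its opening text (the 18245 in the excerpt is ASCII "GE", consistent with an HTTP GET aimed at port 443). The sample lines are constructed from the excerpt; the hostname, timestamps and the second and third addresses are made up.

```python
import re
from collections import defaultdict

# Added example, not from the tutorial: triage of OpenVPN TCP-side rejections.

# Constructed sample log. The first address and the 18245 value come from the
# tutorial's excerpt; the hostname, timestamps and other addresses are made up.
SAMPLE_LOG = """\
Apr  7 12:00:01 ubnt openvpn[2466]: TCP connection established with [AF_INET]185.40.4.109:44468
Apr  7 12:00:01 ubnt openvpn[2466]: 185.40.4.109:44468 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
Apr  7 12:00:01 ubnt openvpn[2466]: 185.40.4.109:44468 Connection reset, restarting [0]
Apr  7 12:03:15 ubnt openvpn[2466]: TCP connection established with [AF_INET]192.0.2.77:51022
Apr  7 12:03:15 ubnt openvpn[2466]: 192.0.2.77:51022 WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1572 -- [Attempting restart...]
Apr  7 12:03:16 ubnt openvpn[2466]: 192.0.2.77:51022 Connection reset, restarting [0]
Apr  7 12:09:40 ubnt openvpn[2466]: TCP connection established with [AF_INET]192.0.2.77:51030
Apr  7 12:09:40 ubnt openvpn[2466]: 192.0.2.77:51030 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- [Attempting restart...]
Apr  7 12:30:00 ubnt openvpn[2466]: TCP connection established with [AF_INET]10.0.0.5:40000
Apr  7 12:30:02 ubnt openvpn[2466]: 10.0.0.5:40000 Peer Connection Initiated with [AF_INET]10.0.0.5:40000
"""

ESTABLISHED = re.compile(r"TCP connection established with \[AF_INET\](?P<ip>[\d.]+):\d+")
BAD_LENGTH = re.compile(
    r"(?P<ip>[\d.]+):\d+ WARNING: Bad encapsulated packet length from peer \((?P<length>\d+)\)")
INITIATED = re.compile(r"(?P<ip>[\d.]+):\d+ Peer Connection Initiated")


def length_as_ascii(length):
    """The two bytes OpenVPN read as a packet length, shown as text when printable."""
    b = length.to_bytes(2, "big")
    return b.decode("ascii") if all(32 <= c < 127 for c in b) else b.hex()


def triage(log_text):
    """Per source IP: connections opened, bad-length rejections (with the decoded
    two-byte prefixes seen), and completed handshakes."""
    stats = defaultdict(lambda: {"connections": 0, "bad_length": 0,
                                 "handshakes": 0, "prefixes": set()})
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            stats[m["ip"]]["connections"] += 1
            continue
        m = BAD_LENGTH.search(line)
        if m:
            stats[m["ip"]]["bad_length"] += 1
            stats[m["ip"]]["prefixes"].add(length_as_ascii(int(m["length"])))
            continue
        m = INITIATED.search(line)
        if m:
            stats[m["ip"]]["handshakes"] += 1
    return {ip: {**s, "prefixes": sorted(s["prefixes"])} for ip, s in stats.items()}


def block_candidates(stats, min_bad=1):
    """Addresses that never completed a handshake but tripped the length check."""
    return sorted(ip for ip, s in stats.items()
                  if s["handshakes"] == 0 and s["bad_length"] >= min_bad)


if __name__ == "__main__":
    # On the EdgeRouter the input would be the output of: tail -n 100 /var/log/messages
    report = triage(SAMPLE_LOG)
    for ip in block_candidates(report):
        s = report[ip]
        print(f"{ip}: {s['connections']} connections, {s['bad_length']} rejected, "
              f"opening bytes {s['prefixes']}")
```

Raising min_bad filters out one-off scanners and keeps the list to repeat offenders; a legitimate client with a mismatched MTU would show up too, which is why the handshake count is tracked alongside the rejections.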

This project is continued in EdgeRouter OpenVPN Server – Client Mode Configuration Steps.

Best,

Bob

Copyright © 2019 HandymanHowTo.com   Reproduction strictly prohibited.