The Public Key Infrastructure (PKI) is built for the EdgeRouter OpenVPN small office/home office (SOHO) network. This project is continued from the Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial.

Project series index:

EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA

The PKI consists of the Certificate Authority, Certificates and Keys. The PKI steps are illustrated in this excerpt from the OpenVPN master process diagram:

EdgeRouter OpenVPN - Create Public Key Infrastructure with Easy RSA

3.  Create a Public Key Infrastructure (PKI) with Easy-RSA

The PKI is built using the easy-rsa scripts on a Windows 10 Admin PC as described in the tutorial introduction:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

Initialize the PKI

The easy-rsa scripts are Windows batch (.bat) files run from the command line. Press the Windows Logo Key + X to open the Quick Links menu, then click Command Prompt (Admin):

Windows 10 Command Prompt - Run as Admin

From the Command Prompt, change directory to the working folder:  cd C:\OpenVPN-Server-Client-Build\easy-rsa

Initialize the PKI and copy the sample variables:

C:\OpenVPN-Server-Client-Build\easy-rsa>init-config.bat

The Command Prompt session is:

OpenVPN Easy RSA Script init-config

Edit vars.bat with a text editor to customize your parameters: HOME directory, key size, country, state, city, email, CN, NAME and OU. I recommend a minimum 2048 bit key size for stronger encryption. Refer to the Excel worksheet created in the first part of this tutorial where the CA parameters were documented. In the following file listing, lines beginning with “rem” are comments.

C:\OpenVPN-Server-Client-Build\easy-rsa\vars.bat edits are highlighted in green:

rem set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set HOME=C:\OpenVPN-Server-Client-Build\easy-rsa

rem set KEY_SIZE=1024
set KEY_SIZE=2048

set KEY_COUNTRY=US
set KEY_PROVINCE=GA
set KEY_CITY=Atlanta
set KEY_ORG=OpenVPN
set KEY_EMAIL=bob@handymanhowto.com
set KEY_CN=OpenVPNBobER3
set KEY_NAME=server
set KEY_OU=HomeNetwork
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234

Save your changes to vars.bat.

Next run the following batch scripts:

C:\OpenVPN-Server-Client-Build\easy-rsa\vars.bat
C:\OpenVPN-Server-Client-Build\easy-rsa\clean-all.bat

Screen grab for the above commands:

OpenVPN Easy RSA Scripts vars and clean-all

3.a Build Certificate Authority: build-ca.bat

A local Certificate Authority (CA) is built using the build-ca.bat script. Refer to the Excel worksheet for your CA parameters. Keyboard inputs are highlighted in green. Press the Enter key to accept the default value:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-ca.bat
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.......+++
....................+++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]:BobER3CertificateAuthority
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:OpenVPNBobER3-CA
Name [server]:OpenVPN-CA
Email Address [bob@handymanhowto.com]: <Enter>

C:\OpenVPN-Server-Client-Build\easy-rsa>

The Command Prompt screen grab for the above is:

OpenVPN Easy RSA Build Certificate Authority build-ca

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now contains the following files:

  • ca.crt – Certificate Authority root Certificate.
    The certificate is Base64 encoded:
    -----BEGIN CERTIFICATE-----
    MIIFGzCCBAOgAwIBAgIJAI3wzhfEn68QMA0GCSqGSIb3DQEBCwUAMIG5MQswCQYD
    VQQGEwJVUzELMAkGA1UECBMCR0ExEDAOBgNVBAcTB0F0bGFudGExEDAOBgNVBAoT
    …many more lines of gibberish…
    ihZOPG/8ycnp5Fkh3rBFsoAdHmjbXF0HATK+rFvOyH9jmV8ZsUYwfN+Rw0D3+NRc
    ir6ksKr4nYrR/3lOzMj9
    -----END CERTIFICATE-----
  • ca.key – Certificate Authority Private Key. This must be kept secret!
    Which looks like this:
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCwFnNZhIUmgXSa
    I16NP26m14pILJZueocIy7VUBKFi4Rd8hdtHX3JQ1KYFqEItxhDaN5bbOc+ATY8x
    …many more lines of gibberish…
    2gVNObBmpkQAnPAZzQE5V7l2htVNpCWya0JaCo0lxia9B+Wb+G5rRTHjc1CN0Drg
    SvehR/1UCmsvzTfcO3s8Jt9glg==
    -----END PRIVATE KEY-----

OpenVPN Easy RSA Certificate Authority Cert and Private Key Files

3.b  Generate Server Certificate & Keys for the EdgeRouter OpenVPN Server

Run the build-key-server.bat script to generate the server certs and keys. Refer to your Excel Worksheet for the Server parameters.

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-server server
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
.....................................................................................................................................................+++
...........+++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]: <Enter>
Name [server]: <Enter>
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme1
An optional company name []: opensaysme1
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :PRINTABLE:'OpenVPNBobER3'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until May  5 16:02:54 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

The server.crt (Certificate) and server.key (Private Key) files are in the keys folder. Both are text format:

OpenVPN Easy RSA Create Server Certificate and Private Key build-key-server crt and key

The Ubiquiti EdgeRouter requires a Server Certificate in PEM file format instead of CRT. To convert the server.crt file to .pem format, run the following commands:

C:\OpenVPN-Server-Client-Build\easy-rsa\> cd keys
C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openssl x509 -in server.crt -outform PEM -out server.pem

WARNING: can't open config file: /etc/ssl/openssl.cnf

C:\OpenVPN-Server-Client-Build\easy-rsa\keys> cd ..
C:\OpenVPN-Server-Client-Build\easy-rsa\>

The above warning can be ignored. The server.pem file contents look like this:

-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBuTELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAkdBMRAwDgYDVQQHEwdBdGxhbnRhMRAwDgYDVQQKEwdPcGVuVlBO
…many more lines of gibberish…
PK/wfKa66UyayOyRsnhHLVoqZBfJSsOebwSuCbF7hmCqo3lVUPBtLFtr/TTBztAp
y/0wyjWeNqu7Ik2L2s1zQm9Ov3SJJczhzOp3QwLgQWbIMqOETkIn6B0=
-----END CERTIFICATE-----

3.c  Generate Client Certificates & Keys for Multiple Devices

OpenVPN client certificates and keys will be generated for an Apple iPhone and Windows Laptop. If you have additional clients, repeat the following steps being careful to choose a unique Common Name for each VPN client. Refer to the Excel worksheet for your Client parameters.

Run the build-key-pass.bat script with the unique Common Name for each client. The PEM pass phrase is optional; when given, it encrypts the client private key. Use strong pass phrases rather than the simple ones shown in this tutorial:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-key-pass Bob_Laptop
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
....................................................................+++
....................................................................+++
writing new private key to 'keys\Bob_Laptop.key'
Enter PEM pass phrase: opensaysme3
Verifying - Enter PEM pass phrase: opensaysme3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: <Enter>
State or Province Name (full name) [GA]: <Enter>
Locality Name (eg, city) [Atlanta]: <Enter>
Organization Name (eg, company) [OpenVPN]: <Enter>
Organizational Unit Name (eg, section) [HomeNetwork]: <Enter>
Common Name (eg, your name or your server's hostname) [OpenVPNBobER3]:Bob_Laptop
Name [server]:client
Email Address [bob@handymanhowto.com]: <Enter>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: opensaysme3
An optional company name []: opensaysme3
WARNING: can't open config file: /etc/ssl/openssl.cnf
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'GA'
localityName          :PRINTABLE:'Atlanta'
organizationName      :PRINTABLE:'OpenVPN'
organizationalUnitName:PRINTABLE:'HomeNetwork'
commonName            :T61STRING:'Bob_Laptop'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'bob@handymanhowto.com'
Certificate is to be certified until May  5 16:44:48 2027 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

C:\OpenVPN-Server-Client-Build\easy-rsa>

Next generate the iPhone client cert and keys, taking care to input the unique PEM pass phrase, unique Common Name (Bob_iPhone) and Name = client to the script prompts:

C:\OpenVPN-Server-Client-Build\easy-rsa\>build-key-pass Bob_iPhone

The C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now contains the Bob_Laptop and Bob_iPhone certificates (.crt) and keys (.key):

OpenVPN Easy RSA Create Client Certificates and Keys build-key-pass

BTW – the .csr files are Certificate Signing Request temporary files.

3.d  Generate Diffie-Hellman Parameters

Diffie-Hellman key-exchange parameters are generated by the Easy RSA build-dh.bat script. An advantage of building the PKI on a Windows 10 desktop PC is that this step took only 37 seconds, versus over 30 minutes on the EdgeRouter Lite, whose CPU is far less powerful than the desktop PC's:

C:\OpenVPN-Server-Client-Build\easy-rsa>build-dh
WARNING: can't open config file: /etc/ssl/openssl.cnf
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…+…………………………………………….+……………+..+…………………………………………………………………………………………………………………………………………………………………………………………………………..+……………………
<many more lines>
………+………………………………………………………………………………………………………………..+………..+……………………………………………………………………………………………………….+………………………+…………….+………………………………………………………….+……………………………………………………………….++*++*

C:\OpenVPN-Server-Client-Build\easy-rsa>

The dh2048.pem file is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder. The 2048 bit size comes from the KEY_SIZE setting in vars.bat.

3.e  Harden OpenVPN – Generate TLS Authorization Pre-Shared Key

A TLS Authorization Pre-Shared Key provides increased security and better resistance to Denial of Service (DoS) attacks because the EdgeRouter drops unauthorized connection attempts sooner. Run the command:

C:\OpenVPN-Server-Client-Build\easy-rsa\keys>openvpn --genkey --secret ta.key

A 2048 bit OpenVPN static key file, ta.key, is created in the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder.
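The Python script below is an added audit of the keys folder, not part of this tutorial. It ties together the points made in 3.a, 3.c and 3.e: the CA, server and tls-auth files exist, client keys built with build-key-pass are pass-phrase encrypted, ta.key is a 2048 bit static key, and server.pem carries the same certificate as server.crt. It assumes the file names used in this tutorial; the SAMPLE_FILES contents are constructed stand-ins, not real key material.

```python
import base64
import re

def armor_body(text, label):
    """Text between -----BEGIN <label>----- and -----END <label>-----, whitespace removed, or None."""
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", text, re.S)
    return "".join(m.group(1).split()) if m else None

def pem_der(text, label="CERTIFICATE"):
    """DER bytes of a PEM block, or None if the armor is missing or the body is not valid base64."""
    body = armor_body(text, label)
    try:
        return base64.b64decode(body, validate=True) if body is not None else None
    except ValueError:  # binascii.Error is a ValueError
        return None

def static_key_bits(text):
    """Bit length of an 'openvpn --genkey --secret' file (hex digits inside its armor)."""
    body = armor_body(text, "OpenVPN Static key V1") or ""
    return len(body) * 4 if re.fullmatch(r"[0-9a-fA-F]+", body) else 0

def audit_keys(files):
    """files maps file name -> text content. Returns findings; an empty list means all checks passed."""
    findings = [f"{n}: missing" for n in ("ca.crt", "ca.key", "server.crt", "server.key", "ta.key") if n not in files]
    for name, text in files.items():
        if name.endswith(".crt") or (name.endswith(".pem") and name != "dh2048.pem"):
            der = pem_der(text)
            if der is None or der[:1] != b"\x30":  # a certificate is a DER SEQUENCE (tag 0x30)
                findings.append(f"{name}: not a PEM certificate")
        elif name.endswith(".key") and name not in ("ca.key", "server.key", "ta.key"):
            # build-key-pass writes 'ENCRYPTED PRIVATE KEY' (PKCS#8) or 'Proc-Type: 4,ENCRYPTED' (legacy)
            if "ENCRYPTED PRIVATE KEY" not in text and "Proc-Type: 4,ENCRYPTED" not in text:
                findings.append(f"{name}: client private key is not pass-phrase protected")
    if "ta.key" in files and static_key_bits(files["ta.key"]) != 2048:
        findings.append("ta.key: expected a 2048 bit OpenVPN static key")
    if "server.crt" in files and "server.pem" in files and pem_der(files["server.crt"]) != pem_der(files["server.pem"]):
        findings.append("server.pem: does not carry the same certificate as server.crt")
    return findings

# Constructed stand-ins (not real key material): a 5-byte DER SEQUENCE as cert body, 'AA==' as key body, 16 x 32 hex digits as the static key.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nAA==\n-----END PRIVATE KEY-----\n"
SAMPLE_FILES = {
    "ca.crt": FAKE_CERT, "ca.key": PLAIN_KEY, "server.key": PLAIN_KEY,
    "server.crt": FAKE_CERT, "server.pem": FAKE_CERT,  # x509 -outform PEM re-emits the same certificate
    "Bob_Laptop.key": PLAIN_KEY.replace("PRIVATE", "ENCRYPTED PRIVATE"),
    "Bob_iPhone.key": PLAIN_KEY,  # simulates a client key built without a pass phrase
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n" + "\n".join(["0123456789abcdef" * 2] * 16)
              + "\n-----END OpenVPN Static key V1-----\n",
}
```

To run it against the real folder, build the dictionary from the files, e.g. `{p.name: p.read_text() for p in Path(folder).iterdir() if p.is_file()}`, and print `audit_keys(...)`.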

Aside: When TLS Authorization is enabled you’ll see entries in the EdgeRouter log (tail -n 100 /var/log/messages) where TLS connection attempts on port 443 are dropped before the hacker can try guessing login credentials. In this log excerpt a Russian IP address is trying to hack my network:

openvpn[2466]: Local Options String: 'V4,dev-type tun,link-mtu 1572,
               tun-mtu 1500,proto TCPv4_SERVER,
               comp-lzo,keydir 0,cipher AES-256-CBC,
               auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
openvpn[2466]: Expected Remote Options String: 'V4,dev-type tun,
               link-mtu 1572,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,
               keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,
               tls-auth,key-method 2,tls-client'
openvpn[2466]: Local Options hash (VER=V4): '165db97f'
openvpn[2466]: Expected Remote Options hash (VER=V4): '504bba81'
openvpn[2466]: TCP connection established with [AF_INET]185.40.4.109:44468
openvpn[2466]: TCPv4_SERVER link local: [undef]
openvpn[2466]: TCPv4_SERVER link remote: [AF_INET]185.40.4.109:44468
openvpn[2466]: 185.40.4.109:44468 WARNING: Bad encapsulated packet length
               from peer (18245), which must be > 0 and <= 1572 -- please ensure
               that --tun-mtu or --link-mtu is equal on both peers -- this
               condition could also indicate a possible active attack on the
               TCP link -- [Attempting restart...]
openvpn[2466]: 185.40.4.109:44468 Connection reset, restarting [0]
openvpn[2466]: 185.40.4.109:44468 SIGUSR1[soft,connection-reset] received,
               client-instance restarting
openvpn[2466]: TCP/UDP: Closing socket

Probing and unauthorized connection attempts happen all the time. I monitor my logs and update the EdgeRouter firewall block list.
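As an added example, not from the original post, the Python below applies the log-monitoring idea of this aside to constructed log lines in the same /var/log/messages format as the excerpt above: it counts handshakes the EdgeRouter rejected per source address and lists repeat sources that never completed a handshake, as a review list for the firewall block list. Two assumptions go beyond the excerpt: the "cannot locate HMAC" message is OpenVPN's tls-auth rejection text, and the addresses are RFC 5737 test ranges.

```python
import re
from collections import Counter, defaultdict

PEER = r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
# Lines that mean the EdgeRouter threw a connection away before any credential exchange:
# the "Bad encapsulated packet length" warning from the excerpt above, and OpenVPN's
# tls-auth rejection "TLS Error: cannot locate HMAC in incoming packet" (not shown above).
REJECTS = {
    "bad_length": re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ WARNING: Bad encapsulated packet length"),
    "no_hmac": re.compile(r"TLS Error: cannot locate HMAC in incoming packet from " + PEER),
}
# A completed handshake names the client certificate's Common Name in square brackets.
ACCEPT = re.compile(r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with " + PEER)

def summarize(lines):
    """Per-source-IP counts of rejected handshakes, plus CN -> IP for accepted clients."""
    rejected, accepted = defaultdict(Counter), {}
    for line in lines:
        for kind, rx in REJECTS.items():
            m = rx.search(line)
            if m:
                rejected[m.group("ip")][kind] += 1
        m = ACCEPT.search(line)
        if m:
            accepted[m.group("cn")] = m.group("ip")
    return rejected, accepted

def block_candidates(rejected, accepted, threshold=3):
    """Sources with at least `threshold` rejections and no accepted session: review these for the block list."""
    trusted = set(accepted.values())
    return sorted(ip for ip, kinds in rejected.items() if sum(kinds.values()) >= threshold and ip not in trusted)

# Constructed sample in the /var/log/messages format of the excerpt above; RFC 5737 test addresses.
SAMPLE_LOG = """\
May  5 16:02:54 ubnt openvpn[2466]: TCP connection established with [AF_INET]203.0.113.7:44468
May  5 16:02:54 ubnt openvpn[2466]: 203.0.113.7:44468 WARNING: Bad encapsulated packet length from peer (18245), which must be > 0 and <= 1572 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]
May  5 16:02:54 ubnt openvpn[2466]: 203.0.113.7:44468 Connection reset, restarting [0]
May  5 16:03:10 ubnt openvpn[2466]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:44512
May  5 16:03:41 ubnt openvpn[2466]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.7:44530
May  5 16:05:02 ubnt openvpn[2466]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.23:51000
May  5 16:07:19 ubnt openvpn[2466]: 192.0.2.44:61234 [Bob_Laptop] Peer Connection Initiated with [AF_INET]192.0.2.44:61234
"""

if __name__ == "__main__":
    rejected, accepted = summarize(SAMPLE_LOG.splitlines())
    for ip, kinds in rejected.items():
        print(ip, dict(kinds))
    print("review for block list:", block_candidates(rejected, accepted))
```

On the router, feed it real lines with `summarize(open("/var/log/messages").read().splitlines())` instead of SAMPLE_LOG.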

This project is continued in EdgeRouter OpenVPN Server – Client Mode Configuration Steps.

Best,

Bob

Copyright © 2017 HandymanHowTo.com   Reproduction strictly prohibited.