openvpn and PKI and Synology CS407

January 3rd, 2009 § 2 Comments

The following is a summary of all required steps to enable your CS407 to use openvpn with your own PKI – I was following these instructions. If you want to install and configure openvpn, follow this link.

  1. download and extract openvpn-2.x.zip
  2. copy the easy-rsa folder to /opt/etc/openvpn/easy-rsa
  3. edit vars in folder /opt/etc/openvpn/easy-rsa
    export KEY_CONFIG=/opt/etc/openvpn/easy-rsa/openssl.cnf
    export KEY_DIR=/opt/etc/openvpn/private.lan/keys
    export KEY_COUNTRY=YOURCOUNTRY
    export KEY_PROVINCE=YOURPROVINCE
    export KEY_CITY=YOURCITY
    export KEY_ORG="YOURCOMPANY"
    export KEY_EMAIL="YOUREMAILADDRESS"
    The same file sets KEY_SIZE=1024; raise it to 2048, because 1024-bit RSA keys (and the dh1024.pem that build-dh derives from the same setting) are no longer considered adequate.
  4. switch to a bash shell (the prompt becomes bash-3.2#); the easy-rsa scripts expect bash
  5. . vars
  6. ./clean-all (this empties KEY_DIR; run it once when you create the CA and never again when adding or revoking clients later, or the CA key and its database are lost)

As you create certificates, keys, and certificate signing requests, understand that only the .key files must be kept confidential: the private keys, and the tls-auth shared secret ta.key generated below. .crt and .csr files contain only public data and can be sent over insecure channels such as plaintext email. ca.key is only ever needed on the signing host and should stay there.

  • Start with building your own Certificate Authority
  • ./build-ca

Generating a 1024 bit RSA private key, writing new private key to ‘ca.key’
You are about to be asked to enter information that will be incorporated into your certificate request. This information is retrieved from your vars file.
For the Common Name, which here names the CA itself, use something unique, e.g. a combination of your server name and MAC address: CS4071101AF2018964

  • Create your server key files (build-key-server signs the certificate with the server extensions, nsCertType=server, so clients can distinguish it from a client certificate)
  • ./build-key-server server

Generating a 1024 bit RSA private key, writing new private key to ‘server.key’
Common Name (eg, your name or your server’s hostname) :cs407
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

  • Then create your client key files
  • ./build-key thinkpad

Generating a 1024 bit RSA private key, writing new private key to ‘thinkpad.key’
Common Name (eg, your name or your server’s hostname) []:thinkpad
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

  • Generate Diffie Hellman parameters (build-dh writes dh<KEY_SIZE>.pem, i.e. dh1024.pem with the default key size; this takes a while on the CS407)
  • ./build-dh

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key. It adds an HMAC to every control-channel packet, so the server drops packets that lack a valid HMAC before any TLS handshake starts and unauthenticated peers never reach the TLS stack:

  • openvpn --genkey --secret ta.key

In the server configuration file (server.ovpn), add:

tls-auth ta.key 0
max-clients 5 (or whatever number of simultaneous clients you want to allow)

Copy the following files to the CS407 folder /opt/etc/openvpn/config:

  1. ca.crt
  2. dh1024.pem
  3. server.crt
  4. server.key
  5. server.ovpn
  6. ta.key

Copy the following files to your client folder C:\Program Files\OpenVPN\config (thinkpad.key and ta.key are secrets, so transfer them over a secure channel such as scp or a USB stick, not by email):

  1. ca.crt
  2. thinkpad.crt
  3. thinkpad.key
  4. client.ovpn
  5. ta.key

In the client configuration file (client.ovpn), add:

tls-auth ta.key 1

Also add remote-cert-tls server (on OpenVPN 2.0, which lacks that directive, use ns-cert-type server instead). It makes the client refuse any certificate that build-key-server did not issue with the server extensions, so a certificate signed by the same CA for another client cannot be used to impersonate the server.

Restart openvpn on your CS407 and connect your openvpn client:

cd /opt/etc/init.d
sh S24openvpn

In case you need to revoke access for specific users:

. vars
./revoke-full "clientname"

revoke-full writes an updated certificate revocation list to $KEY_DIR/crl.pem. Revocation only takes effect once that file is copied next to server.ovpn and the server configuration contains crl-verify crl.pem; until then the revoked certificate is still accepted. Repeat the copy after every revocation, and do not run clean-all at this point, since it would wipe the CA database.
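The checks a practitioner would run after the steps above, as an added example that is not part of the original post: a POSIX sh script that lints the server.ovpn/client.ovpn pair (tls-auth directions 0 and 1, the client pinning the server certificate type, crl-verify on the server) and the permissions of every *.key file in the keys folder. The weak and hardened config pairs and the dummy key files it writes into a temporary directory are constructed for the demo; the directive names are real OpenVPN 2.x directives.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX sh lint for the
# server.ovpn/client.ovpn pair and the key directory built above.
# The file layout and the demo contents written by make_demo are constructed
# here for illustration; they are not the post's files.

# Print the tls-auth key direction set in FILE ("0", "1" or empty if absent).
tls_auth_direction() {
    awk '$1 == "tls-auth" { print $3; exit }' "$1"
}

# Return 0 if FILE sets DIRECTIVE (leading whitespace allowed, comments ignored).
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_pair SERVER_OVPN CLIENT_OVPN: 0 if the pair is consistent and hardened.
check_pair() {
    srv=$1; cli=$2; rc=0
    sdir=$(tls_auth_direction "$srv"); cdir=$(tls_auth_direction "$cli")
    # The post uses direction 0 on the server and 1 on the client; both sides
    # using the same direction means the HMAC keys do not match and the handshake fails.
    if [ "$sdir" != "0" ] || [ "$cdir" != "1" ]; then
        echo "FAIL tls-auth direction: server='$sdir' client='$cdir' (expected 0 / 1)"; rc=1
    fi
    # Without this, any certificate signed by ca.crt (e.g. another client's) can pose as the server.
    if ! has_directive "$cli" "remote-cert-tls" && ! has_directive "$cli" "ns-cert-type"; then
        echo "FAIL client: add 'remote-cert-tls server' (2.1+) or 'ns-cert-type server' (2.0)"; rc=1
    fi
    # Only a warning: revoke-full is useless unless the server checks the CRL.
    if ! has_directive "$srv" "crl-verify"; then
        echo "WARN server: no crl-verify, so revoke-full will not lock anyone out"
    fi
    return $rc
}

# check_secret_perms DIR: 0 if no *.key (private keys and ta.key) in DIR is group/world readable.
check_secret_perms() {
    rc=0
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        # columns 5-10 of ls -l are the group and other permission bits
        bits=$(ls -l "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL $f: group/other bits are '$bits'; chmod 600 it"; rc=1
        fi
    done
    return $rc
}

# make_demo DIR: constructed demo data, a weak pair, a hardened pair and dummy keys.
make_demo() {
    d=$1
    mkdir -p "$d/weak" "$d/ok" "$d/keys"
    printf 'port 1194\ndev tun\ntls-auth ta.key 0\n' > "$d/weak/server.ovpn"
    printf 'client\nremote cs407 1194\ntls-auth ta.key 0\n' > "$d/weak/client.ovpn"
    printf 'port 1194\ndev tun\ntls-auth ta.key 0\nmax-clients 5\ncrl-verify crl.pem\n' > "$d/ok/server.ovpn"
    printf 'client\nremote cs407 1194\ntls-auth ta.key 1\nremote-cert-tls server\n' > "$d/ok/client.ovpn"
    echo dummy > "$d/keys/server.key";   chmod 600 "$d/keys/server.key"
    echo dummy > "$d/keys/thinkpad.key"; chmod 644 "$d/keys/thinkpad.key"   # deliberately too open
}

# Stand-alone run over the constructed demo data.
demo=$(mktemp -d)
make_demo "$demo"
echo "== weak pair";       check_pair "$demo/weak/server.ovpn" "$demo/weak/client.ovpn" || true
echo "== hardened pair";   check_pair "$demo/ok/server.ovpn" "$demo/ok/client.ovpn" && echo "pair OK"
echo "== key permissions"; check_secret_perms "$demo/keys" || true
rm -rf "$demo"
```

On the CS407 itself, point check_pair at /opt/etc/openvpn/config/server.ovpn and a copy of the client's client.ovpn, and check_secret_perms at /opt/etc/openvpn/config; the same script runs under the NAS's sh as well as under bash.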
