openvpn and PKI and Synology CS407

The following is a summary of all required steps to enable your CS407 to use openvpn with your own PKI – I was following these instructions. If you want to install and configure openvpn, follow this link.

  1. download and extract openvpn-2.x.zip
  2. copy easy-rsa folder to /opt/etc/openvpn/easy-rsa
  3. edit vars in folder /opt/etc/openvpn/easy-rsa
    export KEY_CONFIG=/opt/etc/openvpn/easy-rsa/openssl.cnf
    export KEY_DIR=/opt/etc/openvpn/private.lan/keys
    export KEY_COUNTRY=YOURCOUNTRY
    export KEY_PROVINCE=YOURPROVINCE
    export KEY_CITY=YOURCITY
    export KEY_ORG="YOURCOMPANY"
    export KEY_EMAIL="YOUREMAILADDRESS"
  4. switch to bash shell: bash-3.2#
  5. . vars
  6. ./clean-all

As you create certificates, keys, and certificate signing requests, understand that only .key files should be kept confidential. .crt and .csr files can be sent over insecure channels such as plaintext email.

  • Start with building your own Certificate Authority
  • ./build-ca

Generating a 1024 bit RSA private key, writing new private key to 'ca.key'
You are about to be asked to enter information that will be incorporated into your certificate request. This information is retrieved from your vars file.
For the Common Name use e.g. a combination of your server name and MAC address: CS4071101AF2018964

  • Create your server key files
  • ./build-key-server server

Generating a 1024 bit RSA private key, writing new private key to 'server.key'
Common Name (eg, your name or your server's hostname) :cs407
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

  • Then create your client key files
  • ./build-key thinkpad

Generating a 1024 bit RSA private key, writing new private key to 'thinkpad.key'
Common Name (eg, your name or your server's hostname) []:thinkpad
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

  • Generate Diffie Hellman parameters
  • ./build-dh

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

  • openvpn --genkey --secret ta.key

In the server configuration file (server.ovpn), add:

tls-auth ta.key 0
max-clients 5 (or any number)

Copy the following files to the CS407 folder /opt/etc/openvpn/config:

  1. ca.crt
  2. dh1024.pem
  3. server.crt
  4. server.key
  5. server.ovpn
  6. ta.key

Copy the following files to your client folder C:\Program Files\OpenVPN\config

  1. ca.crt
  2. thinkpad.crt
  3. thinkpad.key
  4. client.ovpn
  5. ta.key

In the client configuration file (client.ovpn), add:

tls-auth ta.key 1

Restart openvpn on your CS407 and connect your openvpn client:

cd /opt/etc/init.d
sh S24openvpn

In case you need to revoke access for specific users:

. vars
./revoke-full "clientname"
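Before restarting openvpn it is worth checking that each config folder actually holds the files from the two copy lists above, that the secret files (the .key files and ta.key) are not readable by other users, and that the tls-auth key direction is 0 in server.ovpn and 1 in client.ovpn. The following pre-flight script is an added example for this post, not something shipped with easy-rsa or the CS407 packages; the function name check_ovpn_dir and its arguments are my own choice, and the permission check only makes sense on the NAS (Unix permissions), not on the Windows client folder.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN config folder built with the steps above.
# Usage: check_ovpn_dir DIR ROLE NAME
#   ROLE = server | client, NAME = certificate/key basename ("server" or "thinkpad")
# Prints every problem found and returns 0 only when the folder is clean.
check_ovpn_dir() {
    dir=$1; role=$2; name=$3; rc=0
    case "$role" in
        server) files="ca.crt dh1024.pem $name.crt $name.key server.ovpn ta.key"; want=0 ;;
        client) files="ca.crt $name.crt $name.key client.ovpn ta.key"; want=1 ;;
        *) echo "role must be server or client"; return 2 ;;
    esac
    # 1. every file from the copy list for this role must be present
    for f in $files; do
        [ -f "$dir/$f" ] || { echo "missing: $f"; rc=1; }
    done
    # 2. only the private key and the tls-auth secret are confidential:
    #    neither may be group- or world-readable (find -perm with octal bits is POSIX)
    for f in "$name.key" ta.key; do
        p="$dir/$f"
        [ -f "$p" ] || continue
        if [ -n "$(find "$p" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "too permissive: $f (chmod 600 $f)"; rc=1
        fi
    done
    # 3. tls-auth direction: 0 on the server, 1 on the client, both naming ta.key
    conf="$dir/$role.ovpn"
    if [ -f "$conf" ]; then
        d=$(awk '$1 == "tls-auth" { print $2 ":" $3 }' "$conf")
        case "$d" in
            "ta.key:$want") ;;
            "") echo "$role.ovpn: tls-auth line missing"; rc=1 ;;
            *) echo "$role.ovpn: expected 'tls-auth ta.key $want', got '$(echo "$d" | tr : ' ')'"; rc=1 ;;
        esac
    fi
    return $rc
}

# Run directly as: sh check.sh /opt/etc/openvpn/config server server
if [ $# -eq 3 ]; then
    check_ovpn_dir "$@"
fi
```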

Comments (One comment)

[...] ==> next step is to create your own PKI, which you will find here [...]

openvpn with Synology CS407 at my blog / January 3rd, 2009, 18:32 / #
