OpenVPN howto: make the CA, server and client certificates with easy-rsa [Part 1]

On the SERVER (ip 192.168.5.1)

# cd /etc/openvpn/
# mkdir my_keys/
# cd my_keys/

Copy the whole easy-rsa 2.0 tool set into my_keys:
# cp /usr/share/openvpn/easy-rsa/2.0/* .

Edit vars (this file is sourced by the shell, so it is effectively a script):
# vim vars


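	 # easy-rsa 2.0 settings. The file is *sourced* (". ./vars"), so every
	 # export below lands in the calling shell and is read by the build-* scripts.
	 export EASY_RSA="/etc/openvpn/my_keys"
	 export OPENSSL="openssl"
	 export PKCS11TOOL="pkcs11-tool"
	 export GREP="grep"


	 # openssl.cnf variant matching the installed OpenSSL, picked by the helper
	 # script shipped with easy-rsa (quoted so a path with spaces cannot split).
	 export KEY_CONFIG="$("$EASY_RSA/whichopensslcnf" "$EASY_RSA")"
	 # Every generated key lands here -- including ca.key once build-ca runs,
	 # so on a production server this directory holds the CA's private key.
	 export KEY_DIR="$EASY_RSA/keys"
	 echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR"


	 # No smart card in this setup; placeholders keep the PKCS#11 helpers quiet.
	 export PKCS11_MODULE_PATH="dummy"
	 export PKCS11_PIN="dummy"


	 # RSA key size in bits (also used by build-dh: output is dh${KEY_SIZE}.pem).
	 export KEY_SIZE=2048
	 # Lifetimes in days: CA certificate, then server/client certificates.
	 export CA_EXPIRE=3650
	 export KEY_EXPIRE=1000


	 # Defaults pre-filled into the certificate subject prompts.
	 export KEY_COUNTRY="ID"
	 export KEY_PROVINCE="BANTEN"
	 export KEY_CITY="TANGERANG"
	 export KEY_ORG="Fort-Funston"
	 export KEY_EMAIL="me@myhost.mydomain"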

Load vars into the current shell, then wipe any previous keys directory. clean-all runs rm -rf on $KEY_DIR, so never run it on a machine whose CA you still need:
# . ./vars
# ./clean-all

Build the Diffie-Hellman parameters (KEY_SIZE=2048 gives dh2048.pem; this step takes a while):
# ./build-dh

Build the CA. This creates both ca.crt and the CA private key ca.key in keys/ on the VPN server itself. Only ca.crt is needed by the server and the clients; because ca.key can sign a certificate that every peer will trust, outside a lab the CA should be generated and kept on a separate, offline machine and only ca.crt copied to the server:
# ./build-ca

Build the server certificate. build-key-server marks the certificate with the server extension (nsCertType=server), which is what lets the client later verify it really is talking to the server with ns-cert-type server:
# ./build-key-server openvpnserver

Build the client certificate and key. build-key writes an unencrypted private key; use build-key-pass if the client key should be passphrase protected. Note that the client's private key is generated on the server here; a tighter workflow is to generate the key on the client and only send a signing request (build-req on the client, sign-req on the CA):
# ./build-key openvpnclient1

Generate the tls-auth pre-shared key (an HMAC over every control-channel packet, which drops unauthenticated packets before the TLS handshake). Both config files below leave tls-auth commented out, so this key has no effect until it is enabled on both sides:
# openvpn --genkey --secret ta.key

Copy ca.crt, dh2048.pem, server.crt and server.key into place. server.key is the server's private key, so restrict it afterwards (chmod 600 /etc/openvpn/my_keys/server.key); ca.key is not needed by the server and should not stay on it:
# cp keys/ca.crt /etc/openvpn/my_keys/ca.crt
# cp keys/dh2048.pem /etc/openvpn/my_keys/dh2048.pem
# cp keys/openvpnserver.crt /etc/openvpn/my_keys/server.crt
# cp keys/openvpnserver.key /etc/openvpn/my_keys/server.key

Create the server config from the shipped sample and edit it:
# cp /usr/share/doc/openvpn-2.1.1/sample-config-files/server.conf /etc/openvpn/
# cd /etc/openvpn/
# vim /etc/openvpn/server.conf


	# OpenVPN 2.1 server side. Relative paths below resolve against the
	# working directory the daemon is started from (/etc/openvpn in this howto).
	port 1194
	proto udp
	dev tun
	# CA certificate used to validate client certificates. Only ca.crt belongs
	# on the server; the CA private key (ca.key) should be kept elsewhere.
	ca   my_keys/ca.crt
	cert my_keys/server.crt
	# Server private key: keep it root-owned, mode 600.
	key  my_keys/server.key  
	# 2048-bit DH parameters produced by build-dh (size follows KEY_SIZE in vars).
	dh   my_keys/dh2048.pem
	# VPN subnet; the server takes 10.8.0.1 and clients are assigned from the rest.
	server 10.8.0.0 255.255.255.0
	ifconfig-pool-persist ipp.txt
	keepalive 10 120
	# NOTE(review): compression inside a VPN lets an attacker who can inject
	# plaintext recover secrets (VORACLE); prefer removing comp-lzo from both
	# the server and the client config.
	comp-lzo
	# Keep the key and tun device across SIGUSR1 restarts. These are also what
	# makes a `user nobody` / `group nobody` privilege drop workable; neither is
	# set here, so the daemon keeps running as root.
	persist-key
	persist-tun
	# Disabled: external revocation check (OCSP hook, Part 2 of this howto).
	# script-security 2 must be set before tls-verify may run a script;
	# crl-verify with a static CRL is the simpler alternative.
	;script-security 2
        ;tls-verify /etc/openvpn/my_keys/ocsp.sh
	# Disabled: the ta.key generated above is unused until this line is enabled
	# here (direction 0) and tls-auth ... 1 is enabled in client.conf.
	;tls-auth   /etc/openvpn/my_keys/ta.key 0
	status openvpn-status.log
	verb 3

Run the server in the foreground and check that the tun interface came up (the daemon keeps running as root unless user/group are set in server.conf):
# openvpn --config server.conf
# ifconfig -a

<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On the CLIENT (ip 192.168.5.5)

# cd /etc/openvpn
# mkdir /etc/openvpn/my_keys

On the server, copy openvpnclient1.crt and openvpnclient1.key to the client, renaming them to client.crt and client.key. The .key file is the client's private key: move it only over an authenticated channel (scp, as here), set it to mode 600 on the client, and delete the server's copy in keys/ once the client has it.
client certificate
# scp /etc/openvpn/my_keys/keys/openvpnclient1.crt  root@192.168.5.5:/etc/openvpn/my_keys/client.crt


client certificate key
# scp /etc/openvpn/my_keys/keys/openvpnclient1.key  root@192.168.5.5:/etc/openvpn/my_keys/client.key


ta key
# scp /etc/openvpn/my_keys/ta.key  root@192.168.5.5:/etc/openvpn/my_keys/ta.key

Back on the client, create the config from the shipped sample and edit it:
# cp /usr/share/doc/openvpn-2.1.1/sample-config-files/client.conf /etc/openvpn/
# cd /etc/openvpn/
# vim client.conf

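	client
	dev tun
	proto udp
	# The VPN server from the first half of this howto (port 1194, proto udp).
	remote 192.168.5.1 1194
	resolv-retry infinite
	nobind
	persist-key
	persist-tun
	ca    /etc/openvpn/my_keys/ca.crt
	cert  /etc/openvpn/my_keys/client.crt
	# Client private key (openvpnclient1.key copied from the server): mode 600.
	key   /etc/openvpn/my_keys/client.key
	# Require the peer certificate to carry nsCertType=server, which
	# build-key-server sets on the server certificate. Left commented out, any
	# certificate issued by the same CA -- including another client's -- would
	# be accepted as the server. (remote-cert-tls server is the EKU-based
	# equivalent on OpenVPN 2.1 and later.)
	ns-cert-type server
	# Disabled: enable together with tls-auth ... 0 on the server side; ta.key
	# is already copied to /etc/openvpn/my_keys/ta.key.
	;tls-auth /etc/openvpn/my_keys/ta.key 1
	# NOTE(review): compression inside a VPN is a known plaintext-recovery
	# vector (VORACLE); drop comp-lzo on both ends if possible.
	comp-lzo
	verb 3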

Run the client and confirm a tun interface came up with an address from 10.8.0.0/24:
# openvpn --config client.conf
# ifconfig -a

Comments

  1. What if you have hundreds or even thousands of clients?
    How can the client keys be built quickly and effectively?

    Is there no alternative to building the client keys one by one?
