177
edits
Changes
From SME Server
Jump to navigationJump to search
mLine 16:
Line 16: − + − + − . vars + − ./clean-all + − ./build-ca + − Using configuration from /etc/openvpn/easy-rsa/openssl.cnf − Generating a 1024 bit RSA private key − /build-key server + − Using configuration from /etc/openvpn/easy-rsa/openssl.cnf − Generating a 1024 bit RSA private key − ./build-key client + − Using configuration from /etc/openvpn/easy-rsa/openssl.cnf − Generating a 1024 bit RSA private key − ./build-dh + − + − + − + − + − +
no edit summary
rpm -Uvh *.rpm
rpm -Uvh *.rpm
Now its time to create the keys. The openvpn configs live in /etc/openvpn. First we need to edit the file with default values to match our installation. Open the file "vars" and Edit the default values to reflect your setup at the bottom of the file. The paths should be correct.
Now its time to create the keys. The openvpn configs live in /etc/openvpn. First we need to edit the file with default values to match our installation. Open the file "vars" and Edit the default values to reflect your setup at the bottom of the file (KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL). Default we use 1024 bit Diffie Hellman but this can be changed to 2048 or even 4096 bit keys (depending of your paranoia level..)
cd /etc/openvpn/easy-rsa
cd /usr/share/doc/openvpn-2.0.9/easy-rsa
pico vars
pico vars
Now we can create the master certificate. Choose the defaults as entered into the vars file. You will need to enter values for the "Organizational Unit Name" which you can set to "VPN" and"Common Name" could be set to "Server"
Now we can create the master certificate. Choose the defaults as entered into the vars file. You will need to enter values for the "Organizational Unit Name" which you can set to "VPN" and"Common Name" could be set to "Server"
source vars
sh clean-all
sh build-ca
Now we can build the certificate/private-key pairs for both the server and clients. Again choose choose "Organizational Unit Name" and "Common Name" as above. Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate in the end.
Now we can build the certificate/private-key pairs for both the server and clients. Again choose choose "Organizational Unit Name" and "Common Name" as above. Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate in the end.
sh build-key server
Now its time for the Client certificate which is pretty much the same as before. Use "Client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate in the end.
Now its time for the Client certificate which is pretty much the same as before. Use "Client" as "Common Name" and "VPN" for "Organizational Unit Name". Do not add "A Challenge password" when asked, just press <ENTER>. The same goes for "An optional company name". Sign the certificate in the end.
sh build-key client
Finally we build the Diffie Hellman parameters.
Finally we build the Diffie Hellman parameters.
sh build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
This is going to take a long time
..................
..................
And it can take a long time. Your generated keys will be in /etc/openvpn/easy-rsa/keys. The key names - "Server" and "Client" are simply descriptive. Choose names that suit your setup. You can create as many keys as you like using the above method. ./clean-all will clean out your keys directory - so be careful.
And it can take a long time. Your generated keys will be in /usr/share/doc/openvpn-2.0.9/easy-rsa/keys. The key names - "Server" and "Client" are simply descriptive. Choose names that suit your setup. You can create as many keys as you like using the above method. ''clean-all'' will clean out your keys directory - so be careful.
The newly generated keys needs to be copied to the the OpenVPN directory.
The newly generated keys needs to be copied to the the OpenVPN directory.
cp keys/ca.crt ..
cp keys/ca.crt /etc/openvpn
cp keys/server.crt ..
cp keys/server.crt /etc/openvpn
cp keys/server.key ..
cp keys/server.key /etc/openvpn
cp keys/dh1024.pem ..
cp keys/dh1024.pem /etc/openvpn
The OpenVPN configuration along with authentication scripts file can be downloaded from my site. Download them and make the executable for root. There will be log files created in /var/log/openvpn indicating when users have logged in and out as well as login failures. Only users that have VPN Client Access enabled in Server-Manager will be allowed to VPN.
The OpenVPN configuration along with authentication scripts file can be downloaded from my site. Download them and make the executable for root. There will be log files created in /var/log/openvpn indicating when users have logged in and out as well as login failures. Only users that have VPN Client Access enabled in Server-Manager will be allowed to VPN.
