safety

Learn how to connect to a VPN with OpenVPN

OpenVPN is a cross-platform VPN (virtual private network) client / server. It is compatible with Microsoft Windows, GNU / Linux, macOS operating systems and even has free applications for Android and iOS. Another strong point of OpenVPN is that some router manufacturers are incorporating it into their equipment, so we will have the possibility of configuring an OpenVPN server on our router. Another notable aspect is that, for example, firewall-oriented operating systems also incorporate it, PFsense and OPNSense are two highly recommended distributions to use OpenVPN and the rest of its configuration options.

What is it?

OpenVPN is a software based on free software that allows us to build a virtual private network (VPN), to connect remotely to the server. This software allows us to configure two types of VPN architectures:

  • Remote Access VPN: We have a central VPN server, and several VPN clients with the software installed on your computer, smartphone, tablet or other device, and they all connect centrally to the VPN server.
  • Site-to-Site VPN: this architecture allows us to intercommunicate between different sites to share resources through a secure network, protected with end-to-end encryption. This type of VPN allows us to intercommunicate offices, company headquarters, etc.

Some very important features of OpenVPN are that it supports extensive configuration, both to improve performance as well as security. It is based on SSL / TLS, therefore, we can create digital certificates for the authentication of VPN clients, in addition, we could also authenticate with certificates plus a user / password that we add to the system. OpenVPN is much easier to configure than IPsec, and thanks to the great support of the community, we will be able to find OpenVPN on all desktop operating systems, servers and even on smartphones and tablets.

What is it for?

If we create an OpenVPN server in our home, it can help us to connect to the Internet in a secure way from any network, be it wired or WiFi, with WEP / WPA encryption or without encryption. All traffic will be encrypted through a tunnel from our computer where we connect to our house and from there it will go to the Internet, it is like being connected to the Internet at home. We must take into account several factors, such as having a good upload speed (30Mbps or higher), and having a public IP address in our home, since if we have CG-NAT we will not be able to connect because we will not be able to do port forwarding in the router.

By setting up an OpenVPN server in our home, we can also access each and every one of the shared resources we have, such as Samba servers, FTP and even access the printer, IP cameras that we have connected, etc. All access permissions would be just as if we were physically in our home. OpenVPN is a solution for VPN that implements layer 2 or 3 connections, depending on the chosen connection mode, it will work one way or another, in addition, an important detail is that the vast majority of operating systems today support OpenVPN, although not it is usually incorporated by hardware manufacturers for firewalls or routers.

OpenVPN uses a set of SSL / TLS protocols that work at the transport layer, and we have two types of operation:

  • TUN : The TUN controller emulates a point-to-point device, it is used to create virtual tunnels operating with the IP protocol. In this way, all the packets that are transported through it can be encapsulated as TCP segments or UDP datagrams (later you will see that we choose UDP instead of TCP, and you will ask why since TCP is connective, reliable and oriented to Connection). The machines behind each end of the link will belong to different subnets.
  • TAP : Simulates an Ethernet network interface, more commonly known as bridge or bridge mode, these virtual tunnels directly encapsulate Ethernet packets. This situation allows packaging different fabrics than IP. The machines behind each end of the link can operate as part of the same subnet (if the IP protocol is used). The bridge operating mode is particularly useful for linking remote users, since they can connect to the same server and virtually be part of the main network, however, if the private network where the origin is connected coincides with the destination, we will Routing problems and communication will not work.

In the manual we will use TUN and see how we create a 10.8.0.0/24 virtual subnet where the OpenVPN clients will be when they connect. In this way, it will be much easier to identify the VPN clients that we have connected in the local network.

In this manual I am going to explain how to do it in GNU / Linux (in Debian 10), although in essence, it is the same for Windows, only the commands in the console (cmd.exe), the certificates and the keys change, they are the The same for both, that is, you can create EVERYTHING in GNU / Linux and then pass it to Windows to use it (either client or server), you will only have to change the client / server extension .conf to .ovpn, although in the latest versions OpenVPN for Windows already allows us to recognize and use .conf configuration files, so we won’t have to change the extension.

In this manual I am going to show you how to make a very secure OpenVPN configuration, customizing the symmetric, asymmetric and hash encryption algorithms. In this way, we can have the best possible encryption of communications.

Summary of the cryptography to use

  • Digital certificates : We will use EC (Elliptical Curves) for the creation of the Public Key Infrastructure. We will create both the certificates of the CA (Certification Authority), as well as the certificates of the server and VPN clients that want to connect. The EC algorithm used is secp521r1, although we have many others available. The hash algorithm that we will use will be SHA512. An important detail is that not all OpenVPN clients / servers support it, we must have our OpenVPN and cryptographic libraries updated, but nowadays it is rare to find ourselves in a scenario that is not compatible.
  • OpenVPN control channel : we will use at least TLS 1.2, and always using PFS (Perfect Forward Secrecy) based on Diffie-Hellmann with elliptical curves (ECDHE). That is, we will use a selection of secure crypto suites, such as TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384. If you want to check if your server or client supports this type of encryption, you must put in the console “openvpn –show-tls”.
  • OpenVPN data channel : We will use the AES-256-GCM symmetric encryption algorithm , the most secure currently and which has been incorporated into OpenVPN 2.4 and later. If you want to check if your server or client supports this type of encryption, you must put in the console « openvpn –show-ciphers «. If we use AES-256-GCM as data channel encryption, we will not use any HASH algorithm since it is AEAD, however, if we use AES-256-CBC we will use SHA512.

In the latest versions of OpenVPN, and if the cryptographic library of your operating system allows it, we can use the TLS 1.3 protocol in the control channel. If we go to the command line of the OpenVPN server or client, and we put the following command:

openvpn --show-tls

We can see if our OpenVPN server and / or client support TLS 1.3, in our case, we have a total of three cipher suites that we can use:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

To define TLS 1.3 in the configuration files we must use the argument ” tls-ciphersuites ” instead of the typical ” tls-cipher “, followed by the cipher suite that we want, the three suites that we have available are the safest that we can use Nowadays, in addition, thanks to the TLS 1.3 protocol, the establishment of the connection will be somewhat faster, ideal for establishing the VPN tunnel quickly.

From OpenVPN version 2.5 onwards, we also have a symmetric encryption algorithm for the OpenVPN data channel, we can use CHACHA20-POLY1305which is a 256-bit stream encryption, and can be used to speed up the actual speed of the VPN we are setting up. If our processor does not support AES-NI to accelerate AES-GCM traffic, then we recommend always using CHACHA20-POLY1305 because you will have better performance, however, if it supports AES-NI, our recommendation is that you perform speed tests using both to see what speed you will get. We must remember that this symmetric encryption algorithm is used by default in the WireGuard VPN, one of the safest and fastest VPNs that we can use today. In this case, to configure this encryption algorithm, it would be done in the same way as AES-256-GCM, putting «cipher» and then the name of the encryption as we have put it for you.

In addition to these security measures, we will include an additional HMAC signature for the first TLS negotiation, in this way, we will protect the system from possible denial of service attacks, UDP Port Flooding attacks and also TCP SYN attacks. When connecting to the server, if the client does not have the correct HMAC signature, it will be blocked. In previous versions of OpenVPN 2.4 the directive was tls-auth, which was only responsible for the authentication of a pre-shared key generated by OpenVPN itself. Now in versions higher than OpenVPN 2.4 it is called tls-crypt, the main difference is that in addition to authenticating, it also encrypts the channel so that no one is able to capture said pre-shared key. The configuration is very similar, the key generation is exactly the same in both.

Finally, we will use the UDP protocol instead of TCP, because it is stronger against denial of service attacks, we must remember that UDP is non-connective, unreliable and not connection-oriented. However, we can use TCP without any problem to provide the VPN with all the benefits of this protocol.

Steps to follow to work with OpenVPN

Below you will be able to see in detail how to install this software, and also everything you need to start it up with the best possible security that this solution offers us to create a virtual private network.

Download and install

The first thing we have to do is install OpenVPN on our computer, either with Windows or Linux. If you use Windows you must go to the official OpenVPN download website and install everything in the installation wizard. If you use an operating system like Debian (we will be using Debian 10 throughout this manual), you will have to enter the following command:

sudo apt update

sudo apt install openvpn

Easy-RSA 3 download for certificates

Once installed, we must download the Easy-RSA 3 software package, this software package is used to create digital certificates easily and quickly. We can modify the length of the key, the type of key, if we want to put a password to the private keys, etc. On the official website of the Easy-RSA 3 project on GitHub you have all the information and the possibility of downloading a .zip with everything.

If you are on a Linux system, we recommend using the wget command to download the .zip:

wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.8/EasyRSA-3.0.8.tgz

Next, we must unzip this downloaded file and enter the folder to start configuring the vars file.

tar -zxvf EasyRSA-3.0.8.tgz

Configure Easy-RSA 3 «vars»

The vars.example file is the center of all the configuration of the certificates, it is where we must define if we want to create certificates based on RSA or based on EC. Likewise, it will also allow us to sign the certificates with SHA256 or SHA512 among others. That is, we must configure this configuration file correctly to later create the digital certificates.

The first thing we must do is copy the vars.example file in the same folder with the name “vars”, if we do not have it with this name “vars” it will not work. We also have the possibility to rename the file vars.example in “vars”, but we recommend you better make a backup in case you delete something and then it doesn’t work for you.

We place ourselves in the main folder of Easy-RSA3 and copy the file in this way:

cp vars.example vars

Once we have the “vars” file, we must edit it with any file editor via console or graphical interface, we will use nano due to its ease. In the following «vars» configuration file you can see how EC would look with the secp521r1 algorithm, signed with SHA512 and we have used a DN (Distinguished Name) putting the CN (Common Name) instead of the typical «organization data »As we have always done before, in this way, we facilitate the creation of the certificates, however, we could also do it by indicating the typical organization data.

In the file itself are the original comments in English, and in Spanish we have put ours to facilitate the location of what needs to be modified. A very important detail, WordPress automatically puts these symbols << and >> when it should just put double quotes: »

# Easy-RSA 3 parameter settings

# NOTE: If you installed Easy-RSA from your distro’s package manager, don’t edit
# this file in place – instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don’t wipe out your changes .

# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file ‘vars’ if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the ‘vars’ file.
#
# All of the editable settings are shown commented and start with the command
# ‘set_var’ – this means any set_var command that is uncommented has been
# modified by the user. If you’re happy with a default, there is no need to
# define the value to its default.

# NOTES FOR WINDOWS USERS
#
# Paths for Windows * MUST * use forward slashes, or optionally double-esscaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# «C: / Program Files / OpenSSL-Win32 / bin / openssl.exe »

# A little housekeeping: DON’T EDIT THIS SECTION
#
# Easy-RSA 3.x doesn’t source into the environment directly.
# Complain if a user tries to do this:
if [-z “$ EASYRSA_CALLER”]; then
echo “You appear to be sourcing an Easy-RSA ‘vars’ file.” > & 2
echo «This is no longer necessary and is disallowed. See the section called »> & 2
echo« ‘How to use this file’ near the top comments for more details. » > & 2
return 1
fi

# DO YOUR EDITS BELOW THIS POINT

# This variable is used as the base location of configuration files needed by
# easyrsa. More specific variables for specific files (eg, EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.

#set_var EASYRSA “$ {0% / *}”

# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.

#set_var EASYRSA_OPENSSL “openssl”
#
# This sample is in Windows syntax – edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL “C: / Program Files / OpenSSL-Win32 / bin / openssl.exe”

# Edit this variable to point to your soon-to-be-created key directory. By
# default, this will be “$ PWD / pki” (ie the “pki” subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI “$ PWD / pki”

# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the «Distinguished Name.»)
# Note that in cn_only mode the Organizational fields further below aren’t used.
#
# Choices are:
# cn_only – use just a CN value
# org – use the «traditional» Country / Province / City / Org / OU / email / CN format

#ELEGIMOS cn_only FOR THE CREATION OF CERTIFICATES

set_var EASYRSA_DN “cn_only”

# Organizational fields (used with ‘org’ mode and ignored in ‘cn_only’ mode.)
# These are the default values ​​for fields which will be placed in the
# certificate. Don’t leave any of these fields blank, although interactively
# you may omit any specific field by typing the «.» symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY “US”
#set_var EASYRSA_REQ_PROVINCE “California”
#set_var EASYRSA_REQ_CITY “San Francisco”
#set_var EASYRSA_REQ_ORG “Copyleft Certificate Co”
#set_var EASYRSA “me_REQ_EMAILAS_set_var EASYRSA “_REQ_EMAILUational.net”
meset_var EASYRSA ” _REQ_EMAILAS@set_var EASYRSA “_REQ_EMAILUational.net ” meset_var EASYRSA “_REQ_EMAILAS_set_var EASYRSA ” _REQ_EMAILAS_set_var EASYRSA “_REQ_EMAILASPROVINCE” California ” #set_var EASYRSA_PROVINCE.

# Choose a size in bits for your keypairs. The recommended value is 2048. Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key / DH param
# generation take much longer. Values ​​up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE 2048

# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec

# WE CHOOSE ELIPTICAL CURVE FOR THE CREATION OF CERTIFICATES, BY DEFAULT IT IS RSA.

set_var EASYRSA_ALGO ec

# WE DEFINE THE NAME OF THE ELIPTICAL CURVE CHOSEN

set_var EASYRSA_CURVE secp521r1

# WE CONFIGURE THE EXPIRY OF THE AC

set_var EASYRSA_CA_EXPIRE 3650

# WE CONFIGURE THE EXPIRY OF THE CERTIFICATES CREATED.

set_var EASYRSA_CERT_EXPIRE 1080

# How many days until the next CRL publish date? Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.

# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW 30

#set_var EASYRSA_CRL_DAYS 180

# Support deprecated “Netscape” extensions? (choices “yes” or “no”.) The default
# is “no” to discourage use of deprecated extensions. If you require this
# feature to use with –ns-cert-type, set this to “yes” here. This support
# should be replaced with the more modern –remote-cert-tls feature. If you do
# not use –ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to “no”. When set to “yes”, server-signed certs get the
# nsCertType = server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT “no”

# When NS_SUPPORT is set to «yes», this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to “no” this field is ignored.

#set_var EASYRSA_NS_COMMENT “Easy-RSA Generated Certificate”

# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; However, some users might want an alternative under a
# RAM-based FS, such as / dev / shm or / tmp on some systems.

#set_var EASYRSA_TEMP_FILE “$ EASYRSA_PKI / extensions.temp”

# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!

# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command. The symptom will be
# some form of a ‘command not found’ error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values ​​are not defaults: it is up to you to know what you’re doing if
# you touch these.
#
#alias awk = »/ alt / bin / awk»
#alias cat = »/ alt / bin / cat»

# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named ‘COMMON’ is included first when present. Note that
# when undefined here, default behavior is to look in $ EASYRSA_PKI first, then
# fallback to $ EASYRSA for the ‘x509-types’ dir. You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR “$ EASYRSA / x509-types”

# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.

#set_var EASYRSA_SSL_CONF “$ EASYRSA / openssl-easyrsa.cnf”

# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.

#set_var EASYRSA_REQ_CN “ChangeMe”

# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

# WE SELECT THE HASH SHA512

set_var EASYRSA_DIGEST “sha512”

# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH «»

Once we have modified everything, we save the file since later we are going to use it with these values.

Creation of the PKI: CA, server and client certificates

When we already have the «vars» file configured, we proceed to create the Public Key Infrastructure (PKI) with the following command (we assume that you are still in the main Easy-RSA3 directory):

./easyrsa init-pki

root @ debian-vm: /home/bron/EasyRSA-v3.0.6# ./easyrsa init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /home/bron/EasyRSA-v3.0.6/pki

Once the PKI is initialized, we must create the Certification Authority (CA):

./easyrsa build-ca

Once executed, we must follow the simple CA generation wizard. The password you ask is to protect the private key of the CA, something essential.

root @ debian-vm: /home/bron/EasyRSA-v3.0.6# ./easyrsa build-ca

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
read EC key
writing EC key
Can’t load /home/bron/EasyRSA-v3.0.6/pki/.rnd into RNG
139864421569664: error: 2406F079: random number generator : RAND_load_file: Cannot open file: ../ crypto / rand / randfile.c: 98: Filename = / home / bron / EasyRSA-v3.0.6 / pki / .rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, The field will be left blank.
—–
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: AUTHORITY-CERTIFICATION

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/bron/EasyRSA-v3.0.6/pki/ca.crt

If we do not want to enter a password in the private key of the CA (it is not recommended for security reasons), we must put this command:

./easyrsa build-ca nopass

Once we have created the CA, we must create the server certificate, and the client certificates. Next, we must sign it with the CA.

Creating the server certificate and signing it with the CA

When creating the server and client certificates, we can give them a password for the private key, however, it is not recommended to do it on the server since every time we start it, it will ask us for the password to use it. If we do not want a password, we will put “nopass” behind each order that you will see below.

./easyrsa gen-req servidor-openvpn-redeszone nopass

The terminal output is as follows:

root @ debian-vm: /home/bron/EasyRSA-v3.0.6# ./easyrsa gen-req server-openvpn-redeszone nopass

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019
Generating an EC private key
writing new private key to ‘/home/bron/EasyRSA-v3.0.6/pki/private/servidor-openvpn-redeszone.key.bHJsAFg0KR’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, The field will be left blank.
—–
Common Name (eg: your user, host, or server name) [server-openvpn-redeszone]:

Keypair and certificate request completed. Your files are:
req: /home/bron/EasyRSA-v3.0.6/pki/reqs/server-openvpn-redeszone.req
key: /home/bron/EasyRSA-v3.0.6/pki/private/server-openvpn-redeszone .key

Once the certificate is created, we must sign it with the CA in “server” mode:

./easyrsa sign-req server servidor-openvpn-redeszone

root @ debian-vm: /home/bron/EasyRSA-v3.0.6# ./easyrsa sign-req server server-openvpn-redeszone

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.1.1d 10 Sep 2019

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 1080 days:

subject =
commonName = server-openvpn-redeszone

Type the word ‘yes’ to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /home/bron/EasyRSA-v3.0.6/pki/safessl-easyrsa.cnf
Enter pass phrase for /home/bron/EasyRSA-v3.0.6/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
commonName: ASN.1 12: ‘server-openvpn-redeszone’
Certificate is to be certified until Dec 23 11:40:22 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /home/bron/EasyRSA-v3.0.6/pki/issued/servidor-openvpn-redeszone.crt

And we have already created the .crt that we will use later in the OpenVPN configuration file.

Create client certificates and sig

Leave a Reply

Your email address will not be published.

Back to top button