15.3 Setting Up Your VPN Server Using Certificate Authority

The example shown in Creating the Simplest VPN Example is useful for testing, but not for daily work. This section explains how to build a VPN server that allows more than one connection at the same time. This is done with a public key infrastructure (PKI): a master certificate authority (CA) issues a certificate and private key pair to the server and to each client, so that every participant can be authenticated individually.

The general overview of this process involves these steps, which are explained in the following subsections:

  1. Build your public key infrastructure (see Section 15.3.1, Creating Certificates).

  2. Configure your server (see Section 15.3.2, Configuring the Server).

  3. Configure your clients (see Section 15.3.3, Configuring the Clients).

15.3.1 Creating Certificates

Before a VPN connection gets established, the client must authenticate the server certificate, and the server must also authenticate the client certificate. This is called mutual authentication. For background on certificates, see Section 16.0, Managing X.509 Certification.

You can use two methods to create the respective certificates and keys:

Generating Certificates with easy-ca

The easy-ca utilities use the configuration file openssl.cnf stored under /usr/share/openvpn/easy-ca. In most cases you can leave this file as it is.

Generate the Master CA And Key

  1. Open a shell and become root.

  2. Change the directory to /usr/share/openvpn/easy-ca.

  3. Edit the default values in the file vars. Change the variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL.

  4. Initialize the PKI:

    source ./vars && ./clean-all && ./build-ca
  5. Enter the data requested by the build-ca script. Usually you can accept the defaults that you have set in Step 3. Only the Common Name has no default; enter a descriptive name for the CA.

After this procedure, the master CA certificate and key are saved as /usr/share/openvpn/easy-ca/keys/ca.*. The private key ca.key signs every server and client certificate; keep it only on the machine that acts as CA. Neither the VPN server nor the clients need it to operate.

Generate The Private Server Key

  1. Make sure the directory is /usr/share/openvpn/easy-ca.

  2. Run the following script:

    ./build-key-server server

    The argument (here: server) is used for the private key filename.

  3. Accept the default parameters, but insert for Common Name the value server.

  4. Answer the next two questions (Sign the certificate? [y/n] and 1 out of 1 certificate requests certified, commit? [y/n]) with y (yes).

After this procedure, the server certificate and private key are saved as /usr/share/openvpn/easy-ca/keys/server.*.

Generate Certificates and Keys for a Client

  1. Make sure your current directory is /usr/share/openvpn/easy-ca.

  2. Create the key as in Step 2 from Generate The Private Server Key:

    ./build-key client
  3. Repeat the previous step for each client that is allowed to connect to the VPN server. Use a different file name (other than client) and a different Common Name for every client: the server tells clients apart by the Common Name, and unless duplicate-cn is set in the server configuration, a second connection with the same Common Name replaces the first.

After this procedure, the client certificate and key are saved as /usr/share/openvpn/easy-ca/keys/client.* (the name depends on the argument you gave to the build-key command).

Some Final Configuration Steps

  1. Make sure your current directory is /usr/share/openvpn/easy-ca.

  2. Create the Diffie-Hellman parameters (the output file is named after the key size, here dh1024.pem):

    ./build-dh
  3. Copy the following files:

    cp keys/ca.{crt,key} keys/dh1024.pem keys/server.{crt,key} /etc/openvpn/ssl/
  4. Copy the client certificate and key together with the CA certificate to the respective client machine, so that the client has the files ca.crt, client.crt and client.key in its /etc/openvpn/ssl directory. Do not copy ca.key or any other client's key: client.key is that client's identity and should be readable only by root there. The server itself reads only ca.crt, server.crt, server.key and dh1024.pem; ca.key is needed solely to sign further certificates.
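Before copying the files around, it pays to verify that the PKI is consistent: that every certificate was really issued by ca.crt, that each .key file belongs to the .crt next to it, and that no two certificates share a Common Name. The following script is an added check, not part of the original page or of the easy-ca scripts. It assumes the openssl command-line tool is installed and that the directory passed to it holds the files in the layout produced above (ca.crt, server.crt, server.key, one .crt/.key pair per client).

```shell
#!/bin/sh
# Added example (not part of the original page or of the easy-ca scripts):
# sanity-check the certificates and keys produced by build-ca, build-key-server
# and build-key before they are copied to /etc/openvpn/ssl.
# Assumptions: the openssl command-line tool is installed, and DIR holds the
# files in the layout easy-ca writes (ca.crt, server.crt, server.key,
# <client>.crt, <client>.key).

# cn_of FILE -> print the Common Name of the certificate in FILE
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN *= *//p'
}

# check_pki DIR -> exit status 0 if every check passes, 1 otherwise
check_pki() {
    dir=$1
    ca="$dir/ca.crt"
    rc=0

    # 1. The CA certificate must be a valid, self-signed CA.
    if ! openssl verify -CAfile "$ca" "$ca" >/dev/null 2>&1; then
        echo "FAIL: $ca is not a valid self-signed CA certificate"
        return 1
    fi

    for crt in "$dir"/*.crt; do
        [ "$crt" = "$ca" ] && continue
        name=$(basename "$crt" .crt)
        key="$dir/$name.key"

        # 2. Every server and client certificate must chain to ca.crt.
        if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
            echo "FAIL: $crt was not issued by $ca"
            rc=1
        fi

        # 3. The private key next to it must belong to that certificate
        #    (compare the public key embedded in each).
        if [ -f "$key" ]; then
            if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != \
                 "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
                echo "FAIL: $key does not match $crt"
                rc=1
            fi
        else
            echo "WARN: no private key $key found for $crt"
        fi
    done

    # 4. Common Names must be unique: OpenVPN tells clients apart by CN.
    dups=$(for crt in "$dir"/*.crt; do cn_of "$crt"; done | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "FAIL: duplicate Common Name(s): $dups"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: PKI in $dir is consistent"
    return "$rc"
}

# Usage: sh check_pki.sh /usr/share/openvpn/easy-ca/keys
if [ $# -gt 0 ]; then
    check_pki "$1"
fi
```

Run it against the keys directory before the cp step; a non-zero exit status means something was signed by the wrong CA, a key was overwritten by a later build-key run, or two clients were given the same Common Name.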

Configuring Certificates with YaST CA

You can skip this section if you have already configured the certificates with the easy-ca utilities.

15.3.2 Configuring the Server

The configuration file is mostly a summary from /usr/share/doc/packages/openvpn/sample-config-files/server.conf without the comments and with some small changes to some paths.

Example 15-1 VPN Server Configuration File

# /etc/openvpn/server.conf
port 1194 
proto udp 
dev tun0 

# Security 
ca   ssl/ca.crt
cert ssl/server.crt
key  ssl/server.key
dh   ssl/dh1024.pem

server 10.8.0.0  255.255.255.0 
ifconfig-pool-persist /var/run/openvpn/ipp.txt 

# Privileges 
user nobody
group nobody

# Other configuration 
keepalive 10 120
comp-lzo
persist-key
persist-tun
status      /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

port 1194: The UDP or TCP port on which OpenVPN listens. You have to open this port in the firewall, see Section 14.0, Masquerading and Firewalls. The standard OpenVPN port is 1194, so in most cases you can leave it as it is.

proto udp: The transport protocol, either UDP or TCP.

dev tun0: The tun or tap device, see Section 15.1.2, Tun and Tap Devices for the differences.

ca, cert, key, dh: The relative or absolute paths to the CA certificate (ca), the server certificate (cert), the server's private key (key) and the Diffie-Hellman parameters (dh). These files were generated in Section 15.3.1, Creating Certificates. Relative paths are resolved from /etc/openvpn, the directory in which the daemon is started, so ssl/ca.crt means /etc/openvpn/ssl/ca.crt. The server reads only these four files; the CA's private key ca.key is not needed here.

server 10.8.0.0 255.255.255.0: Defines the VPN subnet. The server takes the address 10.8.0.1 for itself and assigns addresses from the rest of the range to the clients.

ifconfig-pool-persist: Records the mapping between client Common Names and their virtual IP addresses in the given file. After a server restart the clients get the addresses they had before.

user nobody, group nobody: For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges once it has opened its port, key files and tun device. For this reason the daemon drops to user and group nobody.

keepalive, comp-lzo, persist-key, persist-tun, status, log-append, verb: Several further options, see the comments in the original sample configuration under /usr/share/doc/packages/openvpn/sample-config-files. Note that persist-key and persist-tun belong together with the privilege drop above: without them a restart of the tunnel (for example after a keepalive timeout) would require rereading the key files and recreating the tun device, which the daemon can no longer do as user nobody.

After starting the server with this configuration, you can see its log messages in /var/log/openvpn.log. On the first start the log should end with:

... Initialization Sequence Completed

If you do not get this message, check the log carefully. Usually OpenVPN gives some hints about what is wrong in the configuration file.

15.3.3 Configuring the Clients

The configuration file is mostly a summary from /usr/share/doc/packages/openvpn/sample-config-files/client.conf without the comments and with some small changes to some paths.

Example 15-2 VPN Client Configuration File

# /etc/openvpn/client.conf
client 
dev tun 
proto udp 
remote IP_OR_HOSTNAME 1194 
resolv-retry infinite
nobind

# Privileges 
user nobody
group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Security 
ca   ssl/ca.crt
cert ssl/client.crt
key  ssl/client.key

comp-lzo 

client: Specifies that this machine is a client; it receives its address and routes from the server.

dev tun: The network device. Clients and server must use the same device type (tun or tap); the server's tun0 and the client's tun are both tun devices.

proto udp: The transport protocol. Use the same setting as on the server.

remote IP_OR_HOSTNAME 1194: Replace the placeholder IP_OR_HOSTNAME with the host name or IP address of your VPN server, followed by the port on which the server listens. You can have several remote lines pointing to different VPN servers: the client tries them in the given order and falls back to the next one when a connection fails. To spread clients across the servers instead, add the option remote-random, which makes the client pick the order at random.

user nobody, group nobody: For security reasons it is a good idea to run the OpenVPN daemon with reduced privileges. For this reason the group and user nobody is used, together with persist-key and persist-tun so that the tunnel can be restarted without the privileges that have been dropped.

ca, cert, key: The CA certificate and the client's own certificate and key, copied from the CA host in Section 15.3.1, Creating Certificates. Each client must have its own certificate and key pair: the server identifies connected clients by the Common Name, and a lost or stolen key can then be revoked without affecting the other clients. Note that the client only checks that the server certificate was issued by ca.crt, and every client certificate was issued by the same CA. It is therefore advisable to add ns-cert-type server (or, with OpenVPN 2.1 and later, remote-cert-tls server) to the client configuration, so that a stolen client certificate cannot be used to impersonate the server; the build-key-server script marks the server certificate with the attributes this check requires, which is what distinguishes it from build-key.

comp-lzo: Turns compression on. Use it only when the server has this parameter switched on as well. Compressing data before it is encrypted can reveal information about the plaintext to an attacker who can inject known content and observe packet sizes, so leave it off on both sides unless you need the bandwidth savings.
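Several of the settings explained for the server configuration in Section 15.3.2 and for the client configuration above must agree on both sides (proto, the tun/tap device type, comp-lzo, and the port named in the client's remote line), and the client should verify the server certificate's role. The following script is an added example, not part of the original page or of the OpenVPN package: it reads a server.conf and a client.conf in the plain "directive value" syntax used in Example 15-1 and Example 15-2 and reports every mismatch. Inline <ca> blocks and config includes are not parsed.

```shell
#!/bin/sh
# Added example, not part of the original page: cross-check server.conf and
# client.conf for the settings the text says must agree (proto, tun/tap,
# comp-lzo) and for the port, and warn when the client does not verify the
# server certificate's role. Assumes the plain "directive value" syntax shown
# in the examples; inline <ca> blocks and config includes are not parsed.

# opt FILE DIRECTIVE -> print the first argument of DIRECTIVE, or nothing
opt() {
    awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { print $2; exit }' "$1"
}

# has FILE DIRECTIVE -> exit status 0 if DIRECTIVE appears in FILE
has() {
    awk -v d="$2" '{ sub(/[#;].*/, "") } $1 == d { found = 1 } END { exit !found }' "$1"
}

# check_configs SERVER_CONF CLIENT_CONF -> exit status 0 if consistent
check_configs() {
    srv=$1
    cli=$2
    rc=0

    # proto: OpenVPN defaults to udp when the directive is absent
    sproto=$(opt "$srv" proto)
    cproto=$(opt "$cli" proto)
    if [ "${sproto:-udp}" != "${cproto:-udp}" ]; then
        echo "FAIL: proto is ${sproto:-udp} on the server but ${cproto:-udp} on the client"
        rc=1
    fi

    # dev: only the type matters; tun0 on the server and tun on the client are both tun
    sdev=$(opt "$srv" dev | sed 's/[0-9]*$//')
    cdev=$(opt "$cli" dev | sed 's/[0-9]*$//')
    if [ "$sdev" != "$cdev" ]; then
        echo "FAIL: server uses a $sdev device, client a $cdev device"
        rc=1
    fi

    # port: the server's port must be the one named in the client's remote line
    sport=$(opt "$srv" port)
    rport=$(awk '{ sub(/[#;].*/, "") } $1 == "remote" { print $3; exit }' "$cli")
    if [ "${sport:-1194}" != "${rport:-1194}" ]; then
        echo "FAIL: server listens on ${sport:-1194}, client connects to ${rport:-1194}"
        rc=1
    fi

    # comp-lzo: must be enabled on both sides or on neither
    if has "$srv" comp-lzo && ! has "$cli" comp-lzo; then
        echo "FAIL: comp-lzo is set on the server only"
        rc=1
    fi
    if has "$cli" comp-lzo && ! has "$srv" comp-lzo; then
        echo "FAIL: comp-lzo is set on the client only"
        rc=1
    fi

    # server-role check: without it any certificate from the same CA,
    # including another client's, would be accepted as the server's
    if ! has "$cli" ns-cert-type && ! has "$cli" remote-cert-tls; then
        echo "WARN: client does not check the server certificate's role (ns-cert-type server / remote-cert-tls server)"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $srv and $cli agree"
    return "$rc"
}

# Usage: sh check_configs.sh /etc/openvpn/server.conf /etc/openvpn/client.conf
if [ $# -eq 2 ]; then
    check_configs "$1" "$2"
fi
```

Run it with the server's configuration and the configuration you are about to hand to a client; the warning about the server-role check is printed separately from the failures because the configuration still works without it, it is just weaker.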