Clark's Home page

Assorted technicalities of a Linux sysadmin, plus a bit of his life

OpenVPN on Devuan Daedalus

Three years after the last time, I found myself having to set up another VPN alongside the company one, so that I can reach my PC remotely and, from there, through iDRAC (in my opinion the invention of the century for people in my line of work), power the LAN back on from home on a public holiday, after maintenance had had to cut the power.

On Devuan 5 the OpenVPN version is 2.6.3, and quite a few things have changed compared with earlier versions, so much so that, charging ahead with the usual commands, I was greeted with:

root@pc0:/etc/openvpn# . ./vars
bash: ./vars: File o directory non esistente.

So, as usual, a quick Internet search, and I found the procedure for configuring OpenVPN on Debian 12 (the parent distribution of Daedalus), which I report here adapted to my needs.

I made the usual symlink from /usr/share/easy-rsa/ into /etc/openvpn and entered it:

root@pc0:/etc/openvpn/easy-rsa# ./easyrsa init-pki
* Notice:

init-pki complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki

This initialises the PKI.

root@pc0:/etc/openvpn/easy-rsa# cd pki

root@pc0:/etc/openvpn/easy-rsa/pki# cp vars.example vars

Then edit it and change:

set_var EASYRSA_REQ_COUNTRY "IT"
set_var EASYRSA_REQ_PROVINCE "Lombardia"
set_var EASYRSA_REQ_CITY "Inveruno"
set_var EASYRSA_REQ_ORG "Myfirm S.p.A."
set_var EASYRSA_REQ_EMAIL "clark@myfirm.com"
set_var EASYRSA_REQ_OU "Systems and Networking"

Adjusting the parameters.

root@pc0:/etc/openvpn/easy-rsa/pki# cd ..

root@pc0:/etc/openvpn/easy-rsa#./easyrsa build-ca
* WARNING:

Unsupported  characters are present in the vars file.
These characters are not supported: (') (&) (`) ($) (#)
Sourcing the vars file and building certificates will probably fail ..

* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Using configuration from /etc/openvpn/easy-rsa/pki/967c26e0/temp.34b5ff81
[... OpenSSL key generation progress output trimmed ...]
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

* Notice:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:/etc/openvpn/easy-rsa/pki/ca.crt

And with this the CA is generated.
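The warning printed by build-ca above complains about unsupported characters in the vars file, and values pasted from a web page (the set_var lines above, for instance, render with typographic quotes on the web) are a common way to end up with them. The script below is an added example, not part of the original post or of Easy-RSA itself: it checks a vars file for the characters the warning lists and, as my own addition, for UTF-8 curly quotes, ignoring comment lines. The two sample vars files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check an Easy-RSA "vars" file
# before running ./easyrsa, so the "Unsupported characters" warning is
# caught up front. The character list (' & ` $ #) is the one the warning
# prints; the curly-quote check is an addition of mine.

# Print "lineno:line" for every non-comment line of $1 matching pattern $2.
find_bad_lines() {
    LC_ALL=C grep -n -- "$2" "$1" | grep -v '^[0-9][0-9]*:[[:space:]]*#' || true
}

# Return 0 if the vars file is clean, 1 if it has problem lines, 2 if unreadable.
check_vars_file() {
    vars="$1"
    [ -r "$vars" ] || { echo "cannot read: $vars" >&2; return 2; }
    rc=0
    # 1) the characters the easyrsa warning lists as unsupported
    hits=$(find_bad_lines "$vars" "['&\`\$#]")
    [ -z "$hits" ] || { printf 'unsupported character:\n%s\n' "$hits" >&2; rc=1; }
    # 2) UTF-8 typographic quotes (bytes E2 80 98/99/9C/9D), matched byte-wise
    hits=$(find_bad_lines "$vars" "$(printf '\342\200[\230\231\234\235]')")
    [ -z "$hits" ] || { printf 'typographic quote:\n%s\n' "$hits" >&2; rc=1; }
    return $rc
}

# Constructed sample inputs, written to a temp dir so the block runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vars.good" <<'EOF'
# comment lines are ignored even though they contain $ and #
set_var EASYRSA_REQ_COUNTRY "IT"
set_var EASYRSA_REQ_ORG "Myfirm S.p.A."
set_var EASYRSA_CERT_EXPIRE 3650
EOF
cat > "$demo_dir/vars.bad" <<'EOF'
set_var EASYRSA_REQ_COUNTRY “IT”
set_var EASYRSA_REQ_ORG "Myfirm & Sons"
EOF
if check_vars_file "$demo_dir/vars.good"; then echo "vars.good: ok"; fi
if check_vars_file "$demo_dir/vars.bad"; then :; else echo "vars.bad: rejected"; fi
```

Run it as `check_vars_file /etc/openvpn/easy-rsa/pki/vars` before `./easyrsa build-ca`; a non-zero exit means the offending lines were printed on stderr with their line numbers.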

cd pki

vim safessl-easyrsa.cnf

change default_days from 825 to 3650

change default_crl_days from 180 to 3650  # so that after 6 months the clients don't stop connecting because the certificate is no longer valid

Certificate lifetime.

cd ..

root@pc0:/etc/openvpn/easy-rsa#./easyrsa gen-dh

* WARNING:

Unsupported  characters are present in the vars file.
These characters are not supported: (') (&) (`) ($) (#)
Sourcing the vars file and building certificates will probably fail ..

* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

Generating DH parameters, 2048 bit long safe prime
[... DH parameter generation progress output trimmed ...]
* Notice:

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/pki/dh.pem

And with this the Diffie-Hellman parameters are generated.

root@pc0:/etc/openvpn/easy-rsa#./easyrsa build-server-full server nopass

* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

[... OpenSSL key generation progress output trimmed ...]
-----
* Notice:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/pki/private/server.key

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 825 days:

subject=
commonName                = server

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/466eb3c1/temp.c0865d32
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Mar 25 08:51:14 2026 GMT (825 days)

Write out database with 1 new entries
Database updated

* Notice:
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/server.crt

Generating the server certificate; the nopass parameter avoids the passphrase prompt.
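Notice that the signing output above still says "for 825 days", even though default_days in safessl-easyrsa.cnf was changed to 3650 a few steps earlier. In Easy-RSA 3 the lifetimes come from the EASYRSA_CERT_EXPIRE and EASYRSA_CRL_DAYS variables (openssl-easyrsa.cnf reads default_days and default_crl_days from them through $ENV), which are set with set_var in vars. Whichever way you set them, verify the issued certificate rather than the config edit. The script below is an added example, not from the post: it assumes openssl is on PATH, and the 30-day self-signed certificate it creates is constructed input, not one of the post's certificates.

```shell
#!/bin/sh
# Added example (not from the post): verify the lifetime of the certificates
# Easy-RSA actually issued instead of trusting a config edit. Assumes
# `openssl` is on PATH; all paths are placeholders or temp files.

# Return 0 if the certificate in $1 stays valid for at least $2 more days,
# 1 if it expires sooner, 2 if openssl is missing or the file is unreadable.
cert_lives_at_least() {
    cert="$1"; days="$2"
    command -v openssl >/dev/null 2>&1 || return 2
    [ -r "$cert" ] || return 2
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Print the notAfter date of a certificate (the same date that
# "Certificate is to be certified until ..." reported at signing time).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Walk pki/issued/*.crt and flag every certificate that falls short of the
# expected lifetime; returns 0 only if all of them pass.
audit_issued_certs() {   # $1 = pki dir, $2 = minimum remaining days
    failed=0
    for crt in "$1"/issued/*.crt; do
        [ -e "$crt" ] || continue        # nothing issued yet
        if cert_lives_at_least "$crt" "$2"; then
            printf 'OK    %s (valid until %s)\n' "$crt" "$(cert_not_after "$crt")"
        else
            printf 'SHORT %s (valid until %s)\n' "$crt" "$(cert_not_after "$crt")"
            failed=1
        fi
    done
    return $failed
}

# Constructed input: a 30-day self-signed certificate in a temp PKI layout.
demo_pki=$(mktemp -d)
mkdir -p "$demo_pki/issued"
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-test" \
        -keyout "$demo_pki/test.key" -out "$demo_pki/issued/test.crt" >/dev/null 2>&1
    audit_issued_certs "$demo_pki" 10   || echo "some certificates are shorter than 10 days"
    audit_issued_certs "$demo_pki" 3000 || echo "some certificates are shorter than 3000 days"
fi
```

Against the real PKI, `audit_issued_certs /etc/openvpn/easy-rsa/pki 3000` tells you at once whether the intended ten-year lifetime took effect; the same `openssl x509 -enddate` check is also a cheap thing to run from cron so that an expiring client certificate is noticed before the client silently stops connecting.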

root@pc0:/etc/openvpn/easy-rsa# openvpn --genkey secret /etc/openvpn/easy-rsa/pki/ta.key

Generating the TLS/SSL pre-shared key.

root@pc0:/etc/openvpn/easy-rsa# ./easyrsa gen-crl
* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

Using configuration from /etc/openvpn/easy-rsa/pki/c06ed74f/temp.25f1295e
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:

* Notice:

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
Generating the certificate revocation list (CRL).

root@pc0:/etc/openvpn/easy-rsa# ./easyrsa build-client-full picinin3 nopass

* Notice:
Using Easy-RSA configuration from: /etc/openvpn/easy-rsa/pki/vars

* Notice:
Using SSL: openssl OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

[... OpenSSL key generation progress output trimmed ...]
-----
* Notice:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/picinin3.req
key: /etc/openvpn/easy-rsa/pki/private/picinin3.key

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 825 days:

subject=
commonName                = picinin3

Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/pki/a19c4363/temp.5b4d6217
Enter pass phrase for /etc/openvpn/easy-rsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'picinin3'
Certificate is to be certified until Mar 25 10:52:54 2026 GMT (825 days)

Write out database with 1 new entries
Database updated

* Notice:
Certificate created at: /etc/openvpn/easy-rsa/pki/issued/picinin3.crt
Creating certificates and keys for the client picinin3 (my battle laptop), and then the same procedure for any other clients that may be needed.

For the client file format, partly for convenience and partly because I wanted to try it on Linux machines too, I chose the unified format.
The only difference for Linux machines is that the extension must be .conf rather than .ovpn.
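A unified-format profile is a single file with ca.crt, the client certificate and key, and ta.key inlined between <ca>, <cert>, <key> and <tls-crypt> tags, so the only per-OS difference is the extension noted above. The script below is an added example, not from the post: it assembles such a profile from the pki directory created earlier. The remote hostname and port, the use of tls-crypt for ta.key (rather than tls-auth with key-direction 1), and the placeholder PEM files it writes for the demo are assumptions, since the post does not show the server side.

```shell
#!/bin/sh
# Added example (not from the post): build a unified-format OpenVPN client
# profile from an Easy-RSA pki directory. Remote host/port and tls-crypt are
# assumptions; the PEM files written by make_placeholder_pki are fakes for
# the demo only.

# Inline only the PEM block: Easy-RSA's issued/*.crt files start with a
# human-readable dump of the certificate that does not belong in a profile.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Linux OpenVPN expects .conf (e.g. under /etc/openvpn/client/), GUIs .ovpn.
profile_name() {   # $1 = client name, $2 = "linux" or anything else
    if [ "$2" = "linux" ]; then echo "$1.conf"; else echo "$1.ovpn"; fi
}

# $1 = pki dir, $2 = client name, $3 = remote host, $4 = output file
build_unified_profile() {
    pki="$1"; client="$2"; remote="$3"; out="$4"
    for f in "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" "$pki/ta.key"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    # The profile embeds a private key: create it readable by the owner only
    # (umask in a subshell so the caller's umask is untouched).
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
EOF
            printf '<ca>\n';        pem_block "$pki/ca.crt";              printf '</ca>\n'
            printf '<cert>\n';      pem_block "$pki/issued/$client.crt";  printf '</cert>\n'
            printf '<key>\n';       pem_block "$pki/private/$client.key"; printf '</key>\n'
            printf '<tls-crypt>\n'; pem_block "$pki/ta.key";              printf '</tls-crypt>\n'
        } > "$out"
    )
}

# Constructed stand-in for a pki directory: fake PEM bodies, real layout.
make_placeholder_pki() {   # $1 = dir, $2 = client name
    mkdir -p "$1/issued" "$1/private"
    printf 'Certificate:\n  Data: (easy-rsa text dump)\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n' > "$1/ca.crt"
    printf 'Certificate:\n  Data: (easy-rsa text dump)\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n' > "$1/issued/$2.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n' > "$1/private/$2.key"
    printf -- '-----BEGIN OpenVPN Static key V1-----\nPLACEHOLDER-TA\n-----END OpenVPN Static key V1-----\n' > "$1/ta.key"
}

demo=$(mktemp -d)
make_placeholder_pki "$demo/pki" picinin3
# vpn.example.com is a placeholder hostname
build_unified_profile "$demo/pki" picinin3 vpn.example.com "$demo/$(profile_name picinin3 linux)"
cat "$demo/picinin3.conf"
```

With the real PKI the call is `build_unified_profile /etc/openvpn/easy-rsa/pki picinin3 <your-public-hostname> picinin3.conf`; copy the result to the client over a channel you trust, since it contains the client's private key, and never reuse one profile for two devices, otherwise revoking one of them revokes both.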

Categorised as: Linux | Networking | Openvpn | Work
