OpenVPN server with several clients

Hello

I am trying to set up OpenWrt as a VPN server. So I followed the steps from:

https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic

I was finally able to get the server up and running and also I can connect a client to the VPN. But:

A) how can I now create another ovpn file for another client?

B) And can I create another ovpn file with another passphrase, so that each connection (or each client) has its own passphrase?

Also I found that there is a package openvpn-easy-rsa. easyrsa seems to be able to generate different ovpn files. But this is different from the steps explained in the openwrt user guide mentioned above.

C) Would it be wiser to create all the certificates with this package instead?

Thank you very much for your help

Sincerely

Claudio

When you are generating your client certs, you can make as many as you want -- each one should just be done with a different name and you'll have unique certs for each device/person, etc, and each one can have its own passphrase. You would want to do this with the same CA as you used to generate your initial keys. If that's not possible (i.e. you no longer have access to your original CA or you made incompatible changes to the CA server), you'll probably need to regenerate all keys/certs if you want to make new ones.

EasyRSA will work fine from a functionality perspective, but there are some warnings about using this package from a security perspective. Instead, it is recommended that you use OpenSSL. But the same thing should apply.

Alternatively, there is a directive in OpenVPN that allows the same client certs to be used on multiple client devices simultaneously. This is not recommended since it is considered dangerous from a security perspective, but if you don't mind the security risk, you can enable this feature.

Actually it's possible to update OpenVPN Basic guide to use Easy-RSA.
It should make PKI-management easier.
If there's no strong reason against it, then it would be for the better.

Okay, that is what I also got from reading, that EasyRSA does the job easier but with a certain security risk.

And all the provided scripts from the OpenWRT user guide are using openssl. So let's try it with openssl... What I use is something like the following two lines:

# Generating Client Cert & Key
openssl req -batch -new -keyout "user-1.key" -out "user-1.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"

# Signing Client Cert
openssl ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "user-1.csr" -out "user-1.crt" -config "$PKI_CONF" -extensions "vpnclient"

Do I need the parameters -subj and -extensions?

And after that just run create-ovpn.sh again to create the config files.

Are those warnings still relevant?

Are you sure?
Official OpenVPN How-To uses Easy-RSA:
https://openvpn.net/community-resources/how-to/

Full disclosure, I have been using certs generated by Easy-RSA. As such, I cannot speak to the OpenSSL process from any personal experience.

Regarding security, though, in this thread, @JW0914 was pretty emphatic that Easy-RSA should not be used.

So I created a new script, based on the create-certs.sh which creates new users:

#!/bin/sh

# Using openssl.cnf
VPN_DIR="/etc/openvpn"
PKI_DIR="$VPN_DIR/ssl"
PKI_CONF="$PKI_DIR/openssl.cnf"

# Show error message (exit, not return: the script is executed, not sourced)
if [ $# != 1 ]
then
    echo "Please provide a user name with this script:"
    echo "Example: ./create-user.sh john"
    exit 1
fi

# Creating new user
cd "$PKI_DIR" || exit 1

# Generating Client Cert & Key
# PASSPHRASE MUST BE SET (4 chars minimum, 16+ chars recommended)
# -subj puts the user name into the CN, so every client gets its own identity
openssl req -batch -new -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" -config "$PKI_CONF"
# Signing Client Cert
# -extensions selects the vpnclient extension section of openssl.cnf
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "$1.csr" -out "$1.crt" -config "$PKI_CONF" -extensions "vpnclient"

# Correcting Permissions
chmod 600 "$1.key"

# Copying Certs & Keys to $VPN_DIR
# The glob must stay outside the quotes, otherwise no file named "$1.*" is found
cp "$1".* "$VPN_DIR"

# Returning to initial working directory
cd -

Just not quite sure if I am using -subj and -extensions parameter correctly here.
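As an added example (my own script, not from the thread or the OpenWrt guide) for the two-command procedure above and the question about -subj and -extensions: it issues one certificate per client with openssl req and openssl ca and then checks what those two options actually produced. Everything it needs is constructed inline: a throwaway CA in a temp directory and a minimal openssl.cnf whose [vpnclient] section stands in for the section of that name in the guide's config, so it runs anywhere openssl is installed. The function names, the CLIENT_PASS environment variable and the sample passphrases are my conventions; on the router the real, passphrase-protected CA under /etc/openvpn/ssl is used instead.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt guide: issue additional
# OpenVPN client certificates with openssl req + openssl ca and check them.
# Builds a throwaway CA in a temp dir from a constructed minimal openssl.cnf
# (its [vpnclient] section plays the role of the guide's section of that name).

pki_init() {
    PKI_DIR=$(mktemp -d)
    PKI_CONF="$PKI_DIR/openssl.cnf"
    # Unquoted heredoc: $PKI_DIR expands now, \$dir is left for openssl.
    cat > "$PKI_CONF" <<EOF
[ ca ]
default_ca = vpnca
[ vpnca ]
dir = $PKI_DIR
new_certs_dir = \$dir
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 3650
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = overridden-by-subj
[ vpnca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ vpnclient ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    : > "$PKI_DIR/index.txt"     # openssl ca's database of issued certs
    echo 01 > "$PKI_DIR/serial"
    # Demo CA with an unencrypted key, because nothing can prompt here.
    openssl req -x509 -batch -nodes -newkey rsa:2048 -days 3650 \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" -subj "/CN=demo-ca" \
        -config "$PKI_CONF" -extensions vpnca_ext >/dev/null 2>&1
}

# issue_client NAME: one key/cert pair per client. NAME becomes the CN, so it
# must be unique; CLIENT_PASS (exported) is that client's own key passphrase.
issue_client() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9._-]*) echo "refusing client name '$name'" >&2; return 1 ;;
    esac
    if [ -e "$PKI_DIR/$name.crt" ]; then
        echo "$name already has a certificate; pick another name" >&2; return 1
    fi
    [ "${#CLIENT_PASS}" -ge 4 ] || { echo "CLIENT_PASS too short" >&2; return 1; }
    # -subj sets the CN that OpenVPN later logs and uses for duplicate-cn and
    # client-config-dir; env: keeps the passphrase out of the process list.
    openssl req -batch -new -newkey rsa:2048 -keyout "$PKI_DIR/$name.key" \
        -out "$PKI_DIR/$name.csr" -subj "/CN=$name" -passout env:CLIENT_PASS \
        -config "$PKI_CONF" >/dev/null 2>&1 || return 1
    # -extensions vpnclient stamps extendedKeyUsage=clientAuth on the cert,
    # which is what a server configured with remote-cert-tls client checks.
    openssl ca -batch -notext -keyfile "$PKI_DIR/ca.key" -cert "$PKI_DIR/ca.crt" \
        -in "$PKI_DIR/$name.csr" -out "$PKI_DIR/$name.crt" -config "$PKI_CONF" \
        -extensions vpnclient >/dev/null 2>&1 || return 1
    chmod 600 "$PKI_DIR/$name.key"
}

# Post-issuance checks: CN as requested, client EKU present, chains to the CA,
# and the private key really is encrypted under the client's passphrase.
client_cn()        { openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject | sed 's/.*CN *= *//'; }
client_eku()       { openssl x509 -in "$PKI_DIR/$1.crt" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'; }
verify_client()    { openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1; }
key_is_encrypted() { grep -q 'ENCRYPTED' "$PKI_DIR/$1.key"; }

main() {
    pki_init
    for name in "$@"; do
        # Constructed per-client passphrase; in practice read it from the user.
        export CLIENT_PASS="passphrase-for-$name"
        issue_client "$name" || continue
        enc=no; key_is_encrypted "$name" && enc=yes
        echo "$name: CN=$(client_cn "$name"); EKU=$(client_eku "$name"); key encrypted: $enc"
        verify_client "$name" && echo "$name: chains to $PKI_DIR/ca.crt"
    done
    echo "files left in $PKI_DIR"
}

# Usage: sh issue-clients.sh alice bob   (the names become the CNs)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Two things the run makes visible: with the guide's hard-coded -subj "/CN=vpnclient" every client would carry the same CN, which is exactly what the -subj "/CN=$1" variant avoids, and without -extensions vpnclient the signed certificate has no clientAuth EKU, so a server using remote-cert-tls client would reject it. The name check and the "already exists" check are there because the script above would otherwise overwrite an existing client's key with a new one.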

Yesterday I went through all the steps to set up an OpenVPN server with several clients using EasyRSA. I can share my steps and help to write this down if this is of general interest.

According to our last discussion on that topic we've come to agreement that security issues have already been resolved: