- Openvpn Generate Certificate
- Openvpn Easy Rsa Windows
- Generate Openvpn File
- Generate Easy Rsa Key Mac Openvpn Login
It is possible to generate your certificates on the router itself if you don't have access to a Linux machine, or if you don't have a Windows client installed with Easy-RSA. Easy-RSA is a simple to use environment that is bundled with OpenVPN, and has been included in Asuswrt-Merlin.
Setting up the environment
I want to generate clients key with PHP. When a client key generated it should give me the expiry date of the key. /etc/openvpn/easy-rsa#./build-key client1.
The first step is to initialize your work environment. Ideally this should be done on a USB disk (formatted to ext2, ext3 or ext4 (for ARM-based devices)), but it can be done in /tmp (make sure you DO keep a copy of everything generated there, because it will be lost the next time you reboot the router!). For this example, we will be using a USB disk mounted under /mnt/sda1. First, copy the easy-rsa scripts by running the following command:
# Change directory to OpenVPN's configuration directory cd /etc/openvpn/ # Copy the easy-rsa directory in the current directory cp -R /usr/share/openvpn/easy-rsa/. # Change to the freshly copied directory cd easy-rsa/2.0/ # To use the generation tool, you need to have in this very current directory an OpenSSL configuration file (openssl.cnf. Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key: openvpn -genkey -secret ta.key. This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines. Sep 28, 2016 Navigate to the 'C:Program FilesOpenVPNeasy-rsa' folder or if you are on x64 'C:Program Files (x86)OpenVPNeasy-rsa' in the command prompt: Press Windows Key + R; Type 'cmd.exe' and press Enter. Cmd.exe Navigate to the correct folder whether it's x32 or x64 system: cd 'C:Program FilesOpenVPNeasy-rsa' cd 'C:Program Files (x86)OpenVPNeasy-rsa' Initialize the. This is a small RSA key management package, based on the openssl command line tool, that can be found in the easy rsa subdirectory of OpenVPN distribution.
setuprsa.sh /mnt/sda1
This will create an easy-rsa folder on your USB disk, and copy all the required scripts there. Then, enter that new directory:
cd /mnt/sda1/easy-rsa
Now step you will probably want to change the default values offered while generating the certificates. Edit the file named 'vars', either through the built-in 'vi' editor (not recommended for novice users), or by installing the 'nano' editor using Optware, or simply by copying the file edited on your computer. The only fields you might want to change are these:
- export KEY_COUNTRY='US'
- export KEY_PROVINCE='CA'
- export KEY_CITY='SanFrancisco'
- export KEY_ORG='Fort-Funston'
- export KEY_EMAIL='[email protected]'
- export [email protected]
- export KEY_CN=changeme
- export KEY_NAME=changeme
- export KEY_OU=changeme
You can also adjust the expiration date for keys if desired. I do not recommend changing the expiration date for the CA, neither the key size - increasing from 1024 bytes will have a performance impact.
Once done, setup the environment by running the script this way:
source ./vars
There, initialize the environment:
./clean-all
Your environment is now ready to be used to generate your certificates.
Generating the certificates
First, you need to generate your Certificate Authority (CA). This will be the 'master' key and certificate, which will be used to sign all client certificates, or revoke their access. Make sure you store this in a safe, secure location (preferably NOT on the router itself!). To generate the CA pair:
./build-ca
The Common Name (CN) is the most important field, as it will be what identifies your router.
Now, we need to build a router key/certificate pair:
./build-key-server server1
Use any name you want instead of 'server1', but make sure that when asked for the Common Name that you enter the exact same name. When asked to sign and to commit the new certificate, answer 'y' to both questions.
Next, let's build one client key/certificate pair. Same procedure (and once again pay attention to the Common Name, which must match the name you are specifying here instead of client1):
![Easy Easy](/uploads/1/2/6/0/126078957/691363688.jpg)
./build-key client1
You can create as many client keypairs as you need. The CA file will be what determines which keys are allowed to connect.
One last thing - we need to generate the Diffie Hellman parameters (DH file), which is used to secure the key exchange between client and router. Run the following command:
./build-dh
This operation can take a minute or two due to the low performance of the router's CPU (compared to a desktop).
All the generated files will now be located in the keys/ subdirectory. Once again, make SURE you copy these in a safe location! You now have all the required keys and certificates to configure your OpenVPN server.
If you need additional information, take a look at this excellent tutorial designed for Tomato.
-no edit made-
This guide covers how to create certificates and keys for OpenVPN server and clients using the EasyRSA tool on MacOS.
The instructions are very similar for most flavours of linux such as Ubuntu once the correct packages are installed (e.g. on Ubuntu:
apt-get install openvpn easy-rsa
).If privacy and security are of the utmost concern, generate all certificates and keys on a “clean” machine and verify the signatures of each download.
Step 1: Resolve MacOS Dependencies
This guide assumes that you’re running MacOS Sierra or later.
XCode and Command Line Tools
Ensure that you have installed the XCode Command Line Tools.
To check, the command
xcode-select -p
outputs a file path beginning with /Applications/Xcode.app/ if they are already installed.If Command Line Tools is not installed, open the Terminal app and enter
xcode-select --install
to trigger the installation app.Another way to trigger the installation app is to attempt to use a command line developer tool such as the GNU C compiler
gcc
(e.g. gcc --version
). If the tools are not installed, you will be greeted by a graphical MacOS installation prompt instead of the expected Terminal output from gcc. You don’t necessarily need the full XCode so you can click the “install” button for just the command line tools.Work your way through the installer and follow Apple’s steps until you can start working with the necessary commands. The CLI commands will become available to you after you agree to all of Apple’s terms and conditions.
If you experience troubles with the next step, assuming that it is the result of some future change by Apple, it may be beneficial to install the full XCode in addition to the CLI tools. It’s available for free on the App Store, but take note that it’s a hefty multi-gigabyte download.
OpenSSL
EasyRSA requires a late-version of the open-source openssl library.
Apple bundles its own crypto libraries in MacOS but these are generally out of date. At the time of writing, the
openssl
command bundled with MacOS is not likely compatible with EasyRSA and will produce errors if you try to use it (note: the binary is at /usr/bin/openssl
).A newer EasyRSA-compatible version of OpenSSL is easy to install with the
brew
package manager (https://brew.sh/). Installing via brew will not clobber or harm the Apple version that’s already on your system. If you need to install brew
, go to the project’s website and follow the simple instructions on the landing page.Assuming you have
brew
installed, open a Terminal and run the command:Brew will download and install openssl to its default package install directory of
/usr/local/Cellar
.The package will be installed in “keg only” mode: brew will not create a symlink for its openssl in
/usr/local/bin
or anywhere else in your $PATH. You will not have a conflicting openssl
command, and Apple’s binary will remain intact.To get EasyRSA to use the openssl binary installed by the brew package, you will need to know its path. Run brew’s package info command and examine the output:
In my example, I could see that openssl resolved to
/usr/local/Cellar/openssl/1.0.2n
. In your case, this may be a different path due to a more recent version being available in the future. Next, inspect this folder to locate the binary and determine the full path to it. In my example case, the full path to the binary was:Note down the correct path to the openssl binary for your case. When configuring EasyRSA in the next step, you will need to specify this path in an
EASYRSA_OPENSSL
variable.Step 2: Download EasyRSA
Go to https://github.com/OpenVPN/easy-rsa/releases and download the latest .tgz version for your Mac.
Save the file to a folder that you wish to work from (your certificates and keys will be generated here) and unpack it using the Archive utility (double click on it in Finder).
Note that the easy-rsa tools were written with traditional linux/unix-type environments in mind and therefore assume that all paths to the scripts have no spaces in them.
Going forward I will assume the path of your unpacked EasyRSA folder is:
~/vpn/easyrsa
. The ‘~’ character is a shortcut to your home folder that works in Terminal, i.e. on a Mac its a placeholder for /Users/your_username
and on a typical linux environment /home/username
.Openvpn Generate Certificate
Step 3: Configure EasyRSA
![Generate Easy Rsa Key Mac Openvpn Generate Easy Rsa Key Mac Openvpn](/uploads/1/2/6/0/126078957/198154561.png)
Assuming that the path of your unpacked EasyRSA folder is:
~/vpn/easyrsa
, open Terminal and navigate to the unpacked folder:Copy the
vars.example
“starter” configuration file to vars
:Now customize the initial “starter” configuration file’s settings in
vars
to reflect your own.Open it in a text editor and look for the following lines. Uncomment them (i.e. delete the preceding
#
character) and fill them in with your appropriate values. Specify something for each field below:Look for the following field and uncomment it:
We’ll be using a 2048-bit key (the current default) for this example so the value will not be changed.
A larger key size is more secure but will result in longer connection + wait times over the VPN. At the time of writing in late 2017, its generally believed that a 2048-bit key is sufficient for most usage scenarios. A 4096-bit key is believed to provide additional privacy vs. more powerful state-sponsored actors.
EasyRSA by default uses the
openssl
binary found in the $PATH. Find the following line, uncomment it, and update the value with the path to the brew-installed openssl
binary from Step 1. For example, in my case, the following line:became:
Step 4: Generate Certificate Authority (CA)
Navigate into your easyrsa/ folder. For example:
Initialize the PKI (public key infrastructure) with the
easyrsa
script. This will create a pki/ subfolder:Create the CA (certificate authority):
You will be prompted to input a Common Name. Input the name server and hit ENTER.
The generated CA certificate can now be found at
pki/ca.crt
.Step 5: Generate Server Certificate + Key + DH Parameters
Assuming you’re still inside your easyrsa/ folder from the previous step, generate your server certificate and key:
The generated server certificate can now be found at:
pki/issued/server.crt
The generated server key can now be found at:
pki/private/server.key
Now generate the Diffie-Hellman (DH) parameters for key exchange. This process can take several minutes depending on your system:
The generated DH parameters can be found at:
pki/dh.pem
.You now have all of the files necessary to configure an OpenVPN server.
Step 6: Generate client credentials
You should generate a unique set of credentials for each and every client that will connect to your VPN. You can repeat this step for any client that you need to create credentials for.
All clients in your setup should have a unique name. Change exampleclient in the following to something descriptive that you will recognize and be able to associate with the user/client:
The generated client certificate:
pki/issued/exampleclient.crt
The generated client key can be found at:
pki/private/exampleclient.key
When distributing credentials to a client, they will need at least these 3 files:
- A client certificate (e.g.
pki/issued/exampleclient.crt
) - The corresponding client key (e.g.
pki/private/exampleclient.key
) - A copy of the CA certificate (
pki/ca.crt
)
These client credentials can be loaded into a VPN app like Tunnelblick or Viscosity along with client configuration information that corresponds to your VPN server’s specific settings.
Understanding client config files
Client configuration information is usually provided in the form of an additional file: a plaintext config file with the
.ovpn
extension. Both Tunnelblick and Viscosity recognize the .ovpn
extension and file format.Later versions of openvpn support specifying all of the client configuration information, client certificate, client key, and CA certificate as demarcated blocks within the config file itself, so that clients only need to be provided with a single
.ovpn
file.Security reminder
It is good to practice to try and keep all
.ovpn
, certificate, and key files as safe as possible with exposure to as few eyes/hands/hard-disks/clouds/etc as possible. Distribute them as securely as you can to your clients/users.Next steps
Now you need a working openvpn server and a client that wishes to connect to your VPN!
I hope this guide was helpful to you. For all the server tutorials out there, as far as I know this is one of the few comprehensive guides out there for creating all required certificates and keys on MacOS.
Router as OpenVPN server
If your openvpn server is your router, you can now login to it’s admin control panel and input the server-related certificate + key + DH parameters that you created above.
Openvpn Easy Rsa Windows
Before you activate the VPN server, ensure that your router’s firmware is up-to-date and that you have set a long and reasonably secure password for the admin user.
Generate Openvpn File
Running your own server
Generate Easy Rsa Key Mac Openvpn Login
If you are planning to setup your own openvpn server, there are numerous other resources available online to guide you through the server installation and configuration process for a variety of different operating systems.
You will find that you need all the keys and certificates that you created by following this guide.
These resources will generally include guidance for crafting
.ovpn
client configuration files to include specific settings that correspond to your server’s particular setup, so that clients can successfully connect.