Openvpn Generate Static Key File

Posted By admin On 13.12.20
  1. Jun 30, 2014 But if you need to support multiple clients simultaneously, you will eventually need to use the OpenVPN TLS/SSL method instead. Generate OpenVPN Static Key. First, we’re going to generate a key and create a profile for the client machine. Then, we’ll configure the VPN server settings within the router, copy the key and ‘Start’ the VPN.
  2. When you have connected to the router, relocate to the directory (for example, cd /etc/easy-rsa/keys/) where you want to store your Static key and use this command: # openvpn -genkey -secret static.key The newly generated Static key will appear in the same directory where you issued the command above. Extracting the key edit edit source.
  3. Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key: openvpn -genkey -secret ta.key. This command will generate an OpenVPN static key and write it to the file ta.key. This key should be copied over a pre-existing secure channel to the server and all client machines.
  4. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port. Generate a static key: openvpn -genkey -secret static.key. Copy the static key to both client and server, over a pre-existing secure channel. Server configuration file dev tun ifconfig 10.8.0.1 10.8.0.2 secret static.key Client.

# You can generate a static OpenVPN key # by selecting the Generate Key option # in the start menu. # # You can also generate key.txt manually # with the following command: # openvpn -genkey secret key.txt # # key must match on both ends of the connection, # so you should generate it on one machine and # copy it to the other over a secure medium.

Translation(s): English - Français - Русский - Polski

Contents

  1. Configuration
    1. Test VPN
  2. Application to a VPN passing through a http proxy

OpenVPN is an SSL/TLS VPN solution. It is able to traverse NAT connections and firewalls. This page explains briefly how to configure a VPN with OpenVPN, from both server-side and client-side.

Install the openvpn package on both client and server.

To enable OpenVPN in the Gnome NetworkManager applet for the taskbar notification area, the additional package network-manager-openvpn-gnome has to be installed:

OpenVPN can authenticate users via user/pass, pre-shared key, certificates, etc.

Test VPN

Test a raw connection.

server test

From a server shell, run

if your client has a static IP#; otherwise, run

You should see console output resembling

While openvpn is running, check your network configuration with sudo ifconfig -a. Output should include

Note that, if you kill openvpn (e.g., with Control-c in its console), you will not see the above network interface.

client test

You may also test with ping.

Static-Key VPN

In the server's /etc/openvpn directory, run the following command to generate a static key:

Copy this static key to the clients /etc/openvpn directory using a secure channel like scp or sftp.

On the server, create a new /etc/openvpn/tun0.conf file and add the following:

Where 10.9.8.x is your VPN subnetwork, 10.9.8.1 will be IP of the server, 10.9.8.2 is IP of client.

On the client, copy /etc/openvpn/static.key from server and create a new /etc/openvpn/tun0.conf file and add the following:

On the server's firewall, open up UDP 1194 (default port).

If you are using ?shorewall, on both devices, add a new VPN zone to represent tun0 and create a default policy for it. This means adding something to the following files in /etc/shorewall:

  • zone
  • interfaces
  • policy

Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.

Start OpenVPN by hand on both sides with the following command:

Openvpn Generate Static Key File Free

You should probably configure your route at this step.

To verify that the VPN is running, you should be able to ping 10.9.8.2 from the server and 10.9.8.1 from the client.

TLS-enabled VPN

In server, copy key generating script from openvpn example to /etc/openvpn and add executable permission:

In Jessie and above easy-rsa is a separate package. So you'll have to install that in addition to openvpn.

On Wheezy:

On Jessie and above:

Edit /etc/openvpn/easy-rsa/vars bottom according to your organization.

Execute the following command:

Create a symbolic link of the OpenSSL config file with the correct version, so it can be used by the commands of Easy-RSA. In Debian Stretch, it can be done by executing the following command:

Remember:

  • only .key files should be kept confidential.
  • .crt and .csr files can be sent over insecure channels such as plaintext email.
  • do not need to copy a .key file between computers.
  • each computer will have its own certificate/key pair.

Generate CERTIFICATE AUTHORITY (CA) CERTIFICATE/KEY:

It will generate ca.crt and ca.key in /etc/openvpn/easy-rsa/keys/ directory.

Generate BUILD AN INTERMEDIATE CERTIFICATE AUTHORITY CERTIFICATE/KEY (optional):

It will generate server.crt and server.key in /etc/openvpn/easy-rsa/keys/, and signed with your root certificate.

Generate BUILD DIFFIE-HELLMAN PARAMETERS (necessary for the server end of a SSL/TLS connection):

Generate key for each client: Use one of the two (build-key or build-key-pass). You'll be asked for 'Enter PEM pass phrase', this is the passphrase you'll need to login at the client.

Generate key with password (this protect the key and request the password every time that you connect to the server), for each client:

It will generate keys in /etc/openvpn/easy-rsa/keys/

Copy the ca.crt, clientname.crt, clientname.key from Server to Client/etc/openvpn/easy-rsa/keys/ directory.

Check OpenVPN RSA Key and code.mixpanel.com VPN for details.

Test the connectivity from command line.

Server:

Client:

If the connection is successful create file configuration.

In Server create /etc/openvpn/server.conf as follows:

Check code.mixpanel.com VPN and rackspace OpenVPN for details.

Create log directory:

Restart OpenVPN.

Note that the /etc/init.d/openvpn script will start an openvpn server for every .conf file in /etc/openvpn/, so if you still have the tun0.conf file from above, rename it to something else than *.conf. In the case of systemd only one openvpn server is started by default.

In Client create /etc/openvpn/client.conf as follows:

(note: you may use graphical vpn tool network-manager UI by providing the key and certificates)

Restart OpenVPN:

Debian Server with Android / iOS devices

OpenVPN can be configured to use with Android / iOS devices.

In Debian Server, create required certificates if you have a fresh installation of ?OpenVpn:

Modify below lines in /etc/openvpn/server.conf:

8.8.8.8 is Google DNS server. You may change to your preferred DNS server.

Test that the configuration works:

If it does, Ctrl-C out of this and restart OpenVPN server to use the new configuration:

Or on systems using systemd:

Create client profile file /etc/openvpn/client.ovpn and attach certificates to it:

Modify below lines in client profile file /etc/openvpn/client.ovpn:

where ?YourServerIp and ?YourServerPort should be changed to your server. Three lines (#ca, #cert, #key) are remarked as the required certificates were attached to the profile file instead of individual files.

e-mail or upload the client configuration file /etc/openvpn/client.ovpn to google drive in order to download to iPhone.

For iOS devices, install OpenVPN Connect client. Then transfer the client configuration file /etc/openvpn/client.ovpn to the device by e-mail or by Google Drive. Open the configuration file in Mail apps or Google Drive apps.

For Android devices, install OpenVPN Connect client. Then copy the client configuration file /etc/openvpn/client.ovpn to the storage of the device. Open the configuration file in OpenVPN apps.

You'll also want to run the server parts of the 'Forward traffic via VPN' steps below. Your phone OpenVPN client should take care of the client parts automatically.

In Server enable runtime IP forwarding:

Edit /etc/sysctl.conf uncomment the following line to make it permanent:

Execute the following command in server for testing:

You may also use the rc.firewall-iptables script from TLDP Masquerade as an alternative.

In client:

If you use graphical client generally you may not need to execute these command.

If everying is working fine, save the iptables rules:

To restore:

add this to startup script. Debian wiki iptables page for details.

By default, all configured VPNs are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. Systemd users may need to run systemctl daemon-reload once to enable new VPNs.

openvpn ifupdown hooks are also available for starting/stopping tunnels using /etc/network/interfaces, e.g.:

See /usr/share/doc/openvpn/README.Debian.gz for more information.

To automatically start a VPN located in /etc/openvpn/client/ or /etc/openvpn/server/, enable openvpn-client@<name>.service or openvpn-server@<name>.service. For instance, a client configuration located in /etc/openvpn/client/vpn0.conf would be automatically started by enabling openvpn-client@vpn0.service.

This part describe how to configure a VPN to pass through a http proxy, which allow only trafic on port 443 (and 80). This use the http_proxy of OpenVPN.

  1. First of all, check that the port 443 isn't already used by another service on your server.
  2. Configure OpenVPN on server side by adding port 443 and proto tcp-server to the configuration file.

  3. Configure OpenVPN on the client side by adding port 443, proto tcp-client and http-proxy 1.1.1.1 8080 to the configuration file.

Where 1.1.1.1 and 8080 are IP and port of your proxy.

  1. Now you should launch OpenVPN on the server and next on the client.
  2. At this time, you should configure routes to use the VPN tunnel:
    • Remove the default route through the proxy: route del default eth0

    • Add default route through your VPN: route add default gw 10.9.8.1 dev tun0

    • You should keep the route to the proxy with: route add 1.1.1.1 eth0

Update your /etc/resolv.conf according to your needs.

TODO

  1. Explain how to enable the management interface (http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html)

  • OpenVPN home-page

  • code.mixpanel.com VPN

  • rackspace OpenVPN

  • openvpn pki how to

  • RSA key Management OpenVPN

  • OpnVPN Howto

  • Ubuntu OpenVPN

  • TLDP Masquerade

  • Other VPN clients

Sometimes, it can be useful to have VPN clients with static ip, for instance when the client is a backup destination for rsync. Here's how to do it on Asus router with Merlin firmware.

Generate Openvpn File

1.1. Generate certs with easy-rsa

You need to generate cert for the server and unique certs for each client using easy-rsa tool. To do so, just follow this tutorial:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Generating-OpenVPN-keys-using-Easy-RSA
Once it is done, just get all the files generated in the [folder you've chosen]/easy-rsa/keys. You can use WinSCP for that.

1.2. Use the generated certs in the router

In the keys folder you've downloaded, there's 3 files for each clients (.csr, .crt, .key), 3 for the server (.csr, .crt, .key), and 3 files related to the certificate authority (ca.crt, ca.key, dh1024.pem). You can ignore the other files.

You now have to use the certs in the server. To do so, in the GUI of the router, go to VPN > VPN Server > Select your server (1 or 2), go to advanced settings,

Then edit the 'Keys and Certificates'.

  • In the Certificate Authority field, paste the content of the ca.crt file.
  • In the Server Certificate, paste the content of the server.crt file (only from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, including those two lines).
  • In the Server Key, paste the content of the server.key file.
  • Finally, in the Diffie Hellman parameters, paste the content of the dh1024.pem.

1.3. Setup ifconfig-pool-persist

Openvpn Generate Static Key File System

Still in the advanced settings in the GUI, add this line in the custom configuration :

Finally, still on this screen, select yes for the 'Manage Client-Specific Options', we'll need this for a later step.

In a terminal, we'll create the ipp.txt file. So:

Then type i to type text and you'll have to create a file like this one:

wth the static ip adresses you want for each client. Use the common names that you've set using easy-rsa. Press ESC then type ZZ to exit vi.

Go back to general settings in the VPN settings in the router GUI. Create usernames and passwords for each clients.

We now have to create ccd files for each client. To do so, create a file per client named after the common name set with easy-rsa in /jffs/configs/openvpn/ccd1.
In this file, just type:

with the static ip adress you want for this client, obviously the same adress than in the ipp.txt file. Use vi to create this file.

Generate A Static Openvpn Key

The server is now set. Back in the router GUI, in the VPN Server page, click on Export OpenVPN Configuration file. Save the client1.ovpn file and edit it.

Openvpn Static Key Ssh

In the end of the file, paste the content of the .crt file of your first client between the tags, and the content of the .key file of your first client between the tags.
Office 365 2019 key generator. Save the file and then use it to connect to your VPN.

Enjoy.