This blog post will walk you through using EasyRSA to create a new certificate authority and the appropriate certs and keys, moving them to the correct location on the Ubiquiti EdgeRouter, and setting the right permissions on them there.
This post is geared for those working in a Windows environment on their PC. Sorry Mac folks, even though this is Mackintosh Tech, OSX isn't in play here.
Much of this is Command Line Interface (CLI) driven, so you'll need to be comfortable working in the Windows Command Prompt as well as the Linux shell on the EdgeRouter via PuTTY.
This post will also go through how to successfully use the EasyRSA application, OpenVPN & OpenSSL to create the keys needed for your EdgeRouter to accept OpenVPN connections.
In Part 2 (coming soon) we will go through how to create the OVPN file so your clients are able to connect to the server.
Part 3 (also coming soon) will cover how to configure the EdgeRouter itself with the OpenVPN connection parameters so it will accept incoming VPN connections.
Prerequisites
1) Install the above prerequisites
a. Putty, WinSCP, Notepad++, OpenVPN & OpenSSL may be installed in their default locations
b. Easy RSA should not be put under C:\Program Files as the permissions within that folder structure require elevation to perform any operation. This results in errors within the easyrsa shell when generating the Certificate Authority (unless you use the “nopass” option.) I have two drives in my laptop (C & D) so I put the Easy RSA folder on the root of the D drive.
2) Within the Easy RSA folder, make a copy of the vars.example file and rename it to vars with no file extension (e.g. no .txt or .example at the end of the filename)
3) In the Easy RSA folder, create a new folder named tmp
4) Edit the vars file with Notepad++ and update the following lines:
a. Uncomment line 62, “set_var EASYRSA_OPENSSL”
i. Set it to: set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL/bin/openssl.exe"
1. The section in quotes is the full path to where the actual executable for openssl resides. Change this portion as relevant to your setup.
b. Uncomment line 72, set_var EASYRSA_PKI "$PWD/pki"
c. Uncomment line 76, set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
i. Change the variable from "$EASYRSA_PKI" to "$PWD/tmp"
1. This is where the temporary files EasyRSA uses will be created and will keep them separated from the rest of the file system.
d. Uncomment line 87, set_var EASYRSA_DN "org"
e. Uncomment lines 95-100 and set them up for your CA, entering your country code, state or province, city and the remaining request fields
i. For example, on line 95 I have mine set to set_var EASYRSA_REQ_COUNTRY "
ii. For me, line 100 reads: set_var EASYRSA_REQ_OU "" (simply an open quote and a close quote with nothing, not even a space, between them).
iii. Setting this up in the vars file will allow you to simply press Enter when going through the creation requests for each certificate if all or most of the variables are consistent for each device you wish to create a certificate for. If any of them need to be different, an email address for example, just adjust that during the certificate creation process.
f. Uncomment line 108: set_var EASYRSA_KEY_SIZE 2048
g. Uncomment line 117: set_var EASYRSA_ALGO rsa
h. Uncomment line 125 and change the number at the end to the number of days you wish your CA to be valid for before it needs renewal: set_var EASYRSA_CA_EXPIRE 3650
i. Uncomment line 129 and change the number at the end to the number of days you wish your certificates themselves to be valid for before they need renewal: set_var EASYRSA_CERT_EXPIRE 825
j. Uncomment line 138 and set the number of days prior to expiration within which you wish to allow individual certificates to be renewed: set_var EASYRSA_CERT_RENEW 30
k. Uncomment line 142: set_var EASYRSA_RAND_SN "yes"
l. Uncomment line 164: set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp"
i. I changed this variable to read $EASYRSA_TEMP_DIR/extensions.tmp instead of $EASYRSA_PKI/extensions.tmp so I could redirect where the temp files go (see step 4c1 above). This is not strictly necessary, but I recommend it as a housekeeping measure.
5) Open an elevated command prompt (make sure to open it with administrator permissions)
6) Navigate to the EasyRSA directory (D:\EasyRSA)
7) Start EasyRSA (EasyRSA-Start.bat)
8) This command clears the Public Key Infrastructure (PKI) directory so you start with a clean slate and a new Certificate Authority. Do not do this if you're adding certs to an already existing CA; it will wipe everything out. In that case, skip step 8 and go down to step 12 to create the client certificate(s)!
a. ./easyrsa init-pki
b. Type “yes” then press Enter to confirm you wish to delete any existing PKI
9) Create the Certificate Authority
a. ./easyrsa build-ca
b. Enter your Certificate Authority pass phrase then confirm it
c. Enter the specific details about your CA
i. Country Name:
ii. State or Province Name:
iii. Locality Name:
iv. Organization Name:
v. Organizational Unit Name: <none / null>
vi. Common Name: <CA Name>
vii. Email address: <appropriate to the user>
10) Create the server certificate
a. ./easyrsa gen-req server (where "server" appears in the command, enter the name you would like to call your server within the infrastructure)
b. Enter the passphrase for the server certificate then confirm it
c. Enter the specific details about the server device
i. Country Name:
ii. State or Province Name:
iii. Locality Name:
iv. Organization Name:
v. Organizational Unit Name:
vi. Common Name:
vii. Email address:
11) Sign the server certificate
a. ./easyrsa sign-req server
b. Type “yes” to sign the request
c. Enter Certificate Authority passphrase
12) Create the client certificate
a. ./easyrsa gen-req client (where "client" appears in the command, enter the name you would like to call this client within the infrastructure; the same name is used when signing the request below)
b. Enter a passphrase of your choice for the client certificate, then confirm it
c. Input the appropriate details about the client device
i. Country Name:
ii. State or Province Name:
iii. Locality Name:
iv. Organization Name:
v. Organizational Unit Name:
vi. Common Name:
vii. Email Address: <appropriate to the user>
d. Sign the request
i. ./easyrsa sign-req client
ii. Type “yes” to sign the request
iii. Enter Certificate Authority passphrase
13) Generate the Diffie-Hellman parameters file (dh.pem), which is used for the key exchange that gives each session its own encryption keys (per-session secrecy)
a. ./easyrsa gen-dh
14) Generate a TLS Auth (ta.key) file to harden the OpenVPN server. With this additional key in place, the OpenVPN server will not even respond to incoming packets unless they carry a valid HMAC signature made with the key file we're about to create.
a. In a different elevated command prompt separate from the one being used by the EasyRSA program, navigate to C:\Program Files\OpenVPN\bin
b. Input the following command: openvpn --genkey --secret ta.key
c. Move the ta.key file from C:\Program Files\OpenVPN\bin to D:\EasyRSA\pki
15) Remove the passphrase from the .key files
a. In a different elevated command prompt separate from the one being used by the EasyRSA program (you may use the elevated command prompt from step 14 above), navigate to C:\Program Files\OpenSSL\bin
b. Input the following command: openssl rsa -in "insert appropriate file name here.key" -out "insert appropriate file name here-nopass.key"
i. This needs to be done for the server private key file as well as any client private key files
16) Repeat steps 12 & 13 for any additional client certificates which need to be created
17) Using WinSCP, copy the CA, server and client certificates and key files, Diffie-Hellman and TLS Auth files to the EdgeRouter
a. Open WinSCP and connect to the router
b. Copy the ca.crt file to /config/auth
i. ca.crt is located under D:\EasyRSA\pki
c. Copy the servername
i. servername.crt is located under D:\EasyRSA\pki\issued
ii. servername
d. Copy the dh.pem file to /config/auth
i. dh.pem is located under D:\EasyRSA\pki
e. Copy the ta.key file to /config/auth
i. ta.key is located under D:\EasyRSA\pki (remember we moved it here in step 14.c above)
18) Open Putty and connect to the EdgeRouter
a. Log in with appropriate credentials
19) Change the filename of the individual server key file from
a. Type mv server
20) Use the dos2unix command on the EdgeRouter to convert the line endings (CR/LF) of each file from DOS to Unix format
a. Change to the /config/auth folder in Putty
b. Type sudo dos2unix -u ca.crt and press Enter
c. Type sudo dos2unix -u servername
d. Type sudo dos2unix -u servername
e. Type sudo dos2unix -u dh.pem
f. Type sudo dos2unix -u ta.key
21) Change the ownership of the files under /config/auth so they are owned by the root user
a. Type sudo chown root * and press Enter (that's an asterisk after the word root)
22) Change the permissions of the files under /config/auth so they are not readable or writeable by users other than root
a. Type sudo chmod 600 * and press Enter (that's an asterisk after the number 600)
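As an added check on the router-side work in steps 20 through 22 (this script is mine, not from the original post), here is a POSIX sh script that strips CR bytes the way dos2unix does, applies root ownership and mode 600, verifies each file ended up that way, and, when openssl is installed, confirms each issued certificate chains to ca.crt and matches its private key. It assumes the file names used in the post and that each key is named after its certificate (servername.crt alongside servername.key); the directory is passed as an argument so it can be dry-run on any machine.

```shell
#!/bin/sh
# Added example, not from the original post: normalise, lock down and
# sanity-check the files staged in /config/auth (steps 20-22 of the post).
set -eu

# Replacement for dos2unix: strip every CR so the PEM files end in LF only.
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Number of CR bytes left in a file (0 means it is in Unix format).
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Steps 21/22: root-owned (only possible when running as root), mode 600.
lock_down() {
    if [ "$(id -u)" -eq 0 ]; then chown root "$1"; fi
    chmod 600 "$1"
}

# Returns 0 if the file is CR-free and exactly mode 600, 1 otherwise.
check_file() {
    [ "$(count_cr "$1")" -eq 0 ] || { echo "CR bytes left in $1" >&2; return 1; }
    [ -n "$(find "$1" -perm 600 -print)" ] || { echo "$1 is not mode 600" >&2; return 1; }
}

# Optional: each issued cert must chain to ca.crt and match its key (RSA
# moduli compared, as the post uses EASYRSA_ALGO rsa). Skipped without openssl.
verify_with_openssl() {
    dir="$1"; command -v openssl >/dev/null 2>&1 || return 0
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] && [ "$crt" != "$dir/ca.crt" ] || continue
        openssl verify -CAfile "$dir/ca.crt" "$crt" >/dev/null
        key="${crt%.crt}.key"   # assumption: key named after its cert (step 19)
        [ -f "$key" ] || continue
        [ "$(openssl x509 -noout -modulus -in "$crt")" = \
          "$(openssl rsa -noout -modulus -in "$key")" ] ||
            { echo "$key does not match $crt" >&2; return 1; }
    done
}

harden_auth_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        strip_crlf "$f"; lock_down "$f"; check_file "$f"
    done
    verify_with_openssl "$1"
}

# On the router: sudo sh harden_auth.sh /config/auth
if [ -n "${1:-}" ]; then harden_auth_dir "$1"; fi
```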
That should do it! Now you've got an OpenVPN Certificate Authority with properly created certs and keys for your clients, and you have set their permissions securely on the EdgeRouter. Great work!