====== OpenVPN ======

===== CA =====

pacman -S easy-rsa
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa init-pki
easyrsa build-ca
# The CA cert and key will be generated
# see /etc/easy-rsa/pki/ca.crt
# and /etc/easy-rsa/pki/private/ca.key
# (only ca.crt is copied below; ca.key stays on the CA machine)

# copy the CA cert to the openvpn directory
cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/ca.crt

===== Server/Client Cert =====

# cert requests (nopass: the private keys are written unencrypted)
easyrsa gen-req servername nopass
easyrsa gen-req clientname nopass

# sign the requests with the CA (server vs. client type)
easyrsa sign-req server servername
easyrsa sign-req client clientname

# the generated files will be saved to:
/etc/easy-rsa/pki/reqs/servername.req
/etc/easy-rsa/pki/private/servername.key
/etc/easy-rsa/pki/issued/servername.crt
/etc/easy-rsa/pki/reqs/clientname.req
/etc/easy-rsa/pki/private/clientname.key
/etc/easy-rsa/pki/issued/clientname.crt

# copy the server cert and key to the openvpn server directory
# (keep the copied key's permissions restrictive)
cp /etc/easy-rsa/pki/issued/servername.crt /etc/openvpn/server/servername.crt
cp /etc/easy-rsa/pki/private/servername.key /etc/openvpn/server/servername.key

===== DH =====

openssl dhparam -out /etc/openvpn/server/dh.pem 2048

===== HMAC =====

openvpn --genkey --secret /etc/openvpn/server/ta.key

===== Conf =====

cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server/server.conf

# add the following for a stronger cipher/TLS configuration
# (the tls-cipher list is in preference order: the GCM suites first,
#  the CBC suites as fallback)
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

# share port 443 with another TCP service
proto tcp
port 443
port-share 127.0.0.1 4443 # e.g. nginx listening on port 4443

===== NAT =====

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

===== OpenSC =====

# combine the client cert and key into p12 format
openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes

# import the cert and key into the yubikey (PIV slot 9a)
yubico-piv-tool -s 9a -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k

# show the pkcs11 id
openvpn --show-pkcs11-ids opensc-pkcs11.so

# client config: replace the cert and key section with the following
pkcs11-id piv_II/PKCS.................... # replace this with the id from the previous command's output
pkcs11-providers opensc-pkcs11.so