====== OpenVPN ======

===== CA =====
<code bash>
pacman -S easy-rsa
cd /etc/easy-rsa
export EASYRSA=$(pwd)
easyrsa init-pki
easyrsa build-ca

# The CA cert and key will be generated
# see /etc/easy-rsa/pki/ca.crt
# and /etc/easy-rsa/pki/private/ca.key

# copy the CA cert to the openvpn directory
cp /etc/easy-rsa/pki/ca.crt /etc/openvpn/server/ca.crt
</code>

===== Server/Client Cert =====
<code bash>
# cert request
easyrsa gen-req servername nopass
easyrsa gen-req clientname nopass

# self-sign
easyrsa sign-req server servername
easyrsa sign-req client clientname

# the generated cert will be saved to：
/etc/easy-rsa/pki/reqs/servername.req
/etc/easy-rsa/pki/private/servername.key
/etc/easy-rsa/pki/issued/servername.crt

/etc/easy-rsa/pki/reqs/clientname.req
/etc/easy-rsa/pki/private/clientname.key
/etc/easy-rsa/pki/issued/clientname.crt

# copy the server cert to the openvpn server directory
cp /etc/easy-rsa/pki/issued/servername.crt /etc/openvpn/server/servername.crt
cp /etc/easy-rsa/pki/private/servername.key /etc/openvpn/server/servername.key
</code>

===== DH =====
<code bash>
openssl dhparam -out /etc/openvpn/server/dh.pem 2048
</code>

===== HMAC =====
<code bash>
openvpn --genkey --secret /etc/openvpn/server/ta.key
</code>

===== Conf =====
<code bash>
cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server/server.conf

# add following for better cipher
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

# shared port 443
proto tcp
port 443
port-share 127.0.0.1 4443 # e.g. nginx open port at 4443
</code>

===== NAT =====
<code bash>
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
</code>

===== OpenSC =====
<code bash>
# combine cert into p12 format
openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes
# import cert into yubikey
yubico-piv-tool -s 9a -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k
# show id
openvpn --show-pkcs11-ids opensc-pkcs11.so
# client config: replace cert and key section with following
pkcs11-id piv_II/PKCS.................... # replace this with the id in the previous command output
pkcs11-providers opensc-pkcs11.so
</code>