SupereasyRSA - the easiest way to get an OpenVPN configuration using easyrsa3

SupereasyRSA - the easiest way to get an OpenVPN configuration using easyrsa3

Warning 20210818: I am not using OpenVPN at all anymore and would tend to recommend you to switch to Wireguard instead. I wrote a small script to help in Wireguard's configuration for mesh VPN in OpenBSD 6.9.

update: While this was "supereasy" a few years ago, Wireguard is now out and has replaced OpenVPN in all my setups.

I recently had to reinstall a VPN on the latest OpenBSD, using the latest easyRSA.
As I had to fiddle to things to get everything to work, please find my solution hereby.

I you just want to get things going, you can get my summary script at: supereasyrsa on github

If you come through some trouble or want some details, go through this:

Generating a secure VPN infrastructure with easy-rsa 3.

First get easy-rsa, doing
git clone git://github.com/OpenVPN/easy-rsa
The only folder that we really need is the easyrsa folder, and we will need two copies of that folder
For security measures, I uncomment and set change key size to 4096 in vars.example
#set_var EASYRSA_KEY_SIZE 2048
by
set_var EASYRSA_KEY_SIZE 4096
and then rename this file to vars (so that it is taken into account for the next steps)
mv vars.examples vars
We will build our test architecture as following:
mkdir -p VPN_test/server VPN_test/clients cp -R easy-rsa/easyrsa3/* VPN_test/clients cp -R easy-rsa/easyrsa3/* VPN_test/server
At this point, our infrastructure is in place, now we need to generate keys.
First wel will generate the client keys and requests in the client directory.
Then we will generate server and shared keys in the server directory, and finally we will accept the client requests in the serv dir.
1. generate the client keys:
cd VPN_test/clients ./easyrsa init-pki ./easyrsa gen-req Client_01 ./easyrsa gen-req Client_02 ./easyrsa gen-req Backup nopass#You will be prompted to give a password for Client_01 and Client_02, while Backup is assumed to be another server that needs authentication without someone typing a password
2. Build the CA for the signing
cd ../VPN_test/server ./easyrsa init-pki ./easyrsa build-ca#set a STRONG passphrase for this PEM – it will be required to accept requests later
#We then generate a certificate for the server
./easyrsa gen-req MyServer nopass
#And request to sign it as server type
./easyrsa sign-req server MyServer
3. We generate a DH parameter and a ta.key as following (If you didn’t switch to 4096, then use 2048)
openssl dhparam -out dh4096.pem 4096 /usr/sbin/openvpn –genkey –secret ta.key
4. We import and sign all our clients requests (for each one, you will have to say yes and give the STRONG PEM passphrase mentioned in 2.
for cliient in $(ls ../clients/pki/reqs/|sed -e ‘s/.req//g’); do ./easyrsa import-req ../clients/pki/reqs/$cliient.req $cliient ./easyrsa sign-req client $cliient done
Once this is done, you should have all the keys required, All you need is the right config with the right files at the right space.
Server:
cat /etc/openvpn/server.conf
local 10.10.10.2 port 1194 proto udp dev tun0 daemon ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/TR_Server.crt key /etc/openvpn/keys/TR_Server.key dh /etc/openvpn/keys/dh4096.pem tls-auth /etc/openvpn/keys/ta.key 0 #0 for server remote-cert-tls client #very important server 10.5.2.0 255.255.255.0 #the range that will be given to vpn clients ifconfig-pool-persist ipp.txt push “route 192.168.1.0 255.255.255.0” #the internal network they will have access to push “dhcp-options DNS 192.168.1.15” #the internal dns they will use keepalive 10 120 cipher BF-CBC comp-lzo max-clients 10 user _openvpn group _openvpn persist-key persist-tun status openvpn-status.log log /etc/openvpn/openvpn.log log-append /etc/openvpn/openvpn.log verb 1 client-config-dir /etc/openvpn/ccd ls keys/ MyServer.crt # from server/pki/issed/ MyServer.key # from server/pki/private/ ca.crt # from server/pki/ dh4096.pem # from server/ ta.key # from server/ #You can also push the routes through having a ccd dir with the right definitions: cat ccd/client_01 iroute 10.5.2.0 255.255.255.0

Next we go on the client,
Client:
cat client.conf client remote 1.2.3.4 1194 proto udp dev tun0 keepalive 10 120 nobind persist-key persist-tun cipher BF-CBC ca keys/ca.crt cert keys/client.crt key keys/client.key dh keys/dh4096.pem tls-auth keys/ta.key 1 remote-cert-tls server comp-lzo status openvpn-status.log verb 1 log openvpn.log ls keys/ ca.crt # from server/pki/ client.crt # the right one from server/pki/issued/ client.key # the right one from clients/pki/private/ dh4096.pem from server/ ta.key from server/
And starting openvpn on both with:
/usr/local/sbin/openvpn –config /etc/openvpn/server.conf >/dev/null 2>&1 # on the server
and
openvpn –config client.conf # on the client
should now be working.