Server

Copying files

Acting as the CA, we created some files that now need to be copied to the OpenVPN server.

(server)_$: mkdir -p /etc/openvpn/server
(server)_$: cp /etc/openvpn/ca/keys/{ca.crt,dh2048.pem,ta.key} /etc/openvpn/server
(server)_$: cp /etc/openvpn/ca/keys/{server.dcere.com.crt,server.dcere.com.key} /etc/openvpn/server

Create an OpenVPN profile

/etc/openvpn/proxy-certs.conf:
------------------------------
# Server
server 10.200.0.0 255.255.255.0
tls-server

# Networking
topology subnet
dev tun

# Certificates
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dh2048.pem
cert /etc/openvpn/server/server.dcere.com.crt
key /etc/openvpn/server/server.dcere.com.key

# Extra security
tls-auth /etc/openvpn/server/ta.key 0

Run the server

(server)_$: openvpn --config /etc/openvpn/proxy-certs.conf

Client: Desktop

Get files from the CA

We will need the following files from the CA:

  • ca.crt
  • ta.key
  • desktop.dcere.com.crt
  • desktop.dcere.com.key

(client)_$: mkdir -p /etc/openvpn/client
(client)_$: cp ca.crt ta.key /etc/openvpn/client
(client)_$: cp desktop.dcere.com.crt desktop.dcere.com.key /etc/openvpn/client

Create an OpenVPN profile

/etc/openvpn/proxy-certs.conf:
------------------------------
# Client
client

# Server
remote <server IP address>
remote-cert-tls server

# Networking
dev tun

# Certificates
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/desktop.dcere.com.crt
key /etc/openvpn/client/desktop.dcere.com.key

# Extra security
# Key direction: clients use 1, the server uses 0
tls-auth /etc/openvpn/client/ta.key 1

Run the client

(client)_$: openvpn --config /etc/openvpn/proxy-certs.conf
(client)_$: ping 10.200.0.1

Client: Smartphone

Get files from the CA

We will need the following files from the CA:

  • ca.crt
  • ta.key
  • smartphone.dcere.com.crt
  • smartphone.dcere.com.key

(client)_$: mkdir -p /etc/openvpn/client
(client)_$: cp ca.crt ta.key /etc/openvpn/client
(client)_$: cp smartphone.dcere.com.crt smartphone.dcere.com.key /etc/openvpn/client

Create an OpenVPN profile

On Android we will use the OpenVPN Connect app. That app requires the configuration file to have a .ovpn extension, so that will change things just a little bit.

Since we want all network traffic from smartphones to go through the VPN server, we must use the redirect-gateway and dhcp-option arguments.

In order to have a single file to copy to our smartphone, we will include the certificates and keys directly in the OpenVPN profile.

/etc/openvpn/smartphone.ovpn:
-----------------------------
# Client
client

# Server
remote <server IP address>
remote-cert-tls server

# Networking
dev tun
redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4

# Certificates
<ca>
-----BEGIN CERTIFICATE-----
# Contents from /etc/openvpn/client/ca.crt
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# Contents from /etc/openvpn/client/smartphone.dcere.com.crt
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
# Contents from /etc/openvpn/client/smartphone.dcere.com.key
-----END RSA PRIVATE KEY-----
</key>

# Extra security
key-direction 1
<tls-auth>
# Contents from /etc/openvpn/client/ta.key
</tls-auth>
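
The single-file profile above can also be assembled by a script instead of pasting each file by hand. This is an added example, not part of the original tutorial: the function names pem_only and build_ovpn are hypothetical, and it assumes the file names and profile layout used on this page.

```shell
#!/bin/sh
# Added example: build a single-file .ovpn profile from the files issued by the CA.
# Usage: build_ovpn <dir> <client-name> <server-address> <output.ovpn>

# Print only the PEM block of a file. Certificates and ta.key may carry
# human-readable text before the BEGIN line that does not belong inline.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

build_ovpn() {
    dir=$1 name=$2 server=$3 out=$4

    # Refuse to write a half-filled profile if any input is missing.
    for f in ca.crt ta.key "$name.crt" "$name.key"; do
        [ -r "$dir/$f" ] || { echo "missing: $dir/$f" >&2; return 1; }
    done

    # The profile embeds the private key: create it readable by its owner only.
    (
        umask 077
        rm -f "$out"
        {
            printf '# Client\nclient\n\n'
            printf '# Server\nremote %s\nremote-cert-tls server\n\n' "$server"
            printf '# Networking\ndev tun\nredirect-gateway def1\n'
            printf 'dhcp-option DNS 8.8.8.8\ndhcp-option DNS 8.8.4.4\n\n'
            printf '# Certificates\n'
            printf '<ca>\n';   pem_only "$dir/ca.crt";    printf '</ca>\n\n'
            printf '<cert>\n'; pem_only "$dir/$name.crt"; printf '</cert>\n\n'
            printf '<key>\n';  pem_only "$dir/$name.key"; printf '</key>\n\n'
            # Clients use key direction 1; the server side uses 0.
            printf '# Extra security\nkey-direction 1\n'
            printf '<tls-auth>\n'; pem_only "$dir/ta.key"; printf '</tls-auth>\n'
        } > "$out"
    )
}
```

For the smartphone on this page the call would be: build_ovpn /etc/openvpn/client smartphone.dcere.com <server IP address> /etc/openvpn/smartphone.ovpn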

Transfer files to your smartphone

We will need to copy the following file:

  • /etc/openvpn/smartphone.ovpn

A good place might be the Download folder of your smartphone, but since we are going to connect our smartphone to the computer we can take the time to create a new directory (e.g. OpenVPN).

Import your profile

Tap on OpenVPN -> […] -> Import -> Import Profile from SD card -> Download (or OpenVPN) -> smartphone.ovpn

Tap on the Connect button. If it connects, you will see some stats:

Connection stats:
  Duration: 0:00:03
  Packet received: 3 seconds ago
  Bytes in: 7.46 KB
  Bytes out: 4.66 KB

Check

Go to http://api.ipify.org and check that the IP address shown is that of your VPN server.