Hi,
Six minor improvements, could probably be made on commit.

One comment: This tutorial will not work on Windows because it relies on a bashism to generate the self-signed certs. There is no mention of that anywhere, maybe it could be pointed out somewhere?

Other than that, excellent work!

And for the record: Easy-TLS can create these cert/keys and share fingerprints to relevant inline files with relative ease.
https://github.com/TinCanTech/easy-tls

Sent with ProtonMail Secure (but still git unfriendly) Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 28th, 2021 at 16:49, Arne Schwabe <a...@rfc2549.org> wrote:

> This is meant to give new users a quickstart for a useable OpenVPN
quickstart -> quick start
> setup. Our own documentation is lacking in this regard and many
> tutorials that can be found online are often questionable in some
> aspects.
>
> Linking the individaul RST file on github also give a tutorial
individual (au->ua)
> in a nicely formatted way.
>
> Patch V2: Fix grammar/spelling mistakes (thanks ticantech), move
tincantech
> to openvpn-examples(5).
>
> Patch v3: use server.key and server.crt instead of server.pem/serverkey.pem
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> --- > Changes.rst | 4 + > doc/Makefile.am | 1 + > doc/man-sections/example-fingerprint.rst | 196 +++++++++++++++++++++++ > doc/openvpn-examples.5.rst | 1 + > 4 files changed, 202 insertions(+) > create mode 100644 doc/man-sections/example-fingerprint.rst > > diff --git a/Changes.rst b/Changes.rst > index 9185b55f7..5ac24307f 100644 > --- a/Changes.rst > +++ b/Changes.rst
> @@ -25,6 +25,10 @@ Certificate pinning/verify peer fingerprint > fingerprint of the peer. The option takes use a number of allowed > SHA256 certificate fingerprints. > > + See the man page section "Small OpenVPN setup with peer-fingerprint" > + for a tutorial on how to use this feature. This is also available onl= > ine > + under https://github.com/openvpn/openvpn/blob/master/doc/man-sections= > /example-fingerprint.rst > + > TLS mode with self-signed certificates > When ``--peer-fingerprint`` is used, the ``--ca`` and ``--capath`` op= > tion > become optional. This allows for small OpenVPN setups without setting= > up > diff --git a/doc/Makefile.am b/doc/Makefile.am > index 1e4fcdea3..1a67f7b52 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -31,6 +31,7 @@ dist_noinst_DATA =3D \ > man-sections/client-options.rst \ > man-sections/connection-profiles.rst \ > man-sections/encryption-options.rst \ > + man-sections/example-fingerprint.rst \ > man-sections/examples.rst \ > man-sections/generic-options.rst \ > man-sections/inline-files.rst \ > diff --git a/doc/man-sections/example-fingerprint.rst b/doc/man-sections/e= > xample-fingerprint.rst > new file mode 100644 > index 000000000..ba948dd07 > --- /dev/null > +++ b/doc/man-sections/example-fingerprint.rst 
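Review bot: The Changes.rst hunk tells readers to "See the man page section "Small OpenVPN setup with peer-fingerprint"" without naming the man page; the section is included into doc/openvpn-examples.5.rst (the last hunk of this patch), not into openvpn(8), so say so here, e.g. `See the section "Small OpenVPN setup with peer-fingerprint" in openvpn-examples(5)`. The GitHub link also points at master, so the release notes will reference whatever the file looks like later rather than the version that shipped; a tag-based URL, or the man page reference alone, ages better.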
> @@ -0,0 +1,196 @@ > +Small OpenVPN setup with peer-fingerprint > +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > +This section consists of instructions how to build a small OpenVPN setup = > with the > +:code:`peer-fingerprint` option. This has the advantage of being easy to = > setup > +and should be suitable for most small lab and home setups without the nee= > d for a PKI. > +For bigger scale setup setting up a PKI (e.g. via easy-rsa) is still reco= > mmended. > + > +Both server and client configuration can of be further modified to custom= "can of be" -> can be Also, it could simply read: "can be further customised." > ise the > +setup. > + > +Server setup > +------------ > +1. Install openvpn > + > + Compile from source-code (see `INSTALL` file) or install via a distrib= > ution (apt/yum/ports) > + or via installer (Windows). The following method does not work in Windows. > + > +2. Generate a self-signed certificate for the server: > + :: > + > + openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyo= > ut server.key -out server.crt -nodes -sha256 -days 3650 -subj '/CN=3Dserve= > r' > + > +3. Generate SHA256 fingerprint of the server certificate > + > + Use the OpenSSL command line utility to view the fingerprint of just > + created certificate: > + :: > + > + openssl x509 -fingerprint -sha256 -in server.crt -noout > + > + This output something similar to: > + :: > + > + SHA256 Fingerprint=3D00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff= > :00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > + > +3. 
Write a server configuration (`server.conf`): > +:: > + > + # The server certificate we created in step 1 > + cert server.crt > + key server.key > + > + dh none > + dev tun > + > + # Listen on IPv6+IPv4 simultaneously > + proto udp6 > + > + # The ip address the server will distribute > + server 10.8.0.0 255.255.255.0 > + server-ipv6 fd00:6f76:706e::/64 > + > + # A tun-mtu of 1400 avoids problems of too big packets after VPN enca= > psulation > + tun-mtu 1400 > + > + # The fingerprints of your clients. After adding/removing one here re= > start the > + # server > + <peer-fingerprint> > + </peer-fingerprint> > + > + # Notify clients when you restart the server to reconnect quickly > + explicit-exit-notify 1 > + > + # Ping every 60s, restart if no data received for 5 minutes > + keepalive 60 300 > + > +4. Add at least one client as described in the client section. > + > +5. Start the server. > + - On systemd based distributions move `server.crt`, `server.key` and > + `server.conf` to :code:`/etc/openvpn/server` and start it via syste= > mctl > + > + :: > + > + sudo mv server.conf server.key server.crt /etc/openvpn/server > + > + sudo systemctl start openvpn-server@server > + > +Adding a client > +--------------- > +1. Install OpenVPN > + > +2. Generate a self-signed certificate for the client. In this example the= > client > + name is alice. Each client should have a unique name. Replace alice wi= > th a > + different name for each client. > + :: > + > + openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -no= > des -sha256 -days 3650 -subj '/CN=3Dalice' > + > + This generate a certificate and a key for the client. The output of th= > e command will look > + something like this: > + :: > + > + -----BEGIN PRIVATE KEY----- > + [base64 content] > + -----END PRIVATE KEY----- > + ----- > + -----BEGIN CERTIFICATE----- > + [base 64 content] > + -----END CERTIFICATE----- > + > + > +3. Create a new client configuration file. 
In this example we will name t= > he file > + `alice.ovpn`: > + > + :: > + > + # The name of your server to connect to > + remote yourserver.example.net > + client > + # use a random source port instead the fixed 1194 > + nobind > + > + # Uncomment the following line if you want to route > + # all traffic via the VPN > + # redirect-gateway def1 ipv6 > + > + # To set a a DNS server a a ! > + # dhcp-option DNS 192.168.234.1 > + > + <key> > + -----BEGIN PRIVATE KEY----- > + [Insert here the key created in step 2] > + -----END PRIVATE KEY----- > + </key> > + <cert> > + -----BEGIN CERTIFICATE----- > + [Insert here the certificate created in step 2] > + -----END CERTIFICATE----- > + </cert> > + > + # This is the fingerprint of the server that we trust. We generated= > this fingerprint > + # in step 2 of the server setup > + peer-fingerprint 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00= > :11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff > + > + # The tun-mtu of the client should match the server MTU > + tun-mtu 1400 > + dev tun > + > + > +4. Generate the fingerprint of the client certificate. For that we will > + let OpenSSL read the client configuration file as the x509 command wil= > l > + ignore anything that is not between the begin and end markers of the c= > ertificate: > + > + :: > + > + openssl x509 -fingerprint -sha256 -noout -in alice.ovpn > + > + This will again output something like > + :: > + > + SHA256 Fingerprint=3Dff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11= > :00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00 > + > +5. 
Edit the `server.conf` configuration file and add this new client > + fingerprint as additional line between :code:`<peer-fingerprint>` > + and :code:`</peer-fingerprint>` > + > + After adding *two* clients the part of configuration would look like t= > his: > + > + :: > + > + <peer-fingerprint> > + ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:9= > 9:88:77:66:55:44:33:22:11:00 > + 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:3= > 3:22:11:00:88:77:66:55:44:33 > + </peer-fingperint> > + > +6. (optional) if the client is an older client that does not support the > + :code:`peer-fingerprint` (e.g. OpenVPN 2.5 and older, OpenVPN Connect = > 3.3 > + and older), the client config `alice.ovpn` can be modified to still wo= > rk with > + these clients. > + > + Remove the line starting with :code:`peer-fingerprint`. Then > + add a new :code:`<ca>` section at the end of the configuration file > + with the contents of the :code:`server.crt` created in step 2 of the > + server setup. The end of `alice.ovpn` file should like: > + > + :: > + > + [...] # Beginning of the file skipped > + </cert> > + > + # The tun-mtu of the client should match the server MTU > + tun-mtu 1400 > + dev tun > + > + <ca> > + [contents of the server.crt] > + </ca> > + > + Note that we put the :code:`<ca>` section after the :code:`<cert>` sec= > tion > + to make the fingerprint generation from step 4 still work since it wil= > l > + only use the first certificate it find. 'it find' -> found > + > +7. Import the file into the OpenVPN client or just use the > + :code:`openvpn alice.ovpn` to start the VPN. > diff --git a/doc/openvpn-examples.5.rst b/doc/openvpn-examples.5.rst > index 988b6027b..0e1b6c4f6 100644 > --- a/doc/openvpn-examples.5.rst > +++ b/doc/openvpn-examples.5.rst 
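Review bot: The two-client example in step 5 of "Adding a client" closes the block with `</peer-fingperint>` instead of `</peer-fingerprint>`, so a server.conf copied from it never finds the end of the inline block; fix the tag. In the same file the server steps are numbered 1, 2, 3, 3, 4, 5 and the cross-references were not kept in sync with that: the server.conf comment says "The server certificate we created in step 1" (it is step 2), and alice.ovpn says the server fingerprint comes from "step 2 of the server setup" (it is step 3). The literal block after "3. Write a server configuration" starts with `::` at column 0 rather than indented under the item like the other steps, which pushes the whole config out of the enumerated list in the rendered man page. The client config comment "# To set a a DNS server a a !" is garbled. Finally, since step 2 of the server setup writes server.key with the caller's umask and alice.ovpn ends up carrying a private key in the clear, one sentence about keeping those files 0600 and handing alice.ovpn to the client over a trusted channel would suit the "small setup" audience this tutorial targets.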
> @@ -14,4 +14,5 @@ INTRODUCTION > > This man page gives a few simple examples to create OpenVPN setups and co= > nfiguration files. > > +.. include:: man-sections/example-fingerprint.rst > .. include:: man-sections/examples.rst > -- > 2.32.0
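The bashism this reply points at is the `ec:<(openssl ecparam ...)` process substitution in the tutorial's `openssl req` commands. As an added example (not code from the reply, the patch or the OpenVPN project), here is a POSIX sh version of the same certificate and fingerprint steps, with two helpers a small deployment benefits from: one that pulls only the `<cert>` block out of a profile before fingerprinting it, so the legacy `<ca>` variant from step 6 cannot make `openssl x509` pick the wrong certificate, and one that checks a fingerprint against the `<peer-fingerprint>` block of server.conf. The `demo` function builds everything in a temporary directory from constructed data; `vpn.example.net`, the client name `alice` and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from this reply, the patch or the OpenVPN project.
# A POSIX-sh take on the tutorial's certificate and fingerprint steps that
# avoids the bash-only "ec:<(openssl ecparam ...)" process substitution,
# plus two helpers for the peer-fingerprint bookkeeping.  File names, the
# host name and the temporary directory are placeholders.

# Generate a secp384r1 key and a self-signed certificate in two steps
# (no process substitution, so dash, Git Bash and busybox sh all work).
# The subshell's umask keeps <name>.key and <name>.crt at mode 0600.
make_selfsigned() {  # make_selfsigned <name> <outdir>
    ( umask 077 &&
      openssl ecparam -name secp384r1 -genkey -noout -out "$2/$1.key" &&
      openssl req -x509 -new -key "$2/$1.key" -out "$2/$1.crt" \
          -sha256 -days 3650 -subj "/CN=$1" )
}

# SHA256 fingerprint of the first PEM certificate in a file (or on stdin),
# in the colon-separated form --peer-fingerprint takes.
cert_fingerprint() {  # cert_fingerprint [pem-file]
    if [ -n "$1" ]; then set -- -in "$1"; fi
    openssl x509 -noout -fingerprint -sha256 "$@" | sed 's/^.*=//'
}

# Body of the <cert>...</cert> block of an .ovpn profile.  Feeding the whole
# profile to "openssl x509" only works while the client cert is the first
# certificate in the file; once a <ca> block is added for old clients that
# ordering is easy to get wrong, so pick the block explicitly.
ovpn_client_cert() {  # ovpn_client_cert <profile.ovpn>
    sed -n '/^<cert>/,/^<\/cert>/{ /^<\/*cert>/d; p; }' "$1"
}

# Is a fingerprint listed in server.conf's <peer-fingerprint> block?
# Hex case is normalised before comparing; surrounding blanks are ignored.
fingerprint_listed() {  # fingerprint_listed <server.conf> <fingerprint>
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    sed -n '/^<peer-fingerprint>/,/^<\/peer-fingerprint>/p' "$1" |
        tr 'A-F' 'a-f' | grep -qx "[[:space:]]*$want[[:space:]]*"
}

# End-to-end check on constructed data: a server and a client "alice", an
# alice.ovpn whose <ca> block precedes <cert> (the ordering the tutorial
# warns about), and a server.conf that lists alice.  Returns 0 on success.
demo() {
    tmp=$(mktemp -d) || return 1
    if ! make_selfsigned server "$tmp" || ! make_selfsigned alice "$tmp"; then
        rm -rf "$tmp"; return 1
    fi
    server_fp=$(cert_fingerprint "$tmp/server.crt")
    alice_fp=$(cert_fingerprint "$tmp/alice.crt")
    {
        printf 'client\nremote vpn.example.net\n<ca>\n'; cat "$tmp/server.crt"
        printf '</ca>\n<key>\n'; cat "$tmp/alice.key"
        printf '</key>\n<cert>\n'; cat "$tmp/alice.crt"; printf '</cert>\n'
    } > "$tmp/alice.ovpn"
    printf 'dev tun\n<peer-fingerprint>\n%s\n</peer-fingerprint>\n' \
        "$alice_fp" > "$tmp/server.conf"

    rc=0
    # Whole-file extraction silently yields the CA (server) fingerprint ...
    [ "$(cert_fingerprint "$tmp/alice.ovpn")" = "$server_fp" ] || rc=1
    # ... while the block-aware helper yields alice's.
    [ "$(ovpn_client_cert "$tmp/alice.ovpn" | cert_fingerprint)" = "$alice_fp" ] || rc=1
    fingerprint_listed "$tmp/server.conf" "$alice_fp" || rc=1
    fingerprint_listed "$tmp/server.conf" "$server_fp" && rc=1
    rm -rf "$tmp"
    return $rc
}

# Run the check when openssl is available.
command -v openssl >/dev/null 2>&1 && demo && echo "peer-fingerprint checks passed"
```

The two-step `ecparam -genkey` followed by `req -x509 -new -key` produces a key on the same curve and the same kind of self-signed certificate as the tutorial's one-liner (the key file is in SEC1 rather than PKCS#8 form, which OpenVPN reads either way), and the two `openssl` commands themselves can be typed into any shell, cmd.exe included, because nothing depends on `<(...)`. The `fingerprint_listed` helper is what you run after editing server.conf in step 5 to confirm the line you pasted is really the one from alice.ovpn.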
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel