linux
DVoropaev, 2017-09-21 11:36:32

How to create pki with easy-rsa?

Installed openvpn on fedora:
sudo yum install openvpn
Installed openvpn version 2.3.14
In the official HOWTO, the next step was to create a PKI; for this you need to go to the easy-rsa directory, which is located in /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn, edit the vars file, and run build-ca.
But the first directory does not exist, and the second does not have what we need:

$ cd /usr/share/doc/openvpn
$ ls
AUTHORS  COPYING        INSTALL  README           README.down-root
contrib  COPYRIGHT.GPL  PORTS    README.auth-pam  sample

Searching the file system for something with the names of these files, as well as the easy-rsa directory, turned up nothing.
The obvious solution to the problem for me was:
yum install easy-rsa
Successfully!
There are 3 folders with the following content:
ls /usr/share/easy-rsa
3  3.0  3.0.1

 ls /usr/share/licenses/easy-rsa
gpl-2.0.txt

 ls /usr/share/doc/easy-rsa
ChangeLog  COPYING  README.quickstart.md  vars.example

The README.quickstart.md file contained a short, uninformative instruction. For more information, it was suggested to run easyrsa help.
$ easyrsa help
bash: easyrsa: команда не найдена...

I found the easyrsa binary in the /usr/share/easy-rsa/3 folder
BUT running it with the help command suggests running it with the help command (WTF?)
$ cd /usr/share/easy-rsa/3
$ ls
easyrsa  openssl-1.0.cnf  x509-types
$ ./easyrsa help

Easy-RSA 3 usage and overview

USAGE: easyrsa [options] COMMAND [command-options]

A list of commands is shown below. To get detailed usage and help for a
command, run:
  ./easyrsa help COMMAND

For a listing of options that can be supplied before the command, use:
  ./easyrsa help options

Here is the list of commands available with a short syntax reminder. Use the
'help' command above to get full usage details.

mureevms, 2017-09-21
@DVoropaev

The easy-rsa package can be skipped, it's just a set of scripts. Grab them from the OpenVPN repo https://github.com/OpenVPN/easy-rsa/archive/master.zip:

wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip

Then
Change to the easyrsa3 directory and declare variables for it:
cd ~/easy-rsa-master/easyrsa3
cp ~/easy-rsa-master/easyrsa3/vars.example ~/easy-rsa-master/easyrsa3/vars

Initialize the PKI (Public Key Infrastructure):
Create a root certificate. Be sure to enter a complex password and the Common Name of the server, for example my vpn server:
Generate Diffie-Hellman Keys:
Generate a certificate request for the OVPN server. Please note that the certificate will not be password-protected (the nopass parameter), otherwise OpenVPN will ask for this password every time it starts:
Create the OVPN server certificate itself:
Copy the received keys to the openvpn working directory:
mkdir -p /etc/openvpn/keys
cp ~/easy-rsa-master/easyrsa3/pki/ca.crt /etc/openvpn/keys
cp ~/easy-rsa-master/easyrsa3/pki/issued/vpn-server.crt /etc/openvpn/keys
cp ~/easy-rsa-master/easyrsa3/pki/private/vpn-server.key /etc/openvpn/keys
cp ~/easy-rsa-master/easyrsa3/pki/dh.pem /etc/openvpn/keys

Create "HMAC firewall" to protect against DoS attacks and UDP port flood:
cd /etc/openvpn/keys/
openvpn --genkey --secret ta.key

Start openvpn:
From here
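The steps in the answer above, collected into one script with the checks a practitioner wants before pointing OpenVPN at the files. This is an added example, not code from the thread or from the easy-rsa project; it assumes easy-rsa 3 unpacked into ~/easy-rsa-master/easyrsa3 as in the answer, a server name of vpn-server, and openssl on PATH.

```shell
#!/bin/sh
# Added example: build a server PKI with Easy-RSA 3, verify the result and
# install it under /etc/openvpn/keys with restrictive modes.
# Assumed paths/names (override via the environment): see the variables below.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-$HOME/easy-rsa-master/easyrsa3}"
SERVER_NAME="${SERVER_NAME:-vpn-server}"   # becomes pki/issued/<name>.crt
KEY_DIR="${KEY_DIR:-/etc/openvpn/keys}"

# Same sequence as the answer. build-ca and sign-req prompt for the CA
# passphrase; the server key uses 'nopass' so openvpn can start unattended.
build_server_pki() {
  cd "$EASYRSA_DIR"
  [ -f vars ] || cp vars.example vars
  ./easyrsa init-pki
  ./easyrsa build-ca                        # interactive: CA passphrase + CN
  ./easyrsa gen-dh
  ./easyrsa gen-req "$SERVER_NAME" nopass   # interactive: server CN
  ./easyrsa sign-req server "$SERVER_NAME"  # 'server' type adds the serverAuth EKU
  cd - >/dev/null
}

# Fail unless every artefact exists, the cert chains to ca.crt, and it
# carries the TLS server EKU (clients using 'remote-cert-tls server'
# reject a certificate that was signed with the 'client' type).
check_server_pki() {
  pki=$1; name=$2
  for f in ca.crt dh.pem "issued/$name.crt" "private/$name.key"; do
    [ -s "$pki/$f" ] || { echo "missing: $pki/$f" >&2; return 1; }
  done
  openssl verify -CAfile "$pki/ca.crt" "$pki/issued/$name.crt" >/dev/null || return 1
  openssl x509 -in "$pki/issued/$name.crt" -noout -text |
    grep -q 'TLS Web Server Authentication'
}

# Copy into the openvpn key directory: public material 0644, the private
# key and the tls-auth key 0600, directory 0700. ta.key is shared with every
# client, so it is generated only once and kept on re-runs.
install_keys() {
  pki=$1; name=$2; dest=$3
  mkdir -p "$dest" && chmod 700 "$dest"
  for f in ca.crt dh.pem "issued/$name.crt"; do
    cp "$pki/$f" "$dest/" && chmod 644 "$dest/$(basename "$f")"
  done
  cp "$pki/private/$name.key" "$dest/$name.key" && chmod 600 "$dest/$name.key"
  [ -f "$dest/ta.key" ] || openvpn --genkey --secret "$dest/ta.key"
  chmod 600 "$dest/ta.key"
}
```

Run it as root with `build_server_pki && check_server_pki "$EASYRSA_DIR/pki" "$SERVER_NAME" && install_keys "$EASYRSA_DIR/pki" "$SERVER_NAME" "$KEY_DIR"` after sourcing the script.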

res2001, 2017-09-21
@res2001

build-ca and the other scripts were in version 2 of easy-rsa; in the third version there is only one script, easyrsa, but with the same parameters. easy-rsa is an add-on for openssl, just a script that automates operations.
I didn't deal with version 3, somehow I came across version 2 all the time. Open the script in a text editor, there are usually quite intelligible comments. Having instructions for version 2, you can easily adapt them to version 3, I think. The vars script remained from the previous version. In vars, you initialize the variables used to generate keys in the main script.
PS: not so long ago I set up OpenVPN for Windows, I took the kit from the developer's site, there were also scripts of the second version. But for Windows, easy-rsa scripts have always required file modification.
