OpenVPN – How to build X509 Server Certificates and Public Key Encryption on Windows
X509 certificates increase security compared to shared single symmetric keys. Therefore we’ll generate X509 Certificates to authenticate our server and clients. This means our clients contact the server, and if the server is their mothership, then they can connect. Only children of the mothership can connect – which should keep out the NSA.
1. Download zipped Easy RSA
c:\Program Files\ OpenVPN
Right click > extract files
Following files will be extracted and a KEYS directory created.
Step 2 – Initialise the Configuration (Template files)
Open Command prompt with Admin rights
Start > All Programs > Accessories > Command prompt >
Right click > Run as Administrator
Navigate to easy-rsa-ca
Double check that you have around 15 files plus a “keys” directory
2 template files will be copied – vars.bat and openssl.cnf
Next we select our variables (key sizes) and add them in.
Step 3 – Set Variables in Vars.bat
The vars.bat stores our variables for reuse and sets the Encryption key size
Use Windows Explorer to Right click on Vars.bat
The Vars file allows us to increase the Symmetric Encryption key size
set KEY_SIZE=1024 (or set KEY_SIZE=2048)
set HOME to the directory where you saved easy-rsa-ca (eg. set HOME=%ProgramFiles%\OpenVPN\easy-rsa-ca)
Autoset the last five files – for location, city, email address as this saves typing later on.
Next we create our own certificate authority.
Step 4 – Build a Certificate Authority (Build-ca)
Go back to your command prompt and:
Type vars and hit Enter.
Then type clean-all and hit Enter.
Finally, type build-ca and hit Enter.
It starts to GENERATE the KEYS .
It will autofill from the vars.bat file (just hit enter and the defaults will appear).
Only the ORG UNIT & Common Name needs to be typed in this time (eg common name = company name or VPNSERVER)
Next we create the server keys
Step 5 – Build Server Key and a Server Certificate
In the same command prompt, type build-key-server server
Common name of server could be VPNSERVER or UKSERVER
Sign = Y
Commit = Y
This command will output two files (a Server Key and a Server Certificate) in the easy-rsa/keys folder.
Look in your Keys folderThe file with the extension .key is the server key, the file with extension .crt contains the server certificate, and the file with extension .csr hold the certificate signing request.
Whomever owns the ca.key and ca.crt is able to sign requests for your Certificate Authority. This file must be kept totally secret, and should never leave the CA server, as it is the central essential key for your VPN.
Right click on the server.crt or server certificate – to see the info you used to create it
Now we need to build some client keys. Each client will need it’s own key. The “pairs” allow the client to dial into the mothership… and only the “blood relations” will be authenticated. This prevents NSA surveillance, hackers and DDOS attacks.
Step 6 – Build your Client Key (repeat for each vpn client)
In the same command prompt type build-key vpnclient1.
Enter client password
Enter Common name eg vpnclient1
Enter a client challenge password
Enter Variables for client
Sign = Y
You will be asked to sign the certificate and to commit.
Type “y” for both and click Enter.
If you check the “keys” directory, you’ll find 3 files for VPNClient1.
vpnclient1.crt = Signed certificate of the vpn client, must be on the vpn client.
vpnclient1.csr = Certificate signing request of vpnclient – can be deleted.
vpnclient1.key = Private RSA key of the vpn client, must be on the vpn client.
Step 7 – Create the Asymmetrical Key (Diffie Helman Key)
The diffie Helman or DHkey is the public or asymmetrical key that protects the shared symmetrical RSA key.
In the same command prompt type build-dh.
This command will output one file (dh1024.pem or dh2048.pem) in the easy-rsa/keys folder.
Check the DH2048 key
As a test a DH8192 key was generated – and it takes hours. The Server certificate, server keys and client keys are fast.. it’s the DH keys that are slow.
That’s it. The X509 certificate, server key, client key and DH public keys have been created.. So what’s next to make it operational…
Well, I’ll cheat and give you a short overview.
Step 8 – Set up a Dynamic DNS for your IP (going beyond Key creation now)
Most home networks have dynamic IP’s – so we need to arrange a way for others to find you if the IP changes.
It’s important for OpenVPN to always know your network’s public IP address, and by using DynDNS, OpenVPN will always know how to locate your network no matter what your public IP address is.
Step 9 – .ovpn – client config files
In Windows Explorer, navigate to C:\Program Files (x86)\OpenVPN\sample-config if you’re running 64-bit Windows 7 or
C:\Program Files\OpenVPN\sample-config if you’re running 32-bit Windows 7.
In this folder you will find the client.ovpn file.
Right click on client.ovpn and open it with Notepad.
We place in the details of our OpenVPN Server for the client to connect to.
What the .ovpn looks like using the VPNBook- UDP Port 53 Client config file
– Protocol = UDP
– Remote = Server IP and Port
-Resolve & retry = infinite = keep trying
-tun-mtu 1500 – standard MTU for Windows 7 (it autotunes the Maximum Transmission Unit).
ca = server.crt
comp-lzo = compression
We then connect using the client config file – following this how to guide.
How to automate your login for OpenVPN
VPN Server at 4096 bits
VPN’s are fun. Encryption is fun. Now we put all the pieces of the puzzle together. 🙂