Creating OpenSSL Certs

08-15-2015, 07:47 AM (This post was last modified: 08-15-2015, 08:22 AM by Garrett.)
**Use this setup at your own risk as this is my first adventure into setting up an SSLVPN**
If anyone can recommend changes for better performance or security please feel free to let me know.

Instructions For Creating Certs On The Shield:

1) SSH into the Shield's command line interface

2) Run the following commands:
cd /etc/ssl/
mkdir certs
mkdir crls
mkdir newcerts
mkdir private
touch index.txt
echo 01 > serial

3) Modify the /etc/ssl/openssl.cnf file to match the file attached to this post.

4) cd /etc/ssl/certs

5) Create the CA that will sign the certs. The OpenSSL> prompt below is the interactive OpenSSL shell: start it by running openssl with no arguments (or prefix each command with openssl at the normal shell prompt).

First create the CA private key. -aes256 encrypts it with a passphrase you will be prompted for; this key signs everything else, so protect it and its passphrase:
OpenSSL> genrsa -aes256 -out cakey.pem 2048

Then create the self-signed CA cert (valid for 10 years):
OpenSSL> req -new -x509 -key cakey.pem -out ca.crt -days 3650

6) Create the OpenVPN server private key and certificate signing request.
Create the private key. Remember its passphrase: the Shield needs it in /etc/openvpn/cert.pass (the askpass setting further down) to load the key when OpenVPN starts:
OpenSSL> genrsa -aes256 -out server.key 2048

Create the cert request (enter the server's identity as the Common Name):
OpenSSL> req -out server.csr -new -key server.key

7) Sign the Server Cert with the CA Cert
OpenSSL> ca -out server.crt -in server.csr -keyfile cakey.pem -cert ca.crt -policy policy_anything

8) Create the Windows client key and certificate signing request
 (Note: This step will need to be performed for each client you want to access the VPN...just change the name of the client. Give every client its own key and cert rather than copying one pair to several machines; otherwise one client cannot be revoked without cutting off the rest.)
Create the Windows client key and CSR in one step (req -new with -keyout generates a new key of the size set in openssl.cnf and writes it to windows-client.key; you are prompted for a passphrase, which the OpenVPN GUI then asks for on connect):
OpenSSL> req -out windows-client.csr -new -keyout windows-client.key

Sign the Windows client CSR with the CA cert:
OpenSSL> ca -out windows-client.crt -in windows-client.csr -keyfile cakey.pem -cert ca.crt -policy policy_anything

9) Create the dhparam file
OpenSSL> dhparam -out dh1024.pem 1024
Caveat: 1024-bit Diffie-Hellman parameters are considered weak today. If the server config's dh line can be pointed at a different file, generate 2048-bit parameters instead (this takes noticeably longer on the Shield).
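The certificate procedure above (steps 2 to 8), as an added example that is not from the original post or the Itus document: a non-interactive script that builds the same CA, server and client files in a scratch directory and then checks them. It assumes a minimal openssl.cnf (written by the script) in place of the attached one, demo passphrases, and that the issued certs get an extendedKeyUsage (serverAuth for the server, clientAuth for the client) so the server cert can be told apart from client certs; the post's commands do not say what its own cnf adds. The DH step is left out because it is slow and independent of the CA.

```shell
#!/bin/sh
# Added example (not from the original post or the Itus document): steps 2-8 of
# the certificate procedure, run non-interactively in a scratch directory.
# Assumptions: the minimal openssl.cnf written here stands in for the attached
# one, passphrases are demo values, and extendedKeyUsage is added to the issued
# certs (the post's commands do not say what its cnf adds).
set -eu

# Minimal CA config: what 'ca' needs from steps 2/3 plus extension sections.
write_ca_config() {   # $1 = PKI dir
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
new_certs_dir  = $1/newcerts
database       = $1/index.txt
serial         = $1/serial
default_days   = 365
default_md     = sha256
policy         = policy_anything
[ policy_anything ]
countryName            = optional
organizationName       = optional
commonName             = supplied
emailAddress           = optional
[ req ]
default_bits       = 2048
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid
EOF
}

build_pki() {   # $1 = PKI dir; mirrors the post's steps 2-8 without prompts
    pki=$1; cnf=$1/openssl.cnf
    mkdir -p "$pki/certs" "$pki/crls" "$pki/newcerts" "$pki/private"   # step 2
    touch "$pki/index.txt"; echo 01 > "$pki/serial"
    write_ca_config "$pki"                                               # step 3
    # Passphrase file for the server key, created the way the post's later step 7 does it.
    touch "$pki/private/cert.pass"; chmod 600 "$pki/private/cert.pass"
    echo 'demo-server-key-passphrase' > "$pki/private/cert.pass"
    # Step 5: AES-256-encrypted CA key and self-signed CA cert.
    openssl genrsa -aes256 -passout pass:demo-ca-passphrase -out "$pki/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$cnf" -extensions v3_ca -days 3650 -subj '/CN=Shield VPN CA' \
        -key "$pki/private/cakey.pem" -passin pass:demo-ca-passphrase -out "$pki/ca.crt"
    # Step 6: server key (passphrase read from cert.pass) and CSR.
    openssl genrsa -aes256 -passout "file:$pki/private/cert.pass" -out "$pki/private/server.key" 2048 2>/dev/null
    openssl req -new -config "$cnf" -subj '/CN=shield.example' \
        -key "$pki/private/server.key" -passin "file:$pki/private/cert.pass" -out "$pki/server.csr"
    # Step 7: sign with the CA; server_ext marks the cert as a TLS server.
    openssl ca -batch -notext -config "$cnf" -policy policy_anything -extensions server_ext \
        -keyfile "$pki/private/cakey.pem" -cert "$pki/ca.crt" -passin pass:demo-ca-passphrase \
        -in "$pki/server.csr" -out "$pki/certs/server.crt" >/dev/null 2>&1
    # Step 8: 'req -new -keyout' generates the client key and CSR in one go; then sign as clientAuth.
    openssl req -new -config "$cnf" -subj '/CN=windows-client' -keyout "$pki/private/windows-client.key" \
        -passout pass:demo-client-passphrase -out "$pki/windows-client.csr" 2>/dev/null
    openssl ca -batch -notext -config "$cnf" -policy policy_anything -extensions client_ext \
        -keyfile "$pki/private/cakey.pem" -cert "$pki/ca.crt" -passin pass:demo-ca-passphrase \
        -in "$pki/windows-client.csr" -out "$pki/certs/windows-client.crt" >/dev/null 2>&1
}

verify_chain() {   # $1 = CA cert, $2 = leaf cert; exit 0 iff the leaf chains to the CA
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

has_eku() {   # $1 = cert, $2 = EKU text as 'openssl x509 -text' prints it
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

demo=$(mktemp -d)
build_pki "$demo"
verify_chain "$demo/ca.crt" "$demo/certs/server.crt"
verify_chain "$demo/ca.crt" "$demo/certs/windows-client.crt"
has_eku "$demo/certs/server.crt" 'TLS Web Server Authentication'
echo "PKI built in $demo; server.crt and windows-client.crt both chain to ca.crt"
```

The serverAuth/clientAuth split is what lets a client refuse a peer that presents another client's certificate (OpenVPN's remote-cert-tls server option checks exactly that extension), and index.txt in the scratch directory records every issued cert, which is what a later CRL would be built from.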

Configure the Shield for OpenVPN Connections
Note: I found some of the commands in the document provided by Itus to have typos.  The corrections have been included below.

1) SSH to the shield and perform all steps below in the command line of the shield.

2) Copy and paste the following commands:
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none

3) Allow inbound VPN traffic. src '*' means from any zone; use src=wan if port 1194 should only be reachable from the Internet side. Quote the * so the shell cannot expand it:
uci add firewall rule
uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].proto=udp
uci set firewall.@rule[-1].dest_port=1194

4) Allow OpenVPN tunnel traffic:
uci add firewall zone
uci set firewall.@zone[-1].name=vpn
uci set firewall.@zone[-1].input=ACCEPT
uci set firewall.@zone[-1].forward=ACCEPT
uci set firewall.@zone[-1].output=ACCEPT
uci set firewall.@zone[-1].network=vpn0

5) Commit Changes:
uci commit network
/etc/init.d/network reload
uci commit firewall
/etc/init.d/firewall reload

6) Configure the Shield SSLVPN settings (the pushed route is the internal LAN the clients should reach; change 10.10.10.0/24 to match yours):
echo >> /etc/config/openvpn
uci set openvpn.SSLVPN_Server=openvpn
uci set openvpn.SSLVPN_Server.enabled=1
uci set openvpn.SSLVPN_Server.dev=tun
uci set openvpn.SSLVPN_Server.port=1194
uci set openvpn.SSLVPN_Server.proto=udp
uci set openvpn.SSLVPN_Server.keepalive='10 120'
uci set openvpn.SSLVPN_Server.log=/tmp/openvpn.log
uci set openvpn.SSLVPN_Server.verb=3
uci set openvpn.SSLVPN_Server.server='10.8.0.0 255.255.255.0'
uci set openvpn.SSLVPN_Server.push='route 10.10.10.0 255.255.255.0'
uci set openvpn.SSLVPN_Server.askpass=/etc/openvpn/cert.pass
uci commit openvpn

7) Create the password file for the OpenVPN private key. Replace Password with the passphrase you gave server.key; chmod runs before the write so the file is never world-readable:
touch /etc/openvpn/cert.pass
chmod 600 /etc/openvpn/cert.pass
echo Password > /etc/openvpn/cert.pass

8) Follow instructions for uploading Certs to the Shield in the Itus document (Attached to this post)

Configure Windows OpenVPN client

1) Download & Install OpenVPN (https://openvpn.net/index.php/open-source/downloads.html)

2) Whitelist OpenVPN Daemon & OpenVPN GUI in Windows Firewall

3) Copy the following files into the OpenVPN config directory (C:\Program Files\OpenVPN\config by default). windows-client.key is the client's private key, so move it over a trusted channel:
ca.crt
windows-client.crt
windows-client.key

4) Create a new windows-client.ovpn file in the same directory, paste the following configuration into it and save.
Note: The redirect-gateway setting will direct ALL network traffic from the Windows PC through the VPN

redirect-gateway
dev tun
tls-client
float
remote <Internet/External IP Address of the shield> 1194
pull
proto udp
reneg-sec 3600
tun-mtu 1500
mssfix 1400
ca ca.crt
cert windows-client.crt
key windows-client.key

5) Then try to connect!

6) If you want to be able to browse the internet via the VPN and not just connect to internal network devices you will need to forward VPN0 to the WAN
- Login to Shield WebGUI -> Network -> Firewall -> Edit VPN0 -> Check "WAN" under Allow Forward to destination zones" -> Save & Apply
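A hardened variant of the windows-client.ovpn above, together with a small lint that flags what the post's version lacks. This is an added example, not from the original post. Placeholders: 203.0.113.10 stands for the Shield's external address and shield.example for the Common Name on the server certificate. The hardened file only works if server.crt was issued with extendedKeyUsage serverAuth (check with openssl x509 -in server.crt -noout -text); without that extension, remote-cert-tls server makes the handshake fail.

```shell
#!/bin/sh
# Added example, not part of the original post: a hardened windows-client.ovpn
# next to the post's own, and a lint that flags what the original lacks.
# Assumptions (placeholders): 203.0.113.10 is the Shield's external address and
# the server certificate was issued with CN=shield.example and EKU serverAuth.
set -eu

# The post's client config, embedded here as constructed input for the lint.
ORIGINAL_OVPN='redirect-gateway
dev tun
tls-client
float
remote 203.0.113.10 1194
pull
proto udp
reneg-sec 3600
tun-mtu 1500
mssfix 1400
ca ca.crt
cert windows-client.crt
key windows-client.key'

# Hardened variant. $1 = server address, $2 = CN in the server certificate.
hardened_ovpn() {
    cat <<EOF
client
dev tun
proto udp
remote $1 1194
nobind
persist-key
persist-tun
# Without remote-cert-tls, anything signed by ca.crt (another client's cert
# included) is accepted as the server. Requires EKU serverAuth on server.crt.
remote-cert-tls server
# Also require the expected server CN (defence in depth if this CA ever
# issues more than one server certificate).
verify-x509-name $2 name
# def1 routes 0.0.0.0/1 and 128.0.0.0/1 through the tunnel instead of
# replacing the default route outright.
redirect-gateway def1
reneg-sec 3600
tun-mtu 1500
mssfix 1400
ca ca.crt
cert windows-client.crt
key windows-client.key
EOF
}

has_directive() {   # $1 = config text, $2 = extended regex for the start of a directive line
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2"
}

# Returns 0 when the config pins the server certificate, 1 when it does not; prints findings.
lint_ovpn() {
    rc=0
    if ! has_directive "$1" 'remote-cert-tls[[:space:]]+server'; then
        echo "FINDING: no 'remote-cert-tls server'; any client certificate from this CA could pose as the server"
        rc=1
    fi
    if ! has_directive "$1" 'verify-x509-name[[:space:]]'; then
        echo "NOTE: server name not pinned (verify-x509-name)"
    fi
    if has_directive "$1" 'redirect-gateway[[:space:]]*$'; then
        echo "NOTE: 'redirect-gateway' without def1 replaces the default route; def1 is the usual choice"
    fi
    return "$rc"
}

echo '--- config from the post ---'
lint_ovpn "$ORIGINAL_OVPN" || true
echo '--- hardened config ---'
lint_ovpn "$(hardened_ovpn 203.0.113.10 shield.example)"
echo 'no findings'
```

Run it as is to see the two lint results; to produce a real client file, redirect hardened_ovpn's output into windows-client.ovpn with your own address and server CN.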

Attached Files