Creating OpenSSL Certs
08-15-2015, 07:47 AM (This post was last modified: 08-15-2015, 08:22 AM by Garrett.)

**Use this setup at your own risk, as this is my first adventure into setting up an SSL VPN.** If anyone can recommend changes for better performance or security, please feel free to let me know.

Instructions For Creating Certs On The Shield:

1) SSH into the Shield's command line interface.

2) Run the following commands:

    cd /etc/ssl/
    mkdir certs
    mkdir crls
    mkdir newcerts
    mkdir private
    touch index.txt
    echo 01 > serial

3) Modify the /etc/ssl/openssl.cnf file to match the file attached to this post.

4) Change into the certs directory:

    cd /etc/ssl/certs

5) Create the CA to sign the certs.

   First create the private key:

    openssl genrsa -aes256 -out cakey.pem 2048

   Then create the CA cert:

    openssl req -new -x509 -key cakey.pem -out ca.crt -days 3650

6) Create the OpenVPN server private key and cert signing request.

   Create the private key:

    openssl genrsa -aes256 -out server.key 2048

   Create the cert request:

    openssl req -out server.csr -new -key server.key

7) Sign the server cert with the CA cert:

    openssl ca -out server.crt -in server.csr -keyfile cakey.pem -cert ca.crt -policy policy_anything

8) Create the Windows client key and certificate signing request. (Note: this step will need to be performed for each client you want to access the VPN; just change the name of the client.)

   Create the Windows client key and request:

    openssl req -out windows-client.csr -new -newkey rsa:2048 -keyout windows-client.key

   Sign the Windows cert with the CA cert:

    openssl ca -out windows-client.crt -in windows-client.csr -keyfile cakey.pem -cert ca.crt -policy policy_anything

9) Create the dhparam file:

    openssl dhparam -out dh1024.pem 1024

Configure the Shield for OpenVPN Connections

Note: I found some of the commands in the document provided by Itus to have typos. The corrections have been included below.

1) SSH to the Shield and perform all steps below in the command line of the Shield.

2) Copy and paste the following commands:

    uci set network.vpn0=interface
    uci set network.vpn0.ifname=tun0
    uci set network.vpn0.proto=none

3) Allow inbound VPN traffic (the `*` is quoted so the shell does not expand it):

    uci add firewall rule
    uci set firewall.@rule[-1].name=Allow-OpenVPN-Inbound
    uci set firewall.@rule[-1].target=ACCEPT
    uci set firewall.@rule[-1].src='*'
    uci set firewall.@rule[-1].proto=udp
    uci set firewall.@rule[-1].dest_port=1194

4) Allow OpenVPN tunnel traffic:

    uci add firewall zone
    uci set firewall.@zone[-1].name=vpn
    uci set firewall.@zone[-1].input=ACCEPT
    uci set firewall.@zone[-1].forward=ACCEPT
    uci set firewall.@zone[-1].output=ACCEPT
    uci set firewall.@zone[-1].network=vpn0

5) Commit changes:

    uci commit network
    /etc/init.d/network reload
    uci commit firewall
    /etc/init.d/firewall reload

6) Configure the Shield SSL VPN settings:

    echo >> /etc/config/openvpn
    uci set openvpn.SSLVPN_Server=openvpn
    uci set openvpn.SSLVPN_Server.enabled=1
    uci set openvpn.SSLVPN_Server.dev=tun
    uci set openvpn.SSLVPN_Server.port=1194
    uci set openvpn.SSLVPN_Server.proto=udp
    uci set openvpn.SSLVPN_Server.keepalive='10 120'
    uci set openvpn.SSLVPN_Server.log=/tmp/openvpn.log
    uci set openvpn.SSLVPN_Server.verb=3
    uci set openvpn.SSLVPN_Server.server='10.8.0.0 255.255.255.0'
    uci set openvpn.SSLVPN_Server.push='route 10.10.10.0 255.255.255.0'
    uci set openvpn.SSLVPN_Server.askpass=/etc/openvpn/cert.pass
    uci commit openvpn

7) Create the password file for the OpenVPN private key:

    touch /etc/openvpn/cert.pass
    chmod 600 /etc/openvpn/cert.pass
    echo Password > /etc/openvpn/cert.pass

8) Follow the instructions for uploading certs to the Shield in the Itus document (attached to this post).

Configure Windows OpenVPN client

1) Download and install OpenVPN (https://openvpn.net/index.php/open-source/downloads.html).

2) Whitelist OpenVPN Daemon and OpenVPN GUI in Windows Firewall.

3) In the OpenVPN config directory, upload the following files:

    ca.crt
    windows-client.crt
    windows-client.key

4) Create a new windows-client.ovpn file, paste the following configuration into the file and save. Note: the redirect-gateway setting will direct ALL network traffic from the Windows PC through the VPN.

    redirect-gateway
    dev tun
    tls-client
    float
    remote 1194
    pull
    proto udp
    reneg-sec 3600
    tun-mtu 1500
    mssfix 1400
    ca ca.crt
    cert windows-client.crt
    key windows-client.key

5) Then try to connect!

6) If you want to be able to browse the internet via the VPN and not just connect to internal network devices, you will need to forward VPN0 to the WAN: log in to the Shield WebGUI -> Network -> Firewall -> Edit VPN0 -> check "WAN" under "Allow forward to destination zones" -> Save & Apply.
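The script below is an added example, not code from the post, from Itus or from the attached document. It builds the same CA / server / client PKI as steps 5 through 8 above, but non-interactively and with `openssl x509 -req` swapped in for the post's `openssl ca` database (no index.txt or serial file), and it adds the one thing `-policy policy_anything` with a stock openssl.cnf does not give you: an `extendedKeyUsage` on each leaf. That extension is what lets the Windows client enforce `remote-cert-tls server`, so a stolen windows-client.crt cannot be used to stand up a fake VPN server and capture the other clients' traffic. Assumptions: OpenSSL 1.1.1 or later on PATH, a scratch directory in `PKI_DIR` (defaults to a temp dir), 1095-day leaf validity, unencrypted keys (`-nodes`), and a placeholder server hostname passed as the first argument, since the post's `remote 1194` line does not include one.

```shell
#!/bin/sh
# Added example, not code from the post or from Itus: builds the same
# CA / server / client PKI non-interactively, using "openssl x509 -req"
# in place of the post's "openssl ca" database (no index.txt/serial).
# Assumptions: openssl 1.1.1 or later on PATH; PKI_DIR is a scratch
# directory (defaults to a temp dir); 1095-day leaf validity; keys are
# written unencrypted (-nodes), so protect the directory instead.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal openssl.cnf so the run does not depend on the system copy
# (or on the post's attached file). v3_ca is used only for the CA cert.
write_cnf() {
  cat >"$PKI_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Role-specific extensions for the leaf certs. The extendedKeyUsage is
# the piece the post's "policy_anything" flow does not set: the client
# can only enforce "remote-cert-tls server" if the server cert carries
# serverAuth, and a client cert must not carry it.
write_ext() {  # $1 = server | client
  if [ "$1" = server ]; then
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n'
  else
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n'
  fi >"$PKI_DIR/$1.ext"
}

# Issue one leaf cert: $1 = file stem, $2 = role (server|client), $3 = CN
issue_leaf() {
  write_ext "$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -config "$PKI_DIR/openssl.cnf" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$1.csr" -sha256 -days 1095 \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/cakey.pem" \
    -CAserial "$PKI_DIR/ca.srl" -CAcreateserial \
    -extfile "$PKI_DIR/$2.ext" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# CA (10 years, as in the post), then one server and one client cert.
gen_pki() {
  write_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Shield OpenVPN CA" -config "$PKI_DIR/openssl.cnf" \
    -keyout "$PKI_DIR/cakey.pem" -out "$PKI_DIR/ca.crt" 2>/dev/null
  issue_leaf server server "shield-openvpn"
  issue_leaf windows-client client "windows-client"
}

# The check an OpenVPN client performs with "remote-cert-tls server":
# the cert chains to our CA and is marked for TLS server use.
# Returns 0 only then, so a client cert is rejected here.
usable_as_server() {  # $1 = cert file
  openssl verify -CAfile "$PKI_DIR/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}

# Plain chain check for every issued cert.
verify_pki() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" \
    "$PKI_DIR/server.crt" "$PKI_DIR/windows-client.crt" >/dev/null 2>&1
}

# Client profile: the post's settings plus "client" (= tls-client + pull)
# and "remote-cert-tls server". $1 = server hostname or IP (placeholder;
# the post does not give one).
write_ovpn() {
  cat <<EOF
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
remote-cert-tls server
redirect-gateway def1
reneg-sec 3600
tun-mtu 1500
mssfix 1400
ca ca.crt
cert windows-client.crt
key windows-client.key
EOF
}

# Stand-alone use: sh mkpki.sh vpn.example.net
if [ -n "${1:-}" ]; then
  gen_pki && verify_pki
  write_ovpn "$1" >"$PKI_DIR/windows-client.ovpn"
  echo "PKI and client profile written to $PKI_DIR"
fi
```

Three things worth pairing with this on the Shield side. First, only ca.crt, server.crt and server.key need to live on the router; keep cakey.pem on the machine where you run this script, since anyone who reads it off the Shield can mint new client certs. The post's askpass file stores the passphrase next to the encrypted key with the same file permissions, which is why the example writes plain keys and relies on directory permissions instead. Second, the server can enforce the mirror-image check with `uci set openvpn.SSLVPN_Server.remote_cert_tls=client` (OpenWrt's init script turns the underscore into OpenVPN's dashed option), so only certs issued with clientAuth are accepted. Third, the example deliberately leaves out dhparam because it is slow: `openssl dhparam -out dh2048.pem 2048` run on a PC is the current minimum, and 1024-bit parameters as in step 9 are considered weak.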