The following are command examples that may be used to create the secrets for the VPN connection.
It is assumed that these commands are typed on the VPN server side (not on the gateway).
First, create a root certification authority. It will be used to sign the VPN server and client certificates. The certificate itself is self-signed, but it could be signed by a trusted CA (this case is not documented here).
# Work in /etc/ipsec.d
cd /etc/ipsec.d
# Create a 4096 bit private key
ipsec pki --gen --type rsa --size 4096 --outform pem > private/rootca.pem
chmod 600 private/rootca.pem
# Create a 10 year certificate
ipsec pki --self --ca --lifetime 3650 --in private/rootca.pem --type rsa --dn "C=FR, O=Kerlink, CN=Kerlink Root CA" --outform pem > cacerts/rootca.pem
Then, create a certificate and private key that will be used by the VPN server:
# Create a 2048 bit VPN private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/vpnkey.pem
chmod 600 private/vpnkey.pem
# Create a 2 year VPN certificate
ipsec pki --pub --in private/vpnkey.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=vpn.hostname.tld" --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpncert.pem
Still on the server, create client secrets (certificate and private key). This step has to be repeated for each client that will connect to the VPN.
# Create a 2048 bit client private key
ipsec pki --gen --type rsa --size 2048 --outform pem > private/ifemto_XXXXXX.pem
chmod 600 private/ifemto_XXXXXX.pem
# Create a 2 year client certificate
ipsec pki --pub --in private/ifemto_XXXXXX.pem --type rsa \
  | ipsec pki --issue --lifetime 730 --cacert cacerts/rootca.pem --cakey private/rootca.pem --dn "C=FR, O=Kerlink, CN=klk-wifc-XXXXXX" --outform pem > certs/ifemto_XXXXXX.pem
It is advised to have a PKCS#12 file containing the server certificate, the CA certificate, and the server private key. This will be referenced in the pkcs12 <file> directive of the server configuration file.
The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
# openssl pkcs12 -export -inkey private/ifemto_XXXXXX.pem -in certs/ifemto_XXXXXX.pem -name "ifemto 0x2eXXXXXX" -certfile cacerts/rootca.pem -caname "Kerlink root CA" -out ifemto_XXXXXX.p12
Enter Export Password:
Verifying - Enter Export Password:
The password will have to be entered in the client configuration file (client-openvpn.conf) using the askpass directive.
OpenSSL or EasyRSA can be used to create the PKI and generate the OpenVPN keys and certificates.
Note that it is more convenient and simpler to use EasyRSA than OpenSSL.
OpenSSL is already included in your Ubuntu distribution. You can check the version used by issuing the command:
# openssl version
Openvpn must be installed:
# sudo apt install openvpn
Choose a directory (/root/ca) to store all keys and certificates.
# mkdir /root/ca
# cd /root/ca
# mkdir certs crl csr newcerts private
# chmod 700 private
# touch index.txt
# echo 1000 > serial
You must create a configuration file for OpenSSL:
vi /root/ca/openssl.cnf
[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key
certificate       = $dir/certs/ca.crt

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg: your user, host, or server name)
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = FR
stateOrProvinceName_default     = Bretagne
localityName_default            = Thorigne-Fouillard
0.organizationName_default      = Kerlink
organizationalUnitName_default  = DSC
emailAddress_default            = tda@kerlink.fr

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
# cd /root/ca
# openssl genrsa -aes256 -out private/ca.key 4096
Enter pass phrase for ca.key: secretpassword
Verifying - Enter pass phrase for ca.key: secretpassword
# chmod 400 private/ca.key
# cd /root/ca
# openssl req -config openssl.cnf -key private/ca.key -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.crt
Enter pass phrase for ca.key: secretpassword
You are about to be asked to enter information that will be incorporated into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []: Bretagne
Locality Name []: Thorigne-Fouillard
Organization Name []: Kerlink
Organizational Unit Name []: DSC
Common Name []: Kerlink CA
Email Address []: tda@kerlink.fr
# chmod 444 certs/ca.crt
# openssl x509 -noout -text -in certs/ca.crt
# openssl verify -CAfile certs/ca.crt certs/ca.crt
# cd /root/ca/private
# openssl genrsa -aes256 -out server.key 2048
# chmod 400 server.key
# cd /root/ca/csr
# openssl req -config ../openssl.cnf -key ../private/server.key -new -sha256 -out server.csr
Enter pass phrase for server.key: secretpassword
You are about to be asked to enter information that will be incorporated into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:server
Email Address []:tda@kerlink.fr
# cd /root/ca/certs
# openssl ca -config ../openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in ../csr/server.csr -out server.crt
# chmod 444 server.crt
# cd /root/ca/certs/
# openssl verify -CAfile ca.crt server.crt
# cd /root/ca/private
# openssl genrsa -aes256 -out client.key 2048
# chmod 400 client.key
# cd /root/ca/csr
# openssl req -config ../openssl.cnf -key ../private/client.key -new -sha256 -out client.csr
Enter pass phrase for client.key: secretpassword
You are about to be asked to enter information that will be incorporated into your certificate request.
-----
Country Name (2 letter code) [XX]:FR
State or Province Name []:Bretagne
Locality Name []:Thorigne-Fouillard
Organization Name []:Kerlink
Organizational Unit Name []:DSC
Common Name []:client
Email Address []:tda@kerlink.fr
# cd /root/ca/certs
# openssl ca -config ../openssl.cnf \
    -extensions usr_cert -days 375 -notext -md sha256 \
    -in ../csr/client.csr \
    -out client.crt
# chmod 444 client.crt
# cd /root/ca/certs/
# openssl verify -CAfile ca.crt client.crt
# cd /root/ca
# openssl dhparam -out dh2048.pem 2048
# sudo apt install openvpn easy-rsa
# cp -a /usr/share/easy-rsa /root/easy-rsa
# cd /root/easy-rsa
# mv vars.example vars
Edit the file and modify the following parameters:
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
set_var EASYRSA_DN "org"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate. Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)
set_var EASYRSA_REQ_COUNTRY "FR"
set_var EASYRSA_REQ_PROVINCE "Bretagne"
set_var EASYRSA_REQ_CITY "Thorigne-Fouillard"
set_var EASYRSA_REQ_ORG "Kerlink"
set_var EASYRSA_REQ_EMAIL "tda@kerlink.fr"
set_var EASYRSA_REQ_OU "DSC"
# ./easyrsa init-pki
# ./easyrsa build-ca
Generating a 2048 bit RSA private key
.............................+++
................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]:
Common Name (eg, your name or your server's hostname) []:
CA Name []: Kerlink CA
Email Address [tda@kerlink.fr]:
Use default values and just define the CN and name.
# ./easyrsa gen-req server nopass
Generating a 2048 bit RSA private key
.........+++
............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [Bretagne]:
Locality Name (eg, city) [Thorigne-Fouillard]:
Organization Name (eg, company) [kerlink]:
Organizational Unit Name (eg, section) [DSC]:
Common Name (eg, your name or your server's hostname) []:server
Name []: server
Email Address [tda@kerlink.fr]:

Keypair and certificate request completed. Your files are:
req: /root/easy-rsa/pki/reqs/server.req
key: /root/easy-rsa/pki/private/server.key
# ./easyrsa sign-req server server
The option build-client-full <client name> nopass generates a client certificate and key.
# ./easyrsa build-client-full client1 nopass
# ./easyrsa gen-dh
It is advised to have a PKCS#12 file containing the public certificate, the CA certificate, and the private key. This will be referenced in the pkcs12 <file> directive in the server and client configuration files.
The Wirnet™ gateway uses the secrets in a PKCS#12 encoded file. Use the following command to generate a .p12 file from the generated certificates/keys:
For the server:
# openssl pkcs12 -export -inkey private/server.key -in certs/server.crt -certfile certs/ca.crt -out server.p12
Enter Export Password:
Verifying - Enter Export Password:
The password will have to be entered in the server configuration file (server-openvpn.conf) using the askpass directive.
For the client:
# openssl pkcs12 -export -inkey private/client1.key -in certs/client1.crt -certfile certs/ca.crt -out client1.p12
Enter Export Password:
Verifying - Enter Export Password:
The password will have to be entered in the client configuration file (client-openvpn.conf) using the askpass directive.
Note: if the certificates have been generated by EasyRSA, replace the certs/ directory with issued/ in the commands above.
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html explains how to create a PKI with OpenSSL.
EasyRSA GitHub.
https://openvpn.net/community-resources/setting-up-your-own-certificate-authority-ca/ explains how to use EasyRSA to create a PKI (applicable to Ubuntu 14.04).
https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-ubuntu-20-04-fr explains how to use EasyRSA to create a PKI (applicable to Ubuntu 20.04) (French).
https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts explains how to create a PKI using Easy-RSA (applicable to Ubuntu 20.04) (English).
https://stackoverflow.com/questions/21141215/creating-a-p12-file explains how to create a PKCS#12 (P12) archive.