Raspberry Pi Powered OpenVPN – Server, Part 3
So we now have a working server. What we have to do now is create certificates for our users or ourselves.
If you want to, you can cheat here and create one certificate per user that they can then use everywhere, but as I talked about before, if their device is ever lost or stolen you will have to set up all your other devices with the new key. So I have created a separate certificate for each device.
Since I am not the only person potentially going to use my VPN service, and I alone have four or five devices all needing access, I've gone with the naming scheme USER.DEV. So my Nexus 5 would be stuart.nexus5 and my laptop is stuart.redtop.
To create a device key just type
… and more prompts
- Enter PEM pass phrase – Make this something you will remember; depending on the client you're running, you may be asked to type this every time you want to connect.
- A challenge password? – You still have to leave this blank
- Sign the certificate? [y/n] – The answer must be yes. You will be creating a ten year certificate
We now have an RSA key, but RSA keys have not been perfectly implemented everywhere, and if you want to connect your Android or iOS device we need a Triple DES encrypted version of the key. Triple DES is simply another encryption algorithm that applies its encryption three times to every block of data, making it harder for hackers to break by brute force. We can do this using the openssl command. All we need to do is input the old key and tell it what to produce:
openssl rsa -in keys/KEYNAME.key -des3 -out keys/KEYNAME.3des.key
OpenSSL will now prompt you for the password of the rsa/old key, which you just entered, and ask you for a new password for the 3des/new key. I just used the same password for both keys; there is no loss of security as long as it was a good password, and no need for two separate passwords.
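To check the result of the conversion above, this added example (not from the original tutorial) builds a throwaway key, runs the same openssl rsa ... -des3 step on it, and confirms that the output is encrypted, rejects a wrong pass phrase, and still holds the same RSA key pair. The file names, pass phrases and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: file names and pass phrases are constructed for the demo.
OLD_PASS='constructed-old-phrase'   # pass phrase of the original key
NEW_PASS='constructed-new-phrase'   # pass phrase given to the -des3 copy
BAD_PASS='not-the-pass-phrase'      # used to confirm a wrong phrase is rejected
export OLD_PASS NEW_PASS BAD_PASS

# make_demo_keys DIR: create a throwaway pass-phrase-protected RSA key, then
# run the tutorial's conversion on it (env: keeps phrases off the command line).
make_demo_keys() {
    openssl genrsa -aes256 -passout env:OLD_PASS -out "$1/demo.key" 2048 2>/dev/null &&
    openssl rsa -in "$1/demo.key" -passin env:OLD_PASS \
        -des3 -passout env:NEW_PASS -out "$1/demo.3des.key" 2>/dev/null
}

# is_encrypted KEYFILE: both PEM layouts OpenSSL writes for a protected key
# contain the word ENCRYPTED in their header.
is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# opens_with KEYFILE PASSVAR: succeeds only if $PASSVAR decrypts the key.
opens_with() { openssl rsa -in "$1" -passin "env:$2" -noout 2>/dev/null; }

# same_keypair KEY_A PASSVAR_A KEY_B PASSVAR_B: succeeds when both files hold
# the same RSA key, judged by the public key each one yields.
same_keypair() {
    pub_a=$(openssl rsa -in "$1" -passin "env:$2" -pubout 2>/dev/null) || return 1
    pub_b=$(openssl rsa -in "$3" -passin "env:$4" -pubout 2>/dev/null) || return 1
    [ -n "$pub_a" ] && [ "$pub_a" = "$pub_b" ]
}

# Demo run: generate, convert, report each check, clean up.
demo_dir=$(mktemp -d) && make_demo_keys "$demo_dir" && {
    is_encrypted "$demo_dir/demo.3des.key" && echo "converted key is encrypted"
    same_keypair "$demo_dir/demo.key" OLD_PASS "$demo_dir/demo.3des.key" NEW_PASS &&
        echo "same RSA key pair, new wrapper"
    opens_with "$demo_dir/demo.3des.key" BAD_PASS || echo "wrong pass phrase rejected"
    rm -rf "$demo_dir"
}
```

The same_keypair check is the useful one on a real device key: it shows the conversion only changed how the private key is protected on disk, so the certificate signed earlier still matches the new file.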
And that's it. You've now created your first client-side key. You will have to repeat these steps for each device, but it's simple enough: just keep changing your KEYNAME as appropriate.
In the final part of this tutorial we need to put everything together and tell OpenVPN about our configuration.