@csamsel
Created April 19, 2019 16:10
use easyrsa for openvpn notes
### set base directory for further work
oxygen-router-vm /etc/openvpn # export EASYRSA_PKI=/etc/openvpn/pki
### create base directories
oxygen-router-vm /etc/openvpn # easyrsa init-pki
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/pki
### create CA
oxygen-router-vm /etc/openvpn # easyrsa build-ca
Using SSL: openssl OpenSSL 1.0.2r 26 Feb 2019
Enter New CA Key Passphrase:
Re-Enter New CA Key Passphrase:
Generating RSA private key, 2048 bit long modulus
.............................................+++++
........................................+++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:oxygen-home CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/pki/ca.crt
### create diffie hellman file
oxygen-router-vm /etc/openvpn # easyrsa gen-dh
Using SSL: openssl OpenSSL 1.0.2r 26 Feb 2019
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.....
DH parameters of size 2048 created at /etc/openvpn/pki/dh.pem
### link required directory
oxygen-router-vm /etc/openvpn # ln -s /usr/share/easy-rsa/x509-types /etc/openvpn/pki
### create certificate for server side
oxygen-router-vm /etc/openvpn/pki # easyrsa build-server-full openvpn
Using SSL: openssl OpenSSL 1.0.2r 26 Feb 2019
Generating a RSA private key
..........................................................................................................+++++
........+++++
writing new private key to '/etc/openvpn/pki/private/openvpn.key.f6DjojbMv8'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn'
Certificate is to be certified until Apr 3 15:35:43 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
### decrypt key so openvpn daemon can load
oxygen-router-vm /etc/openvpn/pki/private # openssl rsa -in openvpn.key -out openvpn-unprotected.key
### generate tlsauth file for additional security
oxygen-router-vm /etc/openvpn # openvpn --genkey --secret /etc/openvpn/pki/openvpn.tlsauth
### generate (empty) certificate revocation list
oxygen-router-vm /etc/openvpn # easyrsa gen-crl
Using SSL: openssl OpenSSL 1.0.2r 26 Feb 2019
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
An updated CRL has been created.
CRL file: /etc/openvpn/pki/crl.pem
### generate a client
oxygen-router-vm /etc/openvpn # easyrsa build-client-full pixelxl2
Using SSL: openssl OpenSSL 1.0.2r 26 Feb 2019
Generating a RSA private key
........+++++
.........................................................................................+++++
writing new private key to '/etc/openvpn/pki/private/pixelxl2.key.14OGJ0wXqI'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/pki/safessl-easyrsa.cnf
Enter pass phrase for /etc/openvpn/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'pixelxl2'
Certificate is to be certified until Apr 3 15:41:19 2022 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
### generate ovpn file to be delivered
oxygen-router-vm /etc/openvpn # ./generate-ovpn.sh pixelxl2
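As an added example that is not part of this gist: a check script to run over the finished PKI before the OpenVPN daemon is started. It assumes the easy-rsa layout shown above (ca.crt, crl.pem, issued/<name>.crt, private/<name>-unprotected.key, openvpn.tlsauth), the server name openvpn and the openssl CLI; make_sample_pki is a constructed stand-in for the easyrsa output so the checks can be tried without a real PKI.

```shell
#!/bin/sh
# Added example, not code from the gist: sanity-check a PKI produced by the easyrsa
# steps above before OpenVPN loads it. Assumes the easy-rsa layout (ca.crt, crl.pem,
# issued/NAME.crt, private/NAME-unprotected.key, openvpn.tlsauth) and the openssl CLI.

# check_pki PKI_DIR SERVER_NAME  -> status 0 only if every check passes
check_pki() {
  pki=$1 name=$2 rc=0
  ca=$pki/ca.crt crt=$pki/issued/$name.crt key=$pki/private/$name-unprotected.key
  # 1. chains to the CA, is not revoked, and the CRL itself is still valid
  #    (an expired crl.pem makes OpenVPN's crl-verify reject every client)
  openssl verify -crl_check -CAfile "$ca" -CRLfile "$pki/crl.pem" "$crt" >/dev/null 2>&1 \
    && echo "ok: $name verifies against CA and CRL" || { echo "FAIL: CA/CRL verify"; rc=1; }
  # 2. serverAuth EKU comes from the x509-types/server file linked into the PKI;
  #    clients configured with remote-cert-tls server refuse a cert without it
  openssl x509 -in "$crt" -noout -text | grep -q 'TLS Web Server Authentication' \
    && echo "ok: serverAuth EKU present" || { echo "FAIL: no serverAuth EKU"; rc=1; }
  # 3. the decrypted key must belong to this cert ...
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    && echo "ok: key matches cert" || { echo "FAIL: key/cert mismatch"; rc=1; }
  # ... and, now unencrypted, must not be readable by other users
  case $(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") in
    600|400) echo "ok: key is owner-only" ;;
    *) echo "FAIL: chmod 600 $key"; rc=1 ;;
  esac
  # 4. the tls-auth secret must exist (it is shared with every client, keep it 0600 too)
  [ -s "$pki/openvpn.tlsauth" ] && echo "ok: tls-auth key present" \
    || { echo "FAIL: openvpn.tlsauth missing"; rc=1; }
  return $rc
}

# make_sample_pki DIR: constructed stand-in for the easyrsa output (plain openssl,
# throwaway CA without passphrase) so the checks can be exercised without easyrsa
make_sample_pki() {
  d=$1; mkdir -p "$d/issued" "$d/private"; : >"$d/index.txt"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s/index.txt\ncertificate=%s/ca.crt\nprivate_key=%s/private/ca.key\n' \
    "$d" "$d" "$d" >"$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=sample CA' \
    -keyout "$d/private/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=openvpn' \
    -keyout "$d/private/openvpn-unprotected.key" -out "$d/openvpn.csr" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\n' >"$d/server.ext"
  openssl x509 -req -in "$d/openvpn.csr" -CA "$d/ca.crt" -CAkey "$d/private/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/server.ext" -out "$d/issued/openvpn.crt" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -md sha256 -crldays 30 -out "$d/crl.pem" 2>/dev/null
  printf 'placeholder, not the openvpn --genkey format\n' >"$d/openvpn.tlsauth"
  chmod 600 "$d/private/openvpn-unprotected.key"
}
```

Against the real directory from the session, source the script and run `check_pki /etc/openvpn/pki openvpn`; a non-zero status means one of the printed FAIL lines needs fixing before the daemon is started.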