Hi, I already have an OpenVPN server running which I set up using local authentication. I would now like to set up a server that can only be accessed from machines with matching certificates, i.e. I don't want to use usernames and passwords.
How do I set up OpenVPN so the clients can access the server without a username and password, but where the server refuses access to any machine without a matching certificate?
I have created all the certificates so I really just need a simple guide to configure the server for this kind of access.
Many thanks in advance.
James.
Help needed to setup a certificate only based OpenVPN Server
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jan 31, 2011 10:12 am
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Help needed to setup a certificate only based OpenVPN Se
hi there,
to create keys (linux) first edit the vars file and then, in the same folder, type:
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
./build-key keyname1
./build-key keyname2
cd keys
openvpn --genkey --secret ta.key
use a server conf like:
proto udp
port 5006
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
tls-auth keys/ta.key 0
dh keys/dh1024.pem
server 10.1.1.0 255.255.255.0
client-to-client
keepalive 10 60
cipher AES-256-CBC
client-config-dir ccd
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/status.log
log /etc/openvpn/openvpn.log
verb 3
in the above i use: udp, port 5006, tun interface, vpn ip 10.1.1.1, aes256 encryption, compression, and ccd files
your clients need the following files: ca.crt, ta.key and the certificate .crt/.key files
config client.
client
proto udp
keepalive 10 60
cipher AES-256-CBC
comp-lzo
verb 1
persist-key
persist-tun
dev tun
nobind
ns-cert-type server
tls-auth ta.key 1
cert keyname1.crt
key keyname1.key
ca ca.crt
remote ipadressofserver 5006
cheers,
michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jan 31, 2011 10:12 am
Re: Help needed to setup a certificate only based OpenVPN Se
Michael,
Thanks for the very quick reply. I realise now I should have also mentioned that the clients have to be able to connect through the vpn to the internet, so does that mean I replace Client-Client with something else?
Also is there any reason/advantage in changing the port? The existing OpenVPN server uses port 443 which was set by default.
What is the purpose of cipher AES-256-CBC? I thought the TA.key certificate was 2048bit? I may be getting confused with the encryption types.
Thanks,
James.
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: Help needed to setup a certificate only based OpenVPN Se
hi there,
client-to-client is so vpn clients can communicate with each other via the vpn tunnel..
ta.key is for enabling tls to avoid man-in-the-middle attacks..
the default cipher is blowfish, i use AES for better security.
please read the man page...
to tunnel all traffic through vpn you need to push to your clients the default gateway.
please read the man page..(2)
cheers,
michael.
ps >I have created all the certificates so I really just need a simple guide to configure the server for this kind of access.
you said *simple*
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
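As an added example (my own script, not code from the thread or from the OpenVPN project), here is a small shell audit that checks whether a server config really is certificate-only in the sense James asked for, and whether a client config matches michael's: the server must carry no username/password directive (auth-user-pass-verify, a PAM plugin, and the like) and nothing that makes the client certificate optional, and must have ca/cert/key/dh/tls-auth; the client must not send auth-user-pass and must pin the peer to the server role (ns-cert-type server as in the posted client config, or remote-cert-tls server on OpenVPN 2.4 and later), since without that any client certificate signed by the same CA could be used to pose as the server. It also reports whether the server pushes redirect-gateway, which is the directive michael's second reply refers to for routing all client traffic through the VPN, and warns when there is no crl-verify, because certificates alone give you no way to refuse a lost client key. The sample "good" configs follow the ones posted above; the "bad" configs and the openvpn-auth-pam.so plugin path are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from the thread: audit OpenVPN server and client configs
# for certificate-only access. Server side: no username/password directives, no
# weakened client-cert checking, all TLS material present. Client side: no
# auth-user-pass, and the peer must be checked for the *server* role (ns-cert-type
# server as on the page, or remote-cert-tls server on OpenVPN 2.4+), otherwise any
# client certificate signed by the same CA could impersonate the server.

# Server directives that add password auth or stop the server insisting on a client
# certificate. "plugin ... auth" matches e.g. openvpn-auth-pam.so; the HMAC
# directive "auth SHA256" is deliberately not matched.
FORBIDDEN='^[[:space:]]*(auth-user-pass-verify|auth-user-pass-optional|username-as-common-name|client-cert-not-required|verify-client-cert[[:space:]]+(none|optional)|plugin[[:space:]]+[^[:space:]]*auth)'

# Drop # and ; comments so a commented-out directive does not count as a finding.
strip_comments() { sed -e 's/[#;].*$//' "$1"; }

# has_directive <file> <regex for directive and its arguments>
has_directive() { strip_comments "$1" | grep -Eq "^[[:space:]]*$2"; }

audit_server_conf() {
    conf="$1"; rc=0
    bad=$(strip_comments "$conf" | grep -E "$FORBIDDEN" || true)
    if [ -n "$bad" ]; then
        printf 'FAIL %s: password auth or weakened cert check:\n%s\n' "$conf" "$bad"; rc=1
    fi
    for d in ca cert key dh tls-auth; do
        has_directive "$conf" "${d}[[:space:]]" || { printf 'FAIL %s: missing %s\n' "$conf" "$d"; rc=1; }
    done
    # Certificates alone cannot un-trust a lost client key; that needs a CRL.
    has_directive "$conf" 'crl-verify[[:space:]]' \
        || printf 'WARN %s: no crl-verify, a revoked client cert is still accepted\n' "$conf"
    # Split vs full tunnel (the follow-up question in the thread).
    if has_directive "$conf" 'push[[:space:]]+"redirect-gateway'; then
        printf 'INFO %s: all client traffic is routed through the VPN\n' "$conf"
    else
        printf 'INFO %s: split tunnel; add push "redirect-gateway def1" to route everything\n' "$conf"
    fi
    return $rc
}

audit_client_conf() {
    conf="$1"; rc=0
    has_directive "$conf" '(ns-cert-type|remote-cert-tls)[[:space:]]+server' \
        || { printf 'FAIL %s: peer is not checked for the server role\n' "$conf"; rc=1; }
    if has_directive "$conf" 'auth-user-pass'; then
        printf 'FAIL %s: still prompts for a username/password\n' "$conf"; rc=1
    fi
    for d in ca cert key tls-auth; do
        has_directive "$conf" "${d}[[:space:]]" || { printf 'FAIL %s: missing %s\n' "$conf" "$d"; rc=1; }
    done
    return $rc
}

# Constructed sample configs: "good" follows the thread's server and client configs;
# "bad" adds a PAM login plugin and makes client certs optional (server), or drops
# the server-role check and adds a login prompt (client).
write_demo_configs() {
    dir="$1"
    cat > "$dir/server-good.conf" <<'EOF'
proto udp
port 5006
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
tls-auth keys/ta.key 0
dh keys/dh1024.pem
server 10.1.1.0 255.255.255.0
cipher AES-256-CBC
# auth-user-pass-verify /etc/openvpn/check.sh via-env  (commented out: must not count)
EOF
    { cat "$dir/server-good.conf"
      printf 'plugin /usr/lib/openvpn/openvpn-auth-pam.so login\nclient-cert-not-required\n'
    } > "$dir/server-bad.conf"
    cat > "$dir/client-good.conf" <<'EOF'
client
dev tun
proto udp
remote ipaddressofserver 5006
ns-cert-type server
tls-auth ta.key 1
cert keyname1.crt
key keyname1.key
ca ca.crt
EOF
    { grep -v '^ns-cert-type' "$dir/client-good.conf"; echo auth-user-pass; } > "$dir/client-bad.conf"
}

# Demo run over the constructed configs.
DEMO=$(mktemp -d)
write_demo_configs "$DEMO"
for f in server-good server-bad client-good client-bad; do
    case $f in
        server-*) audit_server_conf "$DEMO/$f.conf" ;;
        *)        audit_client_conf "$DEMO/$f.conf" ;;
    esac && echo "OK   $f" || echo "BAD  $f"
done
```

Run it as-is to see the demo, or source it and call audit_server_conf /etc/openvpn/server.conf against a real config. Comments are stripped before matching so a commented-out auth-user-pass-verify does not produce a false finding, and the plugin match is on the plugin path so a PAM or LDAP auth plugin is caught whatever its argument list.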