Creating certificates with Elliptic Curves:
Requirements: OpenSSL 1.1.x, OpenVPN 2.5.x, EasyRSA 3.0.x
Initializing PKI environment
# easyrsa init-pki
Creating the Certificate Authority (CA)
# easyrsa --use-algo=ed --curve=ed25519 build-ca
Creating Certificate Request
# easyrsa --use-algo=ed --curve=ed25519 --req-c=BG --req-city=Gabrovo --req-org=Horizon9 --req-email=geroy@horizon9.org --dn-mode=org gen-req horizon9
Signing the certificate request with the CA
# easyrsa sign-req server horizon9
Creating OpenVPN server keys
# easyrsa build-server-full horizon9 nopass
Creating OpenVPN client keys
# easyrsa build-client-full client1 nopass
OpenVPN config file:
local 10.1.1.1 # put your IP address here
port 1194
proto tcp
dev tun
ca /path/to/ca.crt
cert /path/to/horizon9.crt
key /path/to/horizon9.key
server 10.1.11.0 255.255.255.0 # your OpenVPN network IP addresses
push "route 10.1.12.0 255.255.255.0" # your local network here
push "dhcp-option DNS 10.1.12.1"
keepalive 5 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
#data channel cipher
cipher AES-128-GCM
#don't negotiate ciphers, we know what we want
ncp-disable
# TLS 1.3 encryption settings
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
#disable static Diffie-Hellman parameters since we're using ECDHE
dh none
# use this curve
ecdh-curve secp384r1
#this tells OpenVPN which side of the TLS handshake it is
tls-server
#tls-client # uncomment this on the client side
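
An added example (not part of the original page): a Python check that a config like the one above keeps the properties its comments describe, namely ECDHE AEAD suites for TLS 1.2, AEAD suites for TLS 1.3, an AEAD data-channel cipher, "dh none" on the server, and only one of tls-server/tls-client. The function names, the embedded sample and the DEPRECATED list (comp-lzo and ncp-disable are marked deprecated in the OpenVPN 2.5 manual) are assumptions of this example.

```python
import shlex

TLS13 = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_CHACHA20_POLY1305_SHA256"}
AEAD = ("GCM", "CHACHA20-POLY1305")
DEPRECATED = ("comp-lzo", "ncp-disable")  # marked deprecated in OpenVPN 2.5

# Constructed sample: the crypto-relevant lines of the server config above.
SERVER_CONF = '''
push "route 10.1.12.0 255.255.255.0" # your local network here
comp-lzo
cipher AES-128-GCM
ncp-disable
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
dh none
tls-server
#tls-client # uncomment this on the client side
'''

def parse(text):
    """Map each directive to its argument lists; shlex handles quotes and '#'."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf.setdefault(tokens[0], []).append(tokens[1:])
    return conf

def suites(conf, key):
    """Colon-separated names from the first occurrence of `key`, or []."""
    args = conf.get(key, [[]])[0]
    return args[0].split(":") if args else []

def audit(text):
    conf, out = parse(text), []
    if "tls-server" in conf and "tls-client" in conf:
        out.append("tls-server and tls-client are both set")
    if "tls-server" in conf and conf.get("dh", [[]])[0] != ["none"]:
        out.append("dh: server is not set to 'dh none'")
    for s in suites(conf, "tls-cipher"):
        if not s.startswith("TLS-ECDHE-") or not any(a in s for a in AEAD):
            out.append(f"tls-cipher {s}: not an ECDHE AEAD suite")
    out += [f"tls-ciphersuites {s}: not a TLS 1.3 AEAD suite"
            for s in suites(conf, "tls-ciphersuites") if s not in TLS13]
    out += [f"cipher {s}: data channel is not AEAD"
            for s in suites(conf, "cipher") if not any(a in s for a in AEAD)]
    out += [f"{d}: deprecated in OpenVPN 2.5" for d in DEPRECATED if d in conf]
    return out
```

Calling audit(SERVER_CONF) returns only the two deprecation findings; the TLS and data-channel settings pass.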