Tuesday, May 25, 2021

Configuring OpenVPN with Ed25519 certificates and TLS 1.3

Creating certificates with Elliptic Curves: 

Requirements: OpenSSL 1.1.x, OpenVPN 2.5.x, EasyRSA 3.0.x

Initializing PKI environment

# easyrsa init-pki

Creating the Certificate of Authority (CA)

# easyrsa --use-algo=ed --curve=ed25519 build-ca

Creating Certificate Request

# easyrsa --use-algo=ed --curve=ed25519 --req-c=BG --req-city=Gabrovo --req-org=Horizon9 --req-email=geroy@horizon9.org --dn-mode=org gen-req horizon9

Singning the CA request

# easyrsa sign-req server horizon9
Creating OpenVPN server keys
# easyrsa build-server-full horizon9 nopass

Creating OpenVPN client keys

# easyrsa build-client-full client1 nopass

 

OpenVPN config file:

local 10.1.1.1 # put your IP address here
port 1194
proto tcp
dev tun
ca /path/to/ca.crt
cert /path/to/horizon9.crt
key /path/to/horizon9.key
server 10.1.11.0 255.255.255.0 # your OpenVPN network IP addresses
push "route 10.1.12.0 255.255.255.0" # your local network here
push "dhcp-option DNS 10.1.12.1"
keepalive 5 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

#data channel cipher
cipher AES-128-GCM

#don't negotiate ciphers, we know what we want
ncp-disable

# TLS 1.3 encryption settings
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# TLS 1.2 encryption settings
tls-cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

#disable static Diffie-Hellman parameters since we're using ECDHE
dh none

# use this curve
ecdh-curve secp384r1

#this tells OpenVPN which side of the TLS handshake it is
tls-server

#tls-client # uncomment this on the client side