Tuesday, May 25, 2021

Configuring OpenVPN with Ed25519 certificates and TLS 1.3

Creating certificates with Elliptic Curves: 

Requirements: OpenSSL 1.1.x, OpenVPN 2.5.x, EasyRSA 3.0.x

Initializing PKI environment

# easyrsa init-pki

Creating the Certificate of Authority (CA)

# easyrsa --use-algo=ed --curve=ed25519 build-ca

Creating Certificate Request

# easyrsa --use-algo=ed --curve=ed25519 --req-c=BG --req-city=Gabrovo --req-org=Horizon9 --dn-mode=org gen-req horizon9

Singning the CA request

# easyrsa sign-req server horizon9
Creating OpenVPN server keys
# easyrsa build-server-full horizon9 nopass

Creating OpenVPN client keys

# easyrsa build-client-full client1 nopass


OpenVPN config file:

local # put your IP address here
port 1194
proto tcp
dev tun
ca /path/to/ca.crt
cert /path/to/horizon9.crt
key /path/to/horizon9.key
server # your OpenVPN network IP addresses
push "route" # your local network here
push "dhcp-option DNS"
keepalive 5 120
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4

#data channel cipher
cipher AES-128-GCM

#don't negotiate ciphers, we know what we want

# TLS 1.3 encryption settings
tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# TLS 1.2 encryption settings

#disable static Diffie-Hellman parameters since we're using ECDHE
dh none

# use this curve
ecdh-curve secp384r1

#this tells OpenVPN which side of the TLS handshake it is

#tls-client # uncomment this on the client side