3. Create the user (Alice) certificate for authentication:
Generate Alice's private key:
# openssl genrsa -out alice.key 2048
Generate Alice's certificate request.
Notice: the common name (CN) must match the username, i.e. CN = alice
# openssl req -out alice.req -key alice.key -new -days 365
Sign Alice's request with the rootCA:
# openssl x509 -in alice.req -out alice.cert -days 365 -req -CA rootCA.cert -CAkey rootCA.key -CAcreateserial
To make the config file for Alice, copy the contents of rootCA.cert, alice.key and alice.cert into one file, alice.ovpn, like this:
# vim alice.ovpn
client
dev tun
proto tcp
# Connect to server
remote vpn.tipstuff.org 443
# rootCA.cert
<ca>
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIJAOhAI1gmMWVxMA0GCSqGSIb3DQEBBQUAMGYxCzAJBgNV
BAYTAlZOMQswCQYDVQQIDAJTRzELMAkGA1UEBwwCU0cxFTATBgNVBAoMDHRpcH
...............
...............
FULLqBe+kY+XaZrlPVn787aEwN0tF1DtXwG8pQ3cR7eohOAZWrZDHXEFTKYYJkvu
RKgJvl0Hw3zsCX9faPK/Z90chg==
-----END CERTIFICATE-----
</ca>
# alice.cert
<cert>
-----BEGIN CERTIFICATE-----
MIIDRzCCAi8CCQDU+B80lYb0/zANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJW
............
............
8vvzrS9AltShgZYNt1ODHvNYMFHzyQHMNmVG
-----END CERTIFICATE-----
</cert>
# alice.key
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAsf4LwkRjoStpRjAj9gXL46r5K3s26+Kf3k+iLS/5OoieLJlT
W9Mj5OAUjxm+fgUeQw79n+BRsB2OIsARE7NmHyryw8XhU/pPwhFp/1oGCOQmUwA0
............
............
gDLtXax8Vj+UwIPDOIlLHckqgHsDASpbM0hckxJtvZzKBRFww3DJOA==
-----END RSA PRIVATE KEY-----
</key>
Now copy or email the config file to Alice and guide her to download the appropriate OpenVPN client. For example, for Windows XP 32-bit: http://swupdate.openvpn.org/community/releases/openvpn-install-2.3.4-I003-i686.exe
After installation, place the config file in: C:\Program Files\OpenVPN\config\
On the desktop, right-click the OpenVPN GUI icon and choose Run As Administrator (it needs that permission to modify the routing table). The OpenVPN GUI icon then sits at the bottom right of the taskbar; right-click it and choose Connect.
The client receives the IP and DNS address provided by the OpenVPN server.
Push a static route to the client:
[screenshot not preserved]
Alice has now connected to the VPN network.
The login process uses SSL certificates to authenticate users (CN=alice); no password is required, and the VPN server only accepts certificates signed by the rootCA.
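As an added example (not part of the original post), the following shell script automates step 3 and the assembly of the single-file profile shown above, and adds the check the server relies on at login: the certificate must chain to rootCA and its CN must equal the username. It assumes the OpenSSL command-line tool is installed, writes everything into a directory named by PKI_DIR (default ./pki, a name chosen for this example), creates a root CA of its own if none exists, and takes the server address from the alice.ovpn above. The function and file names are this example's own, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
# PKI_DIR (default ./pki, a name chosen for this example) holds all generated files.
set -eu

PKI_DIR="${PKI_DIR:-./pki}"
VPN_REMOTE="vpn.tipstuff.org 443"   # server address from the post's alice.ovpn

# Create a self-signed root CA once (skipped if rootCA.cert already exists).
make_root_ca() {
    mkdir -p "$PKI_DIR"
    if [ ! -f "$PKI_DIR/rootCA.cert" ]; then
        openssl genrsa -out "$PKI_DIR/rootCA.key" 2048 2>/dev/null
        openssl req -x509 -new -key "$PKI_DIR/rootCA.key" -days 3650 \
            -subj "/CN=rootCA" -out "$PKI_DIR/rootCA.cert" 2>/dev/null
    fi
}

# Step 3 from the post for one user: key, CSR with CN=<user>, cert signed by rootCA.
make_client_cert() {
    user="$1"
    openssl genrsa -out "$PKI_DIR/$user.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/$user.key" -subj "/CN=$user" \
        -out "$PKI_DIR/$user.req" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/$user.req" -days 365 \
        -CA "$PKI_DIR/rootCA.cert" -CAkey "$PKI_DIR/rootCA.key" -CAcreateserial \
        -out "$PKI_DIR/$user.cert" 2>/dev/null
}

# The check the server applies at login: the certificate must chain to rootCA
# and its subject CN must equal the login name. Returns 0 on success, 1 otherwise.
verify_client_cert() {
    login="$1"
    cert="$2"
    openssl verify -CAfile "$PKI_DIR/rootCA.cert" "$cert" >/dev/null 2>&1 || return 1
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
              | sed 's/^subject= *//')
    [ "$subject" = "CN=$login" ]
}

# Assemble the single-file profile with inline <ca>, <cert> and <key> blocks,
# in the layout of alice.ovpn above. Prints the path of the profile.
build_ovpn() {
    user="$1"
    out="$PKI_DIR/$user.ovpn"
    {
        printf 'client\ndev tun\nproto tcp\nremote %s\n' "$VPN_REMOTE"
        printf '<ca>\n';   cat "$PKI_DIR/rootCA.cert"; printf '</ca>\n'
        printf '<cert>\n'; cat "$PKI_DIR/$user.cert";  printf '</cert>\n'
        printf '<key>\n';  cat "$PKI_DIR/$user.key";   printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile embeds a private key; keep it owner-readable only
    printf '%s\n' "$out"
}

# Usage when run stand-alone: ./mkprofile.sh alice
if [ -n "${1:-}" ]; then
    make_root_ca
    make_client_cert "$1"
    verify_client_cert "$1" "$PKI_DIR/$1.cert"
    build_ovpn "$1"
fi
```

The script refuses to build a profile when the CN does not match the login or when the certificate was not signed by rootCA, which is the same condition the server enforces, so a bad profile is caught before it is emailed to the user. The chmod 600 matters because the .ovpn file carries Alice's private key in clear text.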