We already have our OpenVPN AS running in Production, so a few more posts about last steps in its configuration.
For now – need to configure SSL to avoid alerts in clients browsers.
OpenVPN AS documentation for SSL setup – here>>>.
Contents
Let’s Encrypt
Install Let’s Encrypt client:
[simterm]
root@openvpnas2:~# git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
[/simterm]
Open port 80 in your AWS Security Group – it’s safe as OpenVPN AS listen on the 443 for clients and 943 for the admin page access.
Obtain a new certificate:
[simterm]
root@openvpnas2:~# /opt/letsencrypt/letsencrypt-auto certonly -d vpn.example.com ... 1: Spin up a temporary webserver (standalone) ... IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/vpn.example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/vpn.example.com/privkey.pem
[/simterm]
SSL in OpenVPN AS
You can change certificates using Admin UI in the Web Server Configuration, or using CLI.
On the first run OpenVPN AS generates self-signed certificates stored in the /usr/local/openvpn_as/etc/web-ssl/ directory:
[simterm]
root@openvpnas2:~# ls -l /usr/local/openvpn_as/etc/web-ssl/ total 16 -rw-r--r-- 1 root root 1111 Feb 21 14:50 ca.crt -rw------- 1 root root 1708 Feb 21 14:50 ca.key -rw-r--r-- 1 root root 1082 Feb 21 14:50 server.crt -rw------- 1 root root 1704 Feb 21 14:50 server.key
[/simterm]
They are kind of failover-certificates in case if others will be broken.
To configure SSL we need to have three files, in case of using Let’s Encrypt we will use next files to create them:
*.crt– it’s ourfullchain.pemfile*.key–privkey.pemfile*.bundle– will be created fromfullchain.pemandprivkey.pem
Check Let’s Encrypt existing files:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# ls -l total 4 lrwxrwxrwx 1 root root 42 Feb 22 10:56 cert.pem -> ../../archive/vpn.example.com/cert1.pem lrwxrwxrwx 1 root root 43 Feb 22 10:56 chain.pem -> ../../archive/vpn.example.com/chain1.pem lrwxrwxrwx 1 root root 47 Feb 22 10:56 fullchain.pem -> ../../archive/vpn.example.com/fullchain1.pem lrwxrwxrwx 1 root root 45 Feb 22 10:56 privkey.pem -> ../../archive/vpn.example.com/privkey1.pem
[/simterm]
Install private key to OpenVPN server:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key "cs.priv_key" --value_file "privkey.pem" ConfigPut
[True, {}]
[/simterm]
Install its public cert:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key "cs.cert" --value_file "fullchain.pem" ConfigPut
[True, {}]
[/simterm]
“Generate” bundle – just by using cat for the fullchain.pem and privkey.pem:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# cat fullchain.pem privkey.pem > bundle.pem
[/simterm]
Add it to the OpenVPN AS:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli --key "cs.ca_bundle" --value_file "bundle.pem" ConfigPut
[True, {}]
[/simterm]
Restart service:
[simterm]
root@openvpnas2:/etc/letsencrypt/live/vpn.example.com# /usr/local/openvpn_as/scripts/sacli start
RunStart warm None
{
"errors": {},
"service_status": {
"api": "on",
"auth": "on",
"bridge": "on",
"client_query": "restarted",
"crl": "on",
"daemon_pre": "on",
"db_push": "on",
"ip6tables_live": "on",
"ip6tables_openvpn": "on",
"iptables_live": "on",
"iptables_openvpn": "on",
"iptables_web": "restarted",
"license": "on",
"log": "on",
"openvpn_0": "on",
"openvpn_1": "on",
"user": "on",
"web": "restarted"
}
}
WILL_RESTART ['web', 'client']
[/simterm]
Check UI now:
OpenVPN AS hostname
And the last step here will be to configure server’s hostname if this wasn’t made during initial setup.
Go to the Admin UI => Network Settings:
Done.
