From 7e1b33e22ce44c685293daf5c2d9709c07d33140 Mon Sep 17 00:00:00 2001
From: Steven Thomas Smith
Date: Wed, 23 Nov 2022 10:13:38 -0500
Subject: [PATCH] macos-openvpn-server: Update to openvpn 2.5, easy-rsa 3, EC-based PKI
---
README.md | 45 +--
enable-vpn-forward-nat.sh | 17 --
net.openvpn.enable-vpn-forward-nat.plist | 14 -
openvpn-client-tun.ovpn | 57 ++--
openvpn-server-tun.tblk/README | 13 -
openvpn-server-tun.tblk/config.ovpn | 39 ++-
.../config.ovpn.osxfortress | 87 ------
pf.conf | 134 ++++----
readme-and-install.sh | 175 +++++------
sysctl.conf | 2 +
vars | 287 ++++++++++++++----
11 files changed, 427 insertions(+), 443 deletions(-)
delete mode 100644 enable-vpn-forward-nat.sh
delete mode 100644 net.openvpn.enable-vpn-forward-nat.plist
delete mode 100644 openvpn-server-tun.tblk/README
delete mode 100644 openvpn-server-tun.tblk/config.ovpn.osxfortress
mode change 100644 => 100755 readme-and-install.sh
create mode 100644 sysctl.conf
diff --git a/README.md b/README.md
index f10aa0d..df43b19 100644
--- a/README.md
+++ b/README.md
@@ -5,21 +5,31 @@ macos-openvpn-server This repo describes how to build an OpenVPN VPN server on macOS using pfctl and [Tunnelblick](../../../../Tunnelblick/Tunnelblick). -This configuration provides a TLS-based VPN server using 4096-bit certificates and UDP port 443, accessible by any OpenVPN client, especially iOS with the OpenVPN app. +This configuration provides a TLS-based VPN server using EC ed25519 certificates and UDP port 443, accessible by any OpenVPN client, especially iOS with the OpenVPN app. ![OpenVPN iPad](images/OpenVPN_iPad.PNG) +## Installation and Configuration Notes +* Configuration for `openvpn` version 2.5 and [easy-rsa](../../../../OpenVPN/easy-rsa) version 3 +* Presumes latest macOS versions that use editable `/etc/sysctl.conf` to set: +> ``` +> net.inet.ip.forwarding=1 +> net.inet6.ip6.forwarding=1 +> ``` +This is known to work for macOS 11+. See previous versions of this +repo for a `launchctl`-based approach +* Uses Edwards curve +[ed25519](https://en.wikipedia.org/wiki/Curve25519) EC-based PKI +for very fast VPN connections with 128-bit security + ## VPN Configuration Advantages This OpenVPN configuration provides the following advantages: * Secure VPN networking for all mobile clients * Secure, certificate-based VPN - * OpenVPN the only certificate-based option between macOS and iOS - * PPTP-based VPN traffic "[should be considered unencrypted](https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/)" - * L2TP VPN (available in macOS Server.app) requires a very long random PSK; "[IPSEC-PSK is arguably worse than PPTP … for a dictionary-based attack vector](https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/)" * PF-based [firewall security](../../../osxfortress) on the server -* Privatizing [Automatic Proxy Configuration](../../../osxfortress) for all mobile client devices +* Privatizing [Proxy Configuration](../../../osxfortress) for all mobile client devices * Mobile device networking through PF firewall 
security * Tracker blocking * Ad blocking @@ -32,28 +42,3 @@ Configure [Tunnelblick](../../../../Tunnelblick/Tunnelblick) settings so that th | [Tunnelblick](../../../../Tunnelblick/Tunnelblick) Settings | Advanced… | :------------------------------------------------------------:|:-------------------------: ![Tunnelblick Settings](images/Tunnelblick%20Settings.png)|![Tunnelblick Advanced Settings](images/Tunnelblick%20Advanced%20Settings.png) - -## Privatizing Proxy for Mobile Devices - -A privatizing proxy is necessary to block mobile carriers from adding uniquely identifying HTTP headers used for customer tracking. See, for example, __[ -Does your phone company track you?](http://arstechnica.com/security/2014/11/does-your-phone-company-track-you/)__. The repo [essandess/osxfortress](../../../osxfortress) provides a firewall, -blackhole, and privatizing proxy . Use the server configuration -[config.ovpn.osxfortress](openvpn-server-tun.tblk/config.ovpn.osxfortress) for these features, including blocking the mobile carrier tracking headers: - -``` -# Mobile carrier uniquely identifying headers -request_header_access MSISDN deny all # T-Mobile -request_header_access X-MSISDN deny all # T-Mobile -request_header_access X-UIDH deny all # Verizon -request_header_access x-up-subno deny all # AT&T -request_header_access X-ACR deny all # AT&T -request_header_access X-UP-SUBSCRIBER-COS deny all -request_header_access X-OPWV-DDM-HTTPMISCDD deny all -request_header_access X-OPWV-DDM-IDENTITY deny all -request_header_access X-OPWV-DDM-SUBSCRIBER deny all -request_header_access CLIENTID deny all -request_header_access X-VF-ACR deny all -request_header_access X_MTI_USERNAME deny all -request_header_access X_MTI_EMAIL deny all -request_header_access X_MTI_EMPID deny all -``` diff --git a/enable-vpn-forward-nat.sh b/enable-vpn-forward-nat.sh deleted file mode 100644 index 50353b6..0000000 --- a/enable-vpn-forward-nat.sh +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash -# -# References: The Book of PF, p. 21; https://forums.openvpn.net/topic11401.html -# -# Sleep is necessary cause network has to be up at the time of following commands -# Otherwise the network will not work at all -# -sleep 15 -# -/usr/sbin/sysctl -w net.inet.ip.fw.enable=1 -/usr/sbin/sysctl -w net.inet.ip.forwarding=1 -/usr/sbin/sysctl -w net.inet6.ip6.forwarding=1 - -# natd and ipfw are DEPRECATED. Use pfctl(8) instead with nat, e.g. -# nat on en0 from 10.0.0.0/8 to any -> (en0) -###/usr/sbin/natd -interface en0 -###/sbin/ipfw add divert natd ip from any to any via en0 diff --git a/net.openvpn.enable-vpn-forward-nat.plist b/net.openvpn.enable-vpn-forward-nat.plist deleted file mode 100644 index 2470a9c..0000000 --- a/net.openvpn.enable-vpn-forward-nat.plist +++ /dev/null @@ -1,14 +0,0 @@ - - - - - Label - net.openvpn.enable-vpn-forward-nat - ProgramArguments - - /Library/Application Support/vpn/enable-vpn-forward-nat.sh - - RunAtLoad - - - diff --git a/openvpn-client-tun.ovpn b/openvpn-client-tun.ovpn index 6b165b1..ceb53e0 100644 --- a/openvpn-client-tun.ovpn +++ b/openvpn-client-tun.ovpn 
@@ -1,46 +1,35 @@ #### -## Domainname Mac UDP client configuration version 2.0 +## Mac UDP client configuration version 2.0 #### client dev tun proto udp -remote server.domainname.com 443 +remote domainname.tld 443 redirect-gateway def1 -resolv-retry infinite -nobind ;user nobody ;group nobody -persist-key -persist-tun -;ca ca.crt -;cert clientname.crt -;key clientname.key +remote-cert-tls server ------BEGIN CERTIFICATE----- -MY CERT from ca.crt ------END CERTIFICATE----- +; paste ca.pem and remove these comments: +; openssl x509 -in pki/ca.crt | pbcopy -ns-cert-type server -;tls-auth ta.key 1 + +; paste client cert and remove these comments: +; openssl x509 -in pki/issued/client-domainname.crt -text | pbcopy + + +; paste client key and remove these comments: +; openssl pkey -in pki/private/client-domainname.key -out pki/private/client-domainname.key.decrypted +; pbcopy < pki/private/client-domainname.key.decrypted +; rm pki/private/client-domainname.key.decrypted + key-direction 1 - -# -# 4096 bit OpenVPN static key -# ------BEGIN OpenVPN Static key V1----- -MY CERT from ta.key ------END OpenVPN Static key V1----- - -; fields from server certificate: sudo cat keys/server-domainname.crt -verify-x509-name 'C=US, O=DomainName, OU=OpenVPN, CN=domainname.tld' subject -;auth-user-pass -;tls-remote server-domainname -;cipher BF-CBC ; susceptible to SWEET32 attacks -cipher AES-256-CBC + +; paste ta.key and remove these comments: +; pbcopy < pki/ta.key + +cipher AES-256-GCM +tls-version-min 1.3 ; openvpn --show-tls | grep -e '^TLS' | grep -v 128 | grep -v -e 'SHA$' | grep -v GCM -tls-cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 -tls-version-min 1.2 -auth SHA512 -;client-http-proxy 10.0.1.3 3128 -verb 3 -# shaper 50000 +; tls-cipher 
TLS_CHACHA20_POLY1305_SHA256:TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 +;client-http-proxy 10.0.1.3 8118 diff --git a/openvpn-server-tun.tblk/README b/openvpn-server-tun.tblk/README deleted file mode 100644 index 9ab2529..0000000 --- a/openvpn-server-tun.tblk/README +++ /dev/null @@ -1,13 +0,0 @@ -# These files must appear in this directory: -# -# dh4096.pem ta.key -# ca.crt server-domainname.crt -# config.ovpn server-domainname.key - -# Install from the easy-rsa-tunnelblick directory with these permissions: - -sudo install -m 644 ./easy-rsa-tunnelblick/keys/ca.crt ./osx-openvpn-server-tun.tblk -sudo install -m 600 ./easy-rsa-tunnelblick/keys/dh4096.pem ./osx-openvpn-server-tun.tblk -sudo install -m 644 ./easy-rsa-tunnelblick/keys/server-domainname.crt ./osx-openvpn-server-tun.tblk -sudo install -m 600 ./easy-rsa-tunnelblick/keys/server-domainname.key ./osx-openvpn-server-tun.tblk -sudo install -m 600 ./easy-rsa-tunnelblick/keys/ta.key ./osx-openvpn-server-tun.tblk diff --git a/openvpn-server-tun.tblk/config.ovpn b/openvpn-server-tun.tblk/config.ovpn index 4fb7d17..c82bbe1 100644 --- a/openvpn-server-tun.tblk/config.ovpn +++ b/openvpn-server-tun.tblk/config.ovpn @@ -25,15 +25,15 @@ port 443 proto udp dev tun -;dev tap ca ca.crt -cert server-domainname.crt -key server-domainname.key +cert hostname.domainname.tld.crt +key hostname.domainname.tld.key -tls-auth ta.key 0 +tls-crypt ta.key 0 -dh dh4096.pem +dh none +ecdh-curve ed25519 server 10.8.0.0 255.255.255.0 route 10.0.1.0 255.255.255.0 @@ -41,7 +41,7 @@ route 10.8.0.0 255.255.255.0 ;server-bridge 10.0.1.3 255.255.255.0 10.0.1.50 10.0.1.90 -;topology subnet +topology subnet # Push routes to the client to allow it # to reach other private subnets behind 
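Review bot: The client keeps `key-direction 1` while the openvpn-server-tun.tblk/config.ovpn hunk moves the server from `tls-auth ta.key 0` to `tls-crypt ta.key 0`; `key-direction` applies only to tls-auth, so the inline block the "paste ta.key" comment refers to (its tags are not visible here) must be a tls-crypt block for the handshake to succeed, and `key-direction 1` is then dead configuration that should be dropped. Removing `resolv-retry infinite`, `persist-key` and `persist-tun` changes mobile reconnect behaviour (a DNS failure at start-up becomes fatal, and the tun device is re-opened across ping-restart); if that is intended it deserves a comment, otherwise restore the three lines. The key-export instructions write the private key unencrypted to `pki/private/client-domainname.key.decrypted` between two commands; `openssl pkey -in pki/private/client-domainname.key | pbcopy` keeps it off disk, and the same sequence appears in the readme-and-install.sh hunk. The commented `tls-cipher` line mixes a TLS 1.3 suite name (`TLS_CHACHA20_POLY1305_SHA256`) with TLS 1.2 names; on OpenVPN 2.5 the 1.3 suites belong in `tls-ciphersuites`, which also matters once `tls-version-min 1.3` is set.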
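Review bot: `ecdh-curve ed25519` names the EdDSA signature curve rather than a Diffie-Hellman group; the key-exchange counterpart is X25519, and the curve should be checked against `openvpn --show-curves` before relying on it, since a curve OpenSSL cannot use for ECDH is either rejected at start-up or replaced by the default with only a log line. On OpenVPN 2.5 the documented replacement for `ecdh-curve` is `tls-groups`, e.g. `tls-groups X25519:secp384r1`, which also selects the key share for the `tls-version-min 1.3` handshake set in the later hunk. `dh none` is correct once an ECDH group is in use. The renamed `cert hostname.domainname.tld.crt` / `key hostname.domainname.tld.key` do not match the `server-domainname.crt` / `server-domainname.key` files that the readme-and-install.sh hunk installs into the same .tblk directory; one placeholder name should be used throughout.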
@@ -54,31 +54,26 @@ push "route 10.0.1.0 255.255.255.0" push "route 10.8.0.0 255.255.255.0" push "redirect-gateway def1" -; push "dhcp-option DNS 10.8.0.1" -push "dhcp-option DNS 8.8.8.8" -push "dhcp-option DNS 4.4.4.4" -; push "dhcp-option DOMAIN server.domainname.com" +push "dhcp-option DNS 10.0.1.3" +push "dhcp-option DOMAIN domainname.tld" ; push "dhcp-option PROXY_AUTO_CONFIG_URL http://proxy.domainname.private/proxy.pac" -;push "dhcp-option PROXY_HTTP 10.8.0.1 3128" -;push "dhcp-option PROXY_BYPASS domainname.com" -push "cipher AES-256-CBC" -; cipher BF-CBC is susceptible to SWEET32 attacks +;push "dhcp-option PROXY_HTTP 10.0.1.3 8118" +push "dhcp-option PROXY_BYPASS domainname.com proxy.domainname.private" client-to-client keepalive 10 120 -;cipher BF-CBC ; susceptible to SWEET32 attacks -cipher AES-256-CBC +cipher AES-256-GCM +tls-version-min 1.3 + ; openvpn --show-tls | grep -e '^TLS' | grep -v 128 | grep -v -e 'SHA$' | grep -v GCM -tls-cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-DSS-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384 -tls-version-min 1.2 -auth SHA512 +; tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 -max-clients 10 +max-clients 20 -user nobody -group nobody +; user nobody +; group nobody persist-key persist-tun diff --git a/openvpn-server-tun.tblk/config.ovpn.osxfortress b/openvpn-server-tun.tblk/config.ovpn.osxfortress deleted file mode 100644 index 88617d2..0000000 --- a/openvpn-server-tun.tblk/config.ovpn.osxfortress +++ /dev/null 
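Review bot: Commenting out `user nobody` and `group nobody` removes the post-initialisation privilege drop, so the server process keeps root for its whole lifetime, while the `persist-key` / `persist-tun` lines that exist precisely to make that drop workable are left in place. If Tunnelblick's launch model is the reason, say so in a comment; otherwise restore the two lines. With `tls-version-min 1.3` now required, the commented `tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384` is a TLS 1.2 suite name and would have no effect on a 1.3 handshake; `tls-ciphersuites` is the 2.5 option for 1.3 suites, so the comment should point there. `max-clients 20` quietly doubles capacity relative to the old value and is worth a word in the commit message.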
@@ -1,87 +0,0 @@ -################################################# -# OpenVPN 2.0 config file for # -# multi-client server. # -# # -# This file is for the server side # -# of a many-clients one-server # -# OpenVPN configuration. # -# # -# OpenVPN also supports # -# single-machine single-machine # -# configurations (See the Examples page # -# on the web site for more info). # -# # -# This config should work on Windows # -# or Linux/BSD systems. Remember on # -# Windows to quote pathnames and use # -# double backslashes, e.g.: # -# "C:\\Program Files\\OpenVPN\\config\\foo.key" # -# # -# Comments are preceded with '#' or ';' # -################################################# - -local 10.0.1.3 -port 443 -proto udp - -dev tun -;dev tap - -ca ca.crt -cert server-domainname.crt -key server-domainname.key - -tls-auth ta.key 0 - -dh dh4096.pem - -server 10.8.0.0 255.255.255.0 -route 10.0.1.0 255.255.255.0 -route 10.8.0.0 255.255.255.0 - -;server-bridge 10.0.1.3 255.255.255.0 10.0.1.50 10.0.1.90 - -;topology subnet - -# Push routes to the client to allow it -# to reach other private subnets behind -# the server. Remember that these -# private subnets will also need -# to know to route the OpenVPN client -# address pool (10.8.0.0/255.255.255.0) -# back to the OpenVPN server. 
-push "route 10.0.1.0 255.255.255.0" -push "route 10.8.0.0 255.255.255.0" - -push "redirect-gateway def1" -push "dhcp-option DNS 10.0.1.3" -; push "dhcp-option DNS 8.8.8.8" -; push "dhcp-option DNS 4.4.4.4" -push "dhcp-option DOMAIN server.domainname.com" -push "dhcp-option PROXY_AUTO_CONFIG_URL http://proxy.domainname.private/proxy.pac" -;push "dhcp-option PROXY_HTTP 10.8.0.1 3128" -push "dhcp-option PROXY_BYPASS domainname.com" -push "cipher AES-256-CBC" -; cipher BF-CBC is susceptible to SWEET32 attacks - -client-to-client - -keepalive 10 120 - -;cipher BF-CBC ; susceptible to SWEET32 attacks -cipher AES-256-CBC -tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-DSS-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA -tls-version-min 1.2 -auth SHA512 - -max-clients 10 - -user nobody -group nobody - -persist-key -persist-tun - -ifconfig-pool-persist "/Library/Application Support/Tunnelblick/ipp.txt" - -verb 3 diff --git a/pf.conf b/pf.conf index 862f23c..e1f5e06 100644 --- a/pf.conf +++ b/pf.conf @@ -28,9 +28,12 @@ # $ ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+' int_if = "en0" -# VPN network (uncomment '#vpn#' comment lines) +# VPN network # $vpn_net == utun0/24 when Tunnelblick creates utun0 -vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time +vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time + +# Hardcoded IPs +# domainname_tld = "x.x.x.x.x" # Options 
@@ -60,16 +63,19 @@ scrub-anchor "com.apple/*" # The Book of PF, p. 21 # Allow VPN connections to the VPN host: # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work -#tun_if = "utun0" -#no nat on ! $tun_if from $vpn_net to ($int_if) -#nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if) +# $ sudo vi /etc/sysctl.conf +# net.inet.ip.forwarding=1 +# net.inet6.ip6.forwarding=1 +tun_if = "utun3" +no nat on ! $tun_if inet from $vpn_net to ($int_if) +nat on ! $tun_if inet from $vpn_net to ! ($int_if) -> ($int_if) # Use a list in case Tunnelblick creates multiples utun interaces -#tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }" -not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }" -no nat on $not_tun_if from $vpn_net to ($int_if) -nat on $not_tun_if from $vpn_net to ! ($int_if) -> ($int_if) +# tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }" +# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }" +# no nat on $not_tun_if inet from $vpn_net to ($int_if) +# nat on $not_tun_if inet from $vpn_net to ! ($int_if) -> ($int_if) # This rule must be included below BEFORE these packets are passed by other rules: -# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if +# pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if nat-anchor "com.apple/*" rdr-anchor "com.apple/*" @@ -77,11 +83,6 @@ dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple" -# macOS Server Adaptive Firewall -# Comment out for non-macOS Server instances -# anchor "com.apple.server-firewall/*" -# load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall" - # Filtering # Block by default 
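Review bot: `tun_if = "utun3"` hard-codes the tunnel interface even though the comment above it and the now-commented `not_tun_if` list both acknowledge that the utun index is not stable; on a machine where another VPN client or a second Tunnelblick configuration takes utun3 first, the VPN interface gets no NAT rule, and the `pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if` rule in the @@ -95,22 +96,22 @@ hunk no longer admits its traffic, so clients lose connectivity with no rule error to point at. Keep the list-form `no nat on $not_tun_if inet ...` / `nat on $not_tun_if inet ...` rules active, or at least document how utun3 was chosen, e.g. `# confirm the utun index in the Tunnelblick log before editing`. The `inet` qualifier added to the nat rules is a good tightening, since `vpn_net` is an IPv4 macro.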
@@ -95,22 +96,22 @@ block all # $ sudo ifconfig pflog0 create # $ sudo tcpdump -n -e -ttt -i pflog0 # $ sudo ifconfig pflog0 destroy -# block log (all, to pflog0) all +#block log (all, to pflog0) all # Allow VPN connections to the VPN host: # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work -# pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if +pass in quick on $tun_if reply-to $tun_if inet from $vpn_net to $int_if # Rule for a lot of utun interfaces in case Tunnelblick creates extras -pass in quick on utun0 reply-to utun0 from $vpn_net to $int_if -pass in quick on utun1 reply-to utun1 from $vpn_net to $int_if -pass in quick on utun2 reply-to utun2 from $vpn_net to $int_if -pass in quick on utun3 reply-to utun3 from $vpn_net to $int_if -pass in quick on utun4 reply-to utun4 from $vpn_net to $int_if -pass in quick on utun5 reply-to utun5 from $vpn_net to $int_if -pass in quick on utun6 reply-to utun6 from $vpn_net to $int_if -pass in quick on utun7 reply-to utun7 from $vpn_net to $int_if -pass in quick on utun8 reply-to utun8 from $vpn_net to $int_if -pass in quick on utun9 reply-to utun9 from $vpn_net to $int_if +# pass in quick on utun0 reply-to utun0 inet from $vpn_net to $int_if +# pass in quick on utun1 reply-to utun1 inet from $vpn_net to $int_if +# pass in quick on utun2 reply-to utun2 inet from $vpn_net to $int_if +# pass in quick on utun3 reply-to utun3 inet from $vpn_net to $int_if +# pass in quick on utun4 reply-to utun4 inet from $vpn_net to $int_if +# pass in quick on utun5 reply-to utun5 inet from $vpn_net to $int_if +# pass in quick on utun6 reply-to utun6 inet from $vpn_net to $int_if +# pass in quick on utun7 reply-to utun7 inet from $vpn_net to $int_if +# pass in quick on utun8 reply-to utun8 inet from $vpn_net to $int_if +# pass in quick on utun9 reply-to utun9 inet from $vpn_net to $int_if # Local net table const { 10/8, 172.16/12, 192.168/16 } 
@@ -129,11 +130,9 @@ block drop in log quick from urpf-failed to any #block drop in log quick on $int_if from any to 255.255.255.255 # Whitelist -# Hardcoded IPs -#mydomainname_com = "xxx.xxx.xxx.xxx" -#table const { $mydomainname_com } -#pass in quick from -#pass out quick to +# table const { $domainname_tld } +# pass in quick from +# pass out quick to # Block brute force attacks table persist @@ -144,20 +143,15 @@ block drop log quick from pass on $int_if proto { udp, tcp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns pass on $int_if proto igmp to { 224.0.0.1, 224.0.0.22, 224.0.0.251 } -# quick pass of Tor relay ports to avoid blocks below -#tor_relay = "{ 9001, 9030 }" -#pass in quick proto tcp from any to $int_if port $tor_relay -#pass out quick proto tcp from $int_if port $tor_relay to any - # Open Source IP blocks -# Refresh with pfctl -a blockips -T load -f /usr/local/etc/blockips.conf -anchor 'blockips' label "Open Source IP Blocks" -load anchor 'blockips' from '/usr/local/etc/blockips.conf' +# Refresh with pfctl -a blockips -T load -f /opt/local/etc/macos-fortress/blockips.conf +# anchor 'blockips' label "Open Source IP Blocks" +# load anchor 'blockips' from '/opt/local/etc/macos-fortress/blockips.conf' # ICMP icmp_types = "echoreq" -pass inet proto icmp from $int_if:network to any icmp-type $icmp_types -pass inet proto icmp from any to $int_if icmp-type $icmp_types +pass out inet proto icmp from $int_if:network to any icmp-type $icmp_types +pass in inet proto icmp from any to $int_if icmp-type $icmp_types # allow out the default range for traceroute(8): # "base+nhops*nqueries-1" (33434+64*3-1) 
@@ -168,54 +162,36 @@ pass in quick inet proto udp from port bootps to port bootpc pass out quick inet proto udp from port bootpc to port bootps # LAN services: block access, except from localnet -lan_udp_services = "{ domain, 5001, postgresql }" -lan_tcp_services = "{ domain, auth, nntp, www, \ - 311, 3128, 5001, 5900:5909, privoxy, postgresql, \ - 8123, 8180, 8181, 9150, 9151 }" -block in proto tcp from any to $int_if port $lan_tcp_services +lan_udp_services = "{ domain, net-assistant, 5001 }" +lan_tcp_services = "{ domain, kerberos, microsoft-ds, eyetv, 3128, \ + net-assistant, 5001, 5900:5909, privoxy, 8119, 8123, 8180 }" block in proto udp from any to $int_if port $lan_udp_services +block in proto tcp from any to $int_if port $lan_tcp_services -pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services -pass in inet proto tcp from $int_if:network to $int_if port $lan_tcp_services -pass out proto udp from $int_if port $lan_udp_services to $int_if:network -pass out proto tcp from $int_if port $lan_tcp_services to $int_if:network - -# Add vpn_net if running OpenVPN -pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services -pass in inet proto tcp from $vpn_net to $int_if port $lan_tcp_services -pass out proto udp from $int_if port $lan_udp_services to $vpn_net -pass out proto tcp from $int_if port $lan_tcp_services to $vpn_net +pass in inet proto udp from { $vpn_net, $int_if:network } to $int_if port $lan_udp_services +pass in inet proto tcp from { $vpn_net, $int_if:network } to $int_if port $lan_tcp_services +pass out proto udp from $int_if port $lan_udp_services to { $vpn_net, $int_if:network } +pass out proto tcp from $int_if port $lan_tcp_services to { $vpn_net, $int_if:network } # Internet services -internet_udp_services = "{ https, 500, openvpn, \ - 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }" -internet_tcp_services = "{ 995, 1640, 1723, 2195, \ - 2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \ - 8008, 8443, 8800, 
8843, 9001, 9030 }" -pass in proto udp from any to $int_if port $internet_udp_services -pass in proto tcp from any to $int_if port $internet_tcp_services +# https://support.apple.com/en-us/HT202944 +internet_udp_services = "{ https, isakmp, l2f, ipsec-msft, 16384:16403 }" +pass in inet proto udp from any to $int_if port $internet_udp_services +pass in inet proto tcp from any to $int_if port $internet_tcp_services pass out inet proto udp from $int_if to any port $internet_udp_services pass out inet proto tcp from $int_if to any port $internet_tcp_services -#apns_services = "{ 2195, 2196 }" -#pass in proto tcp from any port $apns_services to -#pass out inet proto tcp to any port $apns_services from - # ssh really restrictive pass in inet proto tcp from any to $int_if port ssh \ - keep state (max-src-conn 5, max-src-conn-rate 5/2, \ + keep state (max-src-conn 10, max-src-conn-rate 10/2, \ overload flush global) pass out inet proto tcp from $int_if port ssh - -# web, mail more restrictive +# web, mail, calendarservice more restrictive +webmailcalcard_tcp_services = "{ smtp, www, imap, https, submission, imaps, \ + cert-responder, sieve, 8008, 8443, 8800, 8843 }" pass in inet proto tcp from any to $int_if \ - port { smtp, https, imap, submission, imaps } \ + port $webmailcalcard_tcp_services \ keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \ overload flush global) -pass out inet proto tcp from $int_if to any \ - port { smtp, imap4-ssl, imap, submission, imaps } - -# I2P -#i2p_port = "65530" -#pass in inet proto { udp, tcp } from any to $int_if port $i2p_port -#pass out inet proto { udp, tcp } from $int_if port $i2p_port to any +pass out inet proto tcp from $int_if to any \ + port $webmailcalcard_tcp_services diff --git a/readme-and-install.sh b/readme-and-install.sh old mode 100644 new mode 100755 index bb684b3..76fc4d0 --- a/readme-and-install.sh +++ b/readme-and-install.sh 
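Review bot: `$internet_tcp_services` is still referenced by `pass in inet proto tcp from any to $int_if port $internet_tcp_services` and the matching `pass out` rule, but its definition was removed with the old `internet_tcp_services = "{ 995, ... }"` block and not replaced, so `pfctl -f` should reject the ruleset with a macro-not-defined error and leave the previous rules loaded. Either add a definition next to `internet_udp_services`, or delete the two TCP rules if the web/mail list below is now meant to cover all inbound TCP. The ssh limits relaxed from `max-src-conn 5, max-src-conn-rate 5/2` to `max-src-conn 10, max-src-conn-rate 10/2` weaken brute-force throttling and should be mentioned in the commit message. The @@ -144,20 +143,15 @@ hunk comments out the `blockips` anchor; if macos-fortress loads that anchor elsewhere, a one-line comment saying so would keep this file self-explanatory.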
@@ -11,64 +11,77 @@ $CAT <<'HELPSTRING' | $MORE macOS OpenVPN Server and Client Configuration How to build an OpenVPN VPN server on macOS pfctl and Tunnelblick. -This setup will provide a TLS-based VPN server using 4096-bit +This setup will provide a TLS-based VPN server using EC ed25519 certificates and UDP port 443, accessible by any OpenVPN client, especially iOS with the OpenVPN app. -Why would you want to build your own VPN server when macOS Server -already comes with a VPN service? To have certificate-based VPN. One -VPN technology used by macOS Server is broken and should be avoided -altogether (Microsoft’s PPTP: ("PPTP traffic should be considered -unencrypted", -), -or requires a very long random PSK ("IPSEC-PSK is arguably worse than -PPTP ever was for a dictionary-based attack vector"). If you want -secure certificate-based VPN between macOS Server and iOS, OpenVPN is -the only option. - -Furthermore, macOS has its PF firewall turned off by default. -Integrating OpenVPN access within a working macOS firewall provides -greater security. See the git essandess/osxfortress for a firewall, -blackhole, and privatizing proxy. Use the server configuration -config.ovpn.osxfortress for these features. - The commands to install an OpenVPN server on macOS and iOS are: # Install everything here -export OPENVPN_INSTALL=~/Backups/OpenVPN -sudo mkdir -p $OPENVPN_INSTALL -sudo rsync -va /Applications/Tunnelblick.app/Contents/Resources/easy-rsa-tunnelblick $OPENVPN_INSTALL +export OPENVPN_INSTALL=~/Security/OpenVPN +mkdir -p ${OPENVPN_INSTALL}/pki_backupvars +mkdir -p ${OPENVPN_INSTALL}/Profiles/Tunnelblick +mkdir -p ${OPENVPN_INSTALL}/Profiles/OpenVPN-app + +# install easy-rsa v. 
3, openvpn2, and openssl-1.1 via MacPorts: +sudo port install openvpn2 easy-rsa openssl-1.1 # configure easy-rsa -sudo install -m 755 -B .orig ./vars $OPENVPN_INSTALL -diff -NaurdwB -I '^ *#.*' $OPENVPN_INSTALL/vars ./vars > /tmp/vars.patch -sudo patch -p5 $OPENVPN_INSTALL/vars < /tmp/vars.patch +install -m 0755 -B .orig ./vars ${OPENVPN_INSTALL}/pki_backupvars + +# edit ${OPENVPN_INSTALL}/pki_backupvars for local instance +# change: EASYRSA_REQ_COUNTRY, EASYRSA_CA_EXPIRE etc. +open -e ${OPENVPN_INSTALL}/pki_backupvars # or emacs, nano, vi, etc. + +cd ${OPENVPN_INSTALL} +easyrsa init-pki +diff -NaurdwB -I '^ *#.*' ${OPENVPN_INSTALL}/pki_backupvars/vars ./pki/vars > /tmp/vars.patch +patch -p5 ${OPENVPN_INSTALL}/pki/vars < /tmp/vars.patch rm /tmp/vars.patch # copy the Tunnelblick and client configuration -rsync -va ./openvpn-server-tun.tblk $OPENVPN_INSTALL -install -m 600 ./openvpn-client-tun.ovpn $OPENVPN_INSTALL +rsync -va ./openvpn-server-tun.tblk ${OPENVPN_INSTALL}/Profiles/Tunnelblick +install -m 0600 ./openvpn-client-tun.ovpn ${OPENVPN_INSTALL}/Profiles/OpenVPN-app # create the keys -cd $OPENVPN_INSTALL/easy-rsa-tunnelblick -sudo mkdir -m go-rwx ./keys -sudo touch ./keys/index.txt -sudo echo 1 > ./keys/serial -. ./vars -sudo -E ./clean-all -sudo -E ./build-ca --pass -sudo -E ./build-key-server server-domainname -# choose a unique Common Name (CN) for each client; see notes immediately below for new clients certificates -sudo -E ./build-key client-domainname -sudo -E ./build-dh -# Use the openvpn executable -sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn/default --genkey --secret ./keys/ta.key - -# Notes: -# Use the domain name "domainname.com" for the common name -# Contact email "admin@domainname.com" must match name in CA; -# otherwise, there will be some X509 error. 
-# + +# dh; tls-auth, tls-crypt +openvpn2 --genkey secret pki/ta.key + +# Client-specific TLS keys +# https://github.com/TinCanTech/easy-tls + +easyrsa build-ca + +# +openssl x509 -in pki/ca.crt | pbcopy +# +pbcopy < pki/ta.key + +easyrsa gen-req hostname.servername.com nopass +easyrsa sign-req server hostname.servername.com + +easyrsa gen-req my-iPhone +easyrsa sign-req client client-domainname + +# .ovpn12 currently do not work with ECDSA; see: +# https://forums.openvpn.net/viewtopic.php?p=77248&hilit=OpenSSL%3A+could+not+obtain+signature#p77248 +# https://community.openvpn.net/openvpn/ticket/1024 +if false; then + # https://developer.apple.com/forums/thread/697030 + EASYRSA_OPENSSL=openssl-1.1 easyrsa export-p12 client-domainname + # https://openvpn.net/faq/how-do-i-use-a-client-certificate-and-private-key-from-the-ios-keychain/ + mv pki/private/client-domainname.{p,ovpn}12 + +# Client certificate decrypted key +openssl pkey -in pki/private/client-domainname.key -out pki/private/client-domainname.key.decrypted + +# unified cert in .ovpn +# +openssl x509 -in pki/issued/client-domainname.crt -text | pbcopy +# +pbcopy < pki/private/client-domainname.key.decrypted + # Example: # # ... 
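Review bot: The easy-rsa steps use inconsistent names: `easyrsa gen-req my-iPhone` creates `pki/reqs/my-iPhone.req`, but `easyrsa sign-req client client-domainname` looks for `pki/reqs/client-domainname.req` and will fail, and the server request is made as `hostname.servername.com` while the .tblk install lines in the next hunk and config.ovpn expect `server-domainname` / `hostname.domainname.tld`. Use one placeholder throughout, e.g. `easyrsa gen-req client-domainname` followed by `easyrsa sign-req client client-domainname`, and the same for the server name. The `if false; then` block has no closing `fi` anywhere in this hunk, so the snippet is not copy-pasteable even though it only sits inside the HELPSTRING heredoc. The `patch -p5 ${OPENVPN_INSTALL}/pki/vars` step presumes `easyrsa init-pki` creates `pki/vars`; worth confirming against the easy-rsa 3 version MacPorts ships, otherwise `patch` has nothing to apply to.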
@@ -76,54 +89,49 @@ sudo /Applications/Tunnelblick.app/Contents/Resources/openvpn/default --genkey - # ... # Email Address [admin@domainname.com]: -# For the server-domainname cert, use the default common name -# "server-domainname". This must also match the client configuration -# setting: -# tls-remote domainname.com - -# Unnecessary if you already signed with ./build-key[-server] -# ./sign-req server-domainname -# ./sign-req client-domainname - -cd $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys -sudo openssl verify -CAfile ca.crt ca.crt -sudo openssl verify -CAfile ca.crt server-domainname.crt -sudo openssl verify -CAfile ca.crt client-domainname.crt +cd ${OPENVPN_INSTALL} +openssl verify -CAfile pki/ca.crt pki/ca.crt +sudo openssl verify -CAfile pki/ca.crt server-domainname.crt +sudo openssl verify -CAfile pki/ca.crt pki/client-domainname.crt # Create .p12 client certificates/keys for iOS clients -sudo openssl pkcs12 -export -in client-domainname.crt -inkey client-domainname.key -certfile ca.crt -name client-domainname -out client-domainname.p12 +# .ovpn12 currently do not work with ECDSA; see: +# https://forums.openvpn.net/viewtopic.php?p=77248&hilit=OpenSSL%3A+could+not+obtain+signature#p77248 +# https://developer.apple.com/forums/thread/697030 +# openssl-1.1 pkcs12 -export -in pki/issued/client-domainname.crt -inkey pki/private/client-domainname.key -certfile pki/ca.crt -name client-domainname -out pki/private/client-domainname.p12 # Copy the necessary files to the .tblk directory -# sudo cp -p ca.crt dh4096.pem server-domainname.crt server-domainname.key ta.key $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo install -m 644 $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys/ca.crt $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo install -m 600 $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys/dh4096.pem $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo install -m 644 $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys/server-domainname.crt $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo 
install -m 600 $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys/server-domainname.key $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo install -m 600 $OPENVPN_INSTALL/easy-rsa-tunnelblick/keys/ta.key $OPENVPN_INSTALL/openvpn-server-tun.tblk -sudo chmod -R $USER $OPENVPN_INSTALL/openvpn-server-tun.tblk - -sudo mkdir '/Library/Application Support/vpn' -sudo install -m 755 osx-openvpn-server/enable-vpn-forward-nat.sh '/Library/Application Support/vpn' -sudo install -m 644 net.openvpn.enable-vpn-forward-nat.plist /Library/LaunchDaemons -sudo launchctl load -w /Library/LaunchDaemons/net.openvpn.enable-vpn-forward-nat.plist +# cp -p ca.crt server-domainname.crt server-domainname.key ta.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk +install -m 0644 ${OPENVPN_INSTALL}/pki/ca.crt ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk +install -m 644 ${OPENVPN_INSTALL}/pki/issued/server-domainname.crt ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk +install -m 0600 ${OPENVPN_INSTALL}/pki/private/server-domainname.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk +install -m 0600 ${OPENVPN_INSTALL}/pki/ta.key ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk + +sudo install -m 0644 -B .orig sysctl.conf /etc +# reboot or set by hand prior to reboot: +sudo sysctl net.inet.ip.forwarding=1 net.inet6.ip6.forwarding=1 # Configure your router to forward port udp port 443 to the OpenVPN server # Configure the server's config.ovpn file to specifiy the server IP on the LAN -# Edit $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn to relect your NAT configuration -sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn +# Edit ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn to relect your NAT configuration +sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 
's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn # Use config.ovpn.osxfortress with "git clone https://github.com/essandess/osxfortress" for # secured, privacy-enhanced features on VPN clients -sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn.osxfortress -install -m 644 -B .orig $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn.osxfortress $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn +sed -i '' -e 's/10.0.1.3/'`ifconfig en0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'`'/g' ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn.osxfortress +# install -m 0644 -B .orig ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn.osxfortress ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk/config.ovpn # Load the .tblk file into Tunnelblick; connect/configure the server from Tunnelblick -# Remove the README and other files that will cause Tunnelblick to fail -rm $OPENVPN_INSTALL/openvpn-server-tun.tblk/README $OPENVPN_INSTALL/openvpn-server-tun.tblk/config.ovpn.osxfortress -open $OPENVPN_INSTALL/openvpn-server-tun.tblk +open ${OPENVPN_INSTALL}/Profiles/Tunnelblick/openvpn-server-tun.tblk -# Use a text editor to add the certificate ca.crt and ta.key to the client .ovpn file -open -e $OPENVPN_INSTALL/openvpn-client-tun.ovpn # or emacs, nano, vi, etc. +# Configure pf to use the VPN interface +# copy the pf.conf file locally, or use MacPorts macos-fortress +sudo install -m 0644 pf.conf "/Library/Application Support/Tunnelblick/" +sudo pfctl -ef "/Library/Application Support/Tunnelblick/pf.conf" + +# Use a text editor to add the certificates ca.crt, ta.key, and client PKI +# to the client .ovpn file +open -e ${OPENVPN_INSTALL}/openvpn-client-tun.ovpn # or emacs, nano, vi, etc. 
# Install the OpenVPN app on iOS @@ -131,13 +139,10 @@ open -e $OPENVPN_INSTALL/openvpn-client-tun.ovpn # or emacs, nano, vi, etc. # iTunes: Device>Apps>File Sharing>Add... # AirDrop # Email: -uuencode $OPENVPN_INSTALL/keys/client-domainname.p12 client-domainname.ovpn12 | mail -s "client-domainname.ovpn12" myself@myemail.com - -# OpenVPN v1.2.6 uses its own keychain, not the iOS keychain +uuencode ${OPENVPN_INSTALL}/keys/client-domainname.p12 client-domainname.ovpn12 | mail -s "client-domainname.ovpn12" myself@myemail.com # Transfer the client OpenVPN file openvpn-client-tun.ovpn -# to the OpenVPN app using iTunes, Device>Apps>File Sharing>Add... -open -a iTunes +# to the OpenVPN app using macOS Finder with AirDrop or iOS Syncing # Launch the OpenVPN app and toggle the "Connect" button diff --git a/sysctl.conf b/sysctl.conf new file mode 100644 index 0000000..192a1ee --- /dev/null +++ b/sysctl.conf @@ -0,0 +1,2 @@ +net.inet.ip.forwarding=1 +net.inet6.ip6.forwarding=1 diff --git a/vars b/vars index 2235fe4..24475a2 100644 --- a/vars +++ b/vars 
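Review bot: The three `openssl verify` lines after `cd ${OPENVPN_INSTALL}` do not verify what they appear to: the first checks `pki/ca.crt` against itself, which always succeeds for a self-signed root and proves nothing, and the server line points at `server-domainname.crt` in the current directory while the same hunk installs that certificate from `pki/issued/server-domainname.crt`, so the check would fail or be skipped rather than catch a mis-signed certificate. The `sudo` on the second and third lines also looks unnecessary and inconsistent with the unprivileged `openssl verify` immediately above and with the rest of the hunk, which copies out of `pki/` without elevation. Suggested replacement for the three lines: `openssl verify -CAfile pki/ca.crt pki/issued/server-domainname.crt` and `openssl verify -CAfile pki/ca.crt pki/issued/client-domainname.crt`, with the self-check dropped; the names must match whatever was passed to `easyrsa sign-req`, which is set earlier in this script outside the hunk.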
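Review bot: The retained `uuencode ${OPENVPN_INSTALL}/keys/client-domainname.p12 ... | mail -s ...` line sends the client's PKCS#12 bundle, which contains the client private key, as a plain e-mail attachment, and the new side keeps it as a documented transfer option even though the preceding hunk comments out the `.p12` export because it does not work with the EC keys this commit introduces. The path `${OPENVPN_INSTALL}/keys/` also no longer matches the easy-rsa 3 layout used elsewhere in this script (`pki/private/`), so the command would fail as written. I would drop the mail step and replace it with a comment such as `# Do not e-mail client key material; transfer the .ovpn via AirDrop or Finder file sharing`, which is consistent with the AirDrop guidance the hunk itself adds two lines below.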
@@ -1,73 +1,236 @@ -# easy-rsa parameter settings - -# NOTE: If you installed from an RPM, -# don't edit this file in place in -# /usr/share/openvpn/easy-rsa -- -# instead, you should copy the whole -# easy-rsa directory to another location -# (such as /etc/openvpn) so that your -# edits will not be wiped out by a future -# OpenVPN package upgrade. - -# This variable should point to -# the top level of the easy-rsa -# tree. -export EASY_RSA="`pwd`" +# Easy-RSA 3 parameter settings +# NOTE: If you installed Easy-RSA from your package manager, do not edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades do not wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file "vars" if you want it to be used as a configuration file. If you do +# not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without the +# need to copy and edit the "vars" file. +# +# All of the editable settings are shown commented and start with the command +# "set_var" -- this means any set_var command that is uncommented has been +# modified by the user. If you are happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-escaped +# backslashes (single forward slashes are recommended.) This means your path to +# the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DO NOT EDIT THIS SECTION +# +# Easy-RSA 3.x does not source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA *vars* file." 
>&2 + echo "This is no longer necessary and is disallowed. See the section called" >&2 + echo "*How to use this file* near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. + +#set_var EASYRSA "/opt/local/share/easy-rsa" + +# If your OpenSSL command is not in the system PATH, you will need to define the +# path to it here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. # -# This variable should point to -# the requested executables +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. + +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. By +# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the +# directory you are currently in). # -export OPENSSL="openssl" -export PKCS11TOOL="pkcs11-tool" -export GREP="grep" +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! (Interactive mode will prompt before acting.) + +#set_var EASYRSA_PKI "$PWD/pki" +# Define directory for temporary subdirectories. -# This variable should point to -# the openssl.cnf file included -# with easy-rsa. 
-export KEY_CONFIG=`"$EASY_RSA/whichopensslcnf" "$EASY_RSA"` +#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" -# Edit this variable to point to -# your soon-to-be-created key -# directory. +# Define X509 DN mode. +# This is used to adjust what elements are included in the Subject field as the DN +# (this is the "Distinguished Name.") +# Note that in cn_only mode the Organizational fields further below are not used. # -# WARNING: clean-all will do -# a rm -rf on this directory -# so make sure you define -# it correctly! -export KEY_DIR="$EASY_RSA/keys" - -# Issue rm -rf warning -echo "NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR" - -# PKCS11 fixes -export PKCS11_MODULE_PATH="dummy" -export PKCS11_PIN="dummy" - -# Increase this to 2048 if you -# are paranoid. This will slow -# down TLS negotiation performance -# as well as the one-time DH parms -# generation process. -export KEY_SIZE=4096 +# Choices are: +# cn_only - use just a CN value +# org - use the "traditional" Country/Province/City/Org/OU/email/CN format + +set_var EASYRSA_DN "org" + +# Organizational fields (used with "org" mode and ignored in "cn_only" mode.) +# These are the default values for fields which will be placed in the +# certificate. Do not leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email.) + +# NOTE: The following characters are not supported +# in these "Organizational fields" by Easy-RSA: +# back-tick (`) + +set_var EASYRSA_REQ_COUNTRY "US" +set_var EASYRSA_REQ_PROVINCE "State" +set_var EASYRSA_REQ_CITY "Town" +set_var EASYRSA_REQ_ORG "My Organization" +set_var EASYRSA_REQ_EMAIL "admin@domainname.tld" +set_var EASYRSA_REQ_OU "OpenVPN" + +# Choose a size in bits for your keypairs. The recommended value is 2048. Using +# 2048-bit keys is considered more than sufficient for many years into the +# future. 
Larger keysizes will slow down TLS negotiation and make key/DH param +# generation take much longer. Values up to 4096 should be accepted by most +# software. Only used when the crypto alg is rsa (see below.) + +#set_var EASYRSA_KEY_SIZE 2048 + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec +# * ed + +#set_var EASYRSA_ALGO rsa +set_var EASYRSA_ALGO ed + +# Define the named curve, used in ec & ed modes: + +#set_var EASYRSA_CURVE secp384r1 +set_var EASYRSA_CURVE ed25519 # In how many days should the root CA key expire? -export CA_EXPIRE=3650 +# 12 years plus leap days +set_var EASYRSA_CA_EXPIRE 4383 # In how many days should certificates expire? -export KEY_EXPIRE=3650 - -# These are the default values for fields -# which will be placed in the certificate. -# Don't leave any of these fields blank. -export KEY_COUNTRY="US" -export KEY_PROVINCE="MA" -export KEY_CITY="Cityname" -export KEY_ORG="Domainname" -export KEY_EMAIL="admin@domainname.com" -export KEY_CN=Mydomain -export KEY_NAME=Mydomain -export KEY_OU=Mydomain -export PKCS11_MODULE_PATH=Mydomain -export PKCS11_PIN=1234 +# 4 years plus leap days +set_var EASYRSA_CERT_EXPIRE 1461 + +# How many days until the next CRL publish date? Note that the CRL can still be +# parsed after this timeframe passes. It is only used for an expected next +# publication date. +#set_var EASYRSA_CRL_DAYS 180 + +# Random serial numbers by default, set to no for the old incremental serial numbers +# +#set_var EASYRSA_RAND_SN "yes" + +# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default +# is "no" to discourage use of deprecated extensions. If you require this +# feature to use with --ns-cert-type, set this to "yes" here. This support +# should be replaced with the more modern --remote-cert-tls feature. 
If you do +# not use --ns-cert-type in your configs, it is safe (and recommended) to leave +# this defined to "no". When set to "yes", server-signed certs get the +# nsCertType=server attribute, and also get any NS_COMMENT defined below in the +# nsComment field. + +#set_var EASYRSA_NS_SUPPORT "no" + +# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. +# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. + +#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" + +# A temp file used to stage cert extensions during signing. The default should +# be fine for most users; however, some users might want an alternative under a +# RAM-based FS, such as /dev/shm or /tmp on some systems. + +#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + +# !! +# NOTE: ADVANCED OPTIONS BELOW THIS POINT +# PLAY WITH THEM AT YOUR OWN RISK +# !! + +# Broken shell command aliases: If you have a largely broken shell that is +# missing any of these POSIX-required commands used by Easy-RSA, you will need +# to define an alias to the proper path for the command. The symptom will be +# some form of a "command not found" error from your shell. This means your +# shell is BROKEN, but you can hack around it here if you really need. These +# shown values are not defaults: it is up to you to know what you are doing if +# you touch these. +# +#alias awk="/alt/bin/awk" +#alias cat="/alt/bin/cat" + +# X509 extensions directory: +# If you want to customize the X509 extensions used, set the directory to look +# for extensions here. Each cert type you sign must have a matching filename, +# and an optional file named "COMMON" is included first when present. Note that +# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then +# fallback to $EASYRSA for the "x509-types" dir. You may override this +# detection with an explicit dir here. 
+# +#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" + +# If you want to generate KDC certificates, you need to set the realm here. +#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" + +# OpenSSL config file: +# If you need to use a specific openssl config file, you can reference it here. +# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the +# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA +# specific and you cannot just use a standard config file, so this is an +# advanced feature. + +#set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + +# Default CN: +# This is best left alone. Interactively you will set this manually, and BATCH +# callers are expected to set this themselves. + +#set_var EASYRSA_REQ_CN "ChangeMe" + +# Cryptographic digest to use. +# Do not change this default unless you understand the security implications. +# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 + +#set_var EASYRSA_DIGEST "sha256" + +# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly +# in batch mode without any user input, confirmation on dangerous operations, +# or most output. Setting this to any non-blank string enables batch mode. + +#set_var EASYRSA_BATCH "" + +# DISABLED - DO NOT USE +# Ref: https://github.com/OpenVPN/easy-rsa/issues/593 +# How many days before its expiration date a certificate is allowed to be +# renewed? +#set_var EASYRSA_CERT_RENEW 30 + +# DISABLED - DO NOT USE +# Ref: https://github.com/OpenVPN/easy-rsa/issues/593 +# For fixed certificate start/end dates - Range 1..365 +# If set here then command line option is always in effect. +# The day number 183 is either July 2nd or 3rd (leap-year) +# Replace with your chosen day-of-year value: +#set_var EASYRSA_FIX_OFFSET 183