easyrsa3 batch



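# easyrsa3 in batch mode: builds the whole PKI with no interactive prompts.
# Directories are created with -p so the steps can be re-run, and each cd is
# checked so the relative easyrsa calls cannot run in the wrong place.
mkdir -p "$HOME/clientside" "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# master.zip is an unpinned, moving branch. For a reproducible setup replace
# "master" with a tagged release (v<RELEASE_TAG_PLACEHOLDER>) and record its hash.
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
unzip master.zip
cd easy-rsa-master/easyrsa3 || exit 1
# Shared HMAC key for tls-auth; both client and server configs reference ta.key.
openvpn --genkey --secret ta.key
./easyrsa init-pki
# nopass leaves the CA key (pki/private/ca.key) unencrypted: whoever can read it
# can issue valid client certificates. Consider keeping the CA on a separate,
# offline machine once the server and client certificates have been issued.
./easyrsa --batch build-ca nopass
./easyrsa --batch build-server-full server nopass
./easyrsa --batch build-client-full client1 nopass
./easyrsa gen-dh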

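# Stage the certs and keys into the two directories that are later merged
# into server.conf and raspberrypi.ovpn. One variable for the PKI root
# replaces nine repeated absolute paths and makes the location a one-line change.
pki="$HOME/serverside/easy-rsa-master/easyrsa3"
cp -- "$pki/pki/ca.crt"              "$HOME/serverside/"
cp -- "$pki/pki/issued/server.crt"   "$HOME/serverside/"
# server.conf refers to the DH parameters as dh2048.pem, so rename on copy.
cp -- "$pki/pki/dh.pem"              "$HOME/serverside/dh2048.pem"
cp -- "$pki/pki/private/server.key"  "$HOME/serverside/"
cp -- "$pki/ta.key"                  "$HOME/serverside/"
cp -- "$pki/pki/issued/client1.crt"  "$HOME/clientside/"
cp -- "$pki/ta.key"                  "$HOME/clientside/"
cp -- "$pki/pki/ca.crt"              "$HOME/clientside/"
cp -- "$pki/pki/private/client1.key" "$HOME/clientside/"
# Private keys must stay readable only by their owner; make that explicit
# regardless of how the files were copied.
chmod 600 "$HOME/serverside/server.key" "$HOME/clientside/client1.key"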

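# Client config: open the file in the editor and paste the directives below.
# The path is quoted so a HOME containing spaces does not split the argument.
nano "$HOME/clientside/raspberrypi.ovpn"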

client
dev tun
proto udp
# Replace the placeholder with the server's public address or DNS name;
# 34557 must match the "port" line in server.conf and the router's forward.
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction is 1 on the client and 0 on the server.
tls-auth ta.key 1
# Refuses a peer whose certificate lacks the server role, so another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must match the server. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
verb 3

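# Merge the certs and keys into the client config so one file can be moved.
cd "$HOME/clientside/" || exit 1
# The helper is fetched from a personal Dropbox link and then run as root with
# access to your private keys: keep TLS validation on (no --no-check-cert)
# and read the script before executing it.
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
less merge.sh
# The file was downloaded as the login user, so no root needed for chmod.
chmod +x merge.sh
sudo ./merge.sh
# merge.sh ran as root; hand the resulting config back to the login user.
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"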

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

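# Server config: open the file in the editor and paste the directives below.
# Quoted so a HOME containing spaces does not split the argument.
nano "$HOME/serverside/server.conf"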

# Must match the "remote ... 34557" line in the client config and the
# port-forward on the router.
port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# Key direction is 0 on the server and 1 on the client.
tls-auth ta.key 0
dh dh2048.pem
# VPN subnet; the firewall script's 10.8.0.0/24 rules refer to this range.
server 10.8.0.0 255.255.255.0
# Must match the client. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
persist-key
persist-tun
# Drop root after startup; persist-key/persist-tun let the unprivileged
# process survive restarts without re-reading the key or reopening the tun.
user nobody
group nogroup
status openvpn-status.log
verb 3
# Sends all client traffic through the VPN; needs ip_forward=1 and the
# MASQUERADE rule from the firewall script.
push "redirect-gateway def1"
# OpenDNS resolvers pushed to clients; change if you run your own resolver.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

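# Merge the certs and keys into the server config so one file can be installed.
cd "$HOME/serverside/" || exit 1
# The helper is fetched from a personal Dropbox link and then run as root with
# access to the server's private key and CA material: keep TLS validation on
# (no --no-check-cert) and read the script before executing it.
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh
less merge_server.sh
# Downloaded as the login user, so no root needed for chmod.
chmod +x merge_server.sh
sudo ./merge_server.sh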

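# Install the merged server config where the init script is expected to find it.
# It now embeds server.key and ta.key, so only root should be able to read it
# (openvpn starts as root and reads it before dropping to nobody).
sudo cp -- "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf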


#
# Comments about nopass option, if you omit it.
#
# easyrsa --batch build-ca
# you need the CA passphrase to create and sign certs
#
# easyrsa --batch build-server-full server
# you need password to start server, not a good idea
# if you expected the server to start automatically.
# Don't do it.
#
# easyrsa --batch build-client-full client1
# you need password for client to connect, very annoying
#

[howto] Install latest openvpn and easyrsa3


# Tested on
# Raspbian Wheezy version date: 2014-09-09
#
# Summary of Files that we will use
###############################################
# Script to start openvpn [ /etc/init.d/openvpn ]
# https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh
#
# Script to merge Client keys and certs
# https://www.dropbox.com/s/v228zvccef9d10c/merge.sh
#
# Script to merge Server keys and certs
# https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh
#
# Latest openvpn source code
# http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
###############################################

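cd "$HOME" || exit 1
# Plain-HTTP download of source that is built and installed as root: verify the
# archive against the checksum/signature the OpenVPN project publishes for the
# release before building it.
wget http://build.openvpn.net/downloads/releases/latest/openvpn-latest-stable.tar.gz
# tar handles the gzip layer itself; -v keeps the file listing that shows the version.
tar xvzf openvpn-latest-stable.tar.gz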

# at this time, the latest is openvpn-2.3.10
# you will see what revision it is when you unzip it

# Toolchain and libraries needed to compile OpenVPN on Raspbian.
sudo apt-get update
sudo apt-get install -y --only-upgrade openssl
sudo apt-get install -y \
  gcc make automake autoconf dh-autoreconf file patch perl \
  dh-make debhelper devscripts gnupg lintian quilt libtool pkg-config \
  libssl-dev liblzo2-dev libpam0g-dev libpkcs11-helper1-dev

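# Build and install OpenVPN. Only steps that write outside $HOME need root:
# configure and make run as the normal user, install and init setup as root.
sudo mkdir -p /etc/openvpn/
# Derive the extracted directory from the archive instead of hard-coding a
# version, since the "latest" tarball changes over time.
srcdir=$(tar tzf "$HOME/openvpn-latest-stable.tar.gz" | head -n 1 | cut -d/ -f1)
[[ -n "$srcdir" && -d "$HOME/$srcdir" ]] || exit 1
cd "$HOME/$srcdir" || exit 1
./configure --prefix=/usr
make
sudo make install
# The init script comes from a personal Dropbox link and will run as root at
# every boot: keep TLS validation on (no --no-check-cert), download it as the
# user, read it, then install it root-owned and executable in one step.
wget https://www.dropbox.com/s/nz4dyons6tlsbr4/etcinitdopenvpn.sh -O "$HOME/etcinitdopenvpn.sh"
less "$HOME/etcinitdopenvpn.sh"
sudo install -m 755 -o root -g root "$HOME/etcinitdopenvpn.sh" /etc/init.d/openvpn
sudo update-rc.d openvpn defaults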

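# Client-side PKI: the client generates its own key and a signing request;
# only the .req is handed to the CA, the private key stays here.
mkdir -p "$HOME/clientside"
cd "$HOME/clientside" || exit 1
# git:// is unauthenticated (and GitHub no longer serves it); https verifies the host.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# nopass: unencrypted client key, fine for an unattended client; omit it otherwise.
./easyrsa gen-req client1 nopass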

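# Server-side PKI: CA, server certificate, DH parameters, tls-auth key, and
# signing of the client's request.
mkdir -p "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# git:// is unauthenticated (and GitHub no longer serves it); https verifies the host.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# Interactive: you are asked for a CA passphrase. It protects the ability to
# issue further certificates, so choose a strong one and keep it out of scripts.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openssl dhparam -out dh2048.pem 2048
openvpn --genkey --secret ta.key
# Import and sign the request made in $HOME/clientside; only the .req crosses over.
./easyrsa import-req "$HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req" client1
./easyrsa sign-req client client1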
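# Stage the certs and keys; they are merged into the config files afterwards.
# Two variables for the PKI roots replace the repeated absolute paths.
srv_pki="$HOME/serverside/easy-rsa/easyrsa3"
cli_pki="$HOME/clientside/easy-rsa/easyrsa3"
cp -- "$srv_pki/pki/ca.crt"              "$HOME/serverside/"
cp -- "$srv_pki/pki/issued/server.crt"   "$HOME/serverside/"
cp -- "$srv_pki/dh2048.pem"              "$HOME/serverside/"
cp -- "$srv_pki/pki/private/server.key"  "$HOME/serverside/"
cp -- "$srv_pki/ta.key"                  "$HOME/serverside/"
cp -- "$srv_pki/pki/issued/client1.crt"  "$HOME/clientside/"
cp -- "$srv_pki/ta.key"                  "$HOME/clientside/"
cp -- "$srv_pki/pki/ca.crt"              "$HOME/clientside/"
# The client key comes from the client-side PKI, not the server's.
cp -- "$cli_pki/pki/private/client1.key" "$HOME/clientside/"
# Private keys must stay readable only by their owner.
chmod 600 "$HOME/serverside/server.key" "$HOME/clientside/client1.key"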

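# Client config: open the file in the editor and paste the directives below.
# Quoted so a HOME containing spaces does not split the argument.
nano "$HOME/clientside/raspberrypi.ovpn"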

client
dev tun
proto udp
# Replace the placeholder with the server's public address or DNS name;
# 34557 must match the "port" line in server.conf and the router's forward.
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction is 1 on the client and 0 on the server.
tls-auth ta.key 1
# Refuses a peer whose certificate lacks the server role, so another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must match the server. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
verb 3

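# Merge the certs and keys into the client config so one file can be moved.
cd "$HOME/clientside/" || exit 1
# The helper is fetched from a personal Dropbox link and then run as root with
# access to your private keys: keep TLS validation on (no --no-check-cert)
# and read the script before executing it.
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
less merge.sh
# The file was downloaded as the login user, so no root needed for chmod.
chmod +x merge.sh
sudo ./merge.sh
# merge.sh ran as root; hand the resulting config back to the login user.
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"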

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

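# Server config: open the file in the editor and paste the directives below.
# Quoted so a HOME containing spaces does not split the argument.
nano "$HOME/serverside/server.conf"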

# Must match the "remote ... 34557" line in the client config and the
# port-forward on the router.
port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# Key direction is 0 on the server and 1 on the client.
tls-auth ta.key 0
dh dh2048.pem
# VPN subnet; the firewall script's 10.8.0.0/24 rules refer to this range.
server 10.8.0.0 255.255.255.0
# Must match the client. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
persist-key
persist-tun
# Drop root after startup; persist-key/persist-tun let the unprivileged
# process survive restarts without re-reading the key or reopening the tun.
user nobody
group nogroup
status openvpn-status.log
verb 3
# Sends all client traffic through the VPN; needs ip_forward=1 and the
# MASQUERADE rule from the firewall script.
push "redirect-gateway def1"
# OpenDNS resolvers pushed to clients; change if you run your own resolver.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

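# Merge the certs and keys into the server config so one file can be installed.
cd "$HOME/serverside/" || exit 1
# The helper is fetched from a personal Dropbox link and then run as root with
# access to the server's private key and CA material: keep TLS validation on
# (no --no-check-cert) and read the script before executing it.
wget https://www.dropbox.com/s/9wc3we8ezfucj1j/merge_server.sh -O merge_server.sh
less merge_server.sh
# Downloaded as the login user, so no root needed for chmod.
chmod +x merge_server.sh
sudo ./merge_server.sh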

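# Install the merged server config where the init script is expected to find it.
# It now embeds server.key and ta.key, so only root should be able to read it
# (openvpn starts as root and reads it before dropping to nobody).
sudo cp -- "$HOME/serverside/server.conf" /etc/openvpn/
sudo chmod 600 /etc/openvpn/server.conf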

# Enable IPv4 forwarding so the Pi can route client traffic (required by
# push "redirect-gateway"): uncomment net.ipv4.ip_forward=1 in sysctl.conf.
# The file is only read at boot; "sudo sysctl -w net.ipv4.ip_forward=1"
# (see the comments further down) applies it immediately.
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

#
# The firewall settings can really screw everything up
# There are a number of ways; it depends on how you're using the Pi.
# I am using it as a headless remote server, this means no desktop
# environment, and no other firewall conflicting data loaded.
# Here is alternative Firewall data using a static IP address
# check with ifconfig. Also this should be the firewall.sh file
#
# iptables -t nat -A POSTROUTING -s VPNIP -o interface -j SNAT --to-source LOCALIP
#
# e.g.
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.2
#
# And Start everything
# sudo sysctl -w net.ipv4.ip_forward=1
#
#
#

# Make the firewall script. It is run as root at every boot from rc.local,
# so keep it root-owned and not writable by other users.
sudo nano /usr/local/bin/firewall.sh

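#!/bin/bash
# Forwarding and NAT rules for the OpenVPN subnet. Runs as root from rc.local.
# Stop at the first iptables error rather than leaving a half-applied rule set.
set -eu

# Parameterised so a different "server" subnet in server.conf is a one-line change.
vpn_net=${VPN_NET:-10.8.0.0/24}

# Flushing removes every existing filter/nat rule, including any added by
# other tools. Chain policies are not changed; the final REJECT rule below is
# what blocks all other forwarded traffic.
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# VPN clients may reach anything routable from the Pi, including the LAN.
# Add -d restrictions here if clients should only get Internet access.
iptables -A FORWARD -s "$vpn_net" -j ACCEPT
iptables -A FORWARD -j REJECT
# No -o given, so NAT applies on every outgoing interface; add "-o eth0"
# (the WAN interface from ifconfig) to limit it to one.
iptables -t nat -A POSTROUTING -s "$vpn_net" -j MASQUERADE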

# Make the firewall script executable, apply it once now, and print the
# active rule set to confirm the FORWARD/NAT entries are present.
sudo chmod +x -- /usr/local/bin/firewall.sh
sudo -- /usr/local/bin/firewall.sh
sudo iptables -L

# Add the line shown below to /etc/rc.local before "exit 0" so the rules are
# restored at every boot (iptables rules are not persistent on their own).
# rc.local runs as root, so no sudo is needed inside it.
sudo nano /etc/rc.local

# rc.local entry: re-apply the firewall rules at boot.
/usr/local/bin/firewall.sh

# Reboot to confirm the init script, the sysctl setting and the firewall
# rules all come up on their own.
sudo reboot

# Connect VPN client from remote location
# does not work when client and server are connected
# to the same router and you try the external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP

Shadowsocks server

# For someone in China Shadowsocks gives a better VPN speed connection than
# either openvpn or ssh.
# Shadowsocks is a little-known SOCKS5 proxy program, but it is used quite a bit in China.
# It's a SOCKS5 proxy that sets up multiple connection channels.

# The Chinese throttle the speed of encrypted connections, so openvpn,
# ssh, stunnel can be setup, but as they use one connection
# they are very very slow to the point of being useless, which is the Chinese idea.
# Instead of having one throttled connection, Shadowsocks has many connections;
# while each is still throttled, their bandwidth added together is higher.

# Clients for windows, android etc etc see
# http://shadowsocks.org/en/download/clients.html

# Lets get started setting up a Shadowsocks server on a Raspberry PI

# Debian's python-* packages here are Python 2. pip then installs whatever the
# PyPI "shadowsocks" package currently is, as root: pin a version and check the
# project's release notes before trusting it with your traffic.
sudo apt-get install python-pip python-gevent python-m2crypto
sudo pip install shadowsocks

# Server config. Replace make_a_password with a strong, unique secret; the
# shared password is what keeps strangers off the proxy, so also restrict
# the file (chmod 600). "aes-256-cfb" is a stream (non-AEAD) method; newer
# Shadowsocks releases recommend an AEAD method such as chacha20-ietf-poly1305
# where available. "server":"0.0.0.0" listens on every interface, LAN included.
sudo nano /etc/shadowsocks.json

{
"server":"0.0.0.0",
"server_port":8388,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"make_a_password",
"timeout":300,
"method":"aes-256-cfb",
"fast_open": false,
"workers": 1
}

# Start the Shadowsocks server automatically after a reboot by adding the
# line shown below to /etc/rc.local before "exit 0". rc.local already runs
# as root, and the command must be backgrounded with "&" or rc.local blocks
# on it and never reaches "exit 0".
sudo nano /etc/rc.local

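# rc.local already runs as root, so sudo is redundant. The trailing "&" is
# essential: ssserver stays in the foreground, and without it rc.local blocks
# here and never reaches "exit 0". 2>&1 captures startup errors in the log too.
# Running the proxy as root is more privilege than it needs; consider a
# dedicated unprivileged user (e.g. su -s /bin/sh -c '...' <USER_PLACEHOLDER>).
nohup ssserver -c /etc/shadowsocks.json >> /home/pi/nohup.out 2>&1 &
exit 0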

# Start the Shadowsocks server manually, in the background; nohup writes its
# output to nohup.out in the current directory.
sudo nohup ssserver -c /etc/shadowsocks.json &

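############################################
# TIPs
# check shadowsocks 'ssserver' is installed
# (command -v is the portable builtin; "which" is an external tool)
command -v ssserver
# should say
# /usr/local/bin/ssserver
##############################################
# check logfile nohup.out
cat /home/pi/nohup.out
# should only say
# ....INFO starting server at 0.0.0.0:8388
##############################################
# check listening port 8388 (-- stops grep from reading the number as an option)
netstat -a | grep -- 8388
# should say
# pi@raspberrypi ~ $ netstat -a | grep 8388
# tcp 0 0 *:8388 *:* LISTEN
# udp 0 0 *:8388 *:*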

[howto] Openvpn server, using easy-rsa3 to create keys and certs

# Using SD card with "2014-01-07-wheezy-raspbian armhf"
# Remember you gotta do port forwarding, not covered in this post
# TIP: When using Windows Client, must run Openvpn Client as administrator
# otherwise it connects but TUN/TAP will not start due to permissions
# and you will not have web browsing etc. This is a common mistake.

# Install OpenVPN from the Raspbian repository: signed packages, and security
# updates arrive with the normal apt upgrade.
sudo apt-get install openvpn -y

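# Client-side PKI: the client generates its own key and a signing request;
# only the .req is handed to the CA, the private key stays here.
# (The CA passphrase is asked for in the server-side steps that follow.)
mkdir -p "$HOME/clientside"
cd "$HOME/clientside" || exit 1
# git:// is unauthenticated (and GitHub no longer serves it); https verifies the host.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# nopass: unencrypted client key, fine for an unattended client; omit it otherwise.
./easyrsa gen-req client1 nopass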

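# Server-side PKI: CA, server certificate, DH parameters, tls-auth key, and
# signing of the client's request.
mkdir -p "$HOME/serverside"
cd "$HOME/serverside" || exit 1
# git:// is unauthenticated (and GitHub no longer serves it); https verifies the host.
git clone https://github.com/OpenVPN/easy-rsa
cd easy-rsa/easyrsa3 || exit 1
./easyrsa init-pki
# Interactive: you are asked for a CA passphrase. It protects the ability to
# issue further certificates, so choose a strong one and keep it out of scripts.
./easyrsa build-ca
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openssl dhparam -out dh2048.pem 2048
/usr/sbin/openvpn --genkey --secret ta.key
# Import and sign the request made in $HOME/clientside; only the .req crosses over.
./easyrsa import-req "$HOME/clientside/easy-rsa/easyrsa3/pki/reqs/client1.req" client1
./easyrsa sign-req client client1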
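# Server material goes straight into /etc/openvpn (server.conf refers to these
# by relative name); client material goes to the client staging directory.
srv_pki="$HOME/serverside/easy-rsa/easyrsa3"
cli_pki="$HOME/clientside/easy-rsa/easyrsa3"
sudo cp -- "$srv_pki/pki/ca.crt"             /etc/openvpn/
sudo cp -- "$srv_pki/pki/issued/server.crt"  /etc/openvpn/
sudo cp -- "$srv_pki/dh2048.pem"             /etc/openvpn/
sudo cp -- "$srv_pki/pki/private/server.key" /etc/openvpn/
sudo cp -- "$srv_pki/ta.key"                 /etc/openvpn/
# openvpn reads these as root before dropping privileges; nobody else needs them.
sudo chmod 600 /etc/openvpn/server.key /etc/openvpn/ta.key
cp -- "$srv_pki/pki/issued/client1.crt"      "$HOME/clientside/"
cp -- "$srv_pki/ta.key"                      "$HOME/clientside/"
cp -- "$srv_pki/pki/ca.crt"                  "$HOME/clientside/"
# The client key comes from the client-side PKI, not the server's.
cp -- "$cli_pki/pki/private/client1.key"     "$HOME/clientside/"
chmod 600 "$HOME/clientside/client1.key"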
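# Client config: open the file in the editor and paste the directives below.
# Quoted so a HOME containing spaces does not split the argument.
nano "$HOME/clientside/raspberrypi.ovpn"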

client
dev tun
proto udp
# Replace the placeholder with the server's public address or DNS name;
# 34557 must match the "port" line in server.conf and the router's forward.
remote change_this_to_server_address 34557
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Key direction is 1 on the client and 0 on the server.
tls-auth ta.key 1
# Refuses a peer whose certificate lacks the server role, so another
# client's certificate cannot be used to impersonate the server.
remote-cert-tls server
# Must match the server. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
verb 3

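# Merge the certs and keys into the client config so one file can be moved.
cd "$HOME/clientside/" || exit 1
# The helper is fetched from a personal Dropbox link and then run as root with
# access to your private keys: keep TLS validation on (no --no-check-cert)
# and read the script before executing it.
wget https://www.dropbox.com/s/v228zvccef9d10c/merge.sh -O merge.sh
less merge.sh
# The file was downloaded as the login user, so no root needed for chmod.
chmod +x merge.sh
sudo ./merge.sh
# merge.sh ran as root; hand the resulting config back to the login user.
sudo chown "$USER" "$HOME/clientside/raspberrypi.ovpn"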

# Now transfer client script raspberrypi.ovpn
# in $HOME/clientside/ to your client PC
# Due to permissions, I had to transfer it to C:\
# Then in windows, copy the file
# to C:\Program Files (x86)\OpenVPN\config

# Back on the Raspberry Pi: create the server config as /etc/openvpn/server.conf
# with the directives below. The ca/cert/key/dh names are relative to
# /etc/openvpn, which is where the files were copied above.
sudo nano /etc/openvpn/server.conf

# Must match the "remote ... 34557" line in the client config and the
# port-forward on the router.
port 34557
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# Key direction is 0 on the server and 1 on the client.
tls-auth ta.key 0
dh dh2048.pem
# VPN subnet; the firewall script's 10.8.0.0/24 rules refer to this range.
server 10.8.0.0 255.255.255.0
# Must match the client. With OpenVPN 2.4 or later an AEAD cipher
# (AES-256-GCM) is preferable to CBC.
cipher AES-256-CBC
# Compressing traffic that mixes secrets with content an outsider can
# influence can leak those secrets (the VORACLE class of issues);
# remove comp-lzo on both sides unless it is really needed.
comp-lzo
persist-key
persist-tun
# Drop root after startup; persist-key/persist-tun let the unprivileged
# process survive restarts without re-reading the key or reopening the tun.
user nobody
group nogroup
status openvpn-status.log
verb 3
# Sends all client traffic through the VPN; needs ip_forward=1 and the
# MASQUERADE rule from the firewall script.
push "redirect-gateway def1"
# OpenDNS resolvers pushed to clients; change if you run your own resolver.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30

# Enable IPv4 forwarding so the Pi can route client traffic (required by
# push "redirect-gateway"): uncomment net.ipv4.ip_forward=1 in sysctl.conf.
# The file is only read at boot; "sudo sysctl -w net.ipv4.ip_forward=1"
# applies the same setting immediately.
sudo nano /etc/sysctl.conf

net.ipv4.ip_forward=1

# Make the firewall script. It is run as root at every boot from rc.local,
# so keep it root-owned and not writable by other users.
sudo nano /usr/local/bin/firewall.sh

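#!/bin/bash
# Forwarding and NAT rules for the OpenVPN subnet. Runs as root from rc.local.
# Stop at the first iptables error rather than leaving a half-applied rule set.
set -eu

# Parameterised so a different "server" subnet in server.conf is a one-line change.
vpn_net=${VPN_NET:-10.8.0.0/24}

# Flushing removes every existing filter/nat rule, including any added by
# other tools. Chain policies are not changed; the final REJECT rule below is
# what blocks all other forwarded traffic.
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# VPN clients may reach anything routable from the Pi, including the LAN.
# Add -d restrictions here if clients should only get Internet access.
iptables -A FORWARD -s "$vpn_net" -j ACCEPT
iptables -A FORWARD -j REJECT
# No -o given, so NAT applies on every outgoing interface; add "-o eth0"
# (the WAN interface from ifconfig) to limit it to one.
iptables -t nat -A POSTROUTING -s "$vpn_net" -j MASQUERADE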

# Make the firewall script executable, apply it once now, and print the
# active rule set to confirm the FORWARD/NAT entries are present.
sudo chmod +x -- /usr/local/bin/firewall.sh
sudo -- /usr/local/bin/firewall.sh
sudo iptables -L

# Add the line shown below to /etc/rc.local before "exit 0" so the rules are
# restored at every boot (iptables rules are not persistent on their own).
# rc.local runs as root, so no sudo is needed inside it.
sudo nano /etc/rc.local

# rc.local entry: re-apply the firewall rules at boot.
/usr/local/bin/firewall.sh

# Reboot to confirm the sysctl setting and the firewall rules come up on
# their own and the packaged openvpn service starts with the new config.
sudo reboot

# Connect VPN client from remote location
# does not work when client and server are connected
# to same router and you try external IP address.
# If you want to do a local test at home
# connect to local IP address of server e.g. 192.168.1.4
# when you go to your remote location, connect to no-ip address or external static IP

Tips when using Raspberry Pi and SSH

Basic
a) only login with keys, remove username/password login
b) change ssh port from 22 to something high, say 45678

Extra
a) disable root login
b) create another user with no command shell access if you use SSH as a proxy,
and use myentunnel, which can reconnect automatically.
#################################################################
How to Generate and setup key login for SSH, there are loads of guides from google.
e.g. http://kb.site5.com/shell-access-ssh/how-to-generate-ssh-keys-and-connect-to-your-account-with-putty/

# Confirm key-based login works from a second session before turning off
# passwords, or you can lock yourself out. Keep the first session open until
# "sudo sshd -t" reports no config errors and a fresh key login succeeds.
# Below: comment out the default Port 22, add a new port, disable root login
# and turn off user/password login.
sudo nano /etc/ssh/sshd_config

# Port 22
# A non-default port cuts scanner noise in auth.log but is not an access
# control; the key-only settings below are what protect the account.
Port 45678

PermitRootLogin no
# If ChallengeResponseAuthentication is set to yes, keyboard-interactive (PAM)
# logins can still accept a password; set it to no as well.
PasswordAuthentication no

# download and try myentunnel at
# https://billing.julyrush.com/downloads/myentunnel.zip
# http://nemesis2.qx.net/pages/MyEnTunnel
# http://nemesis2.qx.net/rdownload.php?filename=setup_myentunnel.exe

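# Create a tunnel-only account for myentunnel / the SOCKS proxy. It gets no
# shell (-s /bin/false, the same shell the vipw note below ends up with) and,
# unlike the original steps, no sudo membership: a sudoers entry such as
# "myen34 ALL=(ALL) NOPASSWD:ALL" would hand passwordless root to whoever
# holds the tunnel key, the opposite of what a no-shell proxy account is for.
sudo useradd -m -s /bin/false myen34
# A password is still needed to unlock the account for key login; with
# PasswordAuthentication no in sshd_config it cannot be used over SSH.
sudo passwd myen34
# Key login only: install the key with the owner and modes sshd (StrictModes)
# expects, otherwise it may silently refuse to use it.
sudo mkdir -m 700 /home/myen34/.ssh
sudo cp /home/pi/.ssh/authorized_keys /home/myen34/.ssh/authorized_keys
sudo chmod 600 /home/myen34/.ssh/authorized_keys
sudo chown -R myen34:myen34 /home/myen34/.ssh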

# To remove shell access you're supposed to use sudo vipw
# and change the last line
# from
…/home/myen34:/bin/bash
# to
…/home/myen34:/bin/false

# If you get frustrated with vipw, there is nano
# sudo nano /etc/passwd

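# Failed logins for user names that do not exist (typical of brute-force
# scanning). zgrep reads the files directly (no cat) and also handles the
# gzipped rotations matched by auth.log*; -h drops the file-name prefixes.
sudo zgrep -h 'Invalid user' /var/log/auth.log* | grep sshd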

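# Wrong-password attempts. cat on auth.log* feeds the gzipped rotations through
# as binary, and zcat fails on the plain current log, so a single zgrep (which
# handles both) replaces the two original commands. sudo as for the check above.
sudo zgrep -h 'Failed password' /var/log/auth.log* | grep sshd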

# If you want to keep user/password login, install fail2ban, which temporarily
# bans addresses with repeated wrong-password attempts. Its ssh jail works from
# auth.log, so the non-default Port above needs no extra jail configuration
# for the bans themselves.

sudo apt-get install fail2ban -y
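# Banned addresses with a count per address, least frequent first.
# The original used "=" (assignment) where a comparison was meant; it only
# worked because the assigned match result doubled as the pattern condition.
# Comparing the field before the address to "Ban" says what is intended.
awk '$(NF-1) == "Ban" {print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n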

# Same count over all rotated logs (zgrep reads the .gz files too), without
# sorting by frequency.
zgrep -h 'Ban ' /var/log/fail2ban.log* | awk '{ print $NF }' | sort | uniq -c

Set up PHproxy server on Raspberry PI

PHproxy
# PHproxy on raspberry pi
# tested on Soft-float Debian “wheezy” and standard Hard-float Raspbian “wheezy”
# NOTE youtube videos don’t play via this PHproxy
#
# Based upon these blogs
# http://lifehacker.com/5447726/install-phproxy-in-your-web-space-to-access-blocked-sites
# http://www.debian-administration.org/articles/391


# Apache + PHP 5 stack for PHProxy (package names are from the wheezy era).
sudo apt-get update
sudo apt-get -y install apache2
sudo apt-get -y install php5
sudo apt-get -y install php5-mysql php5-curl
sudo a2enmod php5
sudo /etc/init.d/apache2 start

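# PHProxy (project "poxy" on SourceForge, see http://sourceforge.net/projects/poxy/).
# 0.5b2 is an old release; check for a maintained fork before exposing it, and put
# it behind authentication (see the htaccess link at the end) so it is not an open
# proxy that fetches URLs for anyone who can reach the Pi.
cd /var/www || exit 1
sudo mv /var/www/index.html /var/www/index_old.html
# https keeps the download from being altered in transit; the archive becomes
# PHP executed by a public-facing web server.
sudo wget 'https://downloads.sourceforge.net/project/poxy/PHProxy/0.5%20beta%202/poxy-0.5b2.zip'
sudo unzip poxy-0.5b2.zip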

# open web page
# if you're connected to the same router as the Raspberry Pi
# put in local IP address of PI e.g. 192.168.0.2
#
# As you know, to get to your PHproxy from the outside world
# you gotta do port forwarding and get a domain name or use
# IP address etc etc

# You can password protect the website if you want
http://www.debiantutorials.com/password-protecting-a-directory-with-apache-and-htaccess/