General process

OpenVPN is disabled by default.

...

  1. check and accept preconditions

  2. request activation of OpenVPN and optionally MFA

  3. activate MFA if it is enabled

  4. obtain the VPN client config, install and configure OpenVPN client

  5. establish VPN connection

1. Preconditions

  • MFA preconditions, if MFA is enabled for the target environment

2. Request activation of OpenVPN

Request activation of OpenVPN for a dedicated environment via change request at https://support.root360.cloud.

3. Activate MFA (if enabled)

Follow the steps for MFA activation.

4. Install and configure OpenVPN client

4.1 Windows

  1. Download the OpenVPN Windows installer

  2. Install the client software (make sure to tick "EasyRSA 2 Certificate Management Scripts")

  3. Create a Certificate Signing Request (see additional info below) and send the resulting CSR file to root360 via https://share.root360.cloud/

  4. Get the OpenVPN client config file including the signed certificate from root360

  5. Copy the content of your private key into the config file (into the key section)

    Code Block
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>


  6. Copy the secret VPN config file into directory C:\Users\<your-user>\OpenVPN\config

4.2 Linux

  1. Install the OpenVPN client and easy-rsa using your package manager

  2. Create a Certificate Signing Request (see additional info below) and send the resulting CSR file to root360 via https://share.root360.cloud/

  3. Get the OpenVPN client config file including the signed certificate from root360

  4. Copy the content of your private key into the config file (into the key section)

    Code Block
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>


  5. Copy the secret VPN config file into a directory of your choice
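Steps 4 and 5 can be scripted so that the file holding the private key is never world-readable. The following is an added example, not root360 tooling; the function names and file paths are hypothetical, and it assumes the `<key>` and `</key>` tags start at the beginning of a line.

```shell
#!/bin/sh
# Added example (not root360 tooling); function names are hypothetical.

# key_is_encrypted KEYFILE: exit 0 if the PEM key is passphrase-protected.
# Covers PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and the legacy
# "Proc-Type: 4,ENCRYPTED" header written by older OpenSSL versions.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# embed_key CONFIG KEYFILE OUT
# Writes OUT as a copy of CONFIG with the body of its <key> section replaced
# by KEYFILE. OUT gets mode 600 because it contains the private key.
embed_key() {
    cfg=$1 key=$2 out=$3
    [ "$cfg" != "$out" ] || { echo "refusing to overwrite $cfg" >&2; return 1; }
    grep -q '^<key>' "$cfg" ||
        { echo "no <key> section in $cfg" >&2; return 2; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key is not a PEM private key" >&2; return 3; }
    key_is_encrypted "$key" || echo "warning: $key has no passphrase" >&2
    (
        umask 077   # a newly created OUT is readable by the owner only
        awk -v keyfile="$key" '
            /^<key>/   { print; while ((getline l < keyfile) > 0) print l
                         close(keyfile); skip = 1; next }
            /^<\/key>/ { skip = 0 }
            !skip      { print }
        ' "$cfg" > "$out"
    ) || return 1
    chmod 600 "$out"   # also tightens a pre-existing OUT
}

# Usage: sh embed_key.sh client.ovpn j_doe_20200103.key secret_vpn_config
if [ $# -eq 3 ]; then embed_key "$@"; fi
```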

5. Establish connection

5.1 Windows

  1. Start the program OpenVPN GUI

  2. Double-click the OpenVPN GUI systray icon (lower right desktop corner) to start the connection

  3. Enter your username and the MFA token

5.2 Linux - Manual Start

  1. Run OpenVPN client

    Code Block
    openvpn --config /path/to/secret_vpn_config


  2. Enter your username and the MFA token

6. Additional info

6.1 Create CSR

  1. see the example code below for your operating system:

    • make sure to replace <username> with your name in the format <first-letter-of-first-name>_<surname> (e.g. j_doe) and append the current date in the format YYYYMMDD (e.g. 20200103): j_doe_20200103

    • make sure to set valid values for at least Organization Name (your company), Name and Email Address (your email address registered in the root360 support portal), as this information will be checked

    • we recommend protecting your certificate's private key with a strong password:

      • at least one lower-case character

      • at least one upper-case character

      • at least one digit

      • at least 8 characters

      • optionally with symbols

  2. copy the content of keys\<your-name>.csr into https://share.root360.cloud/

  3. send the share link into the ticket requesting OpenVPN activation

6.1.1 Sample commands for Windows

Code Block
C:\Users\john.doe> xcopy "C:\Program Files\OpenVPN\easy-rsa" "%USERPROFILE%\Documents\easy-rsa" /I /E
C:\Users\john.doe> cd "%USERPROFILE%\Documents\easy-rsa"
C:\Users\john.doe\Documents\easy-rsa> init-config.bat
C:\Users\john.doe\Documents\easy-rsa> vars.bat
C:\Users\john.doe\Documents\easy-rsa> mkdir keys
C:\Users\john.doe\Documents\easy-rsa> openssl req -days 3650 -new -keyout keys\<username>.key -out keys\<username>.csr -config openssl-1.0.0.cnf
Generating a RSA private key
............+++++
..........+++++
writing new private key to '<username>.key'
Enter PEM pass phrase:**********
Verifying - Enter PEM pass phrase:**********
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Saxony
Locality Name (eg, city) []:Leipzig
Organization Name (eg, company) [Internet Widgits Pty Ltd]:root360
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<username>_YYYYMMDD
Email Address []:j.doe@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


6.1.2 Sample commands for Linux

Code Block
$ openssl req -new -keyout <username>.key -out <username>.csr -config /etc/ssl/openssl.cnf

Generating a RSA private key
............+++++
..........+++++
writing new private key to '<username>.key'
Enter PEM pass phrase:**********
Verifying - Enter PEM pass phrase:**********
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Saxony
Locality Name (eg, city) []:Leipzig
Organization Name (eg, company) [Internet Widgits Pty Ltd]:root360
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<username>_YYYYMMDD
Email Address []:j.doe@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
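Since the subject fields from section 6.1 are checked on receipt, the CSR can be validated locally before it is uploaded. This is an added example, not root360 tooling: the function names are hypothetical, the Common Name pattern is an assumption derived from the example j_doe_20200103, and `check_csr` needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not root360 tooling); function names are hypothetical.

# field NAME: print the value of one field from the output of
# "openssl req -subject -nameopt multiline", read on stdin.
field() {
    sed -n "s/^ *$1 *= //p" | head -n 1
}

# check_subject TEXT: apply the rules from section 6.1 to a multiline subject.
# Prints one line per problem and returns the number of problems found.
check_subject() {
    bad=0
    cn=$(printf '%s\n' "$1" | field commonName)
    org=$(printf '%s\n' "$1" | field organizationName)
    mail=$(printf '%s\n' "$1" | field emailAddress)
    # Assumed pattern: <initial>_<surname>_YYYYMMDD, as in j_doe_20200103.
    printf '%s\n' "$cn" | grep -Eq '^[a-z]_[a-z-]+_[0-9]{8}$' ||
        { echo "Common Name '$cn' is not <username>_YYYYMMDD"; bad=$((bad + 1)); }
    [ -n "$org" ] || { echo "Organization Name is empty"; bad=$((bad + 1)); }
    case $mail in
        ?*@?*) ;;
        *) echo "Email Address is missing or malformed"; bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# check_csr FILE: verify the CSR's self-signature, then check its subject.
# The verify result is read from the message text because older OpenSSL
# releases can exit 0 even when verification fails.
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "$1: not a valid CSR or bad self-signature"; return 1; }
    check_subject "$(openssl req -in "$1" -noout -subject -nameopt multiline)"
}

# Usage: sh check_csr.sh j_doe_20200103.csr
if [ $# -eq 1 ]; then check_csr "$1"; fi
```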

...