- Created by Steffen Drya, last modified by Stefan Heitmueller on Feb 21, 2022
General process
OpenVPN is disabled by default.
When OpenVPN is enabled by root360 for specific users, they are able to connect to the bastion host using a TLS-secured private tunnel. When additionally Activate MFA (Multi-Factor-Authentication) for SSH and OpenVPN is active for the environment, a valid token must be provided upon connect.
The following steps are required to enable and use OpenVPN:
check and accept preconditions
request activation of OpenVPN and optionally MFA
activate MFA if it is enabled
obtain the VPN client config, install and configure OpenVPN client
establish VPN connection
Preconditions (not for site-to-site connection)
See the preconditions at Activate MFA (Multi-Factor-Authentication) for SSH and OpenVPN if MFA is enabled for the target environment.
Request activation of OpenVPN
Request activation of OpenVPN for a dedicated environment via change request at https://support.root360.cloud.
Activate MFA (not for site-to-site connection)
Follow the steps for MFA activation at Activate MFA (Multi-Factor-Authentication) for SSH and OpenVPN if MFA is enabled for the target environment.
Install and configure OpenVPN client
Windows
Download the OpenVPN Windows installer
Install the client software (make sure to tick "EasyRSA 2 Certificate Management Scripts" )
Create a Certificate Signing Request (see additional information below) and send the resulting CSR file to root360 via https://share.root360.cloud/
Get the OpenVPN client config file including the signed certificate from root360
Copy the content of your private key into the config file (into the key section)
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
Copy the secret VPN config file into directory C:\Users\<your-user>\OpenVPN\config
Linux
Install the OpenVPN client and easy-rsa using your package manager
Create a Certificate Signing Request (see additional information below) and send the resulting CSR file to root360 via https://share.root360.cloud/
Get the OpenVPN client config file including the signed certificate from root360
Copy the content of your private key into the config file (into the key section)
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
Copy the secret VPN config file into a directory of your choice
Establish connection
Windows
Start the program OpenVPN GUI
Double-click the OpenVPN GUI systray icon (lower right desktop corner) to start the connection
Enter your username and the MFA token
Linux - Manual Start
Run OpenVPN client
openvpn --config /path/to/secret_vpn_config
Enter your username and the MFA token
Additional information
Create CSR
See the sample commands below for your operating system:
Make sure to replace <username> with your name in the format <first-letter-of-first-name>_<surname> (e.g. j_doe) AND append the current date in the format YYYYMMDD (e.g. 20200103): j_doe_20200103
We recommend securing your private key with a strong pass phrase when prompted with "Enter PEM pass phrase". The pass phrase should have:
- at least one lower-case character
- at least one upper-case character
- at least one digit
- at least 8 characters
- optionally symbols
Make sure to set valid values for the following fields:
- Country Name (<country-code>) = 2-letter code for your company's country, e.g. DE
- State or Province Name (<province>) = name of your company's state/province, e.g. Saxony
- Locality Name (<city>) = name of your company's city, e.g. Leipzig
- Organization Name (<company name>) = your company, e.g. root360 GmbH
- Common Name (<username>_YYYYMMDD) = your VPN username, e.g. j_doe_20200103
- Email Address (<email-address>) = your email address registered in the root360 cloud dashboard (Orbiter), e.g. j.doe@example.com
- A challenge password = leave empty, as it does not provide any security improvement for the intended usage
Copy the content of keys\<username>.csr (Windows) or <username>.csr (Linux) into https://share.root360.cloud/ (only the CSR, never the .key file).
Send the share link in the ticket requesting OpenVPN activation.
Sample commands for Windows
C:\Users\john.doe> xcopy "C:\Program Files\OpenVPN\easy-rsa" "%USERPROFILE%\Documents\easy-rsa" /I /E
C:\Users\john.doe> cd "%USERPROFILE%\Documents\easy-rsa"
C:\Users\john.doe\Documents\easy-rsa> init-config.bat
C:\Users\john.doe\Documents\easy-rsa> vars.bat
C:\Users\john.doe\Documents\easy-rsa> mkdir keys
C:\Users\john.doe\Documents\easy-rsa> openssl req -days 3650 -new -keyout keys\<username>.key -out keys\<username>.csr -config openssl-1.0.0.cnf
Generating a RSA private key
............+++++
..........+++++
writing new private key to '<username>.key'
Enter PEM pass phrase:**********
Verifying - Enter PEM pass phrase:**********
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<country-code>
State or Province Name (full name) [Some-State]:<province>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<username>_YYYYMMDD
Email Address []:<email-address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sample commands for Linux
$ openssl req -new -keyout <username>.key -out <username>.csr -config /etc/ssl/openssl.cnf
Generating a RSA private key
............+++++
..........+++++
writing new private key to '<username>.key'
Enter PEM pass phrase:**********
Verifying - Enter PEM pass phrase:**********
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<country-code>
State or Province Name (full name) [Some-State]:<province>
Locality Name (eg, city) []:<city>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<company name>
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:<username>_YYYYMMDD
Email Address []:<email-address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
While running this command the following warning might be printed and can be ignored:
Can't load /[...]/.rnd into RNG 140068274860480:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/[...]/.rnd
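As an added example (not root360's own tooling), the following POSIX shell helpers encode the CSR conventions from this section so that a wrong Common Name, a weak pass phrase or an accidental upload of the private key is caught before anything is sent; it assumes openssl and /etc/ssl/openssl.cnf as in the Linux sample above.

```shell
#!/bin/sh
# Added example, not root360's tooling: helpers that encode this page's CSR
# conventions so mistakes are caught before anything is uploaded.
# Assumption: openssl and /etc/ssl/openssl.cnf exist as in the Linux sample.

# Common Name = first letter of first name, "_", surname, "_", YYYYMMDD.
vpn_common_name() {
    first=$(printf '%s' "$1" | cut -c1 | tr 'A-Z' 'a-z')
    last=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s_%s_%s\n' "$first" "$last" "$3"
}

# 0 if the CN matches <letter>_<surname>_YYYYMMDD, e.g. j_doe_20200103.
valid_common_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]_[a-z]+_[0-9]{8}$'
}

# 0 if the pass phrase has >= 8 chars, a lower-case, an upper-case and a digit.
check_passphrase() {
    p=$1
    [ "${#p}" -ge 8 ] || return 1
    case $p in *[a-z]*) ;; *) return 1 ;; esac
    case $p in *[A-Z]*) ;; *) return 1 ;; esac
    case $p in *[0-9]*) ;; *) return 1 ;; esac
}

# 0 only if the file is a CSR and carries no private key: the .csr goes to
# share.root360.cloud, the .key must never leave your machine.
safe_to_share() {
    grep -q 'BEGIN CERTIFICATE REQUEST' "$1" || return 1
    if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
}

# Encrypted key + CSR in one go; openssl prompts for the PEM pass phrase.
make_csr() {  # make_csr CN C ST L O EMAIL
    valid_common_name "$1" || { echo "bad CN: $1" >&2; return 1; }
    openssl req -new -keyout "$1.key" -out "$1.csr" -config /etc/ssl/openssl.cnf \
        -subj "/C=$2/ST=$3/L=$4/O=$5/CN=$1/emailAddress=$6" && safe_to_share "$1.csr"
}

# Stand-alone demo on a constructed CSR-shaped file (no openssl needed).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB...constructed...' \
    '-----END CERTIFICATE REQUEST-----' > "$demo"
cn=$(vpn_common_name John Doe 20200103)
valid_common_name "$cn" && check_passphrase 'Sax0nyLeipzig' && safe_to_share "$demo" \
    && echo "ok: $cn" || echo "check failed"
rm -f "$demo"
```

A real run would call make_csr j_doe_20200103 DE Saxony Leipzig "root360 GmbH" j.doe@example.com and then upload only j_doe_20200103.csr.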