Lets Encrypt and openvpn

Is there some definitive reference on using Lets Encrypt and openvpn. One reference on the FreeeBSD forum kind of leaves this dangling. All the installation guides deals with self signed certs, and that is something I was trying to stop doing on my new server. (Ten year lifetimes!)

I found a reference on PAM with openvpn, so the lack of a password on the cert is no big deal.

Here is the FreeBSD reference:
https://forums.freebsd.org/threads/60254/

Here is the PAM setup:
http://zewaren.net/site/node/138

I haven’t seen one, but that’s mainly because you usually want to use a private CA or self-signed certificates for something like this.

https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains

So you usually want to create your own private certificate authority with OpenVPN because you also want to issue client certificates to your users in addition to server certificates so nobody is just one password away from cracking your VPN.

If you do just want to use a password-based VPN, you can use certbot certonly --standalone (assuming you have no web server on the same machine) to obtain a certificate and set the cert in your OpenVPN server config to /etc/letsencrypt/live/yourdomain.com/fullchain.pem. However, it is critical that you not set the ca option when using a public certificate authority and setup password-based authentication instead, or any of the hundreds of thousands of people with Let’s Encrypt certificates will be able to use your VPN.

1 Like

I hacked a bit, couldn’t get it going, then set up the VPN the traditional way with easy-RSA. (Actually not hard to do.) I was going to use PAM for auth to prevent others from using the letsencrypt cert.

As it turns out, the .opvn ‎file has a number of certs in it. I was thinking I could avoid having to make the .opvn file with the letsencrypt cert, but alas no.

I do appreciate the replies indicating what a bad idea this was. :wink:

1 Like

hi @gariac

Using SSL Certificates for SSL VPN is no different from using a self signed certificate

When it comes to Identity management if you do want to use certificates as a basis for identity then as @Patches says you are better of running your own CA.

On Another note - you do not have to use standalone you can also use the DNS challenge

Andrei

Doesn’t a DNS challenge mean a password in the cert?

Like I said, I got the self signed cert working, but I’m always will to learn.

DNS verification is just another method of verifying you own a domain for obtaining certificates from Let’s Encrypt, one that doesn’t require any web server listening on the public Internet.

“You will need a new token every time you need to renew for a new certifcate though, hence automation is easier.”

Well this certainly explains why it is better to use the acme client.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.