Let's Encrypt and OpenVPN

Is there some definitive reference on using Let's Encrypt and OpenVPN? One reference on the FreeBSD forum kind of leaves this dangling. All the installation guides deal with self-signed certs, and that is something I was trying to stop doing on my new server. (Ten year lifetimes!)

I found a reference on PAM with openvpn, so the lack of a password on the cert is no big deal.

Here is the FreeBSD reference:
https://forums.freebsd.org/threads/60254/

Here is the PAM setup:
http://zewaren.net/site/node/138

I haven’t seen one, but that’s mainly because you usually want to use a private CA or self-signed certificates for something like this.

https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains

So you usually want to create your own private certificate authority with OpenVPN because you also want to issue client certificates to your users in addition to server certificates so nobody is just one password away from cracking your VPN.

If you do just want to use a password-based VPN, you can use certbot certonly --standalone (assuming you have no web server on the same machine) to obtain a certificate and set the cert in your OpenVPN server config to /etc/letsencrypt/live/yourdomain.com/fullchain.pem. However, it is critical that you not set the ca option when using a public certificate authority and set up password-based authentication instead, or any of the hundreds of thousands of people with Let’s Encrypt certificates will be able to use your VPN.
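Added example (not part of any post in this thread): a small audit of an OpenVPN server config for the misconfiguration warned about above, where `ca` points at a public CA while client certificates are still verified. The directive names are real OpenVPN options; the sample configs, the plugin path and the `/etc/letsencrypt/` heuristic are constructed assumptions.

```python
import shlex

# Assumption: certbot's default directory marks a publicly trusted CA.
PUBLIC_CA_HINT = "/etc/letsencrypt/"

# Constructed sample configs (not from the thread); plugin path is illustrative.
RISKY = """
cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem
key  /etc/letsencrypt/live/yourdomain.com/privkey.pem
ca   /etc/letsencrypt/live/yourdomain.com/chain.pem   # public CA as client trust root
"""
PASSWORD_ONLY = """
cert /etc/letsencrypt/live/yourdomain.com/fullchain.pem
key  /etc/letsencrypt/live/yourdomain.com/privkey.pem
verify-client-cert none
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
"""

def parse(text):
    """Map each directive to its argument list, skipping '#' and ';' comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0]] = parts[1:]
    return directives

def audit(text):
    """Return finding codes for the misconfigurations described in the thread."""
    d = parse(text)
    certs_off = d.get("verify-client-cert") == ["none"] or "client-cert-not-required" in d
    password_auth = "auth-user-pass-verify" in d or any(
        "auth-pam" in arg for arg in d.get("plugin", []))
    findings = []
    # Client certs checked against a public CA: every certificate that CA issued passes.
    if any(PUBLIC_CA_HINT in arg for arg in d.get("ca", [])) and not certs_off:
        findings.append("public-ca-accepts-any-client-cert")
    # No client certs and no password check leaves nothing authenticating the user.
    if certs_off and not password_auth:
        findings.append("no-client-authentication")
    return findings

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("password-only", PASSWORD_ONLY)):
        print(name, audit(cfg) or "ok")
```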

I hacked a bit, couldn’t get it going, then set up the VPN the traditional way with easy-RSA. (Actually not hard to do.) I was going to use PAM for auth to prevent others from using the letsencrypt cert.

As it turns out, the .ovpn file has a number of certs in it. I was thinking I could avoid having to make the .ovpn file with the letsencrypt cert, but alas no.

I do appreciate the replies indicating what a bad idea this was. :wink:


hi @gariac

Using SSL certificates for SSL VPN is no different from using a self-signed certificate.

When it comes to identity management, if you do want to use certificates as a basis for identity then, as @Patches says, you are better off running your own CA.

On another note, you do not have to use standalone; you can also use the DNS challenge.

Andrei

Doesn’t a DNS challenge mean a password in the cert?

Like I said, I got the self-signed cert working, but I’m always willing to learn.

DNS verification is just another method of verifying you own a domain for obtaining certificates from Let's Encrypt, one that doesn't require any web server listening on the public Internet.

“You will need a new token every time you need to renew for a new certificate though, hence automation is easier.”

Well this certainly explains why it is better to use the acme client.
