Rapid OpenVPN Certificate & Configuration Deployment

On a number of recent occasions, I have needed to quickly configure and deploy OpenVPN. These situations have included simulated attacks, in which the opportunity to deploy OpenVPN as an egress or C2 channel presented itself, or during reconnaissance activities in which it is advantageous to disguise your real IP address for attribution purposes. In these cases, it is desirable to be able to rapidly deploy OpenVPN without compromising on security, and where the situation may not warrant or benefit from the overheads of constructing a full PKI. OpenVPN itself is a very simple tool to configure; the more convoluted part is the generation of digital certificates which is made relatively straightforward through the easy-rsa set of scripts. However, I was in need of a quick way to configure OpenVPN as below:

• Mutual TLS authentication using separate CAs.
• Generation of DH parameters.
• Usage of OpenVPN's HMAC authentication.
• Inclusion of the required keyUsage/extendedKeyUsage/nsCertType attributes and values.
• Non-attributable CNs.
• Ideally in a one-click style tool which doesn't need the OpenSSL file structure.

I therefore chose to repurpose my Certerator code to build a quick OpenVPN configuration and certificate generator. Where possible, it uses pyOpenSSL (python's OpenSSL bindings). When run, it performs the following actions:

1. If server_ca.pem does not exist, generate a new certification authority for the OpenVPN server. If it does exist, use whatever is there.
2. If client_ca.pem does not exist, generate a new certification authority for the OpenVPN client. If it does exist, use whatever is there.
3. If server_cert.pem does not exist, generate a new certificate for the OpenVPN server and sign it with the Server CA.
4. If client_cert.pem does not exist, generate a new certificate for the OpenVPN client and sign it with the Client CA.
5. If ta.key does not exist, execute openvpn --genkey --secret ta.key to generate a shared secret.
6. If dh4096.pem does not exist, execute openssl genrsa -out dh4096.pem 4096 to generate custom 4096 bit DH parameters (change DH_PARAM_SIZE if you want a differently sized key). I have included my generated 4096 bit DH parameters for you to use.
7. Generate a configuration file for the OpenVPN server and the OpenVPN client, referencing the required certificates and configuration files.
8. Create two tar.gz files, one to deploy on the server and one to deploy on the client, which contain the required files.

If a second signed certificate was desired, you need only change the hardcoded CN (if appropriate), remove client_cert.pem and client_key.pem and re-run the script. It will pick up the fact that those certificates are missing and generate new ones. One benefit of this is that it (mostly) does not use the OpenSSL command line interface directly, meaning that there is no need to set up the OpenSSL file structure that is usually necessary. It does use the OpenSSL binary to generate DH params and uses OpenVPN to generate the HMAC key (ta.key), but everything else is generated through python.

Transfer example.server.tar.gz to the server machine:

Transfer example.client.tar.gz to the client machine:

Now start the server, update the client config file with the server IP address and connect to the server. Either edit the file using vi/pico/nano/ee etc or update it inline:

If a second signed client certificate is required, the first need only be removed and a new one generated:

However the two client certificates would have the same serial number and same CN field; for most practical purposes, it would be sensible to change the serial number and CN manually, which requires modification of the script.

• This tool is not a replacement for a fully maintainable public key infrastructure. I built it simply for speed and convenience and released it in the hope that others find it helpful.
• It makes several assumptions about the OpenVPN configuration specifics. For example, it assumes that UDP is the desired protocol and does not automatically include options such as port-share (which may be helpful if TCP mode is used instead).
• It is not intelligent; for example, if you removed client_ca.* but left client_cert.* present and re-ran the script, it would generate a new client CA but would not generate a new client certificate and sign it.

Like so many tools, this started as a quick-and-dirty tool to automate an otherwise tedious task.

I am not planning to add a configuration file, revocation support (e.g. CRL) or any of the other niceties to this because tools such as OpenSSL itself, easy-rsa, tinyCA etc have been specifically designed for this purpose. This project was simply to meet a need, namely to be able to go from nothing to a secure, functioning OpenVPN installation with a minimum of configuration or effort. Although this is built for OpenVPN, the certificates are valid, normal digital certificates and could be used for any mutual TLS authentication scenario. For example, it could be used to generate the required certificates for Apache, nginx etc to facilitate client certificate authentication. The fact that this project is open source will not make any meaningful difference to the cryptographic security because the keys are all generated locally.

The tool can be found at https://github.com/stufus/openvpn-rapid-config. Alternatively the repository can be cloned as follows: