Setup OpenVPN server on Amazon EC2

Recently I got some new hardware that I will use to run some useful software. To use the software from anywhere, I’ll need remote access. As I cannot set up a DMZ or port forwarding with my new internet provider, I decided to connect my home server via VPN to an access machine running on AWS.

The AWS EC2 Linux instance will serve as my entry point. Services running on the Raspberry Pi (RP) at home, connected via VPN, can be accessed from EC2. Other computers at my home cannot be accessed, as their IPs are different and no route is configured for them.

This setup comes with several architectural questions to solve:

  • How to ensure the communication is secure?
  • How to guarantee the tunnel is up?
  • How to enable access from EC2 to the services running on the client?
  • The client must be assigned the same IP every time for the services to be accessible from EC2
  • How to give access to the services from the internet?

The first three questions will be answered in my next blogs about how to set up the OpenVPN server and client. The first question is the easiest to answer: by using a VPN solution. I am going to use OpenVPN, and this blog is about how to set it up. I’ll cover the installation on the EC2 instance and on the Raspberry Pi, as well as the initial setup with the certificates, the server and client configuration and how to connect. Starting the client and server as a service keeps them running, and in case the connection fails, an automatic reconnect is attempted. The EC2 instance can then access the services running on the client automatically. The last two questions will be answered sometime later.

OpenVPN Server

Install OpenVPN on EC2

The OpenVPN software is available via yum on the EC2 Linux AMI. You may need to enable the EPEL repository; I assume you did this already. The packages to install are openvpn and easy-rsa.

sudo yum update
sudo yum install openvpn easy-rsa

This will also import the repository’s public signing key needed to install the packages and ask for your permission to do so.

The easy-rsa package is needed to set up a certificate authority. In case you already have a CA available, you can use it to generate the certificates used by OpenVPN. For those that do not have a CA available, use easy-rsa.

Generate CA

The command above installs easy-rsa 3.x. With 3.x, the way easy-rsa is used to set up a CA and issue certificates changed. You can see in detail how to use easy-rsa 3.x in the documentation available at the GitHub project site.

OpenVPN uses certificates, and easy-rsa issues those certificates. Basically, you have two components of easy-rsa to deal with:

  • CA software
  • Certificates

OpenVPN reads its configuration from /etc/openvpn. The easy-rsa software should live in a separate folder, like /home/ec2-user/easy-rsa, but to keep everything in one place I’ll put easy-rsa inside the /etc/openvpn directory.

Note: for real production use, don’t do this. Keep the easy-rsa executables and the OpenVPN config files separate.

Copy easy-rsa

Copy easy-rsa to the location you selected. For this, first find out where easy-rsa is installed.

repoquery -l easy-rsa

Location is /usr/share/easy-rsa/3.0.3. I’ll copy these files to /etc/openvpn/easy-rsa.

sudo mkdir /etc/openvpn/easy-rsa
sudo cp -Rv /usr/share/easy-rsa/3.0.3/* /etc/openvpn/easy-rsa/

Start easy-rsa

Follow the steps outlined at the easy-rsa GitHub site. For the following steps, go into the directory where easy-rsa was copied to.

cd /etc/openvpn/easy-rsa

Init PKI

sudo ./easyrsa init-pki

Build CA

This will create the CA certificate used to sign certificate requests. In other words: whoever gets access to the private key of the CA created in this step can create new valid OpenVPN clients for your setup. Take care of the CA certificate and key.

sudo ./easyrsa build-ca

You’ll need to enter:

  • PEM pass phrase
  • Common Name

The pass phrase is used to unlock the private key and is an additional level of security. Even when someone gets a copy of the private key of your CA, without the pass phrase the key is not usable. The common name is used to identify the CA; I used the FQDN of my web server. After executing these two commands, the CA is initialized and can be used to issue certificates.

Diffie-Hellman

Generate Diffie-Hellman parameters.

sudo ./easyrsa gen-dh

Generate OpenVPN server certificate

The OpenVPN server needs a certificate issued by the CA to identify itself to the clients. This is a nice “feature” of using a PKI: server and client can each validate the other side, and both just need to trust the CA certificate for this. The difference between the two certificates (client and server) is the included type. This is done by including an additional value in the certificate specifying the type of certificate:

  • TLS Web Server Authentication for the server and
  • TLS Web Client Authentication for the client

Which kind of certificate is going to be issued is specified by the easy-rsa command when creating the certificate request.

Generate certificate request

Create a certificate request containing the identity information of the server and let this request be signed by the CA. By specifying the server parameter, the request is for a server and the CA will include the value TLS Web Server Authentication in the extension.

sudo ./easyrsa gen-req server

Enter:

  • Pass phrase
  • Common Name

As with the CA certificate, enter a pass phrase that adds additional security to the private key and a common name to uniquely identify the server. I used server as CN. Of course, it could also have been openvpn.mydomain.com or something else.

Sign request

Send the request to the CA and sign it to issue a valid certificate. With that, the CA’s signature is added to the certificate, making it official, and clients that connect to the OpenVPN server can verify whether they can trust the server. Only when trust is verified will a connection be established between server and client.

sudo ./easyrsa sign-req server server

You’ll need to confirm the request by typing yes and the pass phrase.

TLS-AUTH

The following key is needed to harden the overall security of OpenVPN. As OpenVPN is using TLS, it makes sense to add an HMAC to validate the integrity of the packets received. For this to work, a shared secret key is needed. This key will be written to a file named ta.key.

Generate ta.key

cd /etc/openvpn
sudo openvpn --genkey --secret ta.key
sudo mv /etc/openvpn/ta.key /etc/openvpn/easy-rsa/private

OpenVPN server configuration

Take a sample configuration file as a template. It can be found in the doc folder of openvpn. The sample configuration file for the server is server.conf, and for the client, client.conf.

ls -1 /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/

Copy server.conf to /etc/openvpn and edit the file.

sudo cp /usr/share/doc/openvpn-2.4.4/sample/sample-config-files/server.conf /etc/openvpn/
sudo vim /etc/openvpn/server.conf

Adjust the path to the ca, cert, key and dh files

These parameters tell OpenVPN where the certificates and keys are stored. The CA certificate ca.crt is used to validate the client certificates; they must be issued by this CA. server.crt and server.key are used by the OpenVPN server to encrypt traffic and to authenticate itself to clients. The Diffie-Hellman parameters in dh.pem are used to provide Perfect Forward Secrecy.
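The two points above, that server and client certificates differ only in the type the CA writes into them at signing time, and that server.conf has to point at the right ca, cert, key and dh files, can be exercised with plain openssl. The following script is an added example, not code from the original post or from easy-rsa or OpenVPN: it uses openssl directly in place of the easyrsa wrapper, keeps the keys unencrypted only so that it runs unattended (the post’s pass phrases are the better choice), and the working directory, file names and common names are all made up for the demo.

```shell
#!/bin/sh
# Added example; not code from the original post or from easy-rsa/OpenVPN.
# Reproduces with plain openssl what "easyrsa build-ca", "gen-req" and
# "sign-req <type> <name>" do, so the server/client distinction
# (extendedKeyUsage, chosen at signing time) becomes visible, then writes
# the ca/cert/key/dh lines of server.conf and checks them before openvpn
# is started. Keys are left unencrypted (-nodes) only so the script runs
# unattended. Every directory, file name and CN below is constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# The CA: whoever holds ca.key can issue certificates this server trusts.
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.crt" -subj "/CN=demo-ca.example.invalid" -days 365 2>/dev/null
}

# gen_req <name>: like "easyrsa gen-req <name>"; the request carries no type.
gen_req() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
}

# sign_req <server|client> <name>: like "easyrsa sign-req <type> <name>".
# The type only decides which extendedKeyUsage the CA writes into the cert.
sign_req() {
  if [ "$1" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
      "$eku" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$WORK/$2.crt" -days 365 -extfile "$WORK/$2.ext" 2>/dev/null
}

# eku_of <cert>: prints the human-readable extendedKeyUsage, e.g.
# "TLS Web Server Authentication", which is the value the post describes.
eku_of() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'
}

# The four path directives the post tells you to adjust in server.conf.
write_conf() {
  cat > "$WORK/server.conf" <<EOF
ca $WORK/ca.crt
cert $WORK/server.crt
key $WORK/server.key
dh $WORK/dh.pem
EOF
}

# check_conf <server.conf>: every referenced file must be readable, the cert
# must chain to the ca, and the key must belong to the cert. Prints "ok" or
# the first problem found, so a bad path is caught before openvpn reports it.
check_conf() {
  for d in ca cert key dh; do
    f=$(awk -v k="$d" '$1 == k { print $2 }' "$1")
    [ -n "$f" ] && [ -r "$f" ] || { echo "missing or unreadable $d file: $f"; return 1; }
  done
  ca=$(awk '$1 == "ca" { print $2 }' "$1")
  cert=$(awk '$1 == "cert" { print $2 }' "$1")
  key=$(awk '$1 == "key" { print $2 }' "$1")
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
      || { echo "cert was not issued by ca"; return 1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
      || { echo "key does not match cert"; return 1; }
  echo ok
}

build_ca
gen_req server && sign_req server server
gen_req client && sign_req client client
# DH parameters for PFS; -dsaparam keeps the demo fast. gen-dh style
# parameters (openssl dhparam 2048 without -dsaparam) take minutes.
openssl dhparam -dsaparam -out "$WORK/dh.pem" 2048 2>/dev/null
write_conf
echo "server.crt: $(eku_of "$WORK/server.crt")"
echo "client.crt: $(eku_of "$WORK/client.crt")"
check_conf "$WORK/server.conf"
```

Running it prints the two extended key usages and then ok. Pointing the key line at client.key, or any path at a file that does not exist, makes check_conf report the exact problem instead of ok, which is quicker than decoding OpenVPN’s startup error.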

Start OpenVPN server

To start the OpenVPN server and to test the current setup, run the following command:

sudo openvpn /etc/openvpn/server.conf

During startup, you need to provide the passphrase of the server certificate.

If all works, OpenVPN starts without errors and prints “Initialization Sequence Completed”. After this, the server is waiting for clients to connect.

Note:

If you have been reading my blogs for the last few years, you may remember that I once wrote about setting up OpenVPN for accessing SUP on AWS. That blog was all about Windows and is outdated; I wrote it in 2012. But, as I published it at the SAP Community Network, it is not available anymore. SAP lost it during their last migration.

OpenSSL CA to sign CSR with SHA256 – Sign CSR issued with SHA-1

The overall process is:

  1. Create CA
    1. Private CA key
      1. Create private key
      2. Check private key
    2. Public CA certificate
      1. Create public certificate
      2. Check public certificate
  2. Sign CSR
    1. SHA-1
      1. Create CSR using SHA-1
      2. Check CSR
      3. Sign CSR enforcing SHA-256
      4. Check signed certificate
    2. SHA-256
      1. Create CSR using SHA-256
      2. Check CSR
      3. Sign CSR
      4. Check signed certificate

Sign CSR request – SHA-1

When a CSR is created, a signature algorithm is used. Normally, this is SHA-1. Installing a TLS certificate that is using SHA-1 will give some problems, as SHA-1 is not considered secure enough by Google, Mozilla, and other vendors. Therefore, the final certificate needs to be signed using SHA-256. In case the CSR is only available with SHA-1, the CA can be used to sign CSR requests and enforce a different algorithm.

Create CSR using SHA-1

openssl req -out sha1.csr -new -newkey rsa:2048 -nodes -keyout sha1.key

The command creates two files: sha1.key containing the private key and sha1.csr containing the certificate request.

Check CSR

openssl req -verify -in sha1.csr -text -noout

The signature algorithm of the CSR is SHA-1.

Sign CSR enforcing SHA-256

Signing the CSR using the CA:

openssl x509 -req -days 360 -in sha1.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out sha1.crt -sha256

This will sign the CSR using SHA-256.

Check signed certificate

openssl x509 -text -noout -in sha1.crt

The certificate’s signature algorithm is now SHA-256. The original CSR’s signature algorithm was SHA-1, but the resulting certificate uses SHA-256. Even when you cannot change to SHA-256 during CSR creation, or the CSR is only available with SHA-1, it is still possible to switch to SHA-256 during the signing process at the CA.
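The following script is an added example (not from the original post) that runs the four steps above end to end with a throw-away CA created inline, and extracts the signature algorithm of the CSR and of the issued certificate by parsing the -text output instead of reading it by eye. The CA file names ca.cert.pem and ca.key.pem follow the post; the subject names and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates a SHA-1 signed
# CSR, signs it with the CA enforcing -sha256, and returns both signature
# algorithms so the override can be checked mechanically. The CA is a
# throw-away one created here; subject names are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Throw-away CA using the file names from the post (ca.key.pem / ca.cert.pem).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key.pem" \
      -out "$WORK/ca.cert.pem" -subj "/CN=demo-ca.example.invalid" -days 365 2>/dev/null
}

# sig_alg <req|x509> <file>: print only the signature algorithm name
# (e.g. sha1WithRSAEncryption) from the -text output of the given object.
sig_alg() {
  openssl "$1" -in "$2" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Step 1: a CSR whose own signature uses SHA-1, as legacy tooling may hand it to you.
make_sha1_csr() {
  openssl req -out "$WORK/sha1.csr" -new -newkey rsa:2048 -nodes \
      -keyout "$WORK/sha1.key" -sha1 -subj "/CN=legacy.example.invalid" 2>/dev/null
}

# Step 3: the CA picks the digest at signing time; -sha256 overrides the CSR's.
sign_with_sha256() {
  openssl x509 -req -days 360 -in "$WORK/sha1.csr" -CA "$WORK/ca.cert.pem" \
      -CAkey "$WORK/ca.key.pem" -CAcreateserial -out "$WORK/sha1.crt" -sha256 2>/dev/null
}

# Steps 2 and 4: what the CSR and the issued certificate were signed with.
csr_alg()  { sig_alg req  "$WORK/sha1.csr"; }
cert_alg() { sig_alg x509 "$WORK/sha1.crt"; }

make_ca
make_sha1_csr
sign_with_sha256
echo "CSR signed with:  $(csr_alg)"
echo "cert signed with: $(cert_alg)"
```

The CSR’s signature only proves to the CA that the requester holds the private key; it is not carried into the certificate. That is why the certificate’s algorithm is whatever the CA chose (-sha256 here), and why a browser looking at the issued certificate never sees the SHA-1 used on the request.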

Online Certificate Status Protocol

Online Certificate Status Protocol, or OCSP for short, lets you obtain the revocation status of a certificate. It has some benefits over certificate revocation lists, mainly that you can let the OCSP server do the heavy work of validating a certificate, and the client gets some additional security when accepting the answer. To use OCSP in your landscape, you will have to install and configure an OCSP responder. I did this for my sandbox SMP3 system. Here are the links that contain the information on how to set up your own OCSP responder on your Microsoft CA server.

My walkthrough

Hope you find the links useful.

Additional OCSP information

Here are some more links that I consulted when setting up my OCSP responder. All are from Microsoft and treat information regarding OCSP on a Microsoft server and CA.

About

Implementing OCSP responder part 1 – introducing OCSP

OCSP installation and configuration

Designing and implementing a PKI part 2

Designing and implementing a PKI part 3

Designing and implementing a PKI part 4

Designing and implementing a PKI part 5

Windows Server

Online Responder Installation, Configuration, and Troubleshooting Guide

AD CS: Online Certificate Status Protocol Support

Configure a CA to Support OCSP Responders

Configure MSFT NDES to work with Afaria

The Afaria mobile client can request a client certificate from a corporate CA for the user. This means that the user automatically gets a valid certificate, without having to go through the complicated process of requesting and installing a certificate. The user won’t even know that a certificate was requested and installed on the device; it’s a truly transparent process. For this to work, Afaria needs to be configured to send requests to a CA (using SCEP), and the CA needs to be able to act on device requests. This is done by installing the NDES role on a Windows CA. After that, the CA needs to be configured to work together with Afaria.

A possible error message that can occur when this configuration is not done is visible in the Afaria log. The error message will look like: “SCEPcertificateAcquisition Exception: ASN1 bad tag value met”

This error message won’t occur out of nowhere; it appears in the context of the Afaria client requesting a certificate from the Microsoft CA/NDES.

Here, a CSR with Subject CN=rds,O=Afaria,OU=Consulting,L=Rio de Janeiro … was sent to the CA by the Android app com.sap.logon.cert. The solution for this problem is given by SAP Note 2193313. The documentation that treats this error can be obtained either from SAP or from Microsoft:

SOLUTION

Basically there are two solutions available:

  1. Deactivate the use of a password for NDES, or
  2. Activate the use of a password and configure Afaria to send the credentials

Easiest solution: deactivate the use of a password when requesting a certificate. This is done by changing the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword to 0. Keep in mind that without the challenge password NDES no longer checks that a requester was authorized before issuing a certificate, so restrict network access to the NDES endpoint if you choose this option.

This change requires a restart of IIS to ensure that the new value is picked up. Afterwards, the Afaria client can be used to request a certificate.

This request can be followed in the Afaria log:

RESULT

The client received a certificate. The certificate can be seen in the CA:

Afaria Setup 10.8 – Install Afaria 7 – SCEP Plugin

The steps to install SAP Afaria 7 are:

  1. Download installation package and install license
  2. SAP Afaria Server
  3. SAP Afaria API Service and Administrator
  4. Afaria Admin
  5. Self Service Portal
  6. Enrollment Server
  7. Package Server
  8. SCEP plug-in module

This document is about step 8.

SCEP plug-in module

The last component to be installed is the SCEP plug-in. This module is responsible for requesting certificates on behalf of the user. It will make use of the CA and NDE functionality.

Select the version of the module to be installed. On an x64 architecture, the 64-bit version should be selected.

This starts the SCEP installation wizard.

Database

  • Type: Microsoft SQL Server

  • Server: localhost

  • Database: AfariaDb

Location

Start installation

This ends the installation of SAP Afaria 7.00. Now a fully functional SAP Afaria environment is installed and available on the same Windows Server 2008 R2. Be aware that it is a version of Afaria from 2012. Next step is to upgrade this version to the latest version available.

Afaria Setup 6: Configure SSL for IIS

To ensure confidentiality of user data, access to SAP Afaria by users needs to be done using SSL. For this to work, IIS must use its own valid SSL certificate. To do so, first a certificate request for IIS must be created. This request will be handled by the CA (installed on same server) and the created certificate must be made available in IIS.

IIS: Create certificate request

  • Start IIS Manager
  • Select the default server and then Server Certificates in the IIS section.

  • Create certificate request

  • Enter the server information. The CA will include this information in the final certificate.
    • Common name: FQDN of the server
    • Country: BR, or your country

  • Select cryptographic service provider.
    • Cryptographic service provider: Microsoft RSA SChannel Cryptographic Provider
    • Bit length: 1024

  • Enter a file name. This is where the certificate request will be saved to. This file will later be submitted to the CA.

Now the certificate request is done by IIS. Next step is to submit the request to the CA.

CA: Issue certificate

As the CA is on the same server as IIS, all that is left is to submit the request to the CA. The certificate type is for a web server. In my case, using the CA wizard to submit the CSR did not work, as the web server template was not available. What worked was to use the command line to submit the CSR and specify the web server template there.

Command: certreq.exe -submit -attrib "CertificateTemplate:WebServer" .\certreq.txt

Select the CA to be used.

Specify path to save certificate to.

Certificate is issued and saved in CER format.

Next is to install the certificate into IIS and make it available for usage.

IIS: Install certificate

To install the server certificate, open IIS Manager console. Select Complete Certificate Request.

Enter the path to the certificate and an alias/friendly name. You’ll refer to the certificate by its friendly name.

Click OK. This installs the certificate into IIS.

Afaria Setup 4: Install roles – Certificate Authority – NDE

To enroll an iOS device to SAP Afaria, a certificate for this device is needed. For mobile apps, SAP Afaria client can be used to request a user certificate from the CA. All these requests are handled by SAP Afaria, making the certificate handling transparent to the user. For doing this, SAP Afaria needs a CA with NDE enabled.

Pre-requisite

  • Install a CA
  • Add a user for NDE

Install a CA

See previous blog about how to install a CA.

Add user for NDE

Create a user for NDE service using Windows tool: Active Directory Users and Computers.

Add a new user.

  • First name: ndeuser
  • Last name: n/a
  • Full name: ndeuser
  • Logon: ndeuser@tobias.de

Enter a password. As this is a test environment installation, it makes sense not to have a user whose password expires every N months.

  • Password never expires: yes

Confirm user data.

Assign user to group

Add ndeuser to IIS group using Windows tool: Active Directory Users and Computers.

Open the AD domain and go to folder Builtin. Select group IIS_IUSRS.

Go to tab Members

Click Add

Enter user: ndeuser and select Check Names.

This adds the AD user ndeuser to the local group IIS_IUSRS. This is needed for the NDE service of CA.

Add service NDE to Windows Server

Add Role Services.

Add

  • Network Device Enrollment Service
  • Certificate Enrollment Web Service
  • Certificate Enrollment Policy Web Service
  • And all dependencies

Enter the user created earlier: ndeuser@tobias.de

Enter the registration authority (RA) information.

  • RA Name: Tobias-RA
  • Country: BR (or your country)
  • City: Rio de Janeiro (or your city)
  • State: RJ (or your state)

Enter the key strength of the RA.

Select the CA that will be used by NDE (use the previously created CA).

Select authentication type going to be used to log on to NDE.

  • Windows Integrated Authentication: Yes

Specify the service account: ndeuser@tobias.de

Select an SSL certificate. Choose to select an SSL certificate later, as this certificate does not exist yet and will be created later on.

Check the selected server roles.

Confirm.

Windows installs and configures NDE.

Installation results.

Result

NDE installed on Windows Server, using previously installed CA for requesting certificates.