no ca mode - TinCanTech/easy-tls GitHub Wiki

This page describes how to use Easy-TLS in No-CA mode.

Easy-TLS No-CA mode

OpenVPN can run in Peer-Fingerprint mode, which means that it does not require a CA and full PKI from Easy-RSA. Instead OpenVPN uses self-signed certificate fingerprints to validate each end.

Requirements

  • OpenVPN version 2.6.0
  • Easy-TLS: For generating self-signed certificates and building TLS keys.

Setup

  • Install Easy-RSA3 first and initialise: ./easyrsa init-pki
  • Download the complete file list for Easy-TLS into your working directory. Initialise Easy-TLS in No CA mode: ./easytls init-tls no-ca

Using No-CA mode

  • Create self signed server certificate: ./easytls self-sign-server your-server-name (Abbreviation: sss)
  • Create self signed client certificates: ./easytls self-sign-client your-client-name (Abbreviation: ssc) Use -r|--ss-peer-fingerprint=<Server_commonName> to enable automatic sharing of fingerprints. The client fingerprint is added to a list in the server inline file and the server fingerprint is added to the client inline file. Example: ./easytls -r=server01 ssc client01
  • Set your CUSTOM_GROUP: ./easytls config custom.group your-custom-group
  • Build TLS-Crypt-V2 Server key: ./easytls build-tls-crypt-v2-server your-server-name (Abbreviation: btcv2s)
  • Build TLS-Crypt-V2 Client keys: ./easytls build-tls-crypt-v2-client your-server-name your-client-name (Abbreviation: btcv2c) Optionally, you can add MAC hardware addresses to the client keys. Sub-keys are also supported.
  • Inline your certificates and keys: ./easytls inline-tls-crypt-v2 node-name (Abbreviation: itcv2)

Using the certs and keys

  • The Server and Client inline-files are located in ./easytls directory in your Easy-RSA working directory. Note: The finger-print is copied to the peer, it is not used in the same config as the cert and key.
  • Server configuration file: 
    <peer-fingerprint>
# Peer-Client client01
1D:72:07:57:5B:E1:0C:90:01:63:D3:96:88:90:7C:F9:B5:A7:4D:AE:84:EE:A8:80:89:94:DD:EA:1E:4D:F2:C8
# Peer-Client client02
CC:74:E3:40:B6:DF:6F:32:BD:38:20:19:5C:56:01:1C:C5:A6:E6:F3:C1:BA:E4:57:BB:0B:64:B8:43:FB:1B:F5
</peer-fingerprint>
  • Client configuration file: 
    <peer-fingerprint>
# Peer-Server server01
9B:2C:CA:27:4E:18:B7:81:9F:8C:3F:7F:B0:82:B2:AE:E1:B6:87:68:B9:65:51:0D:3C:F4:D7:19:06:CF:C3:96
</peer-fingerprint>

Configuring Openvpn Server to use Easy-TLS scripts

  • Use Easy-TLS interactive script menu: ./easytls script and follow the instructions.

Notes

  • Not all Easy-TLS functions work in No-CA mode. I am working on improvements.