RSA, PKI, OPENVPN

How can we help?

Навигация
➜  ~ openssl s_client -showcerts -connect wifikzn.ru:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = wifikzn.ru
verify return:1
---
Certificate chain
 0 s:CN = wifikzn.ru
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 23 07:18:38 2022 GMT; NotAfter: Sep 21 07:18:37 2022 GMT
-----BEGIN CERTIFICATE-----
MIIFKjCCBBKgAwIBAgISA52pqnZKlVuYuuNoMP6S1jl0MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjA2MjMwNzE4MzhaFw0yMjA5MjEwNzE4MzdaMBUxEzARBgNVBAMT
CndpZmlrem4ucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCyyg19
3wHEaHL1wmc+lNSbN3cTe0WX3VzBZBIG1UUktLREpvJgYOgOwtKTTJcAeQDJvY92
hmVlf1NZWRxcAzCC2JLCh3DOgA1ZheuYEsX1Bq1EinkGCgZsKUHBILVuudUIq+qM
XQqPF7/xg5KrGpVCvANXe6sCJjG0iuxMb1raLBnIR1XkZvqa+UQHAQuj2HYX0pVp
CQgyoTrhRBRd4GTzSmOSDevYlPYBePLyk+TSf3H0qWKlcJWXtVxh88iUGeMTHY/b
L2ohMU1SVAnXs7u8fKJY8IHFGnQ1XbtbYCND5mp5yQp3L1+ZD/fkEn/b2Y57P4IE
GrdnwxvEWME8knc1AgMBAAGjggJVMIICUTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FJxkHR/0573sRtSIjrdY6HWvuxK6MB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMCUG
A1UdEQQeMByCCndpZmlrem4ucnWCDnd3dy53aWZpa3puLnJ1MEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcA36Ve
q2iCTx9sre64X04+WurNohKkal6OOxLAIERcKnMAAAGBj6RMGQAABAMASDBGAiEA
u8llSGxlMNZ45N79fHEiH32KBZOi2BE5YWX+dOlzRIoCIQCq1KW9sRnCNvNw0gV6
BywVcY1PSvvvLUOHVe9pnuItQAB1ACl5vvCeOTkh8FZzn2Old+W+V32cYAr4+U1d
JlwlXceEAAABgY+kTA0AAAQDAEYwRAIgXJPliiRqhHGNA5FT1imBJq5Xz9PG5qwa
NyRd9lJ7srECIFnWkO0QySVfAG/kIi9fh+HLxWECskqHLunfUH5PntI3MA0GCSqG
SIb3DQEBCwUAA4IBAQC5LrBr2uH2DtzyNEsj28STxgWpMw3Xg3d0LWwExzZ9NDMi
3ciXoyN3vqI8se2TV5NZSqrCbCzi7aJ6imZBV4/eABklpxK2+5vomxqi2lzxp1wM
OTzPCM4TCFKTjmapbkWZbkveVRWPD9pXCg06w6T4thSmEbSJRiaCgzAaZjEuNMwr
ZeRmhhpjO1QNJ0RC7ArCY4d1RYP9ZyRyEbUkst9If/V0EwEJyNMPszY7gZOUwcv4
PoPrZegpmREeUAIsCoFbh4z+D7f5Y+fl+ZCfmVgOah/IiDJ2i5iA0hg8KgYb/qdz
GXkVJATdviqGo+9l7zze59GjHLeTs27dyvGppW6W
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
-----END CERTIFICATE-----
---
Server certificate
subject=CN = wifikzn.ru
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4582 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 9CF8367F8CD7B436DAA0A21BDEDC0E00607C45CCAC7AD2B99CC9BE6D89909410
    Session-ID-ctx:
    Resumption PSK: 0FD3A35D5AA0EE8C6F2349B3D6CAAFF0207E58A1157604C3405692C75BA4DF5582D66791361B3660D2BFE132D0E8A351
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 19 32 cc 5f f8 8d ec 3f-4c 2e 82 af 59 d6 09 7f   .2._...?L...Y...
    0010 - 1a 38 35 79 9e 53 6e 7d-41 c3 d4 f4 27 f7 b7 da   .85y.Sn}A...'...
    0020 - cd a2 b9 ab 72 3a 82 3c-03 34 e8 cd a3 02 de 0f   ....r:.<.4......
    0030 - 0c ef 46 86 07 ec bc e1-9e 75 78 ca 0e f8 d9 f8   ..F......ux.....
    0040 - 72 a2 ad f7 62 d4 a4 0e-63 0e 1e 8a 5f 65 22 30   r...b...c..._e"0
    0050 - bf 30 36 b0 19 9c 38 c5-8b 34 b0 ae 14 3c 1d 04   .06...8..4...<..
    0060 - 68 93 e4 f2 7e 69 0d 46-01 41 b2 fc 3e 91 e8 fa   h...~i.F.A..>...
    0070 - a8 4e 86 1a 78 e7 29 c7-90 ba 11 1c e3 a0 62 f9   .N..x.).......b.
    0080 - fe 1e 98 5b 51 8f 73 48-10 89 85 e6 27 f4 ed a6   ...[Q.sH....'...
    0090 - ba e0 57 11 ea f3 fb a6-52 15 93 f5 a3 95 36 47   ..W.....R.....6G
    00a0 - 93 27 03 9b 05 68 e6 db-0d 07 9e 9f 06 ca cc 19   .'...h..........
    00b0 - 37 b3 94 24 e7 10 a5 52-63 db 2d 7e 67 87 34 dc   7..$...Rc.-~g.4.
    00c0 - 95 46 9a 3d 92 ca 4b 8e-cf 61 57 af fb fc b9 f1   .F.=..K..aW.....
    00d0 - dc 26 27 b8 f6 86 a9 dc-c7 db a0 b5 c5 5b 2d 14   .&'..........[-.

    Start Time: 1658211670
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 19FB6B134BCB72E3E10122830C9545056EC2B94338C518463DF2B3231AC9C71E
    Session-ID-ctx:
    Resumption PSK: EC4B1B1AAF361A9204953A33E1539FD133B0EE87F9E16072E3EF5F4129B087F784F3369F2DD69B2C1ADCC34278846133
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 19 32 cc 5f f8 8d ec 3f-4c 2e 82 af 59 d6 09 7f   .2._...?L...Y...
    0010 - a2 4a 44 1d 62 9c 4d 16-ee 22 51 c0 9e b2 0f a0   .JD.b.M.."Q.....
    0020 - 0a 7c 8d 07 12 91 be 6f-1a 51 ab 57 cb 46 69 38   .|.....o.Q.W.Fi8
    0030 - 2b d4 0f 6f 82 1b 38 98-20 1f 3d d9 2e 69 e9 9f   +..o..8. .=..i..
    0040 - 2f 6c 49 12 23 5a ad 8b-ae d7 7d 28 18 dc 98 d2   /lI.#Z....}(....
    0050 - 5b 2c 39 34 99 3a 56 55-26 ff 17 64 aa 35 96 6e   [,94.:VU&..d.5.n
    0060 - 7a 2d ea 33 fa c9 a7 a8-d2 5b 67 34 e4 c3 51 2b   z-.3.....[g4..Q+
    0070 - ea 4b 04 e8 a9 73 a6 ca-4a db 9c 67 c8 61 68 c0   .K...s..J..g.ah.
    0080 - 6f 6a 43 a2 41 9f 4e 04-98 ff 25 80 99 66 8e 2a   ojC.A.N...%..f.*
    0090 - 65 65 65 e3 5e 92 7e 7b-d0 18 4b f3 63 93 7d b6   eee.^.~{..K.c.}.
    00a0 - 2d 76 f8 e3 2c 28 9b fa-f3 56 62 90 f6 59 01 ac   -v..,(...Vb..Y..
    00b0 - 6c 2e f0 f9 52 38 08 c2-0c 54 19 06 70 bc 58 a2   l...R8...T..p.X.
    00c0 - 50 54 ad 89 9e bb ef 5f-c2 f7 73 ec f4 ba ea f1   PT....._..s.....
    00d0 - d0 da bb 8d 09 9f 45 1b-eb c3 ba c2 2f 6b 85 ae   ......E...../k..

    Start Time: 1658211670
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Поля и состав сертификатов описаны здесь. На сервере настраиваем:

[root@r3 ~]# sudo yum install epel-release -y
...
Установленоe
  epel-release.noarch 0:7-11


[root@r3 ~]# yum install openvpn easy-rsa -y
...
Установлено:
  easy-rsa.noarch 0:3.0.8-1.el7                                                            openvpn.x86_64 0:2.4.12-1.el7
Установлены зависимости:
  pkcs11-helper.x86_64 0:1.11-3.el7

[root@r3 ~]# cd /etc/openvpn/
[root@r3 openvpn]# ll
итого 0
drwxr-x---. 2 root openvpn 6 мар 17 21:57 client
drwxr-x---. 2 root openvpn 6 мар 17 21:57 server
[root@r3 openvpn]# cp -r /usr/share/easy-rsa /etc/openvpn/
[root@r3 openvpn]# ll
итого 0
drwxr-x---. 2 root openvpn  6 мар 17 21:57 client
drwxr-xr-x. 3 root root    39 июл 19 09:41 easy-rsa
drwxr-x---. 2 root openvpn  6 мар 17 21:57 server
[root@r3 openvpn]# cd easy-rsa/3
[root@r3 3]# ll
итого 84
-rwxr-xr-x. 1 root root 76946 июл 19 09:41 easyrsa
-rw-r--r--. 1 root root  4616 июл 19 09:41 openssl-easyrsa.cnf
drwxr-xr-x. 2 root root   122 июл 19 09:41 x509-types
[root@r3 3]# vi vars
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY "Moscow"
set_var EASYRSA_REQ_ORG "EXAMPLE CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "openvpn@example.com"
set_var EASYRSA_REQ_OU "Example.com EASY CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "EXAMPLE CERTIFICATE AUTHORITY"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
set_var EASYRSA_DIGEST "sha256"
~
[root@r3 3]# chmod +x vars
[root@r3 3]# ll
итого 88
-rwxr-xr-x. 1 root root 76946 июл 19 09:41 easyrsa
-rw-r--r--. 1 root root  4616 июл 19 09:41 openssl-easyrsa.cnf
-rwxr-xr-x. 1 root root   680 июл 19 09:45 vars
drwxr-xr-x. 2 root root   122 июл 19 09:41 x509-types


[root@r3 3]# ./easyrsa init-pki

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/3/pki


[root@r3 3]# ./easyrsa build-ca nopass  # Без пароля, лучше так не делать в реальных имплементациях.

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating RSA private key, 2048 bit long modulus
..............+++
............................................................+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/3/pki/ca.crt


[root@r3 3]# ./easyrsa gen-req server nopass       # Создаём ключи для сервера без пароля, лучше так не делать в реальных имплементациях.

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
...............+++
..............................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-30857.8Ym7Vf/tmp.o3CctI'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [server]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/server.req
key: /etc/openvpn/easy-rsa/3/pki/private/server.key

[root@r3 3]# ./easyrsa sign-req server server               # Подписываем сертификат сервера у удостоверяющего центра

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a server certificate for 365 days:

subject=
    commonName                = server


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-31218.evpD2t/tmp.GfudNy
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until Jul 19 07:05:01 2023 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/server.crt

[root@r3 3]# openssl verify -CAfile pki/ca.crt pki/issued/server.crt   # Проверяем валидность выписанного сертификата
pki/issued/server.crt: OK

[root@r3 3]# ./easyrsa gen-req client01 nopass   # сертификат для клиента

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating a 2048 bit RSA private key
......................................................+++
..............................+++
writing new private key to '/etc/openvpn/easy-rsa/3/pki/easy-rsa-495.ys37KA/tmp.18YHKd'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [client01]:

Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/3/pki/reqs/client01.req
key: /etc/openvpn/easy-rsa/3/pki/private/client01.key

[root@r3 3]#  ./easyrsa sign-req client client01   # Подписываем выписанный сертификат у CA

Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 365 days:

subject=
    commonName                = client01


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /etc/openvpn/easy-rsa/3/pki/easy-rsa-1995.lZ4kT5/tmp.9bQON9
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'client01'
Certificate is to be certified until Jul 19 07:13:13 2023 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /etc/openvpn/easy-rsa/3/pki/issued/client01.crt

[root@r3 3]# openssl verify -CAfile pki/ca.crt pki/issued/client01.crt    # Проверяем валидность
pki/issued/client01.crt: OK

[root@r3 3]# ./easyrsa gen-dh    # Создаём Diffie-Hellman-ключ
wd
Note: using Easy-RSA configuration from: /etc/openvpn/easy-rsa/3.0.8/vars
Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..+...................................+.................................................................................+............+.................................................................................................................................................+.....................................................................+....................................................................................+....................................+.+.....................................................................+.............................+................................................+...................................................................................................................+.............+..................+...................................................................................+...+........................................................+...................................................................................................................................................+.................................................................+..................................................................................................................................................................................................................................................+...........+......................................................................+...........+.........................................................................................................................................................................................................................+.+......................................................................................................................................+..............+....................................................................++*++*

DH parameters of size 2048 created at /etc/openvpn/easy-rsa/3/pki/dh.pem

[root@r3 3]# pwd               # копируем сертификаты в папку
/etc/openvpn/easy-rsa/3
[root@r3 3]# cp pki/ca.crt /etc/openvpn/server/
[root@r3 3]# cp pki/issued/server.crt /etc/openvpn/server/
[root@r3 3]# cp pki/private/server.key /etc/openvpn/server/
[root@r3 3]# cp pki/ca.crt /etc/openvpn/client/
[root@r3 3]# cp pki/issued/client01.crt /etc/openvpn/client/
[root@r3 3]# cp pki/private/client01.key /etc/openvpn/client/
[root@r3 3]# cp pki/dh.pem /etc/openvpn/server/
[root@r3 3]# vi /etc/openvpn/server.conf

# OpenVPN Port, Protocol and the Tun
port 1194
proto udp
dev tun
# OpenVPN Server Certificate - CA, server key and certificate
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
#DH key
dh /etc/openvpn/server/dh.pem
# Network Configuration - Internal network
# Redirect all Connection through OpenVPN Server
server 10.8.1.0 255.255.255.0
push "redirect-gateway def1"
# Using the DNS from https://dns.watch
push "dhcp-option DNS 8.8.8.8"
#Enable multiple client to connect with same Certificate key
duplicate-cn
# TLS Security
cipher AES-256-CBC
tls-version-min 1.2
# tls-cipher
# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHERSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
auth SHA512
auth-nocache
# Other Configuration
keepalive 20 60
persist-key
persist-tun
comp-lzo yes
daemon
user nobody
group nobody
# OpenVPN Log
log-append /var/log/openvpn.log
verb 3

[root@r3 3]# echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf    # включаем форвардинг 
[root@r3 3]# sysctl -p
net.ipv4.ip_forward = 1

[root@r3 3]# systemctl start firewalld
[root@r3 3]# firewall-cmd --permanent --add-service=openvpn  # настраиваем файрволл
success
[root@r3 3]#  firewall-cmd --permanent --zone=trusted --add-interface=tun0
success
[root@r3 3]# firewall-cmd --reload
success
[root@r3 3]#
[root@r3 3]# systemctl start openvpn@server
[root@r3 3]# systemctl status openvpn@server
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: active (running) since Вт 2022-07-19 10:49:17 MSK; 6s ago
 Main PID: 15527 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─15527 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

июл 19 10:49:17 r3 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
июл 19 10:49:17 r3 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.

[root@r3 3]# ss -tulpan | grep 1194
udp    UNCONN     0      0         *:1194                  *:*                   users:(("openvpn",pid=15527,fd=4))


[root@r3 3]# cd /etc/openvpn/client/

[root@r3 client]# vi client01.ovpn
client
dev tun
proto udp
remote 192.168.1.32 1194 # IP адрес сервера
ca ca.crt
cert client01.crt
key client01.key
cipher AES-256-CBC
auth SHA512
auth-nocache
tls-version-min 1.2
# tls-cipher
# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHERSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
resolv-retry infinite
compress lzo
nobind
persist-key
persist-tun
# mute-repl
~

[root@r3 client]# ll
итого 20
-rw-------. 1 root root 1172 июл 19 10:16 ca.crt
-rw-------. 1 root root 4438 июл 19 10:16 client01.crt
-rw-------. 1 root root 1704 июл 19 10:17 client01.key
-rw-r--r--. 1 root root  424 июл 19 13:28 client01.ovpn

[root@r3 client]# cd ..
[root@r3 openvpn]# tar -czvf client01.tar.gz client/*
client/ca.crt
client/client01.crt
client/client01.key
client/client01.ovpn
client/client01.tar.gz

[root@r1 client]# openvpn --config client01.ovpn &
[1] 3433
[root@r1 client]# Tue Jul 19 14:05:17 2022 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Tue Jul 19 14:05:17 2022 library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Tue Jul 19 14:05:17 2022 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jul 19 14:05:17 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.32:1194
Tue Jul 19 14:05:17 2022 UDP link local: (not bound)
Tue Jul 19 14:05:17 2022 UDP link remote: [AF_INET]192.168.1.32:1194
Tue Jul 19 14:05:17 2022 [server] Peer Connection Initiated with [AF_INET]192.168.1.32:1194
Tue Jul 19 14:05:18 2022 TUN/TAP device tun0 opened
Tue Jul 19 14:05:18 2022 /sbin/ip link set dev tun0 up mtu 1500
Tue Jul 19 14:05:18 2022 /sbin/ip addr add dev tun0 local 10.8.1.10 peer 10.8.1.9
Tue Jul 19 14:05:18 2022 Initialization Sequence Completed

[root@r1 client]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:fb:c6:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.30/24 brd 192.168.1.255 scope global noprefixroute dynamic enp0s3
       valid_lft 543sec preferred_lft 543sec
    inet6 fe80::331:d8ac:ef4e:7834/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 08:00:27:9b:36:c9 brd ff:ff:ff:ff:ff:ff
4: enp0s9: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 08:00:27:79:eb:ba brd ff:ff:ff:ff:ff:ff
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.8.1.10 peer 10.8.1.9/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::a96d:fef9:db78:581/64 scope link flags 800
       valid_lft forever preferred_lft forever
[root@r1 client]# ping 33.33.33.33
PING 33.33.33.33 (33.33.33.33) 56(84) bytes of data.
64 bytes from 33.33.33.33: icmp_seq=1 ttl=64 time=0.513 ms
64 bytes from 33.33.33.33: icmp_seq=2 ttl=64 time=0.685 ms
64 bytes from 33.33.33.33: icmp_seq=3 ttl=64 time=0.682 ms
^C
--- 33.33.33.33 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.513/0.626/0.685/0.085 ms
[root@r1 client]# ps -afx | grep openvpn
 3433 pts/0    S      0:00  |   |   \_ openvpn --config client01.ovpn
 3758 pts/0    S+     0:00  |   |   \_ grep --color=auto openvpn
[root@r1 client]# kill 3433



на клиенте:

[root@r1 ~]# sudo yum install openvpn network-manager-openvpn -y
...
[root@r1 ~]# cd /etc/openvpn

[root@r1 openvpn]# scp root@192.168.1.32:/etc/openvpn/client01.tar.gz .
The authenticity of host '192.168.1.32 (192.168.1.32)' can't be established.
ECDSA key fingerprint is SHA256:Z914vrI0Nu3T5VuJIJP3aPZh04kegrZnamHEMvp8HNo.
ECDSA key fingerprint is MD5:de:66:f2:8f:99:5e:28:74:93:c0:21:40:45:e5:58:0d.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.1.32' (ECDSA) to the list of known hosts.
root@192.168.1.32's password:
client01.tar.gz                      

[root@r1 openvpn]# tar -xzvf client01.tar.gz
client/ca.crt
client/client01.crt
client/client01.key
client/client01.ovpn
client/client01.tar.gz

[root@r1 openvpn]#  cd client/