vault-openvpn/README.md

[![Go Report Card](https://goreportcard.com/badge/github.com/Luzifer/vault-openvpn)](https://goreportcard.com/report/github.com/Luzifer/vault-openvpn)
![](https://badges.fyi/github/license/Luzifer/vault-openvpn)
![](https://badges.fyi/github/downloads/Luzifer/vault-openvpn)
![](https://badges.fyi/github/latest-release/Luzifer/vault-openvpn)

# Luzifer / vault-openvpn

`vault-openvpn` is a small wrapper utility to manage [OpenVPN](https://openvpn.net/) configuration combined with a [Vault PKI](https://www.vaultproject.io/docs/secrets/pki/index.html). It enables administrators with Vault access to create client / server configurations with only one command. No more hazzle to manage that easyrsa PKI, just some few commands to set up a Vault PKI and you're done.

## Setting up Vault for this

The Vault setup follows the Quick Start from the Vault documentation and is personalized for me so you need to adapt it to your domain if you want to follow it:

- Mount PKI for my domain  
`vault mount -path=luzifer_io pki`
- Enable long TTLs  
`vault mount-tune -max-lease-ttl=87600h luzifer_io`
- Generate a root certificate  
`vault write luzifer_io/root/generate/internal common_name=luzifer.io ttl=87600h`
- Set CA / CRL URLs  
`vault write luzifer_io/config/urls issuing_certificates=${VAULT_ADDR}/v1/luzifer_io/ca crl_distribution_points=${VAULT_ADDR}/v1/luzifer_io/crl`
- Set a rule for OpenVPN certificates  
`vault write luzifer_io/roles/openvpn allowed_domains="openvpn.luzifer.io" allow_subdomains="true" max_ttl="8760h" ttl="8760h" allow_ip_sans=false allow_localhost=false`

That's all you need to do to set up a whole PKI for your OpenVPN.

## Configuration of the tool

You can pass all configurations through commandline-parameters. To see the available options and their defaults use the `vault-openvpn --help` flag.

Additionally most of the parameters are also supported to be set using a configuration file to be stored in `~/.config/vault-openvpn.yaml`. To use that file you need to specify the arguments to the flags together with the flag name:

```yaml
---
log-level: debug
template-path: /path/to/templates
```

The flags not supported to be set through that file are `vault-addr`, `vault-token` and `version`. First two for security reasons, last because it does not make sense.

## Issuing configurations

You need to create a folder containing two files: `client.conf` and `server.conf`. Those two are templates to use for generating the configuration file used by `vault-openvpn`. Inside those files paste this block which will get replaced by the certificates:

```
<ca>
{{ .CertAuthority }}
</ca>

<cert>
{{ .Certificate }}
</cert>

<key>
{{ .PrivateKey }}
</key>
```

For the server configuration an additional block is available in case you don't want to generate your DH parameters with an external command:

```
<dh>
{{ dhparam <bitsize> [generator] }}
</dh>
```

In this function call you must specify `<bitsize>` (for example `2048`) and may specify the `[generator]`. If the generator is not specified the default generator is set to `2`. Please ensure you are not using this block in your `client.conf` as OpenVPN will not accept it there.

The configurations generated by this tool will not need multiple files but include the certificates inside the configuration. This makes it far more easy to pass them to your users. No unzip, no questions where to put the files, mostly the OpenVPN clients will know how to handle something called `my-vpn.conf`.

After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration:

```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io
server 10.231.0.0 255.255.255.0
route 10.231.0.0 255.255.255.0

[...]
```

And also you can generate client configurations:

```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
remote myserver.com 1194 udp

[...]
```

In case someone needs to get removed from your OpenVPN there is also a revoke:

```console
$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io
[...]
2016/07/25 15:06:58 Found certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 with CN baduser.openvpn.luzifer.io
2016/07/25 15:06:58 Revoked certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0
[...]
```

To have revokes being executed by OpenVPN you need to periodically update the CRL file OpenVPN reads. For my solution see the `living-example` in the `example` folder.

## Using TLS authentication
OpenVPN highly recommends using TLS authentication hardening, see [GettingStartedwithOVPN](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication).

This requires the use of a pre-shared key: If you want to use it, you will first need to generate a TLS authentication key and then upload it into vault:

```console
$ openvpn --genkey --secret openvpn.key
$ vault kv put secret/ovpn key=@openvpn.key
```

In the above example we call the secret "ovpn" but you can call it anything you want, as long as it is a known value.
The key must be placed into both the client and server configurations and must match. Edit both config templates to include a section as shown below:

```
<tls-auth>
{{ .TLSAuth }}
</tls-auth>
```

Now run vault-openvpn passing in the name of the secret that holds our key, e.g.

```console
# for the server config
$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io

# for the client config
$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
```

Pay attention when using a **Vault KV v2 backend**: You need to specify the path slighty different and use `vault-openvpn` v1.9.0 and above.

```console
$ openvpn --genkey --secret openvpn.key
$ vault kv put secret/vault-openvpn/ovpn key=@openvpn.key

$ vault-openvpn --auto-revoke --ovpn-key secret/data/vault-openvpn/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io
```

Mind the additional `/data` added inside the key directly after the mount. This is required due to the differences in API methods between the KV v1 and v2 backends.
Remove gobuilder badge Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-05-04 10:29:28 +00:00			`[![Go Report Card](https://goreportcard.com/badge/github.com/Luzifer/vault-openvpn)](https://goreportcard.com/report/github.com/Luzifer/vault-openvpn)`
Adjust README buttons Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-01-30 21:39:23 +00:00			`![](https://badges.fyi/github/license/Luzifer/vault-openvpn)`
			`![](https://badges.fyi/github/downloads/Luzifer/vault-openvpn)`
			`![](https://badges.fyi/github/latest-release/Luzifer/vault-openvpn)`
add README / LICENSE 2016-07-25 13:11:26 +00:00
			`# Luzifer / vault-openvpn`

			`vault-openvpn` is a small wrapper utility to manage [OpenVPN](https://openvpn.net/) configuration combined with a [Vault PKI](https://www.vaultproject.io/docs/secrets/pki/index.html). It enables administrators with Vault access to create client / server configurations with only one command. No more hazzle to manage that easyrsa PKI, just some few commands to set up a Vault PKI and you're done.

			`## Setting up Vault for this`

			`The Vault setup follows the Quick Start from the Vault documentation and is personalized for me so you need to adapt it to your domain if you want to follow it:`

			`- Mount PKI for my domain`
			`vault mount -path=luzifer_io pki`
			`- Enable long TTLs`
			`vault mount-tune -max-lease-ttl=87600h luzifer_io`
			`- Generate a root certificate`
Update README.md 2017-06-19 22:56:59 +00:00			`vault write luzifer_io/root/generate/internal common_name=luzifer.io ttl=87600h`
add README / LICENSE 2016-07-25 13:11:26 +00:00			`- Set CA / CRL URLs`
			`vault write luzifer_io/config/urls issuing_certificates=${VAULT_ADDR}/v1/luzifer_io/ca crl_distribution_points=${VAULT_ADDR}/v1/luzifer_io/crl`
			`- Set a rule for OpenVPN certificates`
			`vault write luzifer_io/roles/openvpn allowed_domains="openvpn.luzifer.io" allow_subdomains="true" max_ttl="8760h" ttl="8760h" allow_ip_sans=false allow_localhost=false`

			`That's all you need to do to set up a whole PKI for your OpenVPN.`

Add configuration section to README Signed-off-by: Knut Ahlers <knut@ahlers.me> 2017-05-04 12:29:13 +00:00			`## Configuration of the tool`

			You can pass all configurations through commandline-parameters. To see the available options and their defaults use the `vault-openvpn --help` flag.

			Additionally most of the parameters are also supported to be set using a configuration file to be stored in `~/.config/vault-openvpn.yaml`. To use that file you need to specify the arguments to the flags together with the flag name:

			```yaml
			`---`
			`log-level: debug`
			`template-path: /path/to/templates`
			```

			The flags not supported to be set through that file are `vault-addr`, `vault-token` and `version`. First two for security reasons, last because it does not make sense.

add README / LICENSE 2016-07-25 13:11:26 +00:00			`## Issuing configurations`

			You need to create a folder containing two files: `client.conf` and `server.conf`. Those two are templates to use for generating the configuration file used by `vault-openvpn`. Inside those files paste this block which will get replaced by the certificates:

			```
			`<ca>`
			`{{ .CertAuthority }}`
			`</ca>`

			`<cert>`
			`{{ .Certificate }}`
			`</cert>`

			`<key>`
			`{{ .PrivateKey }}`
			`</key>`
			```

Add dhparam generation support Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-10-08 11:17:50 +00:00			`For the server configuration an additional block is available in case you don't want to generate your DH parameters with an external command:`

			```
			`<dh>`
			`{{ dhparam <bitsize> [generator] }}`
			`</dh>`
			```

			In this function call you must specify `<bitsize>` (for example `2048`) and may specify the `[generator]`. If the generator is not specified the default generator is set to `2`. Please ensure you are not using this block in your `client.conf` as OpenVPN will not accept it there.

add README / LICENSE 2016-07-25 13:11:26 +00:00			The configurations generated by this tool will not need multiple files but include the certificates inside the configuration. This makes it far more easy to pass them to your users. No unzip, no questions where to put the files, mostly the OpenVPN clients will know how to handle something called `my-vpn.conf`.

			After you've set up your folder (you also could use one of the example configurations in the [`example` folder](https://github.com/Luzifer/vault-openvpn/tree/master/example) of this repository) you can issue your servers configuration:

Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			```console
			`$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io`
add README / LICENSE 2016-07-25 13:11:26 +00:00			`server 10.231.0.0 255.255.255.0`
			`route 10.231.0.0 255.255.255.0`

			`[...]`
			```

			`And also you can generate client configurations:`

Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			```console
			`$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io`
add README / LICENSE 2016-07-25 13:11:26 +00:00			`remote myserver.com 1194 udp`

			`[...]`
			```

			`In case someone needs to get removed from your OpenVPN there is also a revoke:`

Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			```console
			`$ vault-openvpn --auto-revoke --pki-mountpoint luzifer_io revoke baduser.openvpn.luzifer.io`
add README / LICENSE 2016-07-25 13:11:26 +00:00			`[...]`
			`2016/07/25 15:06:58 Found certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0 with CN baduser.openvpn.luzifer.io`
			`2016/07/25 15:06:58 Revoked certificate 33:e1:0c:85:36:a5:c2:6b:05:85:f5:aa:9f:3b:f3:3a:a2:e0:ae:b0`
			`[...]`
			```

			To have revokes being executed by OpenVPN you need to periodically update the CRL file OpenVPN reads. For my solution see the `living-example` in the `example` folder.
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`## Using TLS authentication`
			`OpenVPN highly recommends using TLS authentication hardening, see [GettingStartedwithOVPN](https://community.openvpn.net/openvpn/wiki/GettingStartedwithOVPN#TLSAuthentication).`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`This requires the use of a pre-shared key: If you want to use it, you will first need to generate a TLS authentication key and then upload it into vault:`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			```console
			`$ openvpn --genkey --secret openvpn.key`
			`$ vault kv put secret/ovpn key=@openvpn.key`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00			```

Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`In the above example we call the secret "ovpn" but you can call it anything you want, as long as it is a known value.`
			`The key must be placed into both the client and server configurations and must match. Edit both config templates to include a section as shown below:`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00
			```
			`<tls-auth>`
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`{{ .TLSAuth }}`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00			`</tls-auth>`
			```

			`Now run vault-openvpn passing in the name of the secret that holds our key, e.g.`

Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			```console
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00			`# for the server config`
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io server edda.openvpn.luzifer.io`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00
Adjust wording and formatting Signed-off-by: Knut Ahlers <knut@ahlers.me> 2018-05-27 08:21:08 +00:00			`# for the client config`
			`$ vault-openvpn --auto-revoke --ovpn-key secret/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io`
Can now use TLS Auth with shared key in vault 2018-05-23 12:10:01 +00:00			```
Add support for Vault KVv2 backends refs #9 Signed-off-by: Knut Ahlers <knut@ahlers.me> 2019-02-14 22:02:17 +00:00
			Pay attention when using a Vault KV v2 backend: You need to specify the path slighty different and use `vault-openvpn` v1.9.0 and above.

			```console
			`$ openvpn --genkey --secret openvpn.key`
			`$ vault kv put secret/vault-openvpn/ovpn key=@openvpn.key`

			`$ vault-openvpn --auto-revoke --ovpn-key secret/data/vault-openvpn/ovpn --pki-mountpoint luzifer_io client workwork01.openvpn.luzifer.io`
			```

			Mind the additional `/data` added inside the key directly after the mount. This is required due to the differences in API methods between the KV v1 and v2 backends.