OpenVPN tunnel: Increase server and client certificate duration

[gsanchietti]

Proposed Feature
Enhance the OpenVPN tunnel server certificate management by increasing its default validity period and surfacing its validity in the user interface.

Purpose and Motivation
Currently, OpenVPN tunnel certificates are valid for 2 years, while the Certificate Authority (CA) is valid for 10 years. When the VPN certificate expires, it is not automatically renewed, requiring manual intervention and certificate reinstallation on the client side. This can lead to service interruptions and additional maintenance for users and administrators. Increasing the validity and improving visibility will enhance user experience and reduce administrative burden.

Proposed Solution

• Extend the default VPN certificate duration from 2 years to 10 years (to align with the CA).
• Show the VPN certificate's expiration date and validity period within the user interface, allowing administrators to easily monitor certificate status.

See Also

• Helpdesk ticket: https://helpdesk.nethesis.it/a/tickets/197672
• Private discussion: https://mattermost.nethesis.it/nethesis/pl/hphoy4ezt3dnxyqzzsnxm5upwo

[gsanchietti]

Workaround: change the duration of certificates to 10 years.

1. Delete the tunnel
2. Execute these commands:

sed -i  's|EASYRSA_BATCH=1 |EASYRSA_BATCH=1 EASYRSA_CERT_EXPIRE=3650 |' /usr/sbin/ns-openvpntunnel-add-client
sed -i  's|EASYRSA_BATCH=1 /usr/bin/easyrsa init-pki$|EASYRSA_BATCH=1 EASYRSA_CERT_EXPIRE=3650 /usr/bin/easyrsa init-pki|' /usr/sbin/ns-openvpnrw-init-pki

3. Create the tunnel

To verify the certificate expiration (tunnel name is tun2):

openssl x509 -noout -text -in   /etc/openvpn/ns_tun2/pki/issued/server.crt  | grep "Not After
openssl x509 -noout -text -in   /etc/openvpn/ns_tun2/pki/issued/client.crt  | grep "Not After

[federicoballarini]

I tried to follow the above instructions on a OpenVPN Roadwarrior with expired certificate, but the system generates always a 2-years server certificate. I added this command to the others two:

sed -i 's|EASYRSA_BATCH=1 EASYRSA_REQ_CN=$cn /usr/bin/easyrsa build-server-full server nopass$|EASYRSA_BATCH=1 EASYRSA_CERT_EXPIRE=3650 EASYRSA_REQ_CN=$cn /usr/bin/easyrsa build-server-full server nopass|' /usr/sbin/ns-openvpnrw-init-pki

And now the certificate expiration is in 2036. Should this be added to the changes?

[Tbaile]

And now the certificate expiration is in 2036. Should this be added to the changes?

For Roadwarrior is not planned at the moment, will discuss this today in the weekly meeting.

[m-dilorenzi]

QA

Image: latest DEV

Steps:

1. Create an OpenVPN tunnel between two firewalls and verify that the connection is up.
2. Verify the validity of both certificates (client and server) on both firewalls by clicking the magnifying-glass icon next to the tunnel name. The modal that opens will display the expiration date.
3. Verify that, on the client side, it is not possible to regenerate the certificates by clicking the menu on the right.
4. Verify instead that, on the server side, it is possible to regenerate the certificate by clicking the menu on the right.
5. Regenerate the certificates.
6. Verify the validity of the server certificate on the server side by clicking the magnifying-glass icon next to the tunnel name. The date should be more recent than the one noted in step 2.
7. Verify that the connection goes down and then comes back up after about a minute, without updating the certificate on the client side.
8. Remove the tunnel on the client firewall, then add a tunnel using the new certificate, and verify that the expiration date of the new client certificate is more recent than the one noted in step 2.
9. Verify that the connection is up again when using the new certificate.