kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

4096 bit keys #445

Open Biepa opened 5 years ago

Biepa commented 5 years ago

Hey,

I want to generate 4096 bit keys. Regarding #154, I added `declare -x EASYRSA_KEY_SIZE=4096` to `ovpn_env.sh`.

Do I need to reinitialize something?

`docker-compose run --rm openvpn easyrsa build-client-full $CLIENTNAME` still generates 2048 bit keys.

`docker-compose run -e EASYRSA_KEY_SIZE=4096 --rm openvpn easyrsa build-client-full $CLIENTNAME` gets me 4096 bit keys.

But when I export the .ovpn file, the content of `ovpn_env.sh` is written into the .ovpn file and then the config doesn't work. When I manually remove those lines, the config works as expected.

Does somebody know, where I am wrong?

Amaelh commented 5 years ago

To generate a 4096 bit key, the parameter has to be added to the command initialising the server part: `docker-compose run --rm -e EASYRSA_KEY_SIZE=4096 rpi-openvpn sh -c "ovpn_initpki"`

On my side I added the following parameters directly in `docker-compose.yml`: `environment:`

Biepa commented 5 years ago

@Amaelh Hey, thank you for your answer. I tried as you said, and the initial process worked so far.

But when I use the `build-client-full` command I still get all those config parameters in the .ovpn file:

```
+ set -e

remote vpn.domain.de 1194 udp'

client
nobind
dev tun
remote-cert-tls server

remote vpn.domain.de 1194 udp

-----BEGIN ENCRYPTED PRIVATE KEY-----
omitted
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
omitted
-----END CERTIFICATE-----

key-direction 1

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
omitted
-----END OpenVPN Static key V1-----
```

Amaelh commented 5 years ago

Well, I have the same on my side: the ta.key file mentions a 2048 bit length in comments. Only my ca.crt is generated with 4096 bits:

```
bash-4.4# openssl x509 -text -noout -in ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ....
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=vpn.domain.ltd
        Validity
            Not Before: ...
            Not After : ...
        Subject: CN=vpn.domain.ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
```

I guess we'll need another opinion here
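Two checks that follow from this thread, added here as an example and not code from docker-openvpn itself: a lint for the shell lines that leaked into the exported .ovpn above, and the openssl key-size check Amaelh ran, applied to the inline certificate blocks of a client file. The function names are mine, and the tag names assume docker-openvpn's usual inline `<ca>`/`<cert>`/`<key>`/`<tls-auth>` export.

```shell
#!/bin/sh
# Added example, not part of docker-openvpn: sanity checks for a client .ovpn
# exported with ovpn_getclient. The residue pattern ("+ set -e", "declare -x",
# VAR=value lines) is what the export in the thread shows; the tag names assume
# the usual inline <ca>/<cert>/<key>/<tls-auth> blocks that docker-openvpn emits.

# Print lines outside inline <tag>...</tag> blocks that look like shell rather
# than OpenVPN directives. Exit status 0 = clean, 1 = residue found.
ovpn_shell_residue() {
  awk '
    /^<[a-z-]+>$/   { inblock = 1; next }   # start of an inline block
    /^<\/[a-z-]+>$/ { inblock = 0; next }   # end of an inline block
    inblock || /^[[:space:]]*$/ || /^#/ || /^;/ { next }
    /^\+ / || /^(declare|export|set|source|\.) / || /^[A-Za-z_][A-Za-z0-9_]*=/ {
      found++
      print "shell residue at line " NR ": " $0
    }
    END { exit (found > 0) }
  ' "$1"
}

# Print the RSA modulus size of the certificate inside the named inline block
# ("ca" or "cert"). Needs openssl; prints nothing if the block is missing.
# EASYRSA_KEY_SIZE only affects these RSA keys: the static key in <tls-auth>
# is an HMAC key that "openvpn --genkey" always writes as 2048 bit, so its
# "# 2048 bit OpenVPN static key" header is expected even with 4096 bit RSA.
ovpn_rsa_bits() {
  awk -v tag="$2" '
    $0 == ("<" tag ">")  { p = 1; next }
    $0 == ("</" tag ">") { p = 0 }
    p
  ' "$1" | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage:
#   ovpn_shell_residue client.ovpn   # lists leaked shell lines, exit 1 if any
#   ovpn_rsa_bits client.ovpn cert   # prints e.g. 4096
#   ovpn_rsa_bits client.ovpn ca
```

Running `ovpn_shell_residue` on the export above would flag the `+ set -e` and `declare -x` lines, which are exactly the ones that had to be removed by hand.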