Normal mode

This page describes how to use Easy-TLS in Normal mode.
You must set up your Easy-RSA PKI first.
- Required files:
  - CA certificate: `pki/ca.crt`
  - Server certificate: `pki/server-name.crt`
  - Client certificates: `pki/client-name-01.crt`, `pki/client-name-02.crt` etc.
- Initialise: `./easytls init-tls`
- The `custom.group` identifies inline files and TLS-Crypt-V2 files created in your group. Default: `EASYTLS`
  `./easytls config custom.group Your-Custom-Group`
  Your `custom.group` will be included in all Client TLS-Crypt-V2 keys and all inline files.
  Abbreviation: `./easytls cf cg Your-Custom-Group`
  Example `custom.group` is `TinCanTech`.
- `./easytls config tmp.dir <temp-dir>`
  Abbreviation: `./easytls cf td /tmp`
  This is only used by the Server-side verification scripts used with your OpenVPN Server.
  Config: `temporary-directory`
  Recommended settings:
  - Linux with systemd: `/tmp` (This is the default for Linux)
  - Linux without systemd: `/var/tmp/easytls` (You must create this directory)
  - Windows: `C:\Windows\Temp` (This is the default for Windows)
- `./easytls config inline.metadata on|off`
  Abbreviation: `./easytls cf im on|off`
  Add TLS-Crypt-V2 metadata to Client inline files. Default `on`
- `./easytls config inline.hardware on|off`
  Abbreviation: `./easytls cf ih on|off`
  Add TLS-Crypt-V2 hardware-address to Client inline files. Default `off`
- Easy-TLS has an interactive menu to build all TLS keys: `./easytls build`
- Easy-TLS has an interactive menu to inline all TLS keys: `./easytls inline`
- Easy-TLS has an interactive menu to remove all TLS keys and inline files: `./easytls remove`
- Build a TLS-Auth key: `./easytls build-tls-auth`
  Abbreviation: `./easytls bta`
- Inline a TLS-Auth key: `./easytls inline-tls-auth common-name 0|1`
  Abbreviation: `./easytls ita common-name 0|1`
  `common-name` is the name of the Server or Client certificate.
  `0|1` is the `--key-direction`: `0` for Servers and `1` for Clients.
- Build a TLS-Crypt key: `./easytls build-tls-crypt`
  Abbreviation: `./easytls btc`
- Inline a TLS-Crypt key: `./easytls inline-tls-crypt common-name`
  Abbreviation: `./easytls itc common-name`
  `common-name` is the name of the Server or Client certificate.
  If you are using `--tls-auth` or `--tls-crypt` for your OpenVPN server, then you only need one of these keys.
- Build a Server TLS-Crypt-V2 key (must be done first):
  `./easytls build-tls-crypt-v2-server server-name`
  Abbreviation: `./easytls btcv2s server-name`
- Build multiple Client TLS-Crypt-V2 keys:
  - Build a simple Client key:
    `./easytls build-tls-crypt-v2-client server-name client-name-01`
    Abbreviation: `./easytls btcv2c server-name client-name-01`
  - Build a second simple key for the same Client:
    `./easytls --subkey-name=key2 build-tls-crypt-v2-client server-name client-name-01`
    Abbreviation: `./easytls -k=key2 btcv2c server-name client-name-01`
    For option `-k|--subkey-name=<NAME>`, `<NAME>` can be any contiguous word of your choice, e.g. `home` or `head-office`.
  - Build a key with hardware-lockdown for the same Client:
    `./easytls --subkey-name=hw-lock build-tls-crypt-v2-client server-name client-name-01 AA:AA:AA:AA:AA:AA`
    Abbreviation: `./easytls -k=hw-lock btcv2c server-name client-name-01 AA:AA:AA:AA:AA:AA`
    Replace `AA:AA:AA:AA:AA:AA` with the MAC address of your client's ethernet card.
    Each single Client key can be locked to a single hardware address or to multiple hardware addresses,
    e.g. Ethernet and WiFi addresses: `AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB`
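The Client key steps above, scripted end to end as an added example that is not part of Easy-TLS or its wiki: it rejects malformed hardware addresses before they reach `./easytls`, then builds the default key, a `key2` sub-key and (when addresses are given) a `hw-lock` sub-key for one client. The `EASYTLS` and `EASYTLS_DRY_RUN` variables, the `valid_macs`/`provision_client` names and the sub-key names are this example's own assumptions; it assumes the PKI, `./easytls init-tls` and the Server TLS-Crypt-V2 key already exist, and inlining is still done with `./easytls inline`.

```sh
#!/bin/sh
# Added example, not part of Easy-TLS: provision one client's TLS-Crypt-V2
# keys in Normal mode (default key, a "key2" sub-key and, when hardware
# addresses are given, a "hw-lock" sub-key). Assumes the Easy-RSA PKI,
# `./easytls init-tls` and the Server TLS-Crypt-V2 key already exist.
# EASYTLS and EASYTLS_DRY_RUN are this example's own variables.

EASYTLS="${EASYTLS:-./easytls}"

# Print the command instead of running it when EASYTLS_DRY_RUN=1.
run() {
  if [ "${EASYTLS_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Succeed only if every argument is a colon-separated MAC address such as
# AA:BB:CC:DD:EE:FF; anything else is rejected before it reaches easytls.
valid_macs() {
  hx='[0-9A-Fa-f][0-9A-Fa-f]'
  for mac in "$@"; do
    case "$mac" in
      $hx:$hx:$hx:$hx:$hx:$hx) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# provision_client SERVER-NAME CLIENT-NAME [MAC ...]
provision_client() {
  server="$1"
  client="$2"
  shift 2
  if [ $# -gt 0 ] && ! valid_macs "$@"; then
    echo "provision_client: invalid hardware address in: $*" >&2
    return 1
  fi
  # Default key, then a second plain sub-key for the same client.
  run "$EASYTLS" build-tls-crypt-v2-client "$server" "$client" || return 1
  run "$EASYTLS" --subkey-name=key2 build-tls-crypt-v2-client "$server" "$client" || return 1
  # Optional sub-key locked to the given Ethernet/WiFi addresses.
  if [ $# -gt 0 ]; then
    run "$EASYTLS" --subkey-name=hw-lock build-tls-crypt-v2-client "$server" "$client" "$@" || return 1
  fi
}
```

Run with `EASYTLS_DRY_RUN=1` first to review the exact `./easytls` invocations before any key is written.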
It is not possible to edit any key file and, in Normal mode, Easy-TLS does not allow editing inline files.
If you make a mistake, use `./easytls remove` to delete the inline and/or key files.