normal mode

This page describes how to use Easy-TLS in Normal mode.

Easy-TLS normal mode

You must setup your Easy-RSA PKI first.

• Required files:
  • CA certificate pki/ca.crt
  • Server certificate pki/server-name.crt
  • Client certificates pki/client-name-01.crt, pki/client-name-02.crt etc..

Install Easy-TLS

• Download and install Easy-TLS

Start Easy-TLS

• Initialise: ./easytls init-tls

Configure your Easy-TLS custom.group

The custom.group identifies inline files and TLS-Crypt-v2 files created in your group. Default: EASYTLS

• ./easytls config custom.group Your-Custom-Group
  Your custom.group will be included in all Client TLS-Crypt-V2 keys and all inline files.
  Abbreviation: ./easytls cf cg Your-Custom-Group
  Example custom.group is TinCanTech

• ./easytls config tmp.dir <temp-dir>
  Abbreviation: ./easytls cf td /tmp
  This is only used by Server side verification scripts used with your Openvpn Server.
  Config: temporary-directory
  Recommanded settings:

  • Linux with systemd: /tmp (This is the default for Linux)
    
  • Linux without systemd: /var/tmp/easytls (You must create this directory)
    
  • Windows: C:\Windows\Temp (This is the default for Windows)

• ./easytls config inline.metadata on|off
  Abbreviation: ./easytls cf im on|off
  Add TLS-Crypt-V2 metadata to Client inline files. Default on
  

• ./easytls config inline.hardware on|off
  Abbreviation: ./easytls cf ih on|off
  Add TLS-Crypt-V2 hardware-address to Client inline files. Default off
  

Build and inline standard TLS keys:

• Easy-TLS has an inter-active menu to build all TLS keys: ./easytls build

• Easy-TLS has an inter-active menu to inline all TLS keys: ./easytls inline

• Easy-TLS has an inter-active menu to remove all TLS keys and inline files: ./easytls remove

• Build a TLS-Auth key ./easytls build-tls-auth
  Abbreviation: ./easytls bta
  

• Inline a TLS-Auth key ./easytls inline-tls-auth common-name 0|1
  Abbreviation: ./easytls ita common-name 0|1
common_name is the name of the Server or Client certificate.
  0|1 is the --key-direction - 0 for Servers and 1 for Clients.
  

• Build a TLS-Crypt key ./easytls build-tls-crypt
  Abbreviation: ./easytls btc
  

• Inline a TLS-Crypt key ./easytls inline-tls-crypt common-name
  Abbreviation: ./easytls itc common-name
common_name is the name of the Server or Client certificate.
  

  If you are using --tls-auth or --tls-crypt for your Openvpn server
  then you only need one of these keys.

Build and inline advanced TLS-Crypt-V2 keys:

• Build a Server TLS-Crypt-V2 key (Must be done first):

  • build-tls-crypt-v2-server server-name
    Abbreviation: ./easytls btcv2s server-name

• Build multiple Client TLS-Crypt-V2 keys:

  • Build a simple Client key:

    • ./easytls build-tls-crypt-v2-client server-name client-name-01
      Abbreviation: ./easytls btcv2c server-name client-name-01

  • Build a second simple key for the same Client:

    • ./easytls --subkey-name=key2 build-tls-crypt-v2-client server-name client-name-01
      Abbreviation: ./easytls -k=key2 btcv2c server-name client-name-01
      For option -k|--subkey-name=<NAME>, can be any contiguous word of your choice.
      eg: home or head-office

  • Build a key with hardware-lockdown for the same Client:

    • ./easytls --subkey-name=hw-lock build-tls-crypt-v2-client server-name client-name-01 AA:AA:AA:AA:AA:AA
      Abbreviation: ./easytls -k=hw-lock btcv2c server-name client-name-01 AA:AA:AA:AA:AA:AA
      Replace AA:AA:AA:AA:AA:AA with the MAC address of your client ethernet card.
      Each single Client key can be locked to a single or multiple hardware addresses.
      eg. Ethernet and WiFi address: AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB

Remove inline files and TLS keys:

It is not possible to edit any key file and, in normal mode, Easy-TLS does not allow editing inline files.
If you make a mistake then use ./easytls remove to delete inline and/or key files.

Configuring Easy-TLS Server side Authentication scripts

• Configuring Easy-TLS Server side Authentication scripts