-
-
Notifications
You must be signed in to change notification settings - Fork 20
normal mode
You must setup your Easy-RSA PKI first.
- Required files:
- CA certificate
pki/ca.crt
- Server certificate
pki/server-name.crt
- Client certificates
pki/client-name-01.crt
,pki/client-name-02.crt
etc..
- CA certificate
- Initialise:
./easytls init-tls
The custom.group
identifies inline
files and TLS-Crypt-v2 files created in your group. Default: EASYTLS
-
./easytls config custom.group Your-Custom-Group
Yourcustom.group
will be included in all Client TLS-Crypt-V2 keys and allinline
files.
Abbreviation:./easytls cf cg Your-Custom-Group
Examplecustom.group
isTinCanTech
-
./easytls config tmp.dir <temp-dir>
Abbreviation:./easytls cf td /tmp
This is only used by Server side verification scripts used with your Openvpn Server.
Config: temporary-directory
Recommanded settings:- Linux with
systemd
:/tmp
(This is the default for Linux)
- Linux without
systemd
:/var/tmp/easytls
(You must create this directory)
- Windows:
C:\Windows\Temp
(This is the default for Windows)
- Linux with
-
./easytls config inline.metadata on|off
Abbreviation:./easytls cf im on|off
Add TLS-Crypt-V2metadata
to Clientinline
files. Defaulton
-
./easytls config inline.hardware on|off
Abbreviation:./easytls cf ih on|off
Add TLS-Crypt-V2 hardware-address to Clientinline
files. Defaultoff
-
Easy-TLS has an inter-active menu to build all TLS keys:
./easytls build
-
Easy-TLS has an inter-active menu to inline all TLS keys:
./easytls inline
-
Easy-TLS has an inter-active menu to remove all TLS keys and inline files:
./easytls remove
-
Build a TLS-Auth key
./easytls build-tls-auth
Abbreviation:./easytls bta
-
Inline a TLS-Auth key
./easytls inline-tls-auth common-name 0|1
Abbreviation:./easytls ita common-name 0|1
common_name
is the name of the Server or Client certificate.
0|1
is the--key-direction
-0
for Servers and1
for Clients. -
Build a TLS-Crypt key
./easytls build-tls-crypt
Abbreviation:./easytls btc
-
Inline a TLS-Crypt key
./easytls inline-tls-crypt common-name
Abbreviation:./easytls itc common-name
common_name
is the name of the Server or Client certificate.If you are using
--tls-auth
or--tls-crypt
for your Openvpn server
then you only need one of these keys.
-
Build a Server TLS-Crypt-V2 key (Must be done first):
-
build-tls-crypt-v2-server server-name
Abbreviation:./easytls btcv2s server-name
-
-
Build multiple Client TLS-Crypt-V2 keys:
-
Build a simple Client key:
-
./easytls build-tls-crypt-v2-client server-name client-name-01
Abbreviation:./easytls btcv2c server-name client-name-01
-
-
Build a second simple key for the same Client:
-
./easytls --subkey-name=key2 build-tls-crypt-v2-client server-name client-name-01
Abbreviation:./easytls -k=key2 btcv2c server-name client-name-01
For option-k|--subkey-name=<NAME>
, can be any contiguous word of your choice.
eg:home
orhead-office
-
-
Build a key with hardware-lockdown for the same Client:
-
./easytls --subkey-name=hw-lock build-tls-crypt-v2-client server-name client-name-01 AA:AA:AA:AA:AA:AA
Abbreviation:./easytls -k=hw-lock btcv2c server-name client-name-01 AA:AA:AA:AA:AA:AA
ReplaceAA:AA:AA:AA:AA:AA
with the MAC address of your client ethernet card.
Each single Client key can be locked to a single or multiple hardware addresses.
eg. Ethernet and WiFi address:AA:AA:AA:AA:AA:AA BB:BB:BB:BB:BB:BB
-
-
It is not possible to edit any key file and, in normal mode, Easy-TLS does not allow editing inline
files.
If you make a mistake then use ./easytls remove
to delete inline
and/or key files.