Fantasy Grounds - Port Forwarding and a "transparent" OpenVPN setup
Local setup - Step-by-step

Step 1 : OpenVPN + Easy-RSA & "new-PKI"

Last updated 4 years ago

As explained in the Tools section, we absolutely need two pieces of software:

OpenVPN (+ Easy-RSA 2)

OpenVPN is an "SSL/TLS-based VPN" that is very mature and very widely used all over the multiverse.

Tech Blurb

OpenVPN is NOT one of the old "SSL VPNs" running in a web browser; it uses SSL/TLS cryptography natively. It runs over any unused TCP or UDP port, is "NAT-friendly", and uses a single protocol+port (unlike protocols such as the old PPTP with TCP 1723 + GRE, or IPsec with ESP + AH + IKE).

For VPNs and network tunnels in general, it is always best to choose the UDP transport protocol rather than TCP. See this excellent, old but still valid, article: Why TCP Over TCP Is A Bad Idea, by the creator of CIPE, who later moved on to OpenVPN.

But in case you absolutely need it, you can run OpenVPN even on TCP 80 or 443 (web server ports) if they are unused on your server machine: if you happen to be on a network with very strict Internet access rules, you may have to resort to that.

However, in this setup we'll use the "official" OpenVPN UDP port: UDP 1194.

Easy-RSA 2 is a set of command-line utilities to create/manage Public Key Infrastructures (PKIs).

Easy-RSA 2 is developed by the same team as OpenVPN.

Windows installation packages for OpenVPN already include Easy-RSA 2.

So, we download and save the installer from https://openvpn.net/community-downloads/ for our version of Windows (I have built a small temporary Windows 2012R2 machine to "impersonate" the GM's FG machine for this demo) into the folder we previously created at T:\fg-ovpn\source-install:

...and we execute it, authorizing it to do its job with Yes on the "User Account Control" dialog...

...making sure to select "Easy-RSA 2 Certificate Management Scripts":

...AND allowing the creation of the virtual network card with the "Install" button:

Finally, our complete installation result will look like this (it depends on the Windows version AND the version of OpenVPN):

Tech Blurb:

Note the "TAP-Windows" group above: OpenVPN uses one virtual network card/adapter per concurrent VPN. So if you need multiple VPNs connected at a time (I often have 2 or 3), you'll need to use the "Add new TAP..." shortcut, but this is not required for our demo setup.

Let's have a look at the installation folders in Program Files :

We now have all the required "prime materials" on disk. Let's immediately create a source from which to initialize "autonomous" blank Public Key Infrastructures, in our new-PKI folder:

Prepare the new-PKI folder contents

This folder will be a ready-to-duplicate source folder for creating a brand new PKI. We'll keep both the current version of the Easy-RSA script files and the associated binary programs there.

We'll then use it to initialize our own PKI in its own folder. This way, even if we break/uninstall/lose our installation directory for whatever reason, we'll still be able to manage our VPN security (create/revoke certificates), and we'll have the right version of the required programs available for that.

Tech Blurb:

Also, by creating all PKIs (only one is needed for our setup) by duplicating this source folder's contents later on, we have the ability to tweak the script files, or even the openssl configuration file used for that specific PKI, if needed, without impacting the others.

  1. Copy all files from <OpenVPN Installation>\easy-rsa to your new-PKI folder.

  2. Then copy these (or all, if you want) files from <OpenVPN Installation>\bin to new-PKI as well:

Your autonomous "ready-to-duplicate" new-PKI folder is now (nearly) complete:

Adjust the CRL (Certificate Revocation List) lifetime

There is one issue with the standard configuration: the lifetime of the CRL (Certificate Revocation List) is by default only 30 days, and since our VPN server checks the CRL for every connection request, it will refuse all connections 30 days after the last CRL update...

Since we likely won't be revoking certificates very often, let's just give the CRL a lifetime of 10 years, just like the rest of our PKI.

So we edit openssl-1.0.0.cnf in a text editor (even Right click + Edit with the very limited Windows Notepad is sufficient for this file) as follows: around line 55 you will find:

Line to be changed:

default_crl_days= 30			# how long before next CRL

and replace the 30 with 3650 like this:

Edited line:

default_crl_days= 3650			# how long before next CRL

Then save and close openssl-1.0.0.cnf and you're done!
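As an added example (not code from the original guide), a small Python helper that makes the same default_crl_days edit programmatically and, given the one line printed by `openssl crl -in crl.pem -noout -nextupdate` (the openssl.exe copied from OpenVPN\bin works), reports how many days are left before the server starts refusing every connection. The file names crl.pem and openssl-1.0.0.cnf, and the sample values, are assumptions.

```python
"""Added helper for the CRL-lifetime step (example code, not from the guide).
(1) rewrites default_crl_days in an openssl cnf file as the text describes;
(2) turns the output of `openssl crl -in crl.pem -noout -nextupdate` into
"days left before the VPN server starts refusing every connection".
File names crl.pem / openssl-1.0.0.cnf are assumptions."""
import re
from datetime import datetime, timezone

# Matches the single 'default_crl_days= 30   # how long before next CRL' line;
# the groups keep the key, its spacing and the trailing comment untouched.
CRL_DAYS_RE = re.compile(r"^([ \t]*default_crl_days[ \t]*=[ \t]*)(\d+)(.*)$", re.MULTILINE)


def set_crl_days(cnf_text: str, days: int) -> str:
    """Return cnf_text with default_crl_days replaced by `days` (e.g. 3650)."""
    new_text, count = CRL_DAYS_RE.subn(lambda m: f"{m.group(1)}{days}{m.group(3)}", cnf_text)
    if count != 1:  # refuse to guess if this is not the file we expect
        raise ValueError(f"expected exactly one default_crl_days line, found {count}")
    return new_text


def parse_nextupdate(openssl_output: str) -> datetime:
    """Parse 'nextUpdate=Mar  5 10:22:11 2024 GMT' (openssl pads the day to
    two characters, hence the double space) into an aware UTC datetime."""
    value = openssl_output.strip().split("=", 1)[1]
    value = " ".join(value.split())  # collapse the padded day field
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def crl_days_left(openssl_output: str, now: datetime) -> int:
    """Whole days until the CRL expires. Zero or negative means the CRL check
    already fails and the VPN server refuses every client."""
    return (parse_nextupdate(openssl_output) - now).days


# Constructed sample data (not taken from a real PKI).
SAMPLE_CNF = ("default_days\t= 3650\t\t\t# how long to certify for\n"
              "default_crl_days= 30\t\t\t# how long before next CRL\n")
SAMPLE_NEXTUPDATE = "nextUpdate=Mar  5 10:22:11 2024 GMT"
SAMPLE_NOW_OK = datetime(2024, 2, 20, 10, 22, 11, tzinfo=timezone.utc)    # 14 days left
SAMPLE_NOW_LATE = datetime(2024, 4, 10, 10, 22, 11, tzinfo=timezone.utc)  # expired 36 days ago

if __name__ == "__main__":
    print(set_crl_days(SAMPLE_CNF, 3650))
    print("days left:", crl_days_left(SAMPLE_NEXTUPDATE, SAMPLE_NOW_OK))
```

Whatever lifetime you choose, a revocation only reaches the server once you regenerate the CRL and copy the new file to it; the longer lifetime only removes the 30-day lock-out.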
