smallstep_full_white

Configure Your VPN Server For Certificate-Based VPN With Smallstep

This tutorial describes how to configure your VPN server for certificate-based authentication with Smallstep. The Smallstep app can then configure and issue certificates to your clients.

Overview of Setup Steps

While the details will differ between VPNs, the process of configuring a VPN server to use Smallstep certificate authentication is broadly the same:

  1. Create a VPN server, if you don't already have one. Most VPN servers that support X.509 certificate authentication will work with Smallstep.

  2. Configure a DNS server name for your VPN server.

  3. Configure the VPN server to use a server TLS certificate. You can use a public Web PKI certificate, eg. from Let's Encrypt, or you can use a Smallstep Workoad certificate.

  4. Gather the following configuration information from your VPN server:

    • Server name and IP address
    • Remote ID. This may be the same as the server name.
    • Root Certificate. By default, most VPN clients will not trust any server certificate, even if it comes from the Web PKI and would be trusted by a web browser. Smallstep will need the Root Certificate for your VPN server, which it will pass along to clients for the purpose of creating a trusted connection.
  5. In Smallstep, go to Protect -> VPN and + Add VPN. You may be asked for your VPN's Server Name (or IP address), Remote ID, and Root Certifcate (if it's a non-Smallstep server ceritificate, choose "Upload external root").

  6. Once you've saved the VPN resource, choose the VPN resource you just created, and download the Root Certificate (in PEM format) from the VPN resource page. This is your Account CA. Your devices will be issued VPN account certificates from this CA.

  7. Finally, configure your VPN server to authenticate clients using the Account CA certificate you just downloaded from Smallstep.

What about the Accounts Intermediate CA?

Clients receive the Accounts Intermediate CA from Smallstep in a certificate bundle that includes their client certificate. Clients then send this intermediate CA and the client certificate to the VPN server when connecting. The VPN server then has everything it needs to verify the full Root -> Intermediate -> Client certificate chain.

In some rare cases, however, the server needs to be configured with the Accounts Intermediate CA in addition to the Root.

Vendor-specific guides

The following VPN servers are covered in this document:

Juniper SSL-VPN

Cisco Meraki AnyConnect

Last updated on June 11, 2024