
Can we discuss how to generate our own keys/certs for ASUS OpenVPN?

Dajinn

Occasional Visitor
Hi,

I followed the howto here:

https://openvpn.net/index.php/open-source/documentation/howto.html#pki

and got all of the keys and cert files. I copied the values of the information into the "content modification of keys and certification" but when I save the changes the OpenVPN says on the next screen that there is a field error for the CA / Server Certification / Server Key.

I generated the keys on a separate machine and I believe that I put the correct values into the fields, but something must be missing. I assume that the key and certificate files I generated must be somehow copied (I guess via SSH) to the ASUS router itself for this to actually work, correct?

Edit: I logged in via SSH and in /tmp/etc/openvpn/server1 I see the CRT and KEY files. How can I copy my files over into the folder?
 
Are you copying the header data as well? Everything exactly how it is when they were generated? You do not need to use SSH. The GUI paste is fine.
 
Yes I believe I am, I'm doing a Ctrl + a and copy/paste.

I am comparing the data from the keys, and the ca.key file that's in my router has different data than the ca.key file I just generated. I'm doing a process of elimination to find the field in the GUI that has the mismatched key, but none of the fields have the key in it that's listed in ca.key. I wonder if that's the issue.
 
That's because the ca key should ONLY be used to generate the ca certificate. That key isn't used by OpenVPN, and should ideally be stored outside of your router, for security reasons.
 
When I do ls -l in that directory the server.crt key shows as being 0 bytes, meaning no lines; when I perform cat on it to view the contents it's sure enough empty. Is that normal?
 
What Merlin said. :)

Also, just FYI, a cert should look like this. You need the header/footers for all keys.

example ca cert:
-----BEGIN CERTIFICATE-----
some
data
in
here
-----END CERTIFICATE-----

dh key:
-----BEGIN DH PARAMETERS-----
xxxxxx
xxxxxx
xxxxxx
xxxxxx

-----END DH PARAMETERS-----
 
So what goes before here:

Certificate:
Data:
..data here..
Signature Algorithm: md5WithRSAEncryption
...key

and after?
 
Okay I think I know what the issue is...the text field for entering your actual certificate information is constrained to too few characters. It's truncating the end of the certificate, maybe because I wanted it to generate a 2048-bit key?

Either way, the certificate is incomplete which must be why the error is throwing. I'll try to copy paste it using vi in ssh and see if that resolves this issue.
 
no...

"Only paste the content of the ----- BEGIN xxx ----- / ----- END xxx ----- block (including those two lines)."
 
Start at the BEGIN line, and end at the END line. Do NOT enter anything that's outside of these - that's why your cert does not fit.
 
If I enable server 2 and let it configure itself with the default params/keys,

The "SERVER CERTIFICATE" field has the ACTUAL server certificate information.. it STARTS with

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U/emailAddress=me@myhost.mydomain
Validity
..etc
..etc

and ENDS

with

-----END CERTIFICATE-----

if I navigate to server2 using SSH and cat out the contents of the server.crt file

it spits out exactly what's in the field.

So clearly, the "SERVER CERTIFICATE" field does not just take the "---begin certificate---" and "---end certificate---" part.

I just tried only putting the begin/end parts from my server.crt file and it still did not work.
 
For all the fields just paste the lines between and including the ---BEGIN........... and END. It works fine. I'm not sure how else to tell you. All keys/certs contain header/footer lines and all keys/certs should be pasted including those, nothing else.
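A small added check (not code from this thread or from the router firmware) that does what the advice above says: it pulls exactly the BEGIN/END block out of a file like the easy-rsa server.crt shown earlier, which carries a readable dump before the PEM, and reports a wrong block type (e.g. ca.key pasted where the CA certificate belongs) or a paste that was cut off before the END line. The sample certificate text is constructed and is not a real certificate.

```python
import base64
import binascii
import re

# Constructed sample: what `cat server.crt` prints when easy-rsa writes the
# readable dump before the PEM block (the body is NOT a real certificate).
_FAKE_DER = base64.b64encode(b"constructed stand-in, not real X.509 DER" * 4).decode()
_BODY = "\n".join(_FAKE_DER[i:i + 64] for i in range(0, len(_FAKE_DER), 64))
SAMPLE_SERVER_CRT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "    Signature Algorithm: sha1WithRSAEncryption\n"
    "        Issuer: C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-N66U\n"
    "-----BEGIN CERTIFICATE-----\n" + _BODY + "\n-----END CERTIFICATE-----\n"
)

# One complete block: a BEGIN line and an END line carrying the same label.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def extract_pem_block(text, expected_label):
    """Return exactly the BEGIN..END block of the given type (e.g. "CERTIFICATE"),
    dropping any readable dump before or after it. Raises ValueError when the
    block is missing or cut off, is of another type, or its body is not base64."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no complete BEGIN/END block: truncated or headers missing")
    label, body = m.group(1), m.group(2)
    if label != expected_label:
        raise ValueError(f"expected a {expected_label} block, found {label}")
    try:  # catches stray characters or a cut-off base64 line
        base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"block body is not valid base64: {exc}") from exc
    return f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----"


def paste_error(text, expected_label):
    """None when the text pastes cleanly into the GUI field, else the reason."""
    try:
        extract_pem_block(text, expected_label)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(extract_pem_block(SAMPLE_SERVER_CRT, "CERTIFICATE"))
    # Pasting a private key where the CA cert belongs, or a cut-off paste:
    print(paste_error(SAMPLE_SERVER_CRT, "PRIVATE KEY"))
    print(paste_error(SAMPLE_SERVER_CRT.split("-----END")[0], "CERTIFICATE"))
```

The same function accepts the DH PARAMETERS and PRIVATE KEY blocks for the other GUI fields, including a blank line before the END line as in the dh example above.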
 
Here are my "notes" to make certificates-

get to easy-rsa folder as admin
type commands:

vars
clean-all
build-ca
build-dh

****when making server keys make sure "servername" and common name are the same!!!
build-key-server servername

****when making client keys make sure client name and common name are the same!!!
build-key client1

repeat for as many clients as you need- be sure client name and common name are the same for all client keys made.

cd into openvpn directory
type
openvpn --genkey --secret c:\anynonadmindirectory\ta.key

As others have mentioned in the router openvpn server gui (vpn>vpn details>content modification of keys and certificates link- next to authorization mode in basic config) copy and paste from ---begin certificate to end certificate---

note this INCLUDES the ---begin--- and ---end--- parts!!!
 
000111, when you create the client1 key how exactly do you know that it's working or specified?

On the ASUS router I don't see any options to require a client key, however, looking into the server config file I saw the line "client-cert-not-required" and commented it out, generated client1 key, and put it in my config folder.

I didn't specify the key in my client config file and didn't get asked for it or encounter any hiccup when reconnecting to the VPN.

So I moved the client 1 key files out of that directory and still didn't encounter any issue.

Any tips? Is there a setting that indirectly refers to or activates client key requirement? Because right now I am using "username/password authentication" and "username/password auth only".

Edit: I found out that by unchecking user/pass auth only I got the ability to add my client key data into the client config file.

This is great stuff, thanks for the awesome firmware Merlin! You can really learn a lot about security in a short amount of time by locking down a VPN server.
 
I personally don't make the keys on the router. I use easy-rsa on a Windows 7 machine. I would forget about copying files to/on your router. Use the GUI for your router to copy/paste the certs after you have created them elsewhere with a program like Notepad++ (so you don't get goofy Windows invisible characters).

The client key goes on the client computer, the computer that will be connecting to the router vpn server.

I believe if you are using username/password auth only all of the keys are meaningless, they will not be used. You could use username/password no and it would be all certs, or username/password yes with username/password only set to no to use both username/password and certs.

For the time being, I would suggest you fall back on the username/password only until you can get the certs working.

And again, I would definitely stop messing around with copying files to/altering config files on your router when you do not have an intimate knowledge of what they do and don't do or how they function. USE THE GUI.
 
I've got all the other certs working now except for the client 1 key/cert. Is there a specific way to specify the reference to the files in the config?

this is what my config file looks like:

client
dev tun
proto udp
remote 1.2.3.4 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
ca ca.crt 1
cert client1.crt
key client1.key

tls-auth static.key 1
dh dh.pem 1
key-direction 1
resolv-retry infinite
nobind

I've also tried

cert client1.crt 1
key client1.key 1

with the 1 for the directional option, but the authentication still fails:

Thu Aug 27 13:00:30 2015 AUTH: Received control message: AUTH_FAILED
Thu Aug 27 13:00:30 2015 SIGUSR1[soft,auth-failure] received, process restarting
 
I think perhaps you should reboot your router and forget about messing with the config. Hopefully the file will be recreated upon reboot. INSERT THE CERTIFICATES FROM THE ROUTER GUI. You should be able to do all you need to do from the gui. Leave the router config file alone, it is generated by the gui settings!!!
 
Sorry I forgot to mention the server keys themselves and what not are working now ^^; that's why I moved onto client keys.
 