
Can we discuss how to generate our own keys/certs for ASUS OpenVPN?


I am unsure of what you mean by the keys are "working" now?
 
Also, note that the "static key" in the router gui is the tls-auth key, or the ta.key I was referring to in my key creation notes.

static key is ta.key
certificate authority is ca.crt
server certificate is servername.crt
server key is servername.key
Diffie-Hellman parameters is dh1024.pem (or possibly dh2048.pem)
 
The gui doesn't throw an error about the certificates being incorrect anymore, and I specified manually all of the cert files in my config file with the directional 1 option and was able to authenticate to the server.
 
Do you have the proper keys and config in your client? Again, if you set username/password to yes and username/password only to yes the keys are doing nothing.
 
Username / Password Auth. Only I already turned to no so that I could use the keys; since I did that, and even specified my keys, I am getting the errors in the other post a page back.
 
For example, you will need the following keys (in the same folder your client.ovpn file is in) in your client config:
ca.crt
client1.crt
client1.key
ta.key (if you have tls-auth set to yes)

they are listed in the client.ovpn file like this:
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key
 
Check my post a page back, it shows my config. static.key is the key I am using for tls-auth.
 
OK. Forget about the config file on your router, OK? Leave it alone and use the gui. The gui alters the config file.
 
I don't think you can use client keys AND "allow only specified clients" at the same time. Because I unchecked the latter and it began to work.
 
Ah, I see your client config issue now. As I mentioned in post 26, in your client config file the certs are listed something like this:

ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key

ta.key is the name of the key you created for tls-auth (see post 15)
 
client
dev tun
proto udp
remote 1.2.3.4 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
ca ca.crt
cert client1.crt
key client1.key

tls-auth should probably be ta.key or whatever you called it (see generation in post 15)
dh should likely be dh1024.pem, whatever you created should be the name here
key-direction must be opposite of what it is on server config OR bi-directional on both (1 recommended)
resolv-retry infinite
nobind

This applies only if your cert files are all in the same directory as your OVPN client file. This is the recommended way, so I would put them there instead of messing with full paths to each certificate, which can be a pain in the butt to get working.
 
So clearly, the "SERVER CERTIFICATE" field does not just take the "---begin certificate---" and "---end certificate---" part.

Trust me on this, that part outside of the --begin-- and ---end--- block is not used by the router. It's just a readable dump of the PEM that's below, and will only cause overflow issues if the total size of that field is over 3499 characters.
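The two checks this thread keeps coming back to, the client .ovpn referencing its cert files by bare name with a tls-auth direction that matches the server, and the router GUI field taking only the BEGIN/END block of the PEM (under 3499 characters), as an added example. This is not code from the thread or from Asuswrt; the sample .ovpn and .crt contents are constructed and the function names are my own.

```python
import re

# Constructed sample client.ovpn modelled on the thread's listing (not a poster's real file).
SAMPLE_OVPN = """client
remote 1.2.3.4 1194
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key
key-direction 1
"""

# Constructed .crt with the readable dump openssl prints above the PEM; not a real certificate.
SAMPLE_CRT = "Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"

FILE_OPTIONS = ("ca", "cert", "key", "tls-auth", "dh")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_ovpn(text):
    """Map each single-line directive to its argument list (comments and blanks skipped)."""
    opts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            opts[parts[0]] = parts[1:]
    return opts

def referenced_files(opts):
    """File names the config expects to find beside the .ovpn file."""
    return {o: opts[o][0] for o in FILE_OPTIONS if opts.get(o)}

def tls_auth_direction(opts):
    """Direction from 'tls-auth file N', else 'key-direction N', else None (bidirectional)."""
    if len(opts.get("tls-auth", [])) > 1:
        return int(opts["tls-auth"][1])
    if opts.get("key-direction"):
        return int(opts["key-direction"][0])
    return None

def directions_compatible(server_dir, client_dir):
    """Opposite directions (0 vs 1), or bidirectional (None) on both sides, as the thread says."""
    return {server_dir, client_dir} in ({0, 1}, {None})

def pem_block_for_gui(text, limit=3499):
    """Keep only the BEGIN/END block for the router GUI field and enforce the field's size limit."""
    m = PEM_RE.search(text)
    if m is None or len(m.group(0)) > limit:
        raise ValueError("no PEM block found, or block longer than %d characters" % limit)
    return m.group(0)
```

Run `pem_block_for_gui(open("servername.crt").read())` on your own file to get exactly the text to paste into the SERVER CERTIFICATE field.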
 