How do you backup or redo OpenVPN setup in Merlin

wayner

About a year and a half or so ago I set up OpenVPN server on my router. I set up iOS devices and my laptop as clients and it works really well. But I only did it once and I don't really remember how to do this.

I want to now upgrade the firmware on my router as it is close to two years old. But since it is so old I will have to wipe all settings. What is the easiest way to do this? Would there be a cert file on the router (or on my PC) that I can copy over and copy back? I can't remember if I generated the cert file on my PC or router. Where would I find the cert keys on my router?
 
Just upgrade the firmware and remember that you must restore the router to factory default settings AFTERWARDS and then go ahead and alter settings as you require.

Before you update, go into the OpenVPN server settings and take a screenshot of the advanced settings (just in case you can't recall what settings you had).


Setting up the new OpenVPN is now easier than falling off a log. (The restore/reset will wipe those old certs for you.) Just go into OpenVPN Server in the GUI after the factory restore/reset, make all the adjustments you need in the Advanced sub-section, go back to General, export the .ovpn config file to the clients and that's it! Certs and keys are in the config file all done for you. The hardest work you'll do is pressing the Return key. By all means have a look inside the config file with a text editor to see what's there, but don't tamper and Cancel rather than Save afterwards. (I once experimented, generating different config files depending on username/password settings combinations just to satisfy myself I understood what was in the config file.)

So, in case I haven't been clear enough: you don't need to generate any keys or certs, you don't even need to know such things exist.

Good luck.
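
A read-only way to "have a look inside the config file" and to compare a profile exported before the reset with one exported after it, as an added example that is not part of the original posts. It assumes the exported .ovpn uses OpenVPN's standard inline blocks (`<ca>`, `<cert>`, `<key>`, `<tls-auth>`, `<tls-crypt>`); the function names and the sample profiles are constructed for illustration.

```python
import hashlib
import re

# Inline blocks an OpenVPN client profile can embed instead of referencing files.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")
SECRET_TAGS = {"key", "tls-auth", "tls-crypt"}  # private material: fingerprint, never print

def inspect_ovpn(text):
    """Summarise a profile without editing it or echoing any key material."""
    blocks = {}
    for tag in INLINE_TAGS:
        m = re.search(rf"<{tag}>(.*?)</{tag}>", text, re.S)
        if m:
            # Normalise whitespace and line endings so the fingerprint is stable.
            lines = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
            blocks[tag] = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    # Directives are whatever remains once the inline blocks are cut out.
    outside = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = {ln.split()[0] for ln in outside.splitlines()
                  if ln.strip() and ln.lstrip()[0] not in "#;"}
    return {
        "blocks": blocks,
        "secret_blocks": sorted(SECRET_TAGS & blocks.keys()),
        "password_auth": "auth-user-pass" in directives,
    }

def changed_blocks(old, new):
    """Inline blocks whose content differs between two exported profiles."""
    a, b = inspect_ovpn(old)["blocks"], inspect_ovpn(new)["blocks"]
    return sorted(t for t in a.keys() | b.keys() if a.get(t) != b.get(t))

def _sample(bodies, password):
    # Constructed profile: placeholder bodies, not real PEM data.
    head = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
    head += "auth-user-pass\n" if password else ""
    return head + "".join(f"<{t}>\n{b}\n</{t}>\n" for t, b in bodies.items())

OLD = _sample({"ca": "CONSTRUCTED-CA-1", "cert": "CONSTRUCTED-CERT-1",
               "key": "CONSTRUCTED-KEY-1"}, True)
NEW = _sample({"ca": "CONSTRUCTED-CA-2", "cert": "CONSTRUCTED-CERT-2",
               "key": "CONSTRUCTED-KEY-2"}, True)
PASSWORD_ONLY = _sample({"ca": "CONSTRUCTED-CA-2"}, True)

if __name__ == "__main__":
    print("embedded secrets:", inspect_ovpn(NEW)["secret_blocks"])
    print("changed after reset:", changed_blocks(OLD, NEW))
    print("cert+key vs password-only export:", changed_blocks(NEW, PASSWORD_ONLY))
```

Any profile that lists `key` under `secret_blocks` carries that client's private key in clear text, so the exported file needs the same handling as the key itself.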
 
Thanks Martin - it does sound pretty easy. But isn't there a way to even copy over the old cert file to the new server instance, or can you not do that as the cert has to be tied to the server install?
 
You could. I once got into a slight mess with something I'd done, and to avoid starting afresh with a factory restore, I once did, indeed, copy a cert into the new config file (overwriting the one that was there) and it worked, but later I decided that wasn't the tidiest way to do things, so I started afresh - factory restore and export the config file to all clients. And I recommend you do the same: editing the config file is fraught with problems; one wrong character... Start afresh and you'll get that warm feeling that everything is as it should be. In fact, you'll probably spend more time moving certs and editing the file than if you just started afresh, especially if you factor in the post-editing troubleshooting. And if you do use username/passwords as well as public keys (I hope you do), use a different pair for each client. That way, it's easy to block a client if you need to.
 
I have been using the username/passwords but just one set for all clients. I am not too worried about the disabling of one device as all devices have strong passwords (min 8 characters including at least one each lower, upper, number, special char) and/or Touch ID.
 
Understood, but heaven forbid you lose a device, say the iPhone, which automatically sends its username and password when you connect back to the server (you don't manually enter them each time), you have to assume the worst case and the thief cracks the device screen lock. All they then do is what you do: go to the OpenVPN app and press Connect. So the strong username/password hasn't helped. Do you agree or have I forgotten something?
 
There's a danger we could send this topic spinning off into heated debates about strong passwords and Touch ID. And you could have set up all your clients five times over by now. :)
 