Configuring OpenVPN for Merlin

gbguy71

Occasional Visitor
I replaced my router and needed to set up OpenVPN again. My old setup was quite old and I
went with the latest Easy RSA 3. Hopefully the following will make it easier for others
who need to do the same.

This was done on a Windows 10 machine.

Everything, except easytls, was included in the OpenVPN 2.5.6 download.

The basic instructions are located here:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

The major changes from my old setup were: AES-256-CBC (vs. 128) and TLS Authorization

The biggest change was using Easy RSA 3. They suggested multiple directories.
So I set up, under the C:\program files\openvpn directory, the following:
  • easy-rsa (part of the OpenVPN installation, will contain the tls-auth key)
  • easy-rsa-CA (to hold the certificates)
  • easy-rsa-server (to hold the server key and DH file)
  • easy-rsa-<CLIENTNAME> (for the client's .key file. Just create the first one to begin with)

Each client device will eventually have five files installed (see **NOTE** below):
  • ca.crt (which is identical on the server and all clients)
  • tls-auth.key (also identical on the server and clients)
  • <CLIENTNAME>.ovpn
  • <CLIENTNAME>.crt
  • <CLIENTNAME>.key

**NOTE**: One of my Android clients had to have a "unified" ovpn file instead of separate
files; see https://openvpn.net/faq/i-am-having-trouble-importing-my-ovpn-file/

The sequence I used (which might not be optimal) was:
------------------------------------------------------------------------------------
1. modify the vars file in easy-rsa (which will be identical in easy-rsa-server (router)
and each easy-rsa-<CLIENTNAME>)
------------------------------------------------------------------------------------
The var modifications/defaults I chose were:
  • set_var EASYRSA_OPENSSL "C:/Program Files/OpenVPN/bin/openssl.exe" # Maybe not needed?
  • #set_var EASYRSA_DN "org" # Let this default, I had an issue when specifying "org"
  • set_var EASYRSA_ALGO rsa # There is currently a bug with the "ec" choice
------------------------------------------------------------------------------------
2. Download easytls into the easy-rsa directory and generate the TLS-AUTH-KEY
from a cmd window (admin mode)
------------------------------------------------------------------------------------

C:\>cd program files\openvpn
C:\Program Files\OpenVPN>cd easy-rsa
C:\Program Files\OpenVPN\easy-rsa>.\EasyRSA-Start.bat # (**You'll remain in this shell**)

# ./easyrsa init-pki

# cd easytls
# ./easytls init-tls

# # Create a TLS-AUTH key:
# ./easytls build-tls-auth
------------------------------------------------------------------------------------
3. copy easy-rsa to easy-rsa-CA to prepare for generating the ca.crt file
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
4. generate the common ca.crt from easy-rsa-CA (I went with the "nopass" option)
(cd ../easy-rsa-CA to get there)
------------------------------------------------------------------------------------

# ./easyrsa init-pki

# ./easyrsa build-ca nopass

Your new CA certificate file for publishing is at:
C:/Program Files/OpenVPN/easy-rsa-CA/pki/ca.crt
------------------------------------------------------------------------------------
5. copy easy-rsa-CA to easy-rsa-server to prepare for server key and DH file generation
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
6. From the easy-rsa-server directory generate the server key, and DH file
(cd ../easy-rsa-server to get there)
------------------------------------------------------------------------------------

# ./easyrsa init-pki

# # I DID THIS, AND IT WORKED (FOR SOME REASON I HAD ISSUES WITH GENERATING CLIENTS
# # WITH BUILD-CLIENT-FULL ???)
# ./easyrsa build-server-full server nopass

# # Generate the DH file
# ./easyrsa gen-dh
DH parameters of size 2048 created at C:/Program Files/OpenVPN/easy-rsa-server/pki/dh.pem

------------------------------------------------------------------------------------
7. Copy easy-rsa-CA to easy-rsa-<CLIENTNAME> (Do this for each client)
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
8. Generate keypair/request for <CLIENTNAME>
------------------------------------------------------------------------------------

# cd ../easy-rsa-<CLIENTNAME>
# ./easyrsa init-pki

# ./easyrsa gen-req <CLIENTNAME> nopass

------------------------------------------------------------------------------------
9. Register and sign the request for <CLIENTNAME>
------------------------------------------------------------------------------------

# cd ../easy-rsa-CA
# ./easyrsa import-req ../easy-rsa-<CLIENTNAME>/pki/reqs/<CLIENTNAME>.req <CLIENTNAME>

# ./easyrsa sign-req client <CLIENTNAME>

Certificate created at: C:/Program Files/OpenVPN/easy-rsa-CA/pki/issued/<CLIENTNAME>.crt

------------------------------------------------------------------------------------
10. Edit the OVPN Files for each <CLIENTNAME>
NOTE: There is no .ovpn file for the server. You specify the necessary
parameters via the router's "VPN Server - OpenVPN" pages.
------------------------------------------------------------------------------------
(Copy OpenVPN/sample-config to OpenVPN/config/ using Windows Explorer)

Edit sample-config and save as <CLIENTNAME>.ovpn
NOTE: you may need to use a "unified" ovpn file - see **NOTE** above
The ca.crt and tls-auth.key files are identical among the server and all clients
Change these lines in the <CLIENTNAME>.ovpn file:
ca ca.crt
cert <CLIENTNAME>.crt
key <CLIENTNAME>.key
tls-auth tls-auth.key 1
------------------------------------------------------------------------------------
11. Install OpenVPN on all clients and distribute the files
------------------------------------------------------------------------------------
Each client's OpenVPN directory (OpenVPN/config/ on Windows) will contain:
  • the <CLIENTNAME>.ovpn file generated above
  • the ca.crt file from easy-rsa-CA/
  • the <CLIENTNAME>.crt file from easy-rsa-CA/pki/issued
  • the <CLIENTNAME>.key file from easy-rsa-<CLIENTNAME>/pki/private
  • the tls-auth.key file from easy-rsa/pki/easytls

(Alternatively it will contain a "unified" .ovpn file that contains the other 4 files)
------------------------------------------------------------------------------------
12. Configure the router settings
------------------------------------------------------------------------------------
Modify the VPN Server-OpenVPN parameters
  • Choose your "Client will use VPN to access" setting - I chose "Both"
  • Click on "VPN Details" and select "Advanced Settings"
Here is what I have for Advanced Settings:
(The fuzzy red text: the first one, with an arrow, just says "This is how you access the Keys & Certs".
The second one is on a push "route ..." that is needed to access a subnetwork I have.)

[attached screenshot: VPN Server (252 subnet).jpg]

------------------------------------------------------------------------------------
13. Upload the "Keys and Certificates" to the router
------------------------------------------------------------------------------------
  • Click on "Edit"
  • Upload the key and certificate files and paste them as shown here:
    [attached screenshot: VPN Keys Certs.jpg]
------------------------------------------------------------------------------------
14. Cross your fingers and see if it works
(I find it best to get one client working and then move on to the others.)
------------------------------------------------------------------------------------
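Steps 10 and 11 above leave each client with five separate files, and the **NOTE** points out that some importers (the Android one in this case) want a single "unified" profile instead. The script below is an added example, not code from gbguy71's post or from the OpenVPN project: it rewrites a <CLIENTNAME>.ovpn so that the ca, cert, key and tls-auth directives are replaced by inline <ca>, <cert>, <key> and <tls-auth> blocks, turns `tls-auth tls-auth.key 1` into `key-direction 1` (the direction argument has no place inside the tag), and keeps only the PEM part of each file, since easy-rsa's issued .crt files carry a text dump in front of the certificate. The server name vpn.example.com and all PEM bodies in it are constructed placeholders; in use, `files` holds the real contents of the five files from step 11.

```python
"""Build a single-file ("unified") OpenVPN client profile.

Added example, not from the original post or from OpenVPN: inlines ca.crt,
<CLIENTNAME>.crt, <CLIENTNAME>.key and tls-auth.key into the .ovpn as
<ca>, <cert>, <key> and <tls-auth> blocks. Every PEM body and the server
host name below are constructed placeholders, not real key material.
"""
import re

# Directives that point at external files and the inline tag that replaces them.
INLINE_TAGS = {"ca": "ca", "cert": "cert", "key": "key", "tls-auth": "tls-auth"}

# Matches one PEM-style block (certificate, private key or OpenVPN static key).
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----.*?-----END [^-]+-----", re.S)

# Constructed sample profile in the shape of OpenVPN's sample client.ovpn
# after the edits in step 10 of the post. vpn.example.com is a placeholder.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.com 1194
remote-cert-tls server
cipher AES-256-CBC
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth tls-auth.key 1
verb 3
"""

# Constructed stand-ins for the five files from step 11; real ones hold
# base64 data. laptop.crt shows the text dump easy-rsa writes before the PEM.
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...CA...\n-----END CERTIFICATE-----\n",
    "laptop.crt": ("Certificate:\n    Data:\n        Subject: CN=laptop\n"
                   "-----BEGIN CERTIFICATE-----\nMIIB...LAPTOP...\n-----END CERTIFICATE-----\n"),
    "laptop.key": "-----BEGIN PRIVATE KEY-----\nMIIE...KEY...\n-----END PRIVATE KEY-----\n",
    "tls-auth.key": ("#\n# 2048 bit OpenVPN static key\n#\n"
                     "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n"
                     "-----END OpenVPN Static key V1-----\n"),
}


def pem_only(text):
    """Return only the PEM block(s) of a file, dropping any leading text dump."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found")
    return "\n".join(b.strip() for b in blocks)


def unify(profile, files):
    """Return a unified profile: file directives replaced by inline blocks.

    files maps each file name as written in the profile to its contents.
    'tls-auth <file> 1' becomes a <tls-auth> block plus 'key-direction 1';
    the direction cannot be expressed inside the tag itself.
    """
    kept, inline = [], []
    for line in profile.splitlines():
        parts = line.split()
        directive = parts[0] if parts else ""
        if directive not in INLINE_TAGS or len(parts) < 2:
            kept.append(line)  # comments (# / ;) and other directives pass through
            continue
        name = parts[1]
        if name not in files:
            raise KeyError("profile references %s but it was not supplied" % name)
        tag = INLINE_TAGS[directive]
        inline.append("<%s>\n%s\n</%s>" % (tag, pem_only(files[name]), tag))
        if directive == "tls-auth":
            if len(parts) < 3:
                raise ValueError("tls-auth line has no key direction")
            kept.append("key-direction %s" % parts[2])
    return "\n".join(kept + inline) + "\n"


def external_files(profile):
    """List file names a profile still loads from disk; empty once unified."""
    names = []
    for line in profile.splitlines():
        parts = line.split()
        if parts and parts[0] in INLINE_TAGS and len(parts) >= 2:
            names.append(parts[1])
    return names


if __name__ == "__main__":
    print(unify(SAMPLE_PROFILE, SAMPLE_FILES))
```

The unified file replaces all five files on the client, so it now contains the client's private key: treat it with the same care as <CLIENTNAME>.key, and do not mail it around in the clear.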
 
Thanks for your post!

Question though: Why go through all this if the router generates its own keys?

Just checking to see which path to follow with my new set-up..
 

IMO, the biggest limitation of the GUI auto-generated files is that all concurrent OpenVPN clients share a *single* OpenVPN client cert. That's fine assuming you only intend to support one OpenVPN client, or all the concurrently active OpenVPN clients are effectively the same user. But under normal conditions, you typically want each unique user to have their own client cert w/ its own unique CN (Common Name). Just as you do when using private/public keypairs w/ SSH.

The reason the GUI reuses the same client cert is for convenience. And it gets away w/ it because in addition to the client cert, authentication typically includes username/password as well. IOW, users can be disambiguated based on username, rather than the more secure client cert. But that's like using private/public keypairs w/ SSH *and* requiring a username/password as well, something you don't see because SSH requires YOU to create the private/public keypairs. SSH doesn't care if that's inconvenient; you're expected to create as many private/public keypairs as necessary for your users.

In short, to rely on a shared cert is less secure, since you're really depending on the username/password to disambiguate users. Under normal conditions, you would NOT do it this way. It's just an artifact of how the GUI simplifies the process for you. But like most conveniences, it can mean a less secure configuration.

BTW, use of a shared cert also means that if any one OpenVPN client machine's client cert is compromised (e.g., lost or stolen), you'd have to issue a new shared cert for ALL your users! Had they their own unique client cert, only that one user would have to have their current cert revoked and issued a new cert. Again, in the simplest case of only one user, NOT a big deal. But for multiple user situations, sharing a cert is best avoided. Of course, it's also possible to not require a client cert AT ALL, and only rely on username/password exclusively. NOT recommended, but in that case, all of the concerns expressed above are moot.
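eibgrad's point above is that one cert per user, each with its own CN, is what lets you revoke a single lost device instead of re-issuing for everyone. The script below is an added example, not code from the thread or from easy-rsa: it reads the CA database easy-rsa keeps at easy-rsa-CA/pki/index.txt (the OpenSSL index format, one tab-separated line per cert: status, expiry, revocation date, serial, file name, subject DN) and reports, per CN, which certs are live, revoked or expired. It flags any CN with more than one live cert, which is where you end up if a replacement cert is issued for a lost device without revoking the old one. The index lines embedded in it are constructed samples, not a real CA database.

```python
"""Audit an easy-rsa CA database (pki/index.txt) for per-client certificates.

Added example, not from the thread or from easy-rsa. Parses the OpenSSL-style
index.txt that easy-rsa maintains in easy-rsa-CA/pki and groups certificates
by Common Name. The sample lines below are constructed, not a real CA.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample index.txt. Columns: status (V valid / R revoked /
# E expired), expiry, revocation date (empty unless revoked), serial,
# file name ("unknown" for easy-rsa), subject DN.
SAMPLE_INDEX = (
    "V\t330601120000Z\t\t01\tunknown\t/CN=server\n"
    "V\t330601120000Z\t\t02\tunknown\t/CN=laptop\n"
    "R\t330601120000Z\t230115093000Z\t03\tunknown\t/CN=phone\n"
    "V\t330601120000Z\t\t04\tunknown\t/CN=laptop\n"
    "V\t200101000000Z\t\t05\tunknown\t/CN=old-tablet\n"
)


def parse_asn1_time(value):
    """Parse the YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ timestamps OpenSSL writes."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per certificate recorded in index.txt."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("unexpected index.txt line: %r" % line)
        status, expiry, revoked, serial, _filename, subject = fields
        cn = next((p[3:] for p in subject.split("/") if p.startswith("CN=")), None)
        if cn is None:
            raise ValueError("no CN in subject %r" % subject)
        entries.append({
            "status": status,
            "expires": parse_asn1_time(expiry),
            # A revocation field may carry ",reason" after the date.
            "revoked": parse_asn1_time(revoked.split(",")[0]) if revoked else None,
            "serial": serial,
            "cn": cn,
        })
    return entries


def audit(entries, now=None):
    """Group serials by CN into live / revoked / expired and flag duplicate live CNs."""
    now = now or datetime.now(timezone.utc)
    live, revoked, expired = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in entries:
        if e["status"] == "R" or e["revoked"] is not None:
            revoked[e["cn"]].append(e["serial"])
        elif e["status"] == "E" or e["expires"] <= now:
            expired[e["cn"]].append(e["serial"])
        else:
            live[e["cn"]].append(e["serial"])
    # Two live certs under one CN means a lost device's cert was never revoked.
    duplicates = {cn: serials for cn, serials in live.items() if len(serials) > 1}
    return {
        "live": dict(live),
        "revoked": dict(revoked),
        "expired": dict(expired),
        "duplicate_live_cn": duplicates,
    }


def run_sample():
    """Audit the constructed sample database."""
    return audit(parse_index(SAMPLE_INDEX))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

Against a real CA, run `audit(parse_index(open("pki/index.txt").read()))` from the easy-rsa-CA directory. After `./easyrsa revoke <CLIENTNAME>` the entry's status flips to R, and `./easyrsa gen-crl` writes pki/crl.pem; the server only enforces the revocation once it is given that CRL via crl-verify. Note also that an OpenVPN server without `duplicate-cn` allows only one active session per CN, which is another reason the shared-cert shortcut needs special handling.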
 
1. I suppose it might be useful if someone were to update the wiki for uploading multiple client certs/keys, for both servers.
2. I confess my sins: I use only one set of certs/keys for both servers and all clients. The certs/keys are not shared with anyone but me and are the principal security device. I also use user/password authentication. In my case, the clients are all me, and are disambiguated by username in order that different configurations can be applied, and these are primarily routing rules for local networks, or not. (@eibgrad has a ton of posts here showing how to do this.) I also apply different configurations on the client side with different clients. I recognize that I might have to regenerate and repopulate certificates if a device is lost (not hard), but if I were fully to disambiguate based on certs, I would have something on the order of 8 different cert/key combos. Or maybe 24. I can't keep that number straight, particularly given the weirdness of my Chromebooks. This way, I just have one.
3. It might be an interesting exercise if someone were to create an add-in router page to manage certs for different users, automating this plus point #1. Maybe also with client-side options.
 
