OpenVPN server - regenerating certificate/keys issue

ArronF

I have the RT-87U router, flashed with Merlin all works fine. I am looking at the openVPN server and I do not know if I have discovered a bug but, when I create the server the certificates and keys are generated, this all works fine.

I have tried creating my own certificates and keys and have found the following
- When copying through the WEBGUI which is the only way to make it save (as opposed to the /tmp/openVPN through winscp) that through chrome it produces a load of ^M.
- The new server certificate is larger than the field box allows me to enter the data in so I am unable to paste the whole key
- If I somehow put the data in (whether it has ^M or not) into these text fields, I have noticed that the router can crash and then I am unable to log in, and it seems to get stuck in either a reboot cycle or stops me logging in where the VPN server is causing some sort of issue with incorrect certificate/key data

What I need to know is the following
1) Is there an easy way to get the router to just re-generate the keys from scratch without re-flashing and hopefully without having to create my own ideally producing a complete new set
2) Someone suggested going into the jffs partition deleting the files but then said there were issues with the login passwords not taking (in another thread), is this still true, has this been fixed I have not enabled the JFFS partition as of yet
3) If I am needing to go through the Easy-RSA and paste the keys through the webGUI how do I deal with the characters being larger than the 3499 limit
4) Out of interest if someone was able to take the clientOPN file and we use the 2 layer security thus requiring a username/password, how easy is this for someone to hack/find?

Any help is appreciated thanks
 
I have the RT-87U router, flashed with Merlin all works fine. I am looking at the openVPN server and I do not know if I have discovered a bug but, when I create the server the certificates and keys are generated, this all works fine.

I have tried creating my own certificates and keys and have found the following
- When copying through the WEBGUI which is the only way to make it save (as opposed to the /tmp/openVPN through winscp) that through chrome it produces a load of ^M.

That tends to happen if you paste from a Windows-formatted text file.

Asus has been doing a lot of tweaking recently to pre-processing of pasted key/certs. Once I merge the next GPL I will see if that preprocessing is sufficient or not (I don't remember if they handle both CR+LF or just one of the two).

- The new server certificate is larger than the field box allows me to enter the data in so I am unable to paste the whole key

The field is large enough to handle a certificate up to 4096 bits. Make sure you read the notice at the top which says to ONLY paste the content between the BEGIN/END lines (including these two lines).

And if you are generating a certificate stronger than 4096-bit - don't. It's over the top, and completely overkill especially for a low-powered router.

1) Is there an easy way to get the router to just re-generate the keys from scratch without re-flashing and hopefully without having to create my own ideally producing a complete new set

Stop the OpenVPN server, and erase all existing key/certificates. On first start, the router will generate new ones automatically.

2) Someone suggested going into the jffs partition deleting the files but then said there were issues with the login passwords not taking (in another thread), is this still true, has this been fixed I have not enabled the JFFS partition as of yet

The firmware automatically does this now since 378.55.

3) If I am needing to go through the Easy-RSA and paste the keys through the webGUI how do I deal with the characters being larger than the 3499 limit

Make sure you only paste what you are supposed to.
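The two points in the reply above (paste only the BEGIN/END block, and avoid Windows line endings) can be checked before pasting. This is an added example, not part of the original posts or the firmware: the function name `prepare_for_paste` is hypothetical, the 3499-character limit is the figure quoted in the question, and the sample input is constructed.

```python
import base64
import re

# Field limit quoted by the poster in this thread; an assumption here,
# adjust it for the firmware actually in use.
FIELD_LIMIT = 3499

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL
)


def prepare_for_paste(raw: str, limit: int = FIELD_LIMIT) -> str:
    """Return the single PEM block found in raw, normalised for pasting."""
    # CR+LF and lone-CR line endings both end up as ^M on the router.
    text = raw.replace("\r\n", "\n").replace("\r", "\n")
    blocks = list(PEM_BLOCK.finditer(text))
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one PEM block, found {len(blocks)}")
    label, body = blocks[0].group(1), blocks[0].group(2)
    # Strip stray whitespace, then confirm the body really is base64.
    lines = [ln.strip() for ln in body.split("\n") if ln.strip()]
    try:
        base64.b64decode("".join(lines), validate=True)
    except ValueError as exc:
        raise ValueError(f"{label} body is not valid base64: {exc}") from exc
    cleaned = "\n".join(
        [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
    )
    if len(cleaned) > limit:
        raise ValueError(f"{label} is {len(cleaned)} chars, over limit {limit}")
    return cleaned


# Constructed sample: placeholder bytes (not a real certificate) with CR+LF
# endings and a text dump above the BEGIN line.
_body = base64.encodebytes(
    b"constructed placeholder bytes, not a real certificate " * 3
).decode().strip()
SAMPLE = (
    "Certificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    + _body.replace("\n", "\r\n")
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(prepare_for_paste(SAMPLE))
```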
 
Thanks for your reply. Just so I am aware, when you say erase all existing key/certificates, do you mean through the webGUI delete everything in all the boxes then turn VPNserver off and on again? If this is not the case, what is the best way of doing this? Currently I have not looked at the JFFS partition or enabled it; are there any precautions I should take when starting to look at this area?

Also when you said only paste what you're supposed to, they generate a server certificate already, does this mean it's not possible to replace this if only pasting at the BEGIN/END parts.
 
Thanks for your reply. Just so I am aware, when you say erase all existing key/certificates, do you mean through the webGUI delete everything in all the boxes then turn VPNserver off and on again? If this is not the case, what is the best way of doing this? Currently I have not looked at the JFFS partition or enabled it; are there any precautions I should take when starting to look at this area?

Do it in the order I posted: turn the server off before clearing the content of all OpenVPN key/cert fields.

Also when you said only paste what you're supposed to, they generate a server certificate already, does this mean it's not possible to replace this if only pasting at the BEGIN/END parts.

I don't understand your question, sorry. Who are "they"?
 
Thank you for the advice and the correct order. I enabled the JFFS (did not see a reason to format it for this purpose) I assume this is correct.

Deleted the files inside OpenVPN and then like you said it re-created them.
 