OpenVPN server setup on 378.56_2


vnangia

Senior Member
Hello folks, I've followed the instructions here to generate the keys on the router itself. This is the list of files that is generated after walking through that procedure for three clients, an HMAC PSK and encrypting the keys using 3des for Android and iOS use (openssl rsa -in Client1.key -des3 -out Client1.3des.key):
Code:
01.pem
02.pem
03.pem
04.pem
Client1.3des.key
Client1.crt
Client1.csr
Client1.key
Client1.ovpn
Client2.3des.key
Client2.crt
Client2.csr
Client2.key
Client2.ovpn
Server1.crt
Server1.csr
Server1.key
Client3.3des.key
Client3.crt
Client3.csr
Client3.key
Client3.ovpn
ca.crt
ca.key
dh2048.pem
hmacpsk.key
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
serial
serial.old

Now according to the documentation here, there should be a folder in the jffs partition for me to store the updated files. This folder doesn't exist, but there is a folder under /jffs called openvpn which has the following:
Code:
vpn_crt_server1_ca
vpn_crt_server1_ca_key
vpn_crt_server1_client_crt
vpn_crt_server1_client_key
vpn_crt_server1_crt
vpn_crt_server1_dh
vpn_crt_server1_key

Which brings up a few questions:
1. Where do I put the actual keys that I generated? Should I rename them to match and put them in /jffs/openvpn folder? If so, which key is which?
2. How do I have more than one client? It seems the format of the /jffs/openvpn folder precludes more than one client.

Advice and guidance appreciated - thank you in advance.
 
Enter them through the webui.

The client keys and certs do not go on the router, they only go on your clients.
 
Enter them through the webui.
Thanks, found the webui. Can I confirm the following files match up with the WebUI:
Static Key - HMACPSK.key
Certificate Authority - ca.key
Server Certificate - Server1.crt
Server Key - Server1.key
Diffie Hellman parameters - dh.pem
 
Certificate Authority - ca.key

No. CA must be a certificate, not a key. The key should ideally be kept outside of your router, for security reasons, as it's used to sign new client certificates.
 
Enter them through the webui.

The client keys and certs do not go on the router, they only go on your clients.

What is the best way to update the server certs without using webui? I am having a nightmarish time with carriage returns.
 
What is the best way to update the server certs without using webui? I am having a nightmarish time with carriage returns.

They are now stored in the JFFS partition, so you can update them using WinSCP or any other SSH/SCP method of your choosing.
 
Did you specifically want to set up your certs and keys this way rather than to export the .ovpn config file (which, as if by magic, has everything you need inside) from your router to your clients? In the case of an Apple device that transfer can be done with the iTunes program in Windows.

[VPN page in gui > OpenVPN Servers tab > Export button, only after you have taken care of, and applied, any relevant settings in the Advanced VPN Settings page (selection General/Advanced) above the Export button]

It has been made so easy that anyone who has done this before, say, with DDWRT or similar, finds it almost impossible to believe that what previously took several hours to sort out (if you were lucky), now takes just a few minutes.
 
Did you specifically want to set up your certs and keys this way rather than to export the .ovpn config file (which, as if by magic, has everything you need inside) from your router to your clients? In the case of an Apple device that transfer can be done with the iTunes program in Windows.

[VPN page in gui > OpenVPN Servers tab > Export button, only after you have taken care of, and applied, any relevant settings in the Advanced VPN Settings page (selection General/Advanced) above the Export button]

It has been made so easy that anyone who has done this before, say, with DDWRT or similar, finds it almost impossible to believe that what previously took several hours to sort out (if you were lucky), now takes just a few minutes.

Export for clients works fine. I was looking for a pure command line way to set up my custom certs for the server. No copy/paste required into webui. Sequence like 1-stop openvpn server, 2-copy certs and keys to /jffs/openvpn/* and preserve filenames, 3-start openvpn server. Would that work?
 
Ah, you didn't say you deliberately wanted to make your life difficult :). I'm not sufficiently qualified to comment on your proposals, but there are many who do that sort of thing before breakfast and who'll probably give you sound guidance.
 
Ah, you didn't say you deliberately wanted to make your life difficult :). I'm not sufficiently qualified to comment on your proposals, but there are many who do that sort of thing before breakfast and who'll probably give you sound guidance.

Actually, I was thinking I might make life a bit simpler by avoiding problems with special characters/carriage returns if I could skip a copy/paste step in the webui. Anyway, my setup is working fine thanks to Merlin's excellent software and the great documentation in these forums. Thanks.
 
Avoiding the problems special characters can bring (other than in website passwords) is really a very smart move.

I don't mean to insult you, but on carriage returns etc, (assuming you are using Windows) are you using that marvellous text editor, Notepad++, and setting the edit/format mode to UNIX (rather than using Windows' native Notepad or similar)? As I say, I don't mean to insult you given your obvious level of knowledge, but it's just possible you got there having missed out on Notepad++.
 
Export for clients works fine. I was looking for a pure command line way to set up my custom certs for the server. No copy/paste required into webui. Sequence like 1-stop openvpn server, 2-copy certs and keys to /jffs/openvpn/* and preserve filenames, 3-start openvpn server. Would that work?

It should, in theory.
 
Avoiding the problems special characters can bring (other than in website passwords) is really a very smart move.

I don't mean to insult you, but on carriage returns etc, (assuming you are using Windows) are you using that marvellous text editor, Notepad++, and setting the edit/format mode to UNIX (rather than using Windows' native Notepad or similar)? As I say, I don't mean to insult you given your obvious level of knowledge, but it's just possible you got there having missed out on Notepad++.

No worries, and no Windows in my world. I was trying various combinations and permutations of OSX client with its native TextEdit app, then TextWrangler (also OSX). Certs and keys were on a Samba-shared USB key accessed by OSX Finder. Switched to an openSUSE Linux client and a few apps there, incl. their KDE text editor, bash terminal and vi. Was never completely happy with the webui copy/paste result. The sequence 1-stop openvpn server, 2-copy certs and keys to /jffs/openvpn/* (preserve destination filenames), 3-start openvpn server seems to have worked btw :).
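A script that carries out the stop/copy/start sequence the last posts describe, while checking that each file is the kind its destination expects (the ca.key vs ca.crt mix-up corrected earlier) and stripping the carriage returns that caused the copy/paste trouble. This is an added example, not code from the thread or from the Merlin firmware: it assumes the vpn_crt_server1_* filenames listed in the first post, keeps the CA private key off the router as advised, and takes `service stop_vpnserver1` / `service start_vpnserver1` as the firmware's service commands; the source path /tmp/mnt/usb/easyrsa is a constructed placeholder.

```shell
#!/bin/sh
# Stage OpenVPN server material into /jffs/openvpn without the webui.
# SRC: where the files generated on the router were left (constructed path).
SRC="${OVPN_SRC:-/tmp/mnt/usb/easyrsa}"
DST="${OVPN_DST:-/jffs/openvpn}"

# Classify a PEM-style file by its header: cert, key, dh, static or unknown.
pem_kind() {
    if   grep -q -- '-----BEGIN CERTIFICATE-----' "$1";        then echo cert
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1";      then echo key
    elif grep -q -- '-----BEGIN DH PARAMETERS-----' "$1";      then echo dh
    elif grep -q -- '-----BEGIN OpenVPN Static key V1-----' "$1"; then echo static
    else echo unknown; fi
}

# Succeeds if the file contains any carriage return (Windows/Mac line endings).
has_cr() { grep -q "$(printf '\r')" "$1"; }

# stage_file <src> <dst> <expected kind>: refuse the wrong kind of file
# (e.g. a private key where the CA certificate belongs), then write a
# CR-free, owner-only copy under the filename the firmware expects.
stage_file() {
    kind=$(pem_kind "$1")
    if [ "$kind" != "$3" ]; then
        echo "refusing $1: looks like '$kind', expected '$3'" >&2
        return 1
    fi
    tr -d '\r' < "$1" > "$2" && chmod 600 "$2"
}

# The full sequence: stop the server, stage the four server-side files,
# start it again. ca.key and the Client*.{crt,key} files are deliberately
# not copied: they belong on the signing machine and the clients, not here.
install_server1() {
    service stop_vpnserver1                      # assumed firmware rc command
    stage_file "$SRC/ca.crt"      "$DST/vpn_crt_server1_ca"  cert &&
    stage_file "$SRC/Server1.crt" "$DST/vpn_crt_server1_crt" cert &&
    stage_file "$SRC/Server1.key" "$DST/vpn_crt_server1_key" key  &&
    stage_file "$SRC/dh2048.pem"  "$DST/vpn_crt_server1_dh"  dh
    rc=$?
    service start_vpnserver1                     # assumed firmware rc command
    return $rc
}

# Only touch the router when explicitly asked: ./stage_ovpn.sh --install
case "${1:-}" in --install) install_server1 ;; esac
```

The static (HMAC) key is left to the webui field above because its /jffs filename is not in the listing posted earlier.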
 