
[SOLVED] OpenVPN server advanced settings

Discussion in 'Asuswrt-Merlin' started by zd59, Jun 16, 2019.

  1. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    AsusWRT-Merlin on RT-AC86U

    Need help configuring an OpenVPN server with my own handshake keys and certificates generated with the EasyRSA-v3.0.6 scripts on a Windows machine.
    I'm not a VPN expert, so I do not know how to configure an OpenVPN server.


    The scripts generated certs and keys in steps 2-4:
    Code:
    EasyRSA-v3.0.6 key generator
    
    1.)----------------------------------------------------
    # ./easyrsa init-pki
    Your newly created PKI dir is: d:/EasyRSA-v3.0.6/pki
    
    
    2.)----------------------------------------------------
    # ./easyrsa build-ca
    Your new CA certificate file for publishing is at:
    d:/EasyRSA-v3.0.6/pki/ca.crt
    
    
    3.)----------------------------------------------------
    # ./easyrsa gen-req Asus
    Keypair and certificate request completed. Your files are:
    req: d:/EasyRSA-v3.0.6/pki/reqs/Asus.req
    key: d:/EasyRSA-v3.0.6/pki/private/Asus.key
    
    
    4.)----------------------------------------------------
    # ./easyrsa sign-req client  Asus
    UWrite out database with 1 new entries
    Data Base Updated
    
    Certificate created at: d:/EasyRSA-v3.0.6/pki/issued/Asus.crt

    I wish to configure the OpenVPN server secured with the keys and certs generated above. When establishing the VPN tunnel, the client asks for the password of the encrypted key generated above. This is the only way the server asks a client for user verification.
    The interface type must be TAP, to ease the connected clients' networking.
    When I click on "Edit" at advanced settings "Keys and Certificates", a new window opens with manual keys and certificates paste options (from top to bottom):
    a. Static Key
    b. Certificate Authority
    c. Server Certificate
    d. Server Key
    e. Diffie Hellman ...
    f. Certificate Revocat..
    g. Extra Chain Cert..
    (Attached picture)
    I do not know which of the keys/certs generated in steps 2-4 above (four of them) are pasted into which of the configuration fields, the first four lines (a.-d.)?

    I cannot find any description for the above elsewhere, so please help.
     


  2. wrx28

    wrx28 Occasional Visitor

    Joined:
    Jul 28, 2013
    Messages:
    11
    Location:
    UK
    Copy to router:

    static key - ta.key
    certificate authority - ca.crt
    server certificate - Asus.crt
    server key - Asus.key
    diffie hellman - dh.pem

    Regards
     
  3. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Thanks wrx28!

    In my first post I pointed out that the certificates were created with the (hard to find) EasyRSA-v3.0.6 Windows scripts. That was because they support the recent libOpenSSL (1.1.x) which OpenVPN uses. Regular EasyRSA for Windows supports only older libOpenSSL.
    So the created keys/certificates do not include a dh.pem file.
    As I copy/pasted the created keys/certificates into the corresponding places you suggested, the router refused all except the first one (ca.key). They were entered as instructed:
    For instance:



    I'm confused. Not sure whether Asus accepts data created with the EasyRSA-v3.0.6 Windows scripts, or there is some other problem.

    Has anyone successfully entered certificates/keys manually this way?
     
  4. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    When you copied and pasted, how did you do it? The problem isn’t the simple glitch of editing using something like Windows Notepad instead of using, say, Notepad++ set to Unix formatting?
     
  5. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Good point!
    I have txt files (certs & keys) on a USB key. All copy/paste was done in Linux, but I'm afraid the end of line was the problem.
    Do I have to convert the files to one line only, or convert CR & LF to Unix style?
    Notepad++ is my default text editor in Windows; it can simply edit or convert files to Linux style.
     
  6. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,051
    Location:
    United Kingdom
    I can’t speak with authority on whether or not it has to be one line. From my experience, I have only converted the CR LF, and never bothered about whether or not it was a single line.
     
  7. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Bingo!

    All keys converted to Unix were accepted.

    But now:
    I wish that at client start it asks me to enter a password for key decryption. Looks like I also created the server cert with a password.
    Do I have to create it with a blank password (it asks for one)?
     
  8. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,280
    Location:
    The Land of Smiles
    Does this solution help?
     
  9. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    No. No TTY to enter the password.
    How to configure OpenVPN to have passwordless server certs/keys while the client uses a private key with a password?

    ca.crt cannot be built without a password (logical).
    Now the question is: how to start the OpenVPN server with a password-protected crt without entering one? The Asus router is a headless machine.
     
    Last edited: Jun 18, 2019
  10. wrx28

    wrx28 Occasional Visitor

    Joined:
    Jul 28, 2013
    Messages:
    11
    Location:
    UK
    Maybe have a look at https://www.sys-dev.cat/blog/3/, I don't know the differences between running EasyRSA3 on linux or windows, I ran linux and used ./easyrsa build-ca nopass, copied required files to router, built client files and copied these to each client.
     
  11. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Must I create both keys with the nopass option? Then the client will not ask for one.
    On Netgear I created the private key with a password, the service started and the client asked for a password.
     
  12. wrx28

    wrx28 Occasional Visitor

    Joined:
    Jul 28, 2013
    Messages:
    11
    Location:
    UK
    Yes, I used these commands,

    ./easyrsa gen-req CLIENTNAME nopass
    ./easyrsa sign-req client CLIENTNAME

    worked for me.
     
  13. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Thanks, server finally up!

    As I wrote, I'm not a VPN expert, and now I'm stuck on the client side.
    Fetched client.ovpn contains last part:
    When creating cert/key files with easy-rsa, server-side files were created.
    How do I create the corresponding client cert and key files that the server will trust?

    Another question:
    OpenVPN advanced settings:

    TLS control channel security is disabled.
    If I enable it by selecting any option, the server fails to start:
    I wish to enable it, to improve security.
    What's missing in the static.key file to enable it? This must be added somehow when creating a key with easy-rsa.
     
  14. wrx28

    wrx28 Occasional Visitor

    Joined:
    Jul 28, 2013
    Messages:
    11
    Location:
    UK
    Go back to your easy-rsa and create the client files for each client, crt and key and copy to the ovpn file. Check you created/copied the ta.key correctly for the static key.
     
  15. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    Thanks a lot.
    ta.key - you mean ca.key?

    Now I followed the README txt to the letter for creating certs/keys and it works.
    The new version EasyRSA-v3.0.6 does not include a manual for client-side certs/keys creation.

    To enhance security, I wish to set "TLS control channel security".
    Server failed to start with error:
    What's missing?
     
  16. wrx28

    wrx28 Occasional Visitor

    Joined:
    Jul 28, 2013
    Messages:
    11
    Location:
    UK
    Your error is in file 'static key', as far as I'm aware that's a file created in easyrsa3 called ta.key which you paste to the static key field in the advanced settings of the vpn server setup, created by the command - openvpn --genkey --secret ta.key (in linux at least) so I'd start with checking that.
     
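    The three things that tripped up the server setup in this thread (CRLF line endings in pasted PEM files, posts 4 to 7; a passphrase-protected server key that a headless router cannot unlock, posts 9 to 12; and the Static Key field expecting the ta.key produced by openvpn --genkey --secret ta.key, posts 15 to 16) can all be checked before anything is pasted into the router. The following checker is an added example, not code from the thread, from Asuswrt-Merlin or from EasyRSA. The field-to-file mapping follows wrx28's reply above; the sample PEM blobs at the bottom are constructed placeholders, not real key material.

```python
import re

# Router field for each PEM label, following the mapping wrx28 gave in the
# thread (ta.key, ca.crt, Asus.crt, Asus.key, dh.pem).  "CERTIFICATE" covers
# both the CA and the server certificate; the PEM label alone cannot tell them
# apart, so both field names are listed.
FIELD_FOR_LABEL = {
    "OpenVPN Static key V1": "Static Key (ta.key)",
    "CERTIFICATE": "Certificate Authority (ca.crt) or Server Certificate (Asus.crt)",
    "PRIVATE KEY": "Server Key (Asus.key)",
    "RSA PRIVATE KEY": "Server Key (Asus.key)",
    "EC PRIVATE KEY": "Server Key (Asus.key)",
    "ENCRYPTED PRIVATE KEY": "Server Key (Asus.key)",
    "DH PARAMETERS": "Diffie Hellman (dh.pem)",
    "X509 CRL": "Certificate Revocation List",
}

# One PEM block: the END label must repeat the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.DOTALL)


def has_windows_line_endings(text: str) -> bool:
    """True if any carriage return is present (CRLF from Windows editors, or bare CR)."""
    return "\r" in text


def normalize_line_endings(text: str) -> str:
    """Convert CRLF / CR to LF, the same result as Notepad++ 'EOL Conversion -> Unix'."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text if text.endswith("\n") else text + "\n"


def is_passphrase_protected(label: str, body: str) -> bool:
    """Detect a private key that would prompt for a passphrase when the server loads it."""
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 encrypted form
        return True
    return "Proc-Type: 4,ENCRYPTED" in body        # legacy OpenSSL PEM encryption header


def inspect_pem(text: str) -> dict:
    """Summarise what a blob contains and list anything that would make the router reject it."""
    report = {"windows_line_endings": has_windows_line_endings(text),
              "blocks": [], "problems": []}
    if report["windows_line_endings"]:
        report["problems"].append("CRLF line endings: convert to LF before pasting")
    clean = normalize_line_endings(text)
    for label, body in PEM_BLOCK.findall(clean):
        entry = {"label": label,
                 "field": FIELD_FOR_LABEL.get(label, "unknown: not an OpenVPN server field"),
                 "passphrase_protected": False}
        if "PRIVATE KEY" in label:
            entry["passphrase_protected"] = is_passphrase_protected(label, body)
            if entry["passphrase_protected"]:
                report["problems"].append(
                    "server private key is passphrase-protected: a headless router "
                    "cannot answer the prompt; re-issue it with 'easyrsa gen-req <name> nopass'")
        report["blocks"].append(entry)
    if not report["blocks"]:
        report["problems"].append("no PEM BEGIN/END block found")
    return report


# Constructed sample inputs (placeholders, not real key material): a certificate
# saved with Windows line endings, a legacy-format RSA key encrypted with a
# passphrase, and a tls-auth static key as produced by `openvpn --genkey`.
SAMPLE_CRLF_CERT = ("-----BEGIN CERTIFICATE-----\r\n"
                    "MIIBexampleCERTIFICATEbody\r\n"
                    "-----END CERTIFICATE-----\r\n")
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                        "Proc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
                        "\n"
                        "exampleENCRYPTEDkeybody\n"
                        "-----END RSA PRIVATE KEY-----\n")
SAMPLE_STATIC_KEY = ("-----BEGIN OpenVPN Static key V1-----\n"
                     "00112233445566778899aabbccddeeff\n"
                     "-----END OpenVPN Static key V1-----\n")

if __name__ == "__main__":
    for name, blob in [("cert", SAMPLE_CRLF_CERT), ("key", SAMPLE_ENCRYPTED_KEY),
                       ("ta", SAMPLE_STATIC_KEY)]:
        print(name, inspect_pem(blob))
```

    To run it on a real file, read it with open(path, newline="") so Python does not silently translate CRLF to LF before the check. One caveat not covered by the checker: a server certificate is normally issued with ./easyrsa sign-req server rather than sign-req client, because OpenVPN clients configured with remote-cert-tls server require the serverAuth extended key usage that only the server certificate type carries.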
  17. zd59

    zd59 Occasional Visitor

    Joined:
    Feb 13, 2017
    Messages:
    42
    The solution is here:
    https://openvpn.net/community-resources/static-key-mini-howto/

    As I implemented this, all settings of my OpenVPN server are solved.

    Thanks to all who helped me.

    How do I mark the thread "solved"?
     
  18. Xentrk

    Xentrk Part of the Furniture

    Joined:
    Jul 21, 2016
    Messages:
    2,280
    Location:
    The Land of Smiles
    Since you are the OP of the thread, you will see an option to edit the post title. Add the word [SOLVED] at the beginning.