[SOLVED] OpenVPN server advanced settings


zd59

Regular Contributor
AsusWRT-Merlin on RT-AC86U

Need help to configure an OpenVPN server with my own handshake keys and certificates generated with the EasyRSA-v3.0.6 scripts on a Windows machine.
I'm not a VPN expert, so I do not know how to configure an OpenVPN server.

The scripts generated certs and keys at points 2-4:
Code:
EasyRSA-v3.0.6 key generator

1.)----------------------------------------------------
# ./easyrsa init-pki
Your newly created PKI dir is: d:/EasyRSA-v3.0.6/pki


2.)----------------------------------------------------
# ./easyrsa build-ca
Your new CA certificate file for publishing is at:
d:/EasyRSA-v3.0.6/pki/ca.crt


3.)----------------------------------------------------
# ./easyrsa gen-req Asus
Keypair and certificate request completed. Your files are:
req: d:/EasyRSA-v3.0.6/pki/reqs/Asus.req
key: d:/EasyRSA-v3.0.6/pki/private/Asus.key


4.)----------------------------------------------------
# ./easyrsa sign-req client  Asus
UWrite out database with 1 new entries
Data Base Updated

Certificate created at: d:/EasyRSA-v3.0.6/pki/issued/Asus.crt

I wish to configure the OpenVPN server secured with the keys and certs generated above. When establishing the VPN tunnel, the client asks for the password of the encrypted key generated above. This is the only way the server asks a client for user verification.
The interface type must be TAP, to ease networking for connected clients.
When I click on "Edit" at advanced settings "Keys and Certificates", a new window opens with manual paste fields for keys and certificates (from top to bottom):
a. Static Key
b. Certificate Authority
c. Server Certificate
d. Server Key
e. Diffie Hellman ...
f. Certificate Revocat..
g. Extra Chain Cert..
(Attached picture)
I do not know which of the four keys/certs generated at points 2-4 above are pasted into the first four fields (a.-d.) of the configuration?

I cannot find any description of the above elsewhere, so please help.
 

Attachment: VPN_SVR1_keys.jpg
Copy to router:

static key - ta.key
certificate authority - ca.crt
server certificate - Asus.crt
server key - Asus.key
diffie hellman - dh.pem

Regards
Thanks wrx28!

In the first post I pointed out that the certificates were created with the (hard to find) EasyRSA-v3.0.6 Windows scripts. That was because they support the recent libOpenSSL (1.1.x) which OpenVPN uses. Regular EasyRSA for Windows supports only older libOpenSSL.
So the created keys/certificates do not include a dh.pem file.
As I copy/pasted the created keys/certificates into the corresponding places you suggested, the router refused all except the first one (ca.key). They were entered as instructed:
-----BEGIN CERTIFICATE/KEY----- ...certificate or key text... -----END CERTIFICATE/KEY-----
For instance:
-----BEGIN CERTIFICATE-----
MIIEwTCCA6mgAwIBAgIJAKyJVQYmRv63MA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
and so on until
-----END CERTIFICATE-----

I'm confused. I'm not sure whether Asus accepts data created with the EasyRSA-v3.0.6 Windows scripts, or whether there is some other problem.

Has anyone successfully entered certificates/keys manually this way?
 
When you copied and pasted, how did you do it? The problem isn’t the simple glitch of editing using something like Windows Notepad instead of using, say, Notepad++ set to Unix formatting?
 
Good point!
I have txt files (certs & keys) on a USB key. All copy/paste was done in Linux, but I'm afraid the end of line was the problem.
Do I have to convert the files to one line only, or convert CR & LF to Unix style?
Notepad++ is my default text editor in Windows; it can simply edit or convert files to Linux style.
 
I can’t speak with authority on whether or not it has to be one line. From my experience, I have only converted the CR LF, and never bothered about whether or not it was a single line.
 
Bingo!

All keys converted to Unix line endings were accepted.

But now:
Jun 18 13:07:56 ovpn-server1[27282]: neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Jun 18 13:07:56 ovpn-server1[27282]: Exiting due to fatal error

I wish that at client start it asks me to enter a password for decrypting the key. It looks like I also created the server cert with a password.
Do I have to create it with a blank password (it asks for one)?
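Both problems in this exchange (CR bytes left over from Windows, and a passphrase-protected key pasted into a field the headless router cannot unlock) can be checked before pasting. This is an added sh example, not something posted in the thread; it assumes only POSIX tools (tr, grep, head, tail) and the PEM files in its comments are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): prepare PEM files for pasting into the
# router's "Keys and Certificates" fields. Assumes only POSIX tools.

# Drop CR bytes (Windows CRLF -> Unix LF) and blank lines; print to stdout.
pem_normalize() {
    tr -d '\r' < "$1" | grep -v '^[[:space:]]*$'
}

# Return 0 when the (normalized) file is exactly one BEGIN/END block whose
# labels match, e.g. "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----".
# A paste truncated before the END line, or two blocks in one field, fails.
pem_check() {
    first=$(head -n 1 "$1")
    last=$(tail -n 1 "$1")
    b=${first#-----BEGIN }; b=${b%-----}
    e=${last#-----END }; e=${e%-----}
    [ "$first" != "$b" ] && [ "$last" != "$e" ] && [ "$b" = "$e" ] &&
        [ "$(grep -c '^-----BEGIN ' "$1")" -eq 1 ]
}

# Say what the blob is. A headless router cannot answer "Enter Private Key
# Password:", so "encrypted-key" must not go into the Server Key field; the
# passphrase belongs on the client's key only.
pem_kind() {
    if grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                 -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key          # PKCS#8 encrypted, or legacy PEM with DEK-Info
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plain-key
    else
        echo unknown
    fi
}

# Usage: pem_normalize Asus.key > Asus_unix.key && pem_check Asus_unix.key && pem_kind Asus_unix.key
```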
 
Does this solution help?
 

No. There is no TTY to enter the password.
How do I configure OpenVPN to have passwordless server certs/keys while the client uses a private key with a password?

ca.crt cannot be built without a password (logical).
Now the question is: how do I start the OpenVPN server with a password-protected crt without entering one? The Asus router is a headless machine.
 
Maybe have a look at https://www.sys-dev.cat/blog/3/. I don't know the differences between running EasyRSA3 on Linux or Windows; I ran Linux and used ./easyrsa build-ca nopass, copied the required files to the router, built client files and copied these to each client.
 
Do I have to create both keys with the nopass option? Then the client will not ask for one.
On Netgear I created the private key with a password, the service started and the client asked for a password.
 
Yes, I used these commands,

./easyrsa gen-req CLIENTNAME nopass
./easyrsa sign-req client CLIENTNAME

worked for me.
 

Thanks, server finally up!

As I wrote, I'm not a VPN expert, and now I'm stuck on the client side.
The fetched client.ovpn contains this last part:
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
When creating the cert/key files with easy-rsa, the server side files were created.
How do I create the corresponding client cert and key files that the server will trust?

Another question:
OpenVPN advanced settings:

TLS control channel security is disabled.
If I enable it by selecting any of the options, the server fails to start:
Jun 18 22:20:00 ovpn-server1[31834]: Insufficient key material or header text not found in file 'static.key' (0/128/256 bytes found/min/max)
Jun 18 22:20:00 ovpn-server1[31834]: Exiting due to fatal error

I wish to enable it to improve security.
What's missing in the static.key file to enable it? This must be added somehow when creating a key with easy-rsa.
 
Go back to your easy-rsa and create the client files for each client, crt and key and copy to the ovpn file. Check you created/copied the ta.key correctly for the static key.
 

Thanks a lot.
ta.key - you mean ca.key?

Now I followed the README txt to the letter for creating certs/keys and it works.
The new version EasyRSA-v3.0.6 does not include a manual for client side certs/keys creation.

To enhance security, I wish to set "TLS control channel security".
The server failed to start with the error:
Insufficient key material or header text not found in file 'static.key' (0/128/256 bytes found/min/max)

What's missing?
 
Your error is in file 'static key'; as far as I'm aware that's a file created in easyrsa3 called ta.key, which you paste into the static key field in the advanced settings of the VPN server setup, created by the command openvpn --genkey --secret ta.key (in Linux at least), so I'd start with checking that.
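OpenVPN's "(0/128/256 bytes found/min/max)" is a count of the hex key bytes between the "-----BEGIN OpenVPN Static key V1-----" and "-----END OpenVPN Static key V1-----" lines; a PEM private key such as ca.key has no such header, so it counts as 0 and the tls-auth option fails. The snippet below is an added sh example, not from the thread or from OpenVPN, that performs the same count using only POSIX tools; the ta.key built in its comments is a constructed stand-in, not a real key.

```shell
#!/bin/sh
# Added example (not from the thread): mimic OpenVPN's check of a tls-auth
# static key so a bad "Static Key" paste can be diagnosed before starting the
# server. A real ta.key is produced by: openvpn --genkey --secret ta.key
# (2048 bits = 256 bytes, written as 16 lines of 32 hex digits).

STATIC_BEGIN='-----BEGIN OpenVPN Static key V1-----'
STATIC_END='-----END OpenVPN Static key V1-----'

# Print the number of key bytes (hex digits / 2) found between the header and
# footer lines; 0 when the header is absent (e.g. a PEM key was pasted).
static_key_bytes() {
    if ! grep -q "^$STATIC_BEGIN" "$1"; then
        echo 0
        return
    fi
    hex=$(tr -d '\r' < "$1" \
          | sed -n "/^$STATIC_BEGIN\$/,/^$STATIC_END\$/p" \
          | grep -v '^-----' \
          | tr -cd '0-9a-fA-F')
    echo $(( ${#hex} / 2 ))
}

# Report in OpenVPN's own wording and return 0 only when the key is usable:
# between 128 (min) and 256 (max) bytes, as in the router's error message.
static_key_check() {
    n=$(static_key_bytes "$1")
    echo "$n/128/256 bytes found/min/max"
    [ "$n" -ge 128 ] && [ "$n" -le 256 ]
}

# Usage: static_key_check ta.key   # prints e.g. "256/128/256 bytes found/min/max"
```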
 
