Stock Asus Firmware - OpenVPN Server setup guide

[ca509]

Hi,

could one maybe post a howto for the setup of an OpenVPN server with the original Asus firmware, not Merlins one?

I found some, eg https://www.privateinternetaccess.c...on/1125/asus-rt-ac66u-openvpn-setup-guide-/p1

But I'm not quite clear, why don't i need to generate CA files by myself but use predefined ones. Isn't that a security issue?


Thanks for all the help!

 

[sinshiva]

the CA cert+key is generated and then used to sign the private server and client keys/certs. to use their server with the key they generate for you, you need the server's CA.

it would be a security issue if they gave away their CA key, because then anybody could load it up and start generating keys, or be used to decrypt other people's data.

the cert is an assymetric (one-way) hash that acts kind of like the keyhole for the ca key as well as verifying other generated certs, etc

 

[ca509]

the CA cert+key is generated and then used to sign the private server and client keys/certs. to use their server with the key they generate for you, you need the server's CA.

it would be a security issue if they gave away their CA key, because then anybody could load it up and start generating keys, or be used to decrypt other people's data.

the cert is an assymetric (one-way) hash that acts kind of like the keyhole for the ca key as well as verifying other generated certs, etc

Could I generate these by myself? I just want to use my own router via OpenVPN remotely, nothing else.

 

[sinshiva]

yes, if you choose to roll your own server, you must generate the CA, a DH modulus, the cert/key for the server itself and another for each client you want to connect to the server

 

[ca509]

yes, if you choose to roll your own server, you must generate the CA, a DH modulus, the cert/key for the server itself and another for each client you want to connect to the server

Thanks for all your help. Do you have a tutorial to generate the files, I'm familiar with linux.

So basically i want to draft a howto for the stock Firmware to just act as a server and maybe make it sticky in this forum

 

[sinshiva]

tutorials are pretty easy to find; you generate everything via openssl, installed along with openvpn server. install openvpn server with all the options enabled in the installer, on any computer. obviously, this machine wont ultimately be the server, but that's how it works. keep your keys very, very safe. backup, etc. these are the types of keys that corporations and governments protect with armed guards, etc.

 

[ca509]

tutorials are pretty easy to find; you generate everything via openssl, installed along with openvpn server. install openvpn server with all the options enabled in the installer, on any computer. obviously, this machine wont ultimately be the server, but that's how it works. keep your keys very, very safe. backup, etc. these are the types of keys that corporations and governments protect with armed guards, etc.

Ok will try, thanks for your help!

If anyone has already done this, please post a howto otherwise I'll draft one!

 

[sinshiva]

not exactly a tutorial, but this is a thread detailing my server/client configurations and may be of use to you.

a tutorial would be good to see around here

[edit/] my config is running with tcp instead of udp, so your tun-mtu may be different. udp also has the benefit of much lower latency

 

[ca509]

not exactly a tutorial, but this is a thread detailing my server/client configurations and may be of use to you.

a tutorial would be good to see around here

[edit/] my config is running with tcp instead of udp, so your tun-mtu may be different. udp also has the benefit of much lower latency

Which thread?

 

[sinshiva]

http://forums.smallnetbuilder.com/showthread.php?t=13917

sorry about that, multitasking atm, poorly