Wiki
Clone wikirt-n56u / EN / HowToConfigureOpenvpnServer
How To Configure Bild-In OpenVPN On Asus RT-N56U/RT-N65U Routers
This firmware contains built-in OpenVPN (see Firmware Builds), which can be configured via Web Interface. This HowTo covers questions of certificates creation. Most of users experience problems with this process.
On this page:
First of all, let's assume that persons, who maintain applications on server and client side are two different people. You should never send authentication data in clear (human readable) form. And sensitive authentication data (such as private keys, etc) should not be sent to anybody at all!
Certificates may have different usage purposes, which can be set using certificate extensions. For example, if there is no CA extension in certificate, it can't be used for signature verification of other certificates.
Each side (both server and client) should have at least
- Private key.
- Certificate, signed by CA.
- Diffie–Hellman Key.
Optional (depends on server settings)
- TLS Authorization Key
Files purpose:
Filename | Needed By | Purpose | Secret |
---|---|---|---|
ca.crt | server + all clients | Root CA certificate | NO |
ca.key | key signing machine only | Root CA key | YES |
server.crt | server only | Server Certificate | NO |
server.key | server only | Server Key | YES |
client1.crt | client1 only | Client1 Certificate | NO |
client1.key | client1 only | Client1 Key | YES |
dh{n}.pem | server only | Diffie Hellman parameters | NO |
ta.key | server + all clients | tls-auth HMAC signature | YES |
Install Server Side Certificates
Common Algorithm
- Create CA certificate and private key
- Create server private key and certificate, signed by CA
- Create Diffie–Hellman Key
- Optional: Create TLS Key
Change directory to server certificate storage:
#!bash cd /etc/storage/openvpn/server
Create CA certificate and private key
#!bash openssl req -nodes -x509 -days 3650 -newkey rsa:2048 -outform PEM -out ca.crt -keyout ca.key -sha1
Note: Common Name field should not be blank!
If you don't want fill all fields by hands, you can use:
#!bash openssl req -nodes -x509 -days 365 -newkey rsa:2048 -outform PEM -out ca.crt -keyout ca.key -sha1 -subj '/CN=My OpenVPN CA'
#!bash openssl req -nodes -x509 -days 365 -new -outform PEM -out ca.crt -key ca.key -sha1 -subj '/CN=My OpenVPN CA'
Certificate content can be viewed with:
#!bash
openssl x509 -text -noout -in ca.crt
#!bash chmod 600 ca.key
Note: CA key (ca.key) is required only for CSR (certificate signing request) sign and most of time it not needed. It is very sensitive component. It is recommended to encrypt and/or put it to more secure storage.
#!bash openssl rsa -aes256 -in ca.key -out ca.key.aes mv ca.key.aes ca.key chmod 600 ca.key
Create server certificate
Let's create certificate signing request:
#!bash openssl req -nodes -days 365 -newkey rsa:2048 -outform PEM -out server.csr -keyout server.key -sha1 -subj '/CN=example.com'
#!bash
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -clrext -out server.crt -sha1
#!bash rm -f server.csr chmod 600 server.key
Create Diffie-Hellman Key
#!bash openssl dhparam -out dh1024.pem 1024
Optional: Create TLS Key
This key is required if TLS-Auth is set to 'Yes' in server settings.
#!bash openvpn --genkey --secret ta.key chmod 600 ta.key
To save changes to flash-memory on router:
#!bash
mtd_storage.sh save
Install Client Side Certificates
Common Algorithm
- Create client certificate signing request and send it to the CA (to server)
- Get signed certificate (client.crt), CA (ca.crt) and install them
- Optional: Get TLS key over a pre-existing secure channel (depends on server settings)
Create client certificate signing request and send it to the CA (to server)
Change directory to client certificate storage:
#!bash cd /etc/storage/openvpn/client
Let's create CSR:
#!bash openssl req -nodes -days 365 -newkey rsa:2048 -outform PEM -out client.csr -keyout client.key -sha1 -subj '/CN=client1.example.com' chmod 600 client.key
Get signed certificate (client.crt), CA (ca.crt) and install them
CA (ca.crt), client certificate (client.crt) and client key (client.key) should be installed: * Go to * Turn on VPN client * Change VPN protocol to OpenVPN * Open 'Certificates and Keys' tap and copy-paste all keys to fields Other client settings should be set according to server settings.
If TLS Key is encrypted (as written below) decrypt it with:
#!bash openssl smime -decrypt -aes-256-cbc -inform PEM -in ta.key.aes -inkey client.key -out ta.key chmod 600 ta.key
Add a Client
Common Algorithm
- Sign CSR from client (client.csr)
- Send signed certificate (client.crt), CA certificate (ca.crt) to client
- Optional: Send TLS Key (ta.key) over a pre-existing secure channel (depends on server settings)
Sign CSR from client (client.csr)
View CSR with:
#!bash
openssl req -text -noout -in client.csr
Sign a request:
#!bash
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -clrext -out client.crt -sha1
Send signed certificate (client.crt), CA certificate (ca.crt) to client
Files can be sent in clear form to client.
If it is required to access local network behind a client, you should add Common Name of this client to Username field in VPN Clients Accounts on .
In the example above client with Common Name = client1.example.com with be assigned with static ip address 192.168.111.23. Also routes will be added to access 172.20.21.0/24.
Note: Access to resources can be restricted by client.
Optional: Send TLS Key (ta.key) over a pre-existing secure channel (depends on server settings)
TLS Key can encrypted with client certificate. Only that client can decrypt it with client.key.
#!bash
openssl smime -encrypt -aes-256-cbc -in ta.key -outform PEM -out ta.key.aes client.crt
Creating Certificates Using Script
There is the script, which should help you:
#!bash
openvpn-cert.sh --help
How to Block Connection if one of certificates was compromised
It is useful to keep serial numbers of signed client certificates.
Let's create directory, where we will put such certificates:
#!bash
mkdir /etc/storage/openvpn/server/crl
#!bash
crl-verify /etc/storage/openvpn/server/crl dir
Let's assume we have a copy of that certificate (or we know its serial number).
#!bash openssl x509 -noout -serial -in client.crt serial=AA1E3C74A9D241D1 printf '%lu\n' 0xAA1E3C74A9D241D1 12258301707512070609 touch /etc/storage/openvpn/server/crl/12258301707512070609
Conclusion
I'd like to say that OpenVPN provides huge amount of opportunities. Its configuration is very flexible. Please find additional information in official documentation.
Updated