From b54d77527b0e6922b03fead40c4f94ccd8cbcc5f Mon Sep 17 00:00:00 2001 From: i12bretro <54692756+i12bretro@users.noreply.github.com> Date: Mon, 17 Jan 2022 19:50:31 -0500 Subject: [PATCH] 0284: Setting Up OpenWRT OpenVPN Server and Certificate Creation --- 0284.html | 238 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 238 insertions(+) create mode 100644 0284.html diff --git a/0284.html b/0284.html new file mode 100644 index 0000000..3b41975 --- /dev/null +++ b/0284.html @@ -0,0 +1,238 @@ + + + + Setting Up OpenWRT OpenVPN Server and Certificate Creation + + + + + + +
+
+
+

Setting Up OpenWRT OpenVPN Server and Certificate Creation

+
+
+
+

Create Required Certificates

+ +
    +
  1. Launch XCA
    2. +
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
    3. +
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
    4. +
  4. Select New
    5. +
  5. On the Source tab, make sure Use this Certificate for signing is selected
    6. +
  6. Verify your Intermediate CA certificate is selected from the drop down
    7. +
  7. Click the Subject tab
    8. +
  8. Complete the Distinguished Name section +

    internalName: OpenVPN Server
    + countryName: US
    + stateOrProvinceName: Virginia
    + localityName: Northern
    + organizationName: i12bretro
    + organizationUnitName: i12bretro Certificate Authority
    + commonName: vpn.i12bretro.local

    +
    9. +
  9. Click the Generate a New Key button
    10. +
  10. Enter a name and set the key size to at least 2048
    11. +
  11. Click Create
    12. +
  12. Click on the Extensions tab
    13. +
  13. Set the Type dropdown to End Endity
    14. +
  14. Check the box next to Subject Key Identifier
    15. +
  15. Update the validity dates to fit your needs
    16. +
  16. Click the Key Usage tab
    17. +
  17. Under Key Usage select Digital Signature and Key Encipherment
    18. +
  18. Under Extended Key Usage select TLS Web Server Authentication
    19. +
  19. Click the Netscape tab
    20. +
  20. Deselect all options and clear the Netscape Comment field
    21. +
  21. Click OK to create the certificate
    22. +
  22. Click on the Certificates tab, right click on your Intermediate CA certificate again
    23. +
  23. Select New
    24. +
  24. On the Source tab, make sure Use this Certificate for signing is selected
    25. +
  25. Verify your Intermediate CA certificate is selected from the drop down
    26. +
  26. Click the Subject tab
    27. +
  27. Complete the Distinguished Name section +

    internalName: OpenVPN Client #1
    + countryName: US
    + stateOrProvinceName: Virginia
    + localityName: Northern
    + organizationName: i12bretro
    + organizationUnitName: i12bretro Certificate Authority
    + commonName: VPN Client 1

    +
    28. +
  28. Click the Generate a New Key button
    29. +
  29. Enter a name and set the key size to at least 2048
    30. +
  30. Click Create
    31. +
  31. Click on the Extensions tab
    32. +
  32. Set the Type dropdown to End Endity
    33. +
  33. Check the box next to Subject Key Identifier
    34. +
  34. Update the validity dates to fit your needs
    35. +
  35. Click the Key Usage tab
    36. +
  36. Under Key Usage select Digital Signature, Key Agreement
    37. +
  37. Under Extended Key Usage select TLS Web Client Authentication
    38. +
  38. Click the Netscape tab
    39. +
  39. Deselect all options and clear the Netscape Comment field
    40. +
  40. Click OK to create the certificate
    41. +
  41. On the Certificates tab, click the OpenVPN Server certificate
    42. +
  42. Select Extra > Generate DH Parameter
    43. +
  43. Type 2048 for DH parameter bits
    44. +
  44. Click OK
    45. +
  45. Select a location for dh2048.pem and click Save
    46. +
+ +

Exporting Required Files for OpenVPN

+ +
    +
  1. In XCA, click on the Certificates tab
    2. +
  2. Right click the Intermediate CA certificate > Export > File
    3. +
  3. Set the file name with a .pem extension and verify the export format is PEM chain (*.pem)
    4. +
  4. Click OK
    5. +
  5. Right click the OpenVPN Server certificate > Export > File
    6. +
  6. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
    7. +
  7. Click OK
    8. +
  8. Right click the OpenVPN Client #1 certificate > Export > File
    9. +
  9. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
    10. +
  10. Click OK
    11. +
  11. Click on the Private Keys tab
    12. +
  12. Right click the OpenVPN Server key > Export > File
    13. +
  13. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
    14. +
  14. Click OK
    15. +
  15. Right click the OpenVPN Client #1 key> Export > File
    16. +
  16. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
    17. +
  17. Click OK
    18. +
+ +

Setting Up OpenVPN Server in OpenWRT

+ +
    +
  1. Open a web browser and navigate to your OpenWRT IP address
    2. +
  2. Login when prompted
    3. +
  3. Select System > Software from the navigation menu
    4. +
  4. Click on the Update lists button to update the software repositories
    5. +
  5. Click the Dismiss button once the update has completed
    6. +
  6. Type openvpn in the filter field
    7. +
  7. Click the Install... button next to openvpn-openssl
    8. +
  8. Click the Install button to confirm installing with dependencies
    9. +
  9. Click the Dismiss button once the install has completed
    10. +
  10. Click the Install... button next to luci-app-openvpn
    11. +
  11. Click the Install button to confirm installing with dependencies
    12. +
  12. Click the Dismiss button once the install has completed
    13. +
  13. Refresh the browser window
    14. +
  14. Select VPN > OpenVPN from the navigation menu
    15. +
  15. Under the Template based configuration heading, enter OpenVPNServer as the Instance name and select Server configuration for a routed multi-client VPN as the template > Click Add
    16. +
  16. Click the Edit button across from the newly created OpenVPNServer entry
    17. +
  17. Next to ca, click the button, browse to and upload the previously exported CA .pem file
    18. +
  18. Select the ca .pem file to be used
    19. +
  19. Next to dh, click the button, browse to and upload the previously exported dh2048.pem file
    20. +
  20. Select the dh2048.pem file to be used
    21. +
  21. Next to cert, click the button, browse to and upload the previously exported OpenVPN server .crt file
    22. +
  22. Select the .crt file to be used
    23. +
  23. Next to key, click the button, browse to and upload the previously exported OpenVPN server .pk8 file
    24. +
  24. Select the ca .pk8 file to be used
    25. +
  25. Click the Additional Field dropdown > Select proto > Click Add
    26. +
  26. Set the value of proto to udp
    27. +
  27. Click the Additional Field dropdown > Select port > Click Add
    28. +
  28. Set the value of port to 1194
    29. +
  29. Click the Additional Field dropdown > Select dev_type > Click Add
    30. +
  30. Set the value of dev_type to tun
    31. +
  31. Scroll to the bottom of the page and click the Save & Apply button
    32. +
  32. Select VPN > OpenVPN from the navigation menu
    33. +
  33. Check the Enabled checkbox next to the OpenVPNServer entry and click the Save & Apply button
    34. +
  34. After a few seconds the page will refresh and the OpenVPN server should be running
    + NOTE: If the server is not running, check the system logs for troubleshooting by selecting Status > System Log from the navigation menu
    35. +
+ +

Installing OpenVPN Client Software and Testing

+ +
    +
  1. Download the OpenVPN software Download
    2. +
  2. Run the installer with all the default values
    3. +
  3. Click the Start button and search OpenVPN GUI
    4. +
  4. Select OpenVPN GUI from the results to start the application
    5. +
+ +

Creating the OpenVPN Client Profile

+ +
    +
  1. Download the OVPN template Download
    2. +
  2. Rename the .ovpn template something meaningful
    3. +
  3. Edit the .ovpn template replacing the following: +

    <#replace with dynamic dns#> with a dynamic DNS or external IP address to your server
    + <#replace with CA chain#> with the contents of CA_Chain.pem
    + <#replace with client 1 cert #> with the contents of OpenVPN_Client #1.crt
    + <#replace with client 1 key #> with the contents of OpenVPN_Client #1.pk8

    +
    4. +
  4. Save your changes
    5. +
  5. Copy the .ovpn template to OpenVPN install directory/config
    6. +
  6. Right click OpenVPN GUI in the system tray > Connect
    7. +
+
+
+ + + \ No newline at end of file