OpenVPN is open-source software that implements virtual private network (VPN) techniques for secure site-to-site and remote-access connections. OpenVPN can traverse network address translators (NATs) and firewalls because it uses a custom security protocol that relies on SSL/TLS for key exchange.
OpenVPN allows peers to authenticate each other with a pre-shared static key, certificates, or a username/password. When a Certificate Authority (CA) signs the certificates, each client in a multi-client server topology can present its own certificate, and the server only needs to trust the CA rather than every client certificate individually.
In this article, we will use XCA, a free Certificate Authority (CA) management tool, to generate and manage the server and client certificates required for the OpenVPN configuration. This article includes:
Part 1. Making Server Certificate on the Router
1-1. Since a certificate is only valid within its validity period, make sure the router's time settings are correct at System Maintenance >> Time and Date. If the router clock is wrong, a freshly issued certificate may be rejected as not yet valid or already expired.
1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Enter the certificate information, then click Generate. The private key is generated on the router and stays there; only the signing request is exported.
1-3. After clicking Generate, you will see the Certificate Signing Request (CSR), which needs to be signed by a CA. Copy the text shown under PEM Format Content.
Part 2. Making the CA Certificate in XCA
2-1. Launch XCA, go to the Certificates tab and click New Certificate. Select Create a self signed certificate with the serial, choose the CA template, and click Apply all to apply it.
2-2. Go to the Subject page,
- type distinguishable information for the certificate, then click Generate a new key.
- Select “RSA” for Keytype and “2048 bit” for Keysize, then click Create.
- Click OK to generate the CA certificate. Now we have the trusted CA certificate to sign the server certificate and the client certificates. The CA's private key stays in XCA only; it is never exported to the router or to clients, and anyone who obtains it can issue certificates the router will accept.
Part 3. Signing the Server Certificate
3-1. Go to the Certificate signing requests tab, select Paste PEM data and paste the PEM Format Content copied from the router in step 1-3.
3-2. Right-click the imported request and select Sign. Use the CA certificate created in step 2 for signing.
3-3. Export the signed local certificate in .crt format. Go back to the router's GUI and import it at Certificate Management >> Local Certificate >> Upload Local Certificate.
3-4. Make sure the status of the uploaded certificate is OK.
3-5. In XCA, go to the Certificates tab, choose the CA certificate and export it in .crt format (the certificate only, not its private key). Import it to the router at Certificate Management >> Trusted CA Certificate.
3-6. Make sure the status of the imported Trusted CA certificate is OK.
Part 4. Making the Client Certificate
4-1. In XCA, go to the Certificates tab and click New Certificate. Under Signing, select Use this Certificate for signing and choose the CA certificate.
4-2. Go to the Subject page,
- enter distinguishable information for the certificate (a Common Name unique to this client),
- click Generate a new key, choose “RSA” for Keytype and “2048 bit” for Keysize. Then click Create.
- Click OK to generate the certificate. Now we have the client certificate for the VPN client as well. Issue a separate certificate for each client so that each client can be identified and replaced individually.
4-3. Go to the Certificates tab, select the certificate we just created, export it in .crt format and copy it to the VPN client.
4-4. Go to the Private Keys tab, export the private key (Oclient.key) and manually change the file extension to .key. Then copy it to the VPN client. The exported file contains the unencrypted private key, so transfer it over a secure channel and delete any spare copies; anyone holding Oclient.crt and Oclient.key can authenticate as that client (subject only to the username/password set in step 5-3).
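The steps in Parts 2 through 4 build a small PKI by hand in XCA. The following script, added here as an example and not taken from the article or from XCA, reproduces the same workflow with the openssl command line and then performs the checks worth running on any exported bundle before loading it into the router and the client: that the certificate chains to CAtest.crt, that the .key file matches the .crt it is paired with, and that the server and client certificates carry the extended key usage you expect. The server CSR it generates only stands in for the one copied from the router in step 1-3; the file and subject names (CAtest, openvpn, Oclient) come from the article, PKI_DIR is an assumed scratch directory, and OpenSSL 1.1.1 or newer is assumed.

```sh
#!/bin/sh
# Added example (not from the article or XCA): the Part 2-4 workflow with the
# openssl CLI, plus the checks to run on an exported bundle.
# Assumes OpenSSL 1.1.1+. PKI_DIR is an assumed scratch directory.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_config() {
    cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Part 2 equivalent: a self-signed CA. CAtest.key stays here and is never
# copied to the router or to a client; only CAtest.crt is distributed.
make_ca() {
    write_config
    openssl req -x509 -config "$PKI_DIR/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=OpenVPN Test CA" \
        -keyout "$PKI_DIR/CAtest.key" -out "$PKI_DIR/CAtest.crt" 2>/dev/null
    chmod 600 "$PKI_DIR/CAtest.key"
}

# Key pair + CSR. For "openvpn" this stands in for the CSR the router produced
# in step 1-3 (the router's real private key never leaves the router).
make_csr() {
    name="$1"
    openssl req -new -config "$PKI_DIR/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
    chmod 600 "$PKI_DIR/$name.key"
}

# Part 3/4 equivalent: sign a CSR with the CA. $3 is serverAuth or clientAuth;
# the serverAuth EKU is what "remote-cert-tls server" on the client relies on.
sign_csr() {
    csr="$1"; out="$2"; eku="$3"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$PKI_DIR/$eku.ext"
    openssl x509 -req -in "$csr" -CA "$PKI_DIR/CAtest.crt" -CAkey "$PKI_DIR/CAtest.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$PKI_DIR/$eku.ext" -out "$out" 2>/dev/null
}

build_pki() {
    make_ca
    make_csr openvpn
    sign_csr "$PKI_DIR/openvpn.csr" "$PKI_DIR/openvpn.crt" serverAuth
    make_csr Oclient
    sign_csr "$PKI_DIR/Oclient.csr" "$PKI_DIR/Oclient.crt" clientAuth
}

# Checks for an exported bundle. Returns 1 if the certificate does not chain
# to CAtest.crt, 2 if the key does not match the certificate, 3 if the expected
# extended key usage text is absent, and 0 when all three checks pass.
verify_bundle() {
    cert="$1"; key="$2"; eku_text="$3"
    openssl verify -CAfile "$PKI_DIR/CAtest.crt" "$cert" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 2
    openssl x509 -in "$cert" -noout -text | grep -q "$eku_text" || return 3
    return 0
}

# Run as "sh pki-check.sh demo" to build the files and report the checks.
if [ "${1:-}" = "demo" ]; then
    build_pki
    verify_bundle "$PKI_DIR/openvpn.crt" "$PKI_DIR/openvpn.key" "TLS Web Server Authentication" \
        && echo "server bundle OK"
    verify_bundle "$PKI_DIR/Oclient.crt" "$PKI_DIR/Oclient.key" "TLS Web Client Authentication" \
        && echo "client bundle OK"
    echo "files written to $PKI_DIR"
fi
```

Run the same verify_bundle checks against the files you actually exported from XCA (with PKI_DIR pointing at the folder holding CAtest.crt): a return of 2 means the .key you renamed in step 4-4 does not belong to the .crt from step 4-3, and a return of 3 on the server certificate means XCA signed the request without the serverAuth extended key usage, in which case a client must not be configured with remote-cert-tls server.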
Part 5. Configuring OpenVPN on the Router
5-1. Go to VPN and Remote Access >> OpenVPN General Setup and complete the OpenVPN server configuration.
5-2. Go to the Client Config tab, specify the file names of the CA certificate, client certificate, and client key, then click Export to download the client configuration file (.ovpn). The names entered here are written into the .ovpn file, so they must match the files placed next to it on the client.
5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN dial-in users. Check Enable this account, enter the Username and Password, and check OpenVPN Tunnel under Allowed Dial-In Type.
5-4. Go to SSL VPN >> General Setup to specify the Server Certificate. Here we choose “openvpn,” the Local Certificate generated in Part 1 and signed by the CA in Part 3.
Part 6. Connecting from the OpenVPN Client
6-1. Import the OpenVPN config (test.ovpn) into OpenVPN GUI. Put the following three files in the OpenVPN config folder, using exactly the names specified in step 5-2:
- Trusted CA Certificate (CAtest.crt)
- Client Certificate (Oclient.crt)
- Private Key (Oclient.key)
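To show how the three files above are consumed, here is a generic OpenVPN 2.x client profile added as an example; it is not the test.ovpn exported by the router in step 5-2, and the remote address, port and protocol are assumptions. Compare it with the exported file: the ca, cert and key directives must name exactly the files placed in the config folder, and remote-cert-tls server is worth adding once you have confirmed that the server certificate carries the serverAuth extended key usage, which depends on the extensions XCA applied when it signed the request in step 3-2.

```conf
# Added example: a generic OpenVPN 2.x client profile, not the router's
# exported test.ovpn. Remote address, port and protocol are assumptions.
client
dev tun
proto udp
# Assumed router WAN address and OpenVPN port.
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# These names must match the file names entered in step 5-2 and the files
# placed in the OpenVPN config folder in step 6-1.
ca   CAtest.crt
cert Oclient.crt
key  Oclient.key

# Prompt for the Remote Dial-in User credentials created in step 5-3.
auth-user-pass

# Refuse to connect unless the peer's certificate carries the serverAuth
# extended key usage (or the legacy nsCertType=server). This stops another
# client certificate issued by the same CA from impersonating the router.
# Enable it only after checking the signed server certificate from step 3-2,
# e.g. with: openssl x509 -in openvpn.crt -noout -text
remote-cert-tls server

verb 3
```

Without remote-cert-tls server, any certificate signed by CAtest.crt, including another client's Oclient.crt, is accepted as the server, so a compromised client key is enough to stand up a rogue endpoint that other clients will trust.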
6-2. Click Connect and enter the username/password configured in step 5-3.
After the OpenVPN tunnel is established, the VPN status is shown at VPN and Remote Access >> Connection Management.