Setting Up OpenWRT OpenVPN Server and Certificate Creation

Prerequisites

Create Required Certificates

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: OpenVPN Server
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: vpn.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Set the Type dropdown to End Endity
  14. Check the box next to Subject Key Identifier
  15. Update the validity dates to fit your needs
  16. Click the Key Usage tab
  17. Under Key Usage select Digital Signature and Key Encipherment
  18. Under Extended Key Usage select TLS Web Server Authentication
  19. Click the Netscape tab
  20. Deselect all options and clear the Netscape Comment field
  21. Click OK to create the certificate
  22. Click on the Certificates tab, right click on your Intermediate CA certificate again
  23. Select New
  24. On the Source tab, make sure Use this Certificate for signing is selected
  25. Verify your Intermediate CA certificate is selected from the drop down
  26. Click the Subject tab
  27. Complete the Distinguished Name section

    internalName: OpenVPN Client #1
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: VPN Client 1

  28. Click the Generate a New Key button
  29. Enter a name and set the key size to at least 2048
  30. Click Create
  31. Click on the Extensions tab
  32. Set the Type dropdown to End Endity
  33. Check the box next to Subject Key Identifier
  34. Update the validity dates to fit your needs
  35. Click the Key Usage tab
  36. Under Key Usage select Digital Signature, Key Agreement
  37. Under Extended Key Usage select TLS Web Client Authentication
  38. Click the Netscape tab
  39. Deselect all options and clear the Netscape Comment field
  40. Click OK to create the certificate
  41. On the Certificates tab, click the OpenVPN Server certificate
  42. Select Extra > Generate DH Parameter
  43. Type 2048 for DH parameter bits
  44. Click OK
  45. Select a location for dh2048.pem and click Save

Exporting Required Files for OpenVPN

  1. In XCA, click on the Certificates tab
  2. Right click the Intermediate CA certificate > Export > File
  3. Set the file name with a .pem extension and verify the export format is PEM chain (*.pem)
  4. Click OK
  5. Right click the OpenVPN Server certificate > Export > File
  6. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  7. Click OK
  8. Right click the OpenVPN Client #1 certificate > Export > File
  9. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  10. Click OK
  11. Click on the Private Keys tab
  12. Right click the OpenVPN Server key > Export > File
  13. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
  14. Click OK
  15. Right click the OpenVPN Client #1 key> Export > File
  16. Set the file name with a .pk8 extension and verify the export format is PKCS #8 (*.pk8)
  17. Click OK

Setting Up OpenVPN Server in OpenWRT

  1. Open a web browser and navigate to your OpenWRT IP address
  2. Login when prompted
  3. Select System > Software from the navigation menu
  4. Click on the Update lists button to update the software repositories
  5. Click the Dismiss button once the update has completed
  6. Type openvpn in the filter field
  7. Click the Install... button next to openvpn-openssl
  8. Click the Install button to confirm installing with dependencies
  9. Click the Dismiss button once the install has completed
  10. Click the Install... button next to luci-app-openvpn
  11. Click the Install button to confirm installing with dependencies
  12. Click the Dismiss button once the install has completed
  13. Refresh the browser window
  14. Select VPN > OpenVPN from the navigation menu
  15. Under the Template based configuration heading, enter OpenVPNServer as the Instance name and select Server configuration for a routed multi-client VPN as the template > Click Add
  16. Click the Edit button across from the newly created OpenVPNServer entry
  17. Next to ca, click the button, browse to and upload the previously exported CA .pem file
  18. Select the ca .pem file to be used
  19. Next to dh, click the button, browse to and upload the previously exported dh2048.pem file
  20. Select the dh2048.pem file to be used
  21. Next to cert, click the button, browse to and upload the previously exported OpenVPN server .crt file
  22. Select the .crt file to be used
  23. Next to key, click the button, browse to and upload the previously exported OpenVPN server .pk8 file
  24. Select the ca .pk8 file to be used
  25. Click the Additional Field dropdown > Select proto > Click Add
  26. Set the value of proto to udp
  27. Click the Additional Field dropdown > Select port > Click Add
  28. Set the value of port to 1194
  29. Click the Additional Field dropdown > Select dev_type > Click Add
  30. Set the value of dev_type to tun
  31. Scroll to the bottom of the page and click the Save & Apply button
  32. Select VPN > OpenVPN from the navigation menu
  33. Check the Enabled checkbox next to the OpenVPNServer entry and click the Save & Apply button
  34. After a few seconds the page will refresh and the OpenVPN server should be running
    NOTE: If the server is not running, check the system logs for troubleshooting by selecting Status > System Log from the navigation menu

Installing OpenVPN Client Software and Testing

  1. Download the OpenVPN software Download
  2. Run the installer with all the default values
  3. Click the Start button and search OpenVPN GUI
  4. Select OpenVPN GUI from the results to start the application

Creating the OpenVPN Client Profile

  1. Download the OVPN template Download
  2. Rename the .ovpn template something meaningful
  3. Edit the .ovpn template replacing the following:

    <#replace with dynamic dns#> with a dynamic DNS or external IP address to your server
    <#replace with CA chain#> with the contents of CA_Chain.pem
    <#replace with client 1 cert #> with the contents of OpenVPN_Client #1.crt
    <#replace with client 1 key #> with the contents of OpenVPN_Client #1.pk8

  4. Save your changes
  5. Copy the .ovpn template to OpenVPN install directory/config
  6. Right click OpenVPN GUI in the system tray > Connect