OpenVPN Server or Client

Stev Wolf

Young grasshopper
Joined
May 7, 2017
Messages
56
Reaction score
4
I have successfully downloaded EasyRSA-3.0.8.zip and run the two commands:

./easyrsa init-pki

./easyrsa build-ca

Now it says on the openvpn web site:

----------------------------------Snip Start -------------------
On each server system, generate a keypair and request. Normally these are left unencrypted by using the "nopass" argument since servers usually start up without any password input. This generates an unencrypted key, so protect its access and file permissions carefully.
./easyrsa init-pki
./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
On each client, generate a keypair and request. The name selected must be unique across the PKI and is otherwise arbitrary. Create a new PKI and request on each client as follows:
./easyrsa init-pki
./easyrsa gen-req UNIQUE_CLIENT_SHORT_NAME
Optionally, the private key can be left unencrypted on-disk with the additional nopass option after the name. This is not recommended unless automated VPN startup is required. Unencrypted private keys can be used by anyone who obtains a copy of the file. Encrypted keys offer stronger protection, but will require the passphrase on initial use.
Send the request files from each entity to the CA system. This is not security sensitive, though it is wise to verify the received file matches the sender's copy if the transport is untrusted.
On the CA, import each entity request file, giving it an arbitrary "short name" as follows. This basically just copies the request file into reqs/ under the PKI dir to prepare it for review and signing.
./easyrsa import-req /path/to/received.req UNIQUE_SHORT_FILE_NAME
Review each request's details if you wish, then sign it as one of the types: server or client.
(optional) review the request:
./easyrsa show-req UNIQUE_SHORT_FILE_NAME
If you are signing as a client:
./easyrsa sign-req client UNIQUE_SHORT_FILE_NAME
If you are signing as a server:
./easyrsa sign-req server UNIQUE_SHORT_FILE_NAME
The CA returns the signed certificate produced in the above step, and includes the CA certificate (ca.crt) unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.
DH Generation
On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive and are used only by an OpenVPN server.

./easyrsa gen-dh
------------------------------------- Snip End ------------------------
Do i need to do the rest of these things if Im running openvpn on the ddwrt router,
And if so I get confused, what Im suppose to do where, for example it starts with :
"On each server syste" do i do this on the ddwrt since its the server?

I'm just trying to work my way through this one at a time. I have read the ddwrt web page on OpenVPN, but its not really clear, they have too much chaff in there regarding other things in my opinion its not clear unless you know what you are doing.

Regards

Regards
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,473
Reaction score
971
I cannot make up anything from your post. I think it's better to watch a youtube movie on someone doing this stuff. Or you let someone do this for you.
 

Stev Wolf

Young grasshopper
Joined
May 7, 2017
Messages
56
Reaction score
4
Thanks for your answer, I laughed when I saw your post, really, I mean no offence. Your right of course , But now you know the predicament I'm in.
I'm determined to get some understanding of this, as I know once I do I will most likely generally grasp it.

I'm reading FAQ's from in the download from the software, I'm reading WIKI's from DDWRT, and I'm reading the Howto's from the OpenVPN site. Sometimes too much information just adds to the confusion.
One of the problems with youtube and many other sites is that they don't deal with version 3 of EasyRSA. As soon as they mention running init-config I know its not my version. As I believe this comes from version 2.

Then when I find one that is version 3 for example here: How to easyvpn it shows you using the command easy-cert which seems to walk through the process in one step by step process. But my install has NO build-cert it only has build-ca, from what I can tell. And indeed the help in the software I downloaded says to use build-ca.

I have set up networks, Servers, AD, Firewall, yadda yadda yadda, What I find true generally is that everything is a mystery until you do it and play with it then you truly come to an understanding and that most FAQ's are often written by people who fully understand the process thus they are not really the best judge or author for writing it for the novice, in the area of your currently discovering.

Let me try to ask my question in a different way, as perhaps my last one was a bit too involved.
Below are the summary steps from the Openvpn site to create what I presume I need for my router:

To use Easy-RSA to set up a new OpenVPN PKI, you will:
  1. Set up a CA PKI and build a root CA <-- Done
  1. Configure secondary PKI environments on your server and each client and generate a keypair & request on them
  1. Send the certificate requests to the CA, where the CA signs and returns a valid certificate
  1. On your OpenVPN server, generate DH parameters (see the DH Generation section of this Howto)
I have done step 1.
But then when I move to step 2, the first thing it asks me to do in the easyrsa shell is to type.
./easyrsa init-pki

Which gives me the output...

WARNING!!!
You are about to remove the EASYRSA_PKI at: C:/temp/OpenVPN/EasyRSA-3.0.8-win64/EasyRSA-3.0.8/pki
and initialize a fresh PKI here.
Type the word 'yes' to continue, or any other input to abort.

Thus I will delete the previous work done in step 1.

So should I skip step 2 since I only have 1 server my ddwrt router ??

Regards
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,473
Reaction score
971
Hahaha, I like you taking my previous post as constructive as possible :p

So whilst reading your post, I think you might be stuck anyhow in any "step 1" ;-) (check the numbering). But I think it's simply a copy/paste error from :D

If you look at the titles (sections) of previous page: the GENERAL (enterprise grade) advice is to have a seperate CA server. Hence, you have to, on that CA server, start a new PKI and build a CA keypair/cert: ./easyrsa init-pki & ./easyrsa build-ca. Off course that collides with what you have done in the "preparation step 1".

What I would do on the dd-wrt:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass
etc etc

I'm puzzled why dd-wrt does not offer pre-canned scripts to do this, like ASUS does.

Hope this helps a bit!
CC
 

Stev Wolf

Young grasshopper
Joined
May 7, 2017
Messages
56
Reaction score
4
Well reading your comments you were not wrong, in that I'm confused. I think however with perseverance, (I hope) I can get it right. It seems like I'm always doing something that is a little off the norm. And when you know very little about this field, eg OpenVPN its easy to get mixed up with the unfamiliar. I find that there are two types of IT people, both of equal intelligence, but group 1 thinks they know everything and the right way to do it, group 2 are willing to admit they don't know everything (cause no one does) and are willing to learn and develop. I hope I fall into category two.

Anyway, thank you for the continued advice.

Your right about the confusing of numbering, Indeed the link you sent me is the exact one that I posted and following, but the numbers in the wisdom of the mystery of pasting reformatted them all to 1. Lets just say they are 1, 2,3,4,

So I have ignored each of the times it tells me to ./easyrsa init-pki

I have also realized in looking at some others that when it it says for example "UNIQUE_SERVER_SHORT_NAME"
That your not suppose to use UNIQUE_SERVER_SHORT_NAME unless you want it to be "UNIQUE_SERVER_SHORT_NAME"
That helps sort things out a bit, and also a bit embarrassing. I'm sure you are suppose to know that but it's not really there for us newbies, sure I know I recall something like this in my Unix days of Caps means parameters things, but anyway.

I'm confused regarding the second command when it creates a common name in step 2
"./easyrsa gen-req UNIQUE_SERVER_SHORT_NAME nopass"
and the previous command in step 1
"./easyrsa build-ca" cause it seems to create a common name as well?

I think I have two now?

But I continued on and finished it up Signing with the second one I created. I don't know if that will cause problems.
But I seem to have all the files I need I think.

Now I have to figure out what to do with them all. ??
Regards
 

Stev Wolf

Young grasshopper
Joined
May 7, 2017
Messages
56
Reaction score
4
I'm puzzled why dd-wrt does not offer pre-canned scripts to do this, like ASUS does.
By the way your ABSOLUTELY RIGHT. This could be SOOOO much easier. Over the years so much boggles the mind in this field, this will be added to the list. Even if Openvpn, did it. Why? why? why? It will go down with the mysteries of who build the pyramids I guess.
 

mikeynags

Getting comfortable
Joined
Mar 14, 2017
Messages
644
Reaction score
401
Location
CT
Lon TV has a good Youtube video on setting up OpenVPN on a Raspberry PI. It doesn't look difficult to do at all. Keep in mind, it depends on certificates so if you don't have a good understanding on how PKI works, it's a tough learning curve. Check out the video and if you find it helpful, you can get a Pi pretty cheap.

 

spile

Young grasshopper
Joined
Jun 11, 2020
Messages
49
Reaction score
17
Location
MIdlands UK
Installing pivpn/wireguard was very straight forward for me and it works brilliantly...
 
Top