OpenVPN Setup on Vigor Router with XCA

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2763
Vigor 2765

Keywords:
Certificate Authority
OpenVPN
Teleworker
VPN

OpenVPN is an open-source VPN technology that is capable of traversing network address translators (NATs) and firewalls, since it uses a custom security protocol that relies on SSL/TLS for key exchange. Certificates are one of the client authentication methods that OpenVPN supports. With a Certificate Authority (CA) signing the certificates, the server can verify a different certificate for each client in a multi-client topology, rather than sharing one credential among all clients.

In this setup guide we use XCA, a free certificate-management application, to sign and manage the server and client certificates. Once installed and configured on a computer, XCA acts as a personal Certificate Authority (CA) that can issue and sign certificates for the router and other devices, establishing the chain of trust that OpenVPN requires.

Part 1. Making Server Certificate on the Router

1-1. Since every certificate has a validity period, make sure the router's time settings are correct in [System Maintenance] > [Time and Date] before generating anything; a wrong clock leads to certificates that are rejected as not yet valid or expired.

1-2. Go to [Certificate Management] > [Local Certificate] to generate a new certificate. Fill in the certificate details, then click Generate.

1-3. After clicking Generate, the Certificate Signing Request Information window pops up. Copy the certificate request from the PEM Format Content section.

Part 2. Create a new CA on XCA

2-1. Launch XCA, go to the Certificates tab, and click New Certificate. Select Create a self-signed Certificate with the serial, then click Apply all to apply the CA Template.

2-2. Go to the Subject tab and enter some distinguishable details for the certificate, then click Generate a new key.
Select RSA for Keytype and 2048 bit for Keysize, then click Create.
Click OK to generate the CA certificate. We now have the Trusted CA Certificate that will sign the server certificate and the client certificate.

Part 3. Importing Signed Server Certificate and CA Certificate to the Router

3-1. Go to the Certificate signing requests tab, select Paste PEM data, and paste the PEM Format Content copied from the router in step 1-3.

3-2. Right-click the imported request and select Sign. Use the CA certificate created in Part 2 for signing.

3-3. On the Certificates tab, export the signed local certificate in .crt format. Go back to the router's web interface and upload it at [Certificate Management] > [Local Certificate] > [Upload Local Certificate].

3-4. Make sure the status of the uploaded certificate is OK.

3-5. On XCA, go to the Certificates tab, select the CA certificate, export it in .crt format, and import it to the router at [Certificate Management] > [Trusted CA Certificate].

3-6. Make sure the status of the imported Trusted CA Certificate is OK.

Part 4. Making a Private Certificate and Private key for the VPN Client

4-1. On XCA, go to the Certificates tab and click New Certificate. Under Signing, select Use this certificate for signing.

4-2. Go to the Subject tab and enter distinguishable information for the certificate.
Click Generate a new key, choose RSA for Keytype and 2048 bit for Keysize, then click Create.
Click OK to generate the certificate. We now also have the certificate for the VPN client.

4-3. On the Certificates tab, select the certificate just created, export it in .crt format, and import it to the VPN client.

4-4. Open the Private Keys tab and export the private key (Oclient.key). Manually change the file extension to .key, then import it to the VPN client.
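
The certificate chain built in Parts 1 to 4, redone with the openssl command line as an added example (not from the DrayTek article), together with the checks that catch the VERIFY error listed under Troubleshooting, a key that does not belong to its certificate, and an expired certificate. openssl stands in for both the router and XCA here, and the file names and subject values are constructed for the example.

```shell
# Added example, not part of the DrayTek article: the certificate workflow of
# Parts 1-4 redone with the openssl CLI (standing in for the router and XCA),
# plus the checks worth running before uploading anything to the router.
# File names and subject fields are constructed for this example.
set -e
WORK="$(mktemp -d)" && cd "$WORK"

# Part 2: self-signed CA key and certificate (RSA 2048, as in step 2-2).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=CAtest" -keyout CAtest.key -out CAtest.crt 2>/dev/null
}
# Part 1 (router) and Part 4 (client): key pair plus CSR. $1 = CN, $2 = basename.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}
# Step 3-2: sign a CSR with the CA and write the .crt that gets uploaded.
sign_csr() {
  openssl x509 -req -in "$1.csr" -CA CAtest.crt -CAkey CAtest.key \
    -CAcreateserial -sha256 -days 365 -out "$1.crt" 2>/dev/null
}
# What OpenVPN checks at VERIFY: does the certificate chain to CAtest.crt?
verify_chain() {
  openssl verify -CAfile CAtest.crt "$1.crt" >/dev/null 2>&1
}
# Step 4-4: the exported key must carry the same public key as the .crt.
key_matches_cert() {
  c="$(openssl x509 -in "$1.crt" -noout -pubkey | openssl sha256)"
  k="$(openssl pkey -in "$1.key" -pubout 2>/dev/null | openssl sha256)"
  [ "$c" = "$k" ]
}
# Step 1-1: -checkend 0 fails once notAfter has passed on this machine's clock.
not_expired() {
  openssl x509 -in "$1.crt" -noout -checkend 0 >/dev/null
}

make_ca
make_csr vigor-router server   # stand-in for the router's CSR of step 1-3
make_csr Oclient Oclient       # client certificate of Part 4
sign_csr server
sign_csr Oclient
verify_chain server
verify_chain Oclient
key_matches_cert Oclient
not_expired Oclient
echo "server and client certificates chain to CAtest, key matches, not expired"
```

Run the same verify_chain check against the .crt you actually uploaded to the router and the CA file you gave the client; if it fails, the client will report the VERIFY error described in Troubleshooting.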

Part 5. Router Setup as OpenVPN Server

5-1. Go to [VPN and Remote Access] > [OpenVPN] > [General Setup] and ensure that the configuration page matches the settings illustrated below.

5-2. Go to the [Client Config] tab and specify the file names of the CA Certificate, Client Certificate, and Client Key. Then click Export to download the client configuration file.

5-3. Go to [VPN and Remote Access] > [Remote Dial-in User] to create user profiles for the OpenVPN dial-in users. Check Enable this account, enter a Username and Password, and check OpenVPN Tunnel in the Allowed Dial-In Type section.

5-4. Go to [SSL VPN] > [General Setup] and change the Server Certificate to the signed Local Certificate uploaded in Part 3.

Part 6. Client Setup in OpenVPN GUI

6-1. Import the OpenVPN config (test.ovpn) into OpenVPN GUI. There are three files to put in the OpenVPN config folder:
- Trusted CA Certificate (CAtest.crt)
- Private Certificate (Oclient.crt)
- Private Key (Oclient.key)

6-2. Click Connect and enter the username and password configured in step 5-3.

Client Setup in Smart VPN client

Smart VPN Client supports OpenVPN since version 5.2.0. The following optional steps show how to use Smart VPN Client instead of the OpenVPN GUI.

1. Add a VPN profile and set VPN type to OpenVPN. Then import the OpenVPN config (test.ovpn) into Smart VPN Client.

2. Enter the username and password configured in step 5-3, and click OK to save the profile.

3. Copy the same three files as in step 6-1 into the Smart VPN Client ovpnca folder:
- Trusted CA Certificate (CAtest.crt)
- Private Certificate (Oclient.crt)
- Private Key (Oclient.key)

4. Then switch on Connect.

Once the OpenVPN tunnel is established, its status can be checked in the [VPN and Remote Access] > [Connection Management] section of the router.

Troubleshooting

VERIFY ERROR: error=self signed certificate

The router is presenting its default self-signed certificate for the VPN instead of the certificate that was imported, so the client cannot chain it to the Trusted CA. Check the Server Certificate setting in [SSL VPN] > [General Setup] (see step 5-4).