OpenVPN Setup on Vigor Router with XCA (Expired)
OpenVPN is an open-source VPN technology which is capable of traversing network address translators (NATs) and firewalls, since it uses a custom security protocol that utilizes SSL/TLS for key exchanges. A certificate is one of the client authentication methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificate, the server can use a different certificate for each client in a multi client-server topology.
In this setup guide, we will be using XCA, a free Certificate Authority (CA) software, to sign and manage the server and client certificates. Once installed and configured on a computer, XCA can be used as a personal Certificate Authority (CA). This can be used to manage and sign certificates for the router and other devices, establishing the chain of trust required for OpenVPN.
Part 1. Making Server Certificate on the Router
1-1. Since the certificate has a validity period, please make sure the time settings of the router are correctly configured in [System Maintenance] > [Time and Date].
1-2. Go to [Certificate Management] > [Local Certificate] to generate a new certificate. Type the information, then click Generate.
1-3. After clicking Generate, the Certificate Signing Request Information window will pop up. Copy the certificate request from the PEM Format Content section.
Part 2. Create a new CA on XCA
2-1. Launch XCA, go to the Certificates tab, and click New Certificate. Select Create a self-signed Certificate with the serial. Click Apply all to apply the CA Template.
2-2. Go to the Subject tab and enter some distinguishable details for the certificate, then click Generate a new key.
Select RSA for Keytype and 2048 bit for Keysize, then click Create.
Click OK to generate the CA Certificate. Now we have the Trusted CA Certificate to sign the server certificate and client certificate.
Part 3. Importing Signed Server Certificate and CA Certificate to the Router
3-1. Go to the Certificate signing requests tab, select Paste PEM data, and paste the PEM Format Content copied from the router in step 1-3.
3-2. Right-click on the imported certificate and select Sign. Use the certificate created in step 2 for signing.
3-3. On the Certificates tab, export the Signed Local Certificate in .crt format. Go back to the router's GUI and import it to the router at [Certificate Management] > [Local Certificate] > [Upload Local Certificate].
3-4. Make sure the status of the uploaded certificate is OK.
3-5. On XCA, go to the Certificates tab, choose the CA certificate, export it in .crt format, and import it to the router at [Certificate Management] > [Trusted CA Certificate].
3-6. Make sure the status of the imported Trusted CA is OK.
Part 4. Making a Private Certificate and Private key for the VPN Client
4-1. On XCA, go to the Certificates tab and click New Certificate. At Signing, select Use this certificate for signing.
4-2 Go to the Subject tab, and enter distinguishable information for the certificate.
Click Generate a new key, choose RSA for Keytype and 2048 bit for Keysize. Then click Create.
Click OK to generate the certificate. Now, we also have the private certificate for the VPN client.
4-3. Go to the Certificates tab and select the certificate we just created. Export it in .crt format and import it to the VPN client.
4-4. Open the Private Keys tab and export the Private Key (Oclient.key). Manually change the extension name to .key, then import it to the VPN client.
Part 5. Router Setup as OpenVPN Server
5-1. Go to [VPN and Remote Access] > [OpenVPN] > [General Setup] and ensure that the configuration page matches the settings illustrated below.
5-2. Go to the [Client Config] tab and specify the file name of CA Certificate, Client Certificate, and Client Key. Then, click Export.
5-3. Go to [VPN and Remote Access] > [Remote Dial-in User] to create user profiles for OpenVPN Dial-in users. Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in the Allowed Dial-In Type section.
5-4. Go to [SSL VPN] > [General Setup] to change the Server Certificate to the Local Certificate generated in part 2.
Part 6. Client Setup in OpenVPN GUI
6-1. Import the OpenVPN config (test.ovpn) in OpenVPN GUI. There are three files to put in the OpenVPN config folder:
- Trusted CA Certificate (CAtest.crt)
- Private Certificate (Oclient.crt)
- Private Key (Oclient.key)
6-2. Click Connect and enter the username/password configured in step 5-3.
Client Setup in Smart VPN Client
OpenVPN is supported by Smart VPN Client since version 5.2.0. The following optional steps set up Smart VPN Client so that it can be used instead of the OpenVPN GUI.
1. Add a VPN profile and set VPN type to OpenVPN. Then import the OpenVPN config (test.ovpn) into Smart VPN Client.
2. Enter the username/password configured in step 5-3, and click OK to save it.
3. There are three files that should be copied into the Smart VPN Client ovpnca folder (see step 6-1):
- Trusted CA Certificate (CAtest.crt)
- Private Certificate (Oclient.crt)
- Private Key (Oclient.key)
4. Then switch on Connect.
Once the OpenVPN tunnel is established, its status can be checked in the [VPN and Remote Access] > [Connection Management] section of the router.
Troubleshooting
VERIFY ERROR: error=self signed certificate
The router is using a self-signed certificate for the VPN instead of the certificate that was imported. Check the Server Certificate settings in the [SSL VPN] > [General Setup] section (see step 5-4).
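The files exported from XCA in Parts 3, 4 and 6 can be checked with the openssl command line before they are imported, which also shows the self-signed case behind the error above. This is an added example, not part of the original article: it builds a constructed throwaway PKI, and server.crt and default.crt are assumed file names (CAtest.crt, Oclient.crt and Oclient.key are the article's).

```shell
#!/usr/bin/env bash
# Added example: sanity checks on certificate files before import.
# server.crt and default.crt are assumed names used only in this demo.

# True if the issuer name equals the subject name (self-issued certificate).
is_self_signed() {
  local s
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
  [ -n "$s" ] && [ "$s" = "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if certificate $2 verifies against the CA certificate $1.
signed_by_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True if certificate $1 and private key $2 hold the same public key.
key_matches_cert() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Constructed sample PKI: a throwaway CA, a CA-signed server and client
# certificate, and a self-signed certificate standing in for a router default.
make_demo_pki() {
  local d=$1 n
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$d/CA.key" -out "$d/CAtest.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=default" \
    -keyout "$d/default.key" -out "$d/default.crt" 2>/dev/null
  for n in server Oclient; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/CAtest.crt" -CAkey "$d/CA.key" \
      -CAcreateserial -days 30 -out "$d/$n.crt" 2>/dev/null
  done
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
make_demo_pki "$DEMO"
for crt in server.crt Oclient.crt default.crt; do
  if signed_by_ca "$DEMO/CAtest.crt" "$DEMO/$crt"; then s="chains to CA"
  elif is_self_signed "$DEMO/$crt"; then s="SELF-SIGNED, not issued by CA"
  else s="issued by a different CA"; fi
  echo "$crt: $s"
done
key_matches_cert "$DEMO/Oclient.crt" "$DEMO/Oclient.key" \
  && echo "Oclient.key matches Oclient.crt"
```

To check real exports, call the three functions on the files saved from XCA instead of the generated demo directory.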
- First Published: 18/03/2020
- Last Updated: 22/04/2021