Change OpenVPN Server to RSA 2048 Bit Encryption?

[HarryMuscle]

I've setup an OpenVPN server on my Asus RT-AC66U B1 router running the Merlin firmware. I noticed when I first set this up that you were given a choice of using 1024 or 2048 bit RSA encryption. I used the default of 1024 bit, however, I've read that maybe I should have used 2048 bit since 1024 bit seems to be considered no longer secure. However, the option to choose 1024 or 2048 bit is no longer available since the certificates have already been created. Is it possible to somehow get that option back and have the certificates regenerated or would the only option be to manually generate the certificates somewhere else and paste them in as new keys in the advanced OpenVPN server page?

Thanks,
Harry

 

[elorimer]

I've setup an OpenVPN server on my Asus RT-AC66U B1 router running the Merlin firmware. I noticed when I first set this up that you were given a choice of using 1024 or 2048 bit RSA encryption. I used the default of 1024 bit, however, I've read that maybe I should have used 2048 bit since 1024 bit seems to be considered no longer secure. However, the option to choose 1024 or 2048 bit is no longer available since the certificates have already been created. Is it possible to somehow get that option back and have the certificates regenerated or would the only option be to manually generate the certificates somewhere else and paste them in as new keys in the advanced OpenVPN server page?

Reset to defaults and start over.

 

[HarryMuscle]

Reset to defaults and start over.

I think it would be easier to manually change the certificates than reconfigure everything on the router.

 

[elorimer]

I think it would be easier to manually change the certificates than reconfigure everything on the router.

Sorry, not what I meant. On the VPN Server page, at the bottom, click on "Default".

 

[HarryMuscle]

Sorry, not what I meant. On the VPN Server page, at the bottom, click on "Default".

Interesting. I would have thought that button would just reset the advanced options and not the certificate. I'm away from the router right now, but you've actually tried this? And it resets the OpenVPN server settings including the certificates?

Thanks,
Harry

 

[elorimer]

Interesting. I would have thought that button would just reset the advanced options and not the certificate. I'm away from the router right now, but you've actually tried this? And it resets the OpenVPN server settings including the certificates?

Thanks,
Harry

To be very specific, that is how I changed from 1024 to 2048 bits about six months ago. I'm not gonna press that button again if I don't have to.

 

[HarryMuscle]

To be very specific, that is how I changed from 1024 to 2048 bits about six months ago. I'm not gonna press that button again if I don't have to.

Awesome. Thanks for the info.

Harry

 

[fields987]

if you are feeling adventurous, you could use easy-rsa and openssl to generate EC keys instead of RSA. Even going all out and using the secp521r1 curve, you're getting a much smaller key that that's equal to 15360 RSA key. This translates into faster encrypt/decrypt due to less processing overhead. You also wouldn't need DH params since your tls-cipher (1.2) or tls-ciphersuites (1.3) would take care of that. Downside to EC is that its newer so not all clients (read old client) support it. I created a little cheat sheet for myself I can dust off and send if you're interested.

 

[HarryMuscle]

if you are feeling adventurous, you could use easy-rsa and openssl to generate EC keys instead of RSA. Even going all out and using the secp521r1 curve, you're getting a much smaller key that that's equal to 15360 RSA key. This translates into faster encrypt/decrypt due to less processing overhead. You also wouldn't need DH params since your tls-cipher (1.2) or tls-ciphersuites (1.3) would take care of that. Downside to EC is that its newer so not all clients (read old client) support it. I created a little cheat sheet for myself I can dust off and send if you're interested.

That would be awesome. And these newer keys work with the latest version of the Merlin firmware without any issues?

Thanks,
Harry

 

[fields987]

That would be awesome. And these newer keys work with the latest version of the Merlin firmware without any issues?

Thanks,
Harry

I've been using EC keys on 384.17 and 384.18 alpha/beta with no issue. The key is making sure the SSL Library that openvpn uses supports EC. In our case, it it supported on the router as openvpn is using OpenSSL 1.1.1g. I'm using the openvpn client for windows 10 and ios which both support EC as well.

You can use easy-rsa directly on your router if you want. I chose to download it and OpenSSL and install to a flash drive for portability/security (ie CA private key is stored offline)
Heres a good read if you want to use it via ssh though: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Generating-OpenVPN-keys-using-Easy-RSA

EasyRSA Downloads
https://github.com/OpenVPN/easy-rsa/releases

OpenSSL Downloads. Either light or full should work
https://slproweb.com/products/Win32OpenSSL.html

In the directory you extracted EasyRSA, make a copy of the VARS.Example file and just name it VARS with no extention. Make the following edits (and make sure to uncomment these lines if they are commented):
set_var EASYRSA_OPENSSL "C:/path to where you extracted/openssl.exe/use forward slashes"
set_var EASYRSA_ALGO ec #Sets elliptic curve instead of using the default of rsa
set_var EASYRSA_CURVE secp521r1 #you can run ecparam -list_curves in openssl to show available curves. You'll want to make sure whatever you use is also available in openssl11 on your router
set_var EASYRSA_DIGEST "sha512" #use whichever one is best for you from the examples listed in the vars file.

Via administrator command line:
CD into your easy-rsa directory and execute EasyRSA-Start.bat

in the easy-rsa shell run:
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full ServerName nopass
./easyrsa build-client-full ClientName1 nopass
./easyrsa build-client-full ClientName2 nopass #if using multiple clients

When you run build-ca, you can specify the name of your ca if you want or leave it as default. The password you enter protects your CA private key. When you issue certs from your CA, you will enter this password as an authorization to issue server and client certs.

Your CA cert will be in EasyRSA\PKI
Public Keys will be in EasyRSA\PKI\Issued
Private Keys will be in EasyRSA\PKI\Private

if you open your public keys and see Signature algorithm sha***ECDSA and public key ECC (*** Bits), you've successfully generated EC keys. Just open the appropriate ones in notepad and copy the --Begin-- to --End-- sections into the openvpn server config page on your router and in your client ovpn files.