Configuring OpenVPN for Merlin - Updated EasyRSA no longer works on Windows

[gbguy71]

NOTE: EasyRSA no longer works on windows https://github.com/TinCanTech/easy-tls/issues/313 (use Linux for EasyRSA)

I replaced my router and needed to set up OpenVPN again. My old setup was quite old and I
went with the latest Easy RSA 3. Hopefully the following will make it easier for others
who need to do the same.

This was done on a Windows 10 machine.

Everything, except easytls, was included in the OpenVPN 2.5.6 download.

The basic instructions are located here:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

The major changes from my old setup were: AES-256-CBC (vs. 128) and TLS Authorization

The biggest change was using Easy RSA 3. They suggested multiple directories.
So I set up, under the C:\program files\openvpn directory, the following:

• easy-rsa (part of the OpenVPN installation, will contain the tls-auth key)
• easy-rsa-CA (to hold the certificates)
• easy-rsa-server (to hold the server key and DH file)
• easy-rsa-<CLIENTNAME> (for the client's .key file. Just create the first one to begin with)

Each client device will eventually have five files installed (see **NOTE** below):

• ca.crt (which is identical on the server and all clients)
• tls-auth.key (also identical on the server and clients)
• <CLIENTNAME>.ovpn
• <CLIENTNAME>.crt
• <CLIENTNAME>.key

**NOTE**: One of my Android clients had to have a "unitifed" ovpn file, instead of separate
files check out https://openvpn.net/faq/i-am-having-trouble-importing-my-ovpn-file/

The sequence I used (which might not be optimal) was:
------------------------------------------------------------------------------------
1. modify the vars file in easy-rsa (which will be identical in the easy-rsa-server (router)
and each easy-rsa-<CLIENTNAME>
------------------------------------------------------------------------------------
The var modifications/defaults I chose were:

• set_var EASYRSA_OPENSSL "C:/Program Files/OpenVPN/bin/openssl.exe" # Maybe not needed?
• #set_var EASYRSA_DN "org" # Let this default, I had an issue when specifying "org"
• set_var EASYRSA_ALGO rsa # There is a currently a bug with the "ec" choice

------------------------------------------------------------------------------------
2. Download easytls into the easy-rsa directory and generate the TLS-AUTH-KEY
from a cmd window (admin mode)
------------------------------------------------------------------------------------

C:\>cd program files\openvpn
C:\Program Files\OpenVPN>cd easy-rsa
C:\Program Files\OpenVPN\easy-rsa>.\EasyRSA-Start.bat # (**You'll remain in this shell**)

# ./easyrsa init-pki

# cd easytls
# ./easytls init-tls

# #Create a TLS-AUTH key:
./easytls build-tls-auth
------------------------------------------------------------------------------------
3. copy easy-rsa to easy-rsa-CA to prepare for generating the ca.crt file
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
4. generate the common ca.crt from easy-rsa-CA (I went with the "nopass" option)
(cd ../easy-rsa-CA to get there)
------------------------------------------------------------------------------------

# ./easyrsa init-pki

# ./easyrsa build-ca nopass

Your new CA certificate file for publishing is at:
C:/Program Files/OpenVPN/easy-rsa-CA/pki/ca.crt
------------------------------------------------------------------------------------
5. copy easy-rsa-CA to easy-rsa-server to prepare for server key and DH file generation
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
6. From the easy-rsa-server directory generate the server key, and DH file
(cd ../easy-rsa-server to get there)
------------------------------------------------------------------------------------

# ./easyrsa init-pki

# # I DID THIS, AND IT WORKED (FOR SOME REASON I HAD ISSUES WITH GENERATING CLIENTS
# # WITH BUILD-CLIENT-FULL ???)
# ./easyrsa build-server-full server nopass

# # Generate the DH file
# ./easyrsa gen-dh
DH parameters of size 2048 created at C:/Program Files/OpenVPN/easy-rsa-server/pki/dh.pem

------------------------------------------------------------------------------------
7. Copy easy-rsa-CA to easy-rsa-<CLIENTNAME> (Do this for each client)
------------------------------------------------------------------------------------
(Windows File Explorer is easiest way to copy)
------------------------------------------------------------------------------------
8. Generate keypair/request for <CLIENTNAME>
------------------------------------------------------------------------------------

# cd ../easy-rsa-<CLIENTNAME>
# ./easyrsa init-pki

# ./easyrsa gen-req <CLIENTNAME> nopass

------------------------------------------------------------------------------------
9. Register and sign the request for <CLIENTNAME>
------------------------------------------------------------------------------------

# cd ../easy-rsa-CA
# ./easyrsa import-req ../easy-rsa-<CLIENTNAME>/pki/reqs/<CLIENTNAME>.req <CLIENTNAME>

# ./easyrsa sign-req client <CLIENTNAME>

Certificate created at: C:/Program Files/OpenVPN/easy-rsa-CA/pki/issued/<CLIENTNAME>.crt

------------------------------------------------------------------------------------
10. Edit the OVPN Files for each <CLIENTNAME>
NOTE: There is no .ovpn file for the server. You specify the necessary
parameters via the router's "VPN Server - OpenVPN" pages.
------------------------------------------------------------------------------------
(Copy OpenVPN/sample-config to OpenVPN/config/ using Windows Explorer)

Edit sample-config and save as <CLIENTNAME>.ovpn
NOTE: you may need to use a "unified" ovpn file - see **NOTE** above
The ca.crt and tls-auth.key files are identical among the server and all clients
Change these lines in the <CLIENTNAME>.ovpn file:
ca ca.crt
cert <CLIENTNAME>.crt
key <CLIENTNAME>.key
tls-auth tls-auth.key 1
------------------------------------------------------------------------------------
11. Install OpenVPN on all clients and distribute the files
------------------------------------------------------------------------------------
Each client's OpenVPN directory (OpenVPN/config/ on Windows) will contain:

• the <CLIENTNAME>.ovpn file generated above
• the ca.crt file from easy-rsa-CA/
• the <CLIENTNAME>.crt file from easy-rsa-CA/pki/issued
• the <CLIENTNAME>.key file from easy-rsa-<CLIENTNAME>/pki/private
• the tls-auth.key file from easy-rsa/pki/easytls

(Alternatively it will contain a "unified" .ovpn file that contains the other 4 files)
------------------------------------------------------------------------------------
12. Configure the router settings
------------------------------------------------------------------------------------
Modify the VPN Server-OpenVPN parameters

• Choose your "Client will use VPN to access" setting - I chose "Both"
• Click on "VPN Details" and select "Advanced Settings"

Here is what I have for Advanced Settings:
(The fuzzy red text: first one with an arrow just says "This is how you access the Keys & Certs"
The second one is on a push "route ..." that is needed to access a subnetwork I have)

------------------------------------------------------------------------------------
13. Upload the "Keys and Certificates" to the router
------------------------------------------------------------------------------------

• Click on "Edit"
• Upload the key and certificate files and paste them as shown here:
  
  

------------------------------------------------------------------------------------
14. Cross your fingers and see if it works
(I find it best to get one client working and then move on to the others
------------------------------------------------------------------------------------

 

[Rippo]

Wow- thanks for posting this!

 

[Martin Fishkov]

Thanks for your post!

Question though: Why go through all this if the router generates its own keys?

Question: Are openvpn CA keys generated on first boot?

Hello guys, Title says all. So, after flashing a new build I noticed I have new CA\Server Keys in OpenVPN, so, the router doesn't keep the previous keys. My question here is, are these new keys built-in the new ROM image, or are they generated in first boot, and unique per each device? Thanks

www.snbforums.com

Just checking to see which path to follow with my new set-up..

 

[eibgrad]

Thanks for your post!

Question though: Why go through all this if the router generates its own keys?

Question: Are openvpn CA keys generated on first boot?

Hello guys, Title says all. So, after flashing a new build I noticed I have new CA\Server Keys in OpenVPN, so, the router doesn't keep the previous keys. My question here is, are these new keys built-in the new ROM image, or are they generated in first boot, and unique per each device? Thanks

www.snbforums.com

Just checking to see which path to follow with my new set-up..

IMO, the biggest limitation of the GUI auto-generated files is that all concurrent OpenVPN clients share a *single* OpenVPN client cert. That's fine assuming you only intend to support one OpenVPN client, or all the concurrently active OpenVPN clients are are effectively the same user. But under normal conditions, you typically want each unique user to have their own client cert w/ its own unique CN (Common Name). Just as you do when using private/public keypairs w/ SSH.

The reason the GUI reuses the same client cert is for convenience. And it gets away w/ it because in addition to the client cert, authentication typically includes username/password as well. IOW, users can be disambiguated based on username, rather than the more secure client cert. But that's like using private/public keypairs w/ SSH *and* requiring a username/password as well, something you don't see because SSH requires YOU to create the private/public keypairs. SSH doesn't care if that's inconvenient; you're expected to create as many private/public keypairs as necessary for your users.

In short, to rely on a shared cert is less secure, since you're really depending on the username/password to disambiguiate users. Under normal conditions, you would NOT do it this way. It's just an artifact of how the GUI simplifies the process for you. But like most conveniences, it can mean a less secure configuration.

BTW, use of a shared cert also means that if any one OpenVPN client machine's client cert is compromised (e.g., lost or stolen), you'd have to issue a new shared cert for ALL your users! Had they their own unique client cert, only that one user would have to have their current cert revoked and issued a new cert. Again, in the simplest case of only one user, NOT a big deal. But for multiple user situations, sharing a cert is best avoided. Of course, it's also possible to not require a client cert AT ALL, and only rely on username/password exclusively. NOT recommended, but in that case, all of the concerns expressed above are moot.

 

[Martin Fishkov]

Thanks, that's very clear!

 

[elorimer]

1. I suppose it might be useful if someone were to update the wiki for uploading multiple client certs/keys, for both servers.
2. I confess my sins: I use only one set of certs/keys for both servers and all clients. The certs/keys are not shared with anyone but me and are the principal security device. I also use user/password authentication. In my case, the clients all me, and are disambiguated by username in order that different configurations can be applied, and these are primarily routing rules for local networks, or not. (@eibgrad has a ton of posts here showing how to do this.) I also apply different configurations on the client side with different clients. I recognize that I might have to regenerate and repopulate certificates if a device is lost (not hard), but if I were fully to disambiguate based on certs, I would have something on the order of 8 different cert/key combos. Or maybe 24. I can't keep that number straight, particularly given the weirdness of my Chromebooks. This way, I just have one.
3. It might be an interesting exercise if someone were to create an add-in router page to manage certs for different users, automating this plus point #1. Maybe also with client-side options.

 

[gbguy71]

It has been a long time since I wrote this. I have moved to a new computer and am pulling my hair out. As far as I can tell the OpenVPN forum is not accepting new posts (please tell me how if you still can).

I'm getting a "OPENSSL_Uplink(00007FFEF543FAC8,08): no OPENSSL_Applink" error when I do a "./easytls init-tls" (right after I successfully ran the initial "./easyrsa init-pki").

There was no easytls package to install. I simply download the scripts easytls, easytls-client-disconnect.sh, easytls-client-connect.sh, and easytls-cryptv2-verify.sh into the C:\Program Files\OpenVPN\easy-rsa directory.

I have OpenVPN 2.6.12 and EasyRSA 3.1.7.

Google has been no help and after more than a day of trying to figure this out I'm asking for help..

TIA

 

[gbguy71]

I got an answer from GitHub, EasyRSA does not work on Windows!
https://github.com/TinCanTech/easy-tls/issues/313

 

[Martinski]

I got an answer from GitHub, EasyRSA does not work on Windows!
https://github.com/TinCanTech/easy-tls/issues/313

Well, it looks like you got misleading or incomplete information from the GitHub response. Perhaps the poster meant to say that the EasyTLS tools no longer work on Windows.

I've used EasyRSA for many years now, and I have the 3.1.6 version installed in one of my Windows 10 PCs (version 22H2, OS build 19045.4780, with OpenVPN 2.6.12) that I use to generate & manage the certs & keys for OpenVPN servers/clients on a handful of ASUS routers, and so far the EasyRSA tool is definitely working well and without any issues.

And just to check it out, tonight I downloaded & installed the EasyRSA 3.1.7 version on another Windows 10 PC, and then I ran a quick test to generate certs & keys for one OpenVPN client, and the tool worked just fine without any hiccups. I have not yet tried it on my Windows 11 PC so I suppose it's possible that there might be some issues on that OS. In any case, the point is that the blanket statement "EasyRSA no longer works on Windows" is undoubtedly incorrect for Windows 10.

 

[gbguy71]

Well, it looks like you got misleading or incomplete information from the GitHub response. Perhaps the poster meant to say that the EasyTLS tools no longer work on Windows.

I've used EasyRSA for many years now, and I have the 3.1.6 version installed in one of my Windows 10 PCs (version 22H2, OS build 19045.4780, with OpenVPN 2.6.12) that I use to generate & manage the certs & keys for OpenVPN servers/clients on a handful of ASUS routers, and so far the EasyRSA tool is definitely working well and without any issues.

And just to check it out, tonight I downloaded & installed the EasyRSA 3.1.7 version on another Windows 10 PC, and then I ran a quick test to generate certs & keys for one OpenVPN client, and the tool worked just fine without any hiccups. I have not yet tried it on my Windows 11 PC so I suppose it's possible that there might be some issues on that OS. In any case, the point is that the blanket statement "EasyRSA no longer works on Windows" is undoubtedly incorrect for Windows 10.

You might be correct. It was ./easytls init-tls that failed on Windows. However, as a practical matter it makes no real difference. I'm forced to generate needed files on Linux. I am in the middle of generation, but it looks like generating the EasyRSA/EasyTLS stuff on Linux and transferring the files to Windows, where OpenVPN is installed, is going to work. (I'll make a quick update to this thread once I make it work). Thanks for your investigation.

 

[Martinski]

... I'm forced to generate needed files on Linux. ...

I'm curious. Why do you feel "forced" to generate the files on Linux?

Is it because you want to continue to use the EasyTLS tools?
What additional functionality or benefit does EasyTLS give you?

Do you need EasyTLS just to generate the static 2048-bit pre-shared key (PSK) file (e.g. tls-auth.key)?

If that's the case, why don't you call directly from your own shell script the "openvpn.exe" executable to generate it?

For example:

$OPEN_VPN_PATH --genkey secret "${PKI_DIR_PATH}/tls_auth.key"

Where "$OPEN_VPN_PATH" is the full path of the "openvpn.exe" binary on Windows
(e.g. OPEN_VPN_PATH="C:/Program Files/OpenVPN/bin/openvpn.exe")

And "$PKI_DIR_PATH" is the full path of the target PKI directory.

I've been doing this for several years and it's a simple call, IMO.

Or, if you're trying to generate "tls-crypt-v2" keys, there are simple calls for those as well. No need for additional 3rd-party tools.

Just my 2 cents.