Exported OVPN files requiring external certificates

SnakeByte

Regular Contributor
One thing I recently noticed after switching from the stock firmware to the latest 3.0.0.4.374.38_1 rmerlin build is that the exported server ovpn file I copy over to my iOS devices doesn't work the same.

When I copy over the ovpn file from the stock firmware and import it, the OpenVPN Connect software only prompts me for a username and password. The ovpn files that rmerlin's build creates make the OpenVPN Connect application require an additional certificate along with the username and password. I double-checked and under VPN Details, I have Username/Password authentication set to on, as well as the Username/Password auth only setting.

When I compare the two ovpn files, I see that the stock firmware version includes three certs, the ca, and apparently a client public and private key.

Merlin's only includes the ca. Does this mean Merlin's build does not automatically create the client cert and key like the stock firmware does?
 

If you changed the CA (or any of the auto-generated cert/key), then the router will wipe out the automatically generated client cert/key as it won't match the stored CA. If you want to fully use everything automatically generated, you will have to remove all existing key and certs, and restart the OpenVPN server (stop and restart it).
 

RMerlin,

I did not change any key on the router, however I'm game to "reset" server1 and see if that fixes this issue. What is the correct method to "remove all existing key and certs"? Do I have to clear out certain nvram variables, or can this be done from the webgui?
 

First, stop the VPN server under VPN Server.

Then, go to VPN Details. Click on the link next to the TLS setting to edit keys and certs. Clear all fields on that page that will contain keys and certs. Apply those changes, then click on Apply/Save on the VPN Details page as well.

Then, go back to VPN Server, and turn the OpenVPN server instance on. Once the page reloads, it will show that it's currently generating keys and certs - give it 2-3 mins. It will eventually turn into an Export button.
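
A way to check an exported profile before copying it to a device, as an added example that is not part of the thread or of either firmware: it reports which inline blocks a .ovpn file actually carries, which is the difference the two exports above showed. The sample profiles, the hostname and the helper names are constructed placeholders.

```python
import re

def inspect_profile(text):
    """Report which inline credential blocks an .ovpn profile carries."""
    blocks, directives, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:              # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            elif line:
                blocks[current] += 1         # count non-blank body lines
            continue
        opener = re.fullmatch(r"<([a-z-]+)>", line)
        if opener:
            current = opener.group(1)
            blocks[current] = 0
        elif line and line[0] not in "#;":   # skip comment lines
            directives.add(line.split()[0])
    # An empty <cert></cert> pair counts as absent, same as no block at all.
    report = {tag: blocks.get(tag, 0) > 0 for tag in ("ca", "cert", "key")}
    report["auth_user_pass"] = "auth-user-pass" in directives
    return report

def missing_client_material(report):
    """Blocks whose absence matched the extra certificate prompt in the thread."""
    return [tag for tag in ("cert", "key") if not report[tag]]

def pem(label):
    # Constructed placeholder, not real certificate or key material.
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n"

# Constructed sample profiles modelled on the two exports compared in the thread.
BASE = "client\ndev tun\nremote vpn.example.invalid 1194\nauth-user-pass\n"
FULL_PROFILE = (BASE + "<ca>\n" + pem("CERTIFICATE") + "</ca>\n"
                + "<cert>\n" + pem("CERTIFICATE") + "</cert>\n"
                + "<key>\n" + pem("PRIVATE KEY") + "</key>\n")
CA_ONLY_PROFILE = BASE + "<ca>\n" + pem("CERTIFICATE") + "</ca>\n<cert>\n</cert>\n"

if __name__ == "__main__":
    for name, text in (("full", FULL_PROFILE), ("ca-only", CA_ONLY_PROFILE)):
        report = inspect_profile(text)
        print(name, report, "missing:", missing_client_material(report) or "none")
```

Running it against the file exported after the regeneration steps above shows whether the client cert and key blocks came back before the profile is imported on the device.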
 
