How to generate keys for OpenVPN

jochenthomas

Occasional Visitor
Hi,
I am using an AC87U with newest version 55.0.
Is there currently a rule how to generate ca and keys, given the fact that there are newer openSSL versions?
If I generate those keys on a newest Linux machine is there a mismatch or are there only not supported/missing (more secure) cipher methods?

Sorry for my question, but I cannot get openVPN to work with TLS (but static key is working fine). Or do I have to clear something after the new version?
 
I've never had need to set up OpenVPN clients on my router; I've only set up the servers. Is that what you are doing? If so, why are you generating certs and keys yourself? It does it for you when you run the server for the first time. It really couldn't have been made easier. Is there a reason why you want to generate them manually?
 
Also running 55.0

The .ovpn file generated by the router only contains a CA cert for me.

<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>

Is what I get after the cert. Any reason why that info would be missing?
 
O.k. I thought about doing a complete reset, but that was not my aim.
So I tried again several times; I also cleared the JFFS, did some reboots and tried again to generate the .ovpn.
Yes, I explicitly had to use an external cert/key (not sure why inline cert/key isn't working). But at least it is working now.
Not sure what exactly was the root cause, but most important: it is working now ;-)
 
The .ovpn file generated by the router only contains a CA cert for me. ... Any reason why that info would be missing?

I've had this happen to me a couple of months ago on an earlier firmware. I don't know what caused it, though. I got round it, I think, by pasting in the key and cert from the other server. But I wasn't happy with that as a solution, so eventually I bit the bullet and restored the router to factory status and set it up from scratch again. And that time all the keys and certs were in the config file exactly as they should be.

O.k. I thought about doing a complete reset, but that was not my aim.
So I tried again several times; I also cleared the JFFS, did some reboots and tried again to generate the .ovpn.
Yes, I explicitly had to use an external cert/key (not sure why inline cert/key isn't working). But at least it is working now.
Not sure what exactly was the root cause, but most important: it is working now ;-)

That's great. I now wonder if you ran into the same thing Morph89 mentioned (and I experienced a while back); that would explain why you wanted to manually generate the ca and keys. Anyway, you managed it without a restore to factory default. Thanks for the feedback.
 
I am using an Android ovpn app (esp. TAP) which is very comfortable: OpenVPN Client
So yes, here it was necessary to define manually cert and key.
Reason: within the generated ovpn it says "paste client certificate data here" - so no complete inline ca/key.
And even worse, if you generate a static key (initially this was the only way it worked) and you put some manual configs (client to client / route) in the GUI the generation process will never end :-?
 
I've had this happen to me a couple of months ago on an earlier firmware. I don't know what caused it, though. I got round it, I think, by pasting in the key and cert from the other server. But I wasn't happy with that as a solution, so eventually I bit the bullet and restored the router to factory status and set it up from scratch again. And that time all the keys and certs were in the config file exactly as they should be.

After doing a factory restore, the generated .ovpn file now contains the cert and key info.

However, when I attempt to connect, I'm getting the following TLS error (I removed the IP):
Aug 6 17:44:05 openvpn[947]: **.***.*.***:12321 TLS_ERROR: BIO read tls_read_plaintext error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT: padding check failed: error:1408807B:SSL routines:ssl3_get_cert_verify:bad signature: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
Aug 6 17:44:05 openvpn[947]: **.***.*.***:12321 TLS Error: TLS object -> incoming plaintext read error
Aug 6 17:44:05 openvpn[947]: **.***.*.***:12321 TLS Error: TLS handshake failed
Aug 6 17:44:05 openvpn[947]: **.***.*.***:12321 SIGUSR1[soft,tls-error] received, client-instance restarting

Any idea how I can correct this?
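As an added example (not from this thread or from the Asuswrt-Merlin firmware), covering two points raised above: the opening question on how to generate a CA and keys with a current OpenSSL, and the "padding check failed ... bad signature" handshake error in the previous post. The script builds a CA, a server and a client certificate with the openssl CLI, writes a client profile with <ca>, <cert> and <key> inline (the blocks the router left as "paste client certificate data here"), and runs the two checks worth doing before blaming the firmware: that the client cert chains to the CA, and that the cert really belongs to the private key beside it. A cert paired with a key from another identity is one cause of exactly that server-side error, because the client signs the CertificateVerify message with its key and the server checks that signature with the public key in the presented cert. It assumes openssl (1.1.1 or 3.x) is on PATH; vpn.example.com and the CN values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: build a
# small OpenVPN PKI with the openssl CLI, write a client .ovpn with the CA,
# cert and key inline, and run the two checks that explain most
# "bad signature" / "padding check failed" handshake failures.
# Assumptions: openssl (1.1.1 or 3.x) is on PATH; "vpn.example.com",
# "OpenVPN-CA", "server" and "client" are placeholder names.
set -e

# make_pki DIR: self-signed CA plus a server and a client certificate,
# RSA-2048 / SHA-256, both signed by that CA.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=OpenVPN-CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  for name in server client; do
    # EKU matters: a client running "remote-cert-tls server" rejects a server
    # cert without serverAuth, and the server can demand clientAuth likewise.
    if [ "$name" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
      "$eku" > "$dir/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$name.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  done
}

# chain_ok CA CERT: succeeds only if CERT was issued by CA (and is in date).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: succeeds only if the public key inside CERT is
# the one derived from KEY. A cert paired with someone else's key is what the
# peer reports as "RSA_padding_check ... bad signature" on CertificateVerify.
cert_matches_key() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
      openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_ovpn DIR HOST OUT: client profile with <ca>, <cert> and <key> inline,
# i.e. the blocks the router left as "paste client certificate data here".
make_ovpn() {
  dir="$1" host="$2" out="$3"
  {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\nnobind\n' "$host"
    printf 'persist-key\npersist-tun\nremote-cert-tls server\nverb 3\n'
    printf '<ca>\n';   cat "$dir/ca.crt";                  printf '</ca>\n'
    printf '<cert>\n'; openssl x509 -in "$dir/client.crt"; printf '</cert>\n'
    printf '<key>\n';  cat "$dir/client.key";              printf '</key>\n'
  } > "$out"
}

# ovpn_inline_ok FILE: succeeds if FILE carries real PEM blocks and no
# leftover placeholder text.
ovpn_inline_ok() {
  grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1" &&
    ! grep -q 'paste client' "$1"
}

# Usage: run the whole flow in a scratch directory.
WORK="$(mktemp -d)"
make_pki "$WORK"
make_ovpn "$WORK" vpn.example.com "$WORK/client.ovpn"
if chain_ok "$WORK/ca.crt" "$WORK/client.crt"; then echo "client cert chains to CA"; fi
if cert_matches_key "$WORK/client.crt" "$WORK/client.key"; then echo "client cert matches client key"; fi
# Deliberately pair the client cert with the server key: the check flags it
# locally, before a server ever logs a failed handshake.
if ! cert_matches_key "$WORK/client.crt" "$WORK/server.key"; then
  echo "client cert does NOT match server key (expected)"
fi
echo "profile written to $WORK/client.ovpn"
```

To test what the router exported rather than what the script creates, copy the PEM blocks out of its .ovpn into ca.crt, client.crt and client.key and point chain_ok and cert_matches_key at those files; a failure there is something to fix on the router side, not in the client app.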
 
Firstly, it's good to know that, after you went to the trouble of a factory restore, it paid off; however, you have now hit another hurdle.

Is your router running an OpenVPN server or client?

I ran one quick Google check on one of the messages you got, but I can't make much sense of the responses:

SSL routines:ssl3_get_cert_verify:bad signature: error:140940E5:SSL. (Copy and paste into Google)

You might want to have a look through and see if you can extract anything, or else alter the search criteria.

I remember a while back, one of the resident experts responded to an OpenVPN question saying that it may often be better to direct a question to an OpenVPN forum because, it's not that people don't care here, but there is not a tremendous amount of OpenVPN experience in the Asus-Merlin forum.
 
Firstly, it's good to know that, after you went to the trouble of a factory restore, it paid off; however, you have now hit another hurdle.

Is your router running an OpenVPN server or client?

Attempting to run it as a server. Surprised there are any certificate errors considering the router is the one that generated them!
 
Attempting to run it as a server. Surprised there are any certificate errors considering the router is the one that generated them!

I ran a couple of Google searches; when I tried "SSL3_GET_CERT_VERIFY: bad rsa signature" the poster said,
"regenerated host certificate and container restart appeared to make this go away." But you've done that by your factory default restore.

One thought: after doing the restore, what changes did you make to the OpenVPN settings, if any? I don't expect you had any reason to edit/save the keys or certificates themselves, but if you did, did you use a Linux editor such as Notepad++? There's a case for doing the restore to factory default, exporting the .ovpn config file without changing any settings, and seeing if it works. If it does, only then do you start altering anything, as required, in the advanced settings tab, remembering that some setting changes may well require a new .ovpn file export to the clients, and then rechecking, step by step if necessary, if it still works.
 
