OVPN files made by Merlin

[wayner]

I have successfully used the OVPN file from my Merlin router to connect to my VPN, but I have some questions regarding the OVPN files.

When I look at examples of OVPN files on the net they are supposed to look like this:

client

dev tun
proto tcp
remote 1.2.3.4 1194

resolv-retry infinite
nobind

persist-key
persist-tun

ca [inline]
cert [inline]
key [inline]

verb 1

keepalive 10 900
inactive 3600
comp-lzo

<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>

The first time I exported an OVPN file it looked like that, but I have exported two others and they are much smaller and seem to not have the cert or key sections. They look like this:

client
dev tun
proto udp
remote myip.asuscomm.com 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
</ca>
ns-cert-type server
resolv-retry infinite
nobind

Why is this? And with Merlin how do you create an OVPN file for a specific client that you have created keys for? How do you export separate OVPN files for client1, client2, client3, etc?

One other question - when I change one of the server settings do I have to recreate the OVPN file? I would think so as don't these ovpn files tell the clients what parameters to use?

 

[sinshiva]

afaik, the server configuration is somewhat minimal and the clients only need to specify their user/pass as defined in the server configuration page, by you. if you want a more elaborate configuration; https://openvpn.net/index.php/open-source/documentation/howto.html

[edit/] this is my working client configuration, with keys manually generated for each OVPN and server (user/pass authentication DISABLED) + a static key used for TLS; based on MTU of 1492 so PPPoE hotspots don't mess you up.

client
tls-client
remote-cert-tls server
tun-mtu 1411
fragment 1407
mssfix 1407
verb 3
dev tun
remote MY_FQDN.COM 1194 udp
nobind
auth sha256
float
cipher aes-128-cbc
verify-x509-name CN_OF_SERVER name
persist-tun
persist-remote-ip
<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>

<key>
-----BEGIN PRIVATE KEY-----
xxx
-----END PRIVATE KEY-----
</key>

<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
xxx
-----END OpenVPN Static key V1-----
</tls-auth>

View the attached image for the server page and below is added to the 'Custom configuration' field.

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
auth sha256
fragment 1407
mssfix 1407
tun-mtu 1411

provided you can figure out how to generate the keys required, this should help you. i use the standard openvpn client for windows and 'OpenVPN for Android', for android. a friend of mine connects with Apple products, but never asked which client software he was using

 

[wayner]

Do you need to use unique client files for each client or can they all use the same file? I have been able to connect simultaneously with both iPad and iPhone using the same OVPN file.

If you click the Export button from the UI in Merlin does the OVPN file created contain all three certs/keys or just one as I showed?