Knowledge Base  >   VPN  > 

OpenVPN Setup on Vigor Router with XCA

OpenVPN is an open-source VPN technique which is capable of traversing network address translators (NATs) and firewalls, since it uses a custom security protocol that utilizes SSL/TLS for key exchanges. A certificate is one of the client authentication methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificate, the server can use a different certificate for each client in a multi client-server topology.
In this article, we will use XCA, a free Certificate Authority (CA) software, to generate and manage the server and client certificate that required for OpenVPN configuration. This article includes:

Part 1. Making Server Certificate on the Router

1-1. Since the certificate has a valid period, please make sure the time settings of the router is correct at System Maintenance >> Time and Date.

a screenshot of DrayOS Time and Date Settings

1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Type the information, then click Generate.

a screenshot of DrayOS generating new Local Certificate

1-3. After clicking Generate, you will see the Certificate Signing Request, which needs to be signed by a CA. Copy the certificate at PEM Format Content.

a screenshot of DrayOS Certificate Signing Request
Part 2. Create a new CA on XCA

2-1. Launch XCA, go to the Certificates tab, click New Certificate. Select Create a self-signed Certificate with the serial. Click Apply all to apply the CA Template.

a screenshot of XCA

2-2. Go the Subject page,

a screenshot of XCA
Part 3. Importing Signed Server Certificate and CA Certificate to the Router

3-1 Go to Certificate signing requests, select Paste PEM data and paste the PEM Format Content copied from the router in step 1-3.

a screenshot of XCA

3-2. Right-click on the imported certificate and select Sign. Use the certificate created in step 2 to signing.

a screenshot of XCA

3-3 At Certificate tab, export the Singed Local Certificate in .crt format. Go back to the router's GUI, import it to the router at Certificate Management >> Local Certificate >> Upload Local Certificate.

a screenshot of XCA and DrayOS

3-4 Make sure the status of the certificate uploaded is OK.

a screenshot of DrayOS Local Certificate showing OK at Status

3-5 On XCA, go to Certificate, choose the CA certificate and export it in .crt format, and import it to the router at Certificate Management >> Trusted CA Certificate.

a screenshot of XCA and DrayOS

3-6 Make sure the status of the Trusted CA imported is OK.

a screenshot of DrayOS Trusted CA showing OK
Part 4. Making a Private Certificate and Private key for the VPN Client

4-1 On XCA, go to Certificates, click New Certificate. At Signing, select use the CA certificate for singing.

a screenshot of XCA

4-2 Go to the Subject page,

a screenshot of XCA

4-3. Go to Certificates, select the certificate we just created. Export it in .crt format and import to the VPN client.

a screenshot of XCA

4-4. Go to Private Keys, export the Private Key (Oclient.key), manually change extension name to .key. Then, import it to the VPN client.

a screenshot of XCA
Part 5. Router Setup as OpenVPN Server

5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and have the configuration below.

a screenshot of DrayOS Open VPN General Setup

5-2. Go to the Client Config tab, specify the file name of CA Certificate, Client Certificate for OpenVPN client, and Client Key. Then, click Export.

a screenshot of DrayOS Open VPN Client Config setup

5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users. Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in Allowed Dial-In Type.

a screenshot of DrayOS Remote Dial-in User Setup

5-4. Go to VPN and Remote Access >> SSL General Setup to change the Server Certificate to the Local Certificate generated in part 2.

a screenshot of DrayOS SSL VPN General Setup
Part 6: Client Setup in OpenVPN GUI

6-1 Import the OpenVPN config (test.ovpn) in OpenVPN GUI. There are three files to put in the OpenVPN config folder:

  • Trusted CA Certificate (CAtest.crt)
  • Private Certificate (Oclient.crt)
  • Private Key (Oclient.key)
s screenshot of OpenVPN UI

6-2 Click Connect and enter username/password configured in step 5-3.

a screenshot of OpenVPN UI
Client Setup in Smart VPN client

OpenVPN is supported by Smart VPN client since v5.2.0, please install OpenVPN for Windows first.

Following is the setup steps of smart VPN client as an alternative solution apart from OpenVPN GUI.

1. Add a VPN profile and choose VPN type OpenVPN, then Import the OpenVPN config (test.ovpn) in Smart VPN client.

import config into smart vpn client

2. Enter username/password configured in step 5-3, and click OK to save it.

smart vpn client auth

3. There are three files to put in smart VPN client ovpnca folder:

  • Trusted CA Certificate (CAtest.crt)
  • Private Certificate (Oclient.crt)
  • Private Key (Oclient.key)
smart vpn client cert path

4. Then swtich on Connect.

smart vpn client connect

After establishing the OpenVPN tunnels, the VPN status will show in VPN and Remote Access >> Connection Management

a screenshot of DrayOS showing OpenVPN online

Troubleshooting

VERIFY ERROR: error=self signed certificate
The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).

6-1 Edit the OpenVPN config file as follows

  • Delete ca CAtest.crt, cert Oclient.crt, key Oclient.key
  • Paste Trusted CA Certificate (CAtest.crt) texts between '' and ''
  • Paste Private Certificate (Oclient.crt)texts between '' and ''
  • Paste Private Key (Oclient.key) texts between '' and ''
    • ios ovpn cfg

    6-2 Install OpenVPN Connect on macOS devices

    6-3 Send the OpenVPN config file to macOS devices and run OpenVPN Connect

    6-4 Import the OpenVPN config from local file

    mac import ovpn mac ovpn file

    6-5 Select the server address and click Connect

    macos connect

    6-6 Enter Username and Password, then click Connect

    macos userpass

    We can see OpenVPN tunnel is up on the toolbar

    macos up

    Troubleshooting

    VERIFY ERROR: error=self signed certificate
    The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).

    6-1 Edit the OpenVPN config file as follows

  • Delete ca CAtest.crt, cert Oclient.crt, key Oclient.key
  • Paste Trusted CA Certificate (CAtest.crt) texts between '' and ''
  • Paste Private Certificate (Oclient.crt)texts between '' and ''
  • Paste Private Key (Oclient.key) texts between '' and ''
    • ios ovpn cfg

    6-2 Install OpenVPN Connect on iOS devices

    6-3 Send the OpenVPN config file to iOS devices and Copy to OpenVPN

    ios copy ovpn

    6-4 Tap ADD to import OpenVPN config

    ios import ovpn

    6-5 Enter Username and Password, then tap ADD

    ios userpass

    6-6 Tap Connect

    ios connect

    We can see OpenVPN tunnel status after it's established.

    ios up

    Troubleshooting

    VERIFY ERROR: error=self signed certificate
    The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).

    Published On:2018-11-27 

    Was this helpful?   

    book icon

    Related Articles