OpenVPN Setup on Vigor Router with XCA

OpenVPN is an open source VPN techniques which is capable of traversing network address translators (NATs) and firewalls, since it uses a custom security protocol that utilizes SSL/TLS for key exchanges. Certificate is one of the client authentciation methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificate, the server can use a different certificate for each client in a multiclient-server topology.
In this article, we will use XCA, a free Certificate Authority (CA) software, to generate and manage the server and client certificate that required for OpenVPN configuration. This article includes:

Part 1. Making Server Certificate on the Router

1-1. Since the certificate has a valid period, please make sure the time settings of the router is correct at System Maintenance >> Time and Date.

a screenshot of DrayOS Time and Date Settings

1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Type the information, then click Generate.

a screenshot of DrayOS generating new Local Certificate

1-3. After clicking Generate, you will see the Certificate Signing Request, which needs to be signed by a CA. Copy the certificate at PEM Format Content.

a screenshot of DrayOS Certificate Signing Request
Part 2. Create a new CA on XCA

2-1. Launch XCA, go to the Certificates tab, click New Certificate. Select Create a self-signed Certificate with the serial. Click Apply all to apply the CA Template.

a screenshot of XCA

2-2. Go the Subject page,

a screenshot of XCA
Part 3. Importing Signed Server Certificate and CA Certificate to the Router

3-1 Go to Certificate signing requests, select Paste PEM data and paste the PEM Format Content copied from the router in step 1-3.

a screenshot of XCA

3-2. Right-click on the imported certificate and select Sign. Use the certificate created in step 2 to signing.

a screenshot of XCA

3-3 At Certificate tab, export the Singed Local Certificate in .crt format. Go back to the router's GUI, import it to the router at Certificate Management >> Local Certificate >> Upload Local Certificate.

a screenshot of XCA and DrayOS

3-4 Make sure the status of the certificate uploaded is OK.

a screenshot of DrayOS Local Certificate showing OK at Status

3-5 On XCA, go to Certificate, choose the CA certificate and export it in .crt format, and import it to the router at Certificate Management >> Trusted CA Certificate.

a screenshot of XCA and DrayOS

3-6 Make sure the status of the Trusted CA imported is OK.

a screenshot of DrayOS Trusted CA showing OK
Part 4. Making a Private Certificate and Private key for the VPN Client

4-1 On XCA, go to Certificates, click New Certificate. At Signing, select use the CA certificate for singing.

a screenshot of XCA

4-2 Go to the Subject page,

a screenshot of XCA

4-3. Go to Certificates, select the certificate we just created. Export it in .crt format and import to the VPN client.

a screenshot of XCA

4-4. Go to Private Keys, export the Private Key (Oclient.key), manually change extension name to .key. Then, import it to the VPN client.

a screenshot of XCA
Part 5. Router Setup as OpenVPN Server

5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and have the configuration below.

a screenshot of DrayOS Open VPN General Setup

5-2. Go to the Client Config tab, specify the file name of CA Certificate, Client Certificate, and Client Key. Then, click Export.

a screenshot of DrayOS Open VPN Client Config setup

5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users. Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in Allowed Dial-In Type.

a screenshot of DrayOS Remote Dial-in User Setup

5-4. Go to SSL VPN >> General Setup to change the Server Certificate to the Local Certificate generated in part 2.

a screenshot of DrayOS SSL VPN General Setup
Part 6: Client Setup in OpenVPN GUI

6-1 Import the OpenVPN config (test.ovpn) in OpenVPN GUI. There are three files to put in the OpenVPN config folder:

s screenshot of OpenVPN UI

6-2 Click Connect and enter username/password configured in step 5-3.

a screenshot of OpenVPN UI
Client Setup in Smart VPN client

OpenVPN is supported by Smart VPN client since v5.2.0, following is the setup steps of smart VPN client as an alternative solution apart from OpenVPN GUI.

1. Add a VPN profile and choose VPN type OpenVPN, then Import the OpenVPN config (test.ovpn) in Smart VPN client.

import config into smart vpn client

2. Enter username/password configured in step 5-3, and click OK to save it.

smart vpn client auth

3. There are three files to put in smart VPN client ovpnca folder:

smart vpn client cert path

4. Then swtich on Connect.

smart vpn client connect

After establishing the OpenVPN tunnels, the VPN status will show in VPN and Remote Access >> Connection Management

a screenshot of DrayOS showing OpenVPN online


VERIFY ERROR: error=self signed certificate
The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).

Published On: Nov 27, 2018 

Was this helpful?     

Related Articles