OpenVPN Setup on Vigor Router with XCA

OpenVPN is an open-source VPN technology that can traverse network address translators (NATs) and firewalls, since it uses a custom security protocol that relies on SSL/TLS for key exchange. Certificates are one of the client authentication methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificates, the server can use a different certificate for each client in a multi-client, single-server topology.
In this article, we will use XCA, a free Certificate Authority (CA) application, to generate and manage the server and client certificates required for the OpenVPN configuration. This article includes:

Part 1. Making Server Certificate on the Router

1-1. Since the certificate has a validity period, make sure the router's time settings are correct at System Maintenance >> Time and Date.

a screenshot of DrayOS Time and Date Settings

1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Type the information, then click Generate.

a screenshot of DrayOS generating new Local Certificate

1-3. After clicking Generate, you will see the Certificate Signing Request, which needs to be signed by a CA. Copy the text shown at PEM Format Content.

a screenshot of DrayOS Certificate Signing Request

Part 2. Create a new CA on XCA

2-1. Launch XCA, go to the Certificates tab, click New Certificate. Select Create a self-signed Certificate with the serial. Click Apply all to apply the CA Template.

a screenshot of XCA

2-2. Go to the Subject page,

a screenshot of XCA

Part 3. Importing Signed Server Certificate and CA Certificate to the Router

3-1. Go to Certificate signing requests, select Paste PEM data, and paste the PEM Format Content copied from the router in step 1-3.

a screenshot of XCA

3-2. Right-click on the imported certificate and select Sign. Use the certificate created in Part 2 for signing.

a screenshot of XCA

3-3. On the Certificates tab, export the Signed Local Certificate in .crt format. Go back to the router's GUI and import it at Certificate Management >> Local Certificate >> Upload Local Certificate.

a screenshot of XCA and DrayOS

3-4. Make sure the status of the uploaded certificate is OK.

a screenshot of DrayOS Local Certificate showing OK at Status

3-5. On XCA, go to Certificates, choose the CA certificate, and export it in .crt format. Then import it to the router at Certificate Management >> Trusted CA Certificate.

a screenshot of XCA and DrayOS

3-6. Make sure the status of the imported Trusted CA is OK.

a screenshot of DrayOS Trusted CA showing OK

Part 4. Making a Private Certificate and Private key for the VPN Client

4-1. On XCA, go to Certificates and click New Certificate. At Signing, select the option to use the CA certificate for signing.

a screenshot of XCA

4-2. Go to the Subject page,

a screenshot of XCA

4-3. Go to Certificates and select the certificate we just created. Export it in .crt format and import it to the VPN client.

a screenshot of XCA

4-4. Go to Private Keys, export the Private Key (Oclient.key), and manually change the file extension to .key. Then import it to the VPN client.

a screenshot of XCA

Part 5. Router Setup as OpenVPN Server

5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and apply the configuration below.

a screenshot of DrayOS Open VPN General Setup

5-2. Go to the Client Config tab and specify the file names of the CA Certificate, Client Certificate, and Client Key. Then click Export.

a screenshot of DrayOS Open VPN Client Config setup

5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users. Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in Allowed Dial-In Type.

a screenshot of DrayOS Remote Dial-in User Setup

5-4. Go to SSL VPN >> General Setup to change the Server Certificate to the Local Certificate generated in part 2.

a screenshot of DrayOS SSL VPN General Setup

Part 6. Client Setup in OpenVPN GUI

6-1. Import the OpenVPN config (test.ovpn) in OpenVPN GUI. There are three files to put in the OpenVPN config folder:

a screenshot of OpenVPN UI

6-2. Click Connect and enter the username/password configured in step 5-3.

a screenshot of OpenVPN UI

After the OpenVPN tunnel is established, the VPN status will show in VPN and Remote Access >> Connection Management.

a screenshot of DrayOS showing OpenVPN online

Troubleshooting

VERIFY ERROR: error=self signed certificate
The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).
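
The conditions behind step 1-1 (validity period), step 3-2 (CA signature), step 4-4 (key export) and the VERIFY ERROR above can be checked offline with the openssl command line before any file is imported. This is an added example, not part of the original article or of DrayOS/XCA; the function names, file names and subject names are assumptions, and every key and certificate is a throwaway one constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. All keys and certificates below are constructed demo data.

# Build a demo PKI: a CA (Part 2), a CSR signed by that CA (steps 1-3 and 3-2),
# and a self-signed certificate standing in for the one named in Troubleshooting.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vigor.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=vigor.example" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

# Print OK, or the first reason found why a client that trusts CA file $1
# would reject certificate file $2. Returns non-zero on any failure.
check_cert() {
    ca=$1 cert=$2
    subj=$(openssl x509 -in "$cert" -noout -subject) || { echo "unreadable"; return 1; }
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # Subject equal to issuer means the certificate was not issued by a separate CA.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo "self-signed"; return 1
    fi
    # -checkend 0 fails when the certificate has already expired (step 1-1).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "not signed by this CA"; return 1
    fi
    echo "OK"
}

# Succeeds when private key file $2 belongs to certificate file $1 (Part 4 exports).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "CA-signed:   $(check_cert "$demo/ca.crt" "$demo/server.crt")"
echo "self-signed: $(check_cert "$demo/ca.crt" "$demo/self.crt")"
```

To check real files, call `check_cert` with the CA and certificate exported from XCA, and `key_matches_cert` with the client certificate and key from steps 4-3 and 4-4.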

Published On: Nov 27, 2018 
