OpenVPN is an open source VPN techniques which is capable of traversing network address translators (NATs) and firewalls, since it uses a custom security protocol that utilizes SSL/TLS for key exchanges. Certificate is one of the client authentciation methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificate, the server can use a different certificate for each client in a multiclient-server topology.
In this article, we will use XCA, a free Certificate Authority (CA) software, to generate and manage the server and client certificate that required for OpenVPN configuration. This article includes:
1-1. Since the certificate has a valid period, please make sure the time settings of the router is correct at System Maintenance >> Time and Date.
1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Type the information, then click Generate.
1-3. After clicking Generate, you will see the Certificate Signing Request, which needs to be signed by a CA. Copy the certificate at PEM Format Content.
2-1. Launch XCA, go to the Certificates tab, click New Certificate. Select Create a self-signed Certificate with the serial. Click Apply all to apply the CA Template.
2-2. Go the Subject page,
3-1 Go to Certificate signing requests, select Paste PEM data and paste the PEM Format Content copied from the router in step 1-3.
3-2. Right-click on the imported certificate and select Sign. Use the certificate created in step 2 to signing.
3-3 Export the Singed Local Certificate in .crt format. Go back to the router's GUI, import it to the router at Certificate Management >> Local Certificate >> Upload Local Certificate.
3-4 Make sure the status of the certificate uploaded is OK.
3-5 On XCA, go to Certificate, choose the CA certificate and export it in .crt format, and import it to the router at Certificate Management >> Trusted CA Certificate.
3-6 Make sure the status of the Trusted CA imported is OK.
4-1 On XCA, go to Certificates, click New Certificate. At Signing, select use the CA certificate for singing.
4-2 Go to the Subject page,
4-3. Go to Certificates, select the certificate we just created. Export it in .crt format and import to the VPN client.
4-4. Go to Private Keys, export the Private Key (Oclient.key), manually change extension name to .key. Then, import it to the VPN client.
5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and have the configuration below.
5-2. Go to the Client Config tab, specify the file name of CA Certificate, Client Certificate, and Client Key. Then, click Export.
5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users. Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in Allowed Dial-In Type.
5-4. Go to SSL VPN >> General Setup to change the Server Certificate to the Local Certificate generated in part 2.
6-1 Import the OpenVPN config (test.ovpn) in OpenVPN GUI. There are three files to put in the OpenVPN config folder:
6-2 Click Connect and enter username/password configured in step 5-3.
After establishing the OpenVPN tunnels, the VPN status will show in VPN and Remote Access >> Connection Management
VERIFY ERROR: error=self signed certificate
The router is using the self-signed certificate for the VPN instead of the certificate we imported. Check the Server Certificate settings at SSL VPN >> General Setup (step 5-4).
Was this helpful?
Thank you for your feedback
Sorry about that. Leave us some comments below to help us improve, or Contact Support if you need further assistance.