Questions about Easy RSA 2 on Windows

Support forum for Easy-RSA certificate management suite.
Post Reply
Fractalogic
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 19, 2019 3:14 pm

Questions about Easy RSA 2 on Windows

Post by Fractalogic » Sat Jan 19, 2019 3:23 pm

I used Easy RSA 2 that's included with OpenVPN 2.4.6 to generate my certificates and keys.

When generating client key and certificate, the CN needs to match the certificate file name or client name. Is the same true for the server?

When asked to assign a password, can we skip past this part and only use the certificates and keys to establish a VPN connection?

Do I need to generate a TA key? My intention is to be able to configure and establish a VPN connection to my router that's running on DD-WRT and includes OpenVPN daemon and server.

My understanding is that ca.crt, ca.key, client.crt and client.key along with the client.ovpn configuration files go on the server PC. The ca.crt, ca.key, server.crt, server.key and dh2048.pem go on the server. Is this correct?

I have essentially copy and pasted the certificate and key data from these files to the router web GUI. And saved the settings.
Last edited by Fractalogic on Sat Jan 19, 2019 3:32 pm, edited 1 time in total.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5574
Joined: Fri Jun 03, 2016 1:17 pm

Re: Questions about Easy RSA 2 on Windows

Post by TinCanTech » Sat Jan 19, 2019 3:28 pm

Fractalogic wrote:
Sat Jan 19, 2019 3:23 pm
When generating client key and certificate, the CN needs to match the certificate file name or client name. Is the same true for the server?
Once created you can rename the file as you like but there seems to be little point.
Fractalogic wrote:
Sat Jan 19, 2019 3:23 pm
When asked to assign a password, can we skip past this part and only use the certificates and keys to establish a VPN connection?
Yes, if you add a password using EasyRSA the file will be encrypted and you will need to supply the password every time you start openvpn.
Fractalogic wrote:
Sat Jan 19, 2019 3:23 pm
Do I need to generate a TA key?
Highly recommended.

Fractalogic
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 19, 2019 3:14 pm

Re: Questions about Easy RSA 2 on Windows

Post by Fractalogic » Sat Jan 19, 2019 3:45 pm

Thank you for the quick reply! I have updated the original post with additional info and some questions.

What does a yellow icon mean in OpenVPN GUI program? It seems like I am able to contact my router, but there is a problem somewhere. I keep seeing the following lines repeated in the log.
Sat Jan 19 15:38:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:39:29 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:39:29 2019 TLS Error: TLS handshake failed
So it looks like something is missing in my setup. Would that be the TA key?

https://openvpn.net/community-resources/how-to/#mitm

This page talks about "Man-in-the-Middle attack". I don't fully understand what it says, but I used the build-key-server command to generate my server certificate and key.

It suggests adding this line to my config file.

Code: Select all

remote-cert-tls server
This goes in the client.ovpn file?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5574
Joined: Fri Jun 03, 2016 1:17 pm

Re: Questions about Easy RSA 2 on Windows

Post by TinCanTech » Sat Jan 19, 2019 5:47 pm

Fractalogic wrote:
Sat Jan 19, 2019 3:45 pm
Thank you for the quick reply! I have updated the original post with additional info and some questions.

What does a yellow icon mean in OpenVPN GUI program? It seems like I am able to contact my router, but there is a problem somewhere. I keep seeing the following lines repeated in the log.
Sat Jan 19 15:38:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
So it looks like something is missing in my setup. Would that be the TA key?

https://openvpn.net/community-resources/how-to/#mitm

This page talks about "Man-in-the-Middle attack". I don't fully understand what it says, but I used the build-key-server command to generate my server certificate and key.

It suggests adding this line to my config file.

Code: Select all

remote-cert-tls server
This goes in the client.ovpn file?
Yes.
Sat Jan 19 15:39:29 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:39:29 2019 TLS Error: TLS handshake failed
This is a different problem and you will need to see you server log file to fix it.


Because you are new to OpenVPN/EasyRSA I would recommend you start using this:
https://github.com/OpenVPN/easy-rsa/releases

I would start over from scratch with your PKI.

Fractalogic
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 19, 2019 3:14 pm

Re: Questions about Easy RSA 2 on Windows

Post by Fractalogic » Sun Jan 20, 2019 1:20 pm

Adding "remote-cert-tls server" to the client.ovpn file resolved the warning message.

To resolve the TLS error I had to restart the router.

I have heard good things about the Easy RSA 3, but while it is more powerful, it seems to be more complicated to use for a novice like myself. I plan on giving that a try at a later time. For now at least, Easy RSA 2 will do.

I do wonder though, why is Easy RSA 3 not included with OpenVPN installer for Windows? If it's that great, it would seem logical to include it.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5574
Joined: Fri Jun 03, 2016 1:17 pm

Re: Questions about Easy RSA 2 on Windows

Post by TinCanTech » Sun Jan 20, 2019 2:16 pm

Because the installer is written by volunteers and nobody has got around to changing it.

Fractalogic
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 19, 2019 3:14 pm

Re: Questions about Easy RSA 2 on Windows

Post by Fractalogic » Sun Jan 20, 2019 2:33 pm

TinCanTech wrote:
Sun Jan 20, 2019 2:16 pm
Because the installer is written by volunteers and nobody has got around to changing it.
How might an outsider change that? Is the code available somewhere? Who maintains these packages? If the source code for Easy RSA 3 is on Github, where is the same for Easy RSA 2? I assume Easy RSA 3 is a continued development of Easy RSA 2 and not a complete rewrite.

Post Reply