Questions about Easy RSA 2 on Windows
Posted: Sat Jan 19, 2019 3:23 pm
by Fractalogic
I used Easy RSA 2 that's included with OpenVPN 2.4.6 to generate my certificates and keys.
When generating client key and certificate, the CN needs to match the certificate file name or client name. Is the same true for the server?
When asked to assign a password, can we skip past this part and only use the certificates and keys to establish a VPN connection?
Do I need to generate a TA key? My intention is to be able to configure and establish a VPN connection to my router that's running on DD-WRT and includes OpenVPN daemon and server.
My understanding is that ca.crt, ca.key, client.crt and client.key along with the client.ovpn configuration files go on the server PC. The ca.crt, ca.key, server.crt, server.key and dh2048.pem go on the server. Is this correct?
I have essentially copy and pasted the certificate and key data from these files to the router web GUI. And saved the settings.
Re: Questions about Easy RSA 2 on Windows
Posted: Sat Jan 19, 2019 3:28 pm
by TinCanTech
Fractalogic wrote: ↑Sat Jan 19, 2019 3:23 pm
When generating client key and certificate, the CN needs to match the certificate file name or client name. Is the same true for the server?
Once created, you can rename the file as you like, but there seems to be little point.
Fractalogic wrote: ↑Sat Jan 19, 2019 3:23 pm
When asked to assign a password, can we skip past this part and only use the certificates and keys to establish a VPN connection?
Yes. If you add a password using EasyRSA, the file will be encrypted and you will need to supply the password every time you start openvpn.
Fractalogic wrote: ↑Sat Jan 19, 2019 3:23 pm
Do I need to generate a TA key?
Highly recommended.
Re: Questions about Easy RSA 2 on Windows
Posted: Sat Jan 19, 2019 3:45 pm
by Fractalogic
Thank you for the quick reply! I have updated the original post with additional info and some questions.
What does a yellow icon mean in OpenVPN GUI program? It seems like I am able to contact my router, but there is a problem somewhere. I keep seeing the following lines repeated in the log.
Sat Jan 19 15:38:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 19 15:39:29 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:39:29 2019 TLS Error: TLS handshake failed
So it looks like something is missing in my setup. Would that be the TA key?
https://openvpn.net/community-resources/how-to/#mitm
This page talks about "Man-in-the-Middle attack". I don't fully understand what it says, but I used the build-key-server command to generate my server certificate and key.
It suggests adding this line to my config file.
This goes in the client.ovpn file?
Re: Questions about Easy RSA 2 on Windows
Posted: Sat Jan 19, 2019 5:47 pm
by TinCanTech
Fractalogic wrote: ↑Sat Jan 19, 2019 3:45 pm
Thank you for the quick reply! I have updated the original post with additional info and some questions.
What does a yellow icon mean in OpenVPN GUI program? It seems like I am able to contact my router, but there is a problem somewhere. I keep seeing the following lines repeated in the log.
So it looks like something is missing in my setup. Would that be the TA key?
https://openvpn.net/community-resources/how-to/#mitm
This page talks about "Man-in-the-Middle attack". I don't fully understand what it says, but I used the build-key-server command to generate my server certificate and key.
It suggests adding this line to my config file.
This goes in the client.ovpn file?
Yes.
Sat Jan 19 15:39:29 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Jan 19 15:39:29 2019 TLS Error: TLS handshake failed
This is a different problem and you will need to see your server log file to fix it.
Because you are new to OpenVPN/EasyRSA I would recommend you start using this:
https://github.com/OpenVPN/easy-rsa/releases
I would start over from scratch with your PKI.
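The check that `remote-cert-tls server` adds on the client is worth seeing concretely: besides requiring that the peer certificate chains to ca.crt, the client insists that the certificate carry the server role (the `serverAuth` extended key usage, or the legacy `nsCertType=server`), which is exactly what `build-key-server` sets and plain `build-key` does not. Without it, any client certificate signed by the same CA could impersonate the server. The following is an added example, not code from the thread or from OpenVPN/easy-rsa: it builds a throwaway CA, issues one server-profile and one client-profile certificate with openssl, and then applies the same two conditions with a small shell function. All file names, CNs and the extension profiles are constructed for the example.

```shell
# Added example (not from the forum thread): rebuild the check that
# "remote-cert-tls server" performs on the peer certificate, using openssl
# on a throwaway PKI constructed here. Paths and CNs are made up.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway CA (self-signed, CA:TRUE via openssl's default req profile).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout ca.key -out ca.crt -subj "/CN=Example-CA" >/dev/null 2>&1

# Extension profiles resembling what easy-rsa's build-key-server (server)
# and build-key (client) apply. The EKU line is the one that matters here.
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF
cat > client.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF

# issue_cert <name> <extfile>: key + CSR for CN=<name>, signed by the CA above.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}
issue_cert server server.ext
issue_cert client client.ext

# What remote-cert-tls server enforces, mirrored in shell:
#   (a) the certificate chains to our CA, and
#   (b) it carries EKU serverAuth (printed by openssl as
#       "TLS Web Server Authentication").
# Returns 0 to accept, non-zero to reject.
check_server_cert() {
  openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text \
    | grep -q 'TLS Web Server Authentication'
}

# Both certificates verify against the CA; only server.crt passes the role check.
check_server_cert server.crt && echo "server.crt: accepted as server"
check_server_cert client.crt || echo "client.crt: rejected as server (no serverAuth EKU)"
```

The same role check can be run by hand against a certificate easy-rsa produced: `openssl x509 -in server.crt -noout -text` should show `TLS Web Server Authentication` under X509v3 Extended Key Usage for a certificate made with `build-key-server`, and not for one made with `build-key`. The static TLS key recommended in the earlier reply is separate from this check; it is generated with `openvpn --genkey --secret ta.key` and referenced as `tls-auth ta.key 0` on the server and `tls-auth ta.key 1` on the client.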
Re: Questions about Easy RSA 2 on Windows
Posted: Sun Jan 20, 2019 1:20 pm
by Fractalogic
Adding "remote-cert-tls server" to the client.ovpn file resolved the warning message.
To resolve the TLS error I had to restart the router.
I have heard good things about Easy RSA 3, but while it is more powerful, it seems to be more complicated to use for a novice like myself. I plan on giving that a try at a later time. For now at least, Easy RSA 2 will do.
I do wonder though, why is Easy RSA 3 not included with OpenVPN installer for Windows? If it's that great, it would seem logical to include it.
Re: Questions about Easy RSA 2 on Windows
Posted: Sun Jan 20, 2019 2:16 pm
by TinCanTech
Because the installer is written by volunteers and nobody has got around to changing it.
Re: Questions about Easy RSA 2 on Windows
Posted: Sun Jan 20, 2019 2:33 pm
by Fractalogic
TinCanTech wrote: ↑Sun Jan 20, 2019 2:16 pm
Because the installer is written by volunteers and nobody has got around to changing it.
How might an outsider change that? Is the code available somewhere? Who maintains these packages? If the source code for Easy RSA 3 is on Github, where is the same for Easy RSA 2? I assume Easy RSA 3 is a continued development of Easy RSA 2 and not a complete rewrite.