ECDSA / EdDSA certs

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
OpenVpn Newbie
Posts: 9
Joined: Wed Aug 02, 2023 1:41 am

ECDSA / EdDSA certs

Post by thisisliam » Mon Oct 02, 2023 2:29 am

Hi all

Soon to be setting up a TAP server/bridge between two OpenWRT routers. Everything is happening at router level. Both are on most recent firmware.

Was advised to set this connection up with ECDSA or EdDSA and TLS 1.3, making use of ChaCha20 encryption instead of AES on both server and client side.

I'm having trouble generating either of these certificate types - has anyone successfully gotten these to work? Both routers need the applicable ca, cert, key (+ dh for server setup). I've found very little on Google.

Off topic here, but any advice on enabling TLS 1.3? Is it just a matter of adding a line to the etc/config/openvpn config file saying "tls-version-min '1.3'"?

OpenVPN version: 2.6.6
OWRT/router Kernel version: 6.7
OpenSSL version: 3.0.11

Current OWRT client config (server setup pending):

Code: Select all

config openvpn 'VPN_Tap_Client'
        option auth_nocache '1'
        option cipher 'CHACHA20-POLY1305'
        option client '1'
        option comp_lzo 'no'
        option connect_retry '5 60'
        option dev 'tap_vpn'
        option float '1'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option port '7500'
        option proto 'udp'
        option remote_cert_tls 'server'
        option reneg_sec '0'
        option verb '5'
        option enabled '1'
        list remote '[redacted]'
        option ca '/etc/openvpn/ca.key'
        option cert '/etc/openvpn/myclient-eddsa.crt'
        option key '/etc/openvpn/myclient-eddsa.key'

Post Reply