Create certificates with Easy-RSA on OpenWRT
This post describes how to create certificates with Easy-RSA on OpenWRT. I use these for my OpenVPN server and clients. This won’t be a detailed tutorial; you need to know how to use SSH and how to properly configure OpenWRT and OpenVPN. At the time of writing, I’m on OpenWrt 18.06.5 with openvpn-easy-rsa version 3.0.4-1.
Edit vars
cd into /etc/easy-rsa and open vars. Edit all the required variables, then point KEY_CONFIG at the right OpenSSL config file (the detected one is replaced by an explicit path):

```sh
# export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
export KEY_CONFIG="$EASY_RSA/openssl-1.0.0.cnf"
```
Create server certificates
```sh
root@WRT1900AC:/etc/easy-rsa# easyrsa clean-all
root@WRT1900AC:/etc/easy-rsa# easyrsa build-ca
root@WRT1900AC:/etc/easy-rsa# easyrsa build-server-full server nopass
root@WRT1900AC:/etc/easy-rsa# easyrsa gen-dh
```
Use the nopass parameter for build-server-full: a passphrase-protected server key would have to be typed in at every start, so OpenVPN wouldn’t be able to start unattended in the background.
Create client certificates
```sh
root@WRT1900AC:/etc/easy-rsa# easyrsa build-client-full client1
root@WRT1900AC:/etc/easy-rsa# easyrsa export-p12 client1
```
Do this for every client. Creating a PKCS#12 file is optional; I use it in the OpenVPN for Android app.
Distribute files
Filename | Needed by | Purpose | Secret |
---|---|---|---|
ca.crt | server + all clients | Root CA certificate | NO |
ca.key | key signing machine only | Root CA key | YES |
dh{n}.pem | server only | Diffie Hellman parameters | NO |
server.crt | server only | Server Certificate | NO |
server.key | server only | Server Key | YES |
client1.crt | client1 only | Client1 Certificate | NO |
client1.key | client1 only | Client1 Key | YES |
Create an ovpn file
Create an empty text file, add the section below and save it with an .ovpn extension. It can then be imported into, for example, OpenVPN GUI for Windows.

```
client
dev tun
proto udp #only if you use udp protocol
remote serveraddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client1.p12 #this is the p12 client certificate in the same folder
#auth-user-pass #uncomment this row if you want to use two factor authentication
verb 3
comp-lzo
# ns-cert-type is deprecated since OpenVPN 2.4 and removed in 2.5; newer clients use "remote-cert-tls server"
ns-cert-type server
```
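As an added example (not part of the original post), a small checker that parses a client profile like the one above and flags the settings a reviewer would question before handing it out: the deprecated ns-cert-type directive, compression, and a missing second authentication factor. The profile text it parses is a constructed copy of the one above.

```python
"""Lint an OpenVPN client profile (.ovpn) for deprecated or risky directives.
Added example, not from the original post. Facts used: ns-cert-type was
deprecated in OpenVPN 2.4 and removed in 2.5 (replaced by remote-cert-tls),
and OpenVPN 2.5+ warns that compression is not recommended."""
import re

# Constructed copy of the profile shown in the post.
SAMPLE_PROFILE = """\
client
dev tun
proto udp #only if you use udp protocol
remote serveraddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
pkcs12 client1.p12 #this is the p12 client certificate in the same folder
#auth-user-pass #uncomment this row if you want to use two factor authentication
verb 3
comp-lzo
ns-cert-type server
"""

def parse_profile(text):
    """Return {directive: [args]}, dropping blank lines and '#'/';' comments."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def lint_profile(text):
    """Return a list of human-readable findings for the profile."""
    d = parse_profile(text)
    findings = []
    if "ns-cert-type" in d:
        findings.append("ns-cert-type is deprecated (2.4) and removed in 2.5; use 'remote-cert-tls server'")
    elif "remote-cert-tls" not in d:
        findings.append("no server certificate role check: add 'remote-cert-tls server'")
    if "comp-lzo" in d or "compress" in d:
        findings.append("compression enabled (comp-lzo/compress); disable it unless the server requires it")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass not set: the client certificate is the only authentication factor")
    if not ("pkcs12" in d or ("cert" in d and "key" in d)):
        findings.append("no client credential (pkcs12 or cert+key) configured")
    return findings
```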