Configure OpenVPN with passphrase

I'm following this guide and I set a passphrase instead of the nopass option.

Everything was OK, but I don't know how to configure this password in that config file:

# VPN_DIR, VPN_PKI, VPN_PORT, VPN_PROTO, VPN_POOL, VPN_DNS, VPN_DN and
# VPN_SERV are set in the guide's earlier steps.
# The generated files embed private keys: make them readable by the owner only.
umask go=
VPN_DH="$(cat ${VPN_PKI}/dh.pem)"
VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)"
# One profile per issued certificate; the sed strips the file extension.
ls ${VPN_PKI}/issued \
| sed -e "s/\.\w*$//" \
| while read -r VPN_ID
do
# tls-crypt-v2 key, private key and certificate belonging to this identity
VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)"
VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)"
VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)"
# The certificate purpose (extended key usage) tells server and client apart.
VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)"
case ${VPN_EKU} in
(*"SSL server : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.conf"
# The ';;' closes the case branch; the here-document body still follows
# on the next lines up to EOF, so this is valid shell.
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
port ${VPN_PORT}
proto ${VPN_PROTO}
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${VPN_DH}
</dh>
EOF
(*"SSL client : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
esac
# Both profile types get the keys and certificates inline.
cat << EOF >> ${VPN_CONF}
<tls-crypt-v2>
${VPN_TC}
</tls-crypt-v2>
<key>
${VPN_KEY}
</key>
<cert>
${VPN_CERT}
</cert>
<ca>
${VPN_CA}
</ca>
EOF
done
# Restart the service and list the client profiles to hand out.
/etc/init.d/openvpn restart
ls ${VPN_DIR}/*.ovpn

Can someone provide some insight here?

https://medium.com/@tzuhaochung/setup-openvpn-server-with-openwrt-1f6bfcaf64f9

Try following the information in the OpenWrt wiki... I have no idea if the information in that Medium article is correct.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/extras#commercial_provider

If you need to configure an OpenVPN server, please follow this guide:

[OpenWrt Wiki] OpenVPN server

It works perfectly and I'm using it here on my router...

Thanks for the fast replies! However, I need to know how to set the configuration to use a password when generating credentials and keys.

Leaving this access without additional security isn't acceptable for my setup:

# Create a new CA
easyrsa build-ca nopass

Instead I used a passphrase, and that's OK until the final configuration that I posted in the first post.

Does anybody know how to add the passphrase to that?

Reference from the OpenWrt guide

Well, you can compare them and see they are the same, but the Medium article is more polished and probably more up to date.

I can remember there were problems with using the passphrase for the CA private key in earlier EasyRSA builds, but I assume it should be working in the latest.
But why not just keep your ca.key in a secure place?


Nice, thanks! I just think the most secure place is encrypting it.

Do you know if I need to change something in the config (last step) in order to use the certificate with a passphrase?

I never used it with a passphrase; I just kept my ca.key in secure storage. But be sure to use the latest EasyRSA.


I'm using the latest version, thanks! Do you know where I can find more information to complete my configuration with a passphrase?

I suspect the code doesn't account for the fact that I encrypted the files:

# VPN_DIR, VPN_PKI, VPN_PORT, VPN_PROTO, VPN_POOL, VPN_DNS, VPN_DN and
# VPN_SERV are set in the guide's earlier steps.
# The generated files embed private keys: make them readable by the owner only.
umask go=
VPN_DH="$(cat ${VPN_PKI}/dh.pem)"
VPN_CA="$(openssl x509 -in ${VPN_PKI}/ca.crt)"
# One profile per issued certificate; the sed strips the file extension.
ls ${VPN_PKI}/issued \
| sed -e "s/\.\w*$//" \
| while read -r VPN_ID
do
# tls-crypt-v2 key, private key and certificate belonging to this identity
VPN_TC="$(cat ${VPN_PKI}/private/${VPN_ID}.pem)"
VPN_KEY="$(cat ${VPN_PKI}/private/${VPN_ID}.key)"
VPN_CERT="$(openssl x509 -in ${VPN_PKI}/issued/${VPN_ID}.crt)"
# The certificate purpose (extended key usage) tells server and client apart.
VPN_EKU="$(echo "${VPN_CERT}" | openssl x509 -noout -purpose)"
case ${VPN_EKU} in
(*"SSL server : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.conf"
# The ';;' closes the case branch; the here-document body still follows
# on the next lines up to EOF, so this is valid shell.
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
port ${VPN_PORT}
proto ${VPN_PROTO}
server ${VPN_POOL}
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS ${VPN_DNS}"
push "dhcp-option DOMAIN ${VPN_DN}"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
${VPN_DH}
</dh>
EOF
(*"SSL client : Yes"*)
VPN_CONF="${VPN_DIR}/${VPN_ID}.ovpn"
cat << EOF > ${VPN_CONF} ;;
user nobody
group nogroup
dev tun
nobind
client
remote ${VPN_SERV} ${VPN_PORT} ${VPN_PROTO}
auth-nocache
remote-cert-tls server
EOF
esac
# Both profile types get the keys and certificates inline.
cat << EOF >> ${VPN_CONF}
<tls-crypt-v2>
${VPN_TC}
</tls-crypt-v2>
<key>
${VPN_KEY}
</key>
<cert>
${VPN_CERT}
</cert>
<ca>
${VPN_CA}
</ca>
EOF
done
# Restart the service and list the client profiles to hand out.
/etc/init.d/openvpn restart
ls ${VPN_DIR}/*.ovpn
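Editor's note on where the passphrase fits, with an added example that is not part of the thread or of the OpenWrt guide. The generation script above only ever reads ca.crt, never ca.key, so a passphrase on the CA key is something EasyRSA prompts for when it signs requests and changes nothing in that step. What does matter is whether the server and client keys under private/ were created without nopass: an encrypted key can still be embedded in the <key> block, but a server started from the init script has no terminal to answer a prompt and needs OpenVPN's askpass directive pointing at a root-only file, while a client is simply asked for the passphrase when it connects. The POSIX sh below (the shell used on OpenWrt) tells encrypted keys apart by their PEM header and wires askpass into the server profile. The ${VPN_DIR}/<id>.pass path, the explicit server/client role argument (the guide derives the role from the certificate purpose instead) and the placeholder key files are all constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the OpenWrt wiki.
# Decides, per EasyRSA identity, whether its private key is passphrase-
# protected and what the generated OpenVPN profile then needs.
# Assumption (not from the guide): the passphrase of an encrypted server
# key lives in a root-only file <vpn_dir>/<id>.pass that the admin fills in.

# True when the PEM file holds an encrypted private key. EasyRSA 3 writes a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block when a passphrase is given; legacy
# traditional-PEM keys instead carry a "Proc-Type: 4,ENCRYPTED" header.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print what the profile for this key needs. $1 is the key file, $2 the role
# (server or client), which the guide's script gets from 'openssl x509 -purpose'.
#   plain   - unencrypted key, nothing extra
#   askpass - encrypted server key: the daemon is started from init with no
#             tty, so it must read the passphrase from a file via 'askpass <file>'
#   prompt  - encrypted client key: the client asks for the passphrase when it
#             connects (or can use its own askpass file)
key_policy() {
    if ! key_is_encrypted "$1"; then
        echo plain
    elif [ "$2" = server ]; then
        echo askpass
    else
        echo prompt
    fi
}

# Add 'askpass <file>' to a server profile and create the (empty) passphrase
# file with owner-only permissions. The passphrase itself is written by the
# administrator afterwards, never by this script, so it stays out of the
# profile and out of shell history.
add_askpass() {
    conf="$1"; passfile="$2"
    if [ ! -e "$passfile" ]; then
        ( umask 077; : > "$passfile" )
    fi
    chmod 600 "$passfile"
    printf 'askpass %s\n' "$passfile" >> "$conf"
}

# Apply the policy to one identity: prints the policy and, for an encrypted
# server key, wires askpass into <vpn_dir>/<id>.conf.
handle_key() {
    keyfile="$1"; role="$2"; vpn_dir="$3"
    id="${keyfile##*/}"; id="${id%.key}"
    policy="$(key_policy "$keyfile" "$role")"
    if [ "$policy" = askpass ]; then
        add_askpass "$vpn_dir/$id.conf" "$vpn_dir/$id.pass"
    fi
    echo "$policy"
}

# Demo on constructed placeholder files (not real keys; only the PEM headers
# are inspected). Prints the decision for each identity and the askpass line.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/pki/private"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'placeholder' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/pki/private/server.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' \
        '-----END PRIVATE KEY-----' > "$tmp/pki/private/client.key"
    : > "$tmp/server.conf"
    echo "server: $(handle_key "$tmp/pki/private/server.key" server "$tmp")"
    echo "client: $(handle_key "$tmp/pki/private/client.key" client "$tmp")"
    tail -n 1 "$tmp/server.conf"
    rm -rf "$tmp"
}

demo
```

askpass only supplies the private-key passphrase and is read before OpenVPN drops to nobody/nogroup, so the file can stay root-only. Keep the threat model honest, though: a passphrase file sitting on the same flash as the key protects against little more than casual copying of the profile, which is why the reply above suggests keeping ca.key off the router altogether.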

Sorry, I cannot help you with that, but a word of warning about the use of tls-crypt-v2: most clients do not support it yet. When in doubt, just use tls-crypt (v1).