Help with OpenVPN Server: How to generate client entries for the Index File?

Hi,
So I'm trying to set up an OpenVPN server in OpenWRT, and so far I'm just stuck creating the required certificates. I have all CAs and everything ready, but I'm unable to create the Client entries in the "Index File" as described in: https://oldwiki.archive.openwrt.org/doc/howto/openvpn-streamlined-server-setup#index_file

How do I generate the required entries? Where is the DN? The certificate to be used with the command "openssl x509 -in certificate.crt -text -noout", is it the OpenWrt-CA.crt.pem file found in the /ca folder? What is the index file doing? Is it for the Server Certificates or the Client ones?

Also many commands seem to be missing the .pem extensions, why?

Also in the Server Certificate part, while running the command for the step "Export to PKCS12", the command fails as the "ca/OpenWrt-OpenVPN_CA-Chain.crt.pem" file doesn't exist, as it has never been created, but there is a similar file "ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem" (note the change from CA to ICA), but from what I understood the CA and the ICA are something different. So where did I go wrong? Or is something missing in the tutorial?

Am I approaching this wrong? Any help or advice is highly appreciated.

https://openwrt.org/docs/guide-user/services/vpn/openvpn/start

1 Like

OpenVPN doesn't strictly need:

  • certificates at all (of course, such a deployment would be a security risk)
  • PKCS12 files. You only need .pem and .key files.
  • index files. These are an artifact of the certificate generation process.
  • certificate revocation lists. In a small system a certificate is unlikely to be compromised; if it is you can shut down the server and install entirely new certificates.
  • to generate certificates on the router. Much easier on a regular PC.

Creating a client or server certificate is a two-step process. First you make a certificate signing request, then sign it using the CA certificate's private key. There is no difference between a client and server certificate other than where they are installed.

The server and all the clients need a copy of the public part of the CA certificate. The server needs the server certificate and its key. Each client has their certificate and key. The CA private key should not be deployed anywhere. It is only used to sign new certificates.

1 Like
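The two-step flow described in the answer above, as an added example that is not part of the thread or of the OpenWrt wiki: it signs the CSR with `openssl x509 -req` instead of `openssl ca`, so no index.txt database exists at all, and the DN is simply whatever is passed in `-subj`. The file names, the work directory and the CN values are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): minimal CA + two-step issuance with
# openssl in a scratch directory. "openssl x509 -req -CA" keeps no index
# file; that database only appears when you issue with "openssl ca".
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch location for the demo

# One-off: self-signed CA. Its private key never leaves the signing machine.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example-OpenVPN-CA" \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.crt.pem" 2>/dev/null
}

# Step 1: the server or client generates its own key and a CSR.
# The DN of the final certificate is exactly this -subj value.
make_csr() {   # $1 = name used for the CN and the file names
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.csr.pem" 2>/dev/null
}

# Step 2: the CA signs the CSR. The CA key is the only secret involved.
sign_csr() {   # $1 = name
  openssl x509 -req -days 365 -in "$WORK/$1.csr.pem" \
    -CA "$WORK/ca.crt.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -out "$WORK/$1.crt.pem" 2>/dev/null
}

# Check that the issued certificate chains to the CA (what OpenVPN will do
# with the ca/cert/key files; only ca.crt.pem is ever copied to peers).
verify_cert() {   # $1 = name; returns non-zero if the chain is broken
  openssl verify -CAfile "$WORK/ca.crt.pem" "$WORK/$1.crt.pem" >/dev/null 2>&1
}

# Print the subject DN of an issued certificate.
subject_dn() {   # $1 = name
  openssl x509 -in "$WORK/$1.crt.pem" -noout -subject
}

# Issue one certificate: CSR, sign, verify. Identical for server and client.
issue() { make_csr "$1" && sign_csr "$1" && verify_cert "$1"; }
```

Run `make_ca` once, then `issue server` and `issue client1`; the resulting `ca.crt.pem`, `<name>.crt.pem` and `<name>.key.pem` are the only files OpenVPN needs.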