Need help generating OpenVPN TLS certificates and keys

I have a TP-Link Archer C7 v2 router running OpenWRT and OpenVPN and I need to generate the encryption keys for OpenVPN. I am totally stumped by this.

What I understand is that there are three types of files:

  • ca, ca.crt, root certificate authority
  • cert, client.crt, client certificate
  • key, client.key, client private key

and that

  • the server and all clients will use the same ca file
  • each client and the server must have their own cert (cert) and private key (key) file.

I have managed to generate a ca file:

root@OpenWrt:/etc/openvpn# easyrsa build-ca

CA creation complete. Your new CA certificate is at:

  • /etc/easy-rsa/pki/ca.crt

But I am totally stumped with creating the certificates and key files. Hours on the Internet have not yielded anything I could use. And I understand this should be a very simple thing to do.

How can I create these files needed for the encryption?

Why not use WireGuard? It is much faster and easier to set up.

I assume you want to set up a server to connect from outside to your home?

See: https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

or my own notes: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/notes

If you really want OpenVPN, research EasyRSA3.


Thanks but I have already looked around and have no idea how to generate the files I need.

I need step by step instructions.

Why not use WireGuard?

For several reasons. One is that I did try it and could not get it to work. Another is that Linux Mint, which I use, makes it much easier to use and configure as an OpenVPN client. And another is that I already have a TP-Link Archer C7 router which has OpenVPN installed natively. With three clicks it is up and running and generates a configuration file for the client. Could not be easier.

1- Turn OpenVPN ON
2- Generate encryption keys
3- Generate configuration file for the client

Three clicks.

There must be thousands of people who have installed OpenVPN and have had to generate the necessary keys. I do not understand why this is so complicated. It should be simple and straightforward. I am beginning to understand all the people who hate Linux and the dreaded command line.

The router with OpenVPN included does all this with one click. One click. And I cannot for the life of me find a way to do it that I can manage. I get lost with different tools, different versions, long tutorials with dozens of commands... for something that can and should be done with one click. Very frustrating.

All those problems are not present if you use WireGuard; WireGuard can generate the config files for you.

But if you insist on OpenVPN see:
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Or my own notes:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1157344
They are targeted at DD-WRT, but the key generation is the same for all router software; just start with 1a.

Method 1:
Creating from a Windows environment where OpenVPN and Easy-RSA are installed; see from 5:35 in https://youtu.be/FnvP7dOmy9w?si=W7lpxrI8YODYB8l9

cd C:\Program Files\OpenVPN\easy-rsa
EasyRSA-Start
easyrsa init-pki
easyrsa build-ca nopass
easyrsa build-server-full Server_SiteA nopass
easyrsa build-client-full Client_SiteA nopass
easyrsa gen-dh

Method 2:
From an OpenWrt environment; see https://www.i-programmer.info/projects/27-networking/14745-setting-up-site-to-site-openvpn-.html (section "Creating the Cryptographic Certificates for the Server").

opkg install openvpn-easy-rsa
nano /etc/easy-rsa/vars

# in /etc/easy-rsa/vars, find the line:  #set_var EASYRSA_PKI "$PWD/pki"
# and replace it with:                    set_var EASYRSA_PKI "/etc/easy-rsa/pki"

easyrsa init-pki
easyrsa build-ca nopass
easyrsa build-server-full server nopass
easyrsa build-client-full client nopass
easyrsa gen-dh
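As an added example (not code from the thread or from Easy-RSA), the same three kinds of files the commands above produce (ca.crt, server/client .crt and .key) built with plain openssl, followed by the checks worth running on any PKI before loading it into OpenVPN: each certificate chains to the CA, carries the right extendedKeyUsage (serverAuth vs clientAuth, which is the difference between build-server-full and build-client-full and what OpenVPN's remote-cert-tls directive relies on), and matches its private key. The output directory $PKI, the CN values and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA, a server cert and a client
# cert with openssl, then verify chain, purpose (EKU) and key/cert match.
# $PKI is an assumed output directory; "server"/"client" mirror the thread.
set -eu
PKI="${PKI:-$(mktemp -d)}"

new_csr() {  # new_csr NAME: fresh RSA key and CSR for CN=NAME
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
}

# issue_cert NAME EKU: sign NAME's CSR with the CA, EKU = serverAuth|clientAuth
issue_cert() {
  new_csr "$1"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
    "$2" > "$PKI/$1.ext"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days 825 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}

# build_pki: self-signed CA (explicit CA:TRUE), then one server and one client
build_pki() {
  new_csr ca
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
  openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/ca.key" -days 3650 \
    -extfile "$PKI/ca.ext" -out "$PKI/ca.crt" 2>/dev/null
  issue_cert server serverAuth
  issue_cert client clientAuth
}

# verify_cert NAME PURPOSE: 0 only if NAME.crt chains to ca.crt, is valid for
# PURPOSE (sslserver|sslclient, the EKU check behind remote-cert-tls) and
# its public key is the one in NAME.key.
verify_cert() {
  openssl verify -CAfile "$PKI/ca.crt" -purpose "$2" "$PKI/$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$PKI/$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$PKI/$1.key" -pubout 2>/dev/null)" ]
}

# check_pki: server passes as server, client as client, and the client must
# NOT pass as a server, otherwise any client could impersonate the server.
check_pki() {
  verify_cert server sslserver || return 1
  verify_cert client sslclient || return 1
  if verify_cert client sslserver; then return 1; fi
  return 0
}

case "${1:-}" in
  build) build_pki && check_pki && echo "PKI built and verified in $PKI" ;;
esac
```

Run it as `sh mkpki.sh build`; the resulting ca.crt, server.crt/server.key and client.crt/client.key map onto the ca, cert and key options in the OpenVPN configs.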