OpenVPN no access to LAN

Ok, I see. So in my case I don't have to modify the servers section. Since I have several clients, I will only edit the Clients section. For example, as follows:

  # Clients #
    [ JohnNotebook ]
    email.1             = john@email.com
    DNS.1               = VPN-JohnNotebook-Hostname

    [ SarahTablet ]
    email.1             = sarah@email.com
    DNS.1               = VPN-SarahTablet-Hostname

Since I don't understand what an ICA is, I think I only need a CA? So I don't have to pay attention to the "ICA" part of the wiki?

Sorry for my stupid questions. I hope I'll understand soon, and you will have your peace again from beginners like me...

You almost got it right =]

  • SAN profiles must always be lower case, can only use _ [an underscore] as a word separator (i.e. [ alt_john_tablet ]), and must start with alt_
    • [ alt_johnnotebook ]
    • [ alt_sarahtablet ]

I think it mentions it in the wiki, but since I can't remember, each SAN profile must also have a corresponding V3 profile (V3 profiles, for all, start at Line 260)

  • V3 profile name must mirror the SAN profile name, must be lower case, and must start with v3_

    • [ v3_johnnotebook ]
    • [ v3_sarahtablet ]
  • Under the V3 profile, the SAN profile name must be reflected under subjectAltName in the format of:

    • subjectAltName = @alt_johnnotebook
    • subjectAltName = @alt_sarahtablet

All you need to do for additional clients is copy a client V3 section, paste it below itself with a blank line separating the two, and edit the V3 section name and subjectAltName.

  • Do not modify any other V3 profile sections unless you fully understand what you're modifying
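
As an added example (not from the thread or the wiki's openssl.cnf), a small Python checker that applies the naming and pairing rules above to a config file: every alt_ / v3_ name lower case with _ as separator, every @alt_ reference resolving, every SAN profile consumed by exactly one V3 profile, and a v3_name pointing at its mirrored alt_name. The parser, rule wording and the embedded sample are my own constructions.

```python
import re

# Constructed sample in the layout of the thread's openssl.cnf (not the real file).
# The Sarah section deliberately breaks the rules: capitals in the SAN profile name,
# so the v3_sarahtablet subjectAltName reference no longer resolves.
SAMPLE_CNF = """\
  # Clients #
    [ alt_johnnotebook ]
    email.1             = john@email.com
    DNS.1               = VPN-JohnNotebook-Hostname

    [ alt_SarahTablet ]
    email.1             = sarah@email.com
    DNS.1               = VPN-SarahTablet-Hostname

  # Clients #
    [ v3_johnnotebook ]
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_johnnotebook

    [ v3_sarahtablet ]
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_sarahtablet
"""

SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")
KEYVAL_RE = re.compile(r"^\s*([^=#\s]+)\s*=\s*(.*?)\s*$")
# Rule from the reply: lower case, '_' as the only separator.
PROFILE_NAME_RE = re.compile(r"^[a-z0-9_]+$")
# Anything that starts like a SAN or V3 profile, whatever its case or separator.
LOOKS_LIKE_PROFILE = re.compile(r"^(alt|v3)[\W_]", re.IGNORECASE)


def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}.

    '#' comments and blank lines are dropped (values containing '#' are not
    expected in this file); keys before the first header go under 'default',
    which is also what OpenSSL calls the initial section."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def check_profiles(sections):
    """Return a list of rule violations; an empty list means the profiles are consistent."""
    problems = []
    alt_names = [s for s in sections
                 if LOOKS_LIKE_PROFILE.match(s) and s.lower().startswith("alt")]
    v3_names = [s for s in sections
                if LOOKS_LIKE_PROFILE.match(s) and s.lower().startswith("v3")]

    # Rule 1: profile names are lower case and use only '_' as separator.
    for name in alt_names + v3_names:
        if not PROFILE_NAME_RE.match(name):
            problems.append(f"[ {name} ]: must be lower case and use only '_' as separator")

    # Rule 2: every '@alt_...' reference in a V3 profile must resolve to a section.
    # V3 profiles without a subjectAltName (e.g. v3_req) are generic and skipped.
    referenced = {}
    for v3 in v3_names:
        san = sections[v3].get("subjectAltName")
        if san is None or not san.startswith("@"):
            continue
        ref = san[1:]
        if ref not in sections:
            problems.append(f"[ {v3} ]: subjectAltName refers to missing section [ {ref} ]")
        referenced.setdefault(ref, []).append(v3)

    # Rule 3: each SAN profile is consumed by exactly one V3 profile.
    for alt in alt_names:
        users = referenced.get(alt, [])
        if len(users) != 1:
            problems.append(f"[ {alt} ]: expected one v3_ profile to reference it, found {users}")

    # Rule 4: a V3 profile whose name mirrors an existing SAN profile must point at it.
    for v3 in v3_names:
        mirror = "alt_" + v3[3:]
        san = sections[v3].get("subjectAltName", "")
        if mirror in sections and san != "@" + mirror:
            problems.append(f"[ {v3} ]: mirrors [ {mirror} ] but subjectAltName is {san!r}")
    return problems


if __name__ == "__main__":
    for problem in check_profiles(parse_cnf(SAMPLE_CNF)) or ["no problems found"]:
        print(problem)
```

Run it against your full openssl.cnf by reading the file into a string and passing it through parse_cnf and check_profiles; an empty list means the SAN and V3 sections line up as the reply describes.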

I have now edited the openssl.cnf file. I have made changes in the following sections:

  • Establish SubjectAltName (SAN) Profiles --> Certificate Authorities

  • Establish SubjectAltName (SAN) Profiles --> Certificate Authority Clients

  • Establish SubjectAltName (SAN) Profiles --> Intermediate Certificate Authority Clients

  • Establish Certificate Authority V3 Profiles --> Certificate Authority Clients

  • Establish Certificate Authority V3 Profiles --> Intermediate Certificate Authority Clients

Can you look at the file, please?

#

            ##::[[---  Windows OpenSSL Config  ---]]::##

#####################################################################
                       ##----- Notes -----##
#####################################################################

  # All commands required can be found beginning on line 430


  # BSD/Linux/Mac users:

    # Replace all single/double backslashes with forward slashes. You may also wish to utilize lowercase only,
    # and if utilizing spaces in names, ensure utilization of proper break format, i.e. './Sophos\ UTM\ CA.crt'

    # Ensure EOLs are LF, not CRLF
      # Windows uses CRLF, UNIX utilizes LF


  # Sophos users:

    # If not using SANs, prior to generating user certs, ensure 'x509_extensions = usr_cert_not_dn'
      # This results with 'RFC822 Name = user@email.com' in the SubjectAlternativeName of the certificate.
        # Without this, it will be impossible to authenticate to VPNs on Sophos.

    # Intermediate CAs & Intermediate CA client certs CANNOT be utilized on Sophos UTM due to how Sophos authenticates.
      # Only exception is the WebAdmin certificate, which can be signed by a Public ICA authority for a FQDN.
        # For chain of trust to be maintained, CA & ICA must be installed on devices accessing the WebAdmin/User Portal.


#####################################################################
             ##----- Establish Build Variables -----##
#####################################################################

dir                             = .
cnf                             = /etc/ssl/openssl.cnf
CNF                             = $dir\\openssl.cnf


#####################################################################
           ##----- Establish CA Profile and Policy -----##
#####################################################################

[ default ]
UTM                             = "Sophos UTM CA"
WRT                             = "Router 2 ICA"
VPN                             = "Router 2 VPN ICA"

[ ca ]
default_ca                      = CA_default


#####################################################################

[ CA_default ]
certs                           = $dir\\cert
new_certs_dir                   = $dir

database                        = $dir\\index
RANDFILE                        = $dir\\rand
serial                          = $dir\\serial

crldir                          = $dir\\crl
crlnumber                       = $crldir\\crlnumber
crl                             = $crldir\\ca.crl.pem
default_crl_days                = 3650

certificate                     = "$dir\\ca\\$UTM.crt.pem"
private_key                     = "$dir\\ca\\$UTM.key.pem"

default_days                    = 3650
preserve                        = no
default_md                      = sha512

x509_extensions                 = usr_cert_not_dn
copy_extensions                 = copy
unique_subject                  = yes

policy                          = policy_match
name_opt                        = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt                        = ca_default


#####################################################################

[ policy_match ]
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = match
commonName                      = supplied
emailAddress                    = optional

[ policy_supply ]
countryName                     = match
stateOrProvinceName             = match
organizationName                = match
organizationalUnitName          = match
commonName                      = optional
emailAddress                    = optional


#####################################################################
            ##----- Establish Certificate Options -----##
#--------------------------------------------------------------------

    # If you plan on using TLS ECDHE or ECDH, the bits and hash must exceed the value you wish to have.

      # For example, if one wants 2048bit encryption with a SHA256 hash, encryption value must be
      # greater than 2048 (3072 or 4096) with a hash greater than SHA256 (SHA384 or SHA512).
        # x64 machines can almost always process SHA512 faster than SHA256.

    # If you're not planning on using TLS ECDHE or ECDH, a key larger than 2048bit isn't necessary.

    # Encrypt key is not currently commented out; however, as one does not want a server's key to have
    # an encrypted password, when creating the key for the server, add -nodes to the Request command.


[ req ]
default_bits                    = 2048
default_keyfile                 = private.key.pem

preserve                        = no
default_md                      = sha512

string_mask                     = utf8only
utf8                            = yes
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
req_extensions                  = v3_req
x509_extensions                 = v3_ca
copy_extensions                 = copy
encrypt_key                     = yes

[ req_attributes ]
challengePassword               =
challengePassword_min           = 12
challengePassword_max           = 40


#####################################################################

[ req_distinguished_name ]

countryName                     = xx
countryName_max                 = 2
stateOrProvinceName             = State
localityName                    = Locality
0.organizationName              = Organization
organizationalUnitName          = Organizational Unit
commonName                      = Common Name
commonName_max                  = 64
emailAddress                    = Email
emailAddress_max                = 64

countryName_default             = US
stateOrProvinceName_default     = State
localityName_default            = Locality
0.organizationName_default      = Sophos UTM
organizationalUnitName_default  = LAN


#####################################################################
      ##----- Establish SubjectAltName (SAN) Profiles -----##
#####################################################################

  # All server certs with WebUIs should have their loopback IP specified in their SAN profile
    # This prevents certificate errors if connecting to the device, router, or server via an SSH tunnel
      # Certain OS CA certs must have the loopback IP specified in SAN profile (i.e. Sophos UTM's CA)

  # Provided one utilizes the SAN profile, Common Names can be whatever one wishes (i.e. not the DNS or IP)
    # SANs can be: email (an email address), URI (a uniform resource indicator), DNS (a DNS domain name),
    # RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name), and otherName.


#--------------------------------------------------------------------
               ##----- Certificate Authorities -----##
#--------------------------------------------------------------------

# Main #
  [ alt_ca_main ]
  DNS.1                 = BellevueCA
  IP.1                  = 127.0.0.1

# Router 2 #
  [ alt_ica_router2 ]
  DNS.1                 = Router.2
  IP.1                  = 127.0.0.1

# Code Signing #
  [ alt_signing_ica ]
  DNS.1                 = Code-Signing

#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ alt_sophos ]
    IP.1                = 192.168.2.1
    IP.2                = 127.0.0.1
    DNS.1               = UTM.LEDE
    DNS.2               = your.ddns.com

    [ alt_freenas ]
    IP.1                = 192.168.2.13
    IP.2                = 192.168.2.130
    IP.3                = 127.0.0.1
    DNS.1               = Free.LEDE
    DNS.2               = your-fqdn.com

    [ alt_vpn_server1 ]
    IP.1                = 10.0.0.1
    DNS.1               = your.ddns.com

  # Clients #
    [ alt_xps13 ]
    email.1             = xxxx@mailbox.org
    DNS.1               = VPN-xps13-Hostname

    [ alt_remoop5 ]
    email.1             = xxxx@mailbox.org
    DNS.1               = VPN-remoop5-Hostname

    [ alt_matti ]
    email.1             = xxxx@mailbox.org
    DNS.1               = VPN-matti-Hostname

    [ alt_hanna ]
    email.1             = xxxx@mailbox.org
    DNS.1               = VPN-hanna-Hostname


#--------------------------------------------------------------------
     ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ alt_lede ]
    IP.1                = 192.168.2.2
    IP.2                = 127.0.0.1
    DNS.1               = LAN.LEDE

    [ alt_vpn_server2 ]
    IP.1                = 192.168.0.1
    DNS.1               = xxxx.duckdns.org

  # Clients #
    [ alt_vpn2_xps13 ]
    DNS.1               = VPN-xps13-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_vpn2_remoop5 ]
    DNS.1               = VPN-remoop5-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_vpn2_matti ]
    DNS.1               = VPN-matti-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_vpn2_hanna ]
    DNS.1               = VPN-hanna-Hostname
    email.1             = xxxx@mailbox.org


# Code Signing #

  # Cert1 #
    [ alt_codesign ]
    email.1             = user@email.com


#####################################################################
     ##----- Establish Certificate Authority V3 Profiles -----##
#--------------------------------------------------------------------

  # These V3 CA profiles must not be modified to contain any more, or any less, KUs

  # These have been configured specifically for security & it's imperative no other keyUsages are set
    # For an ICA to be capable of signing additional CAs/ICAs, pathlen number must mirror number of CAs/ICAs
    # it can sign.  By default, all ICAs are set to 0, meaning they can sign certs, but not other CAs/ICAs.


[ v3_ca ]
basicConstraints            = critical, CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ca_main
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_ica_router2 ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ica_router2
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_signing_ica ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName              = @alt_signing_ica

[ crl_ext ]
issuerAltName               = issuer:copy
authorityKeyIdentifier      = keyid:always, issuer:always


#####################################################################
    ##----- Establish Generalized V3 Certificate Profiles -----##
#--------------------------------------------------------------------

[ v3_req ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash

[ usr_cert_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection

[ usr_cert_not_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = email:copy
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection


#####################################################################
      ##----- Establish Client Certificate V3 Profiles -----##
#--------------------------------------------------------------------

  # These V3 profiles should not be modified to contain less than what they are currently configured with.
    # These have been specifically configured with security in mind.

  # All servers capable of TLS should contain all keyUsages, except for dataEncipherment
    # VPN and file servers should not have less than digitalSignature, keyEncipherment, keyAgreement

  # All servers must contain EKU serverAuth
    # All server [VPN] clients must contain EKU clientAuth


#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ v3_sophos ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_sophos

    [ v3_freenas ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_freenas

    [ v3_vpn_server1 ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_vpn_server1

  # Clients #
    [ v3_xps13 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_xps13

    [ v3_remoop5 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_remoop5

    [ v3_matti ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_matti

    [ v3_hanna ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_hanna


#--------------------------------------------------------------------
      ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ v3_lede ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_lede

    [ v3_vpn_server2 ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_vpn_server2

  # Clients #
    [ v3_vpn2_xps13 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_xps13

    [ v3_vpn2_remoop5 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_remoop5

    [ v3_vpn2_matti ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_matti

    [ v3_vpn2_hanna ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_vpn2_hanna


# Code Signing #

  # Certificates #
    [ v3_codesign ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature
    extendedKeyUsage            = critical, codeSigning, msCodeInd, msCodeCom, msCTLSign, timeStamping
    subjectAltName              = @alt_codesign

Are you going to be setting up two VPNs, issuing one VPN's certs from the CA and the second VPN's certs from the ICA? If so, the config you posted will work, however I would caution against issuing the VPN certs with the CA, as I would recommend creating a second ICA for the second VPN's certs.

  • The reason I recommend creating a self signed CA, and using that CA solely to sign ICAs, especially with VPN certs, is:
    • Chain of Trust: You currently have at least two servers which need certs (uhttpd for LuCI WebAdmin and OpenVPN), and each server should have its own ICA.

      • Self generated CAs will always be self signed, whereas an ICA will always be digitally signed by the CA, further strengthening the Chain of Trust.
      • The only situation in which I recommend using a CA to issue certs, rather than an ICA, is if using Sophos UTM as a router OS, as due to the way in which Sophos authenticates its clients, an ICA cannot be utilized (only exception is for the WebAdmin if accessible via an FQDN or WAN IP).
    • If a VPN cert (server or clients) is ever compromised, you can simply create a new ICA and issue new certs, but if you utilize a CA, which also creates certs for other servers/uses besides the VPN, you then have to generate a new CA and new certs for everything.


  • Change what's after = to what you want your Country, State, City, Organization, and Organization Unit names to be.
    • These can be anything you want and do not have to reflect actual places, however Country and State are limited to two letters only
countryName_default             = US
stateOrProvinceName_default     = State
localityName_default            = Locality
0.organizationName_default      = Sophos UTM
organizationalUnitName_default  = LAN

If you're not creating two VPNs, I've modified your config.

  • Change DNS.1 = LAN.LEDE to the local hostname.domain of your router (below is what mine is, so edit accordingly)
    • Hostname: /etc/config/system
      • option hostname 'LEDE'
    • Domain: /etc/config/dhcp
      • option domain 'WRT'

#--------------------------------------------------------------------
               ##----- Certificate Authorities -----##
#--------------------------------------------------------------------

# Main #
  [ alt_ca_main ]
  DNS.1                 = BellevueCA
  IP.1                  = 127.0.0.1

# Router 2 #
  [ alt_ica_router2 ]
  DNS.1                 = BellevueVPNICA
  IP.1                  = 127.0.0.1

# Code Signing #
  [ alt_signing_ica ]
  DNS.1                 = Code-Signing

#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ alt_sophos ]
    IP.1                = 192.168.2.1
    IP.2                = 127.0.0.1
    DNS.1               = UTM.LEDE
    DNS.2               = your.ddns.com
    DNS.3               = your-fqdn.com

  # Clients #
    [ alt_client ]
    email.1             = client@mail.com
    DNS.1               = local.domain


#--------------------------------------------------------------------
     ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ alt_lede ]
    IP.1                = 192.168.0.1
    IP.2                = 127.0.0.1
    DNS.1               = LAN.LEDE

    [ alt_vpn_server ]
    IP.1                = 10.0.0.1
    DNS.1               = xxxx.duckdns.org

  # Clients #
    [ alt_xps13 ]
    DNS.1               = VPN-xps13-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_remoop5 ]
    DNS.1               = VPN-remoop5-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_matti ]
    DNS.1               = VPN-matti-Hostname
    email.1             = xxxx@mailbox.org

    [ alt_hanna ]
    DNS.1               = VPN-hanna-Hostname
    email.1             = xxxx@mailbox.org


# Code Signing #

  # Cert1 #
    [ alt_codesign ]
    email.1             = user@email.com


#####################################################################
     ##----- Establish Certificate Authority V3 Profiles -----##
#--------------------------------------------------------------------

[ v3_ca ]
basicConstraints            = critical, CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ca_main
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_ica_router2 ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = @alt_ica_router2
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign

[ v3_signing_ica ]
basicConstraints            = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, cRLSign, digitalSignature, keyCertSign
subjectAltName              = @alt_signing_ica

[ crl_ext ]
issuerAltName               = issuer:copy
authorityKeyIdentifier      = keyid:always, issuer:always


#####################################################################
    ##----- Establish Generalized V3 Certificate Profiles -----##
#--------------------------------------------------------------------

[ v3_req ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash

[ usr_cert_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection

[ usr_cert_not_dn ]
basicConstraints            = critical, CA:FALSE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always, issuer:always
subjectAltName              = email:copy
keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage            = critical, clientAuth, emailProtection


#####################################################################
      ##----- Establish Client Certificate V3 Profiles -----##
#--------------------------------------------------------------------

#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ v3_sophos ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_sophos

  # Clients #
    [ v3_client ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_client


#--------------------------------------------------------------------
      ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ v3_lede ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_lede

    [ v3_vpn_server ]
    basicConstraints            = critical, CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
    extendedKeyUsage            = critical, serverAuth
    subjectAltName              = @alt_vpn_server

  # Clients #
    [ v3_xps13 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_xps13

    [ v3_remoop5 ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_remoop5

    [ v3_matti ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_matti

    [ v3_hanna ]
    basicConstraints            = critical,CA:FALSE
    subjectKeyIdentifier        = hash
    authorityKeyIdentifier      = keyid:always, issuer:always
    keyUsage                    = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage            = critical, clientAuth
    subjectAltName              = @alt_hanna

Probably this https://forum.openwrt.org/viewtopic.php?id=65138 will do the trick.

It's generally recommended to read a thread prior to posting, and if that had been done, one would have realized this has nothing to do with dnsmasq or dns.

Is there any way to get the old OpenVPN page back as a simpler reference?
I used that and my VPN works fine (I'm ok with EasyRSA).
I will try your guide at some point when I have the time to devote to it, but it looks quite intimidating.

Disregard, I was able to roll back using the controls in the sidebar.

Of course you're right, I just need one VPN server. Thanks, I now have the configuration ready for testing.

Before I start, I have two more questions:

  1. If I understood everything correctly, I don't have to execute the commands in the ICA section, is that correct?

  2. Do I have to replace vpn-client1-<username>-<hostname>-<hostname>.key.pem with e.g. VPN-xps13-Hostname.key.pem or not? (This refers to the commands in the Client Certs section.)

@nodakbarnes There's far more to the streamlined wiki I wrote than using an openssl.cnf, however it seems to appear you wish to have convenience over security & efficiency... although even that's a bit baffling since all one needs to do is edit ~14 lines in the openssl.cnf, as all the commands are given. ...I prefer to do things right the first time around, which is why I wrote that wiki a couple of years ago - create a comprehensive, easy to follow wiki, providing the best and most secure way of configuring a VPN without sacrificing speed and efficiency of the VPN.

  • As to Easy-RSA, as I stated in the wiki, it does not create secure enough certs, does not allow for EKUs, does not allow KUs customization, which means it will always be inefficient when compared to a cert created with my openssl.cnf, as Easy-RSA certs limit, due to their non-customizable KUs, the encryption protocols a user can utilize, and for some unknown reason still insists on using a certification value for NetScape Browser for server authentication.

    • I took the time to read through the OpenSSL man pages when I wrote my wiki, and I did so in order to make it easier for other users by simply providing them with a prebuilt openssl.cnf, with commenting kept to a minimum, purposefully placing the vast majority of comments at the bottom of the config. Granted, I still link to those man pages, as I believe users should ultimately refer to those man pages for configuration based questions. A VPN and the certs that protect it are vital, and to configure something without a comprehensive understanding of each is doing the user an injustice to themselves.

As to the original VPN Server wiki, it was subpar and vastly inefficient, explained nothing, and, by default, set the VPN for gateway redirect, which is not something most users will use it for. Most will be utilizing a VPN server for remote access to their LAN, not to push their internet traffic through (this would only benefit the user who is behind a primary WAN facing router or for devices on a VLAN).

  • The original VPN server wiki was nothing more than a cookie cutter setup that was written 5+ years ago, and can be found on 99% of websites... google "OpenVPN server setup" and 99% of the server configs will mirror it. I personally believe if a wiki is going to be provided it should provide thorough information the first time around.

    • It should be kept in mind the majority of LEDE wiki pages were ported from the OpenWrt Wiki, and as such, are quite dated, written when Barrier Breaker was around, not to mention most lack quality DokuWiki formatting (it really is unfortunate most don't bother to take an hour and read through the DokuWiki plugins to learn how to properly format a wiki before writing one)
  • When I wrote that wiki, as well as several times since, I've considered combining all required commands into a simple script, however each time I've decided not to because of how important a VPN is and if one is configuring a VPN, they need to understand what they're doing, how the configs are laid out, etc., otherwise the risk is great that the VPN will either be exploited due to user ignorance [i.e. they don't know any better because they didn't bother to understand what the functions of any arbitrary setting is], or they'll spend hours on forums trying to troubleshoot something they did that caused the VPN to malfunction in some form/fashion. My stance is if someone doesn't want to take the 1 - 2 hrs to read and understand the configuration of a VPN, then they really shouldn't be setting one up since they're doing themselves an injustice by selling themselves short.

@mrremo Yes, whenever you see a value with < > anywhere in documentation across the web, it means to replace what's in it with your custom input, at least in regards to commands and config/ini files, etc.

  • That host name is important, and must be unique to each client (just as the common name must always be unique to each), in case you decide to configure CCD (Client Configuration Directory). To understand what this is, please see the OpenVPN HowTo linked to in the Wiki. I recommend always setting up CCD, but one needs to fully understand what it is before configuring it.

  • The hostname layout, much as all other customizable data, is simply an example and does not have to be what you see (i.e. you could simply have the hostname be XPS13 or BellevueVPN-XPS13).

    • I wrote the hostname that way in the wiki to show how one could ensure hostnames are kept sane across multiple VPN servers.
  • As to your first question, please follow the wiki, else please see the openssl man pages provided in the wiki. I've provided help due to you starting over with the ported wiki, however every question asked thus far could have been answered by 1. following the wiki as written, and/or 2. checking the appropriate man page linked to in the Wiki.
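The mistakes this thread keeps circling back to are easy to make by hand: a V3 profile whose subjectAltName still points at the profile it was copied from, a mixed-case SAN profile name, or two clients ending up with the same hostname even though the server relies on it being unique (for CCD among other things). As an added example that is not part of the wiki or of any post here, the following Python script reads the alt_/v3_ sections of an openssl.cnf and reports those problems. The config fragment embedded in it is constructed for the example; the naming rules it enforces are the ones given earlier in the thread, and the uniqueness rule is the one stated above.

```python
"""Sanity-check the SAN (alt_*) and V3 (v3_*) profile pairing in an
openssl.cnf laid out like the one discussed in this thread.

Checks performed:
  * alt_/v3_ profile names are lower case and use only [a-z0-9_]
  * every alt_foo has a v3_foo and vice versa
  * every v3_foo carries  subjectAltName = @alt_foo
  * the DNS.1 hostname of every alt_ profile is unique
"""
import re

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
NAME_RE = re.compile(r"^(alt|v3)_[a-z0-9_]+$")

# Constructed sample (NOT the wiki's openssl.cnf): it contains one correct
# client pair plus three deliberate slips for the checker to find.
SAMPLE_CNF = """\
HOME = .

[ alt_matti ]
email.1 = matti@example.com
DNS.1   = VPN-matti-Hostname

[ alt_hanna ]
email.1 = hanna@example.com
DNS.1   = VPN-matti-Hostname     # slip: same hostname as matti

[ Alt_Sarah ]
email.1 = sarah@example.com
DNS.1   = VPN-sarah-Hostname

[ v3_matti ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = critical, clientAuth
subjectAltName   = @alt_matti

[ v3_hanna ]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = critical, clientAuth
subjectAltName   = @alt_matti    # slip: not edited after copying v3_matti
"""


def parse_cnf(text):
    """Minimal openssl.cnf reader: {section: {key: value}} in file order.
    Keys keep their case (DNS.1, email.1, subjectAltName); '#' comments and
    anything before the first section header are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def check_profiles(sections):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    names = [n for n in sections if n.lower().startswith(("alt_", "v3_"))]
    for n in names:
        if not NAME_RE.match(n):
            problems.append(f"{n}: profile names must be lower case and use only [a-z0-9_]")
    alts = [n for n in names if NAME_RE.match(n) and n.startswith("alt_")]
    v3s = [n for n in names if NAME_RE.match(n) and n.startswith("v3_")]
    for n in alts:                       # every SAN profile needs a V3 twin
        if "v3_" + n[4:] not in v3s:
            problems.append(f"{n}: no matching v3_{n[4:]} section")
    for n in v3s:                        # every V3 profile must point back at its SAN twin
        partner = "alt_" + n[3:]
        if partner not in alts:
            problems.append(f"{n}: no matching {partner} section")
            continue
        san = sections[n].get("subjectAltName")
        if san != "@" + partner:
            problems.append(f"{n}: subjectAltName must be @{partner}, found {san!r}")
    seen = {}                            # hostname (case-folded) -> first profile using it
    for n in alts:
        host = sections[n].get("DNS.1")
        if host is None:
            continue
        owner = seen.setdefault(host.lower(), n)
        if owner != n:
            problems.append(f"{n}: DNS.1 {host!r} duplicates {owner}")
    return problems


if __name__ == "__main__":
    for problem in check_profiles(parse_cnf(SAMPLE_CNF)) or ["no problems found"]:
        print(problem)
```

Point it at a real file with `check_profiles(parse_cnf(open("openssl.cnf").read()))`; the parser deliberately ignores everything that is not an `alt_`/`v3_` section, so the rest of the wiki's config is untouched.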

@JW0914 thanks for your help so far. I'll test it next year, because I'm going on vacation tomorrow. :grinning: