Openvpn Server Generate DH Parameters on PC then import them to OpenWrt

Can I generate the DH key pair on my Intel processor PC, then import them to OpenWrt?
If yes, can you please tell me how, step by step?

I'm following this guide to create an OpenVPN server, and this step always takes an hour at least:

Guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server
Step: easyrsa gen-dh

You can use openssl to generate it on any machine

openssl dhparam -out dh.pem 2048

Yes, but then how do I import it back to OpenWrt? I'm not sure how to use the .pem back with the OpenVPN server exactly. Sorry for the newbie question.

No problem

Copy the dh.pem file to /etc/easy-rsa/pki/; this should be where easy-rsa will create it too.

See https://easy-rsa.readthedocs.io/en/latest/#getting-started-the-basics

The DH file is just a separate file (not signed like a certificate); you can generate it on any PC and just copy it to the router's file system.

P.S. You can configure modern EC cryptography instead of outdated RSA, so you do not need a DH file in this case.


How would you do that exactly in this case? Can you please give me more details?

Are you using OpenVPN to connect to your home network?

You should consider using WireGuard. It's faster and simpler to set up. No need for PKI and certificates.


https://www.maths.tcd.ie/~fionn/misc/ec_vpn/

The common approach: you should download the Easy-RSA package to your PC from the link https://github.com/OpenVPN/easy-rsa/releases

Download it, and unpack.

Copy vars.example to vars, and edit vars as described above.

After that, use EasyRSA-Start.bat to run the EasyRSA shell, and generate the certificates.

I do NOT recommend using WireGuard; it is shit IMHO.

When I have set up OpenVPN in the past, I did all of the key generation using EasyRSA on a full desktop computer and then copied the files to the router. This is much faster than attempting to generate them on the router itself.

However, I concur that WireGuard is much easier to configure and also significantly faster/higher performance. I would recommend it over OpenVPN for most use cases these days.


Yes, this worked!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

