Setting up OpenVPN server

I'm using

|Hostname|OpenWrt|
|---|---|
|Model|Linksys WRT3200ACM|
|Firmware Version|OpenWrt SNAPSHOT r6755-d089a5d / LuCI Master (git-18.113.52925-0c30ee0)|

I set up an OpenVPN server on LEDE, running on a WRT 3200ACM using the instructions at: https://wiki.openwrt.org/doc/howto/vpn.openvpn

I used the "OpenSSL" commands sections, and pasted these into bash scripts then ran them. This got me a working VPN that I could connect to from outside my LAN, usually from an Android phone over 4G.

The SSL certificate that it created had an expiry date of 30 days, not really quite sure why.

I tried logging into the router and running this script again. One of the commands seems to fail, and clients can't connect to the VPN server. Upon checking, my-client.crt seems to be a 0 bytes file, so it's empty. The command which is failing is:

ca  -batch -keyfile "ca.key" -cert "ca.crt" -in "my-server.csr" -out "my-server.crt" -config /etc/openvpn/ssl/openssl.cnf -extensions my-server

This fails with:

Using configuration from /etc/openvpn/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
ERROR:There is already a certificate for /CN=my-server
The matching entry has the following details
Type          :Valid
Expires on    :280421111903Z
Serial Number :1000
File name     :unknown
Subject Name  :/CN=my-serve

Any ideas how to delete this certificate, and more importantly create it with a longer expiry time? Ideally I'd like to make the certificate valid for thousands of days, so that it's never a concern.

I'm aware that by following these instructions, I have set up a VPN which is not using the most secure encryption.

I tried to do this using the easy-rsa scripts and pkitool. Various instructions tell me that I need to use pkitool commands. Even after installing openvpn-easy-rsa I can't find any pkitool command.

I'd be happy to reset the router back to factory defaults and start the VPN configuration again, but all of the instructions for using easy-rsa seem to be a bit out of date. Most of them reference commands which don't work.

Does anyone have a link to the most recent guide for getting an OpenVPN server up and running, which are up to date and actually working?

There's a reason that wiki had a notice and warning wrap at the top of the wiki...

• If looking for a quick way to get up and running, see @stangri's OpenVPN (Server Setup) wiki
  • This has been moved to OpenVPN Basic
    
    
• If wanting to delve deeper, with a comprehensive understanding of the setup and configuration of OpenVPN, see the OpenVPN Server (Comprehensive) wiki
  • This has been moved to OpenVPN Comprehensive
    
    
• If wanting to generate certs using an openssl.cnf, versus Easy-RSA (which I recommend never to use for a whole host of reasons), see the OpenSSL Certificates wiki
  • This has been moved to OpenSSL PKI

As to the expiry date of 30 days, that's specified by the default_crl_days setting in the openssl.cnf, the -days parameter of the x509 command, or the -days parameter of the ca command