I'm setting up an OpenVPN server on a standard OpenWRT 18.06.1 using the guide at https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic.
After starting create-certs I'm asked "Enter PEM pass phrase". I assumed that a pass phrase is not required (even unwanted) so I pressed the ENTER key after which the script continues, is this the correct thing to do?
I do get a non-blocking message "vpnclient.csr: No such file or directory", does that mean anything?
(Moved to the Installing and Using OpenWrt section - in hopes others may see and assist with your issue.)
@marcoblom Encrypting the client key is not required, but is highly recommended, and if it's a client key for an Android device, the key must me encrypted, as Android has a non-customizable 771 permission structure for user land storage.
I'm not sure why it wouldn't be creating the the CSR for the client, as the command that's being ran is:
# Generating Client Cert & Key
openssl req -batch -new -keyout "vpnclient.key" -out "vpnclient.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"
# Signing Client Cert
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient.csr" -out "vpnclient.crt" -config "$PKI_CONF" -extensions "vpnclient"
Please run the following script, do not encrypt the first client cert, but do encrypt the second.
#!/bin/sh
CSR="/tmp/csr-output"
PKI_CONF="$PKI_DIR/openssl.cnf"
PKI_DIR="/tmp/ossl"
mkdir -p "$PKI_DIR"
chmod -R 600 "$PKI_DIR"
cd "$PKI_DIR"
touch index.txt index
echo 10000 > serial
cp -f /etc/openvpn/ssl/openssl.cnf "$PKI_DIR"
printf "\nCreating CA...\n"
openssl req -batch -nodes -new -keyout "ca.key" -out "ca.crt" -x509 -config "$PKI_CONF" -days "3650"
printf "\nCreating Unecnrypted Client Key...\n\n"
printf %b " DO NOT ENCRYPT this client key...\n\n"
openssl req -batch -new -keyout "vpnclient1.key" -out "vpnclient1.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient1.csr" -out "vpnclient1.crt" -config "$PKI_CONF" -extensions "vpnclient"
printf "\nCreating Encrypted Client Key...\n\n"
printf %b " DO ENCRYPT this client key...\n"
openssl req -batch -new -keyout "vpnclient2.key" -out "vpnclien2.csr" -subj "/CN=vpnclient" -config "$PKI_CONF"
openssl ca -batch -keyfile "ca.key" -cert "ca.crt" -in "vpnclient2.csr" -out "vpnclient2.crt" -config "$PKI_CONF" -extensions "vpnclient"
printf "\nPlease post the output of /tmp/csr-output in forum reply IF receiving CSR error"
printf %b" # vpnclient1.csr #\n\n"
openssl req -in vpnclient1.csr -noout -text > $CSR
printf "\n\n\n" >> $CSR
printf %b" # vpnclient2.csr #\n\n"
openssl req -in vpnclient2.csr -noout -text >> $CSR
Thanks for the help.
I again tried the script create-certs.sh from https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic but this time I DID enter a pass phrase. That worked, it now creates the file vpnclient.csr and correctly creates other files in /etc/openvpn that were 0 bytes on my first try. The script create-ovpn.sh now also works (it didn't the first time). Perhaps it also helped that I rebooted my router between the first try yesterday and the second, successful try today.
I didn't try the alternate script provided in this topic.
Can you PM the openssl.cnf, as I utilize a custom one I created years ago, which is what the OpenSSL PKI wiki utilizes. My hunch is one of the req sections in the default openssl.cnf, likely req_attributes, is the cause of not generating a CSR if a passphrase is not provided when the command does not include -nodes.
Sure, thanks for checking it, PM sent.
It's due to the [ req_attributes ] section, which stipulates the minimum password length is 4 characters.
Unless the key is for a server, private keys should always be encrypted with a passphrase, else you're opening a massive hole in the security of the VPN and all data flowing through its tunnel.
Thanks! Can you perhaps update https://openwrt.org/docs/guide-user/services/vpn/openvpn/basic with this information?
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.