If I understand it right, line 7 just has a load of #'s. Is this where I am supposed to input the Key Passphrase mentioned? I might have this totally wrong...
That wiki is the old wiki which is no longer updated, and once the OpenWrt site move is completed, I'll be removing that wiki. The new wiki can be located here.
If you're creating certs on Linux, refer to the comments at the very top of the OpenSSL config, regarding EOLs and formatting differences between Linux and Windows, as that's likely your current issue.
If you're looking for a quick setup just to get you up and running, I would recommend @stangri's OpenVPN (Server Setup) wiki.
Once I have the time to spend on my wiki again, I'll be breaking it up into smaller wikis, as well as incorporating @stangri's scripts, since they make setup much more convenient for the user.
I think I'll have a go with your guide for now, JW. There's a lot of detail and I'm happy to put in the extra work to understand exactly what's going on and how it's all put together. The script would just take away the learning, which I enjoy.
I'll try not to bother you with problems I cause myself through stupidity.
I've replaced all `\\` and `\` with `//` and `/` as detailed at the top of the now-complete openssl.cnf file, because I'm running the commands on the router through SSH. Hopefully everything will go smoothly.
Thanks again for your efforts and for pointing me in the right direction, amigo. I'll report back here once I'm done.
You'll want to change the // to a single /, as it's only on Windows where the doubles are required, otherwise you're going to likely end up with OpenSSL errors.
Just a quick FYI: I've been working on my wiki for most of the day and have split off the OpenSSL section into its own wiki: OpenSSL Certificates.
That wiki is just a rough draft, but it does mirror the previous layout in the VPN wiki. However, as I was porting the content over, I discovered OpenSSL moved their man page links, so many of the links to the man pages in the wiki are currently broken.
I'll have one server, one user (me), with one external IP and a DNS address.
I might be overthinking it, but I started commenting out the Sophos and FreeNAS sections under CA Clients, leaving me with one server, and was going to do the same under ICA Clients, but I thought I'd better check with you.
In the wiki you also mention that line 244 should match the client username, would that be set to something like "jbloggs"?
Sorry for what probably seems like stupid questions.
There is no need to comment anything out of the openssl.cnf, as the V3 profile, which stipulates the SAN profile to utilize, is specified on the command line via the -extensions parameter.
In the wiki, the server's V3 profile parameter would be -extensions v3_vpn_server1
IIRC, there's a total of 14 lines to be edited in the openssl.cnf, and it may help you to look at @stangri's wiki mentioned in my prior post, as his wiki uses sed commands to change the information required, whereas the Comprehensive wiki walks the user through exactly what to change line by line.
Many users seem to have an issue with these specific 14 edits, and I've always been baffled as to why, however, to prevent the confusion, I will be incorporating @stangri's script in the OpenSSL wiki in lieu of walking through what to change line by line.
Sorry man, I get that it's a PITA to explain each and every time someone doesn't understand.
Now that you mention the extensions parameter it makes more sense. If I look at the commands I can see which sections of the config are being called on, so I only need to change the alt_vpn_server1 section and alt_vpn2_user1.
The bit that was causing me confusion was section 2 of the prerequisites for CA and ICA, where it just states some line numbers but not what to do with them. Now I know.
Thanks for your patience, buddy. I'll open up stangri's wiki too and refer to that in the hope that I don't have to bother you with more annoying questions.
That's just telling the user where to look in the openssl.cnf for the SAN profiles.
An OpenSSL config is not the easiest thing to look at and understand if one has never seen one before, which is what prompted me a few years ago to create a custom one to make it more cohesive and easier to understand for a user not familiar with one.
This is why I originally decided to walk the user through the 14 or so edits line by line.
Trying to make heads or tails of the default openssl.cnf that comes with OpenSSL is next to impossible for a user who's not familiar with one.
I purposefully kept comments to a minimum in the config portion of the config, putting the vast majority of comments and instructions at the bottom of the config, starting on line 430.
I broke up the SAN & V3 profiles into separate sections for the CA and any additional ICAs, however any SAN/V3 profile can be used.
I personally prefer to have a master CA that signs ICAs for each router and its devices, as well as separate ICAs for VPNs, because it makes it more convenient for the user if the VPN certs are ever compromised.
Instead of creating an entirely new router ICA and new certs for all devices signed by that ICA, the user can simply create a new VPN ICA and issue new certs.
Another reason for listing where to find the SAN profiles in the openssl.cnf is to make it more convenient for users who want to create additional CAs/ICAs for other certs they require.
For example, I always recommend using an openssl.cnf to create a CA to sign the WebUI [LuCI] cert, as luci-ssl creates a self-signed cert, which is completely asinine and pointless since there's no chain of trust, thereby ensuring there's no way for the user to determine if their connection is truly secure, as it allows an MITM attack to occur.
And apologies again. I was clearly overthinking it. And I truly am grateful for your assistance and the work you put into the guides.
I'll make sure to check out the comments in the conf starting at line 430 and cross reference your wiki with stangri's as well as doing other research before asking any other questions.
I'm usually much better at working these things out for myself, lack of sleep probably isn't helping... ZZZzzzzz
The majority of those comments were used to create the OpenSSL Wiki.
There is some additional information in there, but it's not relevant to most users, such as how to create your own signing certs for Android (if compiling your own firmware).
IIRC, the only thing that would potentially be relevant is a link regarding why remote-cert-tls server cannot be utilized if utilizing my openssl.cnf to generate certs.
It explains the bit values of the KUs and EKUs, which won't match since the remote-cert-tls parameter has never been configured for EKU usage.
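As an added example (not the thread's or JW's own openssl.cnf) tying together the -extensions parameter, the SAN profile sections, and the KU/EKU bits discussed above: a minimal config with a v3_vpn_server1 profile that pulls its SAN from alt_vpn_server1, and a root CA that signs a VPN server cert with that profile. The hostnames, paths and CA name are constructed for this demo; the profile deliberately carries the KU and serverAuth EKU bits that OpenVPN's remote-cert-tls server looks for, so you can inspect what a cert must contain for that check to pass.

```shell
#!/bin/sh
# Added example (not from the thread or JW's wiki): a tiny openssl.cnf with a
# named SAN profile and a V3 profile that references it, then a root CA that
# signs a VPN server cert via "-extensions v3_vpn_server1". Constructed demo values.
set -eu
WORK=${WORK:-$(mktemp -d)}
CNF="$WORK/openssl.cnf"
write_cnf() {
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo-vpn-server
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# V3 profile for the VPN server: the KU/EKU bits are what OpenVPN's
# remote-cert-tls server checks; the SAN is taken from the section below.
[ v3_vpn_server1 ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_vpn_server1
[ alt_vpn_server1 ]
DNS.1 = vpn.example.invalid
IP.1 = 203.0.113.10
EOF
}
issue_server_cert() {
  write_cnf
  # Self-signed root CA using the v3_ca profile
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 30 -subj "/CN=Demo Root CA" -extensions v3_ca -config "$CNF" 2>/dev/null
  # Server key + CSR; the V3 profile is chosen at signing time, not in the CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -config "$CNF" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions v3_vpn_server1 \
    -out "$WORK/server.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}
# Dump the extensions the issued cert actually carries (SAN, KU, EKU)
show_server_ext() {
  openssl x509 -in "$WORK/server.crt" -noout -text
}
```

Run `issue_server_cert && show_server_ext` and check the X509v3 Subject Alternative Name, Key Usage and Extended Key Usage blocks; swapping in a different section name after -extensions is all it takes to issue a cert with another profile from the same file.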
Had some trouble once I had everything set up. When I was connected I couldn't connect to anything on the LAN side of the VPN or anything on the internet, but I figured out that was because I had LZO enabled on one end and disabled on the other.