VPN Config Assistance [Solved]

Hi @JW0914,

Hope you don't mind the tag...

I'm going through the process of trying to create a VPN server following this guide: https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#tab__commands

Unfortunately when I try to run the first command to create the CA...

openssl req -x509 -new -sha512 -days 3650 -newkey rsa:4096 -keyout ca/OpenWrt-CA.key.pem -out ca/OpenWrt-CA.crt.pem -config ./openssl.cnf -extensions v3_ca

I get the following error...

3069977800:error:0E079065:lib(14):func(121):reason(101):NA:0:line 7

I'm using the openssl.cnf file downloaded from the guide: https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf

If I understand it right, Line 7 just has a load of #'s. Is this where I am supposed to input the Key Passphrase mentioned? I might have this totally wrong...

Any help would be greatly appreciated.

Cheers

Beard

While working through the Firewall section of the guide I came across an error with the logging rules here:

iptables    -I  INPUT       -p  tcp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit
iptables    -I  INPUT       -p  udp     --dport     5000    -m  state   --state NEW     -j  Rate_Limit

Apparently -m state --state should now be -m conntrack --ctstate, so the new rule should be:

iptables    -I  INPUT       -p  tcp     --dport     5000    -m conntrack --ctstate NEW     -j  Rate_Limit
iptables    -I  INPUT       -p  udp     --dport     5000    -m conntrack --ctstate NEW     -j  Rate_Limit

At least, it got rid of the error I was getting.

I'm running iptables 1.6.2.

Cheers
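As an added example (not from the wiki or this thread), the two rate-limit rules above wrapped in a small helper that uses the newer `-m conntrack --ctstate NEW` match and checks with `iptables -C` before inserting, so re-running the firewall script never stacks duplicate copies of the same rule. It assumes the `Rate_Limit` chain already exists as the guide defines it; `IPT` is assumed to be the iptables binary and can be pointed at a stub for a dry run without root.

```shell
#!/bin/sh
# Added example: idempotent insertion of the port-5000 rate-limit rules.
# IPT is assumed to be the iptables binary; override it (IPT=some_stub) to dry-run.
IPT="${IPT:-iptables}"

# add_rate_limit <proto> <port>
# If an identical rule is already in INPUT (iptables -C returns 0) report it and do
# nothing; otherwise insert it at the top of INPUT, exactly as the guide's rule does.
add_rate_limit() {
    proto=$1
    port=$2
    if $IPT -C INPUT -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j Rate_Limit 2>/dev/null; then
        echo "exists: $proto dport $port"
    else
        $IPT -I INPUT -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j Rate_Limit
    fi
}

# Apply both rules from the thread (TCP and UDP on port 5000).
apply_rate_limit_rules() {
    add_rate_limit tcp 5000 && add_rate_limit udp 5000
}
```

Run `apply_rate_limit_rules` as root on the router; the `-C` probe is what makes the script safe to run from a firewall.user or init hook that may fire more than once.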

That wiki is the old wiki which is no longer updated, and once the OpenWrt site move is completed, I'll be removing that wiki. The new wiki can be located here.

  • If you're creating certs on Linux, refer to the comments at the very top of the OpenSSL config, regarding EOLs and formatting differences between Linux and Windows, as that's likely your current issue.
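As an added example (not part of the reply above or of the wiki), a quick way to check the end-of-line issue mentioned in the reply before running the CA command: count carriage returns in the downloaded `openssl.cnf`, strip them if a Windows editor left them in, and decode an OpenSSL error code such as the one in the first post with `openssl errstr`. The sample config fragment is constructed here purely to have a CRLF file to test against.

```shell
#!/bin/sh
# Added example: detect and fix Windows (CRLF) line endings in an OpenSSL config.

# make_crlf_sample <file>: constructed three-line config fragment saved with CRLF EOLs,
# standing in for an openssl.cnf copied from a Windows editor.
make_crlf_sample() {
    printf '[ req ]\r\ndefault_bits = 4096\r\ndistinguished_name = req_dn\r\n' > "$1"
}

# crlf_count <file>: number of carriage-return bytes in the file; 0 means Linux-clean.
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# to_unix <file>: strip every CR in place (what dos2unix does), so OpenSSL on the
# router parses the file the way the guide expects.
to_unix() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# decode_err <hexcode>: translate a raw OpenSSL error code (e.g. 0E079065 from the
# first post) into its library/function/reason text, when openssl is installed.
decode_err() {
    if command -v openssl >/dev/null 2>&1; then
        openssl errstr "$1"
    else
        echo "openssl not installed"
    fi
}
```

Usage: `crlf_count ./openssl.cnf` before `openssl req ...`; if it prints anything but 0, run `to_unix ./openssl.cnf`. `decode_err 0E079065` gives the readable form of the error the first post quotes, including which config routine raised it.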

Thanks man,

I'll work through the comprehensive guide from the top.

The mistake I made was not copying the whole openssl config, everything looks to be where it should now. Such an idiot!

I may give you a nudge again if I get stuck. Last time I set up OpenVPN I was using easyrsa, which I now understand is a bad idea.

Appreciate the work you put in to putting together a guide to doing it properly.

If you're looking for a quick setup just to get you up and running, I would recommend @stangri's OpenVPN (Server Setup) wiki.

Once I have the time to spend on my wiki again, I'll be breaking it up into smaller wikis, as well as incorporating @stangri's scripts, since they make setup much more convenient for the user.

I think I'll have a go with your guide for now, JW. There's a lot of detail and I'm happy to put in the extra work to understand exactly what's going on and how it's all put together. The script will just take away the learning, which I enjoy.

I'll try not to bother you with problems I cause myself through stupidity.

I've replaced all \\ and \ with // and / as detailed at the top of the now complete openssl.cnf file because I'm running the commands on the router through SSH. Hopefully everything will go smoothly.

Thanks again for your efforts and pointing me in the right direction amigo. I'll report back here once I'm done.

You'll want to change the // to a single /, as it's only on Windows where the doubles are required, otherwise you're going to likely end up with OpenSSL errors.

Thanks yet again.

I'll make sure I do that before I call on the file.

Legend!

Just a quick FYI, I've been working on my wiki for most of the day and have split off the OpenSSL section into its own wiki: OpenSSL Certificates.

  • That wiki is just a rough draft, but it does mirror the previous layout in the VPN wiki; however, as I was porting the content over, I did discover OpenSSL moved their man page links, so many of the links for the man pages in the wiki are currently broken.

You are a scholar and a gentleman!

I'm having trouble grasping the changes I need to make to the openssl.conf file, specifically the lines below:

#--------------------------------------------------------------------
            ##----- Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Main #

  # Servers #
    [ alt_sophos ]
    IP.1                = 192.168.2.1
    IP.2                = 127.0.0.1
    DNS.1               = UTM.LEDE
    DNS.2               = your.ddns.com

    [ alt_freenas ]
    IP.1                = 192.168.2.13
    IP.2                = 192.168.2.130
    IP.3                = 127.0.0.1
    DNS.1               = Free.LEDE
    DNS.2               = your-fqdn.com

    [ alt_vpn_server1 ]
    IP.1                = 10.0.0.1
    DNS.1               = your.ddns.com

  # Clients #
    [ alt_vpn1_user1 ]
    email.1             = user1@email.com
    DNS.1               = VPN1-Client1-Device-Hostname1
    DNS.2               = VPN1-Client1-Device-Hostname2


#--------------------------------------------------------------------
     ##----- Intermediate Certificate Authority Clients -----##
#--------------------------------------------------------------------

# Router 2 #

  # Servers #
    [ alt_lede ]
    IP.1                = 192.168.2.2
    IP.2                = 127.0.0.1
    DNS.1               = LAN.LEDE

    [ alt_vpn_server2 ]
    IP.1                = 10.0.1.1
    DNS.1               = your.ddns.com

I'll have one server, one user (me), with one external IP and a DNS address.

I might be over thinking it, but I started commenting out the Sophos and freenas sections under CA Clients leaving me with one server and was going to do the same under ICA Clients, but I thought I'd better check with you.

In the wiki you also mention that line 244 should match the client username, would that be set to something like "jbloggs"?

Sorry for what probably seems like stupid questions.

The VPN Server will be at 10.1.0.1 with the LAN subnet being 10.0.0.1.

Simply follow what the wiki is stating to change under the subjectAltName [SAN] profiles:

  • Servers:
    • Modify the SubjectAltNames Profile
      • Intermediate Certificate Authority Clients (Line 226)
        • Change the server's SAN IP from 10.0.1.1 to match your VPN Server IP
          • Line 239: IP.1 = 10.0.1.1

        • Change the SAN DNS from your.ddns.com to match your own DDNS and/or FQDN
          • Line 240: DNS.1 = your.ddns.com
            • For each additional DNS or FQDN, add a new line in sequential order (i.e. DNS.2, DNS.3, etc.)

  • Clients

  • For additional info, see the subjectAltName man page
    • There is no need to comment anything out of the openssl.cnf, as the V3 profile, which stipulates the SAN profile to utilize, is specified on the command line via the -extensions parameter.
      • In the wiki, the server's V3 profile parameter would be -extensions v3_vpn_server1

IIRC, there's a total of 14 lines to be edited in the openssl.cnf, and it may help you to look at @stangri's wiki mentioned in my prior post, as his wiki uses sed commands to change the information required, whereas the Comprehensive wiki walks the user through exactly what to change line by line.

  • Many users seem to have an issue with these specific 14 edits, and I've always been baffled as to why, however, to prevent the confusion, I will be incorporating @stangri's script in the OpenSSL wiki in lieu of walking through what to change line by line.
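As an added example (not the wiki's own script and not @stangri's), the edits the two posts above discuss done with a couple of awk helpers: read or rewrite one `IP.n`/`DNS.n` entry inside one named SAN profile, append the next `DNS.n` entry in sequence, and leave every other profile in the file untouched, which is exactly why nothing needs commenting out. The `openssl.cnf` written here is a constructed minimal stand-in that copies the layout idea from the thread (the `-extensions` V3 profile names its SAN profile via `subjectAltName = @alt_vpn_server1`); the section and key names are the thread's, the `[ req ]`/`[ req_dn ]`/`[ v3_vpn_server1 ]` contents are assumptions.

```shell
#!/bin/sh
# Added example: edit SAN profile entries in an openssl.cnf without touching other profiles.

# write_sample_cnf <file>: constructed minimal config; the V3 profile passed to
# openssl with -extensions selects which SAN profile is used.
write_sample_cnf() {
cat > "$1" <<'EOF'
[ req ]
default_bits        = 4096
distinguished_name  = req_dn
prompt              = no

[ req_dn ]
CN                  = vpn-server1

[ v3_vpn_server1 ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_vpn_server1

[ alt_vpn_server1 ]
IP.1                = 10.0.0.1
DNS.1               = your.ddns.com

[ alt_vpn_server2 ]
IP.1                = 10.0.1.1
DNS.1               = your.ddns.com
EOF
}

# get_san <file> <section> <key>: print the value of <key> inside [ <section> ] only.
get_san() {
    awk -v sec="$2" -v key="$3" '
        $1 == "[" { insec = ($2 == sec) }
        insec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

# set_san <file> <section> <key> <value>: rewrite one key in one section in place
# (the same effect as the sed one-liners in @stangri's wiki).
set_san() {
    awk -v sec="$2" -v key="$3" -v val="$4" '
        $1 == "[" { insec = ($2 == sec) }
        insec && $1 == key && $2 == "=" { sub(/=.*/, "= " val) }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_san <file> <section> <prefix> <value>: append the next <prefix>.n entry
# (e.g. DNS.2) right after the section's last key, so numbering stays sequential.
add_san() {
    last=$(awk -v sec="$2" '
        $1 == "[" { insec = ($2 == sec); next }
        insec && $2 == "=" { last = NR }
        END { print last + 0 }' "$1")
    [ "$last" -gt 0 ] || return 1
    n=$(awk -v sec="$2" -v pre="$3" '
        $1 == "[" { insec = ($2 == sec) }
        insec && index($1, pre ".") == 1 { c++ }
        END { print c + 0 }' "$1")
    awk -v last="$last" -v line="$3.$((n + 1))                = $4" '
        { print } NR == last { print line }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# show_san <cnf> <v3_profile>: when openssl is installed, issue a throwaway
# self-signed cert with that profile and print its SAN so the edits can be verified.
show_san() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    d=$(mktemp -d)
    openssl req -x509 -new -sha256 -days 1 -newkey rsa:2048 -nodes -keyout "$d/k.pem" \
        -out "$d/c.pem" -config "$1" -extensions "$2" >/dev/null 2>&1
    openssl x509 -in "$d/c.pem" -noout -text | grep -A1 'Subject Alternative Name'
    rm -rf "$d"
}
```

For the setup in the question (server at 10.1.0.1, one DDNS name) that is `set_san openssl.cnf alt_vpn_server1 IP.1 10.1.0.1`, `set_san openssl.cnf alt_vpn_server1 DNS.1 <your ddns>`, then `show_san openssl.cnf v3_vpn_server1` to confirm the issued cert carries exactly those names; `alt_vpn_server2` and the Sophos/FreeNAS profiles stay as they are and are simply never referenced.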

Sorry man, I get that it's a PITA to explain each and every time someone doesn't understand.

Now that you mention the extensions parameter it makes more sense. If I look at the commands I can see which sections of the config are being called on, so I only need to change the alt_vpn_server1 section and alt_vpn2_user1.

The bit that was causing me confusion was section 2 of the prerequisites for CA and ICA where it just states some line numbers, but not what to do with them. Now I know.

Thanks for your patience buddy. I'll open up stangri's wiki too and refer to that in the hopes that I don't have to bother you with more annoying questions.

That's just telling the user where to look in the openssl.cnf for the SAN profiles.

  • An OpenSSL config is not the easiest thing to look at and understand if one has never seen one before, which is what prompted me a few years ago to create a custom one to make it more cohesive and easier to understand for a user not familiar with one.
    • This is why I originally decided to walk the user through the 14 or so edits line by line.

    • Trying to make heads or tails of the default openssl.cnf that comes with OpenSSL is next to impossible for a user who's not familiar with one.

    • I purposefully kept comments to a minimum in the config portion of the config, putting the vast majority of comments and instructions at the bottom of the config, starting on line 430.

  • I broke up the SAN & V3 profiles into separate sections for the CA and any additional ICAs, however any SAN/V3 profile can be used.
    • I personally prefer to have a master CA that signs ICAs for each router and its devices, as well as separate ICAs for VPNs, because it makes it more convenient for the user if the VPN certs are ever compromised.
      • Instead of creating an entirely new router ICA and new certs for all devices signed by that ICA, the user can simply create a new VPN ICA and issue new certs.

Another reason for listing where to find the SAN profiles in the openssl.cnf is to make it more convenient for users who want to create additional CAs/ICAs for other certs they require.

  • For example, I always recommend using an openssl.cnf to create a CA to sign the WebUI [LuCI] cert, as luci-ssl creates a self-signed cert, which is completely asinine and pointless since there's no chain of trust, thereby ensuring there's no way for the user to determine if their connection is truly secure, as it allows an MITM attack to occur.

Thanks man,

And apologies again. I was clearly over thinking it. And i truly am grateful for your assistance and the work you put in to the guides.

I'll make sure to check out the comments in the conf starting at line 430 and cross reference your wiki with stangri's as well as doing other research before asking any other questions.

I'm usually much better at working these things out for myself, lack of sleep probably isn't helping... ZZZzzzzz

Majority of those comments were used to create the OpenSSL Wiki.

  • There is some additional information in there, but it's not relevant to most users, such as how to create your own signing certs for Android (if compiling your own firmware).

  • IIRC, the only thing that would potentially be relevant is a link regarding why remote-cert-tls server cannot be utilized if utilizing my openssl.cnf to generate certs.
    • It explains the bit values of the KUs and EKUs, which won't match since the remote-cert-tls parameter has never been configured for EKU usage.

In that case I'll stick to the wiki.

Legend!

Hi JW,

Managed to get everything sorted eventually.

Had some trouble once I had everything set up. When I was connected I couldn't connect to anything on the LAN side of the VPN or anything on the internet, but I figured out that was because I had LZO enabled on one end and disabled on the other.

Thanks for all your help buddy.

For future reference, ~99% of OpenVPN config options must be mirrored in the server and client configs.

  • If you want this to be automated, you can always push the options to the client via the list push option in the server config.
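As an added example (not from the thread), a small check for the mirroring rule in the reply above: it compares the options that must agree between a server.conf and a client.conf and reports any that differ, reproducing the LZO mismatch that broke routing earlier in the thread. The two config files are constructed samples; the option list checked is an assumption and `push "..."` lines are deliberately ignored, since a pushed option is applied on the client at connect time rather than read from its file.

```shell
#!/bin/sh
# Added example: report OpenVPN options that are not mirrored between server and client.

# write_sample_confs <server.conf> <client.conf>: constructed configs where the
# server has comp-lzo enabled and the client does not (the mismatch from the thread).
write_sample_confs() {
cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
comp-lzo
EOF
cat > "$2" <<'EOF'
client
remote your.ddns.com 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
EOF
}

# opt_value <conf> <option>: the option's arguments, "(set)" for a bare flag such as
# comp-lzo, "(unset)" when the option is absent. Only the first occurrence counts and
# push "..." lines never match because their first word is "push".
opt_value() {
    awk -v o="$2" '
        $1 == o { $1 = ""; v = substr($0, 2); print (v == "" ? "(set)" : v); found = 1; exit }
        END { if (!found) print "(unset)" }' "$1"
}

# mirror_check <server.conf> <client.conf>: one "mismatch:" line per differing option;
# returns 0 when everything in the list mirrors, 1 otherwise.
mirror_check() {
    rc=0
    # Options assumed to require identical values on both ends.
    for opt in proto dev cipher auth tls-version-min comp-lzo compress; do
        s=$(opt_value "$1" "$opt")
        c=$(opt_value "$2" "$opt")
        if [ "$s" != "$c" ]; then
            echo "mismatch: $opt server=$s client=$c"
            rc=1
        fi
    done
    return $rc
}
```

Run `mirror_check /etc/openvpn/server.conf client.ovpn` before handing out a client profile; a non-zero exit means a connection may come up (the TLS handshake succeeds) while no traffic passes, which is the symptom described in the thread.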

Thanks again man,

Truly a legend!