OpenVPN Setup on Vigor Router (DrayOS) with XCA
OpenVPN is an open-source VPN technology that can traverse network address translators (NATs) and firewalls because it uses its own security protocol, built on SSL/TLS, for key exchange. Certificates are one of the client authentication methods OpenVPN supports. With a Certificate Authority (CA) to sign the certificates, the server can use a different certificate for each client in a multi-client topology.
In this article, we will use XCA, a free Certificate Authority (CA) application, to generate and manage the server and client certificates required for the OpenVPN configuration. XCA can be downloaded from:
https://hohnstaedt.de/xca/index.php/download
This article includes:
Part 1. Making Server Certificate on the Router
Part 2. Create a new CA on XCA
Part 3. Importing Signed Server Certificate and CA Certificate to the Router
Part 4. Making a Private Certificate and Private key for VPN Client
Part 5. Router Setup as OpenVPN Server
Part 6. Client Setup in OpenVPN GUI
Part 1. Making Server Certificate on the Router:
1-1. Since the certificate has a validity period, make sure the time and date settings are correct at System Maintenance >> Time and Date.
1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Enter the required information, then click Generate.
Part 2. Create a new CA on XCA – using version 2.1.2:
Part 3. Importing Signed Server Certificate and CA Certificate to the Router:
3-1. Go to Certificate signing requests, select Paste PEM data and paste the PEM format content copied from the router in step 1-3.
3-2. Right-click on the imported request and select Sign. Use the CA certificate created in Part 2 to sign it.
3-3. On the Certificates tab, export the signed Local Certificate in .crt format.
Go back to the router's GUI and import it at Certificate Management >> Local Certificate >> Upload Local Certificate.
3-4. Make sure the status of the uploaded certificate is OK.
3-5. On XCA, go to Certificates, choose the CA certificate and export it in .crt format, then import it to the router at Certificate Management >> Trusted CA Certificate.
3-6. Make sure the status of the imported Trusted CA is OK.
Part 4. Making a Private Certificate and Private key for the VPN Client
4-1. On XCA, go to Certificates and click New Certificate.
4-2. On the Source page, select CAtest for signing and [default] CA as the Template for the new certificate.
Then on the Subject page, fill in the Internal Name, countryName, stateOrProvinceName and commonName.
Tick "Generate a new key".
Name the new key Oclient, choose "RSA" for Keytype and "2048 bit" for Keysize. Then click Create.
4-3. On the Certificates tab, select Oclient and click Export:
Save Oclient.crt to a directory of your choice.
4-4. Go to the "Private Keys" tab, select Oclient and click Export.
Click OK to save the new key:
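Before importing the files exported in Parts 3 and 4 into the router or the client, it is worth confirming that each certificate is signed by the CA, is inside its validity period (see step 1-1), and matches its private key. The script below is an added check, not part of the original article; it assumes the openssl CLI is installed, and the file names ca.crt and Oclient.key are assumptions. The demo section constructs a throwaway CA and client certificate as stand-ins for CAtest and Oclient.

```shell
#!/bin/sh
# Added example (not from the DrayTek article): sanity-check exported
# certificate/key files before importing them. Assumes the openssl CLI.
set -u

# check_chain CA_CERT CERT KEY
# Returns 0 when CERT is signed by CA_CERT, is currently valid, and KEY
# matches the public key in CERT; prints the reason and returns 1 otherwise.
check_chain() {
    ca="$1"; cert="$2"; key="$3"
    # openssl verify checks both the signature chain and notBefore/notAfter.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca or is outside its validity period"
        return 1
    fi
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match the public key in $cert"
        return 1
    fi
    echo "OK: $cert chains to $ca and matches $key"
    return 0
}

# Demo: constructed throwaway CA and client certificate in a temp directory
# (stand-ins for CAtest and Oclient from the article), removed on exit.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cd "$demo_dir" || exit 1
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=CAtest" -days 365 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout Oclient.key -out Oclient.csr \
    -subj "/CN=Oclient" >/dev/null 2>&1
openssl x509 -req -in Oclient.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out Oclient.crt -days 365 >/dev/null 2>&1
# An unrelated key, to show that a key/certificate mismatch is detected.
openssl genpkey -algorithm RSA -out wrong.key >/dev/null 2>&1

check_chain ca.crt Oclient.crt Oclient.key           # prints OK
check_chain ca.crt Oclient.crt wrong.key || true     # prints FAIL (key mismatch)
```

Run the same check against the real ca.crt, Oclient.crt and exported key: a FAIL here usually shows up later as a certificate status other than OK on the router or a TLS handshake failure in the client log.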
Part 5. Router Setup as OpenVPN Server
5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and have the configuration below.
Make sure you tick the Certificate Authentication and click OK to apply the settings.
5-2. Go to the Client Config tab, specify the file name of CA Certificate, Client Certificate, and Client Key. Then, click Export.
5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users.
Check Enable this account, enter the Username and Password, and check OpenVPN Tunnel under Allowed Dial-In Type.
5-4. Go to SSL VPN >> General Setup to change the Server Certificate to the Local Certificate generated in part 2.
Part 6. Client Setup in OpenVPN GUI
For Windows, in the OpenVPN GUI use Import From File to import the configuration exported in step 5-2:
Please note that with current firmware the router can generate its own certificates; refer to the article below:
OpenVPN to Vigor Router by using the self-generated certificate
https://www.draytek.com/support/knowledge-base/7462
By Ed