OpenVPN Setup on Vigor Router (DrayOS) with XCA

OpenVPN is an open-source VPN technique which is capable of traversing network address translators (NATs) and firewalls since it uses a custom security protocol that utilizes SSL/TLS for key exchanges. A certificate is one of the client authentication methods that OpenVPN supports. With a Certificate Authority (CA) to sign the certificate, the server can use a different certificate for each client in a multi client-server topology.

 

In this article, we will use XCA, a free Certificate Authority (CA) application, to generate and manage the server and client certificates required for OpenVPN configuration.

XCA can be downloaded from:

https://hohnstaedt.de/xca/index.php/download

This article includes:

 

Part 1. Making Server Certificate on the Router

Part 2. Create a new CA on XCA

Part 3. Importing Signed Server Certificate and CA Certificate to the Router

Part 4. Making a Private Certificate and Private key for VPN Client

Part 5. Router Setup as OpenVPN Server

Part 6. Client Setup in OpenVPN GUI

 

Part 1. Making Server Certificate on the Router:

 

1-1. Since the certificate has a validity period, please make sure the time and date settings are correct at System Maintenance >> Time and Date.

1-2. Go to Certificate Management >> Local Certificate to generate a new certificate. Type the information, then click Generate.

 

Part 2. Create a new CA on XCA – using version 2.1.2:

Part 3. Importing Signed Server Certificate and CA Certificate to the Router:

 

3-1. Go to Certificate signing requests, select Paste PEM data and paste the PEM Format Content copied from the router in step 1-3.

3-2. Right-click on the imported certificate and select Sign. Use the certificate created in step 2 to sign it.

3-3. On the Certificate tab, export the Signed Local Certificate in .crt format.

Go back to the router’s GUI, import it to the router at Certificate Management >> Local Certificate >> Upload Local Certificate.

3-4 Make sure the status of the certificate uploaded is OK.

3-5 On XCA, go to Certificate, choose the CA certificate and export it in .crt format, and import it to the router at Certificate Management >> Trusted CA Certificate.

 

3-6 Make sure the status of the Trusted CA imported is OK.

Part 4. Making a Private Certificate and Private key for the VPN Client

4-1 On XCA, go to Certificates, click New Certificate.

4-2 On the Source page, select CAtest for signing and set Template for the new certificate to [default] CA.

Then, on the Subject page, fill in the Internal Name, countryName, stateOrProvinceName and commonName.

Tick “Generate a new Key”.

Set the name of the new key to Oclient, with “RSA” for Keytype and “2048 bit” for Keysize. Then click Create.

On the Certificate tab, select Oclient and select Export:

Then save Oclient.crt to a directory.

Then proceed to the “Private Keys” tab, select Oclient, and click Export for the new key.

Then click OK to save the new key:
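
Before moving on to Part 5, the exported files can be checked with the openssl command line: that the client certificate chains to the CA, that the exported key belongs to it, and what its validity window is. The script below is an added example, not part of the original article; it assumes PEM files and an unencrypted private key, and the file names in its last comment are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the CA certificate, client certificate and
# client key exported from XCA. Assumes PEM files and an unencrypted key.

# check_client_bundle CA_CERT CLIENT_CERT CLIENT_KEY
# Prints one line per check; returns 0 only if checks 1 and 2 pass.
check_client_bundle() {
    ca=$1 cert=$2 key=$3 rc=0

    # 1. The client certificate must chain to the CA that is imported on the
    #    router. This also fails if the certificate is expired or not yet valid.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "OK   chain: $cert verifies against $ca"
    else
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi

    # 2. The exported private key must belong to the certificate: compare the
    #    public key embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   key: $key matches $cert"
    else
        echo "FAIL key: $key does not match $cert"; rc=1
    fi

    # 3. Show the validity window for comparison with the router's clock.
    openssl x509 -in "$cert" -noout -dates 2>/dev/null | sed 's/^/INFO /'

    # 4. Report whether the client certificate is itself marked as a CA.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "NOTE $cert has CA:TRUE, which a client certificate does not need"
    fi
    return "$rc"
}

# Example call; these file names are assumptions, use your exported names:
# check_client_bundle CAtest.crt Oclient.crt Oclient.pem
```

A FAIL on the chain check with correct files usually points at the validity dates, which is why step 1-1 asks for the router's time and date to be set first.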

Part 5. Router Setup as OpenVPN Server

5-1. Go to VPN and Remote Access >> OpenVPN General Setup, and have the configuration below.

Make sure you tick the Certificate Authentication and click OK to apply the settings.

5-2. Go to the Client Config tab, specify the file name of CA Certificate, Client Certificate, and Client Key. Then, click Export.

5-3. Go to VPN and Remote Access >> Remote Dial-in User to create user profiles for OpenVPN Dial-in users.

Check Enable this account, enter Username/Password, and check OpenVPN Tunnel in Allowed Dial-In Type.

5-4. Go to SSL VPN >> General Setup to change the Server Certificate to the Local Certificate generated in part 2.

For Windows OpenVPN, Import From File:

 

Please note that with the current firmware, the router can self-generate its certificates; please refer to the link below:

OpenVPN to Vigor Router by using the self-generated certificate

https://www.draytek.com/support/knowledge-base/7462

By Ed