I have a Raspberry OpenVPN server at home for which I have set up a server.ovpn file and built the following files, all with 4096-bit strength: ca.crt, server.key, server.crt, dh4096.pem, tls-auth.key.
I have created a client.ovpn file and, also with 4096-bit strength, the client.key, client.crt, and tls-auth.key files.
When I set up an OpenVPN client on another Raspberry with those client files, I can establish a VPN tunnel between client and server.
Questions:
- Does the GL-AR750S support keys and certs with 4096-bit strength?
- What is the maximum key length which I can use with the GL-AR750S? Is 4096 bits within the permissible range?
- I know that Diffie-Hellman parameters are used at the server side. There is a factory Diffie-Hellman file named dh1024.pem in /etc/openvpn/cert; I figure it is there in case one wants to configure the GL-AR750S as an OpenVPN server. If the GL-AR750S functions with higher strengths than 1024 bits: How should the Diffie-Hellman file be named when it is not for a 1024-bit key, for instance for a 2048-bit key or for a 4096-bit key? Is dh2048.pem or dh4096.pem correct? Or do I need to change a reference to this file somewhere else?
- How do I include the certificates and keys in a ZIP file so that the AR750S will accept it?

My working client.ovpn for the Raspberry looks like this:
client
dev tun
proto udp
remote my-secret-dyndns-domain 443 # DynDNS domain name
resolv-retry infinite
nobind # don't enforce a fixed port number
persist-key
persist-tun
tls-client
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/client.crt
key /etc/openvpn/cert/client.key # this must be kept secret
remote-cert-tls server
tls-auth /etc/openvpn/cert/tls-auth.key 1 # server: 0; client: 1
log /var/log/openvpn.log
cipher AES-256-CBC
auth SHA512
verb 1
mute 20 # silence repeating messages
When I look for instance at the sample from NordVPN, I notice that there are more sections in the client.ovpn file with begin and end tags, for example:
<ca>
-----BEGIN CERTIFICATE-----
[certificate binary data]
-----END CERTIFICATE-----
</ca>
key-direction 1 # can this option be listed above, or is this position mandatory?
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[key binary data]
-----END OpenVPN Static key V1-----
</tls-auth>
(a) What are the begin and end tags for a client key and client certificate?
(b) Does the option "key-direction 1" have to occur between the ca.crt and tls-auth.key blocks, or can it be listed above with the other options?
(c) Does the "V1" in -----BEGIN OpenVPN Static key V1----- have any significance?
The easy-rsa utility surrounds the Diffie-Hellman data with
-----BEGIN DH PARAMETERS----- and
-----END DH PARAMETERS-----
What does the GL-AR750S expect? Should I edit the easy-rsa lines to match the NordVPN sample?
Are these client key and certificate blocks position-dependent, or can they just be appended in any sequence?
- I tried to copy the client .ovpn file, the client key and certificate files into the respective directories under /etc/openvpn. This alone did not suffice for the GL-AR750S to add a new OpenVPN configuration. Is there a manual way to add a configuration and not use a ZIP file?
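As an added illustration of the inline profile format the post is comparing against (this is example code written for this page, not code from the post, from GL.iNet, or from NordVPN), the following Python script takes a path-based client.ovpn like the one above and rewrites it into a single self-contained profile. It uses OpenVPN's standard inline block names: <ca> and <tls-auth> as seen in the NordVPN sample, plus <cert> and <key> for the client certificate and private key. Because an inline <tls-auth> block cannot carry the trailing direction flag of the `tls-auth <file> 1` directive, the script emits a separate `key-direction` option instead. The certificate and key contents in the script are constructed placeholders, not real credentials; in real use they would be read from ca.crt, client.crt, client.key and tls-auth.key.

```python
"""Assemble a single-file OpenVPN client profile with inline credential blocks.

Added example, not from the original post. The PEM and static-key contents
below are constructed placeholders (not real credentials); in practice they
would be read from ca.crt, client.crt, client.key and tls-auth.key.
"""
import re

# Constructed placeholder contents standing in for the real files.
CA_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERCADATA\n"
    "-----END CERTIFICATE-----\n"
)
CLIENT_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERCLIENTCERTDATA\n"
    "-----END CERTIFICATE-----\n"
)
CLIENT_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "PLACEHOLDERCLIENTKEYDATA\n"
    "-----END PRIVATE KEY-----\n"
)
TLS_AUTH_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    "PLACEHOLDERSTATICKEYDATA\n"
    "-----END OpenVPN Static key V1-----\n"
)

# Options taken from a path-based profile; the four file directives
# (ca / cert / key / tls-auth) are what the inline blocks replace.
BASE_OPTIONS = """client
dev tun
proto udp
remote my-secret-dyndns-domain 443
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/client.crt
key /etc/openvpn/cert/client.key
remote-cert-tls server
tls-auth /etc/openvpn/cert/tls-auth.key 1
cipher AES-256-CBC
auth SHA512
verb 1
"""

# Inline block name -> PEM label expected inside it (None: any PEM private key).
INLINE_TAGS = {"ca": "CERTIFICATE", "cert": "CERTIFICATE",
               "key": None, "tls-auth": "OpenVPN Static key V1"}


def check_pem(text, label):
    """Return the material stripped, after verifying matching BEGIN/END lines."""
    if label is None:
        # Private keys come with several PEM labels (PRIVATE KEY, RSA PRIVATE KEY, ...).
        m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----", text)
        if not m:
            raise ValueError("no PEM private key found")
        label = m.group(1)
    if f"-----BEGIN {label}-----" not in text or f"-----END {label}-----" not in text:
        raise ValueError(f"missing BEGIN/END {label} markers")
    return text.strip()


def build_inline_profile(base_options, ca, cert, key, tls_auth, key_direction=1):
    """Return a profile whose file-path directives are replaced by <tag> blocks."""
    path_directive = re.compile(r"^\s*(ca|cert|key|tls-auth)\s")
    kept = [ln for ln in base_options.splitlines() if not path_directive.match(ln)]
    # The direction flag of 'tls-auth <file> 1' has no place inside the inline
    # block, so it becomes a separate key-direction option.
    kept.append(f"key-direction {key_direction}")
    materials = {"ca": ca, "cert": cert, "key": key, "tls-auth": tls_auth}
    for tag, label in INLINE_TAGS.items():
        kept.append(f"<{tag}>")
        kept.append(check_pem(materials[tag], label))
        kept.append(f"</{tag}>")
    return "\n".join(kept) + "\n"


def inline_tags(profile):
    """Names of inline blocks whose opening and closing tags are both present."""
    opened = set(re.findall(r"^<([a-z-]+)>$", profile, re.M))
    closed = set(re.findall(r"^</([a-z-]+)>$", profile, re.M))
    return opened & closed


def extract_block(profile, tag):
    """Body of one inline block, or None when the block is absent."""
    m = re.search(rf"^<{tag}>\n(.*?)\n</{tag}>$", profile, re.M | re.S)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(build_inline_profile(BASE_OPTIONS, CA_CRT, CLIENT_CRT, CLIENT_KEY, TLS_AUTH_KEY))
```

The check_pem step is there so that a mismatched or truncated file (for example a certificate pasted where the static key belongs) is rejected while building the profile rather than discovered as a TLS failure later; extract_block and inline_tags let the resulting profile be inspected the same way before it is handed to a device.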