I have a Raspberry OpenVPN server at home for which I have set up a server.ovpn file and built the following files, all with 4096-bit strength: ca.crt, server.key, server.crt, dh4096.pem, tls-auth.key.
I have created a client.ovpn file and, also with 4096-bit strength, created the client.key, client.crt, and tls-auth.key files.
When I set up an OpenVPN client on another Raspberry with those client files, I can establish a VPN tunnel between client and server.
Does the GL-750S support keys and certs with 4096-bit strength?
What is the maximum key length which I can use with the GL-AR750S? Is 4096 bits within the permissible range?
I know that Diffie-Hellman parameters are used at the server side. There is a factory Diffie-Hellman file named dh1024.pem in /etc/openvpn/cert; I figure it is there in case one wants to configure the GL-AR750S as an OpenVPN server. If the GL-AR750S functions with higher strengths than 1024 bits: How should the Diffie-Hellman file be named when it is not for a 1024-bit key, for instance for a 2048-bit key or for a 4096-bit key? Is dh2048.pem or dh4096.pem correct? Or do I need to change a reference to this file somewhere else?
Question: How do I include the certificates and keys in a ZIP file so that the AR750S will accept it?
My working client.ovpn for the Raspberry looks like this:
remote my-secret-dyndns-domain 443 # DynDNS domain name
nobind # don’t enforce a fixed port number
key /etc/openvpn/cert/client.key # this must be kept secret
tls-auth /etc/openvpn/cert/tls-auth.key 1 # server: 0; client: 1
mute 20 # silence repeating messages
When I look for instance at the sample from NordVPN, I notice that there are more sections in the client.ovpn file with begin and end tags (example , , ,
<ca>
-----BEGIN CERTIFICATE-----
[certificate binary data]
-----END CERTIFICATE-----
</ca>
key-direction 1 # can this option be listed above, or is this position mandatory?
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[key binary data]
-----END OpenVPN Static key V1-----
</tls-auth>
(a) What are the begin and end tags for a client key and client certificate?
(b) Does the option “key-direction 1” have to occur between ca.crt and tls-auth.key block, or can it be listed above with the other options?
(c) Does the “V1” in -----BEGIN OpenVPN Static key V1----- have any significance?
The easy-rsa utility surrounds the Diffie-Hellman data with
-----BEGIN DH PARAMETERS----- and
-----END DH PARAMETERS-----
What does the GL-AR750S expect? Should I edit the easy-rsa lines to match the NordVPN sample?
Are these client key and certificate blocks position-dependent or can they just be appended in any sequence?
I tried to copy the client .ovpn file, the client key and certificate files into the respective directories under /etc/openvpn. This alone did not suffice for the GL-AR750S to add a new OpenVPN configuration. Is there a manual way to add a configuration and not use a ZIP file?
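As an added example (not part of the original post, and not GL.iNet or NordVPN code), this Python code turns a path-based client profile like the one above into the single-file form of the NordVPN sample, using OpenVPN's inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks and moving the tls-auth direction argument to `key-direction`. The sample profile, the `ca` and `cert` paths, the host name and the bracketed key material are constructed, and the parser assumes unquoted paths without spaces.

```python
import os

# Directives whose file argument OpenVPN also accepts as an inline <tag> block.
INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

def inline_profile(config_text, read_file):
    """Replace ca/cert/key/tls-auth file references with inline blocks.

    read_file(path) -> str is supplied by the caller (assumption: unquoted
    paths without spaces, '#' starts a comment).
    """
    options, blocks = [], []
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] in INLINE_TAGS:
            tag, path = words[0], words[1]
            if tag == "tls-auth" and len(words) >= 3:
                # An inline block has no room for the direction argument.
                options.append(f"key-direction {words[2]}")
            blocks.append(f"<{tag}>\n{read_file(path).strip()}\n</{tag}>")
        else:
            options.append(line)
    return "\n".join(options + blocks) + "\n"

def write_private(path, text):
    """Write the profile readable by its owner only: it embeds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

# Constructed sample input: placeholder contents stand in for real PEM data.
SAMPLE_FILES = {
    "/etc/openvpn/cert/ca.crt": "[constructed CA certificate PEM]\n",
    "/etc/openvpn/cert/client.crt": "[constructed client certificate PEM]\n",
    "/etc/openvpn/cert/client.key": "[constructed client key PEM]\n",
    "/etc/openvpn/cert/tls-auth.key": "[constructed static key]\n",
}
SAMPLE_CONFIG = """client
remote vpn.example.net 443
nobind
ca /etc/openvpn/cert/ca.crt
cert /etc/openvpn/cert/client.crt
key /etc/openvpn/cert/client.key # this must be kept secret
tls-auth /etc/openvpn/cert/tls-auth.key 1 # server: 0; client: 1
mute 20
"""

if __name__ == "__main__":
    print(inline_profile(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__), end="")
```

The output is a generic OpenVPN inline profile; the example does not establish whether the GL-AR750S firmware accepts it.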