For an explanation of all of the files, see my complete list of OpenVPN certificates, keys, and authorities.
Generating Your Keys and Certificates
Build keys and certificates per this story
Configuring the Router
Using Merlin 380.65_2. Open your router IP in a web browser (e.g. http://192.168.1.1)…
- VPN tab » OpenVPN Servers sub-tab » Server1 = On » VPN Details = Advanced Settings
- Interface Type = TUN
- Protocol = TCP (I don’t know why, but UDP performs poorly for me.) Note that the port-share directive used in the custom configuration below only works with TCP, so TCP is required for this setup anyway.
- Server Port = 1194 (I’m using 1194 on the router. This router sits behind a ‘residential gateway’ (RG); I redirect external port 443 on the RG to 1194 here.)
- Firewall = Auto
- Authorization Mode = TLS
- Keys & Certification. Use the files generated by easy-rsa per my Starbucks article (files in easy-rsa/keys_routervpn). For every key and certificate, paste only the PEM block, i.e. from the “-----BEGIN …-----” line through the “-----END …-----” line. easy-rsa .crt files also contain a plain-text dump of the certificate above the PEM block, and ta.key starts with a comment header; leave those out.
- Static Key: Paste contents of ~/Packages/keys_xxxx/ta.key
- Certificate Authority: Paste contents of ~/Packages/keys_xxxx/ca.crt
- Server Certificate: Paste contents of ~/Packages/keys_xxxx/server_xxxx.crt
- Server Key: Paste contents of ~/Packages/keys_xxxx/server_xxxx.key
- Diffie Hellman: Paste contents of ~/Packages/keys_xxxx/dh2048.pem
- Certificate Revocation List: Paste contents of ~/Packages/keys_xxxx/crl.pem
- Extra Chain Certificates: (empty)
- Press Apply.
- Username/Password Authentication = No
- TLS control channel security = Incoming Auth (0). This is tls-auth with key direction 0 on the server, so every client must use the same ta.key with key-direction 1.
- Auth digest = SHA256
- VPN Subnet/Netmask = 10.8.0.0, 255.255.255.0
- Poll interval = 0
- Push LAN to clients = Yes
- Direct clients to redirect Internet traffic = Yes
- Respond to DNS = Yes
- Advertise DNS to clients = Yes
- Cipher negotiation = Disabled
- Negotiable Ciphers = (doesn’t matter; don’t change it)
- Legacy/fallback cipher = AES-256-CBC (with negotiation disabled, every client must explicitly set cipher AES-256-CBC or the handshake fails)
- Compression = LZO Adaptive (clients must match with comp-lzo; the OpenVPN project now recommends against enabling compression at all, so Disabled is the safer choice if your clients allow it)
- TLS Renegotiation Time = -1 (-1 means use OpenVPN’s default)
- Log level = 3
- Manage Client-Specific Options = No
- Custom Configuration =
- tls-version-min 1.2
- proto tcp4
- push "dhcp-option DNS 192.168.x.1"
- max-clients 40
- port-share 192.168.1.9 443
- Notes:
- I have a router one hop outside my VPN router, and I want it to do DNS, so I push its IP as the DNS server.
- My incoming traffic first hits OpenVPN. If OpenVPN does not recognize the start of a TCP connection as OpenVPN protocol, it hands the connection off to the downstream HTTPS server at 192.168.1.9:443 (port-share). This allows me to run multiple services on a single external port. port-share only works with proto tcp, which is another reason for the TCP choice above.
- Press Apply.
- Go to the System Log tab and make sure it started (look for “Initialization Sequence Completed” from openvpn; a cipher, auth, or key mismatch will show up here first).
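As an added example that is not part of the original article or of Merlin’s own code, the following POSIX shell script does two things the steps above leave to hand work: it pulls just the “-----BEGIN … -----END” block out of the easy-rsa output (the text dump and comment headers are exactly what the router’s text boxes do not want), and it assembles a client .ovpn whose options mirror the server settings chosen above (TCP, tls-auth with key-direction 1, AES-256-CBC, SHA256, LZO adaptive, TLS 1.2 minimum, remote port 443 via the RG redirect). The hostname vpn.example.com, the file names, and the placeholder key material written by make_demo_files are constructed assumptions; remote-cert-tls server assumes the server certificate was issued with easy-rsa’s build-key-server (server EKU), which is the normal case.

```shell
#!/bin/sh
# Added example, not from the original article. Hostname, file names and the
# placeholder "key material" below are constructed for illustration only.

# Print only the "-----BEGIN ...-----" through "-----END ...-----" lines of a
# file. easy-rsa .crt files start with a human-readable certificate dump and
# ta.key with a comment header; Merlin's text boxes want just the PEM block.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Assemble a client profile whose options mirror the server settings:
#   proto tcp          <- Protocol = TCP / proto tcp4
#   key-direction 1    <- server uses Incoming Auth (0), so the client is 1
#   cipher AES-256-CBC <- Cipher negotiation = Disabled, fallback AES-256-CBC
#   auth SHA256        <- Auth digest = SHA256
#   comp-lzo adaptive  <- Compression = LZO Adaptive
#   tls-version-min 1.2 <- custom configuration
# Args: remote-host remote-port ca.crt client.crt client.key ta.key
build_ovpn() {
    host=$1; port=$2; ca=$3; cert=$4; key=$5; ta=$6
    cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
key-direction 1
verb 3
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(pem_block "$key")
</key>
<tls-auth>
$(pem_block "$ta")
</tls-auth>
EOF
}

# Write constructed placeholder files in the shape easy-rsa produces (text
# dump before the PEM block, comment header on ta.key). The bodies are filler,
# NOT real certificates or keys.
make_demo_files() {
    mkdir -p "$1"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'MIICfakeCA' '-----END CERTIFICATE-----' \
        > "$1/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Issuer: CN=Fake CA' \
        '-----BEGIN CERTIFICATE-----' 'MIICfakeClient' '-----END CERTIFICATE-----' \
        > "$1/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEfakeKey' \
        '-----END PRIVATE KEY-----' > "$1/client.key"
    printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
        '-----BEGIN OpenVPN Static key V1-----' '00ff00ff' \
        '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Stand-alone demo: build a profile from the constructed files and print it.
demo_dir="${TMPDIR:-/tmp}/ovpn-demo.$$"
make_demo_files "$demo_dir"
build_ovpn vpn.example.com 443 "$demo_dir/ca.crt" "$demo_dir/client.crt" \
    "$demo_dir/client.key" "$demo_dir/ta.key"
rm -rf "$demo_dir"
```

With real files, run `build_ovpn your.host 443 ca.crt client.crt client.key ta.key > client.ovpn` and import the result; if the router later logs an auth or cipher mismatch, the directives listed in the comment block are the ones to compare against the GUI settings.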
Other:
If you are using another router as your internet gateway (e.g. your cable modem or your U-verse modem), don’t forget to forward ports 1194 (TCP+UDP) and 443 (TCP) to your VPN router.