OpenVPN Client Setup Question and how to save certificates on USB-stick

Discussion in 'Tomato Firmware' started by richyroland, Jul 9, 2017.

  1. richyroland

    richyroland New Member Member

    Hi!

    I got a configuration file from my VPN server; however, I am not sure how to introduce the settings into Tomato.

    Furthermore, I want to save the certificates to a USB stick instead of writing them into the GUI. Anyway, I can't figure out how to tell the router to use the certificates on the stick... maybe a beginner's question, anyway, I would appreciate help.

    So here are the settings of the ovpn configuration file that I have to translate to Tomato settings:

    remote (ip deleted for forum) 80
    remote (ip deleted for forum) 443
    remote-random

    client
    dev tun
    proto udp
    nobind
    persist-key
    persist-tun
    mute-replay-warnings
    remote-cert-tls server
    cipher AES-256-CBC
    verb 3

    auth SHA512
    explicit-exit-notify 3
    key-direction 1

    tun-mtu 1500
    fragment 1300
    mssfix

    auth-user-pass

    <ca>
    -----BEGIN CERTIFICATE-----
    (key deleted for forum)
    -----END CERTIFICATE-----
    </ca>

    <cert>
    -----BEGIN CERTIFICATE-----
    (key deleted for forum)
    -----END CERTIFICATE-----
    </cert>

    <key>
    -----BEGIN PRIVATE KEY-----
    ....... (key deleted for forum)
    -----END PRIVATE KEY-----
    </key>

    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    ........ (key deleted for forum)
    -----END OpenVPN Static key V1-----
    </tls-auth>



    I tried these settings - no success:

    BASIC
    Start with WAN: Enable
    Interface Type: TUN
    Protocol UDP
    Server Address/Port: (deleted for forum)
    Firewall: Automatic
    Authorization Mode: TLS
    Username/Password Authentication: Enable
    Username: Username
    Password: pw
    Username Authen. Only: Disable
    Extra HMAC authorization (tls-auth): Disable
    Create NAT on tunnel: Enable

    ADVANCED
    Poll interval: 0 (=disabled)
    Redirect internet traffic: enable
    Accept DNS configuration: Exclusive
    Encryption cipher: AES-256-CBC
    Compression: Adaptive
    TLS Renegotiation time: -1 (=default)
    Connection retry: -1 (=infinite)
    Verify server certificate (tls-remote): disable
    Custom configuration: empty

    KEYS
    Certificate Authority: Copy-pasted <ca> - Certificate.
    Client Certificate: Copy-pasted <cert> - CERTIFICATE
    Client Key: Copy-pasted <key> PRIVATE KEY

    However, I did not find in particular two settings out of the configuration file:
    - where to set "auth SHA512"
    - where to enter <tls-auth> OpenVPN Static key V1
    - where to set: tun-mtu 1500
    - where to set: fragment 1300
    - where to set: mssfix


    THANKS for help!
     
    Last edited: Jul 14, 2017
  2. kille72

    kille72 Addicted to LI Member

    cert/keys (Custom Configuration):

    ca /path/ca.crt
    cert /path/server.crt
    key /path/server.key
    dh /path/dh2048.pem
    tls-auth /path/static.key 1
     
    richyroland and NutsN'bolts like this.
  3. richyroland

    richyroland New Member Member

    thanks, this is already helpful!

    However, excuse me that I am a crypto and linux beginner... So some comprehension questions:

    - How do I get the content of this dh2048.pem file out of the "config" file I cited above? I don't see the section that might be the equivalent.

    - How must I translate the "config" file content into these separate certificate files? Is there a syntax, or do I simply copy everything between
    -----BEGIN CERTIFICATE-----
    (key deleted for forum)
    -----END CERTIFICATE-----
    into the ca.crt - file (and similar for the other files)?

    - Do I guess right that the content of the config file translates as follows into the separate files?:
    <ca> - </ca> ---> ca.crt
    <cert> - </cert> ---> server.crt
    <key> - </key> ---> server.key
    <tls-auth> - </tls-auth> ---> static.key

    - What would be the syntax to introduce into custom configuration the following settings (or do I just write them into the field as such?):
    auth SHA512
    mssfix
    fragment 1300
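
The split asked about in the post above, as an added example that is not part of the thread or of Tomato: each inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` block is written to its own file, and the `key-direction` value becomes the trailing argument of the `tls-auth` line. The function name `split_ovpn`, the file names `client.crt`/`client.key` and the mount path `/tmp/mnt/usb/vpn` are assumptions.

```shell
#!/bin/sh
# split_ovpn CONFIG OUTDIR [ROUTER_PATH]   (hypothetical helper, not a Tomato tool)
# Writes the inline blocks of CONFIG to files in OUTDIR and prints the lines
# that reference them, using ROUTER_PATH as the directory seen by the router.
split_ovpn() (
    conf=$1 out=$2 rpath=${3:-$2}
    umask 077                 # directory and files are created owner-only
    mkdir -p "$out" || exit 1
    awk -v out="$out" -v rpath="$rpath" '
        BEGIN {               # inline tag -> file name (names are assumptions)
            name["ca"] = "ca.crt";      name["cert"] = "client.crt"
            name["key"] = "client.key"; name["tls-auth"] = "static.key"
        }
        # tolerate indentation, trailing blanks and CRLF line endings
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^<\/[a-z-]+>$/ {     # closing tag: stop copying
            if (file != "") close(file)
            file = ""; inblock = 0; next
        }
        /^<[a-z-]+>$/ {       # opening tag: start a fresh file if it is known
            tag = substr($0, 2, length($0) - 2); inblock = 1
            if (tag in name) { file = out "/" name[tag]; printf "" > file; seen[tag] = 1 }
            next
        }
        inblock { if (file != "") print > file; next }
        $1 == "key-direction" { dir = $2 }   # applies to the inline tls-auth key
        END {
            split("ca cert key", order, " ")
            for (i = 1; i <= 3; i++)
                if (order[i] in seen) print order[i] " " rpath "/" name[order[i]]
            if ("tls-auth" in seen)
                print "tls-auth " rpath "/static.key" (dir != "" ? " " dir : "")
        }
    ' "$conf"
)

# Usage (paths are placeholders):
#   split_ovpn client.ovpn ./vpn /tmp/mnt/usb/vpn
```

The printed lines are in the form used for the Custom Configuration field in the reply above. A FAT-formatted stick does not keep file modes, so the owner-only permissions on `client.key` and `static.key` only hold on a filesystem that stores them.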
     