Certificates are confusing. I wanted to generate self-signed certificates on OpenWrt using easy-rsa and use them for openvpn and stunnel. Below are the relevant commands and configurations.
easy-rsa
The VPN guide for OpenWrt is quite good. A summary:
# cd /etc/easy-rsa
# vim vars                     -- edit as you like
# source ./vars
# build-ca                     -- generates ca.crt
# build-dh                     -- generates dh2048.pem
# build-key-server myserver    -- generates myserver.[crt+key+csr]
# build-key myclient           -- generates myclient.[crt+key+csr]
For stunnel, copy or rename the .crt file to .pem; the content is identical. The .csr files are not needed once the certificates have been issued. Each client needs ca.crt plus its own .crt (or .pem) and .key files.
openvpn server
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/myserver.crt'
option key '/etc/openvpn/myserver.key'
option dh '/etc/openvpn/dh2048.pem'
openvpn client
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/myclient.crt'
option key '/etc/openvpn/myclient.key'
stunnel server
cert = /etc/stunnel/myserver.pem
key = /etc/stunnel/myserver.key
CAfile = /etc/stunnel/ca.crt
verify = 2
stunnel client
cert = /etc/stunnel/myclient.pem
key = /etc/stunnel/myclient.key
CAfile = /etc/stunnel/ca.crt
verify = 2
It looks very simple now, but without a known-good configuration to compare against it is not so easy to find the error.