How to configure CISCO RV320 OPENVPN internal server?

landsteph49
Level 1

Hello,

I have upgraded one of my RV320-K9 V01 to 1.3.1.10 (revision including OpenVPN support).

Parameters are far from what I was expecting, I hope next release will give more options.

I would like to have a working configuration (even if it is for testing purpose).

What should I do? (I have spent too much time trying lots of things without any success; for example, I can't select a CA cert as none are listed.)

BR,

LS

In addition to the selected answer :

I had to build server & client certificates with the cisco certificate bundled in the router (and restored with Factory Default including Certificates).

28 Replies

What do you mean with: "but I needed to specify the router "authority" certificate in the ovpn client configuration file, e.g. paste it in the <ca>...</ca> section."

What exactly needs to be changed? Because I'm trying to use this but it keeps looping when trying to connect to the router (Tunnelblick). Using password only.

Thank you so much for sharing the solution you have found. I don't quite understand why, but restoring to factory default with cert got OpenVPN working with password authentication. I do suspect the original cert was incorrectly dated and, once configured and restored to factory default, a correctly dated cert was produced. I wish manufacturers, including Cisco, of which I am a big fan, would spend more time on product QA and usability engineering so we in the middle between user and maker would not have to waste so much time on trial and error.

privatecis
Level 1

Running into the same issue with RV325 OpenVPN on the 1.3.1.12 firmware. Of course I made the mistake of deleting the default CA and generated my own and now nothing shows up in the OpenVPN settings and the server does not seem to start at all. I guess I have to reset to "Factory Defaults including Certificates" and start all over.

Question: if you do not delete the default certificate, can you still create new certificates and use those for OpenVPN, or must you use the default certificate as that's the only way to get it to work?

Yes, no issue.

The default certificate can be left unused, even as the certificate for the web interface.

Indeed. I did a reset including certificates and was able to upload a couple of CAs I had generated before and generate new OVPN server and client certs. OVPN works. I assume the trick is to not delete the default certificate.

Is there a way to push a DNS server and search domain from the server to the client in split tunnel mode?

Also, now I'm looking to set up IPSec as only 5 tunnels for OVPN is not enough. So strange that the RV325 provides so many VPN options, all with various limits and no documentation or client software.

Is there a way to push a DNS server and search domain from the server to the client in split tunnel mode?
push "dhcp-option DNS LAN.IP.ADDR.XXX"

but I know that some client software does not use these settings properly in split mode.

I know that for OVPN servers in general, but where do we enter it on the RV325?

I know I can also add that option in the VPN client or .ovpn file itself but I'd like it done by the server at connection time, rather than multiple users maintaining their local settings.

It feels more and more like this OpenVPN in the RV325 is a joke, one is better off just installing a proper OpenVPN server on Linux, for full control.

The .ovpn file is generated by the router using the web interface, so you can't: the web interface doesn't allow adding this option in split mode. The only way is to set the DNS manually on the client interface and not use FQDNs.

Basically, the OpenVPN server is a good thing on this router as it allows me to manage connections directly from the router. In my case, I can power off my NAS and power it up when needed using my VPN.

Your case (split mode + private LAN DNS only when the VPN is up) is quite tricky and most low-cost stock routers will not allow you to do so. You will have to set up a VPN server for that or find a DD-WRT router. But even in that case, I am not sure your solution would work in split mode.

Another tip is to add your personal DNS as secondary DNS for each client; that way, your internal naming will be resolved.

Good luck
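The reply above says the RV32x web interface has no field for this push line in split mode, so the following is an added example (mine, not the router's generated output and not from this thread) of what the same split tunnel with pushed DNS looks like in a standalone OpenVPN 2.4 server configuration, the "proper OpenVPN server on Linux" alternative mentioned earlier. The tunnel subnet, LAN subnet, resolver address and search domain are placeholders.

```conf
# Added example: server-side fragment for a standalone OpenVPN 2.4 server.
# All addresses and the domain below are placeholders, not values from the thread.

# Tunnel network handed out to clients
server 10.8.0.0 255.255.255.0

# Split tunnel: push only the LAN route. Without "redirect-gateway" the
# client keeps its own default route, so only LAN traffic enters the tunnel.
push "route 192.168.1.0 255.255.255.0"

# Resolver that lives inside the LAN, plus the search domain so short
# hostnames resolve without typing the FQDN
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN lan.example"

# Full-tunnel alternative (the recommendation given later in this thread):
# uncomment to send all client traffic, including DNS, through the VPN.
# push "redirect-gateway def1"
```

The caveat from the reply still applies: OpenVPN on Windows applies dhcp-option to the tunnel adapter itself, while on Linux and macOS the client only exports these options to its up script (for example the update-resolv-conf script shipped with distribution packages) or relies on the GUI to apply them; if neither is in place, the pushed resolver is silently ignored and names are still resolved through the client's local DNS.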

Not applicable

If anyone is interested, I created a step by step doc for initial config on a RV32x.

Hope this helps

Hi,

First, thanks for your step-by-step document.

A few comments:

- Don't use the standard OpenVPN TCP port. Personally, I use UDP and a custom port (even though I have another router before the internet).

- Your admin login should be replaced by something other than "cisco".

- Prefer full tunnelling (more compatible with Android phones, and all packets go through your VPN and not over a free public Wi-Fi, for example).

- You can also use the internal firewall rules to allow or block incoming traffic to the VPN (for example, allow one IP if it's for home working, or allow only during the day, and block everything else for that VPN. That way you can use log alerts for intrusions).

- Log > System Log > activate the log of "Deny Policies" and fill in the email setup. That way you will discover that TCP and 1194 is not a good idea even if no one knows your router exists!!! I thought it was a myth for scaring children, but no, the internet is constantly scanned for vulnerabilities and rarely by good guys.

Note concerning UDP vs TCP:

If you use Wireshark a bit, you will discover that TCP is more verbose than UDP regarding the OpenVPN server. If you use UDP, your VPN will not be verbose anymore (server version, ...).

If you still use TCP, you will transmit some important information in the clear. Not directly critical, but it can help an attacker identify the server software and its security holes... If I remember correctly, it gives the version of the OpenVPN server, the CA name (if your name or company is in it, it could be a problem because you are exposing it to the internet), ...

Bye

Hello,

Can you please explain how to specify a custom UDP port in this file?

Thank you
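As an added example (mine, not the router-generated profile and not from this thread), these are the lines in a client .ovpn file that select the transport and port, together with the two settings that answer the earlier question about the <ca>...</ca> section and silence the "No server certificate verification method has been enabled" warning. The hostname, port and the certificate body are placeholders; the port and protocol must match whatever the router's OpenVPN server is set to listen on.

```conf
# Added example: client-side .ovpn fragment. Hostname, port and the CA body
# are placeholders to be replaced with your own values.
client
dev tun

# UDP on a non-default port instead of the default tcp/1194.
# Both values must match the listener configured on the router.
proto udp
remote vpn.example.net 51194

# Password-only login, as used in the thread; prompts for user/password.
auth-user-pass

# Verify the server: only accept a certificate that was issued by the CA
# below AND carries the server role. Without a line like this OpenVPN logs
# the "No server certificate verification method" warning and will talk to
# any server holding a certificate from that CA.
remote-cert-tls server

# The router's CA certificate, pasted inline between the tags.
<ca>
-----BEGIN CERTIFICATE-----
...paste the router CA certificate here...
-----END CERTIFICATE-----
</ca>
```

If the handshake fails after adding remote-cert-tls, the server certificate generated by the router probably lacks the server extended key usage that this check requires; in that case pin the server by name instead with verify-x509-name, which still removes the warning.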

Super helpful - thanks for doing this! I don't think I would have figured it out without your document.

emilianoRural
Level 1

Can somebody help me?
Mon Aug 13 11:25:23 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Mon Aug 13 11:25:23 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Aug 13 11:25:23 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Mon Aug 13 11:25:23 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Aug 13 11:25:23 2018 Need hold release from management interface, waiting...
Mon Aug 13 11:25:23 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'state on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'log all on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'echo all on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'bytecount 5'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'hold off'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'hold release'
Mon Aug 13 11:25:31 2018 MANAGEMENT: CMD 'username "Auth" "emiliano"'
Mon Aug 13 11:25:31 2018 MANAGEMENT: CMD 'password [...]'
Mon Aug 13 11:25:31 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 13 11:25:31 2018 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Mon Aug 13 11:25:31 2018 MANAGEMENT: Client disconnected
Mon Aug 13 11:25:31 2018 Cannot load inline certificate file
Mon Aug 13 11:25:31 2018 Exiting due to fatal error
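Added example (my code, not from this thread or from Cisco): a small Python triage that parses OpenVPN client log lines in the format shown above and maps the messages that matter to what to change. It recognises the two errors in this log and the warning quoted in the earlier question about the <ca> section: "ca md too weak" is OpenSSL refusing to load a certificate from the profile because its signature digest is below the library's security level (with OpenSSL 1.1.0's default level that means MD5), and the "No server certificate verification method" warning means the profile has no remote-cert-tls or verify-x509-name line. The sample log is the excerpt posted above; the check names and remediation strings are my own.

```python
"""Triage an OpenVPN client log for the problems shown in this thread.

Added example, not from the Cisco forum post. It parses the OpenVPN 2.x client
log format ("<weekday> <mon> <day> <hh:mm:ss> <year> <message>") and flags the
lines a defender should act on before retrying the connection.
"""
import re
from dataclasses import dataclass

# OpenVPN 2.x client log lines start with a ctime()-style timestamp.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$"
)

# Messages quoted in the thread, each paired with the fix (names and wording are mine).
CHECKS = {
    "no_server_verification": (
        re.compile(r"No server certificate verification method has been enabled"),
        "Add 'remote-cert-tls server' (or 'verify-x509-name') and the router CA "
        "in <ca>...</ca> to the client profile.",
    ),
    "weak_cert_digest": (
        re.compile(r"ca md too weak"),
        "A certificate in the profile is signed with a digest OpenSSL rejects "
        "(typically MD5); reissue CA, server and client certificates with SHA-256.",
    ),
    "inline_cert_load_failed": (
        re.compile(r"Cannot load inline certificate file"),
        "The <cert> block could not be loaded; usually a consequence of the digest error.",
    ),
    "fatal_exit": (
        re.compile(r"Exiting due to fatal error"),
        "The client gave up; fix the findings above before reconnecting.",
    ),
}


@dataclass
class Finding:
    key: str
    timestamp: str
    message: str
    remediation: str


def parse_log(text):
    """Return (timestamp, message) pairs; prompts such as
    'Enter Management Password:' carry no timestamp and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append((m.group("ts"), m.group("msg")))
    return entries


def diagnose(text):
    """Return one Finding per matched check, in log order."""
    findings = []
    for ts, msg in parse_log(text):
        for key, (pattern, fix) in CHECKS.items():
            if pattern.search(msg):
                findings.append(Finding(key, ts, msg, fix))
    return findings


def summary(text):
    """Map check key -> remediation for everything found; empty means the log is clean."""
    return {f.key: f.remediation for f in diagnose(text)}


# Excerpt of the client log posted in the thread (management-interface chatter omitted).
SAMPLE_LOG = """\
Mon Aug 13 11:25:23 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Mon Aug 13 11:25:23 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Enter Management Password:
Mon Aug 13 11:25:31 2018 MANAGEMENT: CMD 'password [...]'
Mon Aug 13 11:25:31 2018 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 13 11:25:31 2018 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Mon Aug 13 11:25:31 2018 MANAGEMENT: Client disconnected
Mon Aug 13 11:25:31 2018 Cannot load inline certificate file
Mon Aug 13 11:25:31 2018 Exiting due to fatal error
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.key}: {f.message}\n    -> {f.remediation}")
```

Run it on a saved client log (`diagnose(open("client.log").read())`) and work through the findings in order: the digest error is the one that actually stops the connection, while the verification warning is the one that should be fixed before the profile is trusted on an untrusted network.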
