I have upgraded one of my RV320-K9 V01 to 220.127.116.11 (revision including OpenVPN support).
Parameters are far from what I was expecting, I hope next release will give more options.
I would like to have a working configuration (even if it is for testing purpose).
What should I do ? (I have spent to much time to try lot of things without any success. for example, I can't select a CA cert as none are listed)
In addition to the selected answer :
I had to build server & client certificates with the cisco certificate bundled in the router (and restored with Factory Default including Certificates).
Solved! Go to Solution.
What do you mean with: " but I needed to specify the router "authority" certificate in the ovpn client configuration file, e.g. paste it in the <ca>...</ca> section."
What does need to be changed exactly? cause im trying to use this but it keeps looping when trying to connect to the router (Tunnelblick). Using password only.
Thank you so much for sharing the solution you have found. I don't quite understand why, but restoring to factory default with cert got OpenVPN working with password authentication. I do suspect the original cert was incorrectly dated and once configured and restored to factory default, produced correctly dated cert. I wish manufacturers including Cisco which I am a big fan of would spend more time on product QA and usability engineering so we in the middle between user and maker would not have to waste so much time on trial and error.
Running into the same issue with RV325 OpenVPN on the 18.104.22.168 firmware. Of course I made the mistake of deleting the default CA and generated my own and now nothing shows up in the OpenVPN settings and the server does not seem to start at all. I guess I have to reset to "Factory Defaults including Certificates" and start all over.
Question: if you do not delete the default certificate, can you still create new certificates and use those for OpenVPN or you must use the default certificate as that's the only way to get it to work?
Indeed. I did a reset including certificates and was able to upload a couple of CAs I had generated before and generate new OVPN server and client certs. OVPN works. I assume the trick is to not delete the default certificate.
Is there a way to push a DNS server and search domain from the server to the client in split tunnel mode?
Also, now I'm looking to set up IPSec as only 5 tunnels for OVPN is not enough. So strange that the RV325 provides so many VPN options, all with various limits and no documentation or client software.
I know that for OVPN servers in general, but where do we enter it on the RV325?
I know I can also add that option in the VPN client or .ovpn file itself but I'd like it done by the server at connection time, rather than multiple users maintaining their local settings.
It feels more and more like this OpenVPN in the RV325 is a joke, one is better off just installing a proper OpenVPN server on Linux, for full control.
OVPN is generated by the router using the web interface. so you can't as the web interface didn't allow to add this option when in split mode. the only way is to set manually the dns on the client interface manually and not use FQDN.
Basically, OpenVPN server is good thing on this router as it allow me to manage connection directly by the router. in my case, I can poweroff my NAS and power up when needed using my vpn.
Your case (split mode + private LAN DNS only - when vpn up) is quite tricky and most of low cost stock router will not allow you to do so. You will have to make a vpn server for that or find a ddwrt router. But even in that case, I am not sure your solution is working in split mode.
Another tip is to add your personnal DNS as secondary dns for each client, like that, your internal naming will be resolved.
1st, thx for your step-by-step document.
few comments :
- don't use standard openvpn TCP port. Personnnaly, I use UDP and a custom port (even if I have another router before internet).
- your admin login should be replaced by something else than "cisco"
- prefer full tunnelling (more compatible for Android phones, and all packets go through your vpn, and not over a free public wifi, for example)
- you can also use the internal firewall rules to allow or block incomming traffic to the vpn (for example, allow one IP if it's for homeworking, or allow only during the day, and block everything else for that vpn. Like that you can use log alerts for intrusion)
- log > System Log > activate the log of "Deny Policies" and fullfilled the email setup. Like that you will discover that TCP and 1194 is not a good idea even if no one know your router exist !!! I was thinking it was a myth, for scaring children, but no, internet is constantly scanned for vulnerabilities and rarely by good guys.
note concerning UDP vs TCP :
if you use wireshark a bit, you will discover that TCP is more verbose than UDP regarding the openvpn server. If you use UDP, your vpn will not be verbose anymore (server version, ...).
if you still use TCP, you will transmitt in clear some important information. Not critical directly, but can help an attacker to identify the server software, and its security holes... If I well remember, it give the version of the openvpn server, the CA name (if your name or company is in, it could be a problem because you are exposing it to the internet), ...
Can somebody help me?
Mon Aug 13 11:25:23 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Mon Aug 13 11:25:23 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Aug 13 11:25:23 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Mon Aug 13 11:25:23 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Mon Aug 13 11:25:23 2018 Need hold release from management interface, waiting...
Mon Aug 13 11:25:23 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'state on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'log all on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'echo all on'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'bytecount 5'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'hold off'
Mon Aug 13 11:25:24 2018 MANAGEMENT: CMD 'hold release'
Mon Aug 13 11:25:31 2018 MANAGEMENT: CMD 'username "Auth" "emiliano"'
Mon Aug 13 11:25:31 2018 MANAGEMENT: CMD 'password [...]'
Mon Aug 13 11:25:31 2018 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Aug 13 11:25:31 2018 OpenSSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
Mon Aug 13 11:25:31 2018 MANAGEMENT: Client disconnected
Mon Aug 13 11:25:31 2018 Cannot load inline certificate file
Mon Aug 13 11:25:31 2018 Exiting due to fatal error