How to configure CISCO RV320 OPENVPN internal server ?

landsteph49

Hello,

I have upgraded one of my RV320-K9 V01 to 1.3.1.10 (revision including OpenVPN support).

Parameters are far from what I was expecting, I hope next release will give more options.

I would like to have a working configuration (even if it is for testing purpose).

What should I do? (I have spent too much time trying lots of things without any success. For example, I can't select a CA cert as none are listed.)

BR,

LS

In addition to the selected answer:

I had to build server & client certificates with the Cisco certificate bundled in the router (and restored with Factory Default including Certificates).

Accepted Solution

Hi, I basically rolled my own issuer certificate under: certificate generator -> Self signed certificate

Once this was done I could generate my own server and client side certs for OpenVPN, where I could select my own cert as issuer.

  • One server side cert for the server.
  • One client side cert for each user.

After generating the certs the logins started to work. I was not able to pull off a cert-less login.


werner

Same problem here. I have updated my RV325 and basically created new OpenVPN users, exported the config into Tunnelblick (I am on OS X, but I have the same problem with Android), and no matter what I do I cannot get any connection.

Here is the Tunnelblick connection log:

2016-03-27 19:02:19 Socket Buffers: R=[131072->131072] S=[131072->131072]
2016-03-27 19:02:19 MANAGEMENT: >STATE:1459098139,RESOLVE,,,
2016-03-27 19:02:20 Attempting to establish TCP connection with [AF_INET]xx.xx.xx.xx:1194 [nonblock]
2016-03-27 19:02:20 MANAGEMENT: >STATE:1459098140,TCP_CONNECT,,,
2016-03-27 19:02:21 TCP: connect to [AF_INET]xx.xx.xx.xxx:1194 failed, will try again in 5 seconds: Connection refused

I am getting a connection refused no matter what I do in the firewall settings. I even factory reset my router, to no avail. I wonder if this feature works at all. I rather doubt it, given that I have zero problems opening an OpenVPN connection to a Synology, which also has an OpenVPN server integrated with a similar setup, just by forwarding the port.

Never mind, it was a misconfiguration on my side: I still had port forwarding enabled. I am now able to run a connection with a self-signed server certificate and client certificate.

OpenVPN works.

Hi,

On the server, I am not able to set the Root Certificate Authority as there is nothing inside, even if I make new certificates.

Concerning the server certificate, it's useless also, as it is a generator that will make this new certificate.

For the client, there is no possibility to set a certificate in my router...

How did you do the factory reset? Did you sanitize? Did you reset your certs too?

thx

Well, I will have to try a full reset:

System Management > Backup and Restore > Sanitize Configuration

System Management > Factory Default > Factory Default including Certificates

I am not sure of the purpose of the 1st action (sanitize).

Now it's working, but I am not happy with the current configuration. I will have to find out how to do it better next time.

1) I had to make a Factory Default including Certificates (the sanitize option didn't help).

2) I had to build server & client certificates with the Cisco certificate bundled in the router (and restored with Factory Default including Certificates).

After some investigation:

I think that this firmware is buggy.

When I have n+1 self-signed certs, only n self-signed certs are shown.

That's one example, but I think it's not the only problem.

Bye

I struggled to start the OpenVPN server too, but in the end I managed to run it. Also, I needed to reset my configuration anyway because I was upgrading from 1.1.1.xx firmware. Here I have a couple of points for attention:

  • The common name of the OpenVPN server certificate should differ from the rest of the certificates installed on the router. In general I had various problems when I installed more certificates with the same common name on the router.
  • The certificate generator does not allow generating more than one OpenVPN server certificate.
  • I managed to connect to OpenVPN without generating a client certificate, using password authentication, but I needed to specify the router "authority" certificate in the .ovpn client configuration file, e.g. paste it in the <ca>...</ca> section.

Hope this helps

The CN generally represents the server IP (or server name) of the equipment. That's why there is so much trouble generating multiple certs with the same CN.

In the OpenVPN settings, there are a couple of linked values that are important to know in order to easily make certs:

1) On the server setting: you can't select a root CA if there is no OpenVPN server cert defined. When you select a root CA, the OpenVPN server cert is automatically selected.

2) On the account setting, the root CA will be the same as the server CA. That's why your client cert has to use the same root CA.

3) You can create multiple client accounts, but you can't select the same client cert twice.

On my router, certs are something similar to (for OpenVPN, of course):

Root CA is the one bundled in the router (I didn't succeed in using my own root CA)

  • OpenVPN server cert:
    • OU = Vulcan High Council
    • CN = Vulcan High Council
  • OpenVPN client cert:
    • OU = Vulcan High Council (<= automatically set by the router)
    • CN = Vulcan Science Minister

In the server setting:

  • There is some bug regarding the CA selection (see my previous post), but it's working with the original root CA bundled in the router.
  • I chose UDP as it is more difficult to detect an open port using UDP and it is less verbose (in UDP, the VPN is not verbose at all; I used Wireshark to do some listening).
  • And for a more secure channel, I chose full tunnel (as split tunnel makes internet traffic not go inside the tunnel; only access to the LAN network goes through the split tunnel).

Can someone please explain how to make this work with password only and then be able to connect to it from OS X? Thank you, because it keeps going in a loop for me.

Hi,

1) Did you do a full factory reset?

2) On the tab "OpenVPN" > "OpenVPN Server", is your authentication set to "Password" only?

BR,

LS49

Yes, it's set to password only. I've also tried the Easy VPN way (using a MacBook with OS X and Cisco VPN), but also cannot get that to work; same problem. Does Firewall > SSL VPN need to be enabled? And any other rules/firewall stuff?

No other rules, and that can be a problem because you can't block the OpenVPN port (time-based, for example).

I didn't test password only, but as gk00000001 said above, you have to add the root certificate to the OpenVPN file you downloaded.

Steps are as follows:

- Configure the OpenVPN Cisco server (password only)

- Configure the OpenVPN Cisco username & password

- Download the .ovpn file

- Edit the .ovpn file and add, at the end of the file, the root certificate between <ca></ca> tags. Have a look at the FAQ available on OpenVPN

=> for this have a look at the following; it's also applicable to other OSes.

https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html

Chapter: Q: I am having trouble importing my .ovpn file.
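A small helper for the last step (inlining the router's root certificate into the exported .ovpn profile), added here as an example and not part of this thread or of Cisco's firmware; the sample profile and the PEM body are constructed placeholders, not real RV320 output:

```python
import re

# Constructed sample client profile, roughly the shape the router exports
# (hostname and port are placeholders, not real values).
SAMPLE_OVPN = """client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
ca router-ca.crt
verb 3
"""

# Constructed placeholder PEM: the body is NOT a real certificate.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE
-----END CERTIFICATE-----
"""

# One PEM certificate: header, base64 body lines, footer.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----"
)
# An existing inline <ca>...</ca> block, including its trailing newline.
_INLINE_CA_RE = re.compile(r"<ca>.*?</ca>\n?", re.DOTALL)
# A 'ca <file>' directive, which would otherwise conflict with the inline block.
_CA_FILE_RE = re.compile(r"^ca[ \t]+\S+[ \t]*\n?", re.MULTILINE)


def embed_ca(ovpn_text: str, ca_pem: str) -> str:
    """Return ovpn_text with ca_pem inlined as a <ca>...</ca> block.

    Any existing <ca> block or 'ca <file>' line is removed first, so the
    profile ends up with exactly one CA reference (what the Android and macOS
    importers expect). Calling this twice with the same PEM is a no-op.
    """
    pem = ca_pem.strip()
    if not _PEM_RE.fullmatch(pem):
        raise ValueError("ca_pem is not a single PEM-encoded certificate")
    body = _INLINE_CA_RE.sub("", ovpn_text)
    body = _CA_FILE_RE.sub("", body).rstrip("\n") + "\n"
    return body + "<ca>\n" + pem + "\n</ca>\n"


def ca_block_count(ovpn_text: str) -> int:
    """Count inline <ca> blocks; a well-formed profile has exactly one."""
    return len(_INLINE_CA_RE.findall(ovpn_text))
```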

I had to reset my router back to factory w/ certs as well. This is super frustrating. I've used DynDNS and OpenVPN for 6 years with ASUS and other routers and I had it up and running in less than 15 minutes on those. You couldn't have made that process more difficult if you tried. Come on Cisco, this is super embarrassing! I expect way more out of you...

I followed the above procedure described by landsteph49, but haven't been able to get OpenVPN to work.

This is my device:

PID VID: RV325-WB-K9 V01
Firmware Version: v1.5.1.13 (2020-10-27, 13:37:43)

I did the factory reset, including the root certificate.

After two days trying different things, still no joy so far.

I haven't been able to get any phone support either.

I thought about downgrading to v1.4, to see if it has something to do with the firmware, but I get the following warning in the firmware upgrade section: "1.2.1.14 is the first release to support Web Filtering feature. Please don't downgrade the firmware if the device PID is RV320-WB-K9 or RV325-WB-K9. Downgrading the firmware may damage your device." I'm not sure if it means that I shouldn't downgrade to something less than 1.2.1.14 or if I shouldn't downgrade from the current 1.5.1.13.

Anyone have any ideas what else to try?

Thanks!