Openvpn License Key Generator

openvpn-client-key-gen.sh
#!/bin/bash
#
# OpenVPN Client Key Generation Script
#
# Author: rtfpessoa
# Date: 03-09-2016
#
# Based on the guide:
# * https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
#
# First argument: Client identifier
# Second argument: Generate key with password (any non-empty value)
client_key_name=$1
key_with_pass=$2

if [[ -z "$client_key_name" ]]; then
  echo 'Missing client key name!'
  exit 1
fi

VPN_DIR=~/openvpn-ca
KEY_DIR=${VPN_DIR}/keys
CLIENT_CFG_DIR=~/client-configs
OUTPUT_DIR=${CLIENT_CFG_DIR}/files
BASE_CONFIG=${CLIENT_CFG_DIR}/base.conf

# The generated .ovpn files contain private keys: keep the output directory private
mkdir -p "$OUTPUT_DIR"
chmod 700 "$OUTPUT_DIR"

# Create base.conf from the sample client config once, then adjust it for your server
# cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf

# Generate the client certificate and key with easy-rsa (build-key-pass prompts for a passphrase)
cd "${VPN_DIR}" || exit 1
source vars
if [[ -n "$key_with_pass" ]]; then
  ./build-key-pass "${client_key_name}"
else
  ./build-key "${client_key_name}"
fi

# Assemble a single .ovpn file with the CA, client cert, client key and TLS auth key inlined
cat "${BASE_CONFIG}" \
  <(echo -e '<ca>') \
  "${KEY_DIR}/ca.crt" \
  <(echo -e '</ca>\n<cert>') \
  "${KEY_DIR}/${client_key_name}.crt" \
  <(echo -e '</cert>\n<key>') \
  "${KEY_DIR}/${client_key_name}.key" \
  <(echo -e '</key>\n<tls-auth>') \
  "${KEY_DIR}/ta.key" \
  <(echo -e '</tls-auth>') \
  > "${OUTPUT_DIR}/${client_key_name}.ovpn"
openvpn-client-key-revoke.sh
#!/bin/bash
#
# OpenVPN Client Key Revocation Script
#
# Author: rtfpessoa
# Date: 03-09-2016
#
# Based on the guide:
# * https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
#
# First argument: Client identifier
client_key_name=$1

if [[ -z "$client_key_name" ]]; then
  echo 'Missing client key name!'
  exit 1
fi

# Revoke the client certificate and regenerate the CRL with easy-rsa
cd ~/openvpn-ca || exit 1
source vars
./revoke-full "${client_key_name}"

# Install the updated CRL where the server's crl-verify directive reads it
sudo cp -f ~/openvpn-ca/keys/crl.pem /etc/openvpn

When the OpenVPN Access Server is installed without a license key it allows only 2 simultaneous VPN connections. There is no time limit or functionality limit on this mode. The only difference between a licensed Access Server and an unlicensed one is the number of simultaneous OpenVPN tunnel connections the Access Server allows.


Revised 20 February 2021.


Contents

  • Dynamic DNS
  • Secure OpenVPN

Small home or office (SOHO) setups often involve services that a user wants to access when away from the home or office, for example security cameras, media collections and system monitoring tools. One solution for accessing these remotely is to open a number of firewall ports. An alternative and more secure method is to open a single port and enable access through an OpenVPN connection. This guide builds upon the pfSense baseline guide and illustrates how to configure pfSense and an iOS device to enable secure remote access.

Dynamic DNS

Most non-business internet connections provide service through a dynamic IP address as opposed to a static one. To enable remote devices to locate and access our network we can use a dynamic DNS service that keeps a DNS record updated with our network's current WAN address. pfSense has such a service that supports a wide variety of DNS providers. This guide will use Amazon's Route 53, but the same principles apply to the other providers although the authorisation settings may vary slightly.

Dynamic DNS Configuration

Navigate to Services > Dynamic DNS and Click Add

  • Service Type: Route53
  • Interface to monitor: WAN
  • Hostname: access.nguvu.org (replace with your domain)
  • Verbose logging:
  • HTTP API SSL/TLS Options:
  • Username: Route53 Access Key ID
  • Password & Password confirmation: Route53 Secret Access Key
  • Zone ID: Zone ID that you received when you created your domain in Route 53
  • TTL: 300
  • Description: VPN access

Click Save and then Force Update

If everything is correct, your Dynamic DNS record will be updated to your WAN address. We will use this record in our VPN tunnel connection settings later.

Dynamic DNS Verification

From the command line, perform a DNS lookup to verify that the correct address is being returned (I've obfuscated the address in the response below)
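As an added example (not part of the guide), the lookup above can be scripted so that the record is compared against the WAN address and a stale or duplicated record is reported rather than eyeballed. It assumes `dig` is installed, queries the public resolver the guide uses later for gateway monitoring (8.8.8.8) so that a cached local answer cannot mask an out-of-date record, and takes the expected WAN address as an argument (on pfSense it is shown under Status > Interfaces). The `resolve_a` wrapper exists so the lookup can be replaced by a stub when testing offline.

```shell
#!/bin/sh
# Added example, not from the guide: confirm the dynamic DNS record points at
# the current WAN address. Hostname below is the guide's; the expected address
# is supplied by the caller.
set -e

# A-record lookup at an external resolver (8.8.8.8, the monitor IP used later
# in the guide) so a locally cached answer does not hide a stale record.
# Assumes dig is available; wrapped so tests can substitute a stub.
resolve_a() {
    dig +short @8.8.8.8 "$1" A
}

# ddns_check HOSTNAME EXPECTED_WAN_ADDRESS
# Returns 0 only when exactly one A record is returned and it equals the
# expected address; prints a one-line verdict in every case.
ddns_check() {
    host=$1
    expected=$2
    # keep only dotted-quad answers (dig may also print CNAME targets)
    answers=$(resolve_a "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
    count=$(printf '%s\n' "$answers" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "FAIL: expected one A record for $host, got $count"
        return 1
    fi
    if [ "$answers" != "$expected" ]; then
        echo "STALE: $host -> $answers but WAN is $expected (use Force Update in pfSense)"
        return 1
    fi
    echo "OK: $host -> $answers"
    return 0
}

# Usage: sh ddns_check.sh access.nguvu.org <your WAN address>
if [ $# -eq 2 ]; then
    ddns_check "$1" "$2"
fi
```

The check deliberately fails on more than one A record: a dynamic DNS record that accumulates addresses usually means a provider-side update went wrong, and clients would connect to the wrong host intermittently.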

Secure OpenVPN

To provide secure access through OpenVPN we need to provision a Certificate Authority (CA) and generate a suitable certificate. The CA issues and validates the certificates that will secure the VPN.

Cipher selection

I decided to leave my recommendation as-is for a 4096-bit RSA based system rather than a more modern elliptic curve based method for a couple of reasons.

  • RSA is a proven technology and, at 4096 bits, is considered secure against current computing hardware.
  • Elliptic curve ciphers are less mature and haven't been subjected to the same extensive and rigorous testing as RSA. There could be design flaws or faulty implementations still to be discovered.
  • Snowden documents suggested that the NSA actively tried to enable surveillance by embedding weaknesses in commercially deployed technology, including at least one NIST standard.
  • Several experts question the NIST curve constants and believe the NSA has manipulated them.

I’ve added some links in the reference section below for further reading. I welcome feedback and suggestions as this is an area I’m actively researching.

Configure Certificate Authority (CA)

Navigate to System > Cert Manager > CAs

  • Click +Add

Create / Edit CA

  • Descriptive Name = Roadwarrior_CA
  • Method = Create an Internal Certificate Authority
  • Trust Store: Add this Certificate Authority to the Operating System Trust Store:
  • Randomize Serial: Use random serial numbers when signing certificates:

Internal Certificate Authority

  • Key Type: RSA, 4096
  • Key Length: 4096
  • Digest Algorithm: SHA512
  • Lifetime (Days): 3650
  • Common Name: internal-ca
  • Country Code: Your country or blank
  • State or province: Your State or blank
  • City: Your City or blank
  • Organization: Your Company or blank
  • Organizational Unit: Your department name or blank

Save

Verify your certificate authority looks like this when done

Generate certificate

Navigate to System > Cert Manager > Certificates

  • Click Add/Sign

  • Method: Create an internal certificate
  • Descriptive name: Roadwarrior_cert

Internal Certificate

  • Certificate authority: Roadwarrior_CA
  • Key Type: RSA, 4096
  • Digest Algorithm: SHA512
  • Lifetime (Days): 398 (Server certificates should not have a lifetime over 398 days or some platforms may consider the certificate invalid)
  • Common Name: internal-ca
  • Country Code: Your country or blank
  • State or province: Your State or blank
  • City: Your City or blank
  • Organization: Your Company or blank
  • Organizational Unit: Your department name or blank

Certificate Attributes

  • Certificate Type = Server certificate
  • Alternative names
    - Type: FQDN or Hostname
    - Value: empty

Save


Verify your certificate looks like this when done

Configure Certificate Revocation List

The Certificate Revocation List (CRL) allows issued certificates to be revoked so that the server no longer accepts them.

Navigate to System > Certificates > Certificate Revocation

  • Next to Roadwarrior_CA, Click on Add or Import CRL
  • Method = Create an internal Certificate Revocation List
  • Descriptive name = Roadwarrior CRL
  • Certificate Authority: Roadwarrior_CA

Internal Certificate Revocation List

  • Lifetime Days = 9999
  • Serial 0


Click Save

Configure OpenVPN server

This section configures a secure OpenVPN server on port 443 rather than the default OpenVPN port of 1194. This reduces the likelihood of a remote network blocking access to your local infrastructure because outbound port 1194 is not permitted.

Navigate to VPN > OpenVPN > Server

Click +Add

General Information

  • Disabled:
  • Server Mode: Remote Access (SSL/TLS)
  • Protocol: UDP on IPv4 only
  • Device mode: tun Layer 3 Tunnel Mode
  • Interface: WAN
  • Port: 443
  • Description: Roadwarrior VPN

Cryptographic settings

  • TLS Configuration:
  • Automatically generate a shared TLS authentication key =
  • Peer certificate authority = Roadwarrior_CA
  • Peer certificate revocation list = Roadwarrior_CRL (CA: Roadwarrior_CA)
  • OCSP Check: Check client certificates with OCSP
  • Server certificate: Roadwarrior_cert (Server Yes, CA: Roadwarrior_CA)
  • DH Parameter Length: 4096 bit
  • ECDH curve: Use Default
  • Data Encryption Negotiation:
  • Allowed Data Encryption Algorithms: AES-256-GCM
  • Fallback Data Encryption Algorithm: AES-256-CBC
  • Auth Digest algorithm: SHA512 (512 bit)
  • Hardware crypto: Intel RDRAND engine - RAND
  • Certificate Depth: One (Client + Server)

Tunnel Settings

  • IPv4 Tunnel: 192.168.200.0/24
  • IPv6 Tunnel: blank
  • Redirect IPv4 Gateway: Force all client generated traffic through the tunnel.
  • Redirect IPv6 Gateway:
  • IPv4 Local network(s): empty
  • IPv6 Local network(s): empty
  • Concurrent Connections: empty
  • Compression: Refuse any non-stub compression (most secure)
  • Push compression:
  • Type-of-service:
  • Inter-client communication:
  • Duplicate Connection:

Client Settings

  • Dynamic IP: Allow connected clients to retain their connections if their IP address changes.
  • Topology: Subnet - One IP address per client in common subnet

Ping Settings

  • Inactive: 0
  • Ping method: keepalive - use keepalive helper to define ping configuration
  • Interval: 5
  • Timeout: 30

Advanced Client Settings

  • DNS Default Domain:
  • DNS Default Domain: local.lan
  • DNS Server enable:
  • DNS Server 1: 192.168.200.1
  • DNS Server 2: empty
  • DNS Server 3: empty
  • DNS Server 4: empty
  • Block Outside DNS:
  • Force DNS cache update:
  • NTP Server Enable:
  • NTP Server 1: 192.168.200.1
  • NTP Server 2: blank
  • NetBIOS enable:

Advanced Configuration

  • Custom options = mute-replay-warnings (may be helpful if you see replay warnings in the OpenVPN logs)
  • UDP Fast I/O =
  • Exit notify: Reconnect to this server, retry once
  • Send/receive buffer = 512KiB
  • Gateway creation: IPv4 only
  • Verbosity level: default
  • Save
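As an added example (not part of the guide, and not the file pfSense generates), the server settings above are written out as the OpenVPN 2.5 directives I would use in a hand-maintained server.conf, placed beside a constructed legacy-style configuration, with a small audit function that flags the settings this section tightens: a missing control-channel key, missing CRL checking, missing remote-cert-tls, a weak auth digest, no data-ciphers list, 64-bit block ciphers and compression. The mapping from GUI choices to directives is my own reading of the OpenVPN manual, and the certificate file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: audit an OpenVPN server configuration for the
# settings the guide hardens. Both sample files below are constructed for this example.
set -e
WORK=$(mktemp -d)

# Constructed sample: the guide's choices as OpenVPN 2.5 server directives
cat > "$WORK/roadwarrior.conf" <<'EOF'
port 443
proto udp4
dev tun
topology subnet
server 192.168.200.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DOMAIN local.lan"
push "dhcp-option DNS 192.168.200.1"
push "dhcp-option NTP 192.168.200.1"
ca ca.crt
cert server.crt
key server.key
dh dh4096.pem
tls-auth ta.key 0
crl-verify crl.pem
remote-cert-tls client
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512
float
keepalive 5 30
allow-compression stub-only
explicit-exit-notify 1
sndbuf 524288
rcvbuf 524288
mute-replay-warnings
persist-key
persist-tun
EOF

# Constructed sample: an older-style server with the weaknesses the audit should catch
cat > "$WORK/legacy.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher BF-CBC
auth SHA1
comp-lzo
keepalive 10 120
EOF

# opt FILE DIRECTIVE: first argument of the directive ("" if absent); has FILE DIRECTIVE: presence
opt() { awk -v d="$2" '$1 == d { print $2; exit }' "$1"; }
has() { awk -v d="$2" '$1 == d { f = 1 } END { exit !f }' "$1"; }

# audit_openvpn_conf FILE: print one finding per line; always returns 0
audit_openvpn_conf() {
    f=$1
    has "$f" tls-auth || has "$f" tls-crypt ||
        echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    has "$f" crl-verify ||
        echo "no crl-verify: revoked client certificates are still accepted"
    has "$f" remote-cert-tls ||
        echo "no remote-cert-tls client: a server certificate could connect as a client"
    d=$(opt "$f" auth)
    case "$d" in
        SHA256|SHA384|SHA512) ;;
        *) echo "auth digest is '${d:-SHA1 (default)}', the guide uses SHA512" ;;
    esac
    [ -n "$(opt "$f" data-ciphers)" ] ||
        echo "no data-ciphers: AES-GCM is not enforced for the data channel"
    case "$(opt "$f" cipher)" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|RC2-CBC)
            echo "legacy 64-bit block cipher '$(opt "$f" cipher)' configured" ;;
    esac
    if has "$f" comp-lzo || [ -n "$(opt "$f" compress)" ] ||
       [ "$(opt "$f" allow-compression)" = yes ]; then
        echo "compression enabled: compressing encrypted tunnel data can leak plaintext"
    fi
    return 0
}

# count_findings FILE: number of audit findings
count_findings() { audit_openvpn_conf "$1" | grep -c . || true; }

# Usage: sh audit.sh /path/to/server.conf   (no argument audits the two samples)
if [ $# -ge 1 ]; then
    audit_openvpn_conf "$1"
else
    for c in roadwarrior legacy; do
        echo "== $c.conf: $(count_findings "$WORK/$c.conf") finding(s)"
        audit_openvpn_conf "$WORK/$c.conf"
    done
fi
```

Run against the two samples the guide-equivalent file produces no findings and the legacy file produces seven; pointing the script at an exported server configuration is a quick way to confirm the GUI choices took effect after a pfSense or OpenVPN upgrade.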

Assign OpenVPN interface

Create an interface for the OpenVPN server to support the configuration of firewall rules and enable other services such as NTP & DNS.

Navigate to Interfaces > Assign

Select ‘ovpns4 (Roadwarrior VPN)’
Click Add

Click on the OPTx interface next to Roadwarrior VPN Network port

  • Enable =
  • Description = RW_VPN
  • IPv4 Configuration Type = None
  • IPv6 Configuration Type = None
  • Mac controls : Blank
  • MTU = blank
  • MSS = blank
  • Block private networks =
  • Block bogon networks =
  • Save & Apply changes

After saving and applying the configuration, the interface should look similar to this

Configure OpenVPN gateway

Navigate to System > Routing

Click ‘copy gateway’ icon next to RW_VPN_VPNV4 gateway

  • Disabled =
  • Interface = RW_VPN
  • Address Family = IPv4
  • Name = RW_VPN
  • Gateway = Dynamic
  • Default Gateway =
  • Gateway Monitoring =
  • Gateway Action =
  • Monitor IP = 8.8.8.8 or use another reliable public DNS server
  • Description = Interface RW_VPN Gateway
  • Save & Apply

Configure firewall rules

This section makes use of several aliases that were configured as part of my pfSense baseline guide.
This section will set up firewall rules for the OpenVPN interface to provide the following access:

  • Allow ping for network debugging
  • Allow access to LOCAL_SUBNETS only on approved ports (Allowed_OUT_ports_LAN)
  • Allow internet access via the VPN gateway group only on approved ports (Allowed_OUT_ports_WAN)

Navigate to Firewall > Rules and select RW_VPN

Allow Pings for network diagnostics

  • Click ‘↴+’
  • Action: Pass
  • Disabled:
  • Interface: RW_VPN
  • Address Family: IPv4
  • Protocol: ICMP
  • ICMP Type: Any
  • Source: RW_VPN net
  • Destination: Any
  • Log:
  • Description: RW_VPN: Pass ICMP
  • Click [Save]

Allow traffic to local subnets (LOCAL_SUBNETS) on permitted ports (Allowed_OUT_ports_LAN).

  • Click ‘↴+’
  • Action: Pass
  • Disabled:
  • Interface: RW_VPN
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Source: RW_VPN net
  • Destination:
    - invert match:
    - Single host or alias
    - LOCAL_SUBNETS
  • Destination Port Range:
    - From: Other
    - Custom: Allowed_OUT_ports_LAN
    - To: Other
    - Custom: Allowed_OUT_ports_LAN
  • Log:
  • Description: RW_VPN: Pass local traffic
  • Click [Save]

Pass approved internet bound traffic out the VPN gateway

  • Click ‘↴+’
  • Action: Pass
  • Disabled =
  • Interface: RW_VPN
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Source: RW_VPN net
  • Destination:
    - Invert Match:
    - Single host or alias
    - Address: LOCAL_SUBNETS
  • Destination Port Range:
    - From: Other
    - Custom: Allowed_OUT_ports_WAN
    - To: Other
    - Custom: Allowed_OUT_ports_WAN
  • Log =
  • Description: RW_VPN: Pass approved internet via VPN_GROUP
  • Click Advanced Options
  • Gateway: VPN_Group
  • Click [Save]

Default Block & log IPv4

  • Click ‘↴+’
  • Action: Reject
  • Disabled =
  • Interface: RW_VPN
  • Address Family: IPv4
  • Protocol: any
  • Source: Any
  • Destination: Any
  • Log:
  • Description: RW_VPN: Default reject IPv4
  • Click [Save]

Block default IPv6

  • Click ‘↴+’
  • Action: Reject
  • Disabled =
  • Interface: RW_VPN
  • Address Family: IPv6
  • Protocol: any
  • Source: Any
  • Destination: Any
  • Log:
  • Description: RW_VPN: Default reject IPv6
  • Click [Save]

The RW_VPN rules should look like this when complete.


Open VPN WAN port

To enable devices to connect to the OpenVPN server, the firewall needs UDP port 443 opened on the WAN interface.

Navigate to Firewall > WAN

Select ↑Add

  • Action: Pass
  • Disabled:
  • Interface: WAN
  • Address family: IPv4
  • Protocol: UDP
  • Source: Any
  • Destination:
    - Invert match:
    - Address: WAN address
  • Destination Port Range:
    - From: HTTPS (443)
    - To: HTTPS (443)
  • Log:
  • Description: WAN: Allow RW_VPN
  • Save & Apply

Your WAN interface rules should look like this when done.

Configure DNS resolution

Navigate to Services > DNS Resolver

Under the Network Interfaces dropdown, verify that RW_VPN is selected, adding it if necessary

Save & Apply

Configure Network Address Translation (NAT)

NAT is needed to translate the private tunnel addresses (192.168.200.0/24) to a public address before traffic is sent to the internet. This section illustrates how to configure this for the VPN_WAN gateway (or gateways, if you have already followed my multiple-VPN failover guide).

Navigate to Firewall > NAT and select the Outbound tab

Create 'RW_VPN to VPN_WAN' NAT

Click ↴Add

  • Disabled:
  • Do not NAT:
  • Interface: VPN_WAN
  • Protocol: any
  • Source
    - Type: Network
    - Source Network: 192.168.200.0 / 24
    - Source port: Blank
  • Destination
    - Type: Any
    - Address: Blank
    - Destination Port: Blank
  • Not :
  • Translation
    - Address: Interface Address
    - Port:
  • Miscellaneous
    - Description: RW_VPN to VPN_WAN
  • Click Save

Create 'RW_VPN to VPN2_WAN' NAT

Click ↴Add

  • Disabled:
  • Do not NAT:
  • Interface: VPN2_WAN
  • Protocol: any
  • Source
    - Type: Network
    - Source Network: 192.168.200.0 / 24
    - Source port: Blank
  • Destination
    - Type: Any
    - Address: Blank
    - Destination Port: Blank
  • Not :
  • Translation
    - Address: Interface Address
    - Port:
  • Miscellaneous
    - Description: RW_VPN to VPN2_WAN
  • Click Save

Create 'RW_VPN to VPN3_WAN' NAT

Click ↴Add

  • Disabled:
  • Do not NAT:
  • Interface: VPN3_WAN
  • Protocol: any
  • Source
    - Type: Network
    - Source Network: 192.168.200.0 / 24
    - Source port: Blank
  • Destination
    - Type: Any
    - Address: Blank
    - Destination Port: Blank
  • Not :
  • Translation
    - Address: Interface Address
    - Port:
  • Miscellaneous
    - Description: RW_VPN to VPN3_WAN
  • Click Save

Update aliases

The LOCAL_SUBNETS alias is used to identify internal and external networks. Verify that the RW_VPN address range (192.168.200.0/24) is included in the alias so that policy routing continues to function correctly. If you followed a later revision of my baseline guide, you may instead have a 192.168.0.0/16 entry; if so, this already includes the 192.168.200.0/24 subnet.

Navigate to Firewall > Aliases

Click the pencil icon next to the LOCAL_SUBNETS alias to edit the list

Add the RW_VPN address range, i.e

  • 192.168.200.0 / 24 “RW_VPN”

Click Save & Apply

Your LOCAL_SUBNETS alias should look like this when done.

Generate VPN user certificate

This section illustrates how to create a client certificate for a specific user or device to connect remotely. Although it's possible to configure OpenVPN to accept the same certificate from multiple clients, it is a less secure solution and is avoided here.

Navigate to System > Cert Manager > Certificates

Click Add/Sign

  • Method: Create an internal certificate
  • Descriptive name: nguvu_iphone_cert

Internal Certificate

  • Certificate authority: Roadwarrior_CA
  • Key type: RSA, 4096
  • Digest Algorithm: SHA512
  • Lifetime (Days): 3650
  • Common Name: a memorable name for this certificate, e.g. nguvu_iphone
  • Country Code: Your country or blank
  • State or province: Your State or blank
  • City: Your City or blank
  • Organization: Your Organisation or blank
  • e-mail Address: Your email or blank

Certificate Attributes

  • Certificate Type: User certificate
  • Alternative names: FQDN or Hostname blank
  • Save

When complete the certificate summary should look similar to this.

Install OpenVPN Client Export wizard

The Client Export Wizard simplifies the export of client certificates in a format compatible with a number of devices and software packages.

Navigate to System > Packages > Available packages and click Install next to the OpenVPN-client-export to install the utility.

A window will display installation progress…

Export user certificate

Navigate to VPN > OpenVPN and select the Client Export tab. Configure as follows:

OpenVPN Server

  • Remote Access Server: Roadwarrior VPN UDP:443

Client Connection Behaviour

  • Host name Resolution: Other
  • Hostname: access.nguvu.org (replace with the dynamic DNS hostname you set up earlier)
  • Verify Server CN: Automatic - Use verify-x509-name where possible
  • Block outside DNS:
  • Legacy Client:
  • Silent Installer:
  • Use Random local port:

Certificate export options

  • PKCS#11 Certificate storage: Use PKCS#11 storage device (cryptographic token, HSM, smart card) instead of local files.
  • Microsoft certificate storage: Use Microsoft Certificate Storage instead of local files.
  • Password protect certificate: Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

Proxy Options

  • Use a proxy: Use proxy to communicate with the OpenVPN server.

Advanced

  • Additional configuration options: empty

Click Save as default

Certificates can be exported by selecting one of the options to the right of each certificate.

Click on OpenVPN connect (Android or iOS) and a .ovpn configuration file will be downloaded to your desktop.

Install client software

The official OpenVPN Connect client applications (iOS & Android) provide easy to use and secure OpenVPN functionality and can use the exported .ovpn configuration file.
There are many ways to transfer the configuration file to your device. Be mindful of the security risks of transferring this file via a third-party service such as email or Dropbox. This file contains all the details needed to access your network remotely, so it's worth taking precautions to prevent it being compromised. Consider using a self-hosted file storage system such as Seafile or a direct connection utility such as Instashare.

Having transferred the configuration file to the mobile device, there will be a prompt to add the connection profile.

Once imported, it's possible to connect.

Assuming everything has gone well, your mobile device should connect to your OpenVPN server.

If the connection isn’t successful, inspect the logs available within the application.

Here’s a log example for reference

Verification of functionality and performance

Navigate to Status > OpenVPN

Verify the OpenVPN tunnel is connected as expected

Revoking certificates

To revoke a certificate, navigate to System > Cert Manager > Cert Revocation

  • Click Edit CRL next to Roadwarrior_CRL

Select the certificate to revoke, enter a reason and select 'Add'

The certificate is now revoked and access is denied. It is possible to reinstate the certificate by deleting the revocation with the blue 'x' on the right of the screen.
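As an added example (not part of the guide), the certificate life cycle the guide walks through in the pfSense GUI, in the Configure Certificate Authority, Generate certificate, Configure Certificate Revocation List, Generate VPN user certificate and Revoking certificates sections, is reproduced below with openssl so that each result can be inspected and checked: RSA 4096, SHA512, a 3650-day CA, a 398-day server certificate, a user certificate, a CRL with the guide's 9999-day lifetime, and a revocation that makes `openssl verify -crl_check` reject the user certificate. The scratch directory, the file names, the server common name, the revocation reason and the hypothetical `demo` entry point are my constructions; the lifetimes, digest and key size are the guide's values.

```shell
#!/bin/sh
# Added example, not from the guide: the guide's CA / server cert / user cert / CRL /
# revocation steps done with openssl. Names and the scratch directory are constructed.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"   # scratch directory (assumption)

init_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"          # certificate database used by "openssl ca"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ca]
default_ca = roadwarrior
[roadwarrior]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/Roadwarrior_CA.crt
private_key      = \$dir/Roadwarrior_CA.key
default_md       = sha512
default_days     = 3650
default_crl_days = 9999
policy           = policy_any
[policy_any]
commonName = supplied
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = internal-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[user_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Roadwarrior_CA: self-signed, RSA 4096, SHA512, 3650 days
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha512 -days 3650 -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/Roadwarrior_CA.key" -out "$CA_DIR/Roadwarrior_CA.crt" 2>/dev/null
}

# issue_cert NAME CN DAYS EXTENSION_SECTION: RSA 4096 key, CSR and CA-signed certificate
issue_cert() {
    openssl req -new -newkey rsa:4096 -nodes -sha512 -subj "/CN=$2" -config "$CA_DIR/ca.cnf" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -days "$3" -extensions "$4" \
        -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Regenerate Roadwarrior_CRL and the CA+CRL bundle that verification reads
gen_crl() {
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/Roadwarrior_CRL.pem" 2>/dev/null
    cat "$CA_DIR/Roadwarrior_CA.crt" "$CA_DIR/Roadwarrior_CRL.pem" > "$CA_DIR/bundle.pem"
}

# revoke_cert NAME: mark the certificate revoked with a reason and publish a new CRL
revoke_cert() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" -crl_reason superseded 2>/dev/null
    gen_crl
}

# Checks, each returning 0 on success so they can be scripted or asserted on
cert_accepted()    { openssl verify -crl_check -CAfile "$CA_DIR/bundle.pem" "$CA_DIR/$1.crt" >/dev/null 2>&1; }
key_bits()         { openssl x509 -in "$CA_DIR/$1.crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
digest_is_sha512() { openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -q 'Signature Algorithm: sha512WithRSAEncryption'; }
# lifetime_at_most_days NAME N: true when the certificate expires within N (+1 day slack) days
lifetime_at_most_days() { ! openssl x509 -in "$CA_DIR/$1.crt" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null; }

demo() {
    init_ca
    issue_cert Roadwarrior_cert roadwarrior-server 398 server_cert   # server cert within the 398-day limit
    issue_cert nguvu_iphone_cert nguvu_iphone 3650 user_cert         # user cert from the guide
    gen_crl
    cert_accepted nguvu_iphone_cert && echo "user certificate accepted"
    revoke_cert nguvu_iphone_cert
    cert_accepted nguvu_iphone_cert || echo "user certificate rejected after revocation"
    lifetime_at_most_days Roadwarrior_cert 398 && echo "server certificate lifetime within 398 days"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Running `sh roadwarrior_ca.sh demo` prints the three verdicts; the same `cert_accepted` check, pointed at an exported CA and CRL, confirms that a revocation made in the GUI actually reaches the CRL the server enforces, which is the step the easy-rsa revoke script at the top of this page performs with `revoke-full` and a copy of crl.pem.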

References

torproject: NIST approved crypto in Tor
Wikipedia: Dual_EC_DRBG
New York Times: N.S.A. Able to Foil Basic Safeguards of Privacy on Web
CryptoExchange: Should we trust the NIST-recommended ECC parameters?
SafeCurves

20 February 2021
Updates for pfSense 2.5
Updates for OpenVPN 2.5
Added reasoning around RSA preferences over ECC ciphers

15 January 2018
Fixed error in certificate export instruction
Fixed typos

2 November 2017
Fixed roadwarrior certificate server type error
Fixed RW_VPN NAT section