openvpn with 2048bit Keys

Suggest improvements and new features for Gargoyle.

netbus
Posts: 14
Joined: Wed Sep 11, 2013 4:04 pm

openvpn with 2048bit Keys

Post by netbus »

Hello,
Gargoyle is generating generally only 1024bit Keys. Is it possible to increase it to 2048bit?
Thanks Tom

CaptainKansloos
Posts: 7
Joined: Thu Jul 05, 2012 3:56 am

Re: openvpn with 2048bit Keys

Post by CaptainKansloos »

My thoughts exactly! I wonder what the performance penalty will be for setting up a VPN tunnel though. I assume that you can change the default parameters in the openssl.conf file under /etc/ssl/ before activating OpenVPN for the first time:

Code:

####################################################################
[ req ]
default_bits		= 1024
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name

However, once configured, you'll probably need to run some OpenSSL-specific cmdline stuff to generate new 2048-bit keypairs and certificates.

Unfortunately, my openssl cmdline guru-ness is unimpressive :? , so hopefully some other guy will step in and formulate the correct steps. In the meantime, you could try some of the stuff on the OpenVPN config page on the OpenWRT website (although the easy-rsa directory is obviously missing on Gargoyle):
http://wiki.openwrt.org/inbox/vpn.howto

CaptainKansloos
Posts: 7
Joined: Thu Jul 05, 2012 3:56 am

Re: openvpn with 2048bit Keys

Post by CaptainKansloos »

CaptainKansloos wrote:In the meantime, you could try some of the stuff on the OpenVPN config page on the OpenWRT website (although the easy-rsa directory is obviously missing on Gargoyle):
http://wiki.openwrt.org/inbox/vpn.howto
Mmm, that last piece of advice seems just silly. This is probably a better link:
http://openvpn.net/index.php/open-sourc ... o.html#pki

You can use the easy-rsa utilities that come with the GUI installer of the official Windows OpenVPN client (provided you work on Windows as I do). I suppose you can use this to replace all keys and certificates on the router. I've been fiddling around a bit though, but I'm unsure on how to proceed. Any help is appreciated.

netbus
Posts: 14
Joined: Wed Sep 11, 2013 4:04 pm

Re: openvpn with 2048bit Keys

Post by netbus »

I have found 3 files where the value 1024 has to be replaced with 2048.
Then you can generate 2048-bit keys via the GUI.

Code:

/usr/lib/gargoyle/openvpn.sh
/www/openvpn.sh
/usr/lib/easy-rsa/vars

CaptainKansloos
Posts: 7
Joined: Thu Jul 05, 2012 3:56 am

Re: openvpn with 2048bit Keys

Post by CaptainKansloos »

netbus wrote:I have found 3 files where the value 1024 have to be replaced to 2048.
Nice! Will try this and report back!

I assume you also replaced the value of the dh1024.pem file reference, so it creates a dh2048.pem file instead?

CaptainKansloos
Posts: 7
Joined: Thu Jul 05, 2012 3:56 am

Re: openvpn with 2048bit Keys

Post by CaptainKansloos »

Worked like a charm! Thanks! For those people interested in a short manual:

Note: this is not supported from the GUI, so use this at your own risk:

1) Make sure you're running Gargoyle v1.6.1 or higher.
2) Disable the running OpenVPN service if you are already using it and delete all keys (you will be generating new ones later on). The 'delete all keys' button will become visible once you stop the OpenVPN service.
3) Connect to your router using SCP (i.e. WinSCP under Windows) and open the following files:

Code:

/usr/lib/gargoyle/openvpn.sh
/www/openvpn.sh
/usr/lib/easy-rsa/vars

Make a copy of all the files before you alter them, so you have a safety net. Now, find all '1024' entries and replace them with a value of '2048'. Save the files.

4) At this point, restart your router.
5) Navigate to the OpenVPN page again using the GUI and start the OpenVPN service. If all is well, your old config parameters should already be filled out (port number, subnet etc.).

You should be prompted to generate new keys/certificates, which will take a while. The warning states 5-10 minutes, but the keys are twice the size, so this may take some more time. On my Netgear WNDR3700v2 this took about 10 min, I guess.

6) Once completed, generate new client config packages to include the new keys/certificates.
7) Replace all old OpenVPN config and profile files in your OpenVPN clients, and import the contents of the new config.
8) You're done! Get some coffee :D
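The manual edit in step 3 above (and netbus's list of the three files) is easy to get wrong by hand and leaves no way to confirm that the GUI really produced 2048-bit material afterwards. The following POSIX shell script is an added example, not code from the thread or from the Gargoyle project: it backs up each of the three files, replaces every 1024 with 2048 (which also turns the dh1024.pem reference into dh2048.pem), and provides a check that reads the key size out of the regenerated server certificate with openssl. It assumes that the literal token 1024 appears in those files only where the key or DH parameter size is meant, which is what the thread reports; the sample files built by make_sample are constructed stand-ins so the edit can be rehearsed off the router.

```shell
#!/bin/sh
# Added example (not from the thread or the Gargoyle project): back up and
# patch the three files netbus listed so the GUI generates 2048-bit keys,
# then verify the regenerated certificate.
# ASSUMPTION: in these files the token 1024 only ever denotes a key/DH size.

OLD_BITS=1024
NEW_BITS=2048

# The three files named in the thread, relative to ROOT. ROOT empty means the
# router's real filesystem; point it at a scratch directory to rehearse.
ROOT="${ROOT:-}"
KEYSIZE_FILES="usr/lib/gargoyle/openvpn.sh www/openvpn.sh usr/lib/easy-rsa/vars"

# Number of lines in a file that still mention OLD_BITS (0 once patched).
count_old_bits() {
    n=$(grep -c "$OLD_BITS" "$1") || n=0
    echo "$n"
}

# Patch one file in place, keeping an untouched .orig copy as the safety net.
patch_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -f "$f.orig" ] || cp "$f" "$f.orig"       # never overwrite an existing backup
    sed "s/$OLD_BITS/$NEW_BITS/g" "$f.orig" > "$f"
    [ "$(count_old_bits "$f")" -eq 0 ]          # succeed only if nothing was missed
}

# Patch all three files under ROOT; stops at the first failure.
patch_all() {
    for rel in $KEYSIZE_FILES; do
        patch_file "$ROOT/$rel" || return 1
    done
}

# Print the RSA key size (bits) of an X.509 certificate as reported by openssl.
# Run it after the GUI has regenerated keys, e.g. on the server certificate,
# to confirm the result is 2048 and not still 1024.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Constructed stand-in for the router files (contents are illustrative only).
# Prints the scratch root so the caller can set ROOT to it.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/gargoyle" "$d/www" "$d/usr/lib/easy-rsa"
    printf 'KEY_SIZE=1024\nopenssl dhparam -out dh1024.pem 1024\n' > "$d/usr/lib/gargoyle/openvpn.sh"
    printf 'keySize = 1024\n' > "$d/www/openvpn.sh"
    printf 'export KEY_SIZE=1024\n' > "$d/usr/lib/easy-rsa/vars"
    echo "$d"
}

# Usage: sh keysize.sh demo        (rehearse on constructed files)
#        sh keysize.sh             (patch the real router paths; run on the router)
case "${1:-}" in
    demo)
        ROOT=$(make_sample)
        patch_all && echo "patched files under $ROOT (backups end in .orig)"
        ;;
    apply)
        patch_all && echo "patched; now reboot and regenerate keys from the GUI"
        ;;
esac
```

The .orig copies are the backups the thread recommends making; if the GUI later misbehaves, copying them back restores the 1024-bit defaults. The count check in patch_file is there because a stray 1024 left in the easy-rsa vars file would silently give you a 1024-bit CA again despite the rest of the procedure.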
