I had to generate new keys to use the latest version of OpenVPN client to connect to my Netgear R7000 router, as the stock ones used MD5 which is no longer supported.
I followed a guide to generate the new keys, producing a dh4096.pem cert, but since the router originally used a dh1024.pem cert, the guide simply instructs to rename dh4096.pem to dh1024.pem and overwrite the original file.
- This works, but for both learning and OCD purposes, I would like to modify the server configuration to point to the new file, keeping its real name dh4096.pem.
- I searched every file in the server's filesystem for 1024 in .conf files, .sh files, and everything readable containing vpn in its path, but with no luck.
I suspect that the OpenVPN executable looks for dh1024.pem by default and it's up to me to explicitly add a parameter indicating the new location or, in this case, the new name.
Where should I look?
BusyBox v1.7.2 (2017-06-15 22:36:14 CST) built-in shell (ash)
# /usr/local/sbin/openvpn --version
OpenVPN 2.3.1 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jun 15 2017
dh4096.pem cert, as a 2048 cert is more than sufficient, just as an encryption cipher over AES128 isn't needed, serving only to slow throughput with no additional gains in security (AES128 will remain uncrackable until >2030). Usually, OpenVPN config files are contained within /etc/openvpn. (Just an FYI, you may want to consider flashing OpenWrt, an open-source router firmware, as your router is not only running 3yr old firmware, OpenVPN 2.4 introduced several improvements, including TLS EC cipher support, which is more efficient.)

dh line within OpenVPN's config file [openvpn.conf] (man page), which is usually contained within /etc/openvpn [above]; however, Netgear could have implemented the config in a variety of ways, including from a script that writes it to /tmp or /var, and if this is the case, you'll need to remodify it after every reboot. Example tuned server and client configs