To do this you'll need to use Notepad++ and have the OpenVPN software installed.
Prerequisites
1) Install the above prerequisites
a. Notepad++ & OpenVPN & OpenSSL may be installed in their default locations
2) Open Notepad++ in administrative mode (if you're opening the application from an icon on your Desktop, right-click on the icon while holding down the Shift key and select "Run as administrator", click yes on any UAC prompts. If you search for it in the Start Menu, just right click on it and select "Run as administrator")
3) Open File Explorer and browse to C:\Program Files\OpenVPN\sample-config
a. Copy the client.ovpn file to a convenient location to work on it, somewhere such as your Desktop
4) In the Notepad++ application you opened in step 2 above, click File > Open
a. Browse to where you saved the copy of client.ovpn in step 3 above and open it
5) Most of what is in the file will remain the same. Our goal is to set up this file so it contains everything the client computer will need to successfully connect to the OpenVPN server running on your EdgeRouter including the certificates and keys
a. Edit line 42 so it points to the external IP address of your EdgeRouter. If you use a Dynamic DNS service such as DynDns.com, ionos.com, noip.com, etc... you may insert your DDNS name here instead of the IP. Only change the my-server-1 section, leave the port number (1194) as is.
6) Here's where we get to the bulk of the edits. We'll be inserting the Certificate Authority certificate, the client cert & private no pass key as well as the TLS Auth key directly into the file. This will allow us to only have the OVPN file on the client machine and not have to copy the actual cert and key files themselves as well.
a. Comment out, by placing a semi-colon, lines 88, 89 & 90
b. Below line 90, insert a line reading <ca>
c. In Notepad++ open the ca.crt file from D:\EasyRSA\pki
i. Copy the contents of ca.crt into memory (CTRL+C)
d. Switch back to the client.ovpn file
e. Directly underneath the <ca> line, paste in what you copied from the ca.crt file
f. Directly underneath what you just pasted in, insert a line reading </ca>
g. The final result should look similar to this:
<ca>
-----BEGIN CERTIFICATE-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END CERTIFICATE-----
</ca>
h. Below the line </ca>, insert a line reading <cert>
i. In Notepad++ open the clientname.crt file from D:\EasyRSA\pki\issued
i. Copy the portion of clientname.crt between the Begin Certificate and End Certificate lines (including those lines), found at the bottom of that file, into memory (CTRL+C)
j. Switch back to the client.ovpn file
k. Directly underneath the <cert> line, paste in what you copied from the clientname.crt file
l. Directly underneath what you just pasted in, insert a line reading </cert>
m. The final result should look similar to this:
<cert>
-----BEGIN CERTIFICATE-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END CERTIFICATE-----
</cert>
n. Below the line </cert>, insert a line reading <key>
o. In Notepad++ open the clientname-nopass.key file from D:\EasyRSA\pki\private
i. Copy the contents of the clientname-nopass.key into memory (CTRL+C)
p. Switch back to the client.ovpn file
q. Directly underneath the <key> line, paste in what you copied from the clientname-nopass.key file
r. Directly underneath what you just pasted in, insert a line reading </key>
s. The final result should look similar to this:
<key>
-----BEGIN RSA PRIVATE KEY-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END RSA PRIVATE KEY-----
</key>
t. Below the line </key>, insert a line reading key-direction 1
u. Below the line key-direction 1, insert a line reading <tls-auth>
v. In Notepad++ open the ta.key file from D:\EasyRSA\pki
i. Copy the contents of the ta.key into memory (CTRL+C)
w. Switch back to the client.ovpn file
x. Directly underneath the <tls-auth> line, paste in what you copied from the ta.key file
y. Directly underneath what you just pasted in, insert a line reading </tls-auth>
z. The final result should look similar to this:
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
Lines of lowercase letters and numbers (this is a hexadecimal number)
-----END OpenVPN Static key V1-----
</tls-auth>
aa. The completed section of certs and keys should look similar to this:
<ca>
-----BEGIN CERTIFICATE-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
Lines of random, gibberish looking text with upper and lowercase letters, symbols and numbers
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
Lines of lowercase letters and numbers (this is a hexadecimal number)
-----END OpenVPN Static key V1-----
</tls-auth>
7) In the section beginning with "If a tls-auth key is used...", uncomment the tls-auth ta.key 1 line by removing the semi-colon
8) In the section beginning with "Select a cryptographic cipher.", change the line reading cipher AES-256-CBC to cipher AES-256-GCM
9) Below that line, add a line reading auth SHA256
a. I moved the "Select a cryptographic cipher." section up in the file to line 45, just below the section beginning with "The hostname/IP and port of the server." I'm not certain this is absolutely necessary, but I wanted to set the cipher parameters early in the file.
10) At the bottom of my file I added two parameters. The first is float and the second is auth-nocache.
a. The float parameter, according to the OpenVPN manual, allows a remote peer to change its IP address and/or port number, such as due to DHCP.
b. The auth-nocache parameter prevents the caching of usernames and passwords in virtual memory.
c. At the end of the file, enter the following lines
i. float
ii. auth-nocache
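As an added example (not from the original post), the following Python script automates steps 5a through 10: it pulls only the PEM block out of EasyRSA's issued client cert, assembles the inline <ca>/<cert>/<key>/<tls-auth> section, and checks the finished profile before it is copied to the client. The certificate bodies, the CN laptop01 and the hostname vpn.example.com are constructed placeholders, not real key material.

```python
import re
# Constructed stand-ins for the files under D:\EasyRSA\pki (not real key material).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIBcaSample\n-----END CERTIFICATE-----\n"
SAMPLE_ISSUED_CRT = ("Certificate:\n    Data:\n        Subject: CN=laptop01\n"  # EasyRSA text dump
                     "-----BEGIN CERTIFICATE-----\nMIIBclientSample\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEkeySample\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_TA = ("#\n# 2048 bit OpenVPN static key\n#\n"
             "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----\n")

def extract_pem(text, label):
    """Return only the BEGIN..END block: EasyRSA's issued client cert carries a
    human-readable dump above the PEM that must not be pasted (step 6i)."""
    m = re.search(rf"-----BEGIN {re.escape(label)}-----.*?-----END {re.escape(label)}-----", text, re.S)
    if not m:
        raise ValueError(f"no {label} block found")
    return m.group(0)

def build_inline_section(ca_txt, cert_txt, key_txt, ta_txt):
    """Produce the <ca>/<cert>/<key>/key-direction 1/<tls-auth> section of step 6aa."""
    out = ""
    for tag, label, src in (("ca", "CERTIFICATE", ca_txt), ("cert", "CERTIFICATE", cert_txt),
                            ("key", "RSA PRIVATE KEY", key_txt)):
        out += f"<{tag}>\n{extract_pem(src, label)}\n</{tag}>\n"
    # key-direction 1 sits directly above the inline ta.key (steps 6t-6u)
    out += "key-direction 1\n<tls-auth>\n" + extract_pem(ta_txt, "OpenVPN Static key V1") + "\n</tls-auth>\n"
    return out

def validate_ovpn(config):
    """Pre-copy checks: each inline block is closed and holds its PEM markers, the
    my-server-1 placeholder from step 5a is gone, and the step 8-10 directives exist."""
    config = config.replace("\r\n", "\n")  # Notepad++ on Windows saves CRLF line endings
    problems = []
    for tag, label in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"),
                       ("key", "RSA PRIVATE KEY"), ("tls-auth", "OpenVPN Static key V1")):
        m = re.search(rf"<{tag}>\n(.*?)\n</{tag}>", config, re.S)
        if not m:
            problems.append(f"missing or unclosed <{tag}> block")
        elif f"-----BEGIN {label}-----" not in m.group(1) or f"-----END {label}-----" not in m.group(1):
            problems.append(f"<{tag}> block lacks BEGIN/END {label} lines")
    if re.search(r"^remote\s+my-server-1\b", config, re.M):
        problems.append("remote still points at the my-server-1 placeholder (step 5a)")
    for directive in ("key-direction 1", "cipher AES-256-GCM", "auth SHA256", "float", "auth-nocache"):
        if not re.search(rf"^{re.escape(directive)}\s*$", config, re.M):
            problems.append(f"missing directive: {directive}")
    return problems

def make_client_config(remote_host):
    # Minimal profile head standing in for the edited sample client.ovpn (step 5a sets the remote line)
    head = f"client\ndev tun\nproto udp\nremote {remote_host} 1194\ncipher AES-256-GCM\nauth SHA256\n"
    return head + build_inline_section(SAMPLE_CA, SAMPLE_ISSUED_CRT, SAMPLE_KEY, SAMPLE_TA) + "float\nauth-nocache\n"
```

Running validate_ovpn over a hand-edited client.ovpn catches the usual slips: a forgotten closing tag, the text dump pasted along with the client cert, or the remote line still naming my-server-1.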
11) Rename the client.ovpn file to something you'd associate with the particular client you created it for and copy it into C:\Program Files\OpenVPN\config on the Windows 10 machine (please tell me you're not still using Windows 7 or heaven forbid, XP!) you'll be using to connect to your EdgeRouter from elsewhere. C:\Program Files\OpenVPN\config is where the OpenVPN software will, by default, save and use the client configuration file.
DO NOT email the file, make sure to move it to the new machine securely either on the same internal network or via a USB drive.
12) Copy the newly named file so you have a template to work from for future clients. On those, the only options you'll need to change/replace are the client certificate and the client key sections. Everything else remains the same.
13) With the client configuration file installed on the particular client you created it for, open the OpenVPN GUI on that machine: double-click on the OpenVPN icon in the System Tray and OpenVPN will attempt to connect to the EdgeRouter.
I hope this has been informative and instructive for you. Part 3 of the blog post (coming soon) will concentrate on the options you need to configure on the EdgeRouter to set up the VPN tunnel and allow connectivity.