Enable Server Authentication for SSL VPN

Creating the Local Certificate

1.Go to System Maintenance >> Time and Date to make sure the router's time settings are correct, and it's better to match the client's time zone. Because when authenticating the server's identity, the client will check if the current time and date are within the server certificate’s validity period.

2. Go to Certificate Management >> Trusted CA Certificate, click Create Root CA.

3. Finish the following information:

1. Select type “None” for Subject Alternative Name
2. Fill out the contents including location, organization, name, and Email.
3. Select Key Size as “2048 Bit” for stronger security
4. Click Generate to generate the Root CA

4. It will take a few minutes for the Root CA be created. Wait until the status shows OK.

5. Next, generate a Local Certificate, this is the certificate that the router will send to the SSL VPN clients. Go to Certificate Management >> Local Certificate, click Generate.

6. Finish the fields below with correct information:

1. Enter Certification Name
2. For Subject Alternative Name, choose the type how the VPN clients will access the router, here we select IP Address for example.
3. Enter the router's WAN IP for IP Address. It should be the IP address which VPN clients use for their Server settings.
4. Enter location, organization, Common Name (CN) and Email. CN should be the same as Subject Alternative Name, so we put the IP address here.
5. Select Key Size as “2048 Bit” for stronger security
6. Click Generate to create the Local Certificate

7. Wait a few minutes until the signing request is ready, then click Sign to sign the certificate with Root CA.

8. Select the expiry date for the local certificate, and click Sign.

9. Make sure the status of the Local Certificate is OK.

10. Now, we can use the certificate for SSL VPN. Go to SSL VPN >> General Setup, select the certificate created in the previous step for Server Certificate. Click OK to save the settings.

11. Now, the VPN clients can use the "Match Server Name" for verification. That is, when establishing the SSL connection, it will check if the domain name or IP address in the server’s certificate matches the domain name or the IP address it is connecting.

Exporting Root CA to iOS

1. After generating the Root CA at Certificate Management >> Trusted CA Certificate, click Export to download the RootCA. Then, send it to the client device by E-mail.

2. On the client device, open the .crt file.

3. Tap Install then enter the passcode to start the installation

4. Read the warning message then tap Install.

5. After the installation is complete, you will see Root CA became verified.

6. On the client devices, go to General >> About >> Certificate Trust Settings, switch to enable the Root CA installed.

7. Now, we can use Verify RootCA for certificate verification settings. That is, during SSL handshake, the device will not only check the server certificate but also verify issuer of the certificate. It will only establish the VPN only if the server presents a certificate signed by a root CA trusted.

Import RootCA to Android Devices

1. Download the Root CA.

2. Open the .crt file and use it for VPN and apps, then tap OK.