EdgeRouter - OpenVPN Server


Overview


Readers will learn how to configure an EdgeRouter as an OpenVPN server.

OpenVPN is characterized by the usage of virtual tunnel interfaces (vtun) and routing entries. In this article, the OpenVPN clients are authenticated using RSA certificates without passphrases.

ATTENTION: Packets passed through OpenVPN tunnel interfaces are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the Hardware Offloading article for more information.

 

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Steps: OpenVPN Server
  3. Steps: OpenVPN Client
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 172.16.1.0/24


Steps: OpenVPN Server

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Make sure that the date/time is set correctly on the EdgeRouter.

show date
Thu Dec 28 14:35:42 UTC 2017
NOTE: By default, the time is set using the Network Time Protocol (NTP). You can verify the NTP status with show ntp. If you want to manually set the date/time, the command is set date MMDDhhmmCCYY.

2. Log in as the root user.

sudo su

3. Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory.

openssl dhparam -out /config/auth/dh.pem -2 1024 
NOTE: The key size above is just an example. It is possible to use increased key sizes (such as 2048). The higher the key size, the more time it will take to generate the DH key file.

4. Change the current directory.

cd /usr/lib/ssl/misc

5. Generate a root certificate (replace <secret> with your desired passphrase).

./CA.sh -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ubnt.com
NOTE: The most important setting is the 'common name', which needs to be unique for all certificates you generate on the EdgeRouter. 

 

TIP: If you make a typing error, use CTRL+U to clear the output.

6. Copy the newly created certificate + key to the /config/auth directory.

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

7. Generate the server certificate.

./CA.sh -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ubnt.com

8. Sign the server certificate.

./CA.sh -sign
Certificate Details:
        Validity
            Not Before: Dec 28 14:44:18 2017 GMT
            Not After : Dec 28 14:44:18 2018 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@ubnt.com

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

9. Move and rename the server certificate + key to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

10. Generate, sign and move the client1 certificates.

./CA.sh -newreq
Common Name: client1

./CA.sh -sign

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

11. Repeat the process for client2.

./CA.sh -newreq
Common Name: client2

./CA.sh -sign

mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key
NOTE: This process will need to be repeated for each OpenVPN client that connects to the server. The clients are distinguished based on their 'common name' which needs to be unique for each client.

12. Verify the contents of the /config/auth directory.

ls -l /config/auth
-rw-r--r--    1 root     vyattacf      4461 Dec 28 14:40 cacert.pem
-rw-r--r--    1 root     vyattacf      1834 Dec 28 14:40 cakey.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 client1.key
-rw-r--r--    1 root     root          4643 Dec 28 14:46 client1.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:48 client2.key
-rw-r--r--    1 root     root          4643 Dec 28 14:47 client2.pem
-rw-r--r--    1 root     vyattacf       245 Dec 28 16:08 dh.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 server.key
-rw-r--r--    1 root     root          4638 Dec 28 14:44 server.pem

13. (Optional) Remove the passphrase from the client and server keys. This allows the clients to connect using only the provided certificate.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key

14. (Optional) Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key 
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key

15. Return to operational mode.

exit

16. Enter configuration mode.

configure

17. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall group address-group OpenVPN_Clients address 192.0.2.1
set firewall group address-group OpenVPN_Clients address 198.51.100.1

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 source group address-group OpenVPN_Clients
NOTE: Make sure that this rule does not override any existing firewall policies! 

18. Configure the OpenVPN virtual tunnel (vtun) interface.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
NOTE: In this example, the 172.16.1.0/24 subnet is used for OpenVPN. The router also advertises the 192.168.1.0/24 route to the clients.

19. (Optional) Bind the OpenVPN clients to specific IP addresses.

set interfaces openvpn vtun0 server client client1 ip 172.16.1.240
set interfaces openvpn vtun0 server client client2 ip 172.16.1.241
NOTE: The clients are bound to an IP address based on their 'common name' listed in the certificate.

20. Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

21. (Optional) Change the encryption and hash that the OpenVPN connection uses. 

set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 hash md5
NOTE: The following encryption and hashing options are available:
  • Encryption: DES / 3DES / BF-128 / BF-256 / AES-128 / AES-192 / AES-256
  • Hashing: MD5 / SHA-1 / SHA-256 / SHA-512

22. (Optional) Add the virtual tunnel interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

23. Commit the changes and save the configuration.

commit ; save

Steps: OpenVPN Client


The section below briefly covers configuring the OpenVPN client settings on a Windows 10 host. There are multiple guides available online that go into more detail than this article.

1. Navigate to the OpenVPN config folder.

C:\Program Files\OpenVPN\config\

2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).

3. Transfer the certificates + key (cacert.pem / client1.pem / client1.key) from the EdgeRouter /config/auth directory to the OpenVPN client.

NOTE: In this example, WinSCP is used to transfer the files.

4. Add the following information to the er.ovpn configuration file (replace <server-ip> with the public IP address of the EdgeRouter).

client
dev tun
proto udp
remote <server-ip> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
auth md5
cipher aes-128-cbc
ca cacert.pem
cert client1.pem
key client1.key

Steps: Testing & Verification

1. Verify that the traffic is increasing the counters on the OpenVPN firewall rule.

show firewall name WAN_LOCAL statistics 
--------------------------------------------------------------------------------

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  OpenVPN
10000 9           702         DROP    DEFAULT ACTION

2. Capture the OpenVPN traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 1194
IP 192.0.2.1.61798 > 203.0.113.1.1194: UDP, length 14
IP 192.0.2.1.61798 > 203.0.113.1.1194: UDP, length 22
IP 192.0.2.1.61798 > 203.0.113.1.1194: UDP, length 187
IP 192.0.2.1.61798 > 203.0.113.1.1194: UDP, length 22

IP 198.51.100.1.63734 > 203.0.113.1.1194: UDP, length 14
IP 198.51.100.1.63734 > 203.0.113.1.1194: UDP, length 22
IP 198.51.100.1.63734 > 203.0.113.1.1194: UDP, length 187
IP 198.51.100.1.63734 > 203.0.113.1.1194: UDP, length 22
NOTE: This is a live capture. If there is no output then the traffic is either not being generated or there is something blocking the traffic upstream.

3. Verify the status of the OpenVPN interface.

show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                
eth0         203.0.113.1/30                    u/u                             
eth1         192.168.1.1/24                    u/u                             
vtun0        172.16.1.1/24                     u/u   

show interfaces openvpn vtun0

vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.1.1/24 brd 172.16.1.255 scope global vtun0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
        148941       1197          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        261016        561          0          0          0          0

4. Verify the status of the OpenVPN client connections.

show openvpn status server 
OpenVPN server status on vtun0 []
Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
client2         198.51.100.1    172.16.1.241       6.8K   37.3K Thu Dec 28 17:16:03 2017
client1         192.0.2.1       172.16.1.240     295.9K  200.9K Thu Dec 28 17:01:53 2017
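The status output above can be checked automatically against what the server configuration promises: each client's tunnel IP should equal the address bound to its common name in step 19, lie inside the 172.16.1.0/24 subnet from step 18, and its remote IP should be one of the addresses in the OpenVPN_Clients firewall group from step 17. The script below is an added example, not part of the article; the sample status text is the article's output plus one constructed row (client3) that violates every check.

```python
import re
from ipaddress import ip_address, ip_network

# Expected values taken from the server steps: client bindings (step 19),
# allowed source addresses (OpenVPN_Clients group, step 17), tunnel subnet (step 18).
EXPECTED_TUNNEL_IP = {"client1": "172.16.1.240", "client2": "172.16.1.241"}
ALLOWED_REMOTE = {"192.0.2.1", "198.51.100.1"}
TUNNEL_SUBNET = ip_network("172.16.1.0/24")

# Constructed sample: the article's 'show openvpn status server' output plus a
# deliberately wrong client3 row (unknown CN, foreign tunnel IP, unlisted remote IP).
SAMPLE_STATUS = """\
OpenVPN server status on vtun0 []
Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
client2         198.51.100.1    172.16.1.241       6.8K   37.3K Thu Dec 28 17:16:03 2017
client1         192.0.2.1       172.16.1.240     295.9K  200.9K Thu Dec 28 17:01:53 2017
client3         203.0.113.77    10.9.9.9           1.0K    1.0K Thu Dec 28 17:20:00 2017
"""

# A data row is: CN, IPv4 remote, IPv4 tunnel, TX, RX, then the free-form timestamp.
ROW_RE = re.compile(
    r"^(?P<cn>\S+)\s+(?P<remote>\d+\.\d+\.\d+\.\d+)\s+(?P<tunnel>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<tx>\S+)\s+(?P<rx>\S+)\s+(?P<since>.+)$"
)

def parse_status(text):
    """Return one dict per connected client; title, header and rule lines do not match."""
    clients = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            clients.append(m.groupdict())
    return clients

def check_clients(clients):
    """Return a list of (cn, problem) findings; an empty list means every client is as expected."""
    findings = []
    for c in clients:
        cn = c["cn"]
        if cn not in EXPECTED_TUNNEL_IP:
            findings.append((cn, "unknown common name"))
        elif c["tunnel"] != EXPECTED_TUNNEL_IP[cn]:
            findings.append((cn, "tunnel IP %s differs from bound IP %s" % (c["tunnel"], EXPECTED_TUNNEL_IP[cn])))
        if ip_address(c["tunnel"]) not in TUNNEL_SUBNET:
            findings.append((cn, "tunnel IP %s outside %s" % (c["tunnel"], TUNNEL_SUBNET)))
        if c["remote"] not in ALLOWED_REMOTE:
            findings.append((cn, "remote IP %s not in OpenVPN_Clients group" % c["remote"]))
    return findings
```

Run `check_clients(parse_status(SAMPLE_STATUS))` on the pasted output; any finding points at a certificate that was issued outside steps 10-11, a binding that drifted from step 19, or a source address the WAN_LOCAL rule should not have admitted.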

Related Articles
