EdgeRouter - OpenVPN Server


Readers will learn how to configure an EdgeRouter as an OpenVPN server.

OpenVPN on EdgeOS is built around virtual tunnel interfaces (vtun) and routing entries that move traffic between the tunnel and the LAN. In this article, the OpenVPN clients authenticate with RSA certificates whose private keys carry no passphrase.

ATTENTION: Packets passed through OpenVPN tunnel interfaces are not eligible for offloading. This means that the traffic is routed using the CPU and that the performance is limited. Please see the EdgeRouter - Hardware Offloading Explained article for more information.




Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.


Equipment used in this article:

- EdgeRouter-4 (ER-4)

- Windows 10 test clients

Table of Contents

  1. Network Diagram
  2. Steps: OpenVPN Server
  3. Steps: OpenVPN Client
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram

Back to Top

The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) -
  • eth1 (LAN) -
  • vtun0 -

Steps: OpenVPN Server

Back to Top

For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Make sure that the date/time is set correctly on the EdgeRouter.

show date
Thu Dec 28 14:35:42 UTC 2017

NOTE: By default, the time is set using the Network Time Protocol (NTP). You can verify the NTP status with show ntp. If you want to manually set the date/time, the command is set date MMDDhhmmCCYY.

2. Log in as the root user.

sudo su

3. Generate a Diffie-Hellman (DH) parameter file and place it in the /config/auth directory.

openssl dhparam -out /config/auth/dh.pem -2 1024

NOTE: The 1024-bit size above is shown only because it generates quickly. 1024-bit DH groups are considered weak, so use 2048 bits (-2 2048) for anything other than a lab. The larger the group, the longer the generation takes; a 2048-bit group can take many minutes on the router's CPU, so you may prefer to generate the file on a workstation and copy it to /config/auth.

4. Change the current directory.

cd /usr/lib/ssl/misc

5. Generate a root certificate (replace <secret> with your desired passphrase).

./CA.sh -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ubnt.com

NOTE: The most important setting is the 'common name', which must be unique across all certificates you generate on the EdgeRouter; the CA refuses to sign a second request with a common name it has already issued.

TIP: If you make a typing error, use CTRL+U to clear the current input line.

6. Copy the newly created certificate + key to the /config/auth directory.

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

7. Generate the server certificate.

./CA.sh -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ubnt.com

8. Sign the server certificate.

./CA.sh -sign
Certificate Details:
            Not Before: Dec 28 14:44:18 2017 GMT
            Not After : Dec 28 14:44:18 2018 GMT
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@ubnt.com

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y

9. Move and rename the server certificate + key to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

10. Generate, sign and move the client1 certificates.

./CA.sh -newreq
Common Name: client1

./CA.sh -sign

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

11. Repeat the process for client2.

./CA.sh -newreq
Common Name: client2

./CA.sh -sign

mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key

NOTE: This process will need to be repeated for each OpenVPN client that connects to the server. The clients are distinguished based on their 'common name' which needs to be unique for each client.

12. Verify the contents of the /config/auth directory.

ls -l /config/auth
-rw-r--r--    1 root     vyattacf      4461 Dec 28 14:40 cacert.pem
-rw-r--r--    1 root     vyattacf      1834 Dec 28 14:40 cakey.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 client1.key
-rw-r--r--    1 root     root          4643 Dec 28 14:46 client1.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:48 client2.key
-rw-r--r--    1 root     root          4643 Dec 28 14:47 client2.pem
-rw-r--r--    1 root     vyattacf       245 Dec 28 16:08 dh.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 server.key
-rw-r--r--    1 root     root          4638 Dec 28 14:44 server.pem

13. (Optional) Remove the passphrase from the client and server keys. The server key must be unencrypted for OpenVPN to start unattended on the router, and the clients in this article authenticate with the certificate alone, so no passphrase is requested when they connect. Each command prompts for the passphrase chosen when the key was generated. Keep in mind that an unencrypted key is protected only by file permissions: restrict the files in /config/auth (and any copies handed to clients) to their owner, for example with chmod 600, since the listing above shows them world-readable.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key

14. (Optional) Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key 
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key
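Steps 3 through 14 above are interactive, and certificates issued with CA.sh and the default OpenSSL configuration normally carry no extended key usage, so an OpenVPN client has no way to tell the server's certificate from another client's. The script below is an added example, not part of the Ubiquiti article or of EdgeOS: it builds the same file set (cacert.pem, cakey.pem, server.pem and server.key, one .pem/.key pair per client) non-interactively with plain openssl, marks each certificate with its TLS role, writes the keys without a passphrase (the end state of step 14) and restricts their file mode. Assumptions: OpenSSL 1.1.1 or newer on the machine that runs it, an output directory of your choosing (copy the result to /config/auth afterwards), and the function and file names, which are mine. The verify_purpose check is the same role test that an OpenVPN client with 'remote-cert-tls server' applies.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): builds the CA, server and
# client certificates the CA.sh steps produce, non-interactively, with
# extendedKeyUsage set so server and client certificates are distinguishable.
# Assumes OpenSSL 1.1.1 or newer. Output directory is your choice; copy the
# files to /config/auth on the EdgeRouter afterwards.
set -eu

# Subject fields mirror the article; only the CN differs per certificate.
SUBJ_BASE="/C=US/ST=New York/L=New York/O=Ubiquiti/OU=Support"

# Create the CA. A private config file is written so the run does not depend
# on the system openssl.cnf. The CA key has no passphrase (as after step 14),
# so it is protected only by its file mode.
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
C  = US
ST = New York
L  = New York
O  = Ubiquiti
OU = Support
CN = root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# Issue one leaf certificate. $3 is "server" or "client" and selects the EKU
# that 'openssl verify -purpose' and OpenVPN's 'remote-cert-tls' check.
issue_cert() {
    dir="$1"; cn="$2"; role="$3"
    case "$role" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    # Extensions for the leaf: not a CA, usable only for its TLS role.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' \
        "$eku" > "$dir/$cn.ext"
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
        -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/$cn.ext" -out "$dir/$cn.pem" 2>/dev/null
    chmod 600 "$dir/$cn.key"
    rm -f "$dir/$cn.csr" "$dir/$cn.ext"
}

# Check that a certificate chains to the CA and is valid for a TLS role
# ("sslserver" or "sslclient"). A client certificate must fail "sslserver".
verify_purpose() {
    dir="$1"; cn="$2"; purpose="$3"
    openssl verify -purpose "$purpose" -CAfile "$dir/cacert.pem" \
        "$dir/$cn.pem" >/dev/null 2>&1
}

# Build the whole set: CA, server, and one client per remaining argument.
build_pki() {
    dir="$1"; shift
    make_ca "$dir"
    issue_cert "$dir" server server
    for c in "$@"; do issue_cert "$dir" "$c" client; done
}

# DH parameters for 'tls dh-file'. 2048 bits; this is the slow step.
gen_dh() {
    openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null
}

# Usage: sh gen_openvpn_pki.sh /tmp/ovpn-pki client1 client2
if [ "${1:-}" != "" ]; then
    build_pki "$@"
    gen_dh "$1"
    ls -l "$1"
fi
```

After copying the output to /config/auth, the EdgeOS 'tls' settings in step 20 are unchanged. The one file that does not belong on the router is cakey.pem: whoever holds it can issue further client certificates, so keep it elsewhere if you can and, if it is ever exposed, replace the CA and reissue every certificate.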

15. Return to operational mode.

exit

16. Enter configuration mode.

configure

17. Add a firewall rule for the OpenVPN traffic to the local firewall policy.

set firewall group address-group OpenVPN_Clients address
set firewall group address-group OpenVPN_Clients address

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 source group address-group OpenVPN_Clients

NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

18. Configure the OpenVPN virtual tunnel (vtun) interface.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server push-route
set interfaces openvpn vtun0 server name-server

NOTE: In this example the subnet is used for OpenVPN. The router also advertises the route to the clients.

19. (Optional) Bind the OpenVPN clients to specific IP addresses.

set interfaces openvpn vtun0 server client client1 ip
set interfaces openvpn vtun0 server client client2 ip

NOTE: The clients are bound to an IP address based on their 'common name' listed in the certificate.

20. Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

21. (Optional) Change the cipher and HMAC hash that the OpenVPN tunnel uses. Whatever you choose here must match the 'cipher' and 'auth' lines in the client configuration.

set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 hash md5

NOTE: The following encryption and hashing options are available:

  • Encryption: DES / 3DES / BF-128 / BF-256 / AES-128 / AES-192 / AES-256
  • Hashing: MD5 / SHA-1 / SHA-256 / SHA-512

DES, 3DES and Blowfish are 64-bit block ciphers and MD5 and SHA-1 are deprecated hash functions; they remain selectable for compatibility with old clients only. For a new deployment choose AES-128 or AES-256 with SHA-256 or SHA-512. The values above (aes128 / md5) are kept in this article because they match the client file shown later.

22. (Optional) Add the vtun interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

23. Commit the changes and save the configuration.

commit ; save

Steps: OpenVPN Client

Back to Top

The section below (briefly) focuses on configuring the OpenVPN client settings on a Windows 10 host. There are multiple guides available online that go into more detail than this article.

1. Navigate to the OpenVPN config folder.

C:\Program Files\OpenVPN\config\

2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).

3. Transfer the certificates + key (cacert.pem / client1.pem / client1.key) from the EdgeRouter /config/auth directory to the OpenVPN client.

NOTE: In this example WinSCP is used to transfer the files. The client key has no passphrase, so whoever holds client1.key can connect as client1; transfer it over an authenticated channel and do not leave spare copies behind.

4. Add the following information to the er.ovpn configuration file (replace <server-ip> with your ER public IP address). The 'client' line puts OpenVPN in TLS-client mode and makes it accept the route and name server pushed by the server; 'auth' and 'cipher' must match the 'hash' and 'encryption' settings on vtun0.

client
dev tun
proto udp
remote <server-ip> 1194
resolv-retry infinite
verb 3
auth md5
cipher aes-128-cbc
ca cacert.pem
cert client1.pem
key client1.key

NOTE: This file does not check that the certificate presented by the server was issued for a server (OpenVPN's 'remote-cert-tls server' directive). Without that check, any certificate signed by this CA, including another client's, would be accepted as the server. The directive only works when the server certificate carries the TLS server extended key usage, which certificates issued with CA.sh and the default OpenSSL configuration normally do not; if you issue certificates with that extension, add 'remote-cert-tls server' to this file.

Steps: Testing & Verification

Back to Top

1. Verify that the traffic is increasing the counters on the OpenVPN firewall rule.

show firewall name WAN_LOCAL statistics 

IPv4 Firewall "WAN_LOCAL"  [WAN to router]

 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    1549        142354      ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    6           312         ACCEPT  OpenVPN
10000 9           702         DROP    DEFAULT ACTION

2. Capture the OpenVPN traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 1194
IP > UDP, length 14
IP > UDP, length 22
IP > UDP, length 187
IP > UDP, length 22

IP > UDP, length 14
IP > UDP, length 22
IP > UDP, length 187
IP > UDP, length 22

NOTE: This is a live capture. If there is no output, the traffic is either not being generated by the client or something is blocking it upstream. If there is output here and the connection is not establishing, verify the firewall rules above.

3. Verify the status of the OpenVPN interface.

show interfaces 
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down

Interface    IP Address                        S/L  Description                
---------    ----------                        ---  -----------                
eth0                    u/u                             
eth1                    u/u                             
vtun0                     u/u   

show interfaces openvpn vtun0

vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet brd scope global vtun0
       valid_lft forever preferred_lft forever

    RX:  bytes    packets     errors    dropped    overrun      mcast
        148941       1197          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
        261016        561          0          0          0          0

4. Verify the status of the OpenVPN client connections.

show openvpn status server 
OpenVPN server status on vtun0 []
Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
client2       6.8K   37.3K Thu Dec 28 17:16:03 2017
client1     295.9K  200.9K Thu Dec 28 17:01:53 2017

Related Articles

Back to Top