EdgeRouter - OpenVPN Server


Overview


Readers will learn how to configure an EdgeRouter as an OpenVPN server.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Familiarity with the Command Line Interface (CLI) and basic networking knowledge are required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. OpenVPN Server
  3. OpenVPN Client
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter:

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vtun0 - 172.16.1.0/24

[Network topology diagram: eth0 (WAN), eth1 (LAN) and vtun0 on the EdgeRouter]


OpenVPN Server



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Make sure that the date/time is set correctly on the EdgeRouter.

show date
Thu Dec 28 14:35:42 UTC 2017

2. Log in as the root user.

sudo su

3. Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory.

openssl dhparam -out /config/auth/dh.pem -2 1024
NOTE: 1024-bit DH parameters are considered weak and should not be used for a new deployment; use at least 2048 bits (replace "-2 1024" with "2048"). Generating a 2048-bit group can take several minutes on the EdgeRouter's CPU, and the resulting dh.pem is larger than the 245-byte file shown in step 12.

4. Change the current directory.

cd /usr/lib/ssl/misc

5. Generate a root certificate (replace <secret> with your desired passphrase).

./CA.sh -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ubnt.com
NOTE: The Common Name must be unique for every certificate signed by this CA. The CA.sh database (demoCA/index.txt) refuses to sign a second request with a subject it has already issued, and the client Common Names (client1, client2) are what the EdgeRouter matches against the per-client settings in step 19.

6. Copy the newly created certificate + key to the /config/auth directory.

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

7. Generate the server certificate.

./CA.sh -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ubnt.com

8. Sign the server certificate.

./CA.sh -sign
Certificate Details:
        Validity
            Not Before: Dec 28 14:44:18 2017 GMT
            Not After : Dec 28 14:44:18 2018 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@ubnt.com

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
NOTE: CA.sh signs with a default validity of 365 days (the Not After line above). When the server certificate expires every client stops connecting, so record the expiry date or edit the DAYS value in CA.sh before signing.

9. Move and rename the server certificate + key to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

10. Generate, sign and move the client1 certificates.

./CA.sh -newreq
Common Name: client1

./CA.sh -sign

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

11. Repeat the process for client2.

./CA.sh -newreq
Common Name: client2

./CA.sh -sign

mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key

12. Verify the contents of the /config/auth directory.

ls -l /config/auth
-rw-r--r--    1 root     vyattacf      4461 Dec 28 14:40 cacert.pem
-rw-r--r--    1 root     vyattacf      1834 Dec 28 14:40 cakey.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 client1.key
-rw-r--r--    1 root     root          4643 Dec 28 14:46 client1.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:48 client2.key
-rw-r--r--    1 root     root          4643 Dec 28 14:47 client2.pem
-rw-r--r--    1 root     vyattacf       245 Dec 28 16:08 dh.pem
-rw-r--r--    1 root     vyattacf      1675 Dec 28 14:47 server.key
-rw-r--r--    1 root     root          4638 Dec 28 14:44 server.pem

13. Remove the passphrase from the server and client keys. The OpenVPN service on the EdgeRouter starts unattended, so it cannot prompt for the server key's passphrase; stripping the client keys as well lets the clients connect with only the certificate and key files (a client could instead keep its passphrase and be prompted on connect). Enter the passphrase given when each key was created.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key

14. Overwrite the existing keys with the no-pass versions. From this point the private keys are protected only by file permissions: the listing in step 12 shows them world-readable (mode 644), so restrict them to the root user (mode 600), keep cakey.pem off the router once the client certificates have been issued, and delete client1.key and client2.key from /config/auth after they have been copied to the clients.

mv /config/auth/server-no-pass.key /config/auth/server.key 
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key
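Steps 3 through 14 drive OpenSSL through the CA.sh wrapper. The following script, added here as an example and not part of the original article or of EdgeOS, produces the same set of files in /config/auth with plain openssl commands and fixes the weak points of the walkthrough: 2048-bit DH parameters, serverAuth/clientAuth extended key usage on the certificates, an explicit validity, and private keys created without a passphrase but readable only by root. The function names build_openvpn_pki and verify_openvpn_pki, the ext.cnf file and the O=Ubiquiti/OU=Support subject fields are assumptions for this example; it needs only the openssl binary that CA.sh itself calls.

```shell
#!/bin/sh
# Added example for this article (not Ubiquiti code and not CA.sh): build the
# OpenVPN PKI of steps 3-14 with plain openssl commands.  Differences from the
# walkthrough: 2048-bit DH, serverAuth/clientAuth extended key usage, an
# explicit validity, keys generated without a passphrase but mode 0600.
# Assumed names: build_openvpn_pki, verify_openvpn_pki, ext.cnf (hypothetical
# helpers); the O=Ubiquiti/OU=Support subject mirrors the article's prompts.
set -eu

# build_openvpn_pki OUTDIR DAYS DH_BITS
#   OUTDIR   target directory (/config/auth on the EdgeRouter)
#   DAYS     validity of server/client certificates; the CA gets three times that
#   DH_BITS  Diffie-Hellman group size (2048 recommended); 0 keeps an existing dh.pem
build_openvpn_pki() {
    out=$1; days=$2; dh_bits=$3
    mkdir -p "$out"
    # No passphrase on the keys (OpenVPN starts unattended), so the file mode
    # is the only protection: umask 077 makes every new file 0600.
    umask 077
    # Extension profiles.  A client using 'remote-cert-tls server' rejects a
    # server certificate without extendedKeyUsage=serverAuth.
    cat > "$out/ext.cnf" <<'EOF'
[server]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
[client]
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF
    # Root CA (step 5).  Only cacert.pem needs to stay on the router.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days $((days * 3)) \
        -subj "/O=Ubiquiti/OU=Support/CN=root" \
        -keyout "$out/cakey.pem" -out "$out/cacert.pem" 2>/dev/null
    # Server and client certificates (steps 7-11).  Every CN is unique, and the
    # client CNs are what 'server client <name>' in step 19 matches on.
    for name in server client1 client2; do
        case $name in server) ext=server ;; *) ext=client ;; esac
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/O=Ubiquiti/OU=Support/CN=$name" \
            -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
        openssl x509 -req -in "$out/$name.csr" -sha256 -days "$days" \
            -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" -CAcreateserial \
            -extfile "$out/ext.cnf" -extensions "$ext" \
            -out "$out/$name.pem" 2>/dev/null
        rm -f "$out/$name.csr"
    done
    # DH parameters (step 3).  2048 bits takes minutes on an EdgeRouter CPU.
    if [ "$dh_bits" -gt 0 ]; then
        openssl dhparam -out "$out/dh.pem" "$dh_bits" 2>/dev/null
        chmod 644 "$out/dh.pem"
    fi
    # Certificates are public; the keys keep the 0600 from the umask.
    chmod 644 "$out/cacert.pem" "$out/server.pem" "$out/client1.pem" "$out/client2.pem"
    rm -f "$out/ext.cnf"
}

# verify_openvpn_pki OUTDIR: checks worth running before step 20 points vtun0
# at the files.  Returns 0 only if everything passes.
verify_openvpn_pki() {
    out=$1
    for name in server client1 client2; do
        # Leaf chains to the CA ...
        openssl verify -CAfile "$out/cacert.pem" "$out/$name.pem" >/dev/null 2>&1 || return 1
        # ... key and certificate carry the same public key ...
        [ "$(openssl x509 -in "$out/$name.pem" -noout -pubkey)" = \
          "$(openssl pkey -in "$out/$name.key" -pubout 2>/dev/null)" ] || return 1
        # ... and the key is unencrypted (no prompt at boot) but not world-readable.
        grep -q ENCRYPTED "$out/$name.key" && return 1
        [ "$(ls -l "$out/$name.key" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    # The server certificate must carry the serverAuth EKU.
    openssl x509 -in "$out/server.pem" -noout -text | grep -q "TLS Web Server Authentication" || return 1
}

# Run directly:  sh build-pki.sh /config/auth 365 2048
if [ $# -ge 1 ]; then
    build_openvpn_pki "$1" "${2:-365}" "${3:-2048}"
    verify_openvpn_pki "$1" && echo "PKI in $1 verified"
fi
```

Run it from the root shell of step 2 (for example `sh build-pki.sh /config/auth 365 2048`) in place of steps 3 to 14, then continue with step 15. Pass 0 as the third argument to keep a dh.pem that already exists. Once the client certificates are issued, move cakey.pem off the router; the server only needs cacert.pem to verify clients.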

15. Return to operational mode.

exit

16. Enter configuration mode.

configure

17. Add a firewall rule for the OpenVPN traffic to the local firewall policy. This assumes the WAN_LOCAL ruleset from the basic firewall configuration is already attached to eth0 as its local policy; without that attachment the rule below is never evaluated.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

18. Configure the OpenVPN virtual tunnel interface.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1

19. Bind the OpenVPN clients to specific IP addresses. The client names must match the certificate Common Names from steps 10 and 11 exactly; a client whose Common Name has no entry here still connects but receives a dynamic address from the 172.16.1.0/24 pool.

set interfaces openvpn vtun0 server client client1 ip 172.16.1.240
set interfaces openvpn vtun0 server client client2 ip 172.16.1.241

20. Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

21. Change the encryption and hashing algorithms from the OpenVPN defaults (BF-CBC and SHA1) to AES-256 and SHA-256. The client configuration must specify the same cipher and auth values (see the OpenVPN Client section below).

set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256

22. Add the virtual tunnel interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

23. Commit the changes and save the configuration.

commit ; save

OpenVPN Client



In this article, we are using a Windows 10 machine as the OpenVPN client.


1. Navigate to the OpenVPN config folder.

C:\Program Files\OpenVPN\config\

2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).

3. Transfer the CA certificate (cacert.pem) and the client's own certificate and key (client1.pem, client1.key) from the EdgeRouter /config/auth directory to the OpenVPN client. Never copy cakey.pem, server.key or another client's key to a client.

NOTE: In this example, WinSCP is used to transfer the files.

4. Add the following information to the er.ovpn configuration file.

client
dev tun
proto udp
remote <server-ip> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
cipher AES-256-CBC
auth SHA256

NOTE: The cipher and auth lines must match the encryption aes256 and hash sha256 settings from step 21. OpenVPN does not negotiate the HMAC algorithm, so a client left at the default (SHA1) cannot authenticate the server's packets and the tunnel never passes traffic.
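The er.ovpn above references three loose files. The following script, added here as an example and not part of the original article, bundles them into a single profile with inline <ca>, <cert> and <key> blocks (the form the Windows OpenVPN GUI and most other clients import directly), pins the cipher and HMAC to the server's encryption aes256 / hash sha256 settings (AES-256-CBC and SHA256 in OpenVPN terms), and can add remote-cert-tls server. The function names make_ovpn_profile and pem_block and the STRICT argument are assumptions for this example; the file names are the ones used in this article.

```shell
#!/bin/sh
# Added example for this article (not Ubiquiti code): build a single-file
# OpenVPN client profile from the files copied out of /config/auth.  The inline
# <ca>/<cert>/<key> blocks replace the three loose files, and the cipher/auth
# lines are pinned to the server's 'encryption aes256' / 'hash sha256'.
# Assumed names: make_ovpn_profile, pem_block and the STRICT argument are
# hypothetical; the file names (cacert.pem, client1.pem, client1.key) are the
# article's.
set -eu

# pem_block FILE TYPE: print only the PEM block of TYPE from FILE.  CA.sh writes
# a human-readable dump above the PEM in newcert.pem; inline blocks must not
# contain it.
pem_block() {
    sed -n "/-----BEGIN $2-----/,/-----END $2-----/p" "$1"
}

# make_ovpn_profile SRCDIR CLIENT SERVER_IP [PORT] [STRICT] > client.ovpn
#   STRICT=yes adds 'remote-cert-tls server'.  Only use it when the server
#   certificate carries extendedKeyUsage=serverAuth; the CA.sh default signing
#   profile used in steps 7-8 does not add it, and OpenVPN then rejects the
#   server with a VERIFY EKU error.
make_ovpn_profile() {
    src=$1; client=$2; server=$3; port=${4:-1194}; strict=${5:-no}
    for f in cacert.pem "$client.pem" "$client.key"; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # Refuse anything that is not a private key (e.g. a certificate copied into
    # client1.key by mistake) before a broken profile is handed out.
    grep -q "PRIVATE KEY" "$src/$client.key" || { echo "$client.key is not a private key" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
# Must match 'set interfaces openvpn vtun0 encryption aes256' / 'hash sha256'.
cipher AES-256-CBC
auth SHA256
EOF
    if [ "$strict" = yes ]; then
        # With this, a stolen client certificate cannot be used to impersonate the server.
        echo "remote-cert-tls server"
    fi
    printf '<ca>\n%s\n</ca>\n' "$(pem_block "$src/cacert.pem" CERTIFICATE)"
    printf '<cert>\n%s\n</cert>\n' "$(pem_block "$src/$client.pem" CERTIFICATE)"
    printf '<key>\n%s\n</key>\n' "$(cat "$src/$client.key")"
}

# Run directly:  sh make-profile.sh ./auth client1 203.0.113.1 1194 > er.ovpn
if [ $# -ge 3 ]; then
    make_ovpn_profile "$@"
fi
```

Run it on the machine that received the files, then import the resulting er.ovpn. The profile contains the client's private key, so distribute it over an encrypted channel and delete the loose copies afterwards.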

 

You can verify the VPN settings using the following commands from operational mode:

show firewall name WAN_LOCAL statistics 
show interfaces
show interfaces openvpn vtun0
show openvpn status server

Related Articles



EdgeRouter - OpenVPN Site-to-Site

EdgeRouter - PPTP VPN Server

EdgeRouter - L2TP IPsec VPN Server

Intro to Networking - How to Establish a Connection Using SSH