EdgeRouter - OpenVPN Server


Overview


Readers will learn how to configure an EdgeRouter as an OpenVPN server.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Configuring the OpenVPN Server
  2. Setting up the OpenVPN Client
  3. Related Articles

Configuring the OpenVPN Server



topology.png

The EdgeRouter OpenVPN server provides access to the LAN (192.168.1.0/24) for authenticated OpenVPN clients.

CLI: Access the Command Line Interface. You can do this using the CLI button in the Web UI or by using a program such as PuTTY.

1. Make sure that the date/time is set correctly on the EdgeRouter. The validity period of every certificate generated below is taken from the router's clock, and clients will reject certificates that are not yet valid.

show date
Mon Jan 21 12:13:07 UTC 2019

2. Log in as the root user.

sudo su

3. Generate a Diffie-Hellman (DH) parameter file and place it in the /config/auth directory. This can take a long time on router hardware.

openssl dhparam -out /config/auth/dh.pem -2 2048
NOTE: It is possible to use parameter sizes larger than 2048 bits, at the cost of a much longer generation time.

4. Change the current directory.

cd /usr/lib/ssl/misc

5. Generate a root certificate (replace <secret> with your desired passphrase).

./CA.pl -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ubnt.com
NOTE: On older firmware versions (pre v2.0.0) the script is named CA.sh.

6. Copy the newly created certificate + key to the /config/auth directory.

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

7. Generate the server certificate.

./CA.pl -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ubnt.com

8. Sign the server certificate. CA.pl signs for 365 days by default, as shown in the output; note the expiry date so that the certificate can be renewed before clients stop connecting.

./CA.pl -sign
Certificate Details:
        Validity
            Not Before: Jan 21 13:02:57 2019 GMT
            Not After : Jan 21 13:02:57 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@ubnt.com

Certificate is to be certified until Jan 21 13:02:57 2020 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

9. Move and rename the server certificate and key files to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

10. Generate, sign and move the certificate and key files for the first OpenVPN client.

./CA.pl -newreq
Common Name: client1

./CA.pl -sign
Certificate Details:
        Validity
            Not Before: Jan 21 13:05:03 2019 GMT
            Not After : Jan 21 13:05:03 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = client1
            emailAddress              = support@ubnt.com

Certificate is to be certified until Jan 21 13:05:03 2020 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

11. Repeat the process for the second OpenVPN client.

./CA.pl -newreq
Common Name: client2

./CA.pl -sign

mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key

12. Remove the passphrase from the server and client key files. The OpenVPN process on the EdgeRouter starts unattended and cannot prompt for a passphrase, so the server key must be unencrypted. The client keys only need this if the client software cannot prompt for the passphrase; a client key that keeps its passphrase is still protected if the client machine is lost.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key

13. Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key 
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key

14. Add read permission for non-root users to the client key files, so that they can be fetched from the router over SCP without a root login. Keep in mind that the private keys are now readable by every local user on the router; delete them from /config/auth once they have been transferred to the clients.

chmod 644 /config/auth/client1.key
chmod 644 /config/auth/client2.key

15. Verify the contents of the /config/auth directory.

ls -l /config/auth
-rw-r--r--    1 root     vyattacf      4477 Jan 21 13:02 cacert.pem
-rw-------    1 root     vyattacf      1854 Jan 21 13:02 cakey.pem
-rw-r--r--    1 root     vyattacf      1675 Jan 21 13:06 client1.key
-rw-r--r--    1 root     root          4647 Jan 21 13:05 client1.pem
-rw-r--r--    1 root     vyattacf      1675 Jan 21 13:24 client2.key
-rw-r--r--    1 root     vyattacf      4647 Jan 21 13:24 client2.pem
-rw-r--r--    1 root     vyattacf       424 Jan 21 12:44 dh.pem
-rw-------    1 root     vyattacf      1679 Jan 21 13:06 server.key
-rw-r--r--    1 root     root          4642 Jan 21 13:02 server.pem

16. Return to operational mode.

exit

17. Enter configuration mode.

configure

18. Add a firewall rule for the OpenVPN traffic to the WAN_LOCAL firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

19. Configure the OpenVPN virtual tunnel interface.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1

20. Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

21. Add the virtual tunnel interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

22. Commit the changes and save the configuration.

commit ; save
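Steps 3 to 15 above, collected into one script that can be re-run without the CA.pl prompts. This is an added example, not the article's procedure or Ubiquiti code, and it makes assumptions the text does not: OUT_DIR (default ./auth) stands in for /config/auth, the file name make_pki.sh is hypothetical, the keys are written unencrypted from the start (the state steps 12 and 13 reach), and the signing profile adds keyUsage/extendedKeyUsage extensions that CA.pl's default profile omits. Those extensions are what allow a client to reject a client certificate from step 10 that is presented as the server, and what let openssl verify -purpose check that here.

```shell
#!/bin/sh
# Added example, not from the article: steps 3-15 as a non-interactive
# script. Differences from the CA.pl run in the text are marked ASSUMPTION.
set -eu
umask 077                                   # keys are private from creation

OUT_DIR="${OUT_DIR:-./auth}"                # ASSUMPTION: stands in for /config/auth
DAYS="${DAYS:-365}"                         # CA.pl's default validity
SUBJ_BASE="/C=US/ST=New York/L=New York/O=Ubiquiti/OU=Support"

# Minimal openssl config: the subject comes from -subj, so the DN section
# is empty; v3_ca holds the extensions for the self-signed CA certificate.
write_req_config() {
    cat > "$OUT_DIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 5: CA key and self-signed CA certificate (cakey.pem, cacert.pem).
make_ca() {
    mkdir -p "$OUT_DIR"
    write_req_config
    openssl genrsa -out "$OUT_DIR/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -key "$OUT_DIR/cakey.pem" -days "$DAYS" \
        -subj "$SUBJ_BASE/CN=root" -config "$OUT_DIR/req.cnf" \
        -out "$OUT_DIR/cacert.pem"
    chmod 644 "$OUT_DIR/cacert.pem"
}

# Steps 7-13: key, CSR and CA-signed certificate for one common name.
# $1 = common name (server, client1, ...), $2 = serverAuth or clientAuth.
issue_cert() {
    name="$1"; eku="$2"
    openssl genrsa -out "$OUT_DIR/$name.key" 2048 2>/dev/null   # unencrypted, as after step 13
    openssl req -new -sha256 -key "$OUT_DIR/$name.key" \
        -subj "$SUBJ_BASE/CN=$name" -config "$OUT_DIR/req.cnf" \
        -out "$OUT_DIR/$name.csr"
    # ASSUMPTION: key-usage extensions that CA.pl's default profile omits;
    # they let "remote-cert-tls server" distinguish server from client certs.
    cat > "$OUT_DIR/$name.ext" <<EOF
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = $eku
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -sha256 -in "$OUT_DIR/$name.csr" -days "$DAYS" \
        -CA "$OUT_DIR/cacert.pem" -CAkey "$OUT_DIR/cakey.pem" -CAcreateserial \
        -extfile "$OUT_DIR/$name.ext" -out "$OUT_DIR/$name.pem" 2>/dev/null
    chmod 644 "$OUT_DIR/$name.pem"
    rm -f "$OUT_DIR/$name.csr" "$OUT_DIR/$name.ext"
}

# Step 3: DH parameters. Slow on router hardware, so only run from "build".
make_dh() {
    openssl dhparam -out "$OUT_DIR/dh.pem" "${1:-2048}"
    chmod 644 "$OUT_DIR/dh.pem"
}

# verify_cert FILE PURPOSE: succeeds only if FILE chains to cacert.pem and is
# valid for PURPOSE (sslserver or sslclient). A client certificate must fail
# the sslserver check, otherwise any client could impersonate the server.
verify_cert() {
    openssl verify -CAfile "$OUT_DIR/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
}

# cert_cn FILE: the CN a client pins with "verify-x509-name <cn> name".
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_expiry FILE: notAfter date, so the 365-day renewal is not a surprise.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

case "${1:-}" in
build)
    make_ca
    issue_cert server serverAuth
    issue_cert client1 clientAuth
    issue_cert client2 clientAuth
    make_dh 2048
    verify_cert "$OUT_DIR/server.pem" sslserver
    for n in client1 client2; do verify_cert "$OUT_DIR/$n.pem" sslclient; done
    for n in server client1 client2; do
        printf '%s: CN=%s, expires %s\n' "$n" \
            "$(cert_cn "$OUT_DIR/$n.pem")" "$(cert_expiry "$OUT_DIR/$n.pem")"
    done
    ;;
esac
```

Run it as sh make_pki.sh build in a scratch directory and copy the resulting files into /config/auth (the file names match the ones the article's set interfaces openvpn vtun0 tls commands expect). Because the certificates carry the server/client key-usage extensions, a client configuration can add remote-cert-tls server, which the certificates produced by CA.pl in the article cannot satisfy.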

Setting up the OpenVPN Client



Windows Client


In this section, we are using a Windows 10 machine as the OpenVPN client.

1. Navigate to the OpenVPN config folder.

C:\Program Files\OpenVPN\config\

2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).

3. Transfer the CA certificate (cacert.pem) and the client's own certificate and key (client1.pem and client1.key) from the EdgeRouter /config/auth directory to the OpenVPN client. Do not copy cakey.pem or the server files; the client does not need them.

transfer.png

NOTE: In this example, WinSCP is used to transfer the files.

4. Add the following information to the er.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname).

client
dev tun
proto udp
remote <server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key

NOTE: The server and client certificates are signed by the same CA, so without a check on the server's identity a client would also accept one of the client certificates from step 10 presented as the server. Add verify-x509-name server name to the file to require that the server certificate's Common Name is "server". The stricter remote-cert-tls server cannot be used with these certificates, because the default CA.pl signing profile does not add the key-usage extensions that directive checks.

Related Articles



EdgeRouter - OpenVPN Site-to-Site

EdgeRouter - OpenVPN Layer 2 Tunnel

EdgeRouter - L2TP IPsec VPN Server

Intro to Networking - How to Establish a Connection Using SSH

