
EdgeRouter - OpenVPN Server

Overview

Readers will learn how to configure an OpenVPN server on the EdgeRouter.

NOTES & REQUIREMENTS:
  • Applicable to the latest EdgeOS firmware on all EdgeRouter models.
  • Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required.

Table of Contents

  1. Configuring the OpenVPN Server
  2. Setting up the OpenVPN Client
  3. Related Articles

Configuring the OpenVPN Server


[Image: topology.gif]

The EdgeRouter OpenVPN server provides access to the LAN (192.168.1.0/24) for authenticated OpenVPN clients.

CLI: Access the Command Line Interface. You can do this using the CLI button in the Web UI or by using a program such as PuTTY.

1. Make sure that the date/time is set correctly on the EdgeRouter.

show date
Mon Jan 21 12:13:07 UTC 2019

2. Log in as the root user.

sudo su

3. Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory.

openssl dhparam -out /config/auth/dh.pem -2 2048
NOTE: It is possible to use key sizes higher than 2048.

4. Change the current directory.

cd /usr/lib/ssl/misc

5. Generate a root certificate (replace <secret> with your desired passphrase).

ATTENTION: On older firmware versions (pre v2.0.0) the script is named CA.sh.
./CA.pl -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ui.com
NOTE: Replace the location and organizational fields with your own information.

6. Copy the newly created certificate + key to the /config/auth directory.

cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth

7. Generate the server certificate.

./CA.pl -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ui.com

8. Sign the server certificate.

./CA.pl -sign
Certificate Details:
        Validity
            Not Before: Jan 21 13:02:57 2019 GMT
            Not After : Jan 21 13:02:57 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = server
            emailAddress              = support@ui.com

Certificate is to be certified until Jan 21 13:02:57 2020 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

9. Move and rename the server certificate and key files to the /config/auth directory.

mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

10. Generate, sign and move the certificate and key files for the first OpenVPN client.

./CA.pl -newreq
Common Name: client1

./CA.pl -sign
Certificate Details:
        Validity
            Not Before: Jan 21 13:05:03 2019 GMT
            Not After : Jan 21 13:05:03 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = client1
            emailAddress              = support@ui.com

Certificate is to be certified until Jan 21 13:05:03 2020 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

11. Repeat the process for the second OpenVPN client.

./CA.pl -newreq
Common Name: client2

./CA.pl -sign

mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key

12. Remove the password from the server key file and optionally the client key file(s).

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key
NOTE: When connecting, the OpenVPN clients will need to enter a password if this step is skipped.

13. Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key 
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key

14. Add read permission for non-root users to the client key files, so that they can be copied to the clients later.

chmod 644 /config/auth/client1.key
chmod 644 /config/auth/client2.key

15. Verify the contents of the /config/auth directory.

ls -l /config/auth
-rw-r--r--    1 root     vyattacf      4477 Jan 21 13:02 cacert.pem
-rw-------    1 root     vyattacf      1854 Jan 21 13:02 cakey.pem
-rw-r--r--    1 root     vyattacf      1675 Jan 21 13:06 client1.key
-rw-r--r--    1 root     root          4647 Jan 21 13:05 client1.pem
-rw-r--r--    1 root     vyattacf      1675 Jan 21 13:24 client2.key
-rw-r--r--    1 root     vyattacf      4647 Jan 21 13:24 client2.pem
-rw-r--r--    1 root     vyattacf       424 Jan 21 12:44 dh.pem
-rw-------    1 root     vyattacf      1679 Jan 21 13:06 server.key
-rw-r--r--    1 root     root          4642 Jan 21 13:02 server.pem
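Before committing the configuration (and before copying client files off the router) it is worth confirming that the files in /config/auth fit together. The following POSIX shell script is an added example, not part of the Ubiquiti article: it checks that server.pem chains to cacert.pem, that server.key is the matching passphrase-free private key, that the certificate is not close to expiry, and that server.key and cakey.pem are readable by root only; pass a second argument (client1, client2) to check a client identity the same way. The make_demo_auth_dir helper builds constructed throwaway test data with openssl so the script also runs off the router.

```shell
#!/bin/sh
# Added example (not from the Ubiquiti article): sanity-check an EdgeRouter
# /config/auth directory before the OpenVPN server config is committed.
# check_auth_dir DIR [NAME] (NAME defaults to "server") verifies that NAME.pem
# chains to cacert.pem, NAME.key is its private key and has no passphrase
# (step 12), NAME.pem is not about to expire, and server.key and cakey.pem
# are readable by root only. Returns 0 only if every check passes.
check_auth_dir() {
  dir="$1"; name="${2:-server}"; rc=0
  cert="$dir/$name.pem"; key="$dir/$name.key"
  if openssl verify -CAfile "$dir/cacert.pem" "$cert" >/dev/null 2>&1; then
    echo "ok:   $name.pem chains to cacert.pem"
  else echo "FAIL: $name.pem is not signed by cacert.pem"; rc=1; fi
  # The public key inside the cert must equal the one derived from the key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
  if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "ok:   $name.key matches $name.pem"
  else echo "FAIL: $name.key does not match $name.pem (or is unreadable)"; rc=1; fi
  if grep -q ENCRYPTED "$key" 2>/dev/null; then
    echo "FAIL: $name.key still has a passphrase (see step 12)"; rc=1
  else echo "ok:   $name.key has no passphrase"; fi
  # CA.pl signs for 365 days; flag certs that expire within 30 days (2592000 s).
  if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "ok:   $name.pem is valid for more than 30 days"
  else echo "FAIL: $name.pem expires within 30 days (or is unreadable)"; rc=1; fi
  for f in "$dir/server.key" "$dir/cakey.pem"; do
    case "$(ls -l "$f" 2>/dev/null | cut -c5-10)" in  # group + other bits
      ------) echo "ok:   $(basename "$f") is readable by its owner only" ;;
      *) echo "FAIL: $(basename "$f") is readable by group or others"; rc=1 ;;
    esac
  done
  return $rc
}
# Constructed test data: a throwaway CA and server identity with the article's
# file names (generating the RSA keys takes a few seconds). Prints the path.
make_demo_auth_dir() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=root" \
    -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/cacert.pem" \
    -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/server.pem" 2>/dev/null
  chmod 600 "$d/server.key" "$d/cakey.pem"
  echo "$d"
}
# On the router: sh check_auth.sh /config/auth [client1]. No argument: demo data.
if [ $# -gt 0 ]; then check_auth_dir "$@"; else check_auth_dir "$(make_demo_auth_dir)"; fi
```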

16. Return to operational mode.

exit

17. Enter configuration mode.

configure

18. Add a firewall rule for the OpenVPN traffic to the WAN_LOCAL firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

19. Configure the OpenVPN virtual tunnel interface.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1

20. Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

21. Add the virtual tunnel interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

22. Commit the changes and save the configuration.

commit ; save

Full EdgeOS CLI configuration (steps 17-22) below:

configure

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

set service dns forwarding listen-on vtun0

commit ; save

Setting up the OpenVPN Client


Windows Client

In this section, we are using a Windows 10 machine as the OpenVPN client.

1. Navigate to the OpenVPN config folder.

C:\Program Files\OpenVPN\config\

2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).

3. Transfer the certificates and client key files from the EdgeRouter /config/auth directory to the OpenVPN client.

[Image: transfer.png]

NOTE: In this example, WinSCP is used to transfer the files.

4. Add the following information to the er.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname).

client
dev tun
proto udp
remote <server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key

5. To send all traffic through the VPN connection, append the following line to the er.ovpn configuration file.

redirect-gateway def1

6. Connect to the server.

macOS Client

In this section, we are using an Apple macOS computer as the OpenVPN client.

1. Open the macOS Terminal and create an OpenVPN directory and configuration file.

mkdir ~/Desktop/config
touch ~/Desktop/config/er.ovpn

2. From the macOS Terminal, transfer the certificates and client key files from the EdgeRouter /config/auth directory to the newly created directory on the client (replace username@<ip-address> with the username and IP address of the EdgeRouter).

scp username@<ip-address>:/config/auth/cacert.pem ~/Desktop/config
scp username@<ip-address>:/config/auth/client1.pem ~/Desktop/config
scp username@<ip-address>:/config/auth/client1.key ~/Desktop/config

3. Add the following information to the er.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname).

client
dev tun
proto udp
remote <server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key

4. To send all traffic through the VPN connection, append the following line to the er.ovpn configuration file.

redirect-gateway def1

5. Connect using your favorite OpenVPN client management software (for example Tunnelblick).

Related Articles


EdgeRouter - OpenVPN Site-to-Site

EdgeRouter - OpenVPN Layer 2 Tunnel

EdgeRouter - L2TP IPsec VPN Server

Intro to Networking - How to Establish a Connection Using SSH
