EdgeRouter - OpenVPN Server
Overview
Readers will learn how to configure an OpenVPN server on the EdgeRouter.
- Applicable to the latest EdgeOS firmware on all EdgeRouter models.
- Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required.
Configuring the OpenVPN Server
The EdgeRouter OpenVPN server provides access to the LAN (192.168.1.0/24) for authenticated OpenVPN clients.
1. Make sure that the date/time is set correctly on the EdgeRouter.
show date
Mon Jan 21 12:13:07 UTC 2019
2. Log in as the root user.
sudo su
3. Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory.
openssl dhparam -out /config/auth/dh.pem -2 2048
4. Change the current directory.
cd /usr/lib/ssl/misc
5. Generate a root certificate (replace <secret> with your desired passphrase).
./CA.pl -newca
PEM Passphrase: <secret>
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ui.com
6. Copy the newly created CA certificate and key to the /config/auth directory.
cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth
7. Generate the server certificate.
./CA.pl -newreq
Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: server
Email Address: support@ui.com
8. Sign the server certificate.
./CA.pl -sign
Certificate Details:
Validity
Not Before: Jan 21 13:02:57 2019 GMT
Not After : Jan 21 13:02:57 2020 GMT
Subject:
countryName = US
stateOrProvinceName = New York
localityName = New York
organizationName = Ubiquiti
organizationalUnitName = Support
commonName = server
emailAddress = support@ui.com
Certificate is to be certified until Jan 21 13:02:57 2020 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
9. Move and rename the server certificate and key files to the /config/auth directory.
mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key
10. Generate, sign and move the certificate and key files for the first OpenVPN client.
./CA.pl -newreq
Common Name: client1
./CA.pl -sign
Certificate Details:
Validity
Not Before: Jan 21 13:05:03 2019 GMT
Not After : Jan 21 13:05:03 2020 GMT
Subject:
countryName = US
stateOrProvinceName = New York
localityName = New York
organizationName = Ubiquiti
organizationalUnitName = Support
commonName = client1
emailAddress = support@ui.com
Certificate is to be certified until Jan 21 13:05:03 2020 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
11. Repeat the process for the second OpenVPN client.
./CA.pl -newreq
Common Name: client2
./CA.pl -sign
mv newcert.pem /config/auth/client2.pem
mv newkey.pem /config/auth/client2.key
12. Remove the password from the server key file and optionally the client key file(s).
openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
openssl rsa -in /config/auth/client2.key -out /config/auth/client2-no-pass.key
13. Overwrite the existing keys with the no-pass versions.
mv /config/auth/server-no-pass.key /config/auth/server.key
mv /config/auth/client1-no-pass.key /config/auth/client1.key
mv /config/auth/client2-no-pass.key /config/auth/client2.key
14. Add read permission for non-root users to the client key files.
chmod 644 /config/auth/client1.key
chmod 644 /config/auth/client2.key
15. Verify the contents of the /config/auth directory.
ls -l /config/auth
-rw-r--r-- 1 root vyattacf 4477 Jan 21 13:02 cacert.pem
-rw------- 1 root vyattacf 1854 Jan 21 13:02 cakey.pem
-rw-r--r-- 1 root vyattacf 1675 Jan 21 13:06 client1.key
-rw-r--r-- 1 root root 4647 Jan 21 13:05 client1.pem
-rw-r--r-- 1 root vyattacf 1675 Jan 21 13:24 client2.key
-rw-r--r-- 1 root vyattacf 4647 Jan 21 13:24 client2.pem
-rw-r--r-- 1 root vyattacf 424 Jan 21 12:44 dh.pem
-rw------- 1 root vyattacf 1679 Jan 21 13:06 server.key
-rw-r--r-- 1 root root 4642 Jan 21 13:02 server.pem
16. Return to operational mode.
exit
17. Enter configuration mode.
configure
18. Add a firewall rule for the OpenVPN traffic to the WAN_LOCAL firewall policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
19. Configure the OpenVPN virtual tunnel interface.
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
20. Link the server certificate/keys and DH key to the virtual tunnel interface.
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
21. Add the virtual tunnel interface to the DNS forwarding interface list.
set service dns forwarding listen-on vtun0
22. Commit the changes and save the configuration.
commit ; save
Full EdgeOS CLI configuration (steps 17-22) below:
configure
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
set service dns forwarding listen-on vtun0
commit ; save
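A consistency check for the files verified in step 15, added here as an example and not part of the Ubiquiti article: it confirms that a certificate chains to cacert.pem, that the key file actually belongs to that certificate, and that the one-year validity CA.pl assigned (see the "365 days" in the signing output) has not run out or is about to. It assumes openssl is on PATH; make_demo_pki builds a constructed throw-away CA, server and client pair so the check can be run off the router, while on the EdgeRouter you would point check_cert at /config/auth.

```shell
#!/bin/sh
# Added example, not from the Ubiquiti article. Requires openssl on PATH.

# make_demo_pki DIR: constructed throw-away PKI mirroring the article's file
# names (cacert.pem, server.pem/.key, client1.pem/.key) for offline testing.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
    -out "$d/cacert.pem" -subj "/CN=root" -days 365 >/dev/null 2>&1
  for n in server client1; do
    openssl req -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=$n" >/dev/null 2>&1
    openssl x509 -req -in "$d/$n.csr" -CA "$d/cacert.pem" \
      -CAkey "$d/cakey.pem" -CAcreateserial -days 365 \
      -out "$d/$n.pem" >/dev/null 2>&1
  done
}

# check_cert CA CERT KEY: returns 0 only if CERT is signed by CA, KEY is the
# private key matching CERT, and CERT is valid for at least 30 more days.
# Prints the first failing condition so a wrong or stale file is easy to spot.
check_cert() {
  ca="$1"; cert="$2"; key="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert: not signed by $ca"; return 1; }
  # Compare RSA moduli: identical modulus means the key belongs to the cert.
  cm=$(openssl x509 -in "$cert" -noout -modulus | openssl sha256)
  km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl sha256)
  [ -n "$km" ] && [ "$cm" = "$km" ] \
    || { echo "$key: does not match $cert"; return 1; }
  # -checkend N fails if the certificate expires within N seconds (30 days).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "$cert: expires within 30 days, reissue it"; return 1; }
  echo "$cert: ok"
  return 0
}
```

On the router, run for example `check_cert /config/auth/cacert.pem /config/auth/server.pem /config/auth/server.key` and once per client pair before linking the files in step 20.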
Setting up the OpenVPN Client
Windows Client
In this section, we are using a Windows 10 machine as the OpenVPN client.
1. Navigate to the OpenVPN config folder.
C:\Program Files\OpenVPN\config\
2. Create a new folder (optional) and an OpenVPN configuration file (er.ovpn).
3. Transfer the certificates and client key files from the EdgeRouter /config/auth directory to the OpenVPN client.
4. Add the following information to the er.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname).
client
dev tun
proto udp
remote <server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
5. To send all traffic through the VPN connection, append the following line to the er.ovpn configuration file.
redirect-gateway def1
6. Connect to the server.
macOS Client
In this section, we are using an Apple macOS computer as the OpenVPN client.
1. Open the macOS Terminal and create an OpenVPN directory and configuration file.
mkdir ~/Desktop/config
touch ~/Desktop/config/er.ovpn
2. From the macOS Terminal, transfer the certificates and client key files from the EdgeRouter /config/auth directory to the newly created directory on the client (replace username@<ip-address> with the username and IP address of the EdgeRouter).
scp username@<ip-address>:/config/auth/cacert.pem ~/Desktop/config
scp username@<ip-address>:/config/auth/client1.pem ~/Desktop/config
scp username@<ip-address>:/config/auth/client1.key ~/Desktop/config
3. Add the following information to the er.ovpn configuration file (replace <server> with the EdgeRouter's external IP address or hostname).
client
dev tun
proto udp
remote <server> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
4. To send all traffic through the VPN connection, append the following line to the er.ovpn configuration file.
redirect-gateway def1
5. Connect using your favorite OpenVPN client management software (for example Tunnelblick).