In this tutorial, we will be configuring an OpenVPN server with X.509 certs on a Ubiquiti EdgeRouter Lite. We will also go through how to connect a remote Linux client to the VPN. Below is a physical network diagram:
{{{
           +--------------------------------+
           |          Ubiquiti ERL          |
(Public IP)|                                |192.168.69.254
           |        \          /            |
           |    +----------------------+    |
           |    |    iptables and      |    |
           |    |    routing engine    |    |
           |    +--+----------------+--+    |
           |       |*1              |*2  \  |192.168.68.254
           |       |                |  eth1}===============
           |       |                |       |
           |   (openvpn)-------{vtun0}      |
           |                192.168.70.1/24 |
           +--------------------------------+
*1 – Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client
*2 – The unencrypted traffic will pass here. This is the exit/entry point for the VPN tunnel.
}}}
** __Note: If you would prefer to be lazy (like me), check out [[openvpn-server-configuration-script-ubiquiti-edgerouter-lite]]__ **
[[[TOC]]]
——
=EdgeRouter Lite (Server)=
# Log in via SSH and escalate to root
{{{
sudo su
}}}
# Generate the CA certificate and key. The script prompts for a PEM passphrase; it protects `cakey.pem`, so choose a real one, since this key can mint certificates that your VPN will trust
{{{
cd /usr/lib/ssl/misc/
./CA.sh -newca
}}}
# You will then be presented with some prompts; fill them out along the lines of the example below. The "challenge password" is only a CSR attribute and never ends up in the issued certificate, so you can leave it empty
{{{
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Nevada
Locality Name (eg, city) []:Las Vegas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LasLabs
Organizational Unit Name (eg, section) []:Product Development
Common Name (eg, YOUR name) []:erl-ca-0.dlasley.net
Email Address []:postmaster@dlasley.net
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:LasLabs
}}}
# Now create the server cert/key. Give it a Common Name that differs from the CA's (the router's public hostname is the natural choice); `-newreq` asks for a passphrase for the new key and `-sign` asks for the CA passphrase
{{{
./CA.sh -newreq
./CA.sh -sign
}}}
# Move the new files to `/config/auth/`, which survives firmware upgrades. Note that this also leaves the (passphrase-protected) CA private key on the router, so anyone who gets root on the ERL can issue further certificates; keep an offline copy and consider removing `cakey.pem` from the router once all client certs are issued
{{{
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
mv newcert.pem /config/auth/host.pem
mv newkey.pem /config/auth/host.key
}}}
# The next step is to create the [[http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange|Diffie-Hellman]] parameter file. 1024 is shown below; 2048 is the sensible minimum today and takes considerably longer on the ERL's CPU, so be patient or generate the file on a faster machine and copy it over
{{{
openssl dhparam -out /config/auth/dhp.pem -2 1024
}}}
# Create a cert/key pair for every client that will be connecting (repeat the four commands per client). Each client needs a unique Common Name: OpenVPN refuses a second connection with a CN that is already in use unless `duplicate-cn` is set, and the CN is also the key for the per-client settings later on
{{{
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem client1.pem
mv newkey.pem client1.key
}}}
# Transfer the CA cert and the client's own key/cert to that client. Never ship `cakey.pem`; and note that `/etc/ssl/certs` is world-readable, so the key file permissions are tightened in the client sections below
{{{
scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs
}}}
# Enter ERL configuration mode
{{{
configure
}}}
# Set up the OpenVPN server
{{{
edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.70.0/24
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/host.pem
set tls key-file /config/auth/host.key
set tls dh-file /config/auth/dhp.pem
}}}
# Configure the server to push LAN/WLAN routes to clients
{{{
set server push-route 192.168.69.0/24
set server push-route 192.168.68.0/24
}}}
# Set up static IPs for clients. Replace `static-client.dlasley.net` with the Common Name of the client (defined in the client cert). You can also set `push-route` for per-client routes.
{{{
set server client static-client.dlasley.net ip 192.168.70.100
top
}}}
# Open the firewall for OpenVPN traffic to the router. Rule 1 is used below; check `show firewall name WAN_LOCAL` first and pick an unused rule number so you do not overwrite an existing rule
{{{
edit firewall name WAN_LOCAL rule 1
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp
top
}}}
# Commit and save
{{{
commit
save
}}}
* The relevant portions of my config are below for reference. The routes here were entered as raw `openvpn-option "--push route ..."` lines rather than the `server push-route` form used above; both push the same routes to clients:
{{{
# show interfaces openvpn
openvpn vtun0 {
mode server
openvpn-option "--push route 192.168.69.0 255.255.255.0"
openvpn-option "--push route 192.168.68.0 255.255.255.0"
server {
subnet 192.168.70.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/host.pem
dh-file /config/auth/dhp.pem
key-file /config/auth/host.key
}
}
# show firewall name WAN_LOCAL rule 1
action accept
description OpenVPN
destination {
port 1194
}
log disable
protocol udp
}}}
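One thing the `CA.sh -newreq`/`-sign` steps above do not give you is a way for the client to tell a server certificate from a client certificate: `CA.sh` signs every request with the stock `usr_cert` extensions, which carry no `extendedKeyUsage`, so any client cert from this CA would also be accepted as "the server" and the client cannot use OpenVPN's `remote-cert-tls server` check. The script below is an added example, not part of the original page or of EdgeOS; it issues the same three artefacts (CA, server cert, client cert) with plain `openssl`, pins each cert to one role, and then runs the sanity checks worth doing before the `scp` step: chain verifies against `cacert.pem`, key matches cert, and the CN is the string you will type into `set server client <CN>`. The names `erl-ca-0.example`, `vpn.example` and `client1.example`, the 825-day validity and the unencrypted CA key (so it runs unattended) are assumptions for the example.

```shell
#!/bin/sh
# Added example: role-pinned CA/server/client certs plus pre-transfer checks.
# Not the page's CA.sh procedure; hostnames and lifetimes are assumptions.
set -eu

WORK=$(mktemp -d)                 # scratch dir; copy what you need from here
CA_SUBJ="/CN=erl-ca-0.example"    # assumed CA name

# make_ca: self-signed CA. NOTE: -nodes leaves cakey.pem unencrypted (unlike
# CA.sh -newca), so keep it offline or encrypt it afterwards.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_cert NAME ROLE: key + CSR for NAME, signed by the CA with an
# extension file that pins the cert to exactly one role.
issue_cert() {
    name=$1; role=$2
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 825 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok NAME: does cacert.pem actually vouch for NAME.pem?
chain_ok() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# key_matches NAME: was NAME.pem issued for NAME.key? (compares RSA moduli)
key_matches() {
    c=$(openssl x509 -noout -modulus -in "$WORK/$1.pem")
    k=$(openssl rsa  -noout -modulus -in "$WORK/$1.key" 2>/dev/null)
    [ "$c" = "$k" ]
}

# cert_cn NAME: the Common Name, i.e. what goes into "set server client <CN>"
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.pem" \
        | sed 's/^subject= *CN=//'
}

# cert_role NAME: server, client or none, read from extendedKeyUsage.
# A cert that answers "client" must never be used as the server cert.
cert_role() {
    t=$(openssl x509 -noout -text -in "$WORK/$1.pem")
    case $t in
        *"TLS Web Server Authentication"*) echo server ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *) echo none ;;
    esac
}

make_ca
issue_cert vpn.example server
issue_cert client1.example client

for n in vpn.example client1.example; do
    if chain_ok "$n" && key_matches "$n"; then
        echo "$n: OK  CN=$(cert_cn "$n")  role=$(cert_role "$n")"
    else
        echo "$n: FAILED verification" >&2
    fi
done
echo "artefacts are in $WORK"
```

With a server cert issued this way, the Linux client config further down can carry `remote-cert-tls server`, which makes OpenVPN reject any peer whose certificate lacks the serverAuth usage, even when it is signed by the same CA. Use `$WORK/host.pem`-style copies in `/config/auth/` on the ERL exactly as in the `set tls ...` steps above.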
——
=EdgeRouter Lite (Client)=
# Transfer the CA cert and the client key/cert to the client as described in the server section above. On an EdgeRouter client, put them under `/config/auth/` (and point the `tls` paths below there) so they survive a firmware upgrade, just as on the server
# Enter configure mode, create vtun0 configuration node, and set to client mode
{{{
configure
edit interfaces openvpn vtun0
set mode client
}}}
# Set up the VPN client, taking care to substitute the example values for your own. `comp-lzo` must match on both ends: the server configuration above does not enable it, so either add it there as well or leave it out here (compression of tunnelled traffic is generally better left off)
{{{
set remote-host vpn.domain.com
set tls ca-cert-file /etc/ssl/certs/cacert.pem
set tls cert-file /etc/ssl/certs/client1.pem
set tls key-file /etc/ssl/certs/client1.key
set hash sha256
set openvpn-option '--comp-lzo'
}}}
# Commit and save changes
{{{
commit
save
}}}
——
=Linux Client=
# Transfer the CA cert and the client key/cert to the client as described in the server section above
# (If CentOS) Add the [[add-epel-repository-to-centos|EPEL Repo]]
# Install openvpn using your package manager
{{{
# Red Hat/CentOS/Fedora
yum install openvpn
# Debian/Ubuntu
apt-get install openvpn
}}}
# Create a new client configuration file; a nice commented one is available [[http://openvpn.net/index.php/open-source/documentation/howto.html#examples|on the OpenVPN website]]. I have pasted mine below for reference:
{{{
## File: /etc/openvpn/client.conf
client
dev tun
proto udp
remote vpn.dlasley.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/ssl/certs/cacert.pem
cert /etc/ssl/certs/client1.pem
key /etc/ssl/certs/client1.key
}}}
# Restrict permissions on the private key. Only touch the key: a glob such as `/etc/ssl/certs/*.pem` would also follow the symlinks to the distribution's CA certificates and make them unreadable to unprivileged processes, breaking TLS verification system-wide
{{{
sudo chmod 600 /etc/ssl/certs/client1.key
}}}
# Initiate the tunnel (root is needed to create the tun device)
{{{
sudo openvpn --config /etc/openvpn/client.conf
}}}
——
=Relevant openssl commands=
* The below command can be used to remove the passphrase from a key file instead of having to enter it every time you start the server or initiate a VPN connection. The resulting key is unprotected, so keep it readable by root only:
{{{
openssl rsa -in client1.key -out client1_nopass.key
}}}
* This command can be used to generate a PKCS#12 file (`.pfx`, `.p12`) containing the client cert, its private key and the CA cert (the file names match those produced in the server section above; it prompts for an export password):
{{{
openssl pkcs12 -export -out client1.p12 -inkey client1.key \
-in client1.pem -certfile /config/auth/cacert.pem
}}}
——
=Credits=
* [[http://www.vyatta.com/downloads/documentation/VC6.5/Vyatta-VPN_6.5R1_v01.pdf|Vyatta VPN Configuration Guide]]
* [[https://community.openvpn.net/openvpn/wiki/|OpenVPN Wiki]]