In this tutorial, we will be configuring an OpenVPN server with X.509 certs on a Ubiquiti EdgeRouter Lite. We will also go through how to connect a remote Linux client to the VPN. Below is a physical network diagram:

                         |          Ubiquiti ERL          |
              (Public IP)|                                |
 <INTERNET>=============={eth2                        eth0}=============<internal network / LAN />
                         |   \                        /   |
                         |    +----------------------+    |
                         |    | iptables and         |    |
                         |    | routing engine       |    |
                         |    +--+----------------+--+    |
                         |       |*1              |*2 \   |
                         |       |                |   eth1}=============<internal network / WLAN />
                         |       |                |       |
                         |     (openvpn)-------{vtun0}    |
                         |     \24  |

   *1 - Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client
   *2 - The unencrypted traffic will pass here.  This is the exit/entry point for the VPN tunnel.

Note: If you would prefer to be lazy (like me), check out OpenVPN Server Configuration Script – Ubiquiti EdgeRouter Lite

EdgeRouter Lite (Server)

  1. Login via ssh, escalate to root
    sudo su
  2. Generate a CA certificate
    cd /usr/lib/ssl/misc/
    ./ -newca
  3. You will then be presented with some prompts; fill out similar to the below
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Nevada
    Locality Name (eg, city) []:Las Vegas
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:LasLabs
    Organizational Unit Name (eg, section) []:Product Development
    Common Name (eg, YOUR name) []
    Email Address []
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:LasLabs
  4. Now we need to create our server cert/key.
    ./ -newreq
    ./ -sign
  5. Move the new files to /config/auth/ for preservation in the event of firmware upgrade
    cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
    mv newcert.pem /config/auth/host.pem
    mv newkey.pem /config/auth/host.key
  6. The next step is to create the Diffie-Helman parameter file (replace 1024 with whatever bit strength you would like)
    openssl dhparam -out /config/auth/dhp.pem -2 1024
  7. Create a set of certs/keys for all clients that will be connecting
    ./ -newreq
    ./ -sign
    mv newcert.pem client1.pem
    mv newkey.pem client1.key

  8. Transfer the CA cert & client key/cert to associated clients
    scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs
  9. Enter ERL configuration mode
  10. Setup the OpenVPN server
    edit interfaces openvpn vtun0
    set mode server
    set server subnet
    set tls ca-cert-file /config/auth/cacert.pem
    set tls cert-file /config/auth/host.pem
    set tls key-file /config/auth/host.key
    set tls dh-file /config/auth/dhp.pem
  11. Configure the server to push LAN/WLAN routes to clients
    set server push-route
    set server push-route
  12. Setup static IPs for clients. Replace with the Common Name of the client (defined in the client cert). You can also set push-route for per-client routes.
    set server client ip
  13. Open the firewall for OpenVPN traffic to the router. Take care to not overwrite existing rules
    edit firewall name WAN_LOCAL rule 1
    set description OpenVPN
    set action accept
    set destination port 1194
    set log disable
    set protocol udp
  14. Commit and save
  • The relevant portions of my config are below for reference:
    # show interfaces openvpn
     openvpn vtun0 {
         mode server
         openvpn-option "--push route"
         openvpn-option "--push route"
         server {
         tls {
             ca-cert-file /config/auth/cacert.pem
             cert-file /config/auth/host.pem
             dh-file /config/auth/dhp.pem
             key-file /config/auth/host.key
    # show firewall name WAN_LOCAL rule 1
     action accept
     description OpenVPN
     destination {
         port 1194
     log disable
     protocol udp

EdgeRouter Lite (Client)

  1. Transfer the cacert and client key files to client as described here
  2. Enter configure mode, create vtun0 configuration node, and set to client mode
    edit interfaces openvpn vtun0
    set mode client
  3. Setup VPN client, take care to substitute the example configuration values for your own
    set remote-host
    set tls ca-cert-file /etc/ssl/certs/cacert.pem
    set tls cert-file /etc/ssl/certs/client1.pem
    set tls key-file /etc/ssl/certs/client1.key
    set hash sha256
    set openvpn-option '--comp-lzo'
  4. Commit and save changes

Linux Client

  1. Transfer the cacert and client key files to client as described here
  2. (If CentOS) Add the EPEL Repo
  3. Install openvpn using your package manager
    #  Red Hat/CentOS/Fedora
    yum install openvpn
    #  Debian/Ubuntu
    apt-get install openvpn
  4. Create a new client configuration file; a nice commented one is available on the OpenVPN website. I have pasted mine below for reference:
    ##  File: /etc/openvpn/client.conf
    dev tun
    proto udp
    remote 1194
    resolv-retry infinite
    verb 3
    ca /etc/ssl/certs/cacert.pem
    cert /etc/ssl/certs/client1.pem
    key /etc/ssl/certs/client1.key
  5. Set cert permissions
    sudo chmod 600 /etc/ssl/certs/*.{key,pem}
  6. Initiate the tunnel
    openvpn /etc/openvpn/client.conf

Relevant openssl commands

  • The below command can be used to remove the password from your key files instead of having to enter it every time you start the server/initiate a VPN connection:
    openssl rsa -in client1.key -out client1_nopass.key
  • This command can be used to generate a PKCS#12 file (.pfx, .p12) containing the certs and private key
    openssl pkcs12 -export -out client1.p12 -inkey client1.key \
      -in client1.crt -certfile /config/auth/cacert.pem