Configure OpenVPN with X.509 – Ubiquiti EdgeRouter Lite
In this tutorial, we will be configuring an OpenVPN server with X.509 certs on a Ubiquiti EdgeRouter Lite. We will also go through how to connect a remote Linux client to the VPN. Below is a physical network diagram:
Physical network diagram (ASCII art in the original, rendered here as a list of the router's ports):
- eth0/eth2 pair on the Ubiquiti ERL: one port carries the public IP facing <INTERNET>, the other is 192.168.69.254 on the internal network / LAN / 192.168.69.0/24
- eth1: 192.168.68.254 on the internal network / WLAN / 192.168.68.0/24
- vtun0 (openvpn): 192.168.70.1/24, attached to the iptables and routing engine
- *1 - Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client
- *2 - The unencrypted traffic will pass here. This is the exit/entry point for the VPN tunnel.
Note: If you would prefer to be lazy (like me), check out OpenVPN Server Configuration Script – Ubiquiti EdgeRouter Lite
EdgeRouter Lite (Server)
- Login via ssh, escalate to root
sudo su
- Generate a CA certificate
cd /usr/lib/ssl/misc/
./CA.sh -newca
- You will then be presented with some prompts; fill them out similarly to the example below
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Nevada
Locality Name (eg, city) []:Las Vegas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LasLabs
Organizational Unit Name (eg, section) []:Product Development
Common Name (eg, YOUR name) []:erl-ca-0.dlasley.net
Email Address []:postmaster@dlasley.net
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:123456
An optional company name []:LasLabs
- Now we need to create our server cert/key.
./CA.sh -newreq
./CA.sh -sign
- Move the new files to /config/auth/ for preservation in the event of a firmware upgrade
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
mv newcert.pem /config/auth/host.pem
mv newkey.pem /config/auth/host.key
- The next step is to create the Diffie-Hellman parameter file (replace 1024 with whatever bit strength you would like)
openssl dhparam -out /config/auth/dhp.pem -2 1024
- Create a set of certs/keys for all clients that will be connecting
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem client1.pem
mv newkey.pem client1.key
- Transfer the CA cert & client key/cert to associated clients
scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs
- Enter ERL configuration mode
configure
- Set up the OpenVPN server
edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.70.0/24
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/host.pem
set tls key-file /config/auth/host.key
set tls dh-file /config/auth/dhp.pem
- Configure the server to push LAN/WLAN routes to clients
set server push-route 192.168.69.0/24
set server push-route 192.168.68.0/24
- Set up static IPs for clients. Replace static-client.dlasley.net with the Common Name of the client (defined in the client cert). You can also set push-route for per-client routes.
set server client static-client.dlasley.net ip 192.168.70.100
top
- Open the firewall for OpenVPN traffic to the router. Take care to not overwrite existing rules
edit firewall name WAN_LOCAL rule 1
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp
top
- Commit and save
commit
save
- The relevant portions of my config are below for reference:
# show interfaces openvpn
 openvpn vtun0 {
     mode server
     openvpn-option "--push route 192.168.69.0 255.255.255.0"
     openvpn-option "--push route 192.168.68.0 255.255.255.0"
     server {
         subnet 192.168.70.0/24
     }
     tls {
         ca-cert-file /config/auth/cacert.pem
         cert-file /config/auth/host.pem
         dh-file /config/auth/dhp.pem
         key-file /config/auth/host.key
     }
 }
# show firewall name WAN_LOCAL rule 1
 action accept
 description OpenVPN
 destination {
     port 1194
 }
 log disable
 protocol udp
EdgeRouter Lite (Client)
- Transfer the cacert and client key files to client as described here
- Enter configure mode, create vtun0 configuration node, and set to client mode
configure
edit interfaces openvpn vtun0
set mode client
- Set up the VPN client; take care to substitute the example configuration values for your own
set remote-host vpn.domain.com
set tls ca-cert-file /etc/ssl/certs/cacert.pem
set tls cert-file /etc/ssl/certs/client1.pem
set tls key-file /etc/ssl/certs/client1.key
set hash sha256
set openvpn-option '--comp-lzo'
- Commit and save changes
commit
save
Linux Client
- Transfer the cacert and client key files to client as described here
- (If CentOS) Add the EPEL Repo
- Install openvpn using your package manager
# Red Hat/CentOS/Fedora
yum install openvpn
# Debian/Ubuntu
apt-get install openvpn
- Create a new client configuration file; a nice commented one is available on the OpenVPN website. I have pasted mine below for reference:
## File: /etc/openvpn/client.conf
client
dev tun
proto udp
remote vpn.dlasley.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/ssl/certs/cacert.pem
cert /etc/ssl/certs/client1.pem
key /etc/ssl/certs/client1.key
- Set cert permissions
sudo chmod 600 /etc/ssl/certs/*.{key,pem}
- Initiate the tunnel
openvpn /etc/openvpn/client.conf
Relevant openssl commands
- The below command can be used to remove the password from your key files instead of having to enter it every time you start the server/initiate a VPN connection:
openssl rsa -in client1.key -out client1_nopass.key
- This command can be used to generate a PKCS#12 file (.pfx, .p12) containing the certs and private key (the signed client cert was named client1.pem in the server steps above):
openssl pkcs12 -export -out client1.p12 -inkey client1.key \
    -in client1.pem -certfile /config/auth/cacert.pem
Thanks for that share!
How's the VPN throughput performance in that device?
I haven’t done extensive testing, but I slow down by about 25-40% if I go over VPN. Below are two sets of downloads, the internal IP is going over VPN while the `test.dlasley.net` is over the public interface:
test.dlasley.net 100% 7182KB 2.3MB/s 00:03
192.168.69.100 100% 7182KB 1.4MB/s 00:05
test.dlasley.net 100% 128MB 2.5MB/s 00:51
192.168.69.100 100% 128MB 1.8MB/s 01:13
I would be more than happy to provide the results of other tests if you would like.
I followed your steps to the letter, but I’m having two problems. One is the {set server client kevin ip 10.100.2.101} command. I get this error; “The specified configuration node is not valid
Set failed”
Secondly if I try to connect I get the following error on the client side:
“read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)”
Any help would be greatly appreciated! Also, what if I wanted the OpenVPN server to dynamically assign IPs? What is the command for that? And, one last thing. What if I wanted to bridge the OpenVPN connection to ETH0; how would I go about doing that. If I bridge it, the DHCP server for that subnet should apply to VPN clients, correct?
Again, thanks!
Let’s try the absolute config node (instead of relative) for the first issue – `set interfaces openvpn vtun0 server client kevin ip 10.100.2.101`. Also note that your client name (kevin) should match the Common Name of the client as defined in its cert.
The `connection reset by peer` issue usually indicates a port accessibility problem/poor connection between client/server. I have had luck resolving this error by switching from UDP protocol to TCP. In the server, issue `set interfaces openvpn vtun0 protocol tcp-passive`. You will also need to modify the server’s firewall rule (WAN_LOCAL rule 1 in this guide) to allow packets on the TCP protocol, instead of UDP. In the client config, switch `proto udp` to `proto tcp`.
The server will automatically assign IPs within the subnet you have defined in the `interfaces openvpn vtun# server subnet` configuration node if the client’s CN is not found in the static reservations. No additional configuration is necessary for this feature.
In regards to bridging the connections, that is a bit more than I can cover in the comments. This is probably a good subject for me to cover in a new post, in the interim take a look at Vyatta’s tutorial – http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/Bridging/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Bridging&file=Bridging_Configuration_Examples.3.21.html
The problem with the “server client …” appears to be the “top” command in the instructions above. If you don’t enter top and stay in the vtun0 context, then it works. At least, that is how I understood it, you might consider removing the “top” statement above.
Hi Darren,
Thanks for the comment; you are 100% correct. I went ahead and updated the article.
One question: I want to use it as a client. I have seen the EdgeMAX configuration, but the thing is I can't put the certificates and the keys into the router because it tells me I don't have enough permissions, and the user I am logging in with is administrator. What should I do, or how do I transfer the certificates from my computer to the router?
best regards,
MN.
OK, I figured it out: I transfer it to /tmp and then move it to the location. One question: how do you start OpenVPN and stop OpenVPN?
To be honest, I have never configured an EdgeRouter client in anything other than a site-to-site scenario, so I’m not 100%. On a linux box, I would run the command `openvpn /path/to/openvpn/client/conf` to start the OpenVPN client. I don’t see why this wouldn’t work on the router as well.
When I try to complete the Copy from the Server to the Client (Both are Edgemax Router Lite(s), it asks for the Root Password. Nothing seems to work.
Any ideas?
Hi James – That would be the root password to the remote device. You can change the user by appending it before the remote IP, as so: `scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs`
With the above config, you will get these errors:
read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=146)
You need to add:
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 openvpn-option '--comp-lzo'
Updated article to reflect this. Thanks for the feedback!
Are these defaults for something? It’s not anywhere else but that one section.
Hello,
Great information, it helped me a lot. I still have two issues and cannot figure them out. Maybe you have the answers. I configured the ERL based on your given config for a simple SOHO config and the configuration of the OpenVPN x509 server config.
Question 1: After a boot of the ERL the vtun0 seems to have disappeared completely. Is there an option to start the vtun0 adapter automatically again after a boot?
Question 2: When I try to connect internally (local, directly at the IP address of the ERL), I can connect and set up a VPN connection. But when I try to connect the desired way, on the WAN address, no connection can be made. Any idea? I already tried to add an additional rule in the WAN_IN set for opening up (accept) port 1194.
Grateful to any help, thnx!
With question 1, it seems that you may not have saved the configuration after committing. Try entering `save` after you enter the `commit` command, and that should keep the server active on boot.
Question 2 is probably a bit more involved. I can only connect clients from my WAN, and not from my WAN, so it sounds like something got reversed here. Can you put the output of `show interfaces` into a Pastebin (http://pastebin.com/) and send me the link?
1) You may need to remove the passphrase from your SERVER’S key file. vtun0 disappeared on me as well (someone else in these comments had the same thing happen).
https://blog.laslabs.com/2013/06/configure-openvpn-with-x-509-ubiquiti-edgerouter-lite/#relevant-openssl-commands
2) A rule to accept on WAN_IN will pass the traffic through (from WAN through to the LAN) although probably not get very far without some port forwards. Definitely you want port 1194 open on WAN_LOCAL — that which affects traffic with a destination of your public IP address.
Your server may be listening on a LAN interface (eth2 for example), and not your WAN interface (eth0 for example). Although, after looking through my own config, I have no idea how that “listen on interface” gets set. And I cannot connect from the internal LAN side, either to the public IP address, or one of the internal ones. I can only think to check the settings under:
“show port-forward” (in configure mode) to make sure your correct interface is “wan-interface”
After thinking about this I’d really like to know how to make it listen on one of the LAN interfaces.
Thanks for your post, I am following your instructions with an OpenVPN setup; only I have trouble with routing.
I use eth0 for public static ip then use NAT Masquerade for eth1,eth2, vtun0
I have all cert and config up, config details is here: http://pastebin.com/RHD6x4fL
Client can connect to server without problem.
But I cannot ping ip at 192.168.1.1. I want to make the client access the web through the server, but I am not sure how to do it.
Any help is greatly appreciated. (Been searching for a while, no good result; maybe I don't really understand how the routing works within OpenVPN.)
Hi Kevin,
Sounds like you are trying to route all of your traffic through the VPN, but this tutorial only has a route being pushed for the internal subnet. Try `set interfaces openvpn vtun0 server push-route 0.0.0.0/8` on the server, then reconnect the client.
Thanks for your reply, I am wondering what subnet shall I set? (after the route pushed as 0.0.0.0/8)
There’s also a pair of routes which override, but don’t need to delete the default gateway:
0.0.0.0/1
128.0.0.0/1
Combined, these match all addresses. They’re more specific than “0.0.0.0/0” which is default gateway (though seems to be improper. When you “push route” it looks like it puts in for you the next-hop as the OpenVPN server, for example in this tutorial network, 192.168.70.1
I found also, the “firewall all-ping disable” will not help you. Enable your pings! A sane firewall ruleset will block them from outside anyway.
Hi Dave, great post. I’m trying to generate a PKCS#12 file so that I can import it into the OpenVPN Android client.
I’m running the command (on the router) but it complains it can’t find the ‘client1.crt’ -don’t think one was created?
Can you tell me where I’m going wrong please?
Thanks in advance.
Paul
Hi Paul – I may have mixed the names up a bit, try `client1.pem`
Hi Dave,
This is one of the better tutorials I have come across for the Edgerouter using OVPN.
I have never used OpenVPN, just IPSEC for my site to site. I have a new challenge that I hope the OpenVPN server and client will solve.
I have two ERLs. The “server” ERL will have a static IP address and will offer access to 1 subnet.
The other ERL is at a site that goes through a couple of hops before it gets to the internet, so a static address is out, and using dynamic DNS will not work either. So I am hoping to use this one as an OpenVPN client to connect to the server.
Will this work?
I assume that the client just needs a certificate and the server's IP address to make the connection? I noticed somewhere in the script where it asks for the client's IP address.
Thanks for helping me clear this up.
Hi Shane – You are 100% correct in your proposed system architecture. OpenVPN is much less finicky than IPSEC when it comes to hops, so you should have little to no difficulties rigging it up.
Dave,
I finally got some time to sit down and do this. I changed the ssl config of the ERL so that it would create certs that are 4096 rather than the default 1024 (too weak). I did not change what you had in step #6 for the DH... from what it looks like it is group 2 at 1024 bits. So I hope everything plays well together... or will I need to change that as well?
A reply from Ventz above stated he needed the two commands in step #9 to make it work….
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 openvpn-option '--comp-lzo'
Both are not in your config above. Are they needed?
Lastly, on the client side (ERL) of things we need to transfer the cacert and client keys over. I am saving it to a USB drive using WinSCP and copying them up. Step #8 shows where to save the cacert. Do I replace the current cacert? Or give it a different name?
Do the client certs go in the same spot, or do they need to go somewhere else?
Thanks for the help
-Shane
Hi Shane,
The DH params and VPN keys are different entities, so you’re fine with differing bit strengths. I usually use 4096 RSA with a 2048 DH.
The options from Ventz's comments were added, they were just added in context of the command block (`set hash sha256` & `set openvpn-option '--comp-lzo'`).
On the client, you can name and place the certs wherever you want; just make sure to update the config to reflect the new path (ERL Client Step 3, Linux Client Step 4).
Let me know if I missed anything :)
Dave,
I am close! I think I got the vpn up…..but I can not ping anything on the network I am trying to get to.
Here is what the server shows….
root@ubnt:/usr/lib/ssl/misc# show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
vtun0 192.168.70.1/24 u/u
root@ubnt:/usr/lib/ssl/misc# show interfaces openvpn detail
vtun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 192.168.70.1/24 brd 192.168.70.255 scope global vtun0
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collisions
653605 7066 0 0 0 0
root@ubnt:/usr/lib/ssl/misc# show openvpn status server
OpenVPN server status on vtun0 []
Client CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ---------------- --------
erl.trenton.co.dodge.wi.us xx.xxx.xxx.xxx 192.168.70.2 6.3K 4.9K Mon Oct 13 09:25:46 2014
This is what the client shows……
ubnt@ubnt:~$ show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
vtun0 192.168.70.2/24 u/u
ubnt@ubnt:~$ show interfaces openvpn detail
vtun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 192.168.70.2/24 brd 192.168.70.255 scope global vtun0
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collisions
0 0 0 0 0 0
ubnt@ubnt:~$
ubnt@ubnt:~$ show openvpn status client
OpenVPN client status on vtun0 []
Server CN Remote IP Tunnel IP TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
N/A yy.yy.yyy.yyy N/A 5.1K 6.5K N/A
So the tunnel appears to be up???
Thanks for your help.
It’s probably a routing issue. Try `sudo route add :LAN_SUBNET 192.168.70.1` on the client
I will give it a try tomorrow. I am also working through another problem outside the scope of this page... When I reboot the routers (either one) I lose the openvpn and vtun0 interface configurations. I did the commit and save. I have a post on their support forum... we will see what they say....
Dave,
Got a line on what my problem may be with rebooting. I noticed this error in the commit log...
[ system ntp ]
Stopping NTP server: ntpd.
Starting NTP server: ntpd.
[ interfaces openvpn vtun0 ]
Enter Private Key Password:OpenVPN configuration error: Failed to start OpenVPN tunnel.
[ service ssh ]
Restarting OpenBSD Secure Shell server: sshd.
[ vpn ]
Use of uninitialized value in numeric eq (==) at /opt/vyatta/sbin/vpn-config.pl line 417.
Commit failed
So it looks like its hanging on the password. Can we create certs without the password?
Yup there is, take a look in the tutorial under the `Relevant OpenSSL Commands` section. First line ;)
Doh!
Dave,
Removing the password from the cert cured the reboot problems. So now I am back to figuring out why the VPN is not passing traffic. I know the two routers are talking to each other because the server pushed the subnet to the client. It's probably something simple I am overlooking...
**truncated**
Hey Shane,
Sorry on the delayed response, I’ve been out of town. The fact that you can’t ping or traceroute definitely does point towards firewall. Your configs look fine, but I’m sure there’s something in there causing this.
The best way to identify the troublesome device would be to set the primary firewall rule on one of them to Accept, then try the connection again. If that doesn’t fix, try the other one. I would guess that the issue is client side, as your server config looks almost exactly like mine (I haven’t configured an ERL/Vyatta client before).
you are a bloody genius my friend. found your howto used it and it works like a charm.
Hah I’m glad it worked! Thanks for dropping a line to let me know :)
you are welcome ;-)
But one thing bothers me. I think it's caused by setting a password when you generate the ca-cert, because after reboot vtun0 is gone (and of course I did commit and save, always do). Is there a way without setting a password on the ca-cert?
Hey Dave,
Thank you very much for this tutorial. It worked for me some months ago, but today I decided to create new certificates from scratch due to changes in my configuration.
Now I stumble upon the following error: when I'm trying to create the cert/key for my client I get the following error message: “failed to update database TXT_DB error number 2”.
I already searched for the problem and found a way to manually create a clean index.txt file in the demoCA folder before creating the certs and to echo 01 into the demoCA/serial file.
Perhaps even though it works after this, this probably is the source of the problem. When copying the certs/keys and the cacert.pem onto my client and I try to connect to my openvpn server I get following error message:
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
I also checked. My firewall is set and my openvpn configuration seems to be correct…
I would be so grateful if you could probably help me with that or point me in some direction.
thx in advance
Sorry for the late response, I must have missed the email for this post!
The best way to go about doing what you are trying to do is to completely recreate the CA. I made a script that makes this a piece of cake – https://blog.laslabs.com/2013/08/openvpn-server-configuration-script-ubiquiti-edgerouter-lite/
“failed to update database TXT_DB error number 2”
Maybe you tried to generate a cert which it already had all the info exactly the same in the index. (That’s how I managed to coax this same cryptic message out of hiding.) I had gotten confused with renaming the output files, and decided to just re-generate the whole thing from scratch.
I resolved this by restoring the .old files. (after backing up the real ones with .er)
**N.B.** I’m pretty sure for this to work, you would have to do it before any other “CA.sh -newreq” was successful
mv serial serial.err
mv index.txt index.txt.err
mv serial.old serial
mv index.txt.old index.txt
Never mind. Just didn't read properly. Removed password and it works.
Hi Dave, all tutorials describe just how to set up the router. Is it possible to help me to set it up as a tutorial for my VPN provider?
I have struggled for a long time with this. I really do not know how to do this... With OpenWRT I have a tutorial that works, but I was not able to transfer it to the EdgeRouter.
Thanks in advance
For OpenWRT:
cat >> /etc/config/openvpn <> /etc/openvpn/TrustedRoot.pem <> /etc/openvpn/login.auth <> /etc/config/network <> /etc/config/firewall << EOF
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan'
option input 'ACCEPT'
config zone
option name 'hide'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'Hide'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config forwarding
option dest 'hide'
option src 'lan'
EOF
Sounds like you want the EdgeRouter to be a CLIENT which connects to the provider for you.
That’s right here (links to above section): https://blog.laslabs.com/2013/06/configure-openvpn-with-x-509-ubiquiti-edgerouter-lite/#edgerouter-lite-.28client.29
In Step 3, use the files from your provider, which is what is meant by the advice “take care to substitute the example configuration values for your own”. In this case “your own” is “your provider's”.
Fantastic tutorial! I’m thinking about implementing your setup to protect LAN clients with OpenVPN. Can devices on the 192.168.68.0/24 LAN network still access the Internet via the eth1 interface outside of an OpenVPN session, i.e. “in the clear”? For example, a home automation controller or security system sending an e-mail event notification or autonomously checking for firmware updates?
Thanks! Devices accessing the internet will be no problem.
Thanks for the post, I used this instruction – http://sysadm.pp.ua/linux/shifrovanie/openvpn-client-server.html . Can anybody suggest some useful mobile OpenVPN client?
No problem! I use `OpenVPN Connect` on iPhone, and it works like a champ.
On Android I also use (and much recommend) OpenVPN Connect.
Thank you Dave. Thank you good sir! I’m not done, but getting there.
I got hung up on step 9 … edit interfaces openvpn vtun0
The command I needed to put in before that was “configure”
All the previous stuff was at the bash shell, but this is in the “configure” (aka “edit”?) shell.
I’m sure you’ve seen my other comments as at the moment they’re waiting moderation. Please make sure I’m not giving out bad advice? Thanks!
Hi Nate – Good call (and good advice in the other comments). I went ahead and updated the article to include the `configure` command. Let me know if you notice anything else – thanks!
Welp, I'm stumped.
Using a default .ovpn file (from openvpn.org sample for client .conf file, renamed to .ovpn) with my stuff swapped in (hostname, pem files) and I can’t get Win or Android to connect. Bunches of options are set in there, but I can’t find *anywhere* what options the OpenVPN server is run with. Tried tcp and udp on 1194. openvpn.conf doesn’t appear to exist anywhere on the EdgeRouter, so not sure.
Maybe because I don’t know the cypher? Or some other options I’d find in /etc/openvpn.conf if it were there.
ER3Lite config (most of it, anyway some is sanitized) : http://pastebin.com/ah50bG3v
Both tries at an .ovpn file: http://pastebin.com/QhMgUwXw
So yeah, anyone that knows how to write a .ovpn profile compatible with this tutorial, please feel free to point me at what’s wrong! :o\
Thanks thanks! :o)
I was wrong, it was actually working.
Here’s something to keep in mind. OpenVPN Connect on Android will DROP THE SESSION apparently, if you’re on a cell data connection. So yeah, it actually was “working” just fine for me, but being on LTE instead of Wifi, I guess the connection went to sleep (like immediately) and OpenVPN Connect couldn’t maintain.
DON’T rely on cell data connection to give you an “internet” machine to test with.
Hi Dave,
Nice article and very helpful. I followed it and have my OpenVPN up and run OK.
One thing I would like to ask though. I would like to redirect all the traffic through my VPN, how would I do that?
Thanks
Hi James – That will slow your internet down quite a bit, but you would just use the firewall to route traffic out of the tunnel. Take a look at the bottom part of this article – http://lg.io/2015/01/11/the-ubiquiti-edgerouter-configuring-this-extremely-lowcost-enterprisegrade-router-for-home-use.html
Hi Dave,
Great, thank you for the link.
I’ve read on the OpenVPN website and saw a command like “redirect-gateway”….
link to this is here:
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Do you know how to do this from just the client config file, like mentioned in the article?
Thanks
James
Just to update, and solve the issue myself after several trial and error…
I added “redirect-gateway” (without quote) into the Client config file and voila, it takes my VPN’s IP address without any problem.
So you may want to update your guide with this info, if you want.
Regards
James
Hi Dave
Wonderful how-to. Unfortunately the certs expired. Is there a way to renew the certs without having to set up a new CA… Especially the expired cacert.pem – how to I renew that. And is there a way to extend the expiration period to more than a year?
Cheers
Tony
Hi Tony – Wow I had no idea I wrote this article more than a year ago; time flies! Take a look at this ServerFault post, which goes over the process fairly well – http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal
Hi Dave,
Here:
openssl dhparam -out /config/auth/dhp.pem -2 1024
You create dh 1024 bit.
But how to create certs to use 2048 or 4096 bit?
Thanks!
The `1024` at the end of the command determines the bits, which can be replaced by any number for customization. For example, you can create a 4096 bit Diffie-Hellman with `openssl dhparam -out /config/auth/dhp.pem -2 4096`. I went ahead and updated the post to include this info as well.
Yes, I supposed so about the Diffie Hellman, but how to make RSA 2048bit with 1024 DH?
What RSA? The CA is bit agnostic, and there don’t look to be any other cert creations in this tutorial
OK, maybe I didn’t express myself well :)
I’m talking about this:
” I usually use 4096 RSA with a 2048 DH”
Edit:
And how to control cert expiration date?
Thanks!!!
Diffie-Hellman params don't have an expiration date. Which cert are you referring to?
CA certificate
I’ll get back to you on this; the Vyatta/Ubiquiti interface isn’t fully Linux so I don’t know offhand. Will need to hop on a lab device
Followed the guide and so far everything is great.
But about this part:
set server push-route 192.168.69.0/24
This way client with IP 192.168.70.100 for example, will connect to all computers on 192.168.69.0 subnet. How to limit that OpenVPN client to communicate only with 192.168.69.12 – specific IP, not entire network.
Thanks!
Actually I found it out:
set server push-route 192.168.69.12/32
This will push only 69.12 IP to the VPN client.
I really appreciate the tutorial, and I used it boilerplate to get things working for a roadwarrior setup on my router. One limitation that you addressed in previous comments is the inability to get server certificate verification working with the way you generate certificates here. When I would uncomment remote-cert-tls server in my client configuration file, I would routinely get the error:
Certificate does not have key usage extension
OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I didn’t try your script to remedy this problem, but instead I just logged into another linux box, ran apt-get install easy-rsa, then followed the directions for certificate generation at http://www.v12n.com/mediawiki/index.php/Vyatta_How_To#OpenVPN_RoadWarrior. easy-rsa apparently generates certificates with appropriate keyUsage and extendedKeyUsage for openVPN. After I made the new CA, certs, and keys and transferred them to the EdgeRouter and client, your setup worked like a charm even with remote-cert-tls server uncommented in my client config file.
Thanks for publishing this!
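The CA.sh -newreq / CA.sh -sign steps in the server section sign certificates with the default openssl.cnf profile, which sets no keyUsage or extendedKeyUsage; that is why the comment above gets "Certificate does not have key usage extension" as soon as remote-cert-tls server is enabled on the client, and without that option any certificate the CA has signed (a client's, say) is accepted as the server. The script below is an added example (not code from the post, nor from easy-rsa) that issues a CA, a server cert and a client cert with those extensions set explicitly, then checks the server cert for the serverAuth EKU and verifies each cert against the CA with openssl's -purpose sslserver/sslclient checks. It assumes openssl 1.1.1 or newer and a scratch directory from mktemp; the CN values are made up.

```shell
#!/bin/sh
# Added example, not code from the post: issue a CA, a server cert and a client
# cert with explicit X.509 v3 extensions (which CA.sh -sign does not add), then
# check the server cert for what "remote-cert-tls server" expects. Requires
# openssl 1.1.1+; WORK, the CN values and the key sizes are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory, stands in for demoCA/

write_ext_files() {
    # CA: may sign certificates and CRLs, nothing else.
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Server: the EKU an OpenVPN client checks with "remote-cert-tls server".
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Client: clientAuth only, so a leaked client cert cannot pose as the server.
    cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA with the extensions from ca.ext (replaces CA.sh -newca).
make_ca() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=erl-ca-0.example" \
        -keyout "$WORK/cakey.pem" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -sha256 \
        -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

# issue_cert <basename> <CN> <extfile>: CSR plus CA signature (CA.sh -newreq/-sign).
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# Returns 0 if the cert carries the serverAuth EKU, 1 otherwise.
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Returns 0 if the cert chains to the CA and its extensions allow TLS server use.
verify_as_server() {
    openssl verify -CAfile "$WORK/cacert.pem" -purpose sslserver "$1" >/dev/null 2>&1
}

# Same check for the TLS client role.
verify_as_client() {
    openssl verify -CAfile "$WORK/cacert.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

build_all() {
    write_ext_files
    make_ca
    issue_cert host    vpn.example     "$WORK/server.ext"
    issue_cert client1 client1.example "$WORK/client.ext"
}

if [ "${1:-}" = "run" ]; then
    build_all
    for f in host client1; do
        if verify_as_server "$WORK/$f.pem"; then
            echo "$f.pem: acceptable as the VPN server certificate"
        else
            echo "$f.pem: rejected as a server certificate"
        fi
    done
fi
```

Run it as `sh script.sh run`; host.pem is accepted as a server certificate and client1.pem is rejected, which is the separation the client's remote-cert-tls server option enforces.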