Configure OpenVPN with X.509 – Ubiquiti EdgeRouter Lite

In this tutorial, we will be configuring an OpenVPN server with X.509 certs on a Ubiquiti EdgeRouter Lite. We will also go through how to connect a remote Linux client to the VPN. Below is a physical network diagram:
{{{
+——————————–+
| Ubiquiti ERL |
(Public IP)| |192.168.69.254
=============={eth2 eth0}=============
| \ / |
| +———————-+ |
| | iptables and | |
| | routing engine | |
| +–+—————-+–+ |
| |*1 |*2 \ |192.168.68.254
| | | eth1}=============
| | | |
| (openvpn)——-{vtun0} |
| 192.168.70.1\24 |
+——————————–+

*1 – Only encrypted traffic will pass here, over UDP or TCP and only to the remote OpenVPN client
*2 – The unencrypted traffic will pass here. This is the exit/entry point for the VPN tunnel.
}}}

** __Note: If you would prefer to be lazy (like me), check out [[openvpn-server-configuration-script-ubiquiti-edgerouter-lite]]__ **

[[[TOC]]]

——
=EdgeRouter Lite (Server)=
# Login via ssh, escalate to root
{{{
sudo su
}}}
# Generate a CA certificate
{{{
cd /usr/lib/ssl/misc/
./CA.sh -newca
}}}
# You will then be presented with some prompts; fill out similar to the below
{{{
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Nevada
Locality Name (eg, city) []:Las Vegas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LasLabs
Organizational Unit Name (eg, section) []:Product Development
Common Name (eg, YOUR name) []:erl-ca-0.dlasley.net
Email Address []:postmaster@dlasley.net

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:LasLabs
}}}
# Now we need to create our server cert/key.
{{{
./CA.sh -newreq
./CA.sh -sign
}}}
# Move the new files to `/config/auth/` for preservation in the event of firmware upgrade
{{{
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
mv newcert.pem /config/auth/host.pem
mv newkey.pem /config/auth/host.key
}}}
# The next step is to create the [[http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange|Diffie-Helman]] parameter file (replace 1024 with whatever bit strength you would like)
{{{
openssl dhparam -out /config/auth/dhp.pem -2 1024
}}}
# Create a set of certs/keys for all clients that will be connecting
{{{
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem client1.pem
mv newkey.pem client1.key
}}}
# Transfer the CA cert & client key/cert to associated clients
{{{
scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs
}}}
# Enter ERL configuration mode
{{{
configure
}}}
# Setup the OpenVPN server
{{{
edit interfaces openvpn vtun0
set mode server
set server subnet 192.168.70.0/24
set tls ca-cert-file /config/auth/cacert.pem
set tls cert-file /config/auth/host.pem
set tls key-file /config/auth/host.key
set tls dh-file /config/auth/dhp.pem
}}}
# Configure the server to push LAN/WLAN routes to clients
{{{
set server push-route 192.168.69.0/24
set server push-route 192.168.68.0/24
}}}
# Setup static IPs for clients. Replace `static-client.dlasley.net` with the Common Name of the client (defined in the client cert). You can also set `push-route` for per-client routes.
{{{
set server client static-client.dlasley.net ip 192.168.70.100
top
}}}
# Open the firewall for OpenVPN traffic to the router. Take care to not overwrite existing rules
{{{
edit firewall name WAN_LOCAL rule 1
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp
top
}}}
# Commit and save
{{{
commit
save
}}}
* The relevant portions of my config are below for reference:
{{{
# show interfaces openvpn
openvpn vtun0 {
mode server
openvpn-option “–push route 192.168.69.0 255.255.255.0”
openvpn-option “–push route 192.168.68.0 255.255.255.0”
server {
subnet 192.168.70.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/host.pem
dh-file /config/auth/dhp.pem
key-file /config/auth/host.key
}
}

# show firewall name WAN_LOCAL rule 1
action accept
description OpenVPN
destination {
port 1194
}
log disable
protocol udp
}}}
——
=EdgeRouter Lite (Client)=
# Transfer the cacert and client key files to client as described here
# Enter configure mode, create vtun0 configuration node, and set to client mode
{{{
configure
edit interfaces openvpn vtun0
set mode client
}}}
# Setup VPN client, take care to substitute the example configuration values for your own
{{{
set remote-host vpn.domain.com
set tls ca-cert-file /etc/ssl/certs/cacert.pem
set tls cert-file /etc/ssl/certs/client1.pem
set tls key-file /etc/ssl/certs/client1.key
set hash sha256
set openvpn-option ‘–comp-lzo’
}}}
# Commit and save changes
{{{
commit
save
}}}
——
=Linux Client=
# Transfer the cacert and client key files to client as described here
# (If CentOS) Add the [[add-epel-repository-to-centos|EPEL Repo]]
# Install openvpn using your package manager
{{{
# Red Hat/CentOS/Fedora
yum install openvpn
# Debian/Ubuntu
apt-get install openvpn
}}}
# Create a new client configuration file; a nice commented one is available [[http://openvpn.net/index.php/open-source/documentation/howto.html#examples|on the OpenVPN website]]. I have pasted mine below for reference:
{{{
## File: /etc/openvpn/client.conf
client
dev tun
proto udp
remote vpn.dlasley.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca /etc/ssl/certs/cacert.pem
cert /etc/ssl/certs/client1.pem
key /etc/ssl/certs/client1.key
}}}
# Set cert permissions
{{{
sudo chmod 600 /etc/ssl/certs/*.{key,pem}
}}}
# Initiate the tunnel
{{{
openvpn /etc/openvpn/client.conf
}}}
——
=Relevant openssl commands=
* The below command can be used to remove the password from your key files instead of having to enter it every time you start the server/initiate a VPN connection:
{{{
openssl rsa -in client1.key -out client1_nopass.key
}}}
* This command can be used to generate a PKCS#12 file (`.pfx`, `.p12`) containing the certs and private key
{{{
openssl pkcs12 -export -out client1.p12 -inkey client1.key \
-in client1.crt -certfile /config/auth/cacert.pem
}}}
——
=Credits=
* [[http://www.vyatta.com/downloads/documentation/VC6.5/Vyatta-VPN_6.5R1_v01.pdf|Vyatta VPN Configuration Guide]]
* [[https://community.openvpn.net/openvpn/wiki/|OpenVPN Wiki]]


Posted

in

by

Comments

73 responses to “Configure OpenVPN with X.509 – Ubiquiti EdgeRouter Lite”

  1. stephan oelze Avatar
    stephan oelze

    Thanks for that share!
    Hows the vpn throughput performance in that device?

    1. dlasley Avatar

      I haven’t done extensive testing, but I slow down by about 25-40% if I go over VPN. Below are two sets of downloads, the internal IP is going over VPN while the `test.dlasley.net` is over the public interface:
      test.dlasley.net 100% 7182KB 2.3MB/s 00:03
      192.168.69.100 100% 7182KB 1.4MB/s 00:05

      test.dlasley.net 100% 128MB 2.5MB/s 00:51
      192.168.69.100 100% 128MB 1.8MB/s 01:13

      I would be more than happy to provide the results of other tests if you would like.

  2. Kevin McCoy Avatar
    Kevin McCoy

    I followed your steps to the letter, but I’m having two problems. One is the {set server client kevin ip 10.100.2.101} command. I get this error; “The specified configuration node is not valid
    Set failed”

    Secondly if I try to connect I get the following error on the client side:
    “read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)”

    Any help would be greatly appreciated! Also, what if I wanted the OpenVPN server to dynamically assign IPs? What is the command for that? And, one last thing. What if I wanted to bridge the OpenVPN connection to ETH0; how would I go about doing that. If I bridge it, the DHCP server for that subnet should apply to VPN clients, correct?

    Again, thanks!

    1. dlasley Avatar

      Let’s try the absolute config node (instead of relative) for the first issue – `set interfaces openvpn vtun0 server client kevin ip 10.100.2.101`. Also note that your client name (kevin) should match the Common Name of the client as defined in its cert.

      The `connection reset by peer` issue usually indicates a port accessibility problem/poor connection between client/server. I have had luck resolving this error by switching from UDP protocol to TCP. In the server, issue `set interfaces openvpn vtun0 protocol tcp-passive`. You will also need to modify the server’s firewall rule (WAN_LOCAL rule 1 in this guide) to allow packets on the TCP protocol, instead of UDP. In the client config, switch `proto udp` to `proto tcp`.

      The server will automatically assign IPs within the subnet you have defined in the `interfaces openvpn vtun# server subnet` configuration node if the client’s CN is not found in the static reservations. No additional configuration is necessary for this feature.

      In regards to bridging the connections, that is a bit more than I can cover in the comments. This is probably a good subject for me to cover in a new post, in the interim take a look at Vyatta’s tutorial – http://www.brocade.com/downloads/documents/html_product_manuals/vyatta/vyatta_5400_manual/Bridging/wwhelp/wwhimpl/common/html/wwhelp.htm#context=Bridging&file=Bridging_Configuration_Examples.3.21.html

      1. Darren Hart Avatar
        Darren Hart

        The problem with the “server client …” appears to be the “top” command in the instructions above. If you don’t enter top and stay in the vtun0 context, then it works. At least, that is how I understood it, you might consider removing the “top” statement above.

        1. Dave Lasley Avatar

          Hi Darren,

          Thanks for the comment; you are 100% correct. I went ahead and updated the article.

  3. miguel Avatar
    miguel

    one question I want to use it as a client I have seen the edgemax configuration but the thing is I cant put the certificates and the keys into the router because it tells me I dont have enough permissions and the user I am logging in with is administrator. what should I do or how to transfer the certificates from my computer to the router?
    best regards,

    MN.

  4. miguel Avatar
    miguel

    ok I figured it out I transfer it to /tmp and then move it so the location, one question how do you start openvpn and stop openvpn?

    1. dlasley Avatar

      To be honest, I have never configured an EdgeRouter client in anything other than a site-to-site scenario, so I’m not 100%. On a linux box, I would run the command `openvpn /path/to/openvpn/client/conf` to start the OpenVPN client. I don’t see why this wouldn’t work on the router as well.

  5. James Avatar

    When I try to complete the Copy from the Server to the Client (Both are Edgemax Router Lite(s), it asks for the Root Password. Nothing seems to work.
    Any ideas?

    1. dlasley Avatar

      Hi James – That would be the root password to the remote device. You can change the user by appending it before the remote IP, as so: `scp client1.* /config/auth/cacert.pem $CLIENT_USER@$CLIENT_IP:/etc/ssl/certs`

  6. Ventz Avatar

    With the above config, you will get these errors:

    read UDPv4 [ECONNREFUSED|ECONNREFUSED]: Connection refused (code=146)

    You need to add:
    set interfaces openvpn vtun0 hash sha256
    set interfaces openvpn vtun0 openvpn-option ‘–comp-lzo’

    1. Dave Lasley Avatar

      Updated article to reflect this. Thanks for the feedback!

    2. Nate Avatar
      Nate

      Are these defaults for something? It’s not anywhere else but that one section.

  7. Carlo Hukema Avatar
    Carlo Hukema

    Hello,

    Great information helped me a lot. A have still two issues and can not figured them out. Maybe you have the answers. I configured the ERL based on your given config for a simple SOHO config and the configuration of the OpenVPN x509 server config.

    Question 1: After a boot of the ERL the vtun0 seems complete to be disappeared. Is there an option to start automaticaly the vtun0 adapter again after a boot?

    Question 2: When I try to connect internally (local, directly at the ip adres of the ERL, I can connect and setup a VPN connection. But when I try to connect on the desired way, on the WAN address no connection can be made. Any idea? I already tried to add an additional rule in the WAN_IN set for opening up (accept) port 1194.

    Grateful to any help, thnx!

    1. Dave Lasley Avatar

      With question 1, it seems that you may not have saved the configuration after committing. Try entering `save` after you enter the `commit` command, and that should keep the server active on boot.

      Question 2 is probably a bit more involved. I can only connect clients from my WAN, and not from my WAN, so it sounds like something got reversed here. Can you put the out of `show interfaces` into a Patebin (http://pastebin.com/) and send me the link?

    2. Nate Avatar
      Nate

      1) You may need to remove the passphrase from your SERVER’S key file. vtun0 disappeared on me as well (someone else in these comments had the same thing happen).
      https://blog.laslabs.com/2013/06/configure-openvpn-with-x-509-ubiquiti-edgerouter-lite/#relevant-openssl-commands

      2) A rule to accept on WAN_IN will pass the traffic through (from WAN through to the LAN) although probably not get very far without some port forwards. Definitely you want port 1194 open on WAN_LOCAL — that which affects traffic with a destination of your public IP address.
      Your server may be listening on a LAN interface (eth2 for example), and not your WAN interface (eth0 for example). Although, after looking through my own config, I have no idea how that “listen on interface” gets set. And I cannot connect from the internal LAN side, either to the public IP address, or one of the internal ones. I can only think to check the settings under:
      “show port-forward” (in configure mode) to make sure your correct interface is “wan-interface”

      After thinking about this I’d really like to know how to make it listen on one of the LAN interfaces.

  8. Kevin Avatar
    Kevin

    Thanks for your post, i am following your instructions with a openvpn setup only I have trouble with routing.

    I use eth0 for public static ip then use NAT Masquerade for eth1,eth2, vtun0

    I have all cert and config up, config details is here: http://pastebin.com/RHD6x4fL

    Client can connect to server without problem.
    But I cannot ping ip at 192.168.1.1. I want to make the client access the web through the server, but I am not sure how to do it.

    Any help is greatly appreciated. (being searching for a while, no good result, maybe I dont really understand how the routing work within openvpn)

    1. Dave Lasley Avatar

      Hi Kevin,

      Sounds like you are trying to route all of your traffic through the VPN, but this tutorial only has a route being pushed for the internal subnet. Try `set interfaces openvpn vtun0 server push-route 0.0.0.0/8` on the server, then reconnect the client.

      1. Kevin Avatar
        Kevin

        Thanks for your reply, i am wondering what subnet shall i set? (after the route pushed as 0.0.0.0/8 )

      2. Nate Avatar
        Nate

        There’s also a pair of routes which override, but don’t need to delete the default gateway:
        0.0.0.0/1
        128.0.0.0/1
        Combined, these match all addresses. They’re more specific than “0.0.0.0/0” which is default gateway (though seems to be improper. When you “push route” it looks like it puts in for you the next-hop as the OpenVPN server, for example in this tutorial network, 192.168.70.1
        I found also, the “firewall all-ping disable” will not help you. Enable your pings! A sane firewall ruleset will block them from outside anyway.

  9. Paul Avatar
    Paul

    Hi Dave, great post. I’m trying to generate a PKCS#12 file so that I can import it into the OpenVPN Android client.
    I’m running the command (on the router) but it complains it can’t find the ‘client1.crt’ -don’t think one was created?
    Can you tell me where I’m going wrong please?
    Thanks in advance.
    Paul

    1. Dave Lasley Avatar

      Hi Paul – I may have mixed the names up a bit, try `client1.pem`

  10. Shane Van Loenen Avatar

    Hi Dave,
    This is one of the better tutorials I have come across for the Edgerouter using OVPN.
    I have never used openvpn, just IPSEC for my site to site. I have a new challange that I hope the openvpn server and client will solve.
    I have two ERLs. The “server” ERL will have a static IP address and will offer access to 1 subnet.
    The other ERL is at a site that goes through a couple of hops before it gets to the internet, so a static address it out, and using dynamic DNS will not work either. So I am hopeing to use this one as an Openvpn client to connect to the server.
    Will this work?
    I assume that the Client just needs a certificate and the servers IP address to make the connection? I noticed somewhere in the script were it asks for the clients IP address.

    Thanks for helping me clear this up.

    1. Dave Lasley Avatar

      Hi Shane – You are 100% correct in your proposed system architecture. OpenVPN is much less finicky than IPSEC when it comes to hops, so you should have little to no difficulties rigging it up.

  11. Shane Van Loenen Avatar

    Dave,
    I finally got some time to sit down and do this. I changed the ssl config of the ERL so that it would create certs that are 4096 rather than the default 1024 (to weak). I did not change what you had it step #6 for the DH….from what it looks like it is group 2 at 1024 bits. So I hope everything plays well together…..or will I need to change that as well?
    A reply from Ventz above stated he needed the two commands in step #9 to make it work….
    set interfaces openvpn vtun0 hash sha256
    set interfaces openvpn vtun0 openvpn-option ‘–comp-lzo’
    Both are not in your your config above. Are they needed?
    Lastly, on the client side (ERL) of things we need to transfer the cacert and client keys over. I am saving it to a USB drive using WinSCP and coping them up. Step #8 shows where to save the cacert. Do I replace the current cacert? Or give it a different name?
    Do the client certs go in the same spot, or do they need to go somewhere else?

    Thanks for the help

    -Shane

    1. Dave Lasley Avatar

      Hi Shane,
      The DH params and VPN keys are different entities, so you’re fine with differing bit strengths. I usually use 4096 RSA with a 2048 DH.
      The options from Ventz’s comments were added, they were just added in context of the command block (`set hash sha256` & `set openvpn-option ‘–comp-lzo’`).
      On the client, you can name and place the certs wherever you want; just make sure to update the config to reflect the new path (ERL Client Step 3, Linux Client Step 4).
      Let me know if I missed anything :)

  12. Shane Van Loenen Avatar

    Dave,
    I am close! I think I got the vpn up…..but I can not ping anything on the network I am trying to get to.
    Here is what the server shows….

    root@ubnt:/usr/lib/ssl/misc# show interfaces openvpn
    Codes: S – State, L – Link, u – Up, D – Down, A – Admin Down
    Interface IP Address S/L Description
    ——— ———- — ———–
    vtun0 192.168.70.1/24 u/u

    root@ubnt:/usr/lib/ssl/misc# show interfaces openvpn detail
    vtun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.70.1/24 brd 192.168.70.255 scope global vtun0

    RX: bytes packets errors dropped overrun mcast
    0 0 0 0 0 0
    TX: bytes packets errors dropped carrier collisions
    653605 7066 0 0 0 0

    root@ubnt:/usr/lib/ssl/misc# show openvpn status server
    OpenVPN server status on vtun0 []

    Client CN Remote IP Tunnel IP TX byte RX byte Connected Since
    ————— ————— ————— ——- ——- —————- ——–
    erl.trenton.co.dodge.wi.us xx.xxx.xxx.xxx 192.168.70.2 6.3K 4.9K Mon Oct 13 09:25:46 2014

    This is what the client shows……

    ubnt@ubnt:~$ show interfaces openvpn
    Codes: S – State, L – Link, u – Up, D – Down, A – Admin Down
    Interface IP Address S/L Description
    ——— ———- — ———–
    vtun0 192.168.70.2/24 u/u

    ubnt@ubnt:~$ show interfaces openvpn detail
    vtun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none
    inet 192.168.70.2/24 brd 192.168.70.255 scope global vtun0

    RX: bytes packets errors dropped overrun mcast
    0 0 0 0 0 0
    TX: bytes packets errors dropped carrier collisions
    0 0 0 0 0 0
    ubnt@ubnt:~$

    ubnt@ubnt:~$ show openvpn status client
    OpenVPN client status on vtun0 []

    Server CN Remote IP Tunnel IP TX byte RX byte Connected Since
    ————— ————— ————— ——- ——- ————————
    N/A yy.yy.yyy.yyy N/A 5.1K 6.5K N/A

    So the tunnel appears to be up???
    Thanks for your help.

    1. Dave Lasley Avatar

      It’s probably a routing issue. Try `sudo route add :LAN_SUBNET 192.168.70.1` on the client

  13. Shane Van Loenen Avatar

    I will give it a try tomarrow. I am also working though another problem outside the scope of this page…..When I reboot the routers (either one) I loose the openvpn and vtun0 interface configurations. I did the commit and save. I have a post on their support forum…we will see what they say….

  14. Shane Van Loenen Avatar

    Dave,
    Got a line on what my problem may be with rebooting. I noticed this eror in the commit log…
    [ system ntp ]
    Stopping NTP server: ntpd.
    Starting NTP server: ntpd.
    [ interfaces openvpn vtun0 ]
    Enter Private Key Password:OpenVPN configuration error: Failed to start OpenVPN tunnel.
    [ service ssh ]
    Restarting OpenBSD Secure Shell server: sshd.
    [ vpn ]
    Use of uninitialized value in numeric eq (==) at /opt/vyatta/sbin/vpn-config.pl line 417.
    Commit failed

    So it looks like its hanging on the password. Can we create certs without the password?

    1. Dave Lasley Avatar

      Yup there is, take a look in the tutorial under the `Relevant OpenSSL Commands` section. First line ;)

  15. Shane Van Loenen Avatar

    Dave,
    Removing the password from the cert cured the reboot problems. So now I am back to figuring out why the VPN is not passing traffic. I know the two routers are talking to each other because the server pushed the subnet to the client. Its probably something simple I am overlooking…
    **truncated**

    1. Dave Lasley Avatar

      Hey Shane,

      Sorry on the delayed response, I’ve been out of town. The fact that you can’t ping or traceroute definitely does point towards firewall. Your configs look fine, but I’m sure there’s something in there causing this.

      The best way to identify the troublesome device would be to set the primary firewall rule on one of them to Accept, then try the connection again. If that doesn’t fix, try the other one. I would guess that the issue is client side, as your server config looks almost exactly like mine (I haven’t configured an ERL/Vyatta client before).

  16. crash9877 Avatar
    crash9877

    you are a bloody genius my friend. found your howto used it and it works like a charm.

    1. Dave Lasley Avatar

      Hah I’m glad it worked! Thanks for dropping a line to let me know :)

      1. crash9877 Avatar
        crash9877

        you are welcome ;-)
        but one thing bothers me. i think it´s caused by setting a password when you generate the ca-cert. cause after reboot vtun0 is gone and of course i did commit and save (always do) is there a way without setting a password to the ca-cert?

  17. Johannes Avatar
    Johannes

    Hey Dave,

    thank you very much for this tutorial. It worked for me some month ago but today i decided to create new certificates from scratch due to changes in my configurations.

    Now I stumble upon following error: When I’m trying to create the cert/key for my client I get following error message: “failed to update database TXT_DB error number 2”.
    I already searched for the problem and found a way to manually create a clean index.txt file in the demoCA folder before creating the certs and to echo 01 into the demoCA/serial file.

    Perhaps even though it works after this, this probably is the source of the problem. When copying the certs/keys and the cacert.pem onto my client and I try to connect to my openvpn server I get following error message:

    VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
    TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed

    I also checked. My firewall is set and my openvpn configuration seems to be correct…
    I would be so grateful if you could probably help me with that or point me in some direction.

    thx in advance

    1. Dave Lasley Avatar

      Sorry for the late response, I must have missed the email for this post!

      The best way to go about doing what you are trying to do is to completely recreate the CA. I made a script that makes this a piece of cake – https://blog.laslabs.com/2013/08/openvpn-server-configuration-script-ubiquiti-edgerouter-lite/

    2. Nate Avatar
      Nate

      “failed to update database TXT_DB error number 2”

      Maybe you tried to generate a cert which it already had all the info exactly the same in the index. (That’s how I managed to coax this same cryptic message out of hiding.) I had gotten confused with renaming the output files, and decided to just re-generate the whole thing from scratch.

      I resolved this by restoring the .old files. (after backing up the real ones with .er)
      **N.B.** I’m pretty sure for this to work, you would have to do it before any other “CA.sh -newreq” was successful

      mv serial serial.err
      mv index.txt index.txt.err

      mv serial.old serial
      mv index.txt.old index.txt

  18. crash9877 Avatar
    crash9877

    never mind. just didn´t read properly. removed password and it works.

  19. Wilfried Goedert Avatar
    Wilfried Goedert

    Hi Dave all Tutorials describe justh ow to set up the Router. Isit possible to helpmetoset it up as Tutorial for my VPN Provider?
    I struggle since a long time for this. I realy do not know how to do this… With openwrti have a tutorial that works but iwasnot able to transfer it to the edge router
    Thanks in advance

    1. Wilfried Goedert Avatar
      Wilfried Goedert

      For OpenWRT:
      cat >> /etc/config/openvpn <> /etc/openvpn/TrustedRoot.pem <> /etc/openvpn/login.auth <> /etc/config/network <> /etc/config/firewall << EOF
      config defaults
      option syn_flood '1'
      option input 'ACCEPT'
      option output 'ACCEPT'
      option forward 'REJECT'

      config zone
      option name 'lan'
      option network 'lan'
      option input 'ACCEPT'
      option output 'ACCEPT'
      option forward 'REJECT'

      config zone
      option name 'wan'
      option output 'ACCEPT'
      option forward 'REJECT'
      option network 'wan'
      option input 'ACCEPT'

      config zone
      option name 'hide'
      option input 'REJECT'
      option output 'ACCEPT'
      option forward 'REJECT'
      option masq '1'
      option mtu_fix '1'
      option network 'Hide'

      config rule
      option name 'Allow-DHCP-Renew'
      option src 'wan'
      option proto 'udp'
      option dest_port '68'
      option target 'ACCEPT'
      option family 'ipv4'

      config rule
      option name 'Allow-Ping'
      option src 'wan'
      option proto 'icmp'
      option icmp_type 'echo-request'
      option family 'ipv4'
      option target 'ACCEPT'

      config rule
      option name 'Allow-DHCPv6'
      option src 'wan'
      option proto 'udp'
      option src_ip 'fe80::/10'
      option src_port '547'
      option dest_ip 'fe80::/10'
      option dest_port '546'
      option family 'ipv6'
      option target 'ACCEPT'

      config rule
      option name 'Allow-ICMPv6-Input'
      option src 'wan'
      option proto 'icmp'
      list icmp_type 'echo-request'
      list icmp_type 'echo-reply'
      list icmp_type 'destination-unreachable'
      list icmp_type 'packet-too-big'
      list icmp_type 'time-exceeded'
      list icmp_type 'bad-header'
      list icmp_type 'unknown-header-type'
      list icmp_type 'router-solicitation'
      list icmp_type 'neighbour-solicitation'
      list icmp_type 'router-advertisement'
      list icmp_type 'neighbour-advertisement'
      option limit '1000/sec'
      option family 'ipv6'
      option target 'ACCEPT'

      config rule
      option name 'Allow-ICMPv6-Forward'
      option src 'wan'
      option dest '*'
      option proto 'icmp'
      list icmp_type 'echo-request'
      list icmp_type 'echo-reply'
      list icmp_type 'destination-unreachable'
      list icmp_type 'packet-too-big'
      list icmp_type 'time-exceeded'
      list icmp_type 'bad-header'
      list icmp_type 'unknown-header-type'
      option limit '1000/sec'
      option family 'ipv6'
      option target 'ACCEPT'

      config include
      option path '/etc/firewall.user'

      config forwarding
      option dest 'hide'
      option src 'lan'
      EOF

    2. Nate Avatar
      Nate

      Sounds like you want the EdgeRouter to be a CLIENT which connects to the provider for you.

      That’s right here (links to above section): https://blog.laslabs.com/2013/06/configure-openvpn-with-x-509-ubiquiti-edgerouter-lite/#edgerouter-lite-.28client.29

    3. Nate Avatar
      Nate

      In Step 3 – use the files from your provider, which is meant by the advice “take care to substitute the example configuration values for your own” In this case “your own” is “your provider’s”

  20. Robert Avatar
    Robert

    Fantastic tutorial! I’m thinking about implementing your setup to protect LAN clients with OpenVPN. Can devices on the 192.168.68.0/24 LAN network still access the Internet via the eth1 interface outside of an OpenVPN session, i.e. “in the clear”? For example, a home automation controller or security system sending an e-mail event notification or autonomously checking for firmware updates?

    1. Dave Lasley Avatar

      Thanks! Devices accessing the internet will be no problem.

  21. aprog Avatar
    aprog

    Thanks for the post, I used this instruction – http://sysadm.pp.ua/linux/shifrovanie/openvpn-client-server.html . Can anybody suggest some usefull mobile OpenVPN client?

    1. Dave Lasley Avatar

      No problem! I use `OpenVPN Connect` on iPhone, and it works like a champ.

    2. Nate Avatar
      Nate

      On Android I also use (and much recommend) OpenVPN Connect.

  22. Nate Avatar
    Nate

    Thank you Dave. Thank you good sir! I’m not done, but getting there.

    I got hung up on step 9 … edit interfaces openvpn vtun0
    The command I needed to put in before that was “configure”

    All the previous stuff was at the bash shell, but this is in the “configure” (aka “edit”?) shell.

    I’m sure you’ve seen my other comments as at the moment they’re waiting moderation. Please make sure I’m not giving out bad advice? Thanks!

    1. Dave Lasley Avatar

      Hi Nate – Good call (and good advice in the other comments). I went ahead and updated the article to include the `configure` command. Let me know if you notice anything else – thanks!

  23. Nate Avatar
    Nate

    Welp, I’m stumpped.

    Using a default .ovpn file (from openvpn.org sample for client .conf file, renamed to .ovpn) with my stuff swapped in (hostname, pem files) and I can’t get Win or Android to connect. Bunches of options are set in there, but I can’t find *anywhere* what options the OpenVPN server is run with. Tried tcp and udp on 1194. openvpn.conf doesn’t appear to exist anywhere on the EdgeRouter, so not sure.

    Maybe because I don’t know the cypher? Or some other options I’d find in /etc/openvpn.conf if it were there.

    ER3Lite config (most of it, anyway some is sanitized) : http://pastebin.com/ah50bG3v
    Both tries at an .ovpn file: http://pastebin.com/QhMgUwXw

    So yeah, anyone that knows how to write a .ovpn profile compatible with this tutorial, please feel free to point me at what’s wrong! :o\

    Thanks thanks! :o)

    1. Nate Avatar
      Nate

      I was wrong, it was actually working.

      Here’s something to keep in mind. OpenVPN Connect on Android will DROP THE SESSION apparently, if you’re on a cell data connection. So yeah, it actually was “working” just fine for me, but being on LTE instead of Wifi, I guess the connection went to sleep (like immediately) and OpenVPN Connect couldn’t maintain.

      DON’T rely on cell data connection to give you an “internet” machine to test with.

  24. James Avatar
    James

    Hi Dave,
    Nice article and very helpful. I followed it and have my OpenVPN up and run OK.
    One thing I would like to ask though. I would like to redirect all the traffic through my VPN, how would I do that?

    Thanks

    1. Dave Lasley Avatar

      Hi James – That will slow your internet down quite a bit, but you would just use the firewall to route traffic out of the tunnel. Take a look at the bottom part of this article – http://lg.io/2015/01/11/the-ubiquiti-edgerouter-configuring-this-extremely-lowcost-enterprisegrade-router-for-home-use.html

      1. James Avatar
        James

        Hi Dave,
        Great, thank you for the link.
        I’ve read on the OpenVPN website and saw a command like “redirect-gateway”….
        link to this is here:
        https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
        Do you know how to do this from just the client config file, like mentioned in the article?

        Thanks
        James

  25. James Avatar
    James

    Just to update, and solve the issue myself after several trial and error…

    I added “redirect-gateway” (without quote) into the Client config file and voila, it takes my VPN’s IP address without any problem.

    So you may want to update your guide with this info, if you want.

    Regards
    James

  26. Tony Avatar
    Tony

    Hi Dave
    Wonderful how-to. Unfortunately the certs expired. Is there a way to renew the certs without having to set up a new CA… Especially the expired cacert.pem – how to I renew that. And is there a way to extend the expiration period to more than a year?
    Cheers
    Tony

    1. Dave Lasley Avatar

      Hi Tony – Wow I had no idea I wrote this article more than a year ago; time flies! Take a look at this ServerFault post, which goes over the process fairly well – http://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal

  27. Ivan A. Avatar
    Ivan A.

    Hi Dave,

    Here:
    openssl dhparam -out /config/auth/dhp.pem -2 1024
    You create dh 1024 bit.

    But how to create certs to use 2048 or 4096 bit?

    Thanks!

    1. Dave Lasley Avatar

      The `1024` at the end of the command determines the bits, which can be replaced by any number for customization. For example, you can create a 4096 bit Diffie Helman with `openssl dhparam -out /config/auth/dhp.pem -2 4096`. I went ahead and updated the post to include this info as well.

      1. Ivan A. Avatar
        Ivan A.

        Yes, I supposed so about the Diffie Hellman, but how to make RSA 2048bit with 1024 DH?

        1. Dave Lasley Avatar

          What RSA? The CA is bit agnostic, and there don’t look to be any other cert creations in this tutorial

          1. Ivan A. Avatar
            Ivan A.

            OK, maybe I didn’t express myself well :)
            I’m talking about this:
            ” I usually use 4096 RSA with a 2048 DH”

    2. Ivan A. Avatar
      Ivan A.

      Edit:
      And how to control cert expiration date?

      Thanks!!!

      1. Dave Lasley Avatar

        Diffie Helman params don’t have an expiration date. Which cert are you referring to?

        1. Ivan A. Avatar
          Ivan A.

          CA certificate

          1. Dave Lasley Avatar

            I’ll get back to you on this; the Vyatta/Ubiquiti interface isn’t fully Linux so I don’t know offhand. Will need to hop on a lab device

  28. Ivan A. Avatar
    Ivan A.

    Followed the guide and so far everything is great.
    But about this part:
    set server push-route 192.168.69.0/24
    This way client with IP 192.168.70.100 for example, will connect to all computers on 192.168.69.0 subnet. How to limit that OpenVPN client to communicate only with 192.168.69.12 – specific IP, not entire network.
    Thanks!

    1. Ivan A. Avatar
      Ivan A.

      Actually I found it out:
      set server push-route 192.168.69.12/32
      This will push only 69.12 IP to the VPN client.

  29. Mike Avatar
    Mike

    I really appreciate the tutorial, and I used it boilerplate to get things working for a roadwarrior setup on my router. One limitation that you addressed in previous comments is the inability to get server certificate verification working with the way you generate certificates here. When I would uncomment remote-cert-tls server in my client configuration file, I would routinely get the error:

    Certificate does not have key usage extension
    OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    I didn’t try your script to remedy this problem, but instead I just logged into another linux box, ran apt-get install easy-rsa, then followed the directions for certificate generation at http://www.v12n.com/mediawiki/index.php/Vyatta_How_To#OpenVPN_RoadWarrior. easy-rsa apparently generates certificates with appropriate keyUsage and extendedKeyUsage for openVPN. After I made the new CA, certs, and keys and transferred them to the EdgeRouter and client, your setup worked like a charm even with remote-cert-tls server uncommented in my client config file.

    Thanks for publishing this!

Leave a Reply to Nate Cancel reply

Your email address will not be published. Required fields are marked *