OpenVPN is configured on the EdgeRouter Lite after creating the PKI (CA, certs and keys). The EdgeRouter is configured as the OpenVPN server supporting multiple VPN clients. This project is continued from EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA.

Project series index:

EdgeRouter OpenVPN Server – Client Mode Configuration Steps

The configuration steps covered in this tutorial are illustrated in this snippet from the OpenVPN master process diagram:

EdgeRouter OpenVPN Server Configuration Steps

Recall that the Public Key Infrastructure (PKI) was created on a Windows 10 Admin PC. The OpenVPN certs and keys will be transferred via SFTP to the EdgeRouter using the Bitvise SSH/SFTP application:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

The complete EdgeRouter network is explained in Ubiquiti EdgeRouter Lite SOHO Network Design.

4 EdgeRouter OpenVPN Server Configuration

The PKI was previously created with the easy-rsa batch scripts and the C:\OpenVPN-Server-Client-Build\easy-rsa\keys> folder now has the various CA, server and client certificates and keys:

OpenVPN Easy RSA - Keys Folder Content CA TA Server and Clients

4.a Copy Server Certificates and Keys to EdgeRouter

Subfolders are created for the EdgeRouter files and each VPN client (e.g. Bob_iPhone, Bob_Laptop) to organize your work. Create a subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter>) and copy the files:

from C:\OpenVPN-Server-Client-Build\easy-rsa\keys\

to C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\

The subfolder now contains:

OpenVPN Configuration - Ubiquiti EdgeRouter Certificates and Private Keys

Note: You can download the certs and keys used in this tutorial at the above links to see what a working setup looks like. Do not use these on your system to avoid a severe security risk and getting hacked due to this public disclosure. I tore down and recreated my PKI after writing this tutorial so there’s no risk to me sharing the files. The files have a .txt extension added for viewing in a web browser.

Run the Bitvise SSH client (or your favorite SSH/SFTP app) and copy the files from the Admin Desktop PC (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\) to /config/auth/ on the EdgeRouter:

Configure OpenVPN - Copy Certificate and Keys to Ubiquiti EdgeRouter

Log into the EdgeRouter CLI via SSH and change the file permissions to read and write (chmod 600) for the file owner only, i.e. the admin account you uploaded them with, because no one else needs access. The ta.key TLS authentication pre-shared key and the server.key private key in particular must be kept private:

Bob@ubnt:/config/auth$ ls -l
total 16
-rw-rw-rw-    1 Bob vyattacf      1830 May  7 11:54 ca.crt
-rw-rw-rw-    1 Bob vyattacf       424 May  7 12:53 dh2048.pem
-rw-rw-rw-    1 Bob vyattacf      1704 May  7 12:02 server.key
-rw-rw-rw-    1 Bob vyattacf      1931 May  7 14:00 server.pem
-rw-rw-rw-    1 Bob vyattacf       657 May  7 13:05 ta.key

Bob@ubnt:/config/auth$ chmod 600 *.*

Bob@ubnt:/config/auth$ ls -l
total 16
-rw-------    1 Bob vyattacf      1830 May  7 11:54 ca.crt
-rw-------    1 Bob vyattacf       424 May  7 12:53 dh2048.pem
-rw-------    1 Bob vyattacf      1704 May  7 12:02 server.key
-rw-------    1 Bob vyattacf      1931 May  7 14:00 server.pem
-rw-------    1 Bob vyattacf       657 May  7 13:05 ta.key

Bob@ubnt:/config/auth$
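As an added check (example code, not from the tutorial), the function below audits a directory such as /config/auth and reports every certificate or key file that group or others can still access, then the second function applies chmod 600 and re-audits. It relies only on ls and cut, which the EdgeRouter's BusyBox shell provides; the directory path is a parameter, with /config/auth assumed as the default.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit the permissions of an
# OpenVPN auth directory (e.g. /config/auth on the EdgeRouter) and flag
# any cert or key file that group or others can read, write or execute.
# Only ls and cut are used so it runs on BusyBox as well as GNU systems.

# Usage: audit_auth_dir [DIR]   (DIR defaults to /config/auth, an assumption)
# Prints one line per offending file; returns 0 if every regular file is
# owner-only (-rw------- or stricter), 1 if any file is shared.
audit_auth_dir() {
    dir="${1:-/config/auth}"
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Columns 5-10 of 'ls -l' are the group and other permission bits;
        # for a correctly protected key (-rw-------) they are all dashes.
        mode=$(ls -ld "$f" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "shared permissions on $f ($(ls -ld "$f" | cut -c1-10))"
            status=1
        fi
    done
    return $status
}

# Usage: fix_auth_dir [DIR]
# Applies chmod 600 to every regular file in DIR (the tutorial's fix) and
# re-runs the audit so the return code confirms nothing is left shared.
fix_auth_dir() {
    dir="${1:-/config/auth}"
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    audit_auth_dir "$dir"
}
```

Run `audit_auth_dir` on the router after every SFTP upload, since a fresh transfer lands with the uploading client's default mode (-rw-rw-rw- in the listing above).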

4.b EdgeRouter OpenVPN Server – Client Mode Configuration CLI Commands

Backup your EdgeRouter configuration in case something goes wrong. Log into the EdgeRouter GUI and select System > Backup Config > Download backup config file.

Some parameters in the following commands must be changed to match your particular EdgeRouter network, e.g. the name server IP address and subnets. See Ubiquiti EdgeRouter Lite SOHO Network Design for my network specifications to better understand how the network maps to the OpenVPN configuration.

Log into the EdgeRouter via SSH and enter configuration mode:

Bob@ubnt:~$ configure
[edit]
Bob@ubnt#

Then run the following commands:

set interfaces openvpn vtun0 description 'OpenVPN server'
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
set interfaces openvpn vtun0 openvpn-option '--verb 5'
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 protocol tcp-passive
set interfaces openvpn vtun0 server name-server 10.10.0.1
set interfaces openvpn vtun0 server push-route 10.10.0.0/24
set interfaces openvpn vtun0 server push-route 10.10.1.0/24
set interfaces openvpn vtun0 server push-route 10.10.5.0/24
set interfaces openvpn vtun0 server subnet 10.99.99.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key

A couple of pointers and things you will need to customize for your OpenVPN setup:

  • openvpn vtun0 local-port 443
    Listen for OpenVPN connections on port 443. I chose this to avoid getting blocked by corporate firewalls.

  • openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
    The zero (0) parameter is the key direction. It must be 0 for the EdgeRouter server and 1 for all clients.
  • openvpn vtun0 openvpn-option '--verb 5'
    Sets the log verbosity level. Higher values output more info: 1 – 4 is normal usage, 6 – 11 is for debugging. I like level 5.
  • openvpn vtun0 openvpn-option --tls-server
    Enable TLS and assume the server role during the TLS handshake.
  • openvpn vtun0 protocol tcp-passive
    I chose TCP instead of UDP for reliability; however, TCP is a bit slower.
  • openvpn vtun0 server name-server 10.10.0.1
    The LAN IP of my EdgeRouter is 10.10.0.1 and it’s the DNS Name Server for the LAN. Change the IP to match your router.
  • The following specifies the routes to be pushed to all clients, which are the LAN/VLAN subnets that VPN clients can reach.
    10.10.0.0/24 is the EdgeRouter management VLAN1 so I can login to the EdgeRouter over the VPN, 10.10.1.0/24 is the security camera VLAN10 and 10.10.5.0/24 is VLAN50 for IoT (my home automation controller). VLANs and LAN subnets not listed here cannot be accessed over the VPN. Refer to my home network diagram for details:

    openvpn vtun0 server push-route 10.10.0.0/24
    openvpn vtun0 server push-route 10.10.1.0/24
    openvpn vtun0 server push-route 10.10.5.0/24
  • OpenVPN clients will be assigned a DHCP IPv4 address from the 10.99.99.0/24 subnet. Choose a subnet that doesn’t conflict with your EdgeRouter LAN/VLAN subnets.
    openvpn vtun0 server subnet 10.99.99.0/24
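The subnet conflict caveat above is easy to check before committing. The following added example (not from the tutorial) is a small POSIX sh overlap test that takes the VPN client subnet and the pushed routes as CIDR strings and reports any route the client subnet overlaps; the subnets in the comments are the tutorial's own values.

```shell
#!/bin/sh
# Added example, not part of the tutorial: verify that the OpenVPN client
# subnet (server subnet 10.99.99.0/24) does not overlap any LAN/VLAN subnet
# pushed to clients (10.10.0.0/24, 10.10.1.0/24, 10.10.5.0/24).
# Pure POSIX sh integer arithmetic, so it also runs on the EdgeRouter.

# ip2int a.b.c.d -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N -> netmask for a /N prefix as an integer (N in 1..32)
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# net_base addr/N -> network base address as an integer
net_base() {
    echo $(( $(ip2int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}

# overlaps A/N B/M -> returns 0 if the two networks share any address
overlaps() {
    # The network with the shorter prefix is the larger one; the two overlap
    # iff the other network's address falls inside it.
    if [ "${1#*/}" -le "${2#*/}" ]; then big=$1; small=$2; else big=$2; small=$1; fi
    [ $(( $(ip2int "${small%/*}") & $(prefix_mask "${big#*/}") )) -eq "$(net_base "$big")" ]
}

# check_vpn_subnet VPN/N ROUTE/M... -> prints each conflict, returns 1 if any
check_vpn_subnet() {
    vpn=$1; shift; rc=0
    for r in "$@"; do
        if overlaps "$vpn" "$r"; then
            echo "CONFLICT: VPN subnet $vpn overlaps pushed route $r"; rc=1
        fi
    done
    return $rc
}
```

With the tutorial's values, `check_vpn_subnet 10.99.99.0/24 10.10.0.0/24 10.10.1.0/24 10.10.5.0/24` returns 0; a client subnet chosen inside 10.10.0.0/16 would be reported.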

OpenVPN Firewall Rules

Firewall rules need to be defined to allow OpenVPN traffic on port 443. The general rules are shown below for context. Eth0 is connected to the cable modem for Internet access. I put OpenVPN last in the rule order since it’s a minority of traffic on my network. Change the rule # to match your firewall:

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description OpenVPN
set firewall name WAN_LOCAL rule 60 destination port 443
set firewall name WAN_LOCAL rule 60 log disable

set interfaces ethernet eth0 firewall local name WAN_LOCAL

To avoid a conflict between OpenVPN listening on port 443 and HTTPS EdgeRouter GUI access, set the GUI to listen on port 8443:

set service gui http-port 80
set service gui https-port 8443

After applying the above CLI commands, remember to:

  • commit – apply the changes to make them active.
  • save – persist the changes across a reboot.
  • exit – leave configuration mode and return to operational mode.

My full EdgeRouter CLI configuration is explained in Ubiquiti EdgeRouter Lite SOHO Network Configuration.

EdgeRouter OpenVPN CLI Status & Reset Commands

The following CLI commands are useful for debugging and managing OpenVPN.

View active client connections:

Bob@ubnt:~$ show openvpn status server
OpenVPN server status on vtun0 [OpenVPN server]

Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
Bob_iPhone      107.xxx.xxx.57  10.99.99.2      27.0M   1.2M    Sun May 21 15:05:05 201

Show interface details:

Bob@ubnt:~$ show interfaces openvpn detail
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.99.99.1/24 brd 10.99.99.255 scope global vtun0
       valid_lft forever preferred_lft forever
    Description: OpenVPN server

    RX:  bytes    packets     errors    dropped    overrun      mcast
       1082167      19684          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
      49985496      36855          0          0          0          0

Reset the OpenVPN interface. All client connections will be dropped and should quickly reconnect:

Bob@ubnt:~$ reset openvpn interface vtun0
This will reset and re-establish all tunnel connections on this interface.
Are you sure you want to continue? (y/n) [y]y
Tunnel connections for interface vtun0 have been reset.

Show the OpenVPN server configuration:

Bob@ubnt:~$ configure
[edit]
Bob@ubnt# show interfaces openvpn vtun0
 description "OpenVPN server"
 hash sha256
 local-port 443
 mode server
 openvpn-option --comp-lzo
 openvpn-option "--tls-auth /config/auth/ta.key 0"
 openvpn-option "--verb 5"
 openvpn-option --tls-server
 openvpn-option "--cipher AES-256-CBC"
 openvpn-option --float
 openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
 protocol tcp-passive
 server {
     name-server 10.10.0.1
     push-route 10.10.0.0/24
     push-route 10.10.1.0/24
     push-route 10.10.5.0/24
     subnet 10.99.99.0/24
 }
 tls {
     ca-cert-file /config/auth/ca.crt
     cert-file /config/auth/server.pem
     dh-file /config/auth/dh2048.pem
     key-file /config/auth/server.key
 }
[edit]
Bob@ubnt#

Display the OpenVPN process status (line breaks added for readability):

Bob@ubnt:~$ ps aux | grep openvpn
root   6953  0.0  0.5  6244  2908 ?  Ss  May19  1:25 /usr/sbin/openvpn
    --daemon --verb 3 --writepid /var/run/openvpn-vtun0.pid
    --status /var/run/openvpn/status/vtun0.status 30 --dev-type tun
    --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60
    --lport 443 --proto tcp-server --auth sha256
    --ca /config/auth/ca.crt --cert /config/auth/server.pem
    --key /config/auth/server.key --dh /config/auth/dh2048.pem
    --management /tmp/openvpn-mgmt-intf unix
    --push dhcp-option DNS 10.10.0.1 --push route 10.10.0.0 255.255.255.0
    --push route 10.10.1.0 255.255.255.0 --push route 10.10.5.0 255.255.255.0
    --server 10.99.99.0 255.255.255.0
    --client-config-dir /var/run/openvpn/ccd/vtun0 --comp-lzo
    --tls-auth /config/auth/ta.key 0 --verb 5 --tls-server
    --cipher AES-256-CBC --float --tls-cipher DHE-RSA-AES256-SHA
1000   32427  0.0  0.1  2320  568 pts/0   S+   15:07   0:00 /bin/busybox
    grep openvpn

Display the log to see OpenVPN (and all other) entries:

Bob@ubnt:~$ tail -n 100 /var/log/messages

where "-n 100" is the number of lines to display. Check the log for error messages if you’re having configuration problems.

======

This tutorial is continued in OpenVPN iPhone Client Configuration Steps.

Thanks for reading,

Bob

Copyright © 2017 HandymanHowTo.com   Reproduction strictly prohibited.