EdgeRouter OpenVPN Server – Client Mode Configuration Steps


OpenVPN is configured on the EdgeRouter Lite after creating the PKI (CA, certs and keys). The EdgeRouter is configured as the OpenVPN server supporting multiple VPN clients. This project is continued from EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA.


This tutorial was last updated on April 7, 2018 for the latest versions of OpenVPN and Easy-RSA 2.0. See the project introduction for details.

The configuration steps covered in this tutorial are illustrated in this snippet from the OpenVPN master process diagram:

EdgeRouter OpenVPN Server Configuration Steps

Recall the Public Key Infrastructure (PKI) was created on a Windows 10 Admin PC. The OpenVPN certs and keys will be transferred via SFTP to the EdgeRouter using the bitvise SSH/SFTP application:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

The complete EdgeRouter network is explained in Ubiquiti EdgeRouter Lite SOHO Network Design.

4 EdgeRouter OpenVPN Server Configuration

The PKI was previously created with the Easy-RSA batch scripts, and the C:\OpenVPN-Server-Client-Build\easy-rsa\keys\ folder now contains the CA, server and client certificates and keys:

OpenVPN Easy RSA – Keys Folder Content CA TA Server and Clients

4.a Copy Server Certificates and Keys to EdgeRouter

Subfolders are created for the EdgeRouter files and for each VPN client (e.g. Bob_iPhone, Bob_Laptop) to keep your work organized. Create a subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\) and copy the files:

from C:\OpenVPN-Server-Client-Build\easy-rsa\keys\

to C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\

The subfolder now contains:

OpenVPN Configuration – Ubiquiti EdgeRouter Certificates and Private Keys

Note: You can download the certs and keys used in this tutorial at the above links to see what a working setup looks like. Do not use them on your own system: they are publicly disclosed, so doing so is a severe security risk and you could get hacked. I tore down and recreated my PKI after writing this tutorial, so there is no risk to me in sharing the files. The files have a .txt extension added for viewing in a web browser.

Run the bitvise SSH client (or your favorite SSH/SFTP app) and copy the files from the Admin Desktop PC (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter\) to /config/auth/ on the EdgeRouter:

Configure OpenVPN – Copy Certificate and Keys to Ubiquiti EdgeRouter

Log into the EdgeRouter CLI via SSH and change the file permissions with chmod 600 so that only the file owner (you, as the admin user) can read and write them; no one else needs access. The ta.key tls-auth pre-shared key and the server.key private key in particular must be kept private:

Bob@ubnt:/config/auth$ ls -l
total 20
-rw-r--r-- 1 Bob vyattacf 2528 Apr 7 10:46 ca.crt
-rw-r--r-- 1 Bob vyattacf 432 Apr 7 11:08 dh2048.pem
-rw-r--r-- 1 Bob vyattacf 3324 Apr 7 10:53 server.key
-rw-r--r-- 1 Bob vyattacf 2648 Apr 7 10:57 server.pem
-rw-r--r-- 1 Bob vyattacf 657 Apr 7 11:12 ta.key

Bob@ubnt:/config/auth$ chmod 600 *.*
Bob@ubnt:/config/auth$ ls -l
total 20
-rw------- 1 Bob vyattacf 2528 Apr 7 10:46 ca.crt
-rw------- 1 Bob vyattacf 432 Apr 7 11:08 dh2048.pem
-rw------- 1 Bob vyattacf 3324 Apr 7 10:53 server.key
-rw------- 1 Bob vyattacf 2648 Apr 7 10:57 server.pem
-rw------- 1 Bob vyattacf 657 Apr 7 11:12 ta.key
Bob@ubnt:/config/auth$

dos2unix format conversion

Because I created the PKI on a Windows 10 PC with the Easy-RSA 2.0 scripts, the certificate and key files are in DOS format, where each line break is a carriage return plus line feed ("\r\n"). The EdgeRouter is a Linux-based system running Debian and expects only a line feed ("\n").

DOS-format certs and keys generate a cryptic error when you commit after running the set interfaces openvpn commands:

set interfaces openvpn vtun0 ...etc...
commit
[ interfaces openvpn vtun0 ]
OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.cer" is not valid.
OpenVPN configuration error: Specified cert-file "/config/auth/server.pem" is not valid.

The solution is to run the dos2unix command to convert DOS line breaks to Unix format:

Bob@ubnt:/config/auth$ dos2unix -u ca.crt
Bob@ubnt:/config/auth$ dos2unix -u dh2048.pem
Bob@ubnt:/config/auth$ dos2unix -u server.key
Bob@ubnt:/config/auth$ dos2unix -u server.pem
Bob@ubnt:/config/auth$ dos2unix -u ta.key

This will avoid hours of wondering what's wrong with your certificates.
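The two file problems above (DOS line endings and keys readable by other users) are easy to check for before the commit rather than after it fails. The following POSIX shell functions are an added example, not part of the original tutorial: the function names are assumed, the conversion uses tr (the same CR stripping dos2unix -u performs, so it also works where dos2unix is not installed), and the sample directory holds constructed placeholder text rather than real certificates or keys.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check the certificate and
# key files uploaded to /config/auth for DOS (CRLF) line endings and for
# permissions wider than 600, and fix both. Function names are assumed; the
# directory is a parameter so the checks can be tried on a scratch copy first.

# Return 0 if the file contains no carriage return characters.
has_unix_line_endings() {
    ! LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# Strip carriage returns in place; this is what "dos2unix -u" does.
# Writing back through cat keeps the file's owner and mode.
to_unix_line_endings() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Return 0 if only the owner can read and write the file (mode 600).
is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Report every file that is still in DOS format or readable by others.
# Returns 1 if any problem was found, so it can gate a "commit".
check_auth_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        has_unix_line_endings "$f" || { echo "DOS line endings: $f"; rc=1; }
        is_owner_only "$f" || { echo "permissions too open: $f"; rc=1; }
    done
    return $rc
}

# Convert and lock down every file in the directory.
fix_auth_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        to_unix_line_endings "$f"
        chmod 600 "$f"
    done
}

# Build a scratch directory holding constructed CRLF placeholders (sample text,
# not real certificates or keys) so the checks can be exercised safely.
make_sample_auth_dir() {
    d=$(mktemp -d)
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\r\n' '-----BEGIN OpenVPN Static key V1-----' '0123...constructed...' '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    chmod 644 "$d"/*
    echo "$d"
}
```

On the router, check_auth_dir /config/auth before the commit in section 4.b; a non-zero exit status means the "is not valid" error above is still waiting for you, and fix_auth_dir /config/auth does the dos2unix and chmod 600 steps in one go.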

4.b EdgeRouter OpenVPN Server – Client Mode Configuration CLI Commands

Back up your EdgeRouter configuration in case something goes wrong. Log into the EdgeRouter GUI and select System > Back Up Config > Download backup config file.

Some parameters in the following commands must be changed to match your particular EdgeRouter network, e.g. the name server IP address and the subnets. See Ubiquiti EdgeRouter Lite SOHO Network Design for my network specifications to better understand how it maps to the OpenVPN configuration.

Log into the EdgeRouter via SSH and enter configuration mode:

Bob@ubnt:~$ configure
[edit]
Bob@ubnt#

Then run the following commands:

set interfaces openvpn vtun0 description 'OpenVPN server'
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
set interfaces openvpn vtun0 openvpn-option '--verb 5'
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option '--cipher AES-256-CBC'
set interfaces openvpn vtun0 openvpn-option '--tls-cipher DHE-RSA-AES256-SHA'
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 protocol tcp-passive
set interfaces openvpn vtun0 server name-server 10.10.0.1
set interfaces openvpn vtun0 server push-route 10.10.0.0/24
set interfaces openvpn vtun0 server push-route 10.10.1.0/24
set interfaces openvpn vtun0 server push-route 10.10.5.0/24
set interfaces openvpn vtun0 server subnet 10.99.99.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
commit
save

A couple of pointers on the settings you will need to customize for your OpenVPN setup. See the OpenVPN Manual for a complete reference.
  • openvpn vtun0 local-port 443
    Listen for OpenVPN connections on port 443. I chose this to avoid getting blocked by corporate firewalls.

  • openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
    The zero (0) parameter is the key direction. It must be 0 for the EdgeRouter server and 1 for all clients.
  • openvpn vtun0 openvpn-option '--verb 5'
    Sets the log verbosity level; higher values output more info. Levels 1 to 4 are for normal usage and 6 to 11 are for debugging. I like level 5.
  • openvpn vtun0 openvpn-option --tls-server
    Enable TLS and assume the server role during the TLS handshake.
  • openvpn vtun0 openvpn-option '--cipher AES-256-CBC'
    Specifies the data channel cipher.
  • openvpn vtun0 openvpn-option '--tls-cipher DHE-RSA-AES256-SHA'
    Specifies the TLS control channel cipher.
  • openvpn vtun0 protocol tcp-passive
    I chose TCP instead of UDP for reliability, although TCP is a bit slower.
  • openvpn vtun0 server name-server 10.10.0.1
    The LAN IP of my EdgeRouter is 10.10.0.1 and it is the DNS name server for the LAN. Change the IP to match your router.
  • The following specify the routes pushed to all clients, i.e. the LAN/VLAN subnets that VPN clients can reach.
    10.10.0.0/24 is the EdgeRouter management VLAN1 so I can log in to the EdgeRouter over the VPN, 10.10.1.0/24 is the security camera VLAN10 and 10.10.5.0/24 is VLAN50 for IoT (my home automation controller). VLANs and LAN subnets not listed here cannot be accessed over the VPN. Refer to my home network diagram for details:

    openvpn vtun0 server push-route 10.10.0.0/24
    openvpn vtun0 server push-route 10.10.1.0/24
    openvpn vtun0 server push-route 10.10.5.0/24
  • OpenVPN clients are assigned a DHCP IPv4 address from the 10.99.99.0/24 subnet. Choose a subnet that doesn't conflict with your EdgeRouter LAN/VLAN subnets.
    openvpn vtun0 server subnet 10.99.99.0/24
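The VPN client subnet and the pushed routes must not overlap, or clients end up with routes that shadow each other. As an added check that is not part of the original tutorial, the following POSIX shell functions (names assumed for this example) test two CIDR blocks for overlap using only shell arithmetic and then run that test over the subnets used on this page, so the same command can be rerun with your own subnets before you commit.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): check that the VPN client
# subnet does not overlap any pushed LAN/VLAN route, using only POSIX shell
# arithmetic. Function names are assumed for this example.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address (as an integer) of "a.b.c.d/n".
cidr_network() {
    ip=${1%/*}
    bits=${1#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    echo $(( $(ip_to_int "$ip") & mask ))
}

# Return 0 if two CIDR blocks overlap. They overlap exactly when both have the
# same network address under the shorter (less specific) of the two prefixes.
cidr_overlap() {
    b1=${1#*/}
    b2=${2#*/}
    n=$b1
    if [ "$b2" -lt "$n" ]; then
        n=$b2
    fi
    [ "$(cidr_network "${1%/*}/$n")" -eq "$(cidr_network "${2%/*}/$n")" ]
}

# Usage: check_vpn_subnet VPN_SUBNET LAN_SUBNET...
# Prints each conflict and returns 1 if the VPN subnet overlaps any LAN subnet.
check_vpn_subnet() {
    vpn=$1
    shift
    rc=0
    for lan in "$@"; do
        if cidr_overlap "$vpn" "$lan"; then
            echo "VPN subnet $vpn overlaps $lan"
            rc=1
        fi
    done
    return $rc
}

# The subnets from this tutorial: 10.99.99.0/24 for clients, three pushed routes.
check_vpn_subnet 10.99.99.0/24 10.10.0.0/24 10.10.1.0/24 10.10.5.0/24 && echo "no overlap"
```

The check is deliberately strict in both directions: a VPN subnet inside a pushed route (say 10.10.0.0/16 pushed and 10.10.99.0/24 for clients) is reported as an overlap too, because the client would receive a route covering its own tunnel address.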

OpenVPN Firewall Rules

Firewall rules need to be defined to allow OpenVPN traffic on port 443. The general rules are shown below for context. Eth0 is connected to the cable modem for Internet access. I put OpenVPN last in the rule order since it’s a minority of traffic on my network. Change the rule # to match your firewall:

set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description OpenVPN
set firewall name WAN_LOCAL rule 60 destination port 443
set firewall name WAN_LOCAL rule 60 log disable

set interfaces ethernet eth0 firewall local name WAN_LOCAL

To avoid a conflict between OpenVPN listening on port 443 and HTTPS access to the EdgeRouter GUI, set the GUI to listen on port 8443:

set service gui http-port 80
set service gui https-port 8443

After applying the above CLI commands, remember to:

  • commit – changes to make them active.
  • save – changes to persist after reboot.
  • exit – exit configuration mode and return to operational mode.

My full EdgeRouter CLI configuration is explained in Ubiquiti EdgeRouter Lite SOHO Network Configuration.

EdgeRouter OpenVPN CLI Status & Reset Commands

The following CLI commands are useful for debugging and managing OpenVPN.

View active client connections:

Bob@ubnt:~$ show openvpn status server
OpenVPN server status on vtun0 [OpenVPN server]

Client CN       Remote IP       Tunnel IP       TX byte RX byte Connected Since
--------------- --------------- --------------- ------- ------- ------------------------
Bob_iPhone      107.xxx.xxx.57  10.99.99.2      27.0M   1.2M    Sat Apr 7 19:35:35 2018
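The table above is built from OpenVPN's status file; the ps listing further down this page shows the server writing it with --status /var/run/openvpn/status/vtun0.status 30, i.e. every 30 seconds. As an added example, not part of the tutorial, the following shell functions (names assumed) parse that file with awk and flag any connected Common Name that is not on your list of issued client certificates. Since a CN can only appear after the CA has signed it, an unexpected one means either a certificate you forgot about or one that should have been revoked, and is worth a look in /var/log/messages. The layout is OpenVPN's default version-1 status format; the sample file is constructed and uses RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): parse OpenVPN's status
# file and flag connected clients whose Common Name is not on the expected
# list. Function names are assumed; the sample file is constructed.

# Print one line per connected client: "CN real_address tunnel_ip connected_since".
# Joins the CLIENT LIST section (CN, real address, connect time) with the
# ROUTING TABLE section (tunnel IP) of the default version-1 status format.
openvpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        sec == "clients" && NF >= 5 && $1 != "Common Name"    { real[$1] = $2; since[$1] = $5 }
        sec == "routes"  && NF >= 4 && $1 != "Virtual Address" { tun[$2] = $1 }
        END {
            for (cn in real)
                printf "%s %s %s %s\n", cn, real[cn], (cn in tun ? tun[cn] : "-"), since[cn]
        }
    ' "$1" | LC_ALL=C sort
}

# Print the CN of every connected client that is not in the expected list.
# Usage: unexpected_clients STATUS_FILE EXPECTED_CN...
unexpected_clients() {
    status=$1
    shift
    openvpn_clients "$status" | while read -r cn rest; do
        found=0
        for ok in "$@"; do
            [ "$cn" = "$ok" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$cn"
        fi
    done
}

# Write a constructed two-client status file to a temp file and print its path.
make_sample_status() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Apr 7 19:40:05 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Bob_iPhone,203.0.113.57:51234,1258291,28311552,Sat Apr 7 19:35:35 2018
Bob_Laptop,203.0.113.58:40001,40960,81920,Sat Apr 7 19:36:10 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.99.99.2,Bob_iPhone,203.0.113.57:51234,Sat Apr 7 19:40:01 2018
10.99.99.3,Bob_Laptop,203.0.113.58:40001,Sat Apr 7 19:39:58 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
    echo "$f"
}
```

On the EdgeRouter, openvpn_clients /var/run/openvpn/status/vtun0.status prints the same information as show openvpn status server, and unexpected_clients with the CNs you actually issued (Bob_iPhone, Bob_Laptop in this tutorial) is cheap enough to run from cron.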

Show interface details:

Bob@ubnt:~$ show interfaces openvpn detail
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.99.99.1/24 brd 10.99.99.255 scope global vtun0
       valid_lft forever preferred_lft forever
    Description: OpenVPN server

    RX:  bytes    packets     errors    dropped    overrun      mcast
       1082167      19684          0          0          0          0
    TX:  bytes    packets     errors    dropped    carrier collisions
      49985496      36855          0          0          0          0

Reset the OpenVPN interface. All client connections will be dropped and should quickly reconnect:

Bob@ubnt:~$ reset openvpn interface vtun0
This will reset and re-establish all tunnel connections on this interface.
Are you sure you want to continue? (y/n) [y]y
Tunnel connections for interface vtun0 have been reset.

Show the OpenVPN server configuration:

Bob@ubnt:~$ configure
[edit]
Bob@ubnt# show interfaces openvpn vtun0
 description "OpenVPN server"
 hash sha256
 local-port 443
 mode server
 openvpn-option --comp-lzo
 openvpn-option "--tls-auth /config/auth/ta.key 0"
 openvpn-option "--verb 5"
 openvpn-option --tls-server
 openvpn-option "--cipher AES-256-CBC"
 openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
 openvpn-option --float
 protocol tcp-passive
 server {
     name-server 10.10.0.1
     push-route 10.10.0.0/24
     push-route 10.10.1.0/24
     push-route 10.10.5.0/24
     subnet 10.99.99.0/24
 }
 tls {
     ca-cert-file /config/auth/ca.crt
     cert-file /config/auth/server.pem
     dh-file /config/auth/dh2048.pem
     key-file /config/auth/server.key
 }
[edit]
Bob@ubnt#

Display the OpenVPN process status (line breaks added for readability):

Bob@ubnt:~$ ps aux | grep openvpn
1000   7679  0.0  0.1  2320   568 pts/0  S+  19:38  0:00 /bin/busybox grep openvpn
root  29267  0.0  0.5  6324  2820 ?      Ss  12:06  0:12 /usr/sbin/openvpn --daemon --verb 3
    --writepid /var/run/openvpn-vtun0.pid --status /var/run/openvpn/status/vtun0.status 30
    --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet --keepalive 10 60
    --lport 443 --proto tcp-server --auth sha256
    --ca /config/auth/ca.crt --cert /config/auth/server.pem --key /config/auth/server.key --dh /config/auth/dh2048.pem
    --management /tmp/openvpn-mgmt-intf unix
    --push dhcp-option DNS 10.10.0.1
    --push route 10.10.0.0 255.255.255.0 --push route 10.10.1.0 255.255.255.0 --push route 10.10.5.0 255.255.255.0
    --server 10.99.99.0 255.255.255.0 --client-config-dir /var/run/openvpn/ccd/vtun0
    --comp-lzo --tls-auth /config/auth/ta.key 0 --verb 5 --tls-server --cipher AES-256-CBC --tls-cipher DHE-RSA-AES256-SHA --float

Display the log to see OpenVPN (and all other) entries:

Bob@ubnt:~$ tail -n 100 /var/log/messages

where “-n 100” is the number of lines to display. Check the log for error messages if you’re having configuration problems.

======

This tutorial is continued in OpenVPN iPhone Client Configuration Steps.

Thanks for reading,

Bob

Copyright © 2018 HandymanHowTo.com   Reproduction strictly prohibited.

4 Comments

  1. CDr Scowl November 30, 2017 at 11:51 pm - Reply

    Hello Bob

    I have been working on my setup when time permits. I realize a couple of lines are duplicated in another comment I made, but I wanted to post my settings that worked in the correct area this time. I have made some additions to my setup:

    Server settings which increased my vpn throughput, but I don’t know why:
    set interfaces openvpn vtun0 openvpn-option '--sndbuf 0'
    set interfaces openvpn vtun0 openvpn-option '--rcvbuf 0'
    set interfaces openvpn vtun0 openvpn-option '--mtu-disc yes'

    Force clients to send all traffic over the VPN:
    set interfaces openvpn vtun0 openvpn-option '--push redirect-gateway local def1'
    (note: use pull in your client ovpn file)

    Drop root privileges after openvpn initializes:
    set interfaces openvpn vtun0 openvpn-option '--user nobody'
    set interfaces openvpn vtun0 openvpn-option '--group nogroup'

    • Bob Jackson December 1, 2017 at 7:16 pm - Reply

      Hi,
      I’ve not noticed any performance issues on my OpenVPN connections. Mostly because I have 300Mbps down & 30Mbps up at home which is way faster than the remote Internet connections I use to connect remotely. I’ll try your settings and run speed tests.

      > Server settings which increased my vpn throughput, but I don’t know why:
      The OpenVPN MAN page details the various settings. For sndbuf & rcvbuf it “Set[s] the TCP/UDP socket send [receive] buffer size. Currently defaults to 65536 bytes.” The Speed up OpenVPN and get faster speed over its channel tutorial explains that setting the buffers to zero (0) lets the Operating System determine the best buffer size. Seems to be an issue for Windows clients connecting to a Linux server (the EdgeRouter runs Debian).

      “--mtu-disc yes” means don’t fragment frames and it’s only supported on Linux.

      > Drop root privileges after openvpn initializes:
      That is a best practice. Because I’m the EdgeRouter Admin and no one else has remote access accounts I didn’t bother. For a business environment you should lock it down.

  2. Cdr Scowl December 7, 2017 at 1:15 pm - Reply

    Hi Bob

    Thanks for the explanation. I do use Debian and Windows, so that makes sense.

    You have the best howto for the EdgeRouter I’ve seen.
