OpenVPN is configured on the EdgeRouter Lite after creating the PKI (CA, certs and keys). The EdgeRouter is configured as the OpenVPN server supporting multiple VPN clients. This project is continued from EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA.
Project series index:
- Ubiquiti EdgeRouter Lite SOHO Network Design
- Ubiquiti EdgeRouter Lite SOHO Network Configuration
- EdgeRouter Lite SOHO Network Firewall Rules
- Ubiquiti EdgeRouter DNS Security & Content Filtering – Block Ransomware, Botnets, Phishing and Inappropriate Content
- Ubiquiti EdgeRouter: How to Enforce Different DNS Servers per VLAN
- Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial
- EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA
- EdgeRouter OpenVPN Server – Client Mode Configuration Steps (you are here)
- OpenVPN iPhone Client Configuration Steps
- OpenVPN Windows 10 Client Configuration Steps
EdgeRouter OpenVPN Server – Client Mode Configuration Steps
This tutorial was last updated on April 7, 2018 for the latest versions of OpenVPN and Easy-RSA 2.0. See the project introduction for details.
The configuration steps covered in this tutorial are illustrated in this snippet from the OpenVPN master process diagram:
Recall that the Public Key Infrastructure (PKI) was created on a Windows 10 Admin PC. The OpenVPN certs and keys will be transferred via SFTP to the EdgeRouter using the Bitvise SSH/SFTP application:
The complete EdgeRouter network is explained in Ubiquiti EdgeRouter Lite SOHO Network Design.
4 EdgeRouter OpenVPN Server Configuration
The PKI was previously created with the Easy-RSA batch scripts, and the C:\OpenVPN-Server-Client-Build\easy-rsa\keys folder now has the various CA, server and client certificates and keys:
4.a Copy Server Certificates and Keys to EdgeRouter
Subfolders are created for the EdgeRouter files and each VPN client (e.g. Bob_iPhone, Bob_Laptop) to organize your work. Create a subfolder (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter) and copy the files:
from C:\OpenVPN-Server-Client-Build\easy-rsa\keys
to C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter
The subfolder now contains:
Note: You can download the certs and keys used in this tutorial at the above links to see what a working setup looks like. Do not use these on your system to avoid a severe security risk and getting hacked due to this public disclosure. I tore down and recreated my PKI after writing this tutorial so there’s no risk to me sharing the files. The files have a .txt extension added for viewing in a web browser.
Run the Bitvise SSH client (or your favorite SSH/SFTP app) and copy the files from the Admin Desktop PC (C:\OpenVPN-Server-Client-Build\easy-rsa\keys\EdgeRouter) to /config/auth/ on the EdgeRouter:
Log into the EdgeRouter CLI via SSH and change the file permissions to Read & Write (chmod 600) only by the file owner, i.e. you as the root user because no one else needs access. The ta.key TLS Authorization Pre-Shared Key and server.key Private Encryption Key files must be kept private:
Bob@ubnt:/config/auth$ ls -l
total 20
-rw-r--r-- 1 Bob vyattacf 2528 Apr 7 10:46 ca.crt
-rw-r--r-- 1 Bob vyattacf  432 Apr 7 11:08 dh2048.pem
-rw-r--r-- 1 Bob vyattacf 3324 Apr 7 10:53 server.key
-rw-r--r-- 1 Bob vyattacf 2648 Apr 7 10:57 server.pem
-rw-r--r-- 1 Bob vyattacf  657 Apr 7 11:12 ta.key
Bob@ubnt:/config/auth$ chmod 600 *.*
Bob@ubnt:/config/auth$ ls -l
total 20
-rw------- 1 Bob vyattacf 2528 Apr 7 10:46 ca.crt
-rw------- 1 Bob vyattacf  432 Apr 7 11:08 dh2048.pem
-rw------- 1 Bob vyattacf 3324 Apr 7 10:53 server.key
-rw------- 1 Bob vyattacf 2648 Apr 7 10:57 server.pem
-rw------- 1 Bob vyattacf  657 Apr 7 11:12 ta.key
Bob@ubnt:/config/auth$
dos2unix format conversion
Because I created the PKI on a Windows 10 PC with the Easy-RSA 2.0 scripts, the certificate and key files are in DOS format, where each line break is a carriage return plus line feed ("\r\n"). The EdgeRouter is a Linux-based system running Debian and expects only a line feed character ("\n").
DOS format certs and keys will generate a cryptic error when you “commit” after running the “set interfaces openvpn” commands:
set interfaces openvpn vtun0 ...etc...
commit
[ interfaces openvpn vtun0 ]
OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.cer" is not valid.
OpenVPN configuration error: Specified cert-file "/config/auth/server.pem" is not valid.
The solution is to run the dos2unix command to convert DOS line breaks to Unix format:
Bob@ubnt:/config/auth$ dos2unix -u ca.crt
Bob@ubnt:/config/auth$ dos2unix -u dh2048.pem
Bob@ubnt:/config/auth$ dos2unix -u server.key
Bob@ubnt:/config/auth$ dos2unix -u server.pem
Bob@ubnt:/config/auth$ dos2unix -u ta.key
This will avoid hours of wondering what's wrong with your certificates.
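The three things that go wrong at this step (CRLF line endings, a file that is not actually a certificate/key, and permissions looser than 600) can all be caught before you commit. The following Python 3 script is an added example written for this page; it is not from the tutorial, EdgeOS or Easy-RSA. The per-file BEGIN/END labels it expects and the sample files it constructs are assumptions; run it on a Linux admin host against a copy of the EdgeRouter subfolder, or in /config/auth after the upload.

```python
"""Pre-flight checks for OpenVPN files before they are committed on the EdgeRouter.

Added example for this tutorial, not EdgeOS or Easy-RSA code. File names and
the BEGIN/END labels expected per file follow the tutorial and the usual
Easy-RSA/OpenVPN output; the function names are this example's own. The mode
check assumes a POSIX host (the router itself or a Linux admin box).
"""
import os
import re
import stat
import tempfile
from typing import Dict, List

# Assumed mapping: the block label(s) each file should contain.
EXPECTED_LABELS = {
    "ca.crt": {"CERTIFICATE"},
    "server.pem": {"CERTIFICATE"},
    "server.key": {"PRIVATE KEY", "RSA PRIVATE KEY"},
    "dh2048.pem": {"DH PARAMETERS"},
    "ta.key": {"OpenVPN Static key V1"},
}
_BEGIN = re.compile(rb"^-----BEGIN ([^-]+)-----\s*$", re.M)
_END = re.compile(rb"^-----END ([^-]+)-----\s*$", re.M)


def has_dos_line_endings(data: bytes) -> bool:
    """True if the file uses CRLF, as Easy-RSA 2 on Windows writes it."""
    return b"\r\n" in data


def to_unix(data: bytes) -> bytes:
    """The conversion dos2unix performs: CRLF becomes LF."""
    return data.replace(b"\r\n", b"\n")


def block_labels(data: bytes) -> List[str]:
    """Labels of BEGIN blocks that also have a matching END line."""
    ends = {m.group(1).decode() for m in _END.finditer(data)}
    return [m.group(1).decode() for m in _BEGIN.finditer(data)
            if m.group(1).decode() in ends]


def check_file(path: str) -> List[str]:
    """Problems with one file; an empty list means it looks ready to commit."""
    problems = []
    with open(path, "rb") as fh:
        data = fh.read()
    if has_dos_line_endings(data):
        problems.append("CRLF line endings; run dos2unix before commit")
    want = EXPECTED_LABELS.get(os.path.basename(path))
    if want and not (set(block_labels(data)) & want):
        problems.append("no " + "/".join(sorted(want)) + " block found")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        problems.append(f"mode is {mode:o}, expected 600")
    return problems


def preflight(auth_dir: str) -> Dict[str, List[str]]:
    """Check every expected file in the directory; a missing file is a problem."""
    report = {}
    for name in EXPECTED_LABELS:
        path = os.path.join(auth_dir, name)
        report[name] = check_file(path) if os.path.exists(path) else ["missing"]
    return report


def fix_line_endings(path: str) -> bool:
    """Convert a file to LF in place (what dos2unix -u does); True if changed."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not has_dos_line_endings(data):
        return False
    with open(path, "wb") as fh:   # rewriting in place keeps the file's mode
        fh.write(to_unix(data))
    return True


def set_private(path: str) -> int:
    """chmod 600: owner read/write only. Returns the resulting mode bits."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample_dir() -> str:
    """Constructed stand-in for the EdgeRouter subfolder: fake bodies, CRLF, mode 644."""
    d = tempfile.mkdtemp()
    for name, labels in EXPECTED_LABELS.items():
        label = sorted(labels)[0]
        text = f"-----BEGIN {label}-----\r\nMIIB...constructed...\r\n-----END {label}-----\r\n"
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(text.encode())
        os.chmod(path, 0o644)   # the mode SFTP uploads usually end up with
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    for name, issues in preflight(sample).items():
        print(f"{name:12} {issues or 'ok'}")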
4.b EdgeRouter OpenVPN Server – Client Mode Configuration CLI Commands
Backup your EdgeRouter configuration in case something goes wrong. Log into the EdgeRouter GUI and select System → Backup Config → Download backup config file.
Some parameters in the following commands must be changed to match your particular EdgeRouter network, e.g. the name server IP address and the subnets. See Ubiquiti EdgeRouter Lite SOHO Network Design for my network specifications to better understand how they map to the OpenVPN configuration.
Log into the EdgeRouter via SSH and enter configuration mode. User inputs are highlighted in green.
Bob@ubnt:~$ configure
[edit]
Bob@ubnt#
Then run the following commands:
set interfaces openvpn vtun0 description 'OpenVPN server'
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
set interfaces openvpn vtun0 openvpn-option '--verb 5'
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option '--cipher AES-256-CBC'
set interfaces openvpn vtun0 openvpn-option '--tls-cipher DHE-RSA-AES256-SHA'
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 protocol tcp-passive
set interfaces openvpn vtun0 server name-server 10.10.0.1
set interfaces openvpn vtun0 server push-route 10.10.0.0/24
set interfaces openvpn vtun0 server push-route 10.10.1.0/24
set interfaces openvpn vtun0 server push-route 10.10.5.0/24
set interfaces openvpn vtun0 server subnet 10.99.99.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
commit
save
A couple of pointers on the things you will need to customize for your OpenVPN setup follow. See the OpenVPN Manual for a complete reference.
- openvpn vtun0 local-port 443
  Listen for OpenVPN connections on port 443. I chose this to avoid getting blocked by corporate firewalls.
- openvpn vtun0 openvpn-option '--tls-auth /config/auth/ta.key 0'
  The zero (0) parameter is the key direction. It must be 0 for the EdgeRouter server and 1 for all clients.
- openvpn vtun0 openvpn-option '--verb 5'
  Sets the log verbosity level; higher values output more info. 1 – 4 is normal usage, 6 – 11 is for debugging. I like level 5.
- openvpn vtun0 openvpn-option --tls-server
  Enables TLS and assumes the server role during the TLS handshake.
- openvpn vtun0 openvpn-option '--cipher AES-256-CBC'
  Specifies the data channel cipher.
- openvpn vtun0 openvpn-option '--tls-cipher DHE-RSA-AES256-SHA'
  Specifies the TLS control channel cipher.
- openvpn vtun0 protocol tcp-passive
  I chose TCP instead of UDP for reliability; however, TCP is a bit slower.
- openvpn vtun0 server name-server 10.10.0.1
  The LAN IP of my EdgeRouter is 10.10.0.1 and it's the DNS name server for the LAN. Change the IP to match your router.
- The following specify the routes pushed to all clients, i.e. the LAN/VLAN subnets that VPN clients can reach. 10.10.0.0/24 is the EdgeRouter management VLAN1 so I can log in to the EdgeRouter over the VPN, 10.10.1.0/24 is the security camera VLAN10 and 10.10.5.0/24 is VLAN50 for IoT (my home automation controller). VLANs and LAN subnets not listed here cannot be accessed over the VPN. Refer to my home network diagram for details:
  openvpn vtun0 server push-route 10.10.0.0/24
  openvpn vtun0 server push-route 10.10.1.0/24
  openvpn vtun0 server push-route 10.10.5.0/24
- OpenVPN clients will be assigned a DHCP IPv4 address from the 10.99.99.0/24 subnet. Choose a subnet that doesn't conflict with your EdgeRouter LAN/VLAN subnets.
  openvpn vtun0 server subnet 10.99.99.0/24
DNS Forwarding vtun0
Enable DNS forwarding for VPN connections. This is necessary to resolve internal hosts and Internet domains:
configure
set service dns forwarding listen-on vtun0
commit
save
OpenVPN Firewall Rules
Firewall rules need to be defined to allow OpenVPN traffic on port 443. The general rules are shown below for context. Eth0 is connected to the cable modem for Internet access. I put OpenVPN last in the rule order since it’s a minority of traffic on my network. Change the rule # to match your firewall:
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description ‘Allow established/related’
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
…
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description OpenVPN
set firewall name WAN_LOCAL rule 60 destination port 443
set firewall name WAN_LOCAL rule 60 log disable
…
set interfaces ethernet eth0 firewall local name WAN_LOCAL
To avoid a conflict between OpenVPN listening on port 443 and HTTPS access to the EdgeRouter GUI, set the GUI to listen on port 8443:
set service gui http-port 80
set service gui https-port 8443
After applying the above CLI commands, remember to:
- commit – makes the changes active.
- save – persists the changes across reboots.
- exit – leaves configuration mode and returns to operational mode.
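The pointers above list the parameters that must be customized, and a wrong choice (a client subnet that overlaps a VLAN, a pushed route the router does not own, a GUI port that still collides with the OpenVPN listener) only shows up after commit. The following Python 3 script is an added example written for this page, not part of the tutorial or EdgeOS: it validates those relationships and then renders the same set commands as above from one plan object. The OpenVpnPlan fields, the check wording and the extra 10.10.2.0/24 entry in the LAN list are assumptions of this example; the command syntax and the other values are the tutorial's.

```python
"""Sanity-check an EdgeRouter OpenVPN plan, then render the CLI commands.

Added example for this tutorial; not Ubiquiti/EdgeOS code. The set-command
syntax and the values in PAGE_PLAN come from the tutorial (the full LAN list
is a constructed assumption); the plan fields and checks are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class OpenVpnPlan:
    lan_subnets: List[str]        # every LAN/VLAN subnet the router owns
    push_routes: List[str]        # the subnets VPN clients may reach
    vpn_subnet: str               # pool handed out to VPN clients
    name_server: str              # DNS pushed to clients (router LAN IP here)
    local_port: int = 443         # OpenVPN listener
    gui_https_port: int = 443     # EdgeOS GUI HTTPS port, 443 unless changed
    firewall_rule: int = 60       # WAN_LOCAL rule number to use
    auth_dir: str = "/config/auth"


def validate(plan: OpenVpnPlan) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    lans = [ip_network(s) for s in plan.lan_subnets]
    vpn = ip_network(plan.vpn_subnet)
    for lan in lans:                    # client pool must not overlap any LAN
        if vpn.overlaps(lan):
            problems.append(f"vpn subnet {vpn} overlaps LAN subnet {lan}")
    for r in plan.push_routes:          # only push subnets the router owns
        if not any(ip_network(r).subnet_of(lan) for lan in lans):
            problems.append(f"push-route {r} is not inside any LAN subnet")
    ns = ip_address(plan.name_server)   # pushed DNS must sit behind a pushed route
    if not any(ns in ip_network(r) for r in plan.push_routes):
        problems.append(f"name-server {ns} is not inside any pushed route")
    if plan.local_port == plan.gui_https_port:
        problems.append(f"local-port {plan.local_port} collides with GUI https-port")
    return problems


def render(plan: OpenVpnPlan) -> List[str]:
    """The CLI lines to paste in configuration mode, in the tutorial's order."""
    a, v = plan.auth_dir, "set interfaces openvpn vtun0"
    cmds = [
        f"{v} description 'OpenVPN server'",
        f"{v} hash sha256",
        f"{v} local-port {plan.local_port}",
        f"{v} mode server",
        f"{v} openvpn-option --comp-lzo",
        f"{v} openvpn-option '--tls-auth {a}/ta.key 0'",
        f"{v} openvpn-option '--verb 5'",
        f"{v} openvpn-option --tls-server",
        f"{v} openvpn-option '--cipher AES-256-CBC'",
        f"{v} openvpn-option '--tls-cipher DHE-RSA-AES256-SHA'",
        f"{v} openvpn-option --float",
        f"{v} protocol tcp-passive",
        f"{v} server name-server {plan.name_server}",
    ]
    cmds += [f"{v} server push-route {r}" for r in plan.push_routes]
    cmds += [
        f"{v} server subnet {plan.vpn_subnet}",
        f"{v} tls ca-cert-file {a}/ca.crt",
        f"{v} tls cert-file {a}/server.pem",
        f"{v} tls dh-file {a}/dh2048.pem",
        f"{v} tls key-file {a}/server.key",
        "set service dns forwarding listen-on vtun0",
        f"set firewall name WAN_LOCAL rule {plan.firewall_rule} action accept",
        f"set firewall name WAN_LOCAL rule {plan.firewall_rule} description OpenVPN",
        f"set firewall name WAN_LOCAL rule {plan.firewall_rule} destination port {plan.local_port}",
        f"set firewall name WAN_LOCAL rule {plan.firewall_rule} log disable",
        f"set service gui https-port {plan.gui_https_port}",
        "commit",
        "save",
    ]
    return cmds


# The tutorial's values; 10.10.2.0/24 is a constructed extra VLAN that is
# deliberately not pushed, to show that unlisted subnets stay unreachable.
PAGE_PLAN = OpenVpnPlan(
    lan_subnets=["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.5.0/24"],
    push_routes=["10.10.0.0/24", "10.10.1.0/24", "10.10.5.0/24"],
    vpn_subnet="10.99.99.0/24",
    name_server="10.10.0.1",
    gui_https_port=8443,
)

if __name__ == "__main__":
    for p in validate(PAGE_PLAN):
        print("PROBLEM:", p)
    print("\n".join(render(PAGE_PLAN)))
```

Leaving gui_https_port at its default of 443 is the mistake the GUI-port step above guards against; validate() reports it as a collision rather than letting the commit fail.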
My full EdgeRouter CLI configuration is explained in Ubiquiti EdgeRouter Lite SOHO Network Configuration. Also see my latest EdgeRouter configuration.
EdgeRouter OpenVPN CLI Status & Reset Commands
The following CLI commands are useful for debugging and managing OpenVPN.
View active client connections:
Bob@ubnt:~$ show openvpn status server
OpenVPN server status on vtun0 [OpenVPN server]
Client CN    Remote IP        Tunnel IP    TX byte  RX byte  Connected Since
-----------  ---------------  -----------  -------  -------  ------------------------
Bob_iPhone   107.xxx.xxx.57   10.99.99.2   27.0M    1.2M     Sat Apr 7 19:35:35 2018
Show interface details:
Bob@ubnt:~$ show interfaces openvpn detail
vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.99.99.1/24 brd 10.99.99.255 scope global vtun0
valid_lft forever preferred_lft forever
Description: OpenVPN server
RX: bytes packets errors dropped overrun mcast
1082167 19684 0 0 0 0
TX: bytes packets errors dropped carrier collisions
49985496 36855 0 0 0 0
Reset the OpenVPN interface. All client connections will be dropped and should quickly reconnect:
Bob@ubnt:~$ reset openvpn interface vtun0
This will reset and re-establish all tunnel connections on this interface.
Are you sure you want to continue? (y/n) [y]y
Tunnel connections for interface vtun0 have been reset.
Show the OpenVPN server configuration:
Bob@ubnt:~$ configure
[edit]
Bob@ubnt# show interfaces openvpn vtun0
description "OpenVPN server"
hash sha256
local-port 443
mode server
openvpn-option --comp-lzo
openvpn-option "--tls-auth /config/auth/ta.key 0"
openvpn-option "--verb 5"
openvpn-option --tls-server
openvpn-option "--cipher AES-256-CBC"
openvpn-option "--tls-cipher DHE-RSA-AES256-SHA"
openvpn-option --float
protocol tcp-passive
server {
name-server 10.10.0.1
push-route 10.10.0.0/24
push-route 10.10.1.0/24
push-route 10.10.5.0/24
subnet 10.99.99.0/24
}
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/server.pem
dh-file /config/auth/dh2048.pem
key-file /config/auth/server.key
}
[edit]
Bob@ubnt#
Display the OpenVPN process status (line breaks added for readability):
Bob@ubnt:~$ ps aux | grep openvpn
1000 7679 0.0 0.1 2320 568 pts/0 S+ 19:38 0:00 /bin/busybox grep openvpn
root 29267 0.0 0.5 6324 2820 ? Ss 12:06 0:12 /usr/sbin/openvpn --daemon --verb 3 --writepid /var/run/openvpn-vtun0.pid
  --status /var/run/openvpn/status/vtun0.status 30 --dev-type tun --dev vtun0 --mode server --tls-server --topology subnet
  --keepalive 10 60 --lport 443 --proto tcp-server --auth sha256 --ca /config/auth/ca.crt --cert /config/auth/server.pem
  --key /config/auth/server.key --dh /config/auth/dh2048.pem --management /tmp/openvpn-mgmt-intf unix
  --push dhcp-option DNS 10.10.0.1 --push route 10.10.0.0 255.255.255.0 --push route 10.10.1.0 255.255.255.0
  --push route 10.10.5.0 255.255.255.0 --server 10.99.99.0 255.255.255.0 --client-config-dir /var/run/openvpn/ccd/vtun0
  --comp-lzo --tls-auth /config/auth/ta.key 0 --verb 5 --tls-server --cipher AES-256-CBC --tls-cipher DHE-RSA-AES256-SHA --float
Display the log to see OpenVPN (and all other) entries:
Bob@ubnt:~$ tail -n 100 /var/log/messages
where “-n 100” is the number of lines to display. Check the log for error messages if you’re having configuration problems.
======
This tutorial is continued in OpenVPN iPhone Client Configuration Steps.
Thanks for reading,
Bob