Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial

How to configure OpenVPN in Server/Client mode on a Ubiquiti EdgeRouter Lite for secure remote access from multiple clients to a small office/home office (SOHO) network:

Ubiquiti EdgeRouter OpenVPN Server - Client Network Diagram

Ubiquiti EdgeRouter OpenVPN Server – Client Network Diagram

The EdgeRouter OpenVPN server listens on port 443 to pass through corporate firewalls that often block other TCP/IP ports. Port 443 is allowed on most firewalls because it’s used for HTTPS (HTTP over TLS/SSL) and the firewall can’t tell the difference between  encrypted HTTPS and OpenVPN network traffic.

Port Forwarding is not enabled and I only allow OpenVPN connections to my home network. See VPN vs Port Forwarding (.pdf) by Luxul for details.

Project series index:

  1. Ubiquiti EdgeRouter Lite SOHO Network Design
  2. Ubiquiti EdgeRouter Lite SOHO Network Configuration
  3. EdgeRouter Lite SOHO Network Firewall Rules
  4. Ubiquiti EdgeRouter DNS Security & Content Filtering – Block Ransomware, Botnets, Phishing and Inappropriate Content
  5. Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial (you are here)
  6. EdgeRouter OpenVPN: Create Public Key Infrastructure with Easy-RSA
  7. EdgeRouter OpenVPN Server – Client Mode Configuration Steps
  8. OpenVPN iPhone Client Configuration Steps
  9. OpenVPN Windows 10 Client Configuration Steps

Remote Access vs Site-to-Site vs Private Internet Access VPNs

There are several types of VPNs to solve various privacy and connectivity requirements:

  • Remote Access VPN
    Provides remote connectivity to a LAN network from one or more clients as illustrated in the above diagram.
    A client (smart phone, PC, teleworker, etc.) connects to an OpenVPN server (e.g. EdgeRouter). The VPN client behaves like a local user and can access network applications, printers and servers. Network administrators also use VPNs to manage the router, switches and servers. This is the way big companies do it and the subject of this tutorial.
  • Site-to-Site VPN
    A site-to-site VPN transparently links two remote networks through a secure connection over the Internet. This is useful when a company has two offices (each with a router & LAN) and needs to route traffic traffic between the two. The advantage is it only involves configuring the routers and is transparent (i.e. no changes) to the local servers and clients.
  • Private Internet Access (PIA) VPN
    PIA‘s are a means for anonymous Internet access to avoid eavesdropping by your Internet Service Provider (ISP) or to make it appear that your Internet connection (IP address) originates in a different country to access services that may be blocked in foreign countries.

    • A non-anonymous PIA-like configuration is supported by the Viscosity OpenVPN PC/MAC client to force all web browser traffic through the EdgeRouter and it’s Internet connection.

Ubiquiti EdgeRouter OpenVPN Server-Client Configuration Tutorial

Configuring OpenVPN is a bit complex but I’ve provided diagrams and a complete working PKI that should make it a straightforward exercise. This tutorial only assumes your EdgeRouter is up & running and you want to enable OpenVPN in server/client mode.

The Public Key Infrastructure (PKI) consisting of the root Certificate Authority (CA), Server & Client Certificates and Private Encryption Keys will be created on a Windows 10 desktop PC using the OpenVPN easy-rsa scripts included with OpenVPN. The certificates, keys and OpenVPN (.ovpn) client Profiles will be installed on the EdgeRouter, iPhone and Windows 10 laptop:

EdgeRouter Lite OpenVPN Server and Client Configuration Files

EdgeRouter Lite OpenVPN Server and Client Configuration Files

Creating the PKI and related items is faster, more convenient and secure on the Windows PC versus directly on the EdgeRouter. You also have to use Apple iTunes on the PC to sync the iPhone OpenVPN client configuration file.

Windows 10 Admin PC Software Apps

The software applications installed on the Windows 10 Admin PC are:

  • OpenVPN – Installer for Windows. I used the latest version 2.4.1 at the time of this writing. It’s free.
    The “easy-rsa 2” scripts are bundled with the Windows installer.
  • bitvise SSH & SFTP client for convenient GUI access from the Windows Admin PC to the EdgeRouter. Also free.
  • UltraEdit is my favorite text editor but any text editor will do.

OpenVPN Configuration Process Diagram – EdgeRouter Server and Clients

The following OpenVPN configuration process diagram outlines the major steps to setup OpenVPN on the EdgeRouter, laptop and iPhone:

EdgeRouter Lite OpenVPN EasyRSA Certificate Authority Server and Client Configuration Steps

EdgeRouter Lite OpenVPN EasyRSA Certificate Authority Server and Client Configuration Steps

The following instructions covers steps 1, 1.a and 2 in this except from the above master process diagram:

EdgeRouter OpenVPN Configuration Initial Steps

EdgeRouter OpenVPN Configuration Initial Steps

1. Install OpenVPN

Download OpenVPN for Windows and run the installer. Be sure to select “OpenVPN RSA Certificate Management Scripts” which will also install the easy-rsa scripts:

OpenVPN Windows PC Install - OpenVPN RSA Certificate Management Scripts

OpenVPN Windows PC Install – OpenVPN RSA Certificate Management Scripts

Choose the default installation folder, C:\Program Files\OpenVPN:

OpenVPN Install Wizard

OpenVPN Install Wizard

After the installer is finished, there’s an easy-rsa folder in C:\Program Files\OpenVPN:

OpenVPN Easy RSA Scripts Folder

OpenVPN Easy RSA Scripts Folder

1.a Create an Easy-RSA Work Folder

Doing work in C:\Program Files isn’t a best practice. Create a new folder C:\OpenVPN-Server-Client-Build for where the Certificate Authority, certificates and keys will be generated. I created a new folder in the C:\ root directory to keep the directory paths short for this tutorial. A better place would be in your Windows Documents folder.

Copy C:\Program Files\OpenVPN\easy-rsa folder and contents to C:\OpenVPN-Server-Client-Build. Screen grab after copying the folder:

Copy Easy RSA Folder from ProgramFiles to Build

Copy Easy RSA Folder from ProgramFiles to Build

2. Document your Certificate Authority (CA), Server and Clients parameters in Excel

Decide now what to name your CA, organization, Common Names, Private Key (PEM) Passphrases, etc. because these values will used by the easy-rsa scripts. Since this is a home network instead of a company or institution with a real domain name (i.e. example.com) you’ll need to invent meaningful names. The most important items are the Common Names which must be unique within your Certificate Authority.

Create an Excel Worksheet or text file to document your CA. This document is highly confidential because it contains your client Private Key (PEM) Passphrases. I keep my sensitive files in an encrypted Veracrypt file and an Apricorn Aegis Secure Key for on-the-road access. The Excel worksheet is:

OpenVPN EasyRSA Configuration Worksheet

OpenVPN EasyRSA Configuration Worksheet

The following parameters are the same as in the above Excel worksheet.

The CA parameters in this example are:

Certificate Authority
PEM pass phraseopensaysme
KEY_COUNTRYUS
KEY_PROVINCEGeorgia
KEY_CITYAtlanta
KEY_ORGOpenVPN
KEY_EMAILbob@handymanhowto.com
KEY_CNOpenVPNBobER3-CA
KEY_NAMEOpenVPN-CA
KEY_OUBobER3CertificateAuthority
PKCS11_MODULE_PATHchangeme
PKCS11_PIN1234

The EdgeRouter Server Certificate parameters are:

Server Certificate (VPN Server Public/Private Key)
PEM pass phraseopensaysme1
CountryUS
StateGeorgia
CityAtlanta
Organization NameOpenVPN
Org Unit NameHomeNetwork
Common Nameserver
Key NameOpenVPNBobER3
Email Addressbob@handymanhowto.com
Challenge Password<blank>
Optional Company Name<blank>

and the iPhone client:

Client Certificates (VPN Server Public/Private Key)
PEM pass phraseopensaysme2
CountryUS
StateGeorgia
CityAtlanta
Organization NameOpenVPN
Org Unit NameHomeNetwork
Common NameBob_iPhone
Key Nameclient
Email Addressbob@handymanhowto.com
Challenge Password<blank>
Optional Company Name<blank>

The laptop client certificate is very similar to the iPhone table above except the “Common Name” is Bob_Laptop and the PEM Passphrase is “opensaysme3”.

The PEM Passphrase is optional but a recommended extra layer of security to encrypt the OpenVPN client Private Key. It should be strong password and not “opensaysme” in this example! The passphrase is input when the OpenVPN client is run. It’s an extra safeguard in case your laptop files are stolen and to prevent someone from connecting to your OpenVPN if they have your iPhone or laptop.

This tutorial is continued in EdgeRouter OpenVPN: Create a Public Key Infrastructure with Easy-RSA.

Thanks,

Bob

Copyright © 2017 HandymanHowTo.com   Reproduction strictly prohibited.

No comments yet.

Leave a Reply