My notes on how I set up an OpenVPN server on an EdgeRouter Lite.
Based mostly on this guide from the OpenVPN wiki.
This guide assumes easyrsa3 is being used; otherwise substitute the easyrsa2 versions of the commands below.
A Public Key Infrastructure (PKI) will be created on each machine:

- Server - OpenVPN server (EdgeRouter in this case).
- Client(s) - the device(s) you will be connecting from.
- CA Server - used to generate and sign certificates for the server and clients to use.
Note: For security reasons the CA should be a different machine to the server (not on the router!):

> One common mistake when setting up a new CA is to place all the CA files on the OpenVPN server. DO NOT DO THAT! A CA requires a private key which is used for signing the certificates your clients and servers will use. If you lose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.
Filename | Needed By | Purpose | Secret
---|---|---|---
ca.crt | server + all clients | Root CA certificate | NO
ca.key | key signing machine only | Root CA key | YES
dh.pem | server only | Diffie-Hellman parameters | NO
server.crt | server only | Server certificate | NO
server.key | server only | Server key | YES
client.crt | client only | Client certificate | NO
client.key | client only | Client key | YES
ta.key | server + all clients | TLS auth (HMAC) key | YES
TODO: file permissions for secret files
On the CA machine (fish shell syntax; `set -Ux` exports a persistent variable):

```fish
set -Ux EASY_RSA /path/to/easy-rsa     # /etc/easy-rsa on Arch
mkdir -p /path/to/openvpn-pki          # choose a secure location
set -Ux EASYRSA_PKI /path/to/openvpn-pki
easyrsa init-pki
easyrsa build-ca
```
- Files generated (relative to EASYRSA_PKI):
  - ./private/ca.key
  - ./ca.crt
Note: From easy-rsa3 onwards the only required field is 'Common Name (CN)' (the others are optional in the supplied openssl-1.0.cnf file). There is no need to fill out the other fields as suggested by random guides on the net, which are probably still written for easy-rsa2.
Note: 'Common Name' is purely for display purposes and can be set as you like.
On the router:

```bash
mkdir /config/auth/
# -k skips TLS certificate verification for the download; check the tarball
# against the release's published checksum before using it
curl -LOk https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.0/EasyRSA-3.2.0.tgz
tar xf EasyRSA-3.2.0.tgz
cd EasyRSA-3.2.0
./easyrsa init-pki
./easyrsa gen-req server nopass            # server key stays unencrypted so openvpn can start unattended
openvpn --genkey --secret ta.key            # shared tls-auth HMAC key (Secret = YES)
mv ta.key /config/auth/ta.key
cp ./pki/private/server.key /config/auth/server.key
```
- Files generated:
  - ./pki/private/server.key (copied to /config/auth/server.key)
  - ./pki/reqs/server.req
  - /config/auth/ta.key
Note: The easyrsa script is broken on Busybox systems at the time of writing (v3.0.3), since it uses an option of mktemp which isn't available in the Busybox mktemp. Submitted PR to fix it here.
Back on the CA machine, pull the request over, sign it and push the certificate back:

```bash
cd /path/to/openvpn-pki
scp -P<sshport> <routerusername>@<routerIP>:/path/to/easy-rsa-master/easyrsa3/pki/reqs/server.req server.req
easyrsa import-req server.req server        # import under the short name "server"
easyrsa sign-req server server              # sign as a server certificate (sets the serverAuth EKU)
scp -P<sshport> issued/server.crt <routerusername>@<routerIP>:/config/auth/server.crt
```
- Files generated:
  - ./issued/server.crt

TODO: delete .req files after successfully signing?

Note: Can ignore errors about index.txt.attr, see here.
On the router:

```bash
./easyrsa gen-dh
cp ./pki/dh.pem /config/auth/dh.pem
```
Took about 15 mins on ERL.
On the router, in configure mode. After `edit firewall name pppoe-local rule 1` the following `set` commands are relative to that rule, so they must not repeat the `rule 1` prefix:

```bash
configure
edit interfaces openvpn vtun0
set mode server
set openvpn-option "--port <your vpn port>"
set server subnet <your chosen subnet>
set tls ca-cert-file /config/auth/ca.crt
set tls cert-file /config/auth/server.crt
set tls key-file /config/auth/server.key
set tls dh-file /config/auth/dh.pem
set server name-server <ERL IP>
set server push-route <your LAN1 DHCP subnet>
set server push-route <your LAN2 DHCP subnet>
set openvpn-option "--push dhcp-option DNS 10.9.8.1"
set openvpn-option "--user nobody"
set openvpn-option "--group nogroup"
set openvpn-option "--tls-auth /config/auth/ta.key 0"
set openvpn-option --persist-key
set openvpn-option --persist-tun
top
edit firewall name pppoe-local rule 1
set action accept
set description OpenVPN
set destination port <your vpn port>
set log disable
set protocol udp
compare
commit
save
```
Note: If commit fails check /var/log/messages.

Note: Replace pppoe-local with the firewall ruleset attached to your WAN interface's local direction (Ubiquiti default is WAN_LOCAL).
A separate PKI for the client request (fish shell syntax):

```fish
mkdir /path/to/clientpki
cd /path/to/clientpki
set -Ux EASY_RSA /path/to/easyrsa
set -Ux EASYRSA_PKI (pwd)
easyrsa init-pki
easyrsa gen-req <client_name>               # without "nopass" the client key is passphrase-protected
```
Same as step 3 above (importing and signing the request on the CA machine), but the signing command is `easyrsa sign-req client <client_name>`.
- Template to use (client .ovpn):

```
client
proto udp
remote your.openvpn.server
port 1194
dev tun
nobind
resolv-retry infinite
redirect-gateway def1
persist-key
persist-tun
key-direction 1
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
# the ta.key generated on the router; direction 1 here, 0 on the server
tls-auth keys/tls-auth.key 1
# replaces ns-cert-type server, which was removed in OpenVPN 2.5;
# requires the server cert to have been signed with "sign-req server"
remote-cert-tls server
verb 3
mute 20
```
Note: Set key direction to 0 if not using TLS AUTH
TODO: on Ubuntu machine it successfully connected to the VPN without asking for passphrase. Is this because of decrypting the private key to paste in the .ovpn file??

TODO: check whether persist-key etc. have to be set here or can be set in server config and pushed to client
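An added sanity check, not from the original notes or from the OpenVPN project, covering two points above: it lints a client profile like the template for the settings these notes rely on (server certificate type check, tls-auth present, key-direction agreeing with the tls-auth line), and it verifies that the files marked Secret = YES in the file table are owner-only readable. The profile excerpt and the temporary key files are constructed sample input.

```python
import os, stat, tempfile
from pathlib import Path

# Files marked Secret = YES in the file table of the notes.
SECRET_FILES = ("ca.key", "server.key", "client.key", "ta.key")
# Excerpt of the notes' client template, used as constructed sample input.
SAMPLE_OVPN = "client\nkey-direction 1\ntls-auth keys/tls-auth.key 1\nns-cert-type server\n"

def parse_ovpn(text):
    """Map each option name to its argument list; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split(";", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def lint_ovpn(text):
    """Return the findings to fix before handing out a client profile."""
    opts, findings = parse_ovpn(text), []
    if "ns-cert-type" in opts:
        findings.append("ns-cert-type: removed in OpenVPN 2.5, use 'remote-cert-tls server'")
    elif opts.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: any CA-signed cert could pose as the server")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("tls-auth/tls-crypt missing: control channel has no HMAC protection")
    # The notes use 'tls-auth ... 1' on the client and '--tls-auth ... 0' on the server.
    ta, kd = opts.get("tls-auth", []), opts.get("key-direction", [])
    if len(ta) == 2 and kd and kd[0] != ta[1]:
        findings.append("key-direction and the tls-auth direction disagree")
    return findings

def check_secret_perms(directory):
    """Return (name, mode) for secret files that group or others can read or write."""
    bad = []
    for name in SECRET_FILES:
        path = Path(directory, name)
        if path.exists():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                bad.append((name, oct(mode)))
    return bad

def demo_perms():
    """Constructed case: ta.key correctly 0600, client.key left world-readable."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ta.key", 0o600), ("client.key", 0o644)):
            path = Path(tmp, name)
            path.write_text("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        return check_secret_perms(tmp)
```

Run `check_secret_perms` against /config/auth on the router and against the CA's pki/private directory; an empty list means no secret file is readable beyond its owner.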
- To have OpenVPN show up in Network Manager in Ubuntu, install network-manager-openvpn-gnome. Then you can import an *.ovpn file like with Android.