My notes on how I set up an OpenVPN server on an EdgeRouter Lite.
Based mostly on this guide from the OpenVPN wiki.
This guide assumes easyrsa3 is being used; otherwise substitute the easyrsa2 equivalents for the commands below.
A Public Key Infrastructure (PKI) will be created on each machine:
- Server - OpenVPN server (the EdgeRouter in this case).
- Client(s) - the device(s) you will be connecting from.
- CA Server - used to generate and sign certificates for the server and clients to use.
Note: For security reasons the CA should be a different machine from the server (not on the router!). The OpenVPN wiki puts it this way:
> One common mistake when setting up a new CA is to place all the CA files on the OpenVPN server. DO NOT DO THAT! A CA requires a private key which is used for signing the certificates your clients and servers will use. If you lose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.
Filename | Needed By | Purpose | Secret |
---|---|---|---|
ca.crt | server + all clients | Root CA certificate | NO |
ca.key | key signing machine only | Root CA key | YES |
dh.pem | server only | Diffie Hellman parameters | NO |
server.crt | server only | Server Certificate | NO |
server.key | server only | Server Key | YES |
client.crt | client only | Client Certificate | NO |
client.key | client only | Client Key | YES |
tlsauth.key | server + all clients | TLS Handshake | ?? |
TODO: file permissions for secret files
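As an added example (not part of the original notes) addressing the TODO above, the following script encodes the table's "Secret" and "Needed By" columns and audits a directory such as `/config/auth` on the router: it flags secret files that are readable or writable by group/other and any file that should not live on a host of the given role at all (for instance `ca.key` found on the server). The table marks `tlsauth.key` as "??"; the script treats it as secret, which is an assumption, since it is a shared symmetric HMAC key. The demo directory and its placeholder files are constructed inline.

```python
import os
import stat
import tempfile

# "Secret" and "Needed By" columns of the table, encoded for the audit.
# The table leaves tlsauth.key as "??"; this example treats it as secret
# because it is a shared symmetric HMAC key (assumption, not from the notes).
PKI_FILES = {
    #  name          secret  needed by
    "ca.crt":      (False, {"server", "client"}),
    "ca.key":      (True,  {"ca"}),
    "dh.pem":      (False, {"server"}),
    "server.crt":  (False, {"server"}),
    "server.key":  (True,  {"server"}),
    "client.crt":  (False, {"client"}),
    "client.key":  (True,  {"client"}),
    "tlsauth.key": (True,  {"server", "client"}),
}

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_pki_dir(directory, role):
    """Audit `directory` on a host playing `role` ("ca", "server" or "client").

    Returns a list of (filename, problem) tuples. A file is reported when it
    is secret and readable/writable by group or other, and when it is not
    needed on this kind of host at all (e.g. ca.key found on the server).
    Files that are simply absent are not reported."""
    findings = []
    for name, (secret, needed_by) in PKI_FILES.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            continue
        if role not in needed_by:
            findings.append((name, "not needed on a %s host; move it off-box" % role))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if secret and mode & GROUP_OTHER:
            findings.append((name, "mode %03o allows group/other access" % mode))
    return findings


def fix_pki_perms(directory):
    """chmod 600 every secret file present in `directory`; returns names fixed."""
    fixed = []
    for name, (secret, _) in PKI_FILES.items():
        path = os.path.join(directory, name)
        if secret and os.path.exists(path):
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
            fixed.append(name)
    return fixed


def demo():
    """Constructed scenario: a /config/auth-style directory on the router
    that has a world-readable server.key and a stray ca.key. Returns the
    findings before and after fixing permissions."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("ca.crt", 0o644), ("server.crt", 0o644),
                           ("server.key", 0o644), ("ca.key", 0o600)):
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        before = audit_pki_dir(d, "server")
        fix_pki_perms(d)
        after = audit_pki_dir(d, "server")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for name, problem in before:
        print("BEFORE %-12s %s" % (name, problem))
    for name, problem in after:
        print("AFTER  %-12s %s" % (name, problem))
```

Run it as `python3 audit.py` for the constructed demo, or call `audit_pki_dir("/config/auth", "server")` on the router. Note that `fix_pki_perms` only tightens mode bits; a misplaced `ca.key` is still reported afterwards because the only fix for that is removing it from the box.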
On the CA machine (fish shell syntax):
```fish
set -Ux EASY_RSA /path/to/easy-rsa # /etc/easy-rsa on Arch
mkdir -p /path/to/openvpn-pki # choose a secure location
set -Ux EASYRSA_PKI /path/to/openvpn-pki
easyrsa init-pki
easyrsa build-ca
```
- Files generated: `./private/ca.key`, `./ca.crt`
Note: From easy-rsa3 onwards the only required field is 'Common Name (CN)' (others are set optional in the supplied openssl-1.0.cnf file). There is no need to fill out the other fields as suggested by random guides on the net, which are probably still on easy-rsa2.
Note: 'Common Name' is purely for display purposes and can be set as you like.
On the router:
```sh
mkdir /config/auth/
curl -LOk https://github.com/OpenVPN/easy-rsa/archive/master.tar.gz
tar xf master.tar.gz
cd easy-rsa-master/easyrsa3
easyrsa init-pki
easyrsa gen-req server nopass
cp ./pki/private/server.key /config/auth/server.key
```
Note: `-k` makes curl skip TLS certificate verification of the download, so try without it first.
- Files generated: `./pki/private/server.key`, `./pki/reqs/server.req`
Note: The easyrsa script is broken on Busybox systems at the time of writing (v3.0.3), since it uses a mktemp option which isn't available in the Busybox mktemp. Submitted a PR to fix it here.
Back on the CA machine:
```sh
cd /path/to/openvpn-pki
scp -P<sshport> <routerusername>@<routerIP>:/path/to/easy-rsa-master/easyrsa3/pki/reqs/server.req server.req
easyrsa import-req server.req server
easyrsa sign-req server server
scp -P<sshport> issued/server.crt <routerusername>@<routerIP>:/config/auth/server.crt
```
- Files generated: `./issued/server.crt`
TODO: delete .req files after successfully signing?
Note: You can ignore errors about index.txt.attr, see here.
On the router, in the easyrsa3 directory:
```sh
./easyrsa gen-dh
cp ./pki/dh.pem /config/auth/dh.pem
```
Took about 15 minutes on the ERL.
On the router:
```
configure
set service gui https-port 8080
set interfaces openvpn vtun0 description OpenVPN
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option '--user nobody'
set interfaces openvpn vtun0 openvpn-option '--group nogroup'
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option '--remote-cert-tls client'
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/tlsauth.key 0'
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server push-route 192.168.10.0/24
set interfaces openvpn vtun0 server subnet 192.168.11.0/24
set interfaces openvpn vtun0 server topology subnet
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set encryption aes256
set hash sha256
commit
save
```
Note: If commit fails, check /var/log/messages.
Note: Replace pppoe-local with whatever your WAN interface is (the Ubiquiti default is WAN_LOCAL).
For each client (fish shell syntax):
```fish
mkdir /path/to/clientpki
cd /path/to/clientpki
set -Ux EASY_RSA /path/to/easyrsa
set -Ux EASYRSA_PKI (pwd)
easyrsa init-pki
easyrsa gen-req <client_name>
```
Signing is the same as step 3, but the signing command is `easyrsa sign-req client <client_name>`.
```sh
# on the router: generate the shared tls-auth key the server config points at
cd /config/auth
openvpn --genkey --secret tlsauth.key
cp /config/auth/easy-rsa-master/easyrsa3/pki/dh.pem /config/auth/
# strip the passphrase from the client key so it can be embedded in the .ovpn file
openssl rsa -in <client_name>.key -out <client_name>_no_pass.key
```
- Template to use:
```
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <<VPNGATEWAY>> 443

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking that the
# certificate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth tlsauth.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

### MTU FIX
mssfix 1420

# Pass all traffic through VPN
redirect-gateway def1
```
Note: Set the key direction to 0 if not using TLS auth.
TODO: on the Ubuntu machine it successfully connected to the VPN without asking for a passphrase. Is this because of decrypting the private key to paste in the .ovpn file??
TODO: check whether persist-key etc have to be set here or can be set in server config and pushed to client
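Several settings in the template must agree with the `set interfaces openvpn vtun0 ...` lines on the router (protocol and port, cipher and auth digest, the tls-auth key direction where the server's trailing `0` requires `1` on the client, and `remote-cert-tls` on both ends). As an added example, not code from the original notes, the script below parses both forms and reports mismatches. The sample server and client inputs are constructed from the configure session and template in these notes; the `aes256` to `AES-256-CBC` and `sha256` to `SHA256` mapping is taken from the pairing the notes use, and other EdgeOS values would have to be added to the two dictionaries.

```python
import shlex

# Constructed from the configure session and client template in these
# notes; <<VPNGATEWAY>> is the notes' own placeholder for the server address.
SERVER_CONFIG = """\
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option '--remote-cert-tls client'
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/tlsauth.key 0'
set interfaces openvpn vtun0 protocol udp
"""

CLIENT_OVPN = """\
client
dev tun
proto udp
remote <<VPNGATEWAY>> 443
remote-cert-tls server
tls-auth tlsauth.key 1
cipher AES-256-CBC
auth SHA256
"""

# EdgeOS shorthand -> OpenVPN directive value, taken from the pairing the
# notes use (aes256 / sha256 on the router, AES-256-CBC / SHA256 in the
# template). Extend these if you pick other values on the router.
ENCRYPTION_TO_CIPHER = {"aes256": "AES-256-CBC"}
HASH_TO_AUTH = {"sha256": "SHA256"}


def parse_edgeos_openvpn(text, iface="vtun0"):
    """Collect `set interfaces openvpn <iface> ...` lines into a dict.
    Multi-word keys (e.g. "tls ca-cert-file") are joined with spaces; every
    openvpn-option is kept in a list since it may repeat."""
    settings = {"openvpn-option": []}
    prefix = ["set", "interfaces", "openvpn", iface]
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps '--tls-auth ... 0' as one token
        if tokens[:4] != prefix or len(tokens) < 6:
            continue
        key, value = " ".join(tokens[4:-1]), tokens[-1]
        if key == "openvpn-option":
            settings[key].append(value)
        else:
            settings[key] = value
    return settings


def parse_ovpn(text):
    """Map each client directive to its argument list; '#' and ';' lines are
    comments (';' is how the sample template disables directives)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def check_client_against_server(server_text, client_text):
    """Return a list of mismatches between the client .ovpn and the server."""
    srv = parse_edgeos_openvpn(server_text)
    cli = parse_ovpn(client_text)
    problems = []

    proto = cli.get("proto", ["udp"])[0]  # OpenVPN default
    if proto != srv.get("protocol", "udp"):
        problems.append("proto: client %s, server %s" % (proto, srv.get("protocol")))

    remote = cli.get("remote", [])
    port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default port
    if port != srv.get("local-port", "1194"):
        problems.append("port: client %s, server %s" % (port, srv.get("local-port")))

    want_cipher = ENCRYPTION_TO_CIPHER.get(srv.get("encryption"))
    if want_cipher and cli.get("cipher", [None])[0] != want_cipher:
        problems.append("cipher: client %s, server expects %s" % (cli.get("cipher"), want_cipher))

    want_auth = HASH_TO_AUTH.get(srv.get("hash"))
    if want_auth and cli.get("auth", [None])[0] != want_auth:
        problems.append("auth: client %s, server expects %s" % (cli.get("auth"), want_auth))

    # tls-auth: the server's trailing 0 means the client must use direction 1
    # (either as the 2nd tls-auth argument or a separate key-direction line).
    srv_ta = [o.split() for o in srv["openvpn-option"] if o.startswith("--tls-auth")]
    if srv_ta:
        srv_dir = srv_ta[0][-1]
        cli_ta = cli.get("tls-auth")
        if cli_ta is None:
            problems.append("tls-auth: server requires it but client has no tls-auth line")
        else:
            cli_dir = cli_ta[1] if len(cli_ta) > 1 else cli.get("key-direction", [None])[0]
            if srv_dir == "0" and cli_dir != "1":
                problems.append("tls-auth key direction: server 0 needs client 1, got %s" % cli_dir)

    # Mutual EKU checks: server verifies clients, client should verify the server.
    if "--remote-cert-tls client" in srv["openvpn-option"] and cli.get("remote-cert-tls") != ["server"]:
        problems.append("remote-cert-tls: add 'remote-cert-tls server' to the client")
    return problems


if __name__ == "__main__":
    for line in check_client_against_server(SERVER_CONFIG, CLIENT_OVPN) or ["client matches server"]:
        print(line)
```

To check a real pair, paste the output of `show configuration commands | grep 'openvpn vtun0'` from the router into `SERVER_CONFIG` and the client's .ovpn into `CLIENT_OVPN`; an empty result means the checked settings agree.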
- To have OpenVPN show up in Network Manager in Ubuntu, install `network-manager-openvpn-gnome`. Then you can import an *.ovpn file like with Android.