EdgeRouter OpenVPN Setup

In this post I will walk you through configuring an OpenVPN server on the EdgeRouter. I could not find a single guide that configured everything I wanted in one place; I had to combine 4-6 different websites to get my OpenVPN setup working on the EdgeRouter, so I decided to write a guide myself.

So, what is a VPN? In short, you can think of a VPN connection as an encrypted tunnel that connects computers on different networks over the internet. A VPN gives you a secure connection when you use the internet on a public network, like a public wifi hotspot. VPNs are also widely used to create a secure remote connection to your (work or home) local network.

I have chosen the OpenVPN protocol over other well-known protocols such as PPTP (older, insecure, easily detectable and blockable) or L2TP/IPsec (easily detectable and blockable, but available on most operating systems).
I like OpenVPN because it is easy to set up, open source, far more secure than PPTP and can run on TCP port 443, the HTTPS port, so it gets through networks that only allow outbound HTTPS. Note that this is not the same as being undetectable: OpenVPN's framing differs from real TLS, and deep packet inspection can still identify and block it. The downside of OpenVPN is that it needs a third-party app instead of the VPN client built into Windows or your phone.

Different types of VPN tunneling

When configuring the VPN you need to choose how you want to use it: split-tunnel or full-tunnel.

  • Split-tunnel: you can reach your local network resources, but your normal internet traffic does not go through the tunnel and is not encrypted.
  • Full-tunnel: you can reach your local network resources and all of your normal internet traffic goes through the tunnel and is encrypted. You will probably not be able to reach resources on the network you are physically connected to (for example a printer on a hotel LAN), unless you were already connected to them.

I have chosen the full tunnel, because I want secure internet access as well as access to my local resources. You can also push a route to your work network to reach its resources through the VPN; I have not tested that.


Create OpenVPN client/server certificates

OpenVPN uses TLS, the same cryptography that protects HTTPS websites, for its control channel. This means we need our own CA and client/server certificates to secure the connection between the client and the EdgeRouter OpenVPN server.

First we generate a Diffie-Hellman parameter file. With it, client and server derive a fresh shared session key for every connection without ever sending the key over the internet. Because the session keys come from this ephemeral exchange and not from the server certificate, someone who later obtains the server's private key still cannot decrypt recorded sessions (forward secrecy). Generating the parameters takes a long time, so sit back, get some coffee and wait.

Now we can create the certificates. The EdgeRouter ships an OpenSSL helper script that walks you through generating them.

You will be asked a few questions; answer all of them. You will repeat this a few times while creating the certificates. Use root as the Common Name for the CA certificate, and make sure you remember the passwords you enter!

Next we create a public/private key pair for the server, signed by our CA. Use server as the Common Name, then repeat the step for the client with Common Name client1.

Remove the passphrase from the client and server keys. The server has to start unattended, and the client can then connect using only the provided certificate and key. An unencrypted client key is only as safe as the machine it sits on, so keep client1.key off shared locations.

Overwrite the existing keys with the passphrase-less versions.
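The commands for these steps did not survive on this page, so here is an added example, not the post's own listing, that performs the same procedure with plain openssl commands instead of the EdgeRouter's interactive helper script. The output directory /config/auth, the validity period and the subject fields are assumptions; the Common Names root, server and client1 are the ones used above. It writes the endpoint keys without a passphrase from the start, which replaces the separate "remove the password" step, and stamps each certificate with an extendedKeyUsage so a client certificate can never be presented as the server's. The verify function is the check worth running before copying anything to a client:

```shell
#!/bin/sh
# Added example, not a listing from the original post: build the CA, server and
# client certificates with plain openssl commands instead of the interactive
# helper script on the EdgeRouter. Directory, subject fields and validity are
# assumptions; the Common Names root, server and client1 follow the post.
set -eu

AUTH_DIR="${AUTH_DIR:-/config/auth}"   # assumption: where EdgeOS expects TLS files
DAYS=3650                              # assumption: ten-year validity
SUBJ_BASE="/C=NL/O=Home"               # assumption: replace with your own details

# Diffie-Hellman parameters for the forward-secret key exchange. This is the
# slow step; 2048 bits is the smallest size worth using.
gen_dh() {
    openssl dhparam -out "$AUTH_DIR/dh.pem" "${1:-2048}"
}

# Self-signed CA with Common Name "root". Its key stays passphrase-protected
# ($1) because it is only needed when issuing certificates, never at runtime.
gen_ca() {
    openssl req -new -x509 -newkey rsa:2048 -days "$DAYS" \
        -subj "$SUBJ_BASE/CN=root" -passout "pass:$1" \
        -keyout "$AUTH_DIR/cakey.pem" -out "$AUTH_DIR/cacert.pem" 2>/dev/null
}

# Issue one endpoint certificate signed by the CA. The key is written without
# a passphrase (-nodes), which replaces the separate "strip the password" step:
# the server must start unattended and the client connects with just its files.
#   $1 = Common Name and file name (server, client1), $2 = CA passphrase,
#   $3 = server | client, which sets extendedKeyUsage so that a client
#        certificate can never be used to impersonate the server.
issue_cert() {
    name="$1"; capass="$2"; role="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$AUTH_DIR/$name.key" -out "$AUTH_DIR/$name.csr" 2>/dev/null
    ext=$(mktemp)
    printf 'extendedKeyUsage=%sAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$role" > "$ext"
    openssl x509 -req -days "$DAYS" -in "$AUTH_DIR/$name.csr" \
        -CA "$AUTH_DIR/cacert.pem" -CAkey "$AUTH_DIR/cakey.pem" -CAcreateserial \
        -passin "pass:$capass" -extfile "$ext" -out "$AUTH_DIR/$name.pem" 2>/dev/null
    rm -f "$ext" "$AUTH_DIR/$name.csr"
}

# Check that a certificate chains to our CA and that its key really belongs
# to it (same RSA modulus); run this before copying anything to a client.
verify_cert() {
    name="$1"
    openssl verify -CAfile "$AUTH_DIR/cacert.pem" "$AUTH_DIR/$name.pem" >/dev/null 2>&1 &&
    [ "$(openssl x509 -noout -modulus -in "$AUTH_DIR/$name.pem")" = \
      "$(openssl rsa -noout -modulus -in "$AUTH_DIR/$name.key")" ]
}

# Run the whole procedure on the router:  sh make-certs.sh run
if [ "${1:-}" = "run" ]; then
    mkdir -p "$AUTH_DIR"
    printf 'Choose a passphrase for the CA key: '
    read -r CAPASS
    gen_dh 2048
    gen_ca "$CAPASS"
    issue_cert server "$CAPASS" server
    issue_cert client1 "$CAPASS" client
    verify_cert server && verify_cert client1 && echo "certificates verified"
fi
```

Because the endpoint certificates carry serverAuth and clientAuth extended key usages, the client configuration can later use remote-cert-tls server to refuse any peer presenting a client certificate as the server.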

Configure OpenVPN server (EdgeRouter)

Now that the client and server certificates are created and downloaded, we can set up the OpenVPN configuration on the EdgeRouter. I will use 192.168.200.0/24 as the network for the VPN clients; my local network is 192.168.1.0/24. I will also use port 443 for the VPN tunnel. Because the EdgeRouter web console also listens on 443, I will move the web console to port 4443.

Use the EdgeRouter CLI to configure OpenVPN with the following commands:

When you have entered this you will have:

  • Your VPN is configured on network 192.168.200.0/24. The VPN server takes 192.168.200.1 and clients are assigned addresses from the rest of the range (192.168.200.2 upwards).
  • AES-256 is used as the data-channel cipher and SHA-256 for packet authentication, instead of OpenVPN's historical defaults (Blowfish BF-CBC and SHA-1). This slightly decreases performance but is much more secure; BF-CBC's 64-bit block size in particular is unsafe for long-lived tunnels.
  • 192.168.1.1 is configured as the DNS server pushed to clients, but you can choose whatever DNS server you like.
  • The OpenVPN server listens on port 443, so it is reachable from networks that only allow outbound HTTPS.
  • With '--push route-gateway 192.168.200.1' and '--push redirect-gateway def1' clients use the full tunnel. Delete those two lines for a split tunnel; clients then only send traffic for the routes the server pushes (your local network) through the VPN.
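The EdgeOS command listing referred to above is missing from this page; the following is an added example, not the post's own commands, that produces the configuration the bullet list describes. It assumes the certificate files live in /config/auth under the names cacert.pem, server.pem, server.key and dh.pem, and uses the EdgeOS scripting idiom (vbash with the script template) so it can be pasted as a whole; you can equally type the set lines one by one in configure mode:

```vbash
#!/bin/vbash
# Added example, not the post's own listing: EdgeOS configuration for the
# OpenVPN server described above. Assumptions: certificates in /config/auth
# with the names from the certificate section, LAN 192.168.1.0/24 and VPN
# pool 192.168.200.0/24 as in the post.
source /opt/vyatta/etc/functions/script-template
configure

# The web UI also listens on TCP 443; move it so OpenVPN can have that port.
set service gui https-port 4443

set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.200.0/24
# Tell clients where the LAN is and which DNS server to use.
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

# AES-256 data channel with SHA-256 HMAC instead of the old BF-CBC/SHA-1 defaults.
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256

# Listen on TCP 443 so the tunnel gets through HTTPS-only networks.
set interfaces openvpn vtun0 openvpn-option "--port 443"
set interfaces openvpn vtun0 openvpn-option "--proto tcp-server"
set interfaces openvpn vtun0 openvpn-option "--tls-server"
# Full tunnel: remove these two lines for a split tunnel.
set interfaces openvpn vtun0 openvpn-option "--push route-gateway 192.168.200.1"
set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1"
# Keep sessions alive through NAT/stateful firewalls and drop root after start.
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun0 openvpn-option "--persist-key"
set interfaces openvpn vtun0 openvpn-option "--persist-tun"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"

commit
save
exit
```

After the commit, show interfaces openvpn vtun0 and show log tail should show the interface up and OpenVPN listening; if the daemon complains about the key or DH file, check the file names and that the key has no passphrase.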

Configure firewall

We need to allow the OpenVPN traffic on TCP port 443 through the firewall (in the rule set that protects the router itself, WAN_LOCAL if you used the EdgeOS wizard defaults) and, for the full tunnel, source-NAT the VPN network 192.168.200.0/24 out of the WAN interface; otherwise the clients' internet traffic leaves the router with a private source address and replies never come back. I use NAT and a NAT group as you can see in my previous post(s).
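As an added example (not the post's own listing), the firewall and NAT commands for this step. It assumes eth0 is the WAN interface and that the rule set applied to traffic addressed to the router is called WAN_LOCAL, the name the EdgeOS setup wizard uses; adjust both if your setup differs:

```vbash
#!/bin/vbash
# Added example, not the post's own listing. Assumptions: eth0 is the WAN
# interface, WAN_LOCAL is the rule set for traffic to the router itself
# (EdgeOS wizard default) and the VPN pool is 192.168.200.0/24.
source /opt/vyatta/etc/functions/script-template
configure

# Let OpenVPN clients reach the router on TCP 443 from the internet.
# Rule 30 sits after the wizard's established/related (10) and invalid (20) rules.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "OpenVPN"
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall name WAN_LOCAL rule 30 destination port 443

# Full tunnel: masquerade the VPN pool behind the WAN address, otherwise the
# clients' internet traffic leaves with an unroutable 192.168.200.x source.
# 5000+ is the EdgeOS convention for source NAT rules.
set service nat rule 5001 description "Masquerade OpenVPN clients"
set service nat rule 5001 outbound-interface eth0
set service nat rule 5001 source address 192.168.200.0/24
set service nat rule 5001 type masquerade

commit
save
exit
```

Nothing needs to be opened for traffic between the VPN and the LAN unless you filter on the LAN interfaces as well; if you do, add the same 192.168.200.0/24 source to those rule sets. Leaving the masquerade rule out is the quickest way to end up with a tunnel that connects fine but has no internet access.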

Configure OpenVPN client (Windows 10)

For the Windows 10 OpenVPN client, I have created the following .ovpn file for the above OpenVPN configuration.
Place this config file in C:\Program Files\OpenVPN\config.

Also place the cacert.pem, client1.key and client1.pem files in this directory. You can download these files from the /config/auth/ directory on the EdgeRouter with WinSCP (over SSH). client1.key is the client's unencrypted private key: treat it like a password, copy it only to the machine that will use it, and remove it from the router once it has been handed out, since the server never needs it.
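The post's .ovpn file did not survive on this page; the following is an added example written for the server configuration described above, not the author's own file. vpn.example.com stands for the router's public hostname or address:

```conf
# client1.ovpn: added example for the server described above, not the post's
# own file. Assumption: vpn.example.com is the EdgeRouter's public hostname.
client
dev tun
proto tcp-client
remote vpn.example.com 443
nobind
persist-key
persist-tun
resolv-retry infinite

# Certificates from /config/auth on the router, placed next to this file.
ca cacert.pem
cert client1.pem
key client1.key
# Reject any peer whose certificate was not issued for server use. Requires
# the TLS Web Server Authentication extended key usage on the server
# certificate; drop this line if your server certificate does not carry it.
remote-cert-tls server

# Must match the encryption and hash settings on the router.
cipher AES-256-CBC
auth SHA256

# Windows only: stop applications from bypassing the pushed DNS server while
# the full tunnel is up (DNS leak protection).
block-outside-dns
verb 3
```

With verb 3 the OpenVPN GUI log shows the negotiated cipher and the pushed routes after connecting; a cipher or auth mismatch with the router shows up there as authentication failures rather than as a clean error.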

