In this post, I will help you through configuring an OpenVPN connection. I have found out that could not find a good configuration guide that configures everything I wanted in one post. I had to use 4-6 different websites to configure my OpenVPN on the EdgeRouter.. so i’ve decided to create a guide myself.
So about VPN.. In short, what is a VPN? You can think of a VPN connection like encrypted tunnels used to connect computers on different networks over the internet. VPNs can be used to provide yourself with a secure connection when using the internet on a public network, like a public wifi hotspot. They are also being used a lot to create a secure, remote connection to your (work or home) local network.
I have chosen to use the OpenVPN protocol instead of other well known protocols like PPTP (older, more insecure, easily detacable and blockable) or L2TP/IPSec (easily detacable and blockable but available on most operating systems).
I like the OpenVPN protocol because it is easy to setup, open source, more secure than PPTP and can be used with port 443 (https) which makes it almost undetectable and shown as normal HTTPS traffic. The downside of OpenVPN is that it uses a third-party app instead of the built-in software from Windows or your phone.
Different types of VPN tunneling
When configuring the VPN, you will need to chose how you want to use it. You can chose to use a split-tunnel or a full-tunnel.
- Split-tunnel allows you to access your local network resources but normal internet traffic is not going through the tunnel and is not encrypted
- full-tunnel allows you to access your local network resources and your normal internet traffic is going through the tunnel and is encrypted. But you can probably cannot access local resources, unless you are already connected to them.
I have chosen to use the full tunnel, because I want secure internet access and access to my local resources. You can also add a route to your work network to access its resources through vpn. I haven’t tested that.
Click the READ MORE button to start going though the actual configuration
Create OpenVPN client/server certificates
OpenVPN uses the same cryptography that is being use to browse HTTPS websites. This means we need our own client/server certificates to secure our connection between the client and the edgerouter openvpn server.
At first, we will generate a Diffe-Hellman file. This will allow the clients and the server to generate shared keys between their sessions without transmitting the key over the internet. If someone gets your server certificate, they wont be able to decrypt the traffic. Running this command will take a long time.. sit back, take some coffee and wait..
openssl dhparam -out /config/auth/dhp.pem -2 2048
Now we can start to create our certificates. There is a script on the edgerouter that will help us generate the certificates.
sudo -s cd /usr/lib/ssl/misc ./CA.sh -newca
You will be asked a few questions, make sure you answer all of them. You will have to do this a few times when creating the certificates. Name the certificate in the Common Name as root. Make sure you remember the passwords you have entered!
The ./CA.sh -newca command will create a new directory called /demoCA. This folder will have the private/cakey.pem (private key) file and cacert.pem file (public key for your clients).
After this, we will need to create a public/private keypair for the server. Give this one the Common Name server and repeat this step again for Client1.
./CA.sh -newreq ./CA.sh -sign mv newcert.pem /config/auth/server.pem mv newkey.pem /config/auth/server.key
./CA.sh -newreq ./CA.sh -sign mv newcert.pem /config/auth/client1.pem mv newkey.pem /config/auth/client1.key
Remove the password from the client + server keys. This allows the clients to connect using only the provided certificate.
openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
Overwrite the existing keys with the no-pass versions.
mv /config/auth/server-no-pass.key /config/auth/server.key mv /config/auth/client1-no-pass.key /config/auth/client1.key
Configure OpenVPN server (EdgeRouter)
Now that the client and server certificates are created and downloaded, we can set up the OpenVPN configuration on the Edgerouter. I will use 192.168.200.0/24 as the network for the VPN clients and my local network is on 192.168.1.0/24. I will also use port 443 for the VPN tunnel. Because the Edgerouter webconsole is alo on 443, i will change the webconsole to port 4443.
Use the CLI from the Edgerouter to configure the OpenVPN with the following commands;
configure service gui https-port 4443 set interfaces openvpn vtun0 set interfaces openvpn vtun0 description "OpenVPN server" set interfaces openvpn vtun0 mode server set interfaces openvpn vtun0 local-port 443 set interfaces openvpn vtun0 encryption aes256 set interfaces openvpn vtun0 hash sha256 set interfaces openvpn vtun0 server subnet 192.168.200.0/24 set interfaces openvpn vtun0 server push-route 192.168.1.0/24 set interfaces openvpn vtun0 server name-server 192.168.1.1 set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem set interfaces openvpn vtun0 tls key-file /config/auth/host.key set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem set interfaces openvpn vtun0 openvpn-option --tls-server set interfaces openvpn vtun0 openvpn-option --persist-key set interfaces openvpn vtun0 openvpn-option --persist-tun set interfaces openvpn vtun0 openvpn-option "--user nobody" set interfaces openvpn vtun0 openvpn-option "--group nogroup" set interfaces openvpn vtun0 openvpn-option "--push route-gateway 192.168.200.1" set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1" commit save
When you have entered this you will have:
- Your VPN configured on network 192.168.200.0/24. Your VPN server will have 192.168.200.1 and cliens will start with 192.168.200.1-254.
- You have configured AES256 and SHA256 instead of the default SHA1 encryption. This will slightly decrease performance but will be much more secure
- Configured 192.168.1.1 as de DNS server, but you can chose whatever DNS server you like
- Configured the OpenVPN server on port 443 so it will look like normal HTTPS traffic
- With ‘–push route-gateway 192.168.200.1′ and ‘–push redirect-gateway def1′ you will be using full-tunneling. Delete those lines to have a split-tunnel
We need to make sure that OpenVPN traffic on port 443 can go through the firewall and that NAT is allowed through the OpenVPN network. I use NAT and a NAT group as you can see in my previous post(s).
configure set firewall name WAN_LOCAL rule 30 action accept set firewall name WAN_LOCAL rule 30 description "OpenVPN" set firewall name WAN_LOCAL rule 30 destination port 443 set firewall name WAN_LOCAL rule 30 log enable set firewall name WAN_LOCAL rule 30 protocol tcp set firewall group network-group LAN 192.168.200.0/24 commit save
Configure OpenVPN client (Windows 10)
For the Windows 10 OpenVPN client, i have created the following .ovpn file for the above OpenVPN configuration.
Place this config file in C:\Program Files\OpenVPN\config.
Also place the cacert.pem, client1.key and client1.pem files in this directory. You can download these files from the /config/auth/ directory on the Edgerouter with WinSCP.
client dev tun proto tcp remote x.x.x.x 443 float resolv-retry infinite redirect-gateway def1 user nobody group nobody nobind persist-key persist-tun verb 3 ca cacert.pem cert client1.pem key client1.key cipher AES-256-CBC auth SHA256
You are correct. Thanks. Fixed the typo!
Where does the cacert.pem come from? Nowhere in your instructions is it created.
Hi David, cacert.pem is created after running ./CA.sh -newca in the beginning of the post. This will create a /demoCA folder. there is a cakey.pem (private) and cacert.pem (public) file in there.
I am prompted for ./demoCA/private/./cakey.pem pass phrase while generating the root CA certificate, but cakey.pem doesn’t exist yet. What could be going on?
Thanks for the tutorial! Unfortunately I got stuck at the first steps… Where do I create the diffs hetman file and the certificates? If I try to ssh into my router it cannot find the script to generate the certificates.
I think I am missing something…