
EdgeRouter OpenVPN Setup

In this post I will walk you through configuring an OpenVPN server on the EdgeRouter. I could not find a single guide that configured everything I wanted; I had to use 4-6 different websites to set up OpenVPN on my EdgeRouter, so I decided to write a guide myself.

So, about VPN. In short, what is a VPN? Think of a VPN connection as an encrypted tunnel used to connect computers on different networks over the internet. A VPN gives you a secure connection when you use the internet on a public network, such as a public wifi hotspot. VPNs are also widely used to create a secure remote connection to your (work or home) local network.

I have chosen the OpenVPN protocol over other well-known protocols such as PPTP (older, less secure, easily detectable and blockable) or L2TP/IPsec (easily detectable and blockable, but available on most operating systems).
I like OpenVPN because it is easy to set up, open source, more secure than PPTP and can run on port 443 (HTTPS), which makes it look like normal HTTPS traffic and therefore hard to detect. The downside of OpenVPN is that it needs a third-party app instead of the VPN client built into Windows or your phone.

Different types of VPN tunneling

When configuring the VPN you need to decide how you want to use it: as a split-tunnel or as a full-tunnel.

  • Split-tunnel: you can reach your local network resources, but normal internet traffic does not go through the tunnel and is not encrypted.
  • Full-tunnel: you can reach your local network resources and all your internet traffic goes through the tunnel and is encrypted. You will probably not be able to reach resources on the network you are physically connected to, unless you were already connected to them.

I have chosen the full tunnel, because I want both secure internet access and access to my local resources. You could also add a route to your work network to reach its resources through the VPN, but I haven't tested that.


Create OpenVPN client/server certificates

OpenVPN uses the same cryptography (TLS) that is used to browse HTTPS websites. This means we need our own CA, server and client certificates to secure the connection between the client and the EdgeRouter OpenVPN server.

First we generate a Diffie-Hellman parameter file. This lets the clients and the server derive a shared session key without ever sending that key over the internet, so someone who obtains your server certificate still cannot decrypt the traffic. Running this command takes a long time, so sit back, get some coffee and wait.

openssl dhparam -out /config/auth/dhp.pem -2 2048

Now we can create our certificates. There is a script on the EdgeRouter that helps generate them.

sudo -s
cd /usr/lib/ssl/misc
./CA.sh -newca

You will be asked a few questions; make sure you answer all of them. You will repeat this a few times while creating the certificates. Use root as the Common Name for the CA certificate. Make sure you remember the passwords you enter!
The ./CA.sh -newca command creates a new directory called demoCA. It contains private/cakey.pem (the CA private key) and cacert.pem (the CA certificate, which your clients need to verify the server).

After this we create a public/private keypair for the server. Give it the Common Name server, then repeat the same two commands for Client1.

# the CA certificate that the vtun0 "tls ca-cert-file" line refers to
cp demoCA/cacert.pem /config/auth/cacert.pem

# server certificate: answer "server" for the Common Name
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key

# client certificate: answer "client1" for the Common Name
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

Remove the passphrase from the client and server keys. This lets the clients connect using only the provided certificate and key, without being prompted for a password.

openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key

Overwrite the existing keys with the no-pass versions.

mv /config/auth/server-no-pass.key /config/auth/server.key
mv /config/auth/client1-no-pass.key /config/auth/client1.key

Configure OpenVPN server (EdgeRouter)

Now that the client and server certificates are created, we can set up the OpenVPN configuration on the EdgeRouter. I will use 192.168.200.0/24 as the network for the VPN clients; my local network is 192.168.1.0/24. I will also use port 443 for the VPN tunnel. Because the EdgeRouter web console also listens on 443, I will move the web console to port 4443.

Use the EdgeRouter CLI to configure OpenVPN with the following commands:

configure
set service gui https-port 4443
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 server subnet 192.168.200.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option "--push route-gateway 192.168.200.1"
set interfaces openvpn vtun0 openvpn-option "--push redirect-gateway def1"
commit
save
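The script below is an added example, not code from the post: it performs the same root/server/client1 certificate creation with plain openssl commands in place of CA.sh, and then verifies, before you commit, that the four files the tls lines above point to exist, belong together and chain to the CA. OUT, make_pki and check_tls_files are names chosen here; it writes to a scratch directory rather than /config/auth.

```shell
#!/bin/sh
# Added example, not from the original post: build the same root / server /
# client1 PKI with plain openssl commands (instead of CA.sh) and then verify
# every file the "tls ..." lines of vtun0 point to, before running commit.
# OUT is a scratch directory here; on the EdgeRouter it would be /config/auth.
# Keys are written without a passphrase, matching the post's "no-pass" step.
OUT="${OUT:-$(mktemp -d)}"
DAYS=3650

make_pki() {
  # self-signed root with CN=root, as the post asks for in CA.sh -newca
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -subj "/CN=root" \
    -keyout "$OUT/cakey.pem" -out "$OUT/cacert.pem" 2>/dev/null
  for name in server client1; do
    # CSR + key, then sign it with the root (the -newreq / -sign pair)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$OUT/$name.key" -out "$OUT/$name.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -in "$OUT/$name.csr" -CA "$OUT/cacert.pem" \
      -CAkey "$OUT/cakey.pem" -CAcreateserial -out "$OUT/$name.pem" 2>/dev/null
  done
  # -dsaparam only to keep this example fast; use the post's 2048-bit safe
  # prime (openssl dhparam ... 2048) for a real server
  openssl dhparam -dsaparam -out "$OUT/dhp.pem" 1024 2>/dev/null
}

# check_tls_files CA CERT KEY DH: returns 0 only when all four files exist,
# KEY is the private half of CERT, CERT was issued by CA and DH parses.
check_tls_files() {
  for f in "$1" "$2" "$3" "$4"; do
    [ -r "$f" ] || { echo "missing file: $f"; return 1; }
  done
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "$3 does not belong to $2"; return 1; }
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "$2 is not signed by $1"; return 1; }
  openssl dhparam -in "$4" -noout >/dev/null 2>&1 || { echo "$4 is not a DH parameter file"; return 1; }
}

# Usage: build the files, then check the exact paths the vtun0 tls lines reference
# make_pki && check_tls_files "$OUT/cacert.pem" "$OUT/server.pem" "$OUT/server.key" "$OUT/dhp.pem"
```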

When you have entered this you will have:

  • Your VPN configured on network 192.168.200.0/24. The VPN server gets 192.168.200.1 and clients get addresses in the 192.168.200.1-254 range.
  • AES256 encryption and SHA256 hashing instead of the default SHA1. This slightly decreases performance but is much more secure.
  • 192.168.1.1 configured as the DNS server, but you can choose whatever DNS server you like.
  • The OpenVPN server on port 443, so it looks like normal HTTPS traffic.
  • With '--push route-gateway 192.168.200.1' and '--push redirect-gateway def1' you get a full tunnel. Delete those two lines for a split tunnel.

Configure firewall

We need to let OpenVPN traffic on port 443 through the firewall and make sure the VPN network is covered by NAT. I use NAT with a network group, as you can see in my previous post(s), so the VPN subnet is added to the LAN network group.

configure
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description "OpenVPN"
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 log enable
set firewall name WAN_LOCAL rule 30 protocol tcp
set firewall group network-group LAN 192.168.200.0/24
commit
save

Configure OpenVPN client (Windows 10)

For the Windows 10 OpenVPN client I have created the following .ovpn file for the above server configuration.
Place this config file in C:\Program Files\OpenVPN\config.

Also place cacert.pem, client1.key and client1.pem in this directory. You can download these files from the /config/auth/ directory on the EdgeRouter with WinSCP.

client
dev tun
proto tcp
# public IP or hostname of the EdgeRouter; 443 matches "local-port 443"
remote x.x.x.x 443
float
resolv-retry infinite
# send all traffic through the tunnel (full-tunnel); the server pushes this too
redirect-gateway def1
# Unix-only options, ignored by OpenVPN on Windows
user nobody
group nobody
nobind
persist-key
persist-tun
verb 3
# the files copied from the EdgeRouter's /config/auth directory
ca cacert.pem
cert client1.pem
key client1.key
# must match "encryption aes256" and "hash sha256" on the server
cipher AES-256-CBC
auth SHA256
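As an added example that is not part of the original post, this script cross-checks a client .ovpn like the one above against the server-side "set ..." commands from the earlier sections, since a port, protocol, cipher or auth mismatch is the usual reason a tunnel never comes up. The function names and the keyword mapping (encryption aes256 to cipher AES-256-CBC, hash sha256 to auth SHA256) are assumptions derived from how the post pairs the two configurations, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check a client .ovpn against
# the EdgeRouter "set ..." lines, since a port, proto, cipher or auth mismatch
# is the usual reason the tunnel never comes up. The keyword mapping below
# (encryption aes256 -> cipher AES-256-CBC, hash sha256 -> auth SHA256) is an
# assumption taken from how the post pairs the two configurations.
sget() { awk -v k="$2" '$1=="set" && $4=="vtun0" && $5==k {print $6; exit}' "$1"; }
cget() { awk -v k="$2" -v f="${3:-2}" '$1==k {print $f; exit}' "$1"; }
expect_eq() {  # label expected actual; counts mismatches in $fails
  [ "$2" = "$3" ] && return 0
  echo "$1: server side implies '$2', client has '$3'"
  fails=$((fails + 1))
}
# ovpn_matches_server SERVER_CMDS CLIENT_OVPN: prints mismatches, returns 1 on any
ovpn_matches_server() {
  srv="$1" cli="$2" fails=0
  port=$(sget "$srv" local-port)
  # the WAN_LOCAL rule that opens that port decides the expected transport
  rule=$(awk -v p="$port" '$2=="firewall" && $7=="destination" && $9==p {print $6; exit}' "$srv")
  proto=$(awk -v r="$rule" '$2=="firewall" && $6==r && $7=="protocol" {print $8; exit}' "$srv")
  case $(sget "$srv" encryption) in
    aes128) cipher=AES-128-CBC ;; aes192) cipher=AES-192-CBC ;; aes256) cipher=AES-256-CBC ;;
    *) cipher=unmapped ;;
  esac
  auth=$(sget "$srv" hash | tr a-z A-Z); auth=${auth:-SHA1}   # SHA1 is the default per the post
  expect_eq "remote port" "$port"   "$(cget "$cli" remote 3)"
  expect_eq "proto"       "$proto"  "$(cget "$cli" proto)"
  expect_eq "cipher"      "$cipher" "$(cget "$cli" cipher)"
  expect_eq "auth"        "$auth"   "$(cget "$cli" auth)"
  [ "$fails" -eq 0 ]
}
# Constructed sample input: the post's server commands and its Windows client file
write_samples() {
  cat > "$1" <<'EOF'
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set firewall name WAN_LOCAL rule 30 destination port 443
set firewall name WAN_LOCAL rule 30 protocol tcp
EOF
  cat > "$2" <<'EOF'
client
proto tcp
remote x.x.x.x 443
cipher AES-256-CBC
auth SHA256
EOF
}
```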

7 Comments

    • Hi David, cacert.pem is created after running ./CA.sh -newca at the beginning of the post. This will create a /demoCA folder. There is a cakey.pem (private) and cacert.pem (public) file in there.

  1. Shaun

    I am prompted for ./demoCA/private/./cakey.pem pass phrase while generating the root CA certificate, but cakey.pem doesn’t exist yet. What could be going on?

  2. Ben

    Hi Robin,

    Thanks for the tutorial! Unfortunately I got stuck at the first steps… Where do I create the Diffie-Hellman file and the certificates? If I try to ssh into my router it cannot find the script to generate the certificates.

    I think I am missing something…

  3. Hi,
    great howto!

    I went with udp 1194 after all, hence the following changes.
    set interfaces openvpn vtun0 local-port 1194
    set firewall name WAN_LOCAL rule 50 destination port 1194
    set firewall name WAN_LOCAL rule 50 protocol udp

    There were a few small mistakes in it, but otherwise flawless.

    set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
    set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
    set interfaces openvpn vtun0 tls key-file /config/auth/host.key
    set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

    should be:
    set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
    set interfaces openvpn vtun0 tls key-file /config/auth/server.key
    set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem

    set firewall group network-group LAN 192.168.200.0/24 did not work for me via the CLI,
    but I was able to create it via the GUI.

    The client files are owned by root, so they cannot simply be copied over to Windows/Linux because of the permissions; I copied them to /tmp and did a chmod 655 there, then it works.

    I would do the Windows ovpn file slightly differently:
    paste the pem's and the key into it as plain text (that works better with my OpenVPN client for Windows).

    client
    dev tun
    proto udp
    remote x.x.x.x 1194
    float
    resolv-retry infinite
    redirect-gateway def1
    user nobody
    group nobody
    nobind
    persist-key
    persist-tun
    verb 3

    # inline CA certificate (contents of cacert.pem)
    <ca>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </ca>

    # inline client certificate (contents of client1.pem)
    <cert>
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    </cert>

    # inline client private key (contents of client1.key)
    <key>
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    </key>

    cipher AES-256-CBC
    auth SHA256
