Last active September 2, 2024 19:06
Notes on setting up OpenVPN on Edgerouter Lite

My notes on how I set up an OpenVPN server on an Edgerouter Lite. Based mostly on this guide from the OpenVPN wiki. This guide assumes easyrsa3 is being used; otherwise substitute the easyrsa2 equivalents for the commands below.

This guide will use 3 different machines.

A Public Key Infrastructure (PKI) will be created on each machine:

    1. Server - OpenVPN server (Edgerouter in this case).
    2. Client(s) - the device(s) you will be connecting from.
    3. CA Server - used to generate and sign certificates for server and clients to use.

Note: For security reasons the CA should be on a different machine from the server (not on the router!). From the OpenVPN wiki:

One common mistake when setting up a new CA is to place all the CA files on the OpenVPN server. DO NOT DO THAT! A CA requires a private key which is used for signing the certificates your clients and servers will use. If you lose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.

Generated files:

| Filename   | Needed By                | Purpose                   | Secret |
|------------|--------------------------|---------------------------|--------|
| ca.crt     | server + all clients     | Root CA certificate       | NO     |
| ca.key     | key signing machine only | Root CA key               | YES    |
| dh.pem     | server only              | Diffie Hellman parameters | NO     |
| server.crt | server only              | Server Certificate        | NO     |
| server.key | server only              | Server Key                | YES    |
| client.crt | client only              | Client Certificate        | NO     |
| client.key | client only              | Client Key                | YES    |

TODO: file permissions for secret files

1. [On CA] Setup PKI and generate CA cert and private key.

set -Ux EASY_RSA /path/to/easy-rsa  # /etc/easy-rsa on Arch
mkdir -p /path/to/openvpn-pki  # choose a secure location
set -Ux EASYRSA_PKI /path/to/openvpn-pki
easyrsa init-pki
easyrsa build-ca
  • Files generated: ./private/ca.key, ./ca.crt

Note: From easy-rsa3 onwards the only required field is 'Common Name (CN)' (others are set optional in the supplied openssl-1.0.cnf file). There is no need to fill out the other fields as suggested by random guides on the net, which are probably still on easy-rsa2.

Note: 'Common Name' is purely for display purposes and can be set as you like.

2. [On Server] Generate a public/private keypair.

mkdir /config/auth/
curl -LOk
tar xf master.tar.gz
cd easy-rsa-master/easyrsa3
easyrsa init-pki
easyrsa gen-req server nopass
cp ./pki/private/server.key /config/auth/server.key
  • Files generated: ./pki/private/server.key, ./pki/reqs/server.req

Note: The -k in the curl command disables TLS certificate verification for the download (needed if the router has no CA bundle). Since this archive is a script you will run, verify it by another means (e.g. compare a checksum taken on a machine whose curl does verify the certificate) before using it.

Note: easyrsa script is broken on Busybox systems at time of writing (v3.0.3), since it uses an option in mktemp which isn't available in the Busybox mktemp. Submitted PR to fix it here.

TODO: also setup TLS-AUTH

3. [On CA] Copy req from server, sign it and copy back to server

cd /path/to/openvpn-pki
scp -P<sshport> <routerusername>@<routerIP>:/path/to/easy-rsa-master/easyrsa3/pki/reqs/server.req server.req
easyrsa import-req server.req server
easyrsa sign-req server server
scp -P<sshport> issued/server.crt <routerusername>@<routerIP>:/config/auth/server.crt
  • Files generated: ./issued/server.crt

TODO: delete .req files after successfully signing?

Note: Can ignore errors about index.txt.attr, see here.

4. [On Server] Generate Diffie-Hellman (DH) params

./easyrsa gen-dh
cp ./pki/dh.pem /config/auth/dh.pem

Took about 15 mins on ERL.

Then configure the OpenVPN server interface and open the VPN port on the WAN firewall. This is done in configure mode; set commands inside an edit level are relative to that level, so return to top before moving on to the firewall:

configure
edit interfaces openvpn vtun0
set mode server
set openvpn-option "--port <your vpn port>"
set server subnet <your chosen subnet>
set tls ca-cert-file /config/auth/ca.crt
set tls cert-file /config/auth/server.crt
set tls key-file /config/auth/server.key
set tls dh-file /config/auth/dh.pem
set server name-server <ERL IP>
set server push-route <your LAN1 subnet>
set server push-route <your LAN2 subnet>
set openvpn-option "--comp-lzo"
set openvpn-option "--push dhcp-option DNS <ERL IP>"
set openvpn-option "--user nobody"
set openvpn-option "--group nogroup"
top
edit firewall name pppoe-local rule 1
set action accept
set description OpenVPN
set destination port <your vpn port>
set log disable
set protocol udp
top
commit
save

Note: If commit fails check /var/log/messages
Note: Replace pppoe-local with whatever your WAN interface is (Ubiquiti default is WAN_LOCAL)
Note: --comp-lzo turns on compression, which current OpenVPN releases deprecate and advise against because compressed VPN traffic is exposed to compression-oracle attacks (VORACLE); leave it out unless a legacy client requires it.

5. [On Client] Generate a public/private keypair for client.

mkdir /path/to/clientpki
cd /path/to/clientpki
set -Ux EASY_RSA /path/to/easyrsa
set -Ux EASYRSA_PKI (pwd)
easyrsa init-pki
easyrsa gen-req <client_name>

6. [On CA] Copy req to CA, sign it and copy back to client

Same as 3. but the signing command is easyrsa sign-req client <client_name>

A1. Create .ovpn file for Android clients

  • Template to use (the inline blocks go between <ca>, <cert>, <key> and <tls-auth> tags):

proto udp
remote your.openvpn.server
port 1194
dev tun
resolv-retry infinite
redirect-gateway def1
key-direction 1
<ca>
# insert base64 blob from ca.crt
</ca>
<cert>
# insert base64 blob from client.crt
</cert>
<key>
# insert base64 blob from client.key (decrypt it first: openssl rsa -in client.key -out client.keyd;
# the decrypted key has no passphrase, so a client using this file connects without a prompt and
# the .ovpn file must be kept as private as the key itself)
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
# insert ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

Note: Set key direction to 0 if not using TLS AUTH

TODO: on Ubuntu machine it successfully connected to the VPN without asking for passphrase. Is this because of decrypting the private key to paste in the .ovpn file??

TODO: check whether persist-key etc have to be set here or can be set in server config and pushed to client
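A small POSIX sh helper, added here and not part of the gist, that assembles the inline profile above from the PKI files so that nothing is pasted by hand and the easy-rsa text dump in front of the PEM is dropped. It assumes the file names from the table (ca.crt, client.crt, a decrypted client.keyd, ta.key) and adds the standard client and remote-cert-tls server directives, which the template above does not include.

```shell
#!/bin/sh
# build_ovpn: hypothetical helper (not from the gist) that writes a unified .ovpn
# with the certificates and keys embedded in <ca>/<cert>/<key>/<tls-auth> blocks.
# Usage: build_ovpn ca.crt client.crt client.keyd ta.key your.openvpn.server 1194 > client.ovpn

# Print only the PEM block of a file. easy-rsa .crt files start with a human-readable
# certificate dump and ta.key starts with '#' comment lines; both are dropped here.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Succeeds only if the key carries no passphrase. An embedded encrypted key would make
# the client stop for a prompt, which is what the decrypt step in the template avoids.
key_is_plain() {
    ! grep -q 'ENCRYPTED' "$1"
}

build_ovpn() {
    ca=$1 cert=$2 key=$3 ta=$4 remote=$5 port=${6:-1194}
    for f in "$ca" "$cert" "$key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    key_is_plain "$key" || { echo "build_ovpn: $key is still encrypted" >&2; return 1; }
    # Directives from the template, plus 'client' and 'remote-cert-tls server' (the
    # latter rejects a peer whose certificate was not signed with easyrsa's server type).
    printf '%s\n' client 'proto udp' "remote $remote $port" 'dev tun' \
        'resolv-retry infinite' 'redirect-gateway def1' \
        'remote-cert-tls server' 'key-direction 1'
    printf '<ca>\n';       pem_body "$ca";   printf '</ca>\n'
    printf '<cert>\n';     pem_body "$cert"; printf '</cert>\n'
    printf '<key>\n';      pem_body "$key";  printf '</key>\n'
    printf '<tls-auth>\n'; pem_body "$ta";   printf '</tls-auth>\n'
}
```

Run it under umask 077 (or chmod 600 the result), since the output embeds the private key.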

A2. Other notes

  • To have OpenVPN show up in Network Manager in Ubuntu, install network-manager-openvpn-gnome.
    Then you can import an *.ovpn file like with Android.