Notes on setting up OpenVPN on Edgerouter Lite

edgerouter_lite_openvpn.md

My notes on how I setup OpenVPN server on Edgerouter Lite. Based mostly on this guide from openVPN wiki. This guide assumes easyrsa3 is being used, otherwise substitute whatever the easyrsa2 versions are for the commands below.

This guide will use 3 different machines.

A Public Key Infrastructure (PKI) will be created on each machine:

• 1. Server - openVPN server (Edgerouter in this case).
• 2. Client(s) - the device(s) you will be connecting from.
• 3. CA Server - used to generate and sign certificates for server and clients to use.

Note: For security reasons CA should be a different machine to the server (not on the router!):

One common mistake when setting up a new CA is to place all the CA files on the OpenVPN server. DO NOT DO THAT! A CA requires a private key which is used for signing the certificates your clients and servers will use. If you lose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.

Generated files:

Filename	Needed By	Purpose	Secret
ca.crt	server + all clients	Root CA certificate	NO
ca.key	key signing machine only	Root CA key	YES
dh.pem	server only	Diffie Hellman parameters	NO
server.crt	server only	Server Certificate	NO
server.key	server only	Server Key	YES
client.crt	client only	Client Certificate	NO
client.key	client only	Client Key	YES
tlsauth.key	server + all clients	TLS Handshake	??

TODO: file permissions for secret files

1. [On CA] Setup PKI and generate CA cert and private key.

set -Ux EASY_RSA /path/to/easy-rsa  # /etc/easy-rsa on Arch
mkdir -p /path/to/openvpn-pki  # choose a secure location
set -Ux EASYRSA_PKI /path/to/openvpn-pki
easyrsa init-pki
easyrsa build-ca

• Files generated: ./private/ca.key, ./ca.crt

Note: From easy-rsa3 onwards the only required field is 'Common Name (CN)' (others are set optional in the supplied openssl-1.0.cnf file). There is no need to fill out the other fields as suggested by random guides on the net, which are probably still on easy-rsa2.

Note: 'Common Name' is purely for display purposes and can be set as you like.

2. [On Server] Generate a public/private keypair.

mkdir /config/auth/
curl -LOk https://github.com/OpenVPN/easy-rsa/archive/master.tar.gz
tar xf master.tar.gz
cd easy-rsa-master/easyrsa3
easyrsa init-pki
easyrsa gen-req server nopass
cp ./pki/private/server.key /config/auth/server.key

• Files generated: /pki/private/server.key, /pki/reqs/server.req Note: easyrsa script is broken on Busybox systems at time of writing (v3.0.3), since it uses an option in mktemp which isn't available in the Busybox mktemp. Submitted PR to fix it here.

3. [On CA] Copy req from server, sign it and copy back to server

cd /path/to/openvpn-pki
scp -P<sshport> <routerusername>@<routerIP>:/path/toeasy-rsa-master/easyrsa3/pki/reqs/server.req server.req
easyrsa import-req server.req server
easyrsa sign-req server server
scp -P<sshport> issued/server.crt <routerusername>@<routerIP>:/config/auth/server.crt

• Files generated: ./issued/server.crt

TODO: delete .req files after successfully signing?

Note: Can ignore errors about index.txt.attr, see here.

4. [On Server] Generate Diffie-Hellman (DH) params

./easyrsa gen-dh
cp ./pki/dh.pem /config/auth/dh.pem

Took about 15 mins on ERL.

configure
set service gui https-port 8080
set interfaces openvpn vtun0 description OpenVPN
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 local-port 443
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option '--user nobody'
set interfaces openvpn vtun0 openvpn-option '--group nogroup'
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option '--remote-cert-tls client'
set interfaces openvpn vtun0 openvpn-option '--tls-auth /config/auth/tlsauth.key 0'
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server push-route 192.168.10.0/24
set interfaces openvpn vtun0 server subnet 192.168.11.0/24
set interfaces openvpn vtun0 server topology subnet
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/server.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set encryption aes256
set hash sha256
commit 
save

Note: If commit fails check /var/log/messages
Note: Replace pppoe-local with whatever your WAN interface is (Ubiquiti default is WAN_LOCAL)

5. [On Client] Generate a public/private keypair for client.

mkdir /path/to/clientpki
cd /path/to/clientpki
set -Ux EASY_RSA /path/to/easyrsa
set -Ux EASYRSA_PKI (pwd)
easyrsa init-pki
easyrsa gen-req <client_name>

6. [On CA] Copy req to CA, sign it and copy back to server

Same as 3. but the signing command is easyrsa sign-req client <client_name>

7. [On Server ] Create TLS AuthKey , Copy to every Client

cd /auth/config
openvpn --genkey --secret tlsauth.key
cp /config/auth/easy-rsa-master/easyrsa3/pki/dh.pem /auth/config/

8 [On Client] Remove Password

openssl rsa -in <client_name>.key -out <client_name>_no_pass.key

Client Config

• Template to use:

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote <<VPNGATEWAY>> 443


# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert client.crt
key client.key

# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
#   digitalSignature, keyEncipherment
# and the extendedKeyUsage to
#   serverAuth
# EasyRSA can do this for you.
remote-cert-tls server

# If a tls-auth key is used on the server
# then every client must also have the key.
tls-auth tlsauth.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
auth SHA256

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
### MTU FIX
mssfix 1420
# Pass all traffic throug VPN
redirect-gateway def1

Note: Set key direction to 0 if not using TLS AUTH

TODO: on Ubuntu machine it successfully connected to the VPN without asking for passphrase. Is this because of decrypting the preivate key to paste in hte .ovpn file??

TODO: check whether persist-key etc have to be set here or can be set in server config and pushed to client

A2. Other notes

• To have OpenVPN show up in Network Manager in Ubuntu, install network-manager-openvpn-gnome.
  Then you can import an *.ovpn file like with Android.