OpenVPN EdgeOS configuration

Welcome to a new entry!

In this section, I will provide a step-by-step guide on setting up an OpenVPN server on EdgeOS routers. The main goal is to securely access your home, office, or company network from outside.

This particular router model is the Ubiquiti EdgeRouter-X, running EdgeOS version 1.10.9.

Certificates and key generation

The first step is to SSH into our router and switch to the root user so we can set up the VPN properly.

ssh ubnt@<router-ip>
sudo su -

The second step is to create a CA (Certificate Authority), which will sign the certificates that clients (devices) use to connect to our router's VPN server from outside.

cd /usr/lib/ssl/misc/
./CA.sh -newca

To create the CA, we need to fill in the fields below (the values shown are examples):

PEM Passphrase: Abc123
Country Name: ES
State Or Province Name: Malaga
Locality Name: Malaga
Organization Name: Jeronimo Diaz
Organizational Unit Name:
Common Name: UBNT Server
Email Address: [email protected]

After creating the CA, it is time to generate the certificate that the VPN server will present to clients.

./CA.sh -newreq

The fields to fill in are very similar to the ones required to create the CA.

Country Name: ES
State Or Province Name: Malaga
Locality Name: Malaga
Organization Name: Jeronimo Diaz
Organizational Unit Name:
Common Name: Server
Email Address: [email protected]

The VPN server needs to recognize the new certificate as a valid one, so it must be signed by the CA.

./CA.sh -sign

Once it is signed, it is time to copy all the files to the path where the VPN server will read them from.

cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
mv /usr/lib/ssl/misc/newcert.pem /config/auth/server.pem
mv /usr/lib/ssl/misc/newkey.pem /config/auth/server.key

To securely exchange session keys between the client (outside the home network) and the server (our router), we need to generate Diffie-Hellman parameters. The Diffie-Hellman key exchange lets both sides agree on a shared secret over an untrusted network; the traffic is then encrypted with keys derived from that secret before leaving the client and decrypted only once it arrives at the server. This prevents third parties from reading the transmitted data.

Generating these parameters takes some time, so be patient when you execute the command below:

openssl dhparam -out /config/auth/dh2048.pem -2 2048

The next step is to remove the passphrase from the private key that was created together with the server certificate, so that OpenVPN can load it at boot without prompting. The decrypted key must remain readable only by root.

openssl rsa -in /config/auth/server.key -out /config/auth/server-decrypted.key
mv /config/auth/server-decrypted.key /config/auth/server.key

Although there aren't any configured clients right now, in the future we might want to revoke a certificate (forbid a client from connecting to the VPN server). We need to create a file containing the list of certificates that must be rejected, the CRL (Certificate Revocation List). This list must be regenerated periodically and every time a certificate is revoked. By default it expires after 30 days, so it must be regenerated at least every 30 days; if a client certificate is revoked before those 30 days have passed, the file needs to be regenerated at that moment as well.

openssl ca -gencrl -out crl.pem
cp crl.pem /config/auth

To check when the CRL needs to be regenerated (its Next Update field), the command below can be run:

openssl crl -in /config/auth/crl.pem -noout -text

Before moving on to configure the VPN server, it can be hardened a bit more by generating an additional TLS auth key: with it in place, the server only processes packets whose HMAC was produced with this key and silently drops the rest, before any TLS handshake takes place.

openvpn --genkey --secret ta.key
cp ta.key /config/auth

VPN configuration

Once keys and certificates for the VPN server are generated, it is time to configure the VPN server:

configure
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet X.X.X.X/X
set interfaces openvpn vtun0 server push-route X.X.X.X/X
set interfaces openvpn vtun0 server name-server X.X.X.X
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 openvpn-option "--port 1194"
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun0 openvpn-option "--comp-lzo yes"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option "--ifconfig-pool-persist /var/log/ipp.txt"
set interfaces openvpn vtun0 openvpn-option "--status /var/log/openvpn-status.log"
set service dns forwarding listen-on vtun0

Bear in mind:

subnet: Network range used to assign IPs to the clients that connect to the VPN server
push-route: Network ranges that clients connected to the VPN server will have access to (routes pushed to the client)
name-server: DNS server pushed to the clients; here it is the gateway IP of the subnet designated for VPN clients, because the last line makes the router's DNS forwarder listen on vtun0

Once the VPN server is configured, a firewall rule needs to be added so that the router accepts inbound connections from the WAN whose destination is the VPN server (UDP port 1194):

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description OpenVPN
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
commit
save
exit

At this point, the VPN server is configured. The next step is generating a certificate for a client. Note that the steps below need to be executed every time we want to add a new client to the VPN server.

cd /usr/lib/ssl/misc
./CA.sh -newreq
./CA.sh -sign
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-decrypted.key
mv /config/auth/client1-decrypted.key /config/auth/client1.key

During the creation of the client certificate, the same fields as for the server certificate will be asked for. Those values are embedded into the client certificate. Bear in mind that the Common Name (CN) attribute must be unique per client, since it is what identifies the certificate when it has to be revoked later.

Client file

To connect to the VPN server, each client needs a configuration file with the .ovpn extension. The lines below show an example file for a client. Bear in mind that the PASTE lines need to be replaced with the content of the files they name.

client
dev tun
proto udp
remote <domain-or-ip> 1194
cipher AES-256-CBC
redirect-gateway def1
auth SHA256
resolv-retry infinite
nobind
comp-lzo yes
persist-key
persist-tun
user nobody
group nogroup
verb 3
key-direction 1
<ca>
PASTE /config/auth/cacert.pem content
</ca>
<cert>
PASTE /config/auth/client1.pem content
</cert>
<key>
PASTE /config/auth/client1.key content
</key>
<tls-auth>
PASTE /config/auth/ta.key content
</tls-auth>

The file above needs to be sent to the client so the connection can be configured on its side. Since it embeds the client's private key, it must be delivered over a secure channel rather than by plain email.
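As an added example (not from the original post), the following shell script assembles that client profile from the files generated on the router, inlining only the PEM blocks; it assumes the client files are named client1.pem and client1.key as above and takes the remote host and the directory as parameters (the sample files it creates are constructed placeholders, not real keys):

```shell
#!/bin/sh
# Assemble the client .ovpn profile shown above from the files on the router.
# Added example, not from the original post. It assumes the client files are
# named client1.pem / client1.key as in the post. The certificate written by
# "CA.sh -sign" carries a human-readable dump before the PEM block, so only
# the BEGIN/END block of each file is inlined into the profile.

# pem_block <file> <type-regex>: print only the -----BEGIN ... -----END block.
pem_block() {
    sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

# build_ovpn <remote-host-or-ip> <dir>: print the complete client profile,
# failing early if any of the four input files is missing or unreadable.
build_ovpn() {
    for f in cacert.pem client1.pem client1.key ta.key; do
        [ -r "$2/$f" ] || { echo "missing $2/$f" >&2; return 1; }
    done
    printf '%s\n' client 'dev tun' 'proto udp' "remote $1 1194" 'cipher AES-256-CBC' \
        'redirect-gateway def1' 'auth SHA256' 'resolv-retry infinite' nobind \
        'comp-lzo yes' persist-key persist-tun 'user nobody' 'group nogroup' \
        'verb 3' 'key-direction 1'
    printf '<ca>\n%s\n</ca>\n' "$(pem_block "$2/cacert.pem" CERTIFICATE)"
    printf '<cert>\n%s\n</cert>\n' "$(pem_block "$2/client1.pem" CERTIFICATE)"
    printf '<key>\n%s\n</key>\n' "$(pem_block "$2/client1.key" '.*PRIVATE KEY')"
    printf '<tls-auth>\n%s\n</tls-auth>\n' "$(pem_block "$2/ta.key" 'OpenVPN Static key V1')"
}

# Constructed sample files standing in for the real ones (placeholder bodies,
# not real certificates or keys), so the script can be exercised offline.
SAMPLE_DIR=${TMPDIR:-/tmp}/ovpn_sample.$$
mkdir -p "$SAMPLE_DIR"
printf '%s\n' '-----BEGIN CERTIFICATE-----' CAFAKE '-----END CERTIFICATE-----' > "$SAMPLE_DIR/cacert.pem"
printf '%s\n' 'Certificate:' '    Data:' '        Serial Number: 1' \
    '-----BEGIN CERTIFICATE-----' CLIENTFAKE '-----END CERTIFICATE-----' > "$SAMPLE_DIR/client1.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' KEYFAKE '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/client1.key"
printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
    '-----BEGIN OpenVPN Static key V1-----' TAFAKE '-----END OpenVPN Static key V1-----' > "$SAMPLE_DIR/ta.key"

build_ovpn '<domain-or-ip>' "$SAMPLE_DIR" > "$SAMPLE_DIR/client1.ovpn"
```

On the router, point the second argument at /config/auth after the client steps above; the Serial Number dump that precedes the PEM block in client1.pem is dropped so OpenVPN only sees the certificate itself.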

Revoke a certificate

Certificates are identified by their CN attribute, so to revoke one, this attribute must be known. All certificates issued by our CA are listed in its index file.

cat /usr/lib/ssl/misc/demoCA/index.txt

V       231101212507Z           89A35FBCB65F3220        unknown /C=ES/ST=Malaga/O=Jeronimo Diaz/CN=UBNT Jeronimo Diaz Server/emailAddress=xxxxxxxx
V       211101213123Z           89A35FBCB65F3221        unknown /C=ES/ST=Malaga/L=Malaga/O=Jeronimo Diaz/CN=VPN Server/emailAddress=xxxxxxxxxx
V       211101213503Z           89A35FBCB65F3222        unknown /C=ES/ST=Malaga/L=Malaga/O=Jeronimo Diaz/CN=Example Common Name/emailAddress=xxxxxxxx

Once we know which certificate we want to revoke (CN=Example Common Name), we take its serial number (89A35FBCB65F3222) from the third column, since the certificate file is named after it. The command below revokes the certificate:

cd /usr/lib/ssl/misc
openssl ca -revoke demoCA/newcerts/<certificate_serial>.pem # in our case 89A35FBCB65F3222

Every time a certificate is revoked, the list of revoked certificates must be regenerated and copied over to the path where the VPN server looks for it.

openssl ca -gencrl -out crl.pem
cp crl.pem /config/auth
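As an added example (not part of the original post), this shell snippet automates the manual lookup above: it finds the serial for a given CN in the index file, refuses to revoke an entry already marked R, and prints the revoke and CRL regeneration commands from the post as a dry run; the index content is a constructed sample mirroring the entries shown.

```shell
#!/bin/sh
# Look up a CA-issued certificate by Common Name in an OpenSSL "ca" index
# (demoCA/index.txt), the manual step done above before "openssl ca -revoke".
# Added example, not from the original post. Index columns are tab-separated:
# status (V/R/E), expiry, revocation date (empty while valid), serial,
# file name, subject DN.

# Constructed sample index mirroring the entries shown in the post, plus one
# already-revoked entry (status R) to show the extra column.
INDEX_FILE=${TMPDIR:-/tmp}/index_sample.$$
printf 'V\t231101212507Z\t\t89A35FBCB65F3220\tunknown\t/C=ES/ST=Malaga/O=Jeronimo Diaz/CN=UBNT Jeronimo Diaz Server/emailAddress=xxxxxxxx\n' > "$INDEX_FILE"
printf 'V\t211101213123Z\t\t89A35FBCB65F3221\tunknown\t/C=ES/ST=Malaga/L=Malaga/O=Jeronimo Diaz/CN=VPN Server/emailAddress=xxxxxxxxxx\n' >> "$INDEX_FILE"
printf 'V\t211101213503Z\t\t89A35FBCB65F3222\tunknown\t/C=ES/ST=Malaga/L=Malaga/O=Jeronimo Diaz/CN=Example Common Name/emailAddress=xxxxxxxx\n' >> "$INDEX_FILE"
printf 'R\t211101213600Z\t211001120000Z\t89A35FBCB65F3223\tunknown\t/C=ES/ST=Malaga/O=Jeronimo Diaz/CN=Old Laptop/emailAddress=xxxxxxxx\n' >> "$INDEX_FILE"

# serial_for_cn <cn> [index]: prints "<status> <serial>" of the entry whose CN
# matches exactly (CNs may contain spaces); returns 1 when there is none.
serial_for_cn() {
    awk -F'\t' -v cn="$1" '
        match($6, "/CN=[^/]*") {
            if (substr($6, RSTART + 4, RLENGTH - 4) == cn) { print $1, $4; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "${2:-$INDEX_FILE}"
}

# revoke_by_cn <cn>: refuses to revoke twice and prints (dry run) the revoke
# and CRL regeneration commands from the post, so the serial can be confirmed
# before touching the CA.
revoke_by_cn() {
    entry=$(serial_for_cn "$1") || { echo "no certificate with CN '$1'" >&2; return 1; }
    status=${entry%% *}
    serial=${entry#* }
    if [ "$status" = R ]; then
        echo "CN '$1' (serial $serial) is already revoked" >&2
        return 2
    fi
    echo "openssl ca -revoke demoCA/newcerts/$serial.pem && openssl ca -gencrl -out crl.pem && cp crl.pem /config/auth"
}
```

On the router, pass /usr/lib/ssl/misc/demoCA/index.txt as the second argument of serial_for_cn and run the printed command line from /usr/lib/ssl/misc once the serial has been confirmed.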

That is all you need to know to configure a VPN server on EdgeOS routers and create/revoke client certificates.

I hope it can be useful for you. Do not hesitate to ask any question in the comments section.

See you in the next post!
