EdgeRouter Lite OpenVPN setup

Hey! Listen! This post is part of a series on the Ubiquiti EdgeRouter Lite. Check them all out!

    Date        Post                                                Part
    2017-10-03  Dyn DDNS on EdgeRouter                              Setup DynDNS
    2017-04-25  DuckDNS on EdgeRouter                               Setup DuckDNS
    2017-01-08  Ubiquiti EdgeRouter serial console settings         Serial console settings
    2016-11-29  Ubiquiti UniFi controller setup on Raspberry Pi 3   Install UniFi Controller
    2016-08-30  EdgeRouter Lite Dnsmasq setup                       Setup dnsmasq
    2016-06-13  EdgeRouter Lite software upgrade                    Firmware upgrade
    2016-05-12  EdgeRouter Lite OpenVPN setup                       OpenVPN server setup
    2016-04-29  Ubiquiti EdgeRouter Lite setup                      Initial setup

    Introduction

    In my last post, I set up the Ubiquiti EdgeRouter Lite (ERL) as a basic router and firewall. In this post, I’ll be going over the setup of an OpenVPN server. In the past, I used an Archer C7 running OpenWrt to host OpenVPN, so I’ll be applying most of those principles again here.

    VPN types

    If you need a refresher on the different types of VPNs, see below.

    PPTP
    Pro
    • Available in most operating systems by default
    Con
    • Uses IP protocol 47 (GRE) and UDP port 1723, making it easily detectable and blockable by a firewall
    • Encryption is not strong
    • First on NSA's "to-hack" list

    L2TP/IPSec
    Pro
    • Available in most operating systems by default
    • More secure than PPTP
    • No known security flaws
    Con
    • Uses UDP ports 50, 500, 1701, and 4500, making it easily detectable and blockable by a firewall
    • Slightly more overhead than OpenVPN, since traffic is passing through the tunnel and encryption in two separate steps

    OpenVPN
    Pro
    • Very configurable
    • Uses open source software
    • More secure than PPTP
    • No known security flaws
    • Can use any port, setting to TCP 443 makes it almost indistinguishable from HTTPS traffic
    Con
    • Not available in most operating systems by default, requires a third-party application

    Split-tunnel vs full-tunnel

    When setting up a VPN, you’ll have to choose whether to use split-tunnel or full-tunnel for the clients.

    • Split-tunnel – Allows your local client to access resources on the remote server network (e.g., network shares, file servers, email servers, etc…). Regular internet traffic does not flow through the tunnel and is not encrypted.
    • Full-tunnel – Allows your local client to access resources on the remote server network (e.g., network shares, file servers, email servers, etc…). Regular internet traffic does flow through the tunnel and is encrypted. However, this might cut your client off from local resources. Typically, clients will have to connect/disconnect based on which group of resources they want to access (local or remote).

    I usually choose to go full-tunnel, since I’m usually trying to get access to resources at home and I’m not concerned about local resources. This is easy enough to change on each client by adding or removing one option.

    Hardware acceleration

    A big advantage of the ERL is that it allows you to offload some functions to hardware. One of these is the IPSec VPN, which greatly improves the throughput. Expect to get about 10Mbps (with one CPU at 100%) while using OpenVPN, and expect up to 150Mbps while using IPSec/L2TP with hardware offload enabled.

    I’m choosing to use OpenVPN because it’s what I’m more familiar with. If the performance is really bad, I’ll switch to IPSec/L2TP.

    OpenVPN security

    By default, OpenVPN developers tend to favor compatibility and speed over security. That’s not necessarily a bad thing, but in this case, I’m going to be changing a few default options. OpenVPN defaults to the following:

    • cipher – Blowfish in Cipher Block Chaining mode (BF-CBC)
    • authentication digest – SHA1

    OpenVPN themselves recommend AES-256 for more security. In addition, SHA1 is outdated, and shouldn’t be used if SHA2 is available. I’m going to be using the following:

    • cipher – AES-256-CBC
    • authentication digest – SHA256

    For more security reading, check out the resources here, here, and here.

    OpenVPN setup

    We’re basically going to create our own Certificate Authority (CA) on the router and use it to sign certificates for authentication. This isn’t best-practice, since the CA should be on its own machine, but it will do for this situation.

    Create CA

    First, you’ll need to become root.

    sudo su -

    Next, move into the necessary directory and create a new CA certificate.

    cd /usr/lib/ssl/misc/
    ./CA.sh -newca

    Once this completes, you’ll have a new directory called demoCA. The two most important files in here are as follows:

    • private/cakey.pem – This is the private key for your CA (keep this secret)
    • cacert.pem – This is the CA certificate, the public half of the CA (you’ll be giving this out to your clients)

    Create server certificate

    Next, we’ll generate a public/private key for the server. The Common Name (CN) of your server certificate should be something unique (I used my dynamic DNS name).

    ./CA.sh -newreq

    Once this completes, you’ll have two new files, as follows:

    • newkey.pem – This is the private key for your server (keep this secret)
    • newreq.pem – This is the certificate signing request containing the server’s unsigned public key (this needs to be signed by your CA)

    Now, sign the request.

    ./CA.sh -sign

    You’ll have one more file, shown below.

    • newcert.pem – This is the signed certificate (public key) for your server

    Move files

    I recommend moving the important files to a directory where they won’t be wiped out during a firmware upgrade. In addition to moving the files, we’re also renaming them.

    cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
    cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
    mv /usr/lib/ssl/misc/newcert.pem /config/auth/host.pem
    mv /usr/lib/ssl/misc/newkey.pem /config/auth/host.key

    DH parameters

    Next, generate Diffie-Hellman (DH) parameters to ensure Perfect Forward Secrecy (PFS). Expect this to take 5-10 minutes with one CPU at 100%.

    openssl dhparam -out /config/auth/dh2048.pem -2 2048

    A good explanation of DH parameters and why you need them is located here.

    Create user certificate(s)

    Next, generate a request and sign it for a new user certificate. The Common Name (CN) of your user certificate should be something unique (I used my client’s host name).

    ./CA.sh -newreq
    ./CA.sh -sign

    Move the new files into your preserved directory while renaming them.

    mv newcert.pem /config/auth/client1.pem
    mv newkey.pem /config/auth/client1.key

    Repeat this as necessary for each client.

    Decrypt keys

    You’ll need to remove the passphrase from the host and client key(s) so that OpenVPN can start non-interactively, without prompting for it.

    openssl rsa -in /config/auth/host.key -out /config/auth/host-decrypted.key
    openssl rsa -in /config/auth/client1.key -out /config/auth/client1-decrypted.key

    Repeat this as necessary for each client.

    EdgeRouter setup

    First, I would recommend exiting back to the normal ubnt user.

    exit
    whoami

    The following steps were pretty straightforward, since I’ve already set up an OpenVPN server on my Archer C7.

    Create interface

    Now, we’ll need to create a new interface for the VPN and set a few settings.

    configure
    set interfaces openvpn vtun0
    set interfaces openvpn vtun0 description "OpenVPN server"
    set interfaces openvpn vtun0 mode server
    set interfaces openvpn vtun0 encryption aes256
    set interfaces openvpn vtun0 hash sha256
    set interfaces openvpn vtun0 server subnet 10.10.10.0/24
    set interfaces openvpn vtun0 server push-route 10.10.2.0/24
    set interfaces openvpn vtun0 server name-server 10.10.2.1
    set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
    set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
    set interfaces openvpn vtun0 tls key-file /config/auth/host-decrypted.key
    set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
    set interfaces openvpn vtun0 openvpn-option "--port 1194"
    set interfaces openvpn vtun0 openvpn-option --tls-server
    set interfaces openvpn vtun0 openvpn-option "--comp-lzo yes"
    set interfaces openvpn vtun0 openvpn-option --persist-key
    set interfaces openvpn vtun0 openvpn-option --persist-tun
    set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
    set interfaces openvpn vtun0 openvpn-option "--user nobody"
    set interfaces openvpn vtun0 openvpn-option "--group nogroup"
    commit
    save

    A few notes on these settings:

    • The VPN subnet can’t be the same as your LAN subnet. In my case, my VPN subnet is 10.10.10.0/24 and my LAN subnet is 10.10.2.0/24.
    • You’ll need to push a route from the VPN subnet to your LAN subnet.
    • You’ll need to set a name server for the VPN subnet (I’m using my router, but you can use a public DNS server).
    • The standard OpenVPN port is 1194, but setting it to 443 would make it almost indistinguishable from HTTPS traffic 😉
    • The rest of the settings are explained in the OpenVPN manuals.

    Setup firewall

    We’ll need to open a port in the firewall for OpenVPN. If you’re not using the standard port (1194), change it appropriately.

    configure
    set firewall name WAN_LOCAL rule 50 action accept
    set firewall name WAN_LOCAL rule 50 description "OpenVPN"
    set firewall name WAN_LOCAL rule 50 destination port 1194
    set firewall name WAN_LOCAL rule 50 log enable
    set firewall name WAN_LOCAL rule 50 protocol udp
    commit
    save

    Set DNS

    Tell DNS to listen for requests on the new vtun0 interface.

    configure
    set service dns forwarding listen-on vtun0
    commit
    save

    Setup client configuration

    The client configuration will vary from client-to-client, but the configuration below should work for Android phones or Linux clients. If you’re using Windows, you’re going to have a tougher time, because it needs some extra options.

    echo "client" >> /config/auth/client1.ovpn
    echo "dev tun" >> /config/auth/client1.ovpn
    echo "proto udp" >> /config/auth/client1.ovpn
    echo "remote yourhostname.dyndns.com 1194" >> /config/auth/client1.ovpn
    echo "cipher AES-256-CBC" >> /config/auth/client1.ovpn
    echo "auth SHA256" >> /config/auth/client1.ovpn
    echo "resolv-retry infinite" >> /config/auth/client1.ovpn
    echo "redirect-gateway def1" >> /config/auth/client1.ovpn
    echo "nobind" >> /config/auth/client1.ovpn
    echo "comp-lzo yes" >> /config/auth/client1.ovpn
    echo "persist-key" >> /config/auth/client1.ovpn
    echo "persist-tun" >> /config/auth/client1.ovpn
    echo "user nobody" >> /config/auth/client1.ovpn
    echo "group nogroup" >> /config/auth/client1.ovpn
    echo "verb 3" >> /config/auth/client1.ovpn
    echo "ca cacert.pem" >> /config/auth/client1.ovpn
    echo "cert client1.pem" >> /config/auth/client1.ovpn
    echo "key client1-decrypted.key" >> /config/auth/client1.ovpn

    A few notes on these settings:

    • Obviously, substitute your dynamic DNS hostname and port as needed.
    • To use full-tunnel, include the option redirect-gateway def1. To use split tunnel, leave it out.
    • The rest of the settings are explained in the OpenVPN manuals.
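    As an added example (not code from the post), the Python helper below builds client1.ovpn from the router’s `show interfaces openvpn vtun0` output so the client side always mirrors the server’s cipher, digest, port, compression and tls-auth direction, toggles full-tunnel vs split-tunnel via redirect-gateway def1, optionally embeds the certificates in unified (inline) format, and reports the client/server mismatches that show up as a TLS error on connect. The sample listing and the PEM stand-ins are constructed, and the EdgeOS keyword table beyond aes256/sha256 is an assumption.

```python
import re

# EdgeOS "encryption"/"hash" keywords -> OpenVPN cipher/auth names the client must use.
# aes256 -> AES-256-CBC and sha256 -> SHA256 are the post's pair; the rest is an assumption.
EDGEOS_CIPHERS = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
EDGEOS_HASHES = {"sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}

# Constructed `show interfaces openvpn vtun0` listing: the post's settings plus the
# tls-auth option from the Windows 10 server config (the server holds direction 0).
SAMPLE_SHOW_OUTPUT = """\
 encryption aes256
 hash sha256
 openvpn-option "--port 1194"
 openvpn-option "--comp-lzo yes"
 openvpn-option "--tls-auth /config/auth/ta.key 0"
 server {
     subnet 10.10.10.0/24
 }
"""

# Constructed stand-ins for cacert.pem, client1.pem and client1-decrypted.key.
SAMPLE_FILES = {
    "ca": "-----BEGIN CERTIFICATE-----\n(constructed CA cert)\n-----END CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----\n(constructed client1 cert)\n-----END CERTIFICATE-----",
    "key": "-----BEGIN RSA PRIVATE KEY-----\n(constructed client1 key)\n-----END RSA PRIVATE KEY-----",
}

def parse_server_options(show_output):
    """Pull the settings a client has to mirror out of the router's vtun0 listing."""
    opts = {"cipher": None, "auth": None, "port": "1194", "comp_lzo": False, "tls_auth_dir": None}
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("encryption "):
            word = line.split()[1]
            opts["cipher"] = EDGEOS_CIPHERS.get(word, word)
        elif line.startswith("hash "):
            word = line.split()[1]
            opts["auth"] = EDGEOS_HASHES.get(word, word.upper())
        elif line.startswith("openvpn-option "):
            opt = line[len("openvpn-option "):].strip('"')
            if (m := re.fullmatch(r"--port (\d+)", opt)):
                opts["port"] = m.group(1)
            elif opt.startswith("--comp-lzo"):
                opts["comp_lzo"] = not opt.endswith(" no")
            elif (m := re.fullmatch(r"--tls-auth \S+ ([01])", opt)):
                opts["tls_auth_dir"] = int(m.group(1))
    return opts

def build_client_profile(remote_host, server, full_tunnel=True, inline=None):
    """Build client1.ovpn; `inline` embeds the PEM files in <ca>/<cert>/<key> tags."""
    lines = ["client", "dev tun", "proto udp", f"remote {remote_host} {server['port']}",
             f"cipher {server['cipher']}", f"auth {server['auth']}", "resolv-retry infinite"]
    if full_tunnel:                         # leave this line out for split-tunnel
        lines.append("redirect-gateway def1")
    lines.append("nobind")
    if server["comp_lzo"]:                  # compression must match on both ends
        lines.append("comp-lzo yes")
    lines += ["persist-key", "persist-tun", "user nobody", "group nogroup", "verb 3"]
    if server["tls_auth_dir"] is not None:  # server direction 0 -> client direction 1
        client_dir = 1 - server["tls_auth_dir"]
        if inline and "tls-auth" in inline:
            lines.append(f"key-direction {client_dir}")
        else:
            lines.append(f"tls-auth ta.key {client_dir}")
    if inline is None:
        lines += ["ca cacert.pem", "cert client1.pem", "key client1-decrypted.key"]
    else:
        for tag in ("ca", "cert", "key", "tls-auth"):
            if tag in inline:
                lines += [f"<{tag}>", inline[tag].strip(), f"</{tag}>"]
    return "\n".join(lines) + "\n"

def check_profile(profile_text, server):
    """List client settings that disagree with the server; any one causes a TLS error."""
    opts, in_block = {}, False
    for line in profile_text.splitlines():
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block and line.strip():
            key, _, value = line.partition(" ")
            opts[key] = value
    problems = []
    for key in ("cipher", "auth"):
        if opts.get(key) != server[key]:
            problems.append(f"{key}: client has {opts.get(key)!r}, server uses {server[key]!r}")
    if opts.get("remote", "").split()[-1:] != [server["port"]]:
        problems.append(f"remote: {opts.get('remote')!r} does not end in server port {server['port']}")
    if ("comp-lzo" in opts) != server["comp_lzo"]:
        problems.append("comp-lzo: must be set on both sides or on neither")
    if server["tls_auth_dir"] is not None:
        want = str(1 - server["tls_auth_dir"])
        got = opts.get("key-direction") or opts.get("tls-auth", "").split(" ")[-1]
        if got != want:
            problems.append(f"tls-auth: client direction {got!r}, server {server['tls_auth_dir']} needs client {want}")
    return problems
```

Feed it the real output of `show interfaces openvpn vtun0` and the contents of the three files from /config/auth to produce a profile that can be copied to a client as one file.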

    Distribute keys

    You’ll need to move the following files from the router, to your client(s). All four files should be saved in the same folder/location on your client.

    • cacert.pem (CA certificate)
    • client1.pem (client1 certificate)
    • client1-decrypted.key (client1 key)
    • client1.ovpn (client1 configuration)

    You should use SFTP, SSH, or SCP to move the files to your client(s). DO NOT EMAIL THESE FILES TO YOURSELF!

    Client setup

    Android

    In this case, I’m going to be using the official OpenVPN Android app.

    Once installed, tap on the Option button, then tap on Import, then tap on Import Profile from SD Card.


    Browse to the client1.ovpn file and import it into the OpenVPN Connect app.


    The profile should be imported successfully, and you should be able to see your server’s name. Click Connect to establish a connection.


    Verify your connection on the next screen.


    iOS

    In this case, I’m going to be using the official OpenVPN iOS app.

    You should use iTunes to move the files to your iOS device, since emailing them is not secure. An example of how to transfer files with iTunes is shown here.

    Windows 10

    If you’re using a Windows client, check out Randy’s .ovpn file!

    Commenter Chris was nice enough to email me a configuration for Windows 10, shown below. For certificate/key generation he used this guide instead of the built-in scripts.

    Server

    xxxxx@xxxxx# show interfaces openvpn vtun0
     description "OpenVPN Server"
     encryption aes256
     hash sha256
     mode server
     openvpn-option "--port xxxx"
     openvpn-option --tls-server
     openvpn-option "--comp-lzo yes"
     openvpn-option --persist-key
     openvpn-option --persist-tun
     openvpn-option "--keepalive 10 120"
     openvpn-option "--user nobody"
     openvpn-option "--group nogroup"
     openvpn-option "--tls-auth /config/auth/ta.key 0"
     openvpn-option "--tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA"
     server {
         name-server 10.10.0.1
         push-route 10.10.0.0/24
         push-route 0.0.0.0/0
         subnet 10.10.10.0/24
     }
     tls {
         ca-cert-file /config/auth/ca-chain.cert.pem
         cert-file /config/auth/openvpn.host.cert.pem
         dh-file /config/auth/dh2048.pem
         key-file /config/auth/openvpn.host.key.pem
     }

    Client (Win10)

    pull
    tls-client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx xxxx
    cipher AES-256-CBC
    tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    auth SHA256
    resolv-retry infinite
    redirect-gateway def1
    nobind
    comp-lzo yes
    persist-key
    persist-tun
    verb 3
    ca ca-chain.cert.pem
    cert openvpn.client01.cert.pem
    key openvpn.client01.key.pem
    tls-auth ta.key 1

    Verify connection

    Try to browse a public site (e.g., www.google.com), then try to browse to your router’s IP (e.g., 10.10.2.1). If everything is setup correctly, both should load. You can also check your IP with an external tool, such as WhatIsMyIP, and you should see your router’s public IP. I’d also advise to check for DNS leaks (your DNS should be set to the DNS servers we set on the router).

    Speedtest

    On a Nexus 5 on AT&T LTE, I get 25.61Mbps down, and 23.37Mbps up.

    When connected to the VPN while on the same LTE, I get 11.52Mbps down and 5.35Mbps up. Not great, but certainly not bad.

    Backup CA

    Thanks to Axel for pointing this out. You should backup the entire /usr/lib/ssl/misc directory because it is wiped on a firmware upgrade, and you won’t be able to create any new certificates without creating a new CA from scratch.

    cp -r /usr/lib/ssl/misc /config/

    Then, after an upgrade, you can restore the misc directory from /config back to /usr/lib/ssl.

    Let me know how you setup OpenVPN!

    Logan

    95 thoughts on “EdgeRouter Lite OpenVPN setup”

      • Glad to help!

        I’ve never used it, but it seems like a good idea! It seems like there is a configuration for it (shared-secret-key-file). You’d have to find a way to get it to your clients in a secure manner.
        shared-secret-key-file
        File containing the secret key shared with remote end of tunnel

    1. Thanks for the great directions! You rock. Really.

      One small error:

      “client1.conf (client1 configuration)” -> I assume you mean client1.ovpn

      Also, do you know how to bundle the keys and all into a single OVPN file? This makes it easier to import into OpenVPN.

      • Updated, thank you!

        What you’re referring to is unified format. Check out this page, about 1/3 of the way down. Just a heads up, some clients may not like that format and may require separate files.

    2. Hi Logan,

      Great guide! Thanks for explaining each step – helps me know what I’m doing as I’m going along.

      Question:
      Do you know configuration changes I would need to make in order to make this setup a split tunnel configuration? E.g. internet connectivity goes through my local connection, and then the VPN traffic(e.g. access a file server) goes through the the VPN?

    3. Hey logan,
      I stuffed up on the first step when putting in,

      cd /usr/lib/ssl/misc/
      ./CA.sh -newca

      I stuffed up when I entered the password the second time, and it looks like it failed creating the /usr/lib/ssl/misc/demoCA/cacert.pem file. Is there a way I can restart the process?
      I did try, but it’s just not creating the missing file.

        • I am very much a noob when it comes to the CLI,
          I did run it and it shows.
          root@ubnt:~# ls -la
          total 13
          drwxr-xr-x 1 root root 4096 Aug 30 16:38 .
          drwxr-xr-x 1 root vyattacf 4096 Aug 30 16:38 ..
          -rw-r--r-- 1 root root 206 May 28 16:01 .bashrc
          -rw-r--r-- 1 root root 140 Nov 19 2007 .profile
          -rw------- 1 root root 1024 Aug 30 16:42 .rnd

          so I don’t know what any of that means.

          I will keep looking online to see what I can find.
          Thanks for any help 🙂

          • Sorry, you need to move to the directory first.

            cd /usr/lib/ssl/misc/
            ls -la

            Also, if you’re not familiar with the CLI, the EdgeRouter may not be the router for you.

    4. Hello, I really like reading your tutorial, you take your time to explain things so even a newbie like me could make it, so thanks for that lol. Have you ever tried to use OpenVPN as a server in the cloud? I see AWS has instances set up for that. I was thinking about running one and connecting several EdgeRouters from different locations to it as clients, for remote access to each of them separately from time to time.

      What would be the best configuration on both parts? I keep looking around but don’t see any tutorial on this case! Thanks for your thoughts

    5. Hi,

      after I run this line:
      openssl dhparam -out /config/auth/dh2048.pem -2 2048

      It took 3-4 Hours instead of 5-10mins, is this normal?

      I didn’t want to proceed just incase

    6. Your client configuration worked in Windows 10 for me. I started by toying with the client configuration by comparing it to an old OpenVPN setup I had but in the end used the same conf you have. Thanks for such a straight forward tutorial.

      client
      dev tun
      proto udp
      remote server.com 443
      cipher AES-256-CBC
      auth SHA256
      resolv-retry infinite
      redirect-gateway def1
      nobind
      comp-lzo yes
      persist-key
      persist-tun
      user nobody
      group nogroup
      verb 3
      ca cacert.pem
      cert client1.pem
      key client1-decrypted.key

    7. Would be nice if you add the index.* files and serial to your copy action. So you can recreate the demoCA dir. So if you need to add a client you don’t have to start from scratch as I now have to do.

    8. This is really an excellent tutorial on OpenVPN. I followed your instructions and it worked. I used windows 7 OpenVPN client.

      OpenVPN supports both certificate authentication and username/password authentication. Based on OpenVPN doc, “When combined together, both valid certificates and valid credentials are required, which improves security. “.

      Do you know how to add username+password authentication to your OpenVPN configuration on EdgeMax routers?

      It might relate to:
      plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
      or
      --auth-user-pass-verify cmd method

      I just could not figure out how.

      • Shane, unfortunately, I don’t know how to add it. I believe the PAM plugin would be to authenticate with a username/password on the ERL itself. According to the docs, --auth-user-pass-verify should do it.

        You may need to add a line to the client config as well.
        --auth-user-pass [up]
        Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h).
        If up is omitted, username/password will be prompted from the console.
        The server configuration must specify an --auth-user-pass-verify script to verify the username/password provided by the client.

    9. A couple of words regarding tls-auth 🙂
      You may use it via
      set interfaces openvpn vtun0 openvpn-option "--tls-auth 0"
      for example
      openvpn-option "--tls-auth /config/auth/static.key 0" at the server side
      and
      --tls-auth 1 in client config
      or
      remote-cert-tls server
      key-direction 1

      -----BEGIN OpenVPN Static key V1-----
      -----END OpenVPN Static key V1-----

      in ovpn file
      I had to remove hash256 to make it work
      Also some options may be omitted like
      set interfaces openvpn vtun0 openvpn-option --tls-server
      you may check which options are sent twice via ps|grep

    10. If I accidentally forgot to backup /usr/lib/ssl/misc during a firmware upgrade, is there some way to recover the index.txt and serial files needed to create new client certs? I was able to grab the CA certs and key from /config/auth but it seems that isn’t enough.

      • Unfortunately, no (unless you get some forensic tools to recover data from deleted portions of the filesystem). I got bit by this as well and had to create a new CA. Now, I backup /usr/lib/ssl before an upgrade.

    11. Nice ERL blog you got here, for us that are fond of the UBNT ERL series.
      – I was looking around for a faster way to do SITE2SITE – IPsec throttling above 150Mps, when I dropped into your blog, but have to admit it’s like believing in Santa that Ubiquiti will release some faster below USD100 routers that have optimized ASICs…

      Maybe the Calculator people who won the battle of now releasing new stuff until the market is fed up waiting..

      I’ve been running the expensive stuff for yrs (like Junos +++), and do fancy more the VyOS fork than the MikroTik OS shit when looking for the best bang for the buck. A bit disappointing with the slow release of new firmware since Stig quit the dev department. What a shame for Ubiquiti 🙁

      But hopefully they will – give the community more power, better OS and bang for the buck in the future.

      I wish that EdgeOS also will have more power for coping with black-list IPs and services that make it easier to set up, and more RAM for routing tables.. ++

      Edgemax is the poor man’s stuff for crowd-blocking the DDoS from growing spammers..

      If they manage to make the firmware better for doing that OUTofTHEbox!

    12. First, great set of blogs on configuring the ERL. It has been very helpful. Thanks for providing them.

      I am planning on replacing an existing NGFW/Router with the ERL and I am slightly confused on the settings and rules I may need to recreate. Specifically for OpenVPN access. I currently have an OpenVPN server in my network (using Synology OpenVPN). I am assuming that because I already have the server and the client certs generated, I can just skip to the setting up the firewall sections of your instructions? Do I still need to create the interface?

      In my configuration I have Verizon FIOS as well. My network setup is as follows:

      Verizon router -> External interface on NGFW (192.168.x.x) -> Internal Interface on NGFW (192.168.y.y) -> Ethernet switch for internal network
      (Hopefully that makes sense) The OpenVPN server sits on the internal network and both the Verizon router and the NGFW have the OpenVPN port forwarded to the IP Address of the server. I use the Tunnelblick client on my Mac to access the VPN. I also already have the Dyn setup on the FIOS router. I had to use destination NAT for the port forwarding on the NGFW. I am assuming that is not the case on the ERL. Please let me know if I am not explaining anything correctly.

      • Thanks, glad to help!

        Sounds like the hard work is already done, you just need to swap out the router/firewall. So you’re double-NATed, right? You have the FiOS router in front, then the ERL behind it? If that’s the case, you can skip the firewall section for the ERL (assuming you use/trust the FiOS firewall). Although, it wouldn’t hurt to run two firewalls. You don’t need an interface for vtun0 on the ERL, since the Synology runs OpenVPN. The OpenVPN traffic is just passing through the ERL.

        Just thinking out loud, I think all you need to do is forward the port (assuming you’re using 1194) through the ERL to the Synology. Something like this just says “forward 1194 to 1194 on 192.168.2.25”.
        port-forward {
            auto-firewall enable
            hairpin-nat enable
            lan-interface eth1
            rule 10 {
                description "Forward VPN to Synology"
                forward-to {
                    address 192.168.2.25
                    port 1194
                }
                original-port 1194
                protocol udp
            }
            wan-interface eth0
        }

        If you run into issues, just tail the logs and grep for that port.
        tail -f /var/log/messages | grep 1194

        • Logan,

          Thanks for getting back to me so quickly. You are correct, I am double NAT-ed thanks to Verizon and the crazy way they configure their media server stuff. (I have FIOS TV as well as their internet service, have never been able to change the default IP addressing scheme on the FIOS router because the media server is hard coded to look for their default address. Stupidest thing I’ve ever heard of, if you know a way around that, I’m all ears).

          I don’t mind running two FW’s but I’ll try your suggested config first and see where it takes me. I’m glad I was thinking along the correct path too, thanks for confirming.

    13. I am running into some issues and was hoping for some sage advice. I ran through all the steps, everything went smoothly, no errors. Grabbed the keys off the router via sftp, made an openvpn profile with the configs above, but I am getting a tls error and it won’t connect. Any suggestions? Here is my client config:

      client
      dev tun
      proto udp
      remote xxx.xxx.xxx.xxx 443
      cipher AES-256-CBC
      auth SHA256
      resolv-retry infinite
      redirect-gateway def1
      nobind
      comp-lzo yes
      persist-key
      persist-tun
      user nobody
      group nogroup
      verb 3
      ca cacert.pem
      cert john.pem
      key john-decrypted.key

      When running show interfaces in the CLI I get this under vtun0
      openvpn vtun0 {
          description "OpenVPN Server"
          encryption aes256
          hash sha256
          mode server
          openvpn-option "--port 1194"
          openvpn-option --tls-server
          openvpn-option "--comp-lzo yes"
          openvpn-option --persist-key
          openvpn-option --persist-tun
          openvpn-option "--keepalive 10 120"
          openvpn-option "--user nobody"
          openvpn-option "--group nogroup"
          server {
              name-server 10.10.2.1
              push-route 10.10.2.0/24
              subnet 10.10.10.0/24
          }
          tls {
              ca-cert-file /config/auth/cacert.pem
              cert-file /config/auth/host.pem
              dh-file /config/auth/dh2048.pem
              key-file /config/auth/host-decrypted.key

    14. Something I’d like to add. I had some issues with accessing network shares unless I did a full tunnel. I didn’t want the internet traffic to be going over the vpn, as my main purpose is for file sharing, not anything else. So I found that I could add
      route 0.0.0.0 192.0.0.0 net_gateway
      route 64.0.0.0 192.0.0.0 net_gateway
      route 128.0.0.0 192.0.0.0 net_gateway
      route 192.0.0.0 192.0.0.0 net_gateway

      to the openvpn config and everything worked. I referenced this article
      https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

      I figured I’d drop this here in case anyone finds it useful. Thanks for the great walkthrough.

    15. Logan thanks a million for the amazing write-ups. These instructions worked right out of the box for me too, and are clear and super straightforward.

      As you note, “The VPN subnet can’t be the same as your LAN subnet.”

      As given, I can join my LAN from a device on openvpn and use dns for explicit routing to systems on my LAN, but has anyone tried (or, hopefully, succeeded) in setting up some sort of masquerade to bridge vtun0 to eth1 so they’re in the same broadcast domain?

      What I want are random apps (like smartthings and the like) to work remotely over openvpn… any advice?

    16. Excellent Guide for sure! Do I need to poke a hole on my Cable Modem? If so, can you please recommend which ports I should open.

      • Glad to help! I’m thinking about running an OpenVPN client on my ERL, so I might use some of your config if I set it up.

    17. To embed the certs, simply place the Base64 encoded cert text into the respective <ca>, <cert> and <key> tags in your .ovpn config file and comment out the “ca”, “cert” and “key” keywords.

      ******************
      client
      remote my-server 1194
      proto udp
      dev tun
      persist-key
      persist-tun
      resolv-retry infinite
      nobind
      #ca ca.crt
      #cert client.crt
      #key client.key
      comp-lzo
      verb 3

      <ca>
      -----BEGIN CERTIFICATE-----
      ***Paste CA Cert Text Here***
      -----END CERTIFICATE-----
      </ca>

      <cert>
      -----BEGIN CERTIFICATE-----
      ***Paste Your Cert Text Here***
      -----END CERTIFICATE-----
      </cert>

      <key>
      -----BEGIN PRIVATE KEY-----
      ***Paste Your Cert Private Key Here***
      -----END PRIVATE KEY-----
      </key>

      ************************

    18. I have implemented this on my EdgeRouter and have tested with my iPhone GREAT INSTRUCTIONS. I want to also use with my Win10 laptop.

      1) How do you create the ta.key on the EdgeRouter?

      2) How does that get implemented into the iOS setup?

    19. Hi Logan,

      Thanks for the step-by-step, it is great!! I am getting the error ” OpenVPN configuration error: Specified cert-file “/config/auth/host.pem” is not valid. ” I have tried to recreate the host.pem file but I still get the error. Any thoughts?

      Thanks

      Tim

      • Did you sign the key before you moved it? Also, make sure the actual file location matches what you have in your config.

    20. Thanks Logan,
      You were right on with the signing of the key. Oh the joy of copy-and-paste 🙂 I didn’t notice that the cli had kicked me out the step prior to the signing. New to the ubnt world and am really getting to like the edge router and switch.
      I made the mistake of getting a unifi switch, as well which I can’t configure without all of the other cloud software. I’m using it like an expensive hub now 🙁 Again thanks and I enjoy reading your blog,
      R/
      Tim

      • Glad it worked!

        You can host the controller on your desktop temporarily (Win/Mac/Ubuntu/Debian) until you find a more permanent home for it. I host mine on a VM, but a RPi3 will work, as well as a VPS. Ubiquiti also sells the Cloud Key, which is basically a Linux device that hosts the controller locally.

    21. Incredibly helpful–thank you! I came back to your site a year later after my certificates expired and was able to get my EdgeRouter X-SFP OpenVPN server back up and running (with longer expiration dates).

    22. How to check certificate expiration date? Check cacert.pem file? In my configuration, it says:

      Validity
      Not Before: Jan 16 11:21:55 2017 GMT
      Not After : Jan 16 11:21:55 2020 GMT

      It seems to have 3 years lifespan. Any other certificates to check?

      Thanks again for your wonderful blog. It is very helpful.

      • You can use the command below. Each .pem file will have an expiration date (in my guide, you’ll need to check the CA, host, and client files).
        openssl x509 -dates -noout -in /path/to/cert.pem

    23. I just found client1.pem and host.pem expire in 1 year. For the client.pem, I can easily generate a new one by following your instruction. How about host.pem?

      How to generate these certificates with longer validity time?

      • I found CA.sh uses the environment variables DAYS and CADAYS; the defaults are 1 year and 3 years respectively. I guess we just need to set up those environment variables before generating certificates. Could you please confirm?

      • The host and client certificates aren’t any different, they are the same thing, we’re just calling one “host” and one “client”. So, you can generate a new host certificate just like a new client certificate, just rename it to “host” when you’re done.
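      Checking all three certificates at once, as an added example that is not part of the original post or the guide: the script below parses the `notBefore=`/`notAfter=` lines that `openssl x509 -dates -noout` prints (the same validity window the commenter quoted above, in the layout the `-dates` flag uses) and reports how many days the CA, host and client files have left, flagging anything already expired or not yet valid. The file names cacert.pem, host.pem and client1.pem are assumptions taken from the guide, and the sample output embedded in the script is constructed.

```python
"""Report the remaining validity of the OpenVPN CA, host and client certificates.

Added example, not code from the original post. It parses the two lines that
`openssl x509 -dates -noout -in cert.pem` prints and computes days remaining.
"""
import subprocess
from datetime import datetime, timezone

# Constructed sample output of `openssl x509 -dates -noout`, one entry per file.
# The CA dates mirror the 3-year window quoted in the comment above; host and
# client get the 1-year default the next comment describes. File names are
# assumptions taken from the guide.
SAMPLE_DATES = {
    "cacert.pem": "notBefore=Jan 16 11:21:55 2017 GMT\nnotAfter=Jan 16 11:21:55 2020 GMT\n",
    "host.pem": "notBefore=Jan 16 11:25:10 2017 GMT\nnotAfter=Jan 16 11:25:10 2018 GMT\n",
    "client1.pem": "notBefore=Jan 16 11:30:00 2017 GMT\nnotAfter=Jan 16 11:30:00 2018 GMT\n",
}


def parse_openssl_date(value):
    """Parse 'Jan 16 11:21:55 2017 GMT' (openssl pads a single-digit day with
    an extra space, e.g. 'Jan  6 ...') into an aware UTC datetime."""
    value = value.strip()
    if not value.endswith(" GMT"):
        raise ValueError("unexpected timezone in %r" % value)
    naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(text):
    """Return (not_before, not_after) from `openssl x509 -dates -noout` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields[key] = parse_openssl_date(val)
    if "notBefore" not in fields or "notAfter" not in fields:
        raise ValueError("missing notBefore/notAfter in output")
    return fields["notBefore"], fields["notAfter"]


def days_remaining(text, now):
    """Return (days until notAfter, currently valid). Days go negative once the
    certificate has expired; 'valid' is also False before notBefore."""
    not_before, not_after = parse_dates_output(text)
    remaining = (not_after - now).total_seconds() / 86400
    return int(remaining), not_before <= now <= not_after


def check_files(paths, now=None):
    """Run openssl on real files and return {path: (days, valid)}."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for path in paths:
        out = subprocess.run(
            ["openssl", "x509", "-dates", "-noout", "-in", path],
            check=True, capture_output=True, text=True,
        ).stdout
        report[path] = days_remaining(out, now)
    return report


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in check_files([...]) on a router
    # or workstation that has the .pem files and openssl available.
    as_of = datetime(2018, 6, 1, tzinfo=timezone.utc)
    for name, text in SAMPLE_DATES.items():
        days, valid = days_remaining(text, as_of)
        state = "valid" if valid else "NOT VALID"
        print("%-12s %s, %d days remaining" % (name, state, days))
```

Run it with the real paths (for example `check_files(["/config/auth/cacert.pem", "/config/auth/host.pem"])`) on a host that has openssl; the constructed sample is only there so the parsing can be exercised offline.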

    24. I’ve found it difficult to get the 4 files over to the OpenVPN app on an iPhone. Immensely easier to embed into the ovpn and just get the one file across. The note above by Tim seems good, but I wanted to update what worked for me specifically on an up to date iPhone/iOS (July 2018).

      To embed the certs and keys, simply place the appropriate text from each cert/key into the respective tags in your .ovpn config file. Example draft text is below (you can use this to create your ovpn file).

      #******************
      client
      dev tun
      proto udp
      remote MY-SERVER 1194
      cipher AES-256-CBC
      auth SHA256
      resolv-retry infinite
      redirect-gateway def1
      nobind
      comp-lzo yes
      persist-key
      persist-tun
      user nobody
      group nogroup
      verb 3

      <ca>
      -----BEGIN CERTIFICATE-----
      ***Paste CA Cert Text Here***
      -----END CERTIFICATE-----
      </ca>

      <cert>
      -----BEGIN CERTIFICATE-----
      ***Paste Your Cert Text Here***
      -----END CERTIFICATE-----
      </cert>

      <key>
      -----BEGIN PRIVATE KEY-----
      ***Paste Your RSA Private Key Here***
      -----END PRIVATE KEY-----
      </key>

      #************************

    25. Thanks for the post, really useful. I followed all the steps and I was able to connect using Android, everything works, I see the traffic in the dashboard.

      The only thing I can’t make work is connecting to IP addresses that belong to my home network. I type them in the browser but nothing. I followed the very same IP address schema in your post but no luck. What do you think I am missing?

      • Did you push a route on the server? Also, did you reboot the ERL?
        set interfaces openvpn vtun0 server push-route 10.10.2.0/24

        • Yes. My home subnet is 10.10.0.0/24 and the VPN subnet is 10.10.10.0/24. From a client I can successfully query my internal DNS and it works (I have some custom domain names) but I can’t reach any device in my local network. I did reboot the ERL but nothing.

          • What client OS are you using? Windows?
            Can you not even ping a device on your home network while on the VPN?

    26. Thank you for the guide! I managed to create an Android client, and it works!
      But I cannot make a Windows 10 client. I don’t understand what the needed steps are to make a Windows 10 client?

    27. Hey Logan.
      I have seen it, but it’s unclear to me what changes I have to make in order to connect with a Windows client?
      I followed your guide and successfully connected with an Android device, but I am unable to connect with the same certificate on a Windows machine.
      Do I have to create a new cert? Is there anything I have to change on the EdgeRouter itself?
      Thank you for your patience.

      • The certificate files are the same. For the server, you may need to push a route for 0.0.0.0.
        push-route 0.0.0.0/0

        What client on the Windows machine are you using and what error messages are you receiving in the logs?

    28. Here is the error log

      Tue Aug 21 15:25:40 2018 NOTE: --user option is not implemented on Windows
      Tue Aug 21 15:25:40 2018 NOTE: --group option is not implemented on Windows
      Options error: --ca fails with 'cacert.pem': No such file or directory (errno=2)
      Options error: --cert fails with 'bb1.pem': No such file or directory (errno=2)
      Tue Aug 21 15:25:40 2018 WARNING: cannot stat file 'bb1-decrypted.key': No such file or directory (errno=2)
      Options error: --key fails with 'bb1-decrypted.key': No such file or directory (errno=2)
      Options error: Please correct these errors.
      Use --help for more information.

      • Seems like it can’t find your certs. Did you move the certs to the Windows client? Also, try embedding the certs directly in the .ovpn file.

    29. I tried that already, when I embed all certs here is the error log

      Tue Aug 21 15:32:29 2018 NOTE: --user option is not implemented on Windows
      Tue Aug 21 15:32:29 2018 NOTE: --group option is not implemented on Windows
      Tue Aug 21 15:32:29 2018 ERROR: Endtag missing
      Tue Aug 21 15:32:29 2018 Exiting due to fatal error

      • Looks like you’re missing something at the end of one of your certificates. A closing bracket or some whitespace maybe?
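      Building the inline profile and checking it before it is copied to a phone or a Windows box, as an added example that is neither Randy’s template above nor the author’s code: the script assembles the `<ca>`, `<cert>` and `<key>` blocks from separate PEM files the way the template in comment 24 does, then verifies that every block has its end tag (the condition behind the “ERROR: Endtag missing” log above) and that each body is a complete PEM BEGIN/END pair, which catches a certificate that lost its last line in a copy-and-paste. It leaves out the `user`/`group` lines, which OpenVPN on Windows only reports as not implemented. The PEM bodies are constructed placeholders, not real key material, and MY-SERVER is the placeholder from the template.

```python
"""Assemble an .ovpn with inline <ca>/<cert>/<key> blocks and validate it.

Added example, not code from the original post. Validation mirrors the two
things OpenVPN rejects: a missing end tag and a malformed PEM body.
"""
import re

# Constructed, obviously fake PEM material standing in for cacert.pem,
# client1.pem and client1-decrypted.key from the guide.
FAKE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n"

# Client options from the template above, minus user/group (Windows ignores them).
BASE_OPTIONS = """client
dev tun
proto udp
remote MY-SERVER 1194
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
redirect-gateway def1
nobind
comp-lzo yes
persist-key
persist-tun
verb 3
"""

INLINE_TAGS = ("ca", "cert", "key")

# A PEM block: BEGIN line, one or more base64 lines, matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----$")


def build_profile(ca_pem, cert_pem, key_pem, options=BASE_OPTIONS):
    """Return the text of a single-file profile with the three inline blocks."""
    blocks = {"ca": ca_pem, "cert": cert_pem, "key": key_pem}
    parts = [options.rstrip("\n")]
    for tag in INLINE_TAGS:
        body = blocks[tag].strip() + "\n"  # exactly one newline before the end tag
        parts.append("<%s>\n%s</%s>" % (tag, body, tag))
    return "\n".join(parts) + "\n"


def validate_profile(text):
    """Return a list of problems; an empty list means the inline blocks are well formed."""
    problems = []
    for tag in INLINE_TAGS:
        opens = text.count("<%s>" % tag)
        closes = text.count("</%s>" % tag)
        if opens == 0:
            problems.append("missing <%s> block" % tag)
            continue
        if opens != closes:
            problems.append("<%s>: end tag missing" % tag)
            continue
        m = re.search(r"<%s>\n(.*?)\n</%s>" % (tag, tag), text, re.S)
        if m is None:
            problems.append("<%s>: tag not on its own line" % tag)
        elif not PEM_RE.match(m.group(1)):
            problems.append("<%s>: body is not a complete PEM block" % tag)
    return problems


def build_from_files(ca_path, cert_path, key_path):
    """Read real files (assumed paths) and return (profile, problems)."""
    with open(ca_path) as f_ca, open(cert_path) as f_cert, open(key_path) as f_key:
        profile = build_profile(f_ca.read(), f_cert.read(), f_key.read())
    return profile, validate_profile(profile)


if __name__ == "__main__":
    profile = build_profile(FAKE_CA, FAKE_CERT, FAKE_KEY)
    print(profile)
    print("problems:", validate_profile(profile) or "none")
```

On a real workstation call `build_from_files("cacert.pem", "client1.pem", "client1-decrypted.key")` and write the returned profile out only when the problem list is empty; the placeholders in the script exist so the checks can be exercised offline.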

    30. I copied the cert file from the Android device, and edited the .ovpn file like Randy’s, also changed Randy’s file with my IP address and port, and client cert name.

      • I would attempt to make a .ovpn file from scratch, instead of copying/pasting Randy’s. Just use Randy’s as a guide.

    31. Finally managed to connect!
      The problem was I saved a folder with the certs in the root of the C: drive; when I moved the folder to C:\Users\USER\OpenVPN\config and edited with Randy’s ovpn template, everything works!
      Thanks a lot for your patience!
