#edgerouter
Create CA
First, you’ll need to become root.
sudo su -
Next, move into the necessary directory and create a new CA certificate.
cd /usr/lib/ssl/misc/
./CA.sh -newca
Once this completes, you’ll have a new directory called demoCA. The two most important files in it are:
private/cakey.pem – the CA’s private key (keep this secret; anyone holding it can issue certificates your VPN will trust)
cacert.pem – the CA certificate, i.e. the CA’s public half (you’ll be giving this out to your clients so they can verify the server)
Create server certificate
Next, we’ll generate a key pair and certificate request for the server. The Common Name (CN) of your server certificate should be unique among everything this CA signs (I used my dynamic DNS name).
./CA.sh -newreq
Once this completes, you’ll have two new files in the current directory:
newkey.pem – the server’s private key, encrypted with the passphrase you entered (keep this secret)
newreq.pem – the certificate signing request (CSR): the server’s public key plus its subject, not yet signed by anyone (this needs to be signed by your CA)
Now, sign the request.
./CA.sh -sign
You’ll have one more file:
newcert.pem – the server certificate, i.e. the server’s public key signed by your CA
Move files
I recommend copying the important files to /config, which survives a firmware upgrade (anything under /usr/lib/ssl/misc does not). The CA files are copied rather than moved because CA.sh keeps using demoCA (its index, serial and key) to sign further requests; the server files are moved and renamed. Keep the private keys readable only by root.
cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
mv /usr/lib/ssl/misc/newcert.pem /config/auth/host.pem
mv /usr/lib/ssl/misc/newkey.pem /config/auth/host.key
DH parameters
Next, generate Diffie-Hellman (DH) parameters. OpenVPN’s TLS control channel uses them for an ephemeral DH key exchange, which is what gives you Perfect Forward Secrecy (PFS). Expect this to take 5-10 minutes with one CPU at 100%.
openssl dhparam -out /config/auth/dh2048.pem -2 2048
A good explanation of DH parameters and why you need them is located here.
Create user certificate(s)
Next, generate a request and sign it for a new user certificate. The Common Name (CN) of your user certificate should be unique (I used my client’s host name); by default the CA refuses to sign a second request with a subject it has already issued. CA.sh writes to newkey.pem and newreq.pem again, so make sure the previous files have been moved out of the way first (the server files were moved above).
./CA.sh -newreq
./CA.sh -sign
Move the new files into your preserved directory while renaming them.
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
Repeat this as necessary for each client.
Decrypt keys
You’ll need to remove the passphrase from the host key so that OpenVPN can load it unattended at boot instead of stopping to prompt for it. Doing the same for the client keys is a convenience; most clients can prompt for a passphrase, so you can leave those encrypted if you prefer. The decrypted keys must be protected as carefully as the originals.
openssl rsa -in /config/auth/host.key -out /config/auth/host-decrypted.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-decrypted.key
Repeat this as necessary for each client(s).
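To see the certificate steps end to end and check the result before pointing OpenVPN at the files, here is an added example (not from the original post) that does with plain openssl commands what CA.sh -newca, -newreq and -sign do above, strips the passphrases as in the Decrypt keys step, and then verifies each certificate chains to the CA, that each decrypted key is really unencrypted, that it belongs to its certificate, and that it is readable only by its owner. It assumes a scratch directory instead of /config/auth, a placeholder passphrase and made-up hostnames in the subjects. It also adds an extendedKeyUsage to each certificate (serverAuth for the server, clientAuth for clients), which the CA.sh procedure above does not add by default; with it, clients can use remote-cert-tls server and a stolen client certificate cannot pose as the server.

```shell
#!/bin/sh
# Added example (not from the original post): build the same three-piece PKI
# (CA, server certificate, client certificate) with plain openssl commands
# instead of CA.sh, strip the key passphrases, then check the result.
# Assumptions: scratch directory instead of /config/auth, throw-away
# passphrase, invented hostnames in the subjects.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # stand-in for /config/auth
PASS="${PASS:-scratch-pass}"   # assumed passphrase for the encrypted keys

# make_pki DIR: create cacert.pem/cakey.pem, then for host and client1 a
# passphrase-protected key, a CSR, a CA-signed certificate and a decrypted key.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Self-signed CA, 10 years, key encrypted under $PASS (like CA.sh -newca).
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
        -subj "/CN=homelab-ca" -passout "pass:$PASS" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
    for name in host client1; do
        # Server gets serverAuth, clients get clientAuth, so a client
        # certificate is rejected by clients configured with
        # "remote-cert-tls server".
        if [ "$name" = host ]; then eku=serverAuth; else eku=clientAuth; fi
        printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.ext"
        # Key pair + request (like CA.sh -newreq); the key stays encrypted.
        openssl req -new -newkey rsa:2048 -sha256 \
            -subj "/CN=$name.example.net" -passout "pass:$PASS" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        # Sign the request with the CA (like CA.sh -sign).
        openssl x509 -req -in "$dir/$name.csr" -sha256 -days 365 \
            -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -passin "pass:$PASS" \
            -CAcreateserial -extfile "$dir/$name.ext" \
            -out "$dir/$name.pem" 2>/dev/null
        # Remove the passphrase so OpenVPN can load the key unattended.
        openssl rsa -in "$dir/$name.key" -passin "pass:$PASS" \
            -out "$dir/$name-decrypted.key" 2>/dev/null
        chmod 600 "$dir/$name.key" "$dir/$name-decrypted.key"
    done
}

# check_pki DIR NAME: return 0 only if NAME.pem chains to the CA, the decrypted
# key is really unencrypted, it is the key for that certificate, and nobody
# but the owner can read it.
check_pki() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.pem" >/dev/null 2>&1 || return 1
    if grep -q ENCRYPTED "$dir/$name-decrypted.key"; then return 1; fi
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/$name.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$name-decrypted.key" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    [ -n "$(find "$dir/$name-decrypted.key" -perm 600)" ] || return 1
}

make_pki "$WORK"
for n in host client1; do
    if check_pki "$WORK" "$n"; then echo "$n: OK"; else echo "$n: FAILED"; exit 1; fi
done
echo "files written to $WORK"
```

The modulus comparison is the quick way to catch the classic mistake of copying a key that belongs to a different certificate; openssl verify alone will not notice that. Run check_pki against the real files in /config/auth after the copy steps above.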
EdgeRouter setup
First, I would recommend exiting back to the normal ubnt user.
exit
whoami
Create interface
Now, we’ll create a new interface for the VPN and set a few options. Note that --persist-key and --persist-tun are what let the daemon keep working after it drops to nobody/nogroup, since an unprivileged process cannot re-read the key or reopen the tun device on a restart. --comp-lzo enables compression, which is convenient but is no longer recommended by the OpenVPN project because compressing encrypted traffic leaks information (the VORACLE class of attacks); leave it out unless you have a reason to keep it, and set the client to match.
configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 server subnet 192.168.105.0/24
set interfaces openvpn vtun0 server push-route 192.168.5.0/24
set interfaces openvpn vtun0 server name-server 192.168.5.254
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun0 tls key-file /config/auth/host-decrypted.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 openvpn-option "--port 1194"
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option "--comp-lzo yes"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save
Setup firewall
We’ll need to open a port in the firewall for OpenVPN. If you’re not using the standard port (1194/udp), change it appropriately.
configure
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description "OpenVPN"
set firewall name WAN_LOCAL rule 50 destination port 1194
set firewall name WAN_LOCAL rule 50 log enable
set firewall name WAN_LOCAL rule 50 protocol udp
commit
save
Set DNS
Tell the DNS forwarder to also answer requests arriving on the new vtun0 interface, so VPN clients can use the name-server pushed above.
configure
set service dns forwarding listen-on vtun0
commit
save
Setup client configuration
The client configuration will vary from client-to-client, but the configuration below should work for Android phones or Linux clients. If you’re using Windows, you’re going to have a tougher time, because it needs some extra options.