#edgerouter
– Login to your EdgeRouter by ssh with your default admin user/pwd information:
– Change to sudo shell
sudo -i
– Change to /config/auth/ and create an empty directory openvpn/keys. In this way any generated key and certificates are also part of backups/archives.
cd /config/auth/
mkdir openvpn
mkdir openvpn/keys
– Change to the directory /config/auth/openvpn/keys and create textfiles index.txt and serial.
cd /config/auth/openvpn/keys
touch index.txt
echo 00 > serial
– Change to the directory /config and create a directory openvpn. Then prerequisites for generating OpenVPN keys and certifications are made.
cd /config
mkdir openvpn
cd /config/openvpn
cp -p /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars ./
– Edit with vi the file /config/openvpn/vars.
cd /config/openvpn
vi ./vars
modifing the following lines and save it:
…
export EASY_RSA=”/usr/share/doc/openvpn/examples/easy-rsa/2.0″
…
export KEY_DIR=”/config/auth/openvpn/keys”
…
# export PKCS11_MODULE_PATH=”dummy” # commented out
# export PKCS11_PIN=”dummy” # commented out
…
export KEY_COUNTRY=”MyCountryCode” # e.g. “US”
export KEY_PROVINCE=”MyProvince”
export KEY_CITY=”MyCity”
export KEY_ORG=”MyOrganisationName”
export KEY_EMAIL=”admin@MyDomain.com”
export KEY_EMAIL=admin@MyDomain.com
export KEY_CN=gateway.MyDomain.com # can be some other gateway domain
export KEY_NAME=MyOrganisation_MyGatewayName # can be some other name
export KEY_OU=Operation
# export PKCS11_MODULE_PATH=changeme # commented out
# export PKCS11_PIN=1234 # commented out
– change to directory /usr/share/doc/openvpn/examples/easy-rsa/2.0 and create certificates and keys
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# look at the dot and space
. /config/openvpn/vars
# cleans all in /config/auth/openvpn/keys previously genrated keys and certificates
./clean-all
# takes some time
./build-dh
# confirm all question with return or yes leave password unchanged/void
./build-ca
# take the same value as parameter as set in vars for KEY_CN=gateway.MyDomain.com
# confirm all question with return or yes leave password unchanged/void
./build-key-server gateway.MyDomain.com
the directory /config/auth/openvpn/keys should now contain the following files:
01.pem
ca.crt
ca.key
dh1024.pem
gateway.MyDomain.com.crt
gateway.MyDomain.com.csr
gateway.MyDomain.com.key
index.txt
index.txt.attr
index.txt.old
serial
serial.old
server.key
– Create an user group nobody which will be used by the OpenVPN server configuration
addgroup nobody
– Create now your OpenVPN client users in the EdgeRouter GUI or CLI. Select as user level “operator” and and set for each an appropriate password. You can create an delete users, and modify passworts as you want and at any time.
– Leave now the sudo shell with exit and enter the CLI configure mode
exit
configure
now create the OpenVPN server configuration
# we select a tun setup as the OpenVPN Client for IOS does not support actually dev tap
set interfaces openvpn vtun0
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option “–tls-server”
set interfaces openvpn vtun0 openvpn-option “–proto udp”
set interfaces openvpn vtun0 openvpn-option “–port 1194”
# set this only if you want the OpenVPN server to push DNS settings to the client and to overwrite its DNS-setting in order to pass all traffic over the VPN
# set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS 192.168.5.254”
# change to your own LAN subnet
set interfaces openvpn vtun0 openvpn-option “–push route 192.168.5.0 255.255.5.0”
set interfaces openvpn vtun0 openvpn-option “–tun-mtu 1400”
set interfaces openvpn vtun0 openvpn-option “–persist-key”
set interfaces openvpn vtun0 openvpn-option “–persist-tun”
set interfaces openvpn vtun0 openvpn-option “–persist-local-ip”
set interfaces openvpn vtun0 openvpn-option “–persist-remote-ip”
set interfaces openvpn vtun0 openvpn-option “–keepalive 8 30”
set interfaces openvpn vtun0 openvpn-option “–comp-lzo”
set interfaces openvpn vtun0 openvpn-option “–duplicate-cn”
set interfaces openvpn vtun0 openvpn-option “–user nobody –group nobody”
set interfaces openvpn vtun0 openvpn-option “–plugin /usr/lib/openvpn/openvpn-auth-pam.so login”
set interfaces openvpn vtun0 openvpn-option “–client-cert-not-required –username-as-common-name”
set interfaces openvpn vtun0 openvpn-option “–verb 1”
set interfaces openvpn vtun0 openvpn-option “–client-to-client”
set interfaces openvpn vtun0 server
# change the VPN privat subnet if needed
set interfaces openvpn vtun0 server subnet 172.17.0.0/16
set interfaces openvpn vtun0 server topology subnet
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/keys/ca.crt
# change to the appropriate file name
set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/keys/gw.newy.org.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/keys/dh1024.pem
# change to the appropriate file name
set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/keys/gw.newy.org.key
– Commit now this settings with CLI commit. If the settings can not be commited have a look at the Log
more /var/log/messages
if commit was successful the OpenVPN Server is allready up. Save the settings with CLI save and exit from configure mode.
– Create in the EdgeRouter GUI a backup and export it to your desktop. In the backup you will find also the certificate you will need to configure your OpenVPN clients. On your desktop unpack the backup-archiv file.
I will now shortly describe how to configure OpenVPN client for Apple IOS devices (tested only on IOS 6.x). The configuration for MacOSX OpenVPN client like Tunnelblick is very similar (see at the end).
– Take an OpenVPN Client profile template or create a profile from scratch with a text editor in raw text mode and UTF-8 encodig. Set the following entries:
client
float
# we select a tun setup as the OpenVPN Client for IOS does not support actually dev tap
dev tun
proto udp
# replace gateway.MyDomain.com with Domain-Name or public IP of your EdgeRouter to connect to remote
gw.newy.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# uncomment this lines if you use an OpenVPN Client
; ca ca.crt
; cert client.crt
; key client.key
cipher AES-128-CBC
auth-user-pass pull
comp-lzo
verb 3
—–BEGIN CERTIFICATE—–
# put your certificate block here
—–END CERTIFICATE—–
# this is an random certificate and is used in OpenVPN IOS Client. It can be copied as it is
—–BEGIN CERTIFICATE—–
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
—–END CERTIFICATE—–
# this is an random key and is used in OpenVPN IOS Client. It can be copied as it is
—–BEGIN PRIVATE KEY—–
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
—–END PRIVATE KEY—–
Save the file as raw text and append the file suffix “.ovpn”
– Open on your Desktop the unpacked EdgeRouter backup-archive. Go to the folder /config/auth/openvpn/keys and locate the file ca.crt. Open this file with an text editor in raw mode that supports UTF-8. Copy the certificate block in-between “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” and paste it to the OpenVPN profile in-between the tags …. – and -blocks contains random code but are required by the OpenVPN Client for IOS. Without these blocks the profile can not be successfully imported in to the OpenVPN Client for IOS.
– In our case we deployed the OpenVPN Client profile to the IOS devices by eMail. This may be a security issue but it was the fastest way to test and get ready. The same profile can be used for all users configured previously or in future on the EdgeRouter GUI (users are differentiated by there user/pwd ).
– Install the OpenVPN Client for IOS from the App-Store:
https://itunes.apple.com/ch/app/openvpn-connect/id590379981
– Send the previously create OpenVPN Client profile “.ovpn” as attachment to an eMail Account that is already configurated on the IOS device.
– Open the appropriate sent eMail on the IOS device and then open the OpenVPN Client profile attachment by clicking on the icon. The OpenVPN Connect App should now open and shows the new Client profile to import. Approve the import and enter the user/pwd info you configured in the EdgeRouter user GUI. Now you are ready to connect by OpenVPN to your EdgeRouter (this works of course only from outside of your EdgeRouters LAN).
– Configuration for MacOSX OpenVPN Client Tunnelblick is straightforward forward. Install Tunnelblick if it is not allready installed on your system
http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2
– Create on your MacOSX Destop a new folder and name it as you want your profile been shown later on in the Tunnelblick: e.g. “openvpn MyCompany”.
– Copy your previously create OpenVPN Client profile “.ovpn” file into the previously create folder “openvpn MyCompany”.
– Add to the folders name the suffix “.tblk” in order it shows like “openvpn MyCompany.tblk”. In the moment when the suffix “.tblk” is added the folder gets a package and shows up as file with the Tunnelblick.app icon.
– Doubleclick on this new Tunnelblick file. In succession the Tunnelblick.app will open and your profile is importet. Your are now ready to connect to your remote EdgeRouter. For the first time you connect you will asked your MacOSX user account info or admin info (the profile gets ready only) and then also it ask in an appropriate user/password dialog for your OpenVPN user/pwd information to connect to your remote EgdeRouter.
Recent Comments