===== OBSOLETE, for historical purposes only for legacy installs =====
====== OpenVPN Road Warrior Server with Zone Based Firewall on Edgerouter, Behind Existing Router=====
We are going to setup an OpenVPN server on an Edgerouter behind an existing routing device. It will allow outside clients to connect and access the internal network(s). This document is based on the Edgerouter X since it has faster CPUs than the ERLite and is cheap. Optionally this will also run 2 different OpenVPN servers to allow for load balancing across the 2 CPUs of the ER-X, push DNS to clients so they can resolve internal hostnames via DNS and use OSPF to advertise routes of the internal LAN(s).
Note: to run an OpenVPN server behind an existing router, you will need to add a static route on said router pointing to the subnets of the OpenVPN client. In this example we'd use 10.4.1.247 (the IP of the E-RX) as the next hop for subnets 10.99.98.0/24 and 10.99.99.0/24.
Be sure to commit -> save after each section (until you get the firewall setup).
==== Initial Setup ====
* Get the default gateway of the LAN you want access to when dialing in, get the subnet and find an available static IP.
* Go to ubnt.com and download the latest firmware for the ER-X.
* Configure your network card with an IP address of 192.168.1.2 and a subnet of 255.255.255.0
* Connect an Ethernet cable to from your computer to ETH0 of the ER-X.
* Open a web browser and go to 192.168.1.1, the default username/password is ubnt/ubnt.
* Go to "System" then click on "Upgrade System Image" → "Upload a file" and browse to the firmware you just downloaded.
* After the reboot update the bootloader by logging into the cli and running add system boot-image then do a manual reboot.
* Via the web GUI go to "System" and reset the device to default.
====Create User and Configure Interfaces====
//(remember: configure -> commit -> save)//
==Configure user account==
set system login user vpnadmin authentication plaintext-password SuperSecretPW
==Delete Default ubnt Account==
Logout out of default account, login again using the new account then delete default account.
delete system login user ubnt
==Set Time and Date==
//(note, this is done at base login, don't use "configure")//
sudo su
set date mmddhhmmyyyy
exit
==Add Static Route for Gateway==
set protocols static route 0.0.0.0/0 next-hop 10.4.1.1
==Configure Base System Settings==
set system host-name wpnsec01
set system domain-name mclarenscottsdale.com
set system time-zone US/Pacific
set system name-server 208.67.220.220
set system name-server 8.8.4.4
set system ntp server pool.ntp.org
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\t Please contact "support@domain.com" to gain\n\taccess to this equipment if you need authorization.\n\n\n"
==Configure physical interfaces==
set interfaces ethernet eth0 description "VPN_LANS"
set interfaces ethernet eth0 address 10.4.1.247/24
delete interfaces ethernet eth0 address 192.168.1.1/24
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description "MANAGEMENT_LAN"
set interfaces ethernet eth1 address 172.8.8.11/24
set interfaces ethernet eth2 disable
set interfaces ethernet eth3 disable
set interfaces ethernet eth4 disable
====Setup Certificate Authority====
Login to the CLI as a user and stay in operational mode.
ssh user@Router1
Enable root level access
sudo su
Change directory location
cd /usr/lib/ssl/misc/
* Edit /usr/lib/ssl/openssl.cnf and change the default_days from 365 to 1825. Also change the defaults under [ req_distinguished_name ] for countryName_default, stateOrProvinceName_default, 0.organizationName_default.
* Edit /usr/lib/ssl/misc/CA.sh and change the CADAYS from 1095 to 1825.
//(note: you'll need to do this after each firmware update, before you issue any new certificates)//
Generate Certificate Authority (check to make sure your date is correct 1st!)
./CA.sh -newca
CA certificate filename (or enter to create) #Press enter.
[Enter pem pass phrase:
###Create password.
Verifying - Enter PEM pass phrase:
###Verify created password.
Record this pass phrase for later use when additional VPN users are added, label it “CA PEM passphrase”.
Fill in information as needed following prompts
Country Name (2 letter code) [AU]:US
xxx State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:LEAVE BLANK
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:LEAVE BLANK
Common Name (e.g. server FQDN or YOUR name) []:WPN01 ###(don’t use domain name here, use a device name)
Email Address []:LEAVE BLANK
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:LEAVE BLANK
An optional company name []:LEAVE BLANK
This will create /usr/lib/ssl/misc/demoCA with associated files. (if you messed up or need to change something, just delete the contents of /usr/lib/ssl/misc/demoCA and start at step 4 again)
====Create Server Certificate and Key====
This is the key that will stay on the EdgeRouter \\
//Note: Continued from step 1, you will be logged in as user and in the /usr/lib/ssl/misc/ directory.//
Fill out prompts like above again with information as needed. “Common Name” must be unique, here use a simple temp password (e.g. 1234) since it will be removed later, record it though (use full domain name if available for “Common Name”, e.g. openvpn_obscured.domain.com)
==Generate Certificate==
./CA.sh -newreq
==Sign Certificate==
The password it asks for is your CA pem passphrase.
./CA.sh -sign
### This will create newreq.pem, newkey.pem, and newcert.pem in /usr/lib/ssl/misc/
Move and rename files to /config/auth/ for preservation during firmware upgrades and clarity. //Note: Again, you will remain logged in as user in the /usr/lib/ssl/misc/ directory.//
==Move cacert.pem==
mkdir /config/auth/
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
==Move and Rename newcert.pem==
mv newcert.pem /config/auth/server.pem
==Move and Rename newkey.pem==
mv newkey.pem /config/auth/server.key
### Note: the newkey.pem file extension changes to .key.
To confirm these files have transferred to the proper location with the proper name and extension you may type “ls /config/auth/“ to view files.
==Create Diffie-Helman Parameter File==
//Note: Remain logged in as user with root privileges by entering “sudo su” and in the /usr/lib/ssl/misc/ directory.//
openssl dhparam -out /config/auth/dhp.pem -2 2048
### This process will take some time and generate dhp.pem in /config/auth/
==Generate Additional TLS Auth key==
//(OpenVPN server will not respond to packets unless those packets have a valid signature from a pre-shared key)//
openvpn --genkey --secret /config/auth/ta.key
chmod 644 /config/auth/ta.key
==Add certificate revocation list (CRL)==
(note: this hasn't been tested to verify it works, now it has, sort of, see 2nd code block below)
echo 01 > /usr/lib/ssl/misc/demoCA/crlnumber
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
To revoke a certificate... you need the pem of the certificate you want to revoke, so keep a copy handy... I keep them in /config/auth
cd /usr/lib/ssl/misc
openssl ca -revoke /auth/config/.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
Then remove the revoked certificate (.pem and .key) files from /config/auth so you don't accidentally use them again (cause they won't work). You can leave the client config in the openvpn server setup to be used again if it was a generic name otherwise delete that as well.
==Remove Passwords from Key Files==
sudo su
### Create new .key with no password
openssl rsa -in /config/auth/server.key -out /config/auth/server-rmpass.key
### The password prompt here is the temp password you used when generating the key (here we used 1234)
### Move server-rmpass.key to server.key overwriting the original
mv /config/auth/server-rmpass.key /config/auth/server.key
====Generate Client Certificates====
//Note: Logged in as user in operational mode in the /usr/lib/ssl/misc/ directory.//
==Generate Certificates==
sudo su
cd /usr/lib/ssl/misc
./CA.sh -newreq
Fill out fields like above with unique Common Name for each Client (in this example we will use “VPNCLIENT01,VPNCLIENT02,...” as the Common Names) (use CompanyName.FirstnameLastname.CompanyTelephone for the Common Name format if you want it clearly attributed to a specific user; don’t add an E-Mail or optional company name, use the “1234 temp password”).
Sign Certificate
./CA.sh -sign
==Move and Rename Client Certificates==
mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
==Create new .key with No Password==
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key
###Enter password
==Move VPNCLIENT01-rmpass.key to VPNCLIENT01.key==
mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key
Repeat this process for each client using a unique Common Name for each starting at [[https://clientdata.haddentech.com/doku.php?id=tech_documents:openvpn_server_on_edgerouter#generate_certificates|Generate Certificates]], don't add a challenge password.
==Add static IPs for each VPN client==
NOTE: THIS NEED TO BE DONE AFTER THE OPENVPN INTERFACES HAVE BEEN CONFIGURED BELOW, it is only here to keep it grouped with generating client certificates so keep the process of adding clients later in one area.
//Record the clienthostname and assigned IP//
exit
configure
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.99.99.X
commit
save
====Configure OpenVPN interfaces====
Network variables:
* OpenVPN subnet for vtun0 clients is: 10.99.98.0/24
* OpenVPN subnet for vtun1 clients is: 10.99.99.0/24
* Internal subnet that OpenVPN clients will gain access to is: 10.4.1.0/24
* Internal DNS servers that will be pushed to OpenVPN clients are: 10.4.1.1, 8.8.8.8
* Omit the [set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS ip.add.re.ss"] lines if you don't want internal DNS servers pushed to your clients. This can cause issues for some people so unless you really need to resolve via hostname internal resources (and have put the effort into properly managing internal DNS) then omit the option.
* Omit the [set interfaces openvpn vtun0 ip ospf network point-to-point] lines if you don't use OSPF or plan to.
* Omit all lines containing [vtun1] if you only need 1 OpenVPN server instance and don't care to manage 2.
* Note: change the default OpenVPN server port and pick one for each openvpn instance you want to create (e.g 5173 and 5174)
set interfaces openvpn vtun0 description "OpenVPN Server for Company Users and IT VTUN0"
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 server subnet 10.99.98.0/24
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.17"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.19"
set interfaces openvpn vtun0 server push-route 10.4.1.0/24
set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun0 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun1 description "OpenVPN Server for Non-Company Users VTUN1"
set interfaces openvpn vtun1 local-port 5174
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 hash sha256
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 openvpn-option --comp-lzo
set interfaces openvpn vtun1 server subnet 10.99.99.0/24
set interfaces openvpn vtun1 server push-route 10.4.1.0/24
set interfaces openvpn vtun1 ip ospf network point-to-point
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun1 tls key-file /config/auth/server.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun1 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun1 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
==Setup OSPF for VPN_LANS==
Do this only if you plan on using OSPF elsewhere in your network or already do, if you already do, modify accordingly.
set protocols ospf parameters router-id 10.4.1.247
set protocols ospf area 0.0.0.0 network 10.4.1.0/24
set protocols ospf redistribute connected
set interfaces ethernet eth0 ip ospf cost 10
set interfaces ethernet eth0 ip ospf dead-interval 40
set interfaces ethernet eth0 ip ospf hello-interval 10
set interfaces ethernet eth0 ip ospf priority 1
set interfaces ethernet eth0 ip ospf retransmit-interval 5
set interfaces ethernet eth0 ip ospf transmit-delay 1
==Add md5 authentication to OSPF==
set protocols ospf area 0.0.0.0 authentication md5
set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key SomeSuperSecretPasswordForOSPF
===REMEMBER===
If you haven't already added the static IP info for each of your VPNCLIENT01/etc users, scroll back up and do so now.
====Create Zone Policies and Firewall Rules====
**(READ WHOLE SENTENCE) !!!!!and!!!!! set firewall rules AND zone pairs policy before committing or !!!!!we'll be locked out!!!!!!**
==Setup Zones==
set zone-policy zone LOCAL description "this is the EdgeRouter or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone VPN_LANS description "LAN for VPN devices"
set zone-policy zone VPN_LANS default-action drop
set zone-policy zone VPN_LANS interface eth0
set zone-policy zone MANAGEMENT_LAN description "Management LAN"
set zone-policy zone MANAGEMENT_LAN default-action drop
set zone-policy zone MANAGEMENT_LAN interface eth1
set zone-policy zone VTUN0 description "VPN for Company Employees + IT"
set zone-policy zone VTUN0 default-action drop
set zone-policy zone VTUN0 interface vtun0
set zone-policy zone VTUN1 description "VPN for Vendors"
set zone-policy zone VTUN1 default-action drop
set zone-policy zone VTUN1 interface vtun1
==MANAGEMENT_LAN <=> (LOCAL) Firewall Rules==
If you commit after this block of commands then'll you lose access on ETH0. If this happens change the IP on your network card to match the subnet used on ETH1, connect and resume.
set firewall name LOCAL_to_MGMT_LAN description "allow all traffic from LOCAL to MANAGEMENT_LAN zone"
set firewall name LOCAL_to_MGMT_LAN rule 1 action accept
set firewall name LOCAL_to_MGMT_LAN rule 1 log enable
set firewall name LOCAL_to_MGMT_LAN rule 1000 description "Drop invalid"
set firewall name LOCAL_to_MGMT_LAN rule 1000 action drop
set firewall name LOCAL_to_MGMT_LAN rule 1000 state invalid enable
set firewall name LOCAL_to_MGMT_LAN rule 1000 log enable
set firewall name MGMT_LAN_to_LOCAL description "filter traffic from MANAGEMENT_LAN to LOCAL zone"
set firewall name MGMT_LAN_to_LOCAL enable-default-log
set firewall name MGMT_LAN_to_LOCAL rule 10 description "Allow established/related"
set firewall name MGMT_LAN_to_LOCAL rule 10 action accept
set firewall name MGMT_LAN_to_LOCAL rule 10 state established enable
set firewall name MGMT_LAN_to_LOCAL rule 10 state related enable
set firewall name MGMT_LAN_to_LOCAL rule 10 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1000 description "Drop invalid"
set firewall name MGMT_LAN_to_LOCAL rule 1000 action drop
set firewall name MGMT_LAN_to_LOCAL rule 1000 state invalid enable
set firewall name MGMT_LAN_to_LOCAL rule 1000 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name MGMT_LAN_to_LOCAL rule 1020 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name MGMT_LAN_to_LOCAL rule 1020 protocol icmp
set firewall name MGMT_LAN_to_LOCAL rule 1020 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1020 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1030 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1030 destination port 67
set firewall name MGMT_LAN_to_LOCAL rule 1030 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1030 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1030 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name MGMT_LAN_to_LOCAL rule 1040 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1040 destination port 53
set firewall name MGMT_LAN_to_LOCAL rule 1040 protocol tcp_udp
set firewall name MGMT_LAN_to_LOCAL rule 1040 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1040 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1050 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1050 destination port 123
set firewall name MGMT_LAN_to_LOCAL rule 1050 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1050 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1050 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1060 description "Allow HTTPS"
set firewall name MGMT_LAN_to_LOCAL rule 1060 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1060 destination port 443
set firewall name MGMT_LAN_to_LOCAL rule 1060 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1060 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1060 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1100 description "Allow SSH"
set firewall name MGMT_LAN_to_LOCAL rule 1100 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1100 destination port 22
set firewall name MGMT_LAN_to_LOCAL rule 1100 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1100 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1100 log enable
set zone-policy zone MANAGEMENT_LAN from LOCAL firewall name LOCAL_to_MGMT_LAN
set zone-policy zone LOCAL from MANAGEMENT_LAN firewall name MGMT_LAN_to_LOCAL
==VPN_LANS <=> (LOCAL) Firewall Rules==
set firewall name LOCAL_to_VPN_LANS description "allow all traffic from LOCAL to VPN_LANS zone"
set firewall name LOCAL_to_VPN_LANS rule 1 action accept
set firewall name LOCAL_to_VPN_LANS rule 1 log enable
set firewall name LOCAL_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VPN_LANS rule 1000 action drop
set firewall name LOCAL_to_VPN_LANS rule 1000 state invalid enable
set firewall name LOCAL_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_LOCAL description "filter traffic from VPN_LANS to LOCAL zone"
set firewall name VPN_LANS_to_LOCAL enable-default-log
set firewall name VPN_LANS_to_LOCAL rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_LOCAL rule 10 action accept
set firewall name VPN_LANS_to_LOCAL rule 10 state established enable
set firewall name VPN_LANS_to_LOCAL rule 10 state related enable
set firewall name VPN_LANS_to_LOCAL rule 10 log enable
set firewall name VPN_LANS_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_LOCAL rule 1000 action drop
set firewall name VPN_LANS_to_LOCAL rule 1000 state invalid enable
set firewall name VPN_LANS_to_LOCAL rule 1000 log enable
set firewall name VPN_LANS_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VPN_LANS_to_LOCAL rule 1020 action accept
set firewall name VPN_LANS_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VPN_LANS_to_LOCAL rule 1020 protocol icmp
set firewall name VPN_LANS_to_LOCAL rule 1020 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1020 log enable
set firewall name VPN_LANS_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VPN_LANS_to_LOCAL rule 1030 action accept
set firewall name VPN_LANS_to_LOCAL rule 1030 destination port 67
set firewall name VPN_LANS_to_LOCAL rule 1030 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1030 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1030 log enable
set firewall name VPN_LANS_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VPN_LANS_to_LOCAL rule 1040 action accept
set firewall name VPN_LANS_to_LOCAL rule 1040 destination port 53
set firewall name VPN_LANS_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VPN_LANS_to_LOCAL rule 1040 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1040 log enable
set firewall name VPN_LANS_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VPN_LANS_to_LOCAL rule 1050 action accept
set firewall name VPN_LANS_to_LOCAL rule 1050 destination port 123
set firewall name VPN_LANS_to_LOCAL rule 1050 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1050 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1050 log enable
set firewall name VPN_LANS_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VPN_LANS_to_LOCAL rule 1060 action accept
set firewall name VPN_LANS_to_LOCAL rule 1060 protocol ospf
set firewall name VPN_LANS_to_LOCAL rule 1060 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1060 log enable
set firewall name VPN_LANS_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VPN_LANS_to_LOCAL rule 1070 action accept
set firewall name VPN_LANS_to_LOCAL rule 1070 destination port 5173
set firewall name VPN_LANS_to_LOCAL rule 1070 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1070 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1070 log enable
set firewall name VPN_LANS_to_LOCAL rule 1080 description "Allow OpenVPN Request 2"
set firewall name VPN_LANS_to_LOCAL rule 1080 action accept
set firewall name VPN_LANS_to_LOCAL rule 1080 destination port 5174
set firewall name VPN_LANS_to_LOCAL rule 1080 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1080 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1080 log enable
set zone-policy zone VPN_LANS from LOCAL firewall name LOCAL_to_VPN_LANS
set zone-policy zone LOCAL from VPN_LANS firewall name VPN_LANS_to_LOCAL
==VTUN0 <=> (LOCAL + VPN_LANS) Firewall Rules==
set firewall name LOCAL_to_VTUN0 description "allow all traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL_to_VTUN0 rule 1 action accept
set firewall name LOCAL_to_VTUN0 rule 1 log enable
set firewall name LOCAL_to_VTUN0 rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VTUN0 rule 1000 action drop
set firewall name LOCAL_to_VTUN0 rule 1000 state invalid enable
set firewall name LOCAL_to_VTUN0 rule 1000 log enable
set firewall name VTUN0_to_VPN_LANS description "allow all traffic from VTUN0 to VPN_LANS zone"
set firewall name VTUN0_to_VPN_LANS rule 1 action accept
set firewall name VTUN0_to_VPN_LANS rule 1 log enable
set firewall name VTUN0_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name VTUN0_to_VPN_LANS rule 1000 action drop
set firewall name VTUN0_to_VPN_LANS rule 1000 state invalid enable
set firewall name VTUN0_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_VTUN0 description "filter traffic from VPN_LANS to VTUN0 zone"
set firewall name VPN_LANS_to_VTUN0 enable-default-log
set firewall name VPN_LANS_to_VTUN0 rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_VTUN0 rule 10 action accept
set firewall name VPN_LANS_to_VTUN0 rule 10 state established enable
set firewall name VPN_LANS_to_VTUN0 rule 10 state related enable
set firewall name VPN_LANS_to_VTUN0 rule 10 log enable
set firewall name VPN_LANS_to_VTUN0 rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_VTUN0 rule 1000 action drop
set firewall name VPN_LANS_to_VTUN0 rule 1000 state invalid enable
set firewall name VPN_LANS_to_VTUN0 rule 1000 log enable
set firewall name VTUN0_to_LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0_to_LOCAL enable-default-log
set firewall name VTUN0_to_LOCAL rule 10 description "Allow established/related"
set firewall name VTUN0_to_LOCAL rule 10 action accept
set firewall name VTUN0_to_LOCAL rule 10 state established enable
set firewall name VTUN0_to_LOCAL rule 10 state related enable
set firewall name VTUN0_to_LOCAL rule 10 log enable
set firewall name VTUN0_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VTUN0_to_LOCAL rule 1000 action drop
set firewall name VTUN0_to_LOCAL rule 1000 state invalid enable
set firewall name VTUN0_to_LOCAL rule 1000 log enable
set firewall name VTUN0_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_LOCAL rule 1020 action accept
set firewall name VTUN0_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN0_to_LOCAL rule 1020 state new enable
set firewall name VTUN0_to_LOCAL rule 1020 log enable
set firewall name VTUN0_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VTUN0_to_LOCAL rule 1030 action accept
set firewall name VTUN0_to_LOCAL rule 1030 destination port 67
set firewall name VTUN0_to_LOCAL rule 1030 protocol udp
set firewall name VTUN0_to_LOCAL rule 1030 state new enable
set firewall name VTUN0_to_LOCAL rule 1030 log enable
set firewall name VTUN0_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VTUN0_to_LOCAL rule 1040 action accept
set firewall name VTUN0_to_LOCAL rule 1040 destination port 53
set firewall name VTUN0_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VTUN0_to_LOCAL rule 1040 state new enable
set firewall name VTUN0_to_LOCAL rule 1040 log enable
set firewall name VTUN0_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VTUN0_to_LOCAL rule 1050 action accept
set firewall name VTUN0_to_LOCAL rule 1050 destination port 123
set firewall name VTUN0_to_LOCAL rule 1050 protocol udp
set firewall name VTUN0_to_LOCAL rule 1050 state new enable
set firewall name VTUN0_to_LOCAL rule 1050 log enable
set firewall name VTUN0_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN0_to_LOCAL rule 1060 action accept
set firewall name VTUN0_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN0_to_LOCAL rule 1060 state new enable
set firewall name VTUN0_to_LOCAL rule 1060 log enable
set firewall name VTUN0_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VTUN0_to_LOCAL rule 1070 action accept
set firewall name VTUN0_to_LOCAL rule 1070 destination port 5173
set firewall name VTUN0_to_LOCAL rule 1070 protocol udp
set firewall name VTUN0_to_LOCAL rule 1070 state new enable
set firewall name VTUN0_to_LOCAL rule 1070 log enable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL_to_VTUN0
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0_to_LOCAL
set zone-policy zone VPN_LANS from VTUN0 firewall name VTUN0_to_VPN_LANS
set zone-policy zone VTUN0 from VPN_LANS firewall name VPN_LANS_to_VTUN0
==VTUN1 <=> (LOCAL + VPN_LANS) Firewall Rules==
set firewall name LOCAL_to_VTUN1 description "allow all traffic from LOCAL to VTUN1 zone"
set firewall name LOCAL_to_VTUN1 rule 1 action accept
set firewall name LOCAL_to_VTUN1 rule 1 log enable
set firewall name LOCAL_to_VTUN1 rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VTUN1 rule 1000 action drop
set firewall name LOCAL_to_VTUN1 rule 1000 state invalid enable
set firewall name LOCAL_to_VTUN1 rule 1000 log enable
set firewall name VTUN1_to_VPN_LANS description "allow all traffic from VTUN1 to VPN_LANS zone"
set firewall name VTUN1_to_VPN_LANS rule 1 action accept
set firewall name VTUN1_to_VPN_LANS rule 1 log enable
set firewall name VTUN1_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name VTUN1_to_VPN_LANS rule 1000 action drop
set firewall name VTUN1_to_VPN_LANS rule 1000 state invalid enable
set firewall name VTUN1_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_VTUN1 description "filter traffic from VPN_LANS to VTUN1 zone"
set firewall name VPN_LANS_to_VTUN1 enable-default-log
set firewall name VPN_LANS_to_VTUN1 rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_VTUN1 rule 10 action accept
set firewall name VPN_LANS_to_VTUN1 rule 10 state established enable
set firewall name VPN_LANS_to_VTUN1 rule 10 state related enable
set firewall name VPN_LANS_to_VTUN1 rule 10 log enable
set firewall name VPN_LANS_to_VTUN1 rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_VTUN1 rule 1000 action drop
set firewall name VPN_LANS_to_VTUN1 rule 1000 state invalid enable
set firewall name VPN_LANS_to_VTUN1 rule 1000 log enable
set firewall name VTUN1_to_LOCAL description "filter traffic from VTUN1 to LOCAL zone"
set firewall name VTUN1_to_LOCAL enable-default-log
set firewall name VTUN1_to_LOCAL rule 10 description "Allow established/related"
set firewall name VTUN1_to_LOCAL rule 10 action accept
set firewall name VTUN1_to_LOCAL rule 10 state established enable
set firewall name VTUN1_to_LOCAL rule 10 state related enable
set firewall name VTUN1_to_LOCAL rule 10 log enable
set firewall name VTUN1_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VTUN1_to_LOCAL rule 1000 action drop
set firewall name VTUN1_to_LOCAL rule 1000 state invalid enable
set firewall name VTUN1_to_LOCAL rule 1000 log enable
set firewall name VTUN1_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN1_to_LOCAL rule 1020 action accept
set firewall name VTUN1_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN1_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN1_to_LOCAL rule 1020 state new enable
set firewall name VTUN1_to_LOCAL rule 1020 log enable
set firewall name VTUN1_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VTUN1_to_LOCAL rule 1030 action accept
set firewall name VTUN1_to_LOCAL rule 1030 destination port 67
set firewall name VTUN1_to_LOCAL rule 1030 protocol udp
set firewall name VTUN1_to_LOCAL rule 1030 state new enable
set firewall name VTUN1_to_LOCAL rule 1030 log enable
set firewall name VTUN1_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VTUN1_to_LOCAL rule 1040 action accept
set firewall name VTUN1_to_LOCAL rule 1040 destination port 53
set firewall name VTUN1_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VTUN1_to_LOCAL rule 1040 state new enable
set firewall name VTUN1_to_LOCAL rule 1040 log enable
set firewall name VTUN1_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VTUN1_to_LOCAL rule 1050 action accept
set firewall name VTUN1_to_LOCAL rule 1050 destination port 123
set firewall name VTUN1_to_LOCAL rule 1050 protocol udp
set firewall name VTUN1_to_LOCAL rule 1050 state new enable
set firewall name VTUN1_to_LOCAL rule 1050 log enable
set firewall name VTUN1_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN1_to_LOCAL rule 1060 action accept
set firewall name VTUN1_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN1_to_LOCAL rule 1060 state new enable
set firewall name VTUN1_to_LOCAL rule 1060 log enable
set firewall name VTUN1_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VTUN1_to_LOCAL rule 1070 action accept
set firewall name VTUN1_to_LOCAL rule 1070 destination port 5174
set firewall name VTUN1_to_LOCAL rule 1070 protocol udp
set firewall name VTUN1_to_LOCAL rule 1070 state new enable
set firewall name VTUN1_to_LOCAL rule 1070 log enable
set zone-policy zone VTUN1 from LOCAL firewall name LOCAL_to_VTUN1
set zone-policy zone LOCAL from VTUN1 firewall name VTUN1_to_LOCAL
set zone-policy zone VPN_LANS from VTUN1 firewall name VTUN1_to_VPN_LANS
set zone-policy zone VTUN1 from VPN_LANS firewall name VPN_LANS_to_VTUN1
====Backup the SSL and Config Directories to Your Computer====
sudo su
cd /tmp
tar -czf OpenVPN-CA_dir-Config_dir-Date.tar.gz /config /usr/lib/ssl
Then use either WinSCP on Windows or SFTP in a Linux file manager to login and copy the file from the /tmp folder to your computer. Be sure to keep it in a safe place, also extract it because we'll need it to create the opvn config files.
====VPN Client Config and Certificates in Single File====
[[http://blog.iopsl.com/openvpn-configuration-in-a-single-file/|http://blog.iopsl.com/openvpn-configuration-in-a-single-file/]]
The benefit of a single configuration file is that it can be used on mobile devices where OpenVPN Connect is the official client (or imported in OSX tunnelier or a Linux network manager UI).
Insert file contents into following parts accordingly, namely ca.crt, client.crt, client.key and ta.key.
Base opvn config file without keys
client
float
resolv-retry infinite
nobind
mute-replay-warnings
verb 5
persist-key
persist-tun
explicit-exit-notify 1
dev tun
####comp-lzo
compress lz4
proto udp
cipher AES-256-CBC
auth SHA256
key-direction 1
#cert VPNCLIENT01.pem
#key VPNCLIENT01.key
#ca cacert.pem
#tls-auth ta.key 1
remote vpn.server.domain.name.com 5187
And the key files. You should be able to gather which is which based on the file names saved and their commented out references in the area above.
…
…
…
…