We are going to set up an OpenVPN server on an EdgeRouter that sits behind an existing routing device. It will allow outside clients to connect and access the internal network(s). This document is based on the EdgeRouter X, since it has faster CPUs than the ERLite and is cheap. Optionally it also runs two separate OpenVPN servers so the load is spread across the two CPUs of the ER-X, pushes DNS servers to clients so they can resolve internal hostnames, and uses OSPF to advertise the routes of the internal LAN(s).
Note: to run an OpenVPN server behind an existing router, you will need to add a static route on that router pointing at the OpenVPN client subnets. In this example that route would use 10.4.1.247 (the IP of the ER-X) as the next hop for 10.99.98.0/24 and 10.99.99.0/24.
Be sure to commit → save after each section (until you get to the firewall setup).
add system boot-image
then do a manual reboot.
(remember: configure → commit → save)
set system login user vpnadmin authentication plaintext-password SuperSecretPW
Log out of the default account, log in again using the new account, then delete the default account.
delete system login user ubnt
(note, this is done at base login, don't use “configure”)
sudo su
set date mmddhhmmyyyy
exit
set protocols static route 0.0.0.0/0 next-hop 10.4.1.1
set system host-name wpnsec01
set system domain-name mclarenscottsdale.com
set system time-zone US/Pacific
set system name-server 208.67.220.220
set system name-server 8.8.4.4
set system ntp server pool.ntp.org
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\t Please contact 'support@domain.com' to gain\n\taccess to this equipment if you need authorization.\n\n\n"
set interfaces ethernet eth0 description "VPN_LANS"
set interfaces ethernet eth0 address 10.4.1.247/24
delete interfaces ethernet eth0 address 192.168.1.1/24
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description "MANAGEMENT_LAN"
set interfaces ethernet eth1 address 172.8.8.11/24
set interfaces ethernet eth2 disable
set interfaces ethernet eth3 disable
set interfaces ethernet eth4 disable
Log in to the CLI as a user and stay in operational mode.
ssh user@Router1
Enable root level access
sudo su
Change directory location
cd /usr/lib/ssl/misc/
(note: you'll need to do this after each firmware update, before you issue any new certificates)
Generate the Certificate Authority (check that your date is correct first!)
./CA.sh -newca
CA certificate filename (or enter to create)   ### press Enter
Enter PEM pass phrase:                          ### create a password
Verifying - Enter PEM pass phrase:              ### enter it again to verify
Record this pass phrase for later use when additional VPN users are added, label it “CA PEM passphrase”.
Fill in the information as needed, following the prompts:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:LEAVE BLANK
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:LEAVE BLANK
Common Name (e.g. server FQDN or YOUR name) []:WPN01   ### don't use a domain name here, use a device name
Email Address []:LEAVE BLANK
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:LEAVE BLANK
An optional company name []:LEAVE BLANK
This will create /usr/lib/ssl/misc/demoCA with its associated files. (If you made a mistake or need to change something, delete the contents of /usr/lib/ssl/misc/demoCA and start again at step 4.)
This is the key that will stay on the EdgeRouter
Note: Continued from step 1, you will be logged in as user and in the /usr/lib/ssl/misc/ directory.
Fill out the prompts as above with the information needed. “Common Name” must be unique; use the full domain name if available (e.g. openvpn_obscured.domain.com). For the PEM pass phrase use a simple temporary password (e.g. 1234), since it will be removed later, but record it.
./CA.sh -newreq
The password it asks for is your CA pem passphrase.
./CA.sh -sign   ### This will create newreq.pem, newkey.pem and newcert.pem in /usr/lib/ssl/misc/
Move and rename the files to /config/auth/ so they survive firmware upgrades and are clearly named. Note: again, you stay logged in as user in the /usr/lib/ssl/misc/ directory.
mkdir /config/auth/
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key ### Note: the newkey.pem file extension changes to .key.
To confirm these files have been copied to the proper location with the proper name and extension, run "ls /config/auth/" to view them.
Note: Remain logged in as user with root privileges by entering “sudo su” and in the /usr/lib/ssl/misc/ directory.
openssl dhparam -out /config/auth/dhp.pem -2 2048 ### This process will take some time and generate dhp.pem in /config/auth/
(With tls-auth enabled, the OpenVPN server ignores control-channel packets that do not carry a valid HMAC signature made with this pre-shared key, so unauthenticated probes never reach the TLS stack.)
openvpn --genkey --secret /config/auth/ta.key
chmod 644 /config/auth/ta.key
(note: this hasn't been tested to verify it works; now it has, sort of, see the 2nd code block below)
echo 01 > /usr/lib/ssl/misc/demoCA/crlnumber
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
To revoke a certificate you need the .pem of the certificate you want to revoke, so keep a copy handy; I keep them in /config/auth.
cd /usr/lib/ssl/misc
openssl ca -revoke /config/auth/<filename>.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
Then remove the revoked certificate's .pem and .key files from /config/auth so you don't accidentally use them again (they won't work anyway). You can leave the client entry in the OpenVPN server config to be reused if it had a generic name; otherwise delete that as well.
sudo su
### Create a new .key with no password; the password prompt here is the temp password
### you used when generating the key (here we used 1234)
openssl rsa -in /config/auth/server.key -out /config/auth/server-rmpass.key
### Move server-rmpass.key over server.key, overwriting the original
mv /config/auth/server-rmpass.key /config/auth/server.key
Note: Logged in as user in operational mode in the /usr/lib/ssl/misc/ directory.
sudo su
cd /usr/lib/ssl/misc
./CA.sh -newreq
Fill out the fields as above with a unique Common Name for each client (in this example we use “VPNCLIENT01”, “VPNCLIENT02”, ... as the Common Names). Use CompanyName.FirstnameLastname.CompanyTelephone as the Common Name format if you want the certificate clearly attributed to a specific user. Don't add an e-mail address or optional company name, and use the “1234” temp password.
Sign Certificate
./CA.sh -sign
mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key ###Enter password
mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key
Repeat this process for each client, starting at Generate Certificates, with a unique Common Name for each; don't add a challenge password.
NOTE: THIS NEEDS TO BE DONE AFTER THE OPENVPN INTERFACES HAVE BEEN CONFIGURED BELOW; it is only placed here to keep it grouped with client certificate generation, so that adding clients later is a single procedure.
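The certificate lifecycle above (new CA, sign a request, strip the temp passphrase, revoke and regenerate the CRL) as an added, self-contained example that is not part of the original page. It uses the plain openssl CLI instead of CA.sh, builds a throw-away CA in a temp directory, and then checks each client certificate against the CRL the way the server's `--crl-verify` does. The names WPN01, VPNCLIENT01/02 and the `pki_*` functions are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: a throw-away CA built with the
# plain openssl CLI that mirrors the CA.sh steps (new CA, sign requests, strip
# the "1234" temp passphrase) and the revoke -> regenerate-CRL step, then checks
# certificates against the CRL as the server's --crl-verify would.
# All names (WPN01, VPNCLIENT01/02, the pki_* functions) are constructed.
set -eu

# Minimal openssl.cnf giving "openssl ca" the same database/serial/crlnumber
# layout CA.sh keeps under demoCA/.
pki_init() {
  dir="$1"
  mkdir -p "$dir/demoCA/private" "$dir/demoCA/newcerts"
  : > "$dir/demoCA/index.txt"
  echo 01 > "$dir/demoCA/serial"
  echo 01 > "$dir/demoCA/crlnumber"      # same as "echo 01 > demoCA/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # Self-signed CA; the CN is a device name, as the page recommends.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=WPN01" -config "$dir/ca.cnf" -extensions v3_ca \
    -keyout "$dir/demoCA/private/cakey.pem" -out "$dir/demoCA/cacert.pem" 2>/dev/null
}

# Request + sign (CA.sh -newreq / -sign) with the key under the temp passphrase
# 1234, then the passphrase removed with "openssl rsa" and the plain key moved
# over the original, exactly as the page does.
pki_issue() {
  dir="$1"; name="$2"
  openssl req -new -newkey rsa:2048 -passout pass:1234 -sha256 \
    -subj "/CN=$name" -config "$dir/ca.cnf" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl ca -batch -config "$dir/ca.cnf" -extensions v3_leaf \
    -in "$dir/$name.csr" -out "$dir/$name.pem" 2>/dev/null
  openssl rsa -in "$dir/$name.key" -passin pass:1234 \
    -out "$dir/$name-rmpass.key" 2>/dev/null
  mv "$dir/$name-rmpass.key" "$dir/$name.key"
}

pki_gencrl() {
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/cacrl.pem" 2>/dev/null
}

# Revoke a certificate and publish a fresh CRL; the server only honours the
# revocation once the new cacrl.pem is in place.
pki_revoke() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.pem" 2>/dev/null
  pki_gencrl "$1"
}

# "valid" if the cert chains to the CA and is not on the CRL, else "rejected".
pki_status() {
  if openssl verify -crl_check -CAfile "$1/demoCA/cacert.pem" \
       -CRLfile "$1/cacrl.pem" "$1/$2.pem" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# Walk the whole lifecycle; prints "valid rejected valid plain".
pki_demo() {
  dir=$(mktemp -d)
  pki_init "$dir"
  pki_issue "$dir" server
  pki_issue "$dir" VPNCLIENT01
  pki_issue "$dir" VPNCLIENT02
  pki_gencrl "$dir"                          # initial, empty CRL
  before=$(pki_status "$dir" VPNCLIENT02)
  pki_revoke "$dir" VPNCLIENT02
  after=$(pki_status "$dir" VPNCLIENT02)
  other=$(pki_status "$dir" VPNCLIENT01)     # untouched client stays valid
  if grep -q ENCRYPTED "$dir/VPNCLIENT01.key"; then enc=encrypted; else enc=plain; fi
  rm -rf "$dir"
  echo "$before $after $other $enc"
}

pki_demo
```

The `pki_status` check is the same decision OpenVPN makes at connect time with `--crl-verify`: a certificate that still chains to the CA is rejected as soon as its serial appears in the CRL, which is why the regenerated cacrl.pem has to be copied to /config/auth after every revocation.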
Record the client hostname and its assigned IP. The address must be inside that interface's server subnet (10.99.98.0/24 for vtun0, 10.99.99.0/24 for vtun1).
exit
configure
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.99.98.X
commit
save
Network variables:
set interfaces openvpn vtun0 description "OpenVPN Server for Company Users and IT VTUN0"
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 server subnet 10.99.98.0/24
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.17"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.19"
set interfaces openvpn vtun0 server push-route 10.4.1.0/24
set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun0 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun1 description "OpenVPN Server for Non-Company Users VTUN1"
set interfaces openvpn vtun1 local-port 5174
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 hash sha256
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 openvpn-option --comp-lzo
set interfaces openvpn vtun1 server subnet 10.99.99.0/24
set interfaces openvpn vtun1 server push-route 10.4.1.0/24
set interfaces openvpn vtun1 ip ospf network point-to-point
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun1 tls key-file /config/auth/server.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun1 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun1 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
Do this only if you plan to use OSPF elsewhere in your network or already do; if you already do, modify accordingly.
set protocols ospf parameters router-id 10.4.1.247
set protocols ospf area 0.0.0.0 network 10.4.1.0/24
set protocols ospf redistribute connected
set interfaces ethernet eth0 ip ospf cost 10
set interfaces ethernet eth0 ip ospf dead-interval 40
set interfaces ethernet eth0 ip ospf hello-interval 10
set interfaces ethernet eth0 ip ospf priority 1
set interfaces ethernet eth0 ip ospf retransmit-interval 5
set interfaces ethernet eth0 ip ospf transmit-delay 1
set protocols ospf area 0.0.0.0 authentication md5
set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key SomeSuperSecretPasswordForOSPF
If you haven't already added the static IP entries for each of your VPNCLIENT01/etc. users, scroll back up and do so now.
(READ THE WHOLE SENTENCE) !!!!! Also set the firewall rules AND the zone-pair policies before committing, or !!!!! you will be locked out !!!!!
set zone-policy zone LOCAL description "this is the EdgeRouter or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone VPN_LANS description "LAN for VPN devices"
set zone-policy zone VPN_LANS default-action drop
set zone-policy zone VPN_LANS interface eth0
set zone-policy zone MANAGEMENT_LAN description "Management LAN"
set zone-policy zone MANAGEMENT_LAN default-action drop
set zone-policy zone MANAGEMENT_LAN interface eth1
set zone-policy zone VTUN0 description "VPN for Company Employees + IT"
set zone-policy zone VTUN0 default-action drop
set zone-policy zone VTUN0 interface vtun0
set zone-policy zone VTUN1 description "VPN for Vendors"
set zone-policy zone VTUN1 default-action drop
set zone-policy zone VTUN1 interface vtun1
If you commit after this block of commands, you'll lose access on ETH0. If that happens, change the IP on your network card to match the subnet used on ETH1, connect there and resume.
set firewall name LOCAL_to_MGMT_LAN description "allow all traffic from LOCAL to MANAGEMENT_LAN zone"
set firewall name LOCAL_to_MGMT_LAN rule 1 action accept
set firewall name LOCAL_to_MGMT_LAN rule 1 log enable
set firewall name LOCAL_to_MGMT_LAN rule 1000 description "Drop invalid"
set firewall name LOCAL_to_MGMT_LAN rule 1000 action drop
set firewall name LOCAL_to_MGMT_LAN rule 1000 state invalid enable
set firewall name LOCAL_to_MGMT_LAN rule 1000 log enable
set firewall name MGMT_LAN_to_LOCAL description "filter traffic from MANAGEMENT_LAN to LOCAL zone"
set firewall name MGMT_LAN_to_LOCAL enable-default-log
set firewall name MGMT_LAN_to_LOCAL rule 10 description "Allow established/related"
set firewall name MGMT_LAN_to_LOCAL rule 10 action accept
set firewall name MGMT_LAN_to_LOCAL rule 10 state established enable
set firewall name MGMT_LAN_to_LOCAL rule 10 state related enable
set firewall name MGMT_LAN_to_LOCAL rule 10 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1000 description "Drop invalid"
set firewall name MGMT_LAN_to_LOCAL rule 1000 action drop
set firewall name MGMT_LAN_to_LOCAL rule 1000 state invalid enable
set firewall name MGMT_LAN_to_LOCAL rule 1000 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name MGMT_LAN_to_LOCAL rule 1020 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name MGMT_LAN_to_LOCAL rule 1020 protocol icmp
set firewall name MGMT_LAN_to_LOCAL rule 1020 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1020 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1030 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1030 destination port 67
set firewall name MGMT_LAN_to_LOCAL rule 1030 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1030 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1030 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name MGMT_LAN_to_LOCAL rule 1040 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1040 destination port 53
set firewall name MGMT_LAN_to_LOCAL rule 1040 protocol tcp_udp
set firewall name MGMT_LAN_to_LOCAL rule 1040 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1040 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name MGMT_LAN_to_LOCAL rule 1050 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1050 destination port 123
set firewall name MGMT_LAN_to_LOCAL rule 1050 protocol udp
set firewall name MGMT_LAN_to_LOCAL rule 1050 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1050 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1060 description "Allow HTTPS"
set firewall name MGMT_LAN_to_LOCAL rule 1060 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1060 destination port 443
set firewall name MGMT_LAN_to_LOCAL rule 1060 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1060 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1060 log enable
set firewall name MGMT_LAN_to_LOCAL rule 1100 description "Allow SSH"
set firewall name MGMT_LAN_to_LOCAL rule 1100 action accept
set firewall name MGMT_LAN_to_LOCAL rule 1100 destination port 22
set firewall name MGMT_LAN_to_LOCAL rule 1100 protocol tcp
set firewall name MGMT_LAN_to_LOCAL rule 1100 state new enable
set firewall name MGMT_LAN_to_LOCAL rule 1100 log enable
set zone-policy zone MANAGEMENT_LAN from LOCAL firewall name LOCAL_to_MGMT_LAN
set zone-policy zone LOCAL from MANAGEMENT_LAN firewall name MGMT_LAN_to_LOCAL
set firewall name LOCAL_to_VPN_LANS description "allow all traffic from LOCAL to VPN_LANS zone"
set firewall name LOCAL_to_VPN_LANS rule 1 action accept
set firewall name LOCAL_to_VPN_LANS rule 1 log enable
set firewall name LOCAL_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VPN_LANS rule 1000 action drop
set firewall name LOCAL_to_VPN_LANS rule 1000 state invalid enable
set firewall name LOCAL_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_LOCAL description "filter traffic from VPN_LANS to LOCAL zone"
set firewall name VPN_LANS_to_LOCAL enable-default-log
set firewall name VPN_LANS_to_LOCAL rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_LOCAL rule 10 action accept
set firewall name VPN_LANS_to_LOCAL rule 10 state established enable
set firewall name VPN_LANS_to_LOCAL rule 10 state related enable
set firewall name VPN_LANS_to_LOCAL rule 10 log enable
set firewall name VPN_LANS_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_LOCAL rule 1000 action drop
set firewall name VPN_LANS_to_LOCAL rule 1000 state invalid enable
set firewall name VPN_LANS_to_LOCAL rule 1000 log enable
set firewall name VPN_LANS_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VPN_LANS_to_LOCAL rule 1020 action accept
set firewall name VPN_LANS_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VPN_LANS_to_LOCAL rule 1020 protocol icmp
set firewall name VPN_LANS_to_LOCAL rule 1020 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1020 log enable
set firewall name VPN_LANS_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VPN_LANS_to_LOCAL rule 1030 action accept
set firewall name VPN_LANS_to_LOCAL rule 1030 destination port 67
set firewall name VPN_LANS_to_LOCAL rule 1030 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1030 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1030 log enable
set firewall name VPN_LANS_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VPN_LANS_to_LOCAL rule 1040 action accept
set firewall name VPN_LANS_to_LOCAL rule 1040 destination port 53
set firewall name VPN_LANS_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VPN_LANS_to_LOCAL rule 1040 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1040 log enable
set firewall name VPN_LANS_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VPN_LANS_to_LOCAL rule 1050 action accept
set firewall name VPN_LANS_to_LOCAL rule 1050 destination port 123
set firewall name VPN_LANS_to_LOCAL rule 1050 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1050 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1050 log enable
set firewall name VPN_LANS_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VPN_LANS_to_LOCAL rule 1060 action accept
set firewall name VPN_LANS_to_LOCAL rule 1060 protocol ospf
set firewall name VPN_LANS_to_LOCAL rule 1060 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1060 log enable
set firewall name VPN_LANS_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VPN_LANS_to_LOCAL rule 1070 action accept
set firewall name VPN_LANS_to_LOCAL rule 1070 destination port 5173
set firewall name VPN_LANS_to_LOCAL rule 1070 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1070 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1070 log enable
set firewall name VPN_LANS_to_LOCAL rule 1080 description "Allow OpenVPN Request 2"
set firewall name VPN_LANS_to_LOCAL rule 1080 action accept
set firewall name VPN_LANS_to_LOCAL rule 1080 destination port 5174
set firewall name VPN_LANS_to_LOCAL rule 1080 protocol udp
set firewall name VPN_LANS_to_LOCAL rule 1080 state new enable
set firewall name VPN_LANS_to_LOCAL rule 1080 log enable
set zone-policy zone VPN_LANS from LOCAL firewall name LOCAL_to_VPN_LANS
set zone-policy zone LOCAL from VPN_LANS firewall name VPN_LANS_to_LOCAL
set firewall name LOCAL_to_VTUN0 description "allow all traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL_to_VTUN0 rule 1 action accept
set firewall name LOCAL_to_VTUN0 rule 1 log enable
set firewall name LOCAL_to_VTUN0 rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VTUN0 rule 1000 action drop
set firewall name LOCAL_to_VTUN0 rule 1000 state invalid enable
set firewall name LOCAL_to_VTUN0 rule 1000 log enable
set firewall name VTUN0_to_VPN_LANS description "allow all traffic from VTUN0 to VPN_LANS zone"
set firewall name VTUN0_to_VPN_LANS rule 1 action accept
set firewall name VTUN0_to_VPN_LANS rule 1 log enable
set firewall name VTUN0_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name VTUN0_to_VPN_LANS rule 1000 action drop
set firewall name VTUN0_to_VPN_LANS rule 1000 state invalid enable
set firewall name VTUN0_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_VTUN0 description "filter traffic from VPN_LANS to VTUN0 zone"
set firewall name VPN_LANS_to_VTUN0 enable-default-log
set firewall name VPN_LANS_to_VTUN0 rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_VTUN0 rule 10 action accept
set firewall name VPN_LANS_to_VTUN0 rule 10 state established enable
set firewall name VPN_LANS_to_VTUN0 rule 10 state related enable
set firewall name VPN_LANS_to_VTUN0 rule 10 log enable
set firewall name VPN_LANS_to_VTUN0 rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_VTUN0 rule 1000 action drop
set firewall name VPN_LANS_to_VTUN0 rule 1000 state invalid enable
set firewall name VPN_LANS_to_VTUN0 rule 1000 log enable
set firewall name VTUN0_to_LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0_to_LOCAL enable-default-log
set firewall name VTUN0_to_LOCAL rule 10 description "Allow established/related"
set firewall name VTUN0_to_LOCAL rule 10 action accept
set firewall name VTUN0_to_LOCAL rule 10 state established enable
set firewall name VTUN0_to_LOCAL rule 10 state related enable
set firewall name VTUN0_to_LOCAL rule 10 log enable
set firewall name VTUN0_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VTUN0_to_LOCAL rule 1000 action drop
set firewall name VTUN0_to_LOCAL rule 1000 state invalid enable
set firewall name VTUN0_to_LOCAL rule 1000 log enable
set firewall name VTUN0_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN0_to_LOCAL rule 1020 action accept
set firewall name VTUN0_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN0_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN0_to_LOCAL rule 1020 state new enable
set firewall name VTUN0_to_LOCAL rule 1020 log enable
set firewall name VTUN0_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VTUN0_to_LOCAL rule 1030 action accept
set firewall name VTUN0_to_LOCAL rule 1030 destination port 67
set firewall name VTUN0_to_LOCAL rule 1030 protocol udp
set firewall name VTUN0_to_LOCAL rule 1030 state new enable
set firewall name VTUN0_to_LOCAL rule 1030 log enable
set firewall name VTUN0_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VTUN0_to_LOCAL rule 1040 action accept
set firewall name VTUN0_to_LOCAL rule 1040 destination port 53
set firewall name VTUN0_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VTUN0_to_LOCAL rule 1040 state new enable
set firewall name VTUN0_to_LOCAL rule 1040 log enable
set firewall name VTUN0_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VTUN0_to_LOCAL rule 1050 action accept
set firewall name VTUN0_to_LOCAL rule 1050 destination port 123
set firewall name VTUN0_to_LOCAL rule 1050 protocol udp
set firewall name VTUN0_to_LOCAL rule 1050 state new enable
set firewall name VTUN0_to_LOCAL rule 1050 log enable
set firewall name VTUN0_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN0_to_LOCAL rule 1060 action accept
set firewall name VTUN0_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN0_to_LOCAL rule 1060 state new enable
set firewall name VTUN0_to_LOCAL rule 1060 log enable
set firewall name VTUN0_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VTUN0_to_LOCAL rule 1070 action accept
set firewall name VTUN0_to_LOCAL rule 1070 destination port 5173
set firewall name VTUN0_to_LOCAL rule 1070 protocol udp
set firewall name VTUN0_to_LOCAL rule 1070 state new enable
set firewall name VTUN0_to_LOCAL rule 1070 log enable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL_to_VTUN0
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0_to_LOCAL
set zone-policy zone VPN_LANS from VTUN0 firewall name VTUN0_to_VPN_LANS
set zone-policy zone VTUN0 from VPN_LANS firewall name VPN_LANS_to_VTUN0
set firewall name LOCAL_to_VTUN1 description "allow all traffic from LOCAL to VTUN1 zone"
set firewall name LOCAL_to_VTUN1 rule 1 action accept
set firewall name LOCAL_to_VTUN1 rule 1 log enable
set firewall name LOCAL_to_VTUN1 rule 1000 description "Drop invalid"
set firewall name LOCAL_to_VTUN1 rule 1000 action drop
set firewall name LOCAL_to_VTUN1 rule 1000 state invalid enable
set firewall name LOCAL_to_VTUN1 rule 1000 log enable
set firewall name VTUN1_to_VPN_LANS description "allow all traffic from VTUN1 to VPN_LANS zone"
set firewall name VTUN1_to_VPN_LANS rule 1 action accept
set firewall name VTUN1_to_VPN_LANS rule 1 log enable
set firewall name VTUN1_to_VPN_LANS rule 1000 description "Drop invalid"
set firewall name VTUN1_to_VPN_LANS rule 1000 action drop
set firewall name VTUN1_to_VPN_LANS rule 1000 state invalid enable
set firewall name VTUN1_to_VPN_LANS rule 1000 log enable
set firewall name VPN_LANS_to_VTUN1 description "filter traffic from VPN_LANS to VTUN1 zone"
set firewall name VPN_LANS_to_VTUN1 enable-default-log
set firewall name VPN_LANS_to_VTUN1 rule 10 description "Allow established/related"
set firewall name VPN_LANS_to_VTUN1 rule 10 action accept
set firewall name VPN_LANS_to_VTUN1 rule 10 state established enable
set firewall name VPN_LANS_to_VTUN1 rule 10 state related enable
set firewall name VPN_LANS_to_VTUN1 rule 10 log enable
set firewall name VPN_LANS_to_VTUN1 rule 1000 description "Drop invalid"
set firewall name VPN_LANS_to_VTUN1 rule 1000 action drop
set firewall name VPN_LANS_to_VTUN1 rule 1000 state invalid enable
set firewall name VPN_LANS_to_VTUN1 rule 1000 log enable
set firewall name VTUN1_to_LOCAL description "filter traffic from VTUN1 to LOCAL zone"
set firewall name VTUN1_to_LOCAL enable-default-log
set firewall name VTUN1_to_LOCAL rule 10 description "Allow established/related"
set firewall name VTUN1_to_LOCAL rule 10 action accept
set firewall name VTUN1_to_LOCAL rule 10 state established enable
set firewall name VTUN1_to_LOCAL rule 10 state related enable
set firewall name VTUN1_to_LOCAL rule 10 log enable
set firewall name VTUN1_to_LOCAL rule 1000 description "Drop invalid"
set firewall name VTUN1_to_LOCAL rule 1000 action drop
set firewall name VTUN1_to_LOCAL rule 1000 state invalid enable
set firewall name VTUN1_to_LOCAL rule 1000 log enable
set firewall name VTUN1_to_LOCAL rule 1020 description "Allow ICMP"
set firewall name VTUN1_to_LOCAL rule 1020 action accept
set firewall name VTUN1_to_LOCAL rule 1020 icmp type-name echo-request
set firewall name VTUN1_to_LOCAL rule 1020 protocol icmp
set firewall name VTUN1_to_LOCAL rule 1020 state new enable
set firewall name VTUN1_to_LOCAL rule 1020 log enable
set firewall name VTUN1_to_LOCAL rule 1030 description "Allow DHCP Request"
set firewall name VTUN1_to_LOCAL rule 1030 action accept
set firewall name VTUN1_to_LOCAL rule 1030 destination port 67
set firewall name VTUN1_to_LOCAL rule 1030 protocol udp
set firewall name VTUN1_to_LOCAL rule 1030 state new enable
set firewall name VTUN1_to_LOCAL rule 1030 log enable
set firewall name VTUN1_to_LOCAL rule 1040 description "Allow DNS Request"
set firewall name VTUN1_to_LOCAL rule 1040 action accept
set firewall name VTUN1_to_LOCAL rule 1040 destination port 53
set firewall name VTUN1_to_LOCAL rule 1040 protocol tcp_udp
set firewall name VTUN1_to_LOCAL rule 1040 state new enable
set firewall name VTUN1_to_LOCAL rule 1040 log enable
set firewall name VTUN1_to_LOCAL rule 1050 description "Allow NTP Request"
set firewall name VTUN1_to_LOCAL rule 1050 action accept
set firewall name VTUN1_to_LOCAL rule 1050 destination port 123
set firewall name VTUN1_to_LOCAL rule 1050 protocol udp
set firewall name VTUN1_to_LOCAL rule 1050 state new enable
set firewall name VTUN1_to_LOCAL rule 1050 log enable
set firewall name VTUN1_to_LOCAL rule 1060 description "Allow OSPF"
set firewall name VTUN1_to_LOCAL rule 1060 action accept
set firewall name VTUN1_to_LOCAL rule 1060 protocol ospf
set firewall name VTUN1_to_LOCAL rule 1060 state new enable
set firewall name VTUN1_to_LOCAL rule 1060 log enable
set firewall name VTUN1_to_LOCAL rule 1070 description "Allow OpenVPN Request"
set firewall name VTUN1_to_LOCAL rule 1070 action accept
set firewall name VTUN1_to_LOCAL rule 1070 destination port 5174
set firewall name VTUN1_to_LOCAL rule 1070 protocol udp
set firewall name VTUN1_to_LOCAL rule 1070 state new enable
set firewall name VTUN1_to_LOCAL rule 1070 log enable
set zone-policy zone VTUN1 from LOCAL firewall name LOCAL_to_VTUN1
set zone-policy zone LOCAL from VTUN1 firewall name VTUN1_to_LOCAL
set zone-policy zone VPN_LANS from VTUN1 firewall name VTUN1_to_VPN_LANS
set zone-policy zone VTUN1 from VPN_LANS firewall name VPN_LANS_to_VTUN1
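The lock-out warning above comes down to one property of the zone-based firewall: every zone has default-action drop, so any ordered pair of zones without a "zone X from Y firewall name ..." line drops everything between them, including your own admin session. The following added example (not from the page) audits a set of zone-policy lines for exactly that. ZONE_CONFIG is constructed from the page's own zone and zone-pair lines; the function names missing_zone_pairs and zone_reaches_local are this example's.

```shell
#!/bin/sh
# Added example, not from the page: audit EdgeOS zone-policy lines for zone
# pairs with no firewall policy attached. With every zone at default-action
# drop, each such pair is silently dropped, which is how an admin gets locked
# out. ZONE_CONFIG is constructed from the page's own zone-policy lines.
set -eu

ZONE_CONFIG='set zone-policy zone LOCAL local-zone
set zone-policy zone VPN_LANS interface eth0
set zone-policy zone MANAGEMENT_LAN interface eth1
set zone-policy zone VTUN0 interface vtun0
set zone-policy zone VTUN1 interface vtun1
set zone-policy zone MANAGEMENT_LAN from LOCAL firewall name LOCAL_to_MGMT_LAN
set zone-policy zone LOCAL from MANAGEMENT_LAN firewall name MGMT_LAN_to_LOCAL
set zone-policy zone VPN_LANS from LOCAL firewall name LOCAL_to_VPN_LANS
set zone-policy zone LOCAL from VPN_LANS firewall name VPN_LANS_to_LOCAL
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL_to_VTUN0
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0_to_LOCAL
set zone-policy zone VPN_LANS from VTUN0 firewall name VTUN0_to_VPN_LANS
set zone-policy zone VTUN0 from VPN_LANS firewall name VPN_LANS_to_VTUN0
set zone-policy zone VTUN1 from LOCAL firewall name LOCAL_to_VTUN1
set zone-policy zone LOCAL from VTUN1 firewall name VTUN1_to_LOCAL
set zone-policy zone VPN_LANS from VTUN1 firewall name VTUN1_to_VPN_LANS
set zone-policy zone VTUN1 from VPN_LANS firewall name VPN_LANS_to_VTUN1'

# Reads "set zone-policy ..." lines on stdin and prints, sorted, every FROM->TO
# pair of distinct zones that has no firewall policy attached. Each of these is
# dropped by the zone's default action.
missing_zone_pairs() {
  awk '
    $1 == "set" && $2 == "zone-policy" && $3 == "zone" { zones[$4] = 1 }
    $5 == "from" && $7 == "firewall" && $8 == "name"  { covered[$6 "->" $4] = 1 }
    END {
      for (a in zones) for (b in zones)
        if (a != b && !((a "->" b) in covered)) print a "->" b
    }' | sort
}

# Exit 0 if zone $1 has a policy towards LOCAL (the router itself), i.e. an
# admin session arriving from that zone can at least be matched by a rule.
zone_reaches_local() {
  awk -v z="$1" '
    $1 == "set" && $2 == "zone-policy" && $3 == "zone" && $4 == "LOCAL" &&
    $5 == "from" && $6 == z && $7 == "firewall" { found = 1 }
    END { exit found ? 0 : 1 }'
}

echo "zone pairs with no policy (dropped by default-action):"
printf '%s\n' "$ZONE_CONFIG" | missing_zone_pairs
if printf '%s\n' "$ZONE_CONFIG" | zone_reaches_local MANAGEMENT_LAN; then
  echo "MANAGEMENT_LAN -> LOCAL has a policy, so the eth1 fallback path exists"
fi
```

On the page's configuration this lists eight pairs, all of them between MANAGEMENT_LAN, VTUN0 and VTUN1 (for example VTUN0->VTUN1), which is the intended isolation; anything involving LOCAL is covered, which is what keeps SSH from the management LAN working after the commit. Run the same check on your own `show configuration commands | grep zone-policy` output before committing.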
sudo su
cd /tmp
tar -czf OpenVPN-CA_dir-Config_dir-Date.tar.gz /config /usr/lib/ssl
Then use WinSCP on Windows or SFTP from a Linux file manager to log in and copy the file from /tmp to your computer. Keep it somewhere safe, and extract it, because we'll need its contents to create the .ovpn config files.
http://blog.iopsl.com/openvpn-configuration-in-a-single-file/
The benefit of a single configuration file is that it can be used on mobile devices where OpenVPN Connect is the official client (or imported in OSX tunnelier or a Linux network manager UI).
Insert the file contents into the following parts accordingly, namely ca.crt, client.crt, client.key and ta.key (in this setup: cacert.pem, VPNCLIENT01.pem, VPNCLIENT01.key and ta.key).
Base .ovpn config file without keys
client
float
resolv-retry infinite
nobind
mute-replay-warnings
verb 5
persist-key
persist-tun
explicit-exit-notify 1
dev tun
####comp-lzo
compress lz4
proto udp
cipher AES-256-CBC
auth SHA256
key-direction 1
#cert VPNCLIENT01.pem
#key VPNCLIENT01.key
#ca cacert.pem
#tls-auth ta.key 1
remote vpn.server.domain.name.com 5187
And the key files. You should be able to tell which is which from the file names you saved and their commented-out references in the config above.
<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
<tls-auth>
…
</tls-auth>
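Assembling the single-file .ovpn by hand is error-prone, so here is an added example (not from the page or the linked blog) that appends the four files as inline blocks. One detail a practitioner will hit: the .pem written by CA.sh -sign begins with a human-readable dump of the certificate, and only the PEM body between the BEGIN and END lines belongs inside <cert>. The function make_ovpn, the demo function ovpn_demo and the sample file contents are constructed for this example; the base config is a shortened copy of the one above.

```shell
#!/bin/sh
# Added example, not from the page: build a single-file .ovpn by appending the
# CA cert, client cert, client key and ta.key as <ca>, <cert>, <key> and
# <tls-auth> blocks. Only the PEM body of each file is copied, because the
# .pem from CA.sh -sign starts with a text dump that the inline parser rejects.
# make_ovpn, ovpn_demo and the sample file contents are constructed.
set -eu

# make_ovpn BASE CA CERT KEY TA  -> prints the combined .ovpn on stdout
make_ovpn() {
  base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
  cat "$base"
  for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-auth=$ta"; do
    tag=${pair%%=*}; file=${pair#*=}
    printf '<%s>\n' "$tag"
    sed -n '/^-----BEGIN /,/^-----END /p' "$file"   # PEM body only
    printf '</%s>\n' "$tag"
  done
}

# Builds a sample .ovpn from constructed stand-ins for the real files and
# prints it; the stand-in client cert carries the text dump that gets stripped.
ovpn_demo() {
  d=$(mktemp -d)
  cat > "$d/base.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.server.domain.name.com 5187
cipher AES-256-CBC
auth SHA256
key-direction 1
EOF
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA-BODY' \
    '-----END CERTIFICATE-----' > "$d/cacert.pem"
  printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT-BODY' \
    '-----END CERTIFICATE-----' > "$d/VPNCLIENT01.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-KEY-BODY' \
    '-----END RSA PRIVATE KEY-----' > "$d/VPNCLIENT01.key"
  printf '%s\n' '#' '# 2048 bit OpenVPN static key' '#' \
    '-----BEGIN OpenVPN Static key V1-----' 'CONSTRUCTED-TA-BODY' \
    '-----END OpenVPN Static key V1-----' > "$d/ta.key"
  make_ovpn "$d/base.ovpn" "$d/cacert.pem" "$d/VPNCLIENT01.pem" \
    "$d/VPNCLIENT01.key" "$d/ta.key"
  rm -rf "$d"
}

ovpn_demo
```

With the real files you would call `make_ovpn base.ovpn cacert.pem VPNCLIENT01.pem VPNCLIENT01.key ta.key > VPNCLIENT01.ovpn` from the extracted backup. The `key-direction 1` line in the base config is what the inline <tls-auth> block relies on, matching the `--tls-auth /config/auth/ta.key 0` on the server side; the resulting file contains the client's private key and ta.key in clear, so treat it like the key files themselves.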