OpenVPN Road Warrior Server with Zone Based Firewall on Edgerouter, Behind Existing Router

https://help.ui.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server
https://unbranched.tech/setup-openvpn-on-the-edgerouter-4/

We are going to set up an OpenVPN server on an EdgeRouter behind an existing routing device. It will allow outside clients to connect and access the internal network(s). This document is based on the EdgeRouter X since it has faster CPUs than the ERLite and is cheap. Optionally, it will also run 2 separate OpenVPN servers to spread load across the 2 CPUs of the ER-X, push DNS servers to clients so they can resolve internal hostnames, and use OSPF to advertise the routes of the internal LAN(s).

Plan and Record Info

Example documentation (a record to fill in for your own deployment; the values below are placeholders and differ from the ones used in the commands further down):

Role: OpenVPN server for roadwarriors
ETH0: LOCAL_LANS, IP 10.1.10.5
User: vpn_server_admin
Pass: somethingGood&Long
CA PEM pass phrase: somethingGooder&Longer
Temp client/server certificate pass phrase: 1234

VPN Accessible Subnets: 10.1.10.0/24
VPN Client Subnets: 10.1.99.0/24
OpenVPN Ports: 5119 UDP
Public FQDN: openvpnhost.somedomain.com
Public IP (unknown if static): 100.100.100.100 (as of 03/03/2022)

VPNCLIENT01 | 10.1.99.11 | Used by Firstname Lastname starting 12/18/2021
VPNCLIENT02 | 10.1.99.12
VPNCLIENT03 | 10.1.99.13
VPNCLIENT04 | 10.1.99.14
VPNCLIENT05 | 10.1.99.15

Note: to run an OpenVPN server behind an existing router, you need to add a static route on that router pointing at the OpenVPN client subnets. In this example the next hop would be 10.4.1.247 (the IP of the ER-X) for the subnets 10.99.98.0/24 and 10.99.99.0/24.

Be sure to commit → save after each section (until you get the firewall setup).

Initial Setup

Create User and Configure Interfaces

(remember: configure → commit → save)

Configure user account
set system login user vpnadmin authentication plaintext-password SuperSecretPW
Delete Default ubnt Account

Log out of the default account, log in again using the new account, then delete the default account.

delete system login user ubnt
Set Time and Date

(note: this is done from the operational-mode prompt, not inside "configure")

sudo su
date MMDDhhmmYYYY
### e.g. date 030312002022 for 03 Mar 2022 12:00. Without sudo, the EdgeOS operational-mode form is: set date MMDDhhmmYYYY
exit
Add Default Route to the Upstream Gateway
set protocols static route 0.0.0.0/0 next-hop 10.4.1.1
Configure Base System Settings
set system host-name wpnsec01
set system domain-name yourdomain.com
set system time-zone US/Pacific
set system name-server 208.67.220.220
set system name-server 8.8.4.4
set system ntp server pool.ntp.org
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\t Please contact 'support@domain.com' to gain\n\taccess to this equipment if you need authorization.\n\n\n"
### the address is single-quoted because unescaped double quotes inside the banner string would end it early
Disable Logging

On an ER-X running 2.0.9 the default logging level causes it to lock up. After disabling local logging I'd recommend adding a remote syslog host, so the firewall rule logging enabled later still goes somewhere.

set system syslog global facility all level emerg
set system syslog global facility protocols level emerg
Disable Misc Ubiquiti Services
set service ubnt-discover-server disable
set service ubnt-discover disable
set service unms disable
set system analytics-handler send-analytics-report false
Configure physical interfaces
set interfaces ethernet eth0 description "VPN_LANS"
set interfaces ethernet eth0 address 10.4.1.247/24
delete interfaces ethernet eth0 address 192.168.1.1/24
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description "MANAGEMENT_LAN"
set interfaces ethernet eth1 address 172.8.8.11/24
set interfaces ethernet eth2 disable
set interfaces ethernet eth3 disable
set interfaces ethernet eth4 disable

Now disconnect from ETH0 and plug into ETH1 (remember to set a static IP on your computer in the 172.8.8.0/24 management subnet).

Setup Certificate Authority

Login to the CLI as a user and stay in operational mode.

ssh user@Router1

Enable root level access

sudo su

Change directory location

cd /usr/lib/ssl/misc/

(note: /usr/lib/ssl/misc/demoCA is not preserved across firmware updates, so after each update you'll need to restore it from your backup before you issue any new certificates)

Generate Certificate Authority (check to make sure your date is correct 1st!)

./CA.pl -newca
CA certificate filename (or enter to create)   ### press Enter
Enter PEM pass phrase:                          ### create the CA password
Verifying - Enter PEM pass phrase:              ### repeat it

Record this pass phrase for later use when additional VPN users are added, label it “CA Key PEM passphrase”.

Fill in information as needed following prompts

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:LEAVE BLANK
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:LEAVE BLANK
Common Name (DEVICE CA NAME, not public FQDN) []:WPN01-CA ###(don’t use domain name here, use a device name)
Email Address []:LEAVE BLANK

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:LEAVE BLANK
An optional company name []:LEAVE BLANK

This will create /usr/lib/ssl/misc/demoCA with its associated files. (If you messed up or need to change something, delete the contents of /usr/lib/ssl/misc/demoCA and start again from ./CA.pl -newca.)

Create Server Certificate and Key

This is the key that will stay on the EdgeRouter.
Note: continuing from the previous section, you remain logged in as root in the /usr/lib/ssl/misc/ directory.

Fill out the prompts as above with your information. The "Common Name" must be unique; use the full public domain name if you have one (e.g. openvpn_obscured.domain.com). For the key pass phrase use a simple temporary password (e.g. 1234) since it will be removed later, but record it anyway.

Generate Certificate
./CA.pl -newreq
Sign Certificate

The password it asks for is your CA pem passphrase.

./CA.pl -sign
### This will create newreq.pem, newkey.pem, and newcert.pem in /usr/lib/ssl/misc/

Move and rename the files to /config/auth/, which is preserved during firmware upgrades, and for clarity. Note: again, you remain logged in as root in the /usr/lib/ssl/misc/ directory.

Move cacert.pem
mkdir -p /config/auth/
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
Move and Rename newcert.pem
mv newcert.pem /config/auth/server.pem
Move and Rename newkey.pem
mv newkey.pem /config/auth/server.key
### Note: the newkey.pem file extension changes to .key.

To confirm these files are in the proper location with the proper name and extension, run "ls /config/auth/" to view them.

Create Diffie-Hellman Parameter File

Note: Remain logged in as user with root privileges by entering “sudo su” and in the /usr/lib/ssl/misc/ directory.

openssl dhparam -out /config/auth/dhp.pem -2 2048
### This process will take some time and generate dhp.pem in /config/auth/

I'd recommend 4096 or more but it will take forever on an ERX. If you have access to a Linux based computer do this (it took 5 minutes on an i7-8550U):

openssl dhparam -out ~/dhp.pem -2 4096

Then open the pem file and copy and paste it into /config/auth/dhp.pem

Generate Additional TLS Auth key

(OpenVPN server will not respond to packets unless those packets have a valid signature from a pre-shared key)

openvpn --genkey --secret /config/auth/ta.key
chmod 644 /config/auth/ta.key
### ta.key is a shared secret; 600 also works because OpenVPN reads it at startup before --user nobody drops privileges
Add certificate revocation list (CRL)

(note: the revocation procedure below was originally untested; it has since been tested and works, more or less, see the second command block below)

echo 01 > /usr/lib/ssl/misc/demoCA/crlnumber
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem

To revoke a certificate… you need the pem of the certificate you want to revoke, so keep a copy handy… I keep them in /config/auth

cd /usr/lib/ssl/misc
openssl ca -revoke /config/auth/<filename>.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem

Then remove the revoked certificate (.pem and .key) files from /config/auth so you don't accidentally use them again (they won't work anyway). You can leave the client entry in the OpenVPN server config to be reused if it was a generic name; otherwise delete that as well.

Remove Passwords from Key Files
sudo su
### Create new .key with no password
openssl rsa -in /config/auth/server.key -out /config/auth/server-rmpass.key
### The password prompt here is the temp password you used when generating the key (here we used 1234)
### Move server-rmpass.key to server.key overwriting the original
mv /config/auth/server-rmpass.key /config/auth/server.key

Configure OpenVPN interfaces

Server settings (adjust the ports, tunnel subnets, pushed route and DNS servers to your network):

set interfaces openvpn vtun0 description "OpenVPN Server for Company Users and IT VTUN0"
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 hash sha512
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--ncp-ciphers AES-256-GCM"
set interfaces openvpn vtun0 openvpn-option "--auth SHA512"
set interfaces openvpn vtun0 openvpn-option "--tls-server"
set interfaces openvpn vtun0 openvpn-option "--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
set interfaces openvpn vtun0 openvpn-option "--tls-version-min 1.2"
set interfaces openvpn vtun0 server subnet 10.99.98.0/24
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.17"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.19"
set interfaces openvpn vtun0 server push-route 10.4.1.0/24
set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun0 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun1 local-port 5174
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 hash sha512
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 openvpn-option "--ncp-ciphers AES-256-GCM"
set interfaces openvpn vtun1 openvpn-option "--auth SHA512"
set interfaces openvpn vtun1 openvpn-option "--tls-server"
set interfaces openvpn vtun1 openvpn-option "--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
set interfaces openvpn vtun1 openvpn-option "--tls-version-min 1.2"
set interfaces openvpn vtun1 server subnet 10.99.99.0/24
### each server needs its own tunnel subnet; 10.99.98.0/24 is already used by vtun0
set interfaces openvpn vtun1 openvpn-option "--push dhcp-option DNS 10.222.190.17"
set interfaces openvpn vtun1 openvpn-option "--push dhcp-option DNS 10.222.190.19"
set interfaces openvpn vtun1 server push-route 10.4.1.0/24
set interfaces openvpn vtun1 ip ospf network point-to-point
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun1 tls key-file /config/auth/server.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun1 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun1 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
Setup OSPF for VPN_LANS

Do this only if you plan on using OSPF elsewhere in your network or already do, if you already do, modify accordingly.

set protocols ospf parameters router-id 10.4.1.247
set protocols ospf area 0.0.0.0 network 10.4.1.0/24
set protocols ospf redistribute connected
set interfaces ethernet eth0 ip ospf cost 10
set interfaces ethernet eth0 ip ospf dead-interval 40
set interfaces ethernet eth0 ip ospf hello-interval 10
set interfaces ethernet eth0 ip ospf priority 1
set interfaces ethernet eth0 ip ospf retransmit-interval 5
set interfaces ethernet eth0 ip ospf transmit-delay 1
Add md5 authentication to OSPF
set protocols ospf area 0.0.0.0 authentication md5
set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key SomeSuperSecretPasswordForOSPF

Create Zone Policies and Firewall Rules

Firewall Groups

Port groups are preferred since a port only has to be changed in one place and the same group can be referenced by several rulesets. Add a group for OSPF if you need one.

echo ==IT OVPN Server Port Group UDP==
set firewall group port-group IT-OVPN-SVR-UDP description "OVPN Server UDP Ports used by Clients"
set firewall group port-group IT-OVPN-SVR-UDP port 5173
set firewall group port-group IT-OVPN-SVR-UDP port 5174
### these must match the local-port of each vtun interface configured above

echo ==LOCAL Edgerouter Client Port Group TCP==
set firewall group port-group LOCAL-TCP description "LOCAL Ports used by Clients TCP"
set firewall group port-group LOCAL-TCP port 53

echo ==LOCAL Edgerouter Client Port Group UDP==
set firewall group port-group LOCAL-UDP description "LOCAL Ports used by Clients UDP"
set firewall group port-group LOCAL-UDP port 53
set firewall group port-group LOCAL-UDP port 67
set firewall group port-group LOCAL-UDP port 123
set firewall group port-group LOCAL-UDP port 5353

echo ==Basic Web Access Port Group TCP==
set firewall group port-group BASIC-WEB-TCP description "Basic Web Access Port Group TCP"
set firewall group port-group BASIC-WEB-TCP port 853
set firewall group port-group BASIC-WEB-TCP port 443
set firewall group port-group BASIC-WEB-TCP port 80

echo ==Basic Web Access Port Group UDP==
set firewall group port-group BASIC-WEB-UDP description "Basic Web Access Port Group UDP"
set firewall group port-group BASIC-WEB-UDP port 53
set firewall group port-group BASIC-WEB-UDP port 123

echo ==Local Admin Access Port Group TCP==
set firewall group port-group ADMIN-ACCESS-TCP description "Local Admin Access Port Group TCP"
set firewall group port-group ADMIN-ACCESS-TCP port 22
set firewall group port-group ADMIN-ACCESS-TCP port 443
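The UDP port group above has to contain the local-port of every vtun interface configured earlier, the two servers need distinct tunnel subnets, and the static client IPs assigned later in this guide must fall inside the subnet of the server they belong to. The following script is an added example, not part of this guide or of EdgeOS, that checks those three things against the `set` lines before you commit them. The configuration embedded in it is constructed and deliberately contains a port group with the wrong port, a duplicated subnet and a client IP outside its subnet. It relies on this guide's own naming convention for rulesets (`<from>.<to>`, so `*.LOCAL` are the rulesets that decide what may reach the router itself).

```python
"""Consistency checks for the OpenVPN servers and the UDP port group.

Added example, not part of the guide or of EdgeOS. It parses `set ...` lines as
typed into `configure` and reports: a server listening on a UDP port that no
port group accepted into the LOCAL zone contains, two servers with overlapping
tunnel subnets, and a static client IP outside its server's subnet.
"""
import ipaddress
import shlex

# Constructed sample (not from the guide): reduced copy of the guide's commands
# with three deliberate mistakes for the checker to find.
SAMPLE_CONFIG = """
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 10.99.98.0/24
set interfaces openvpn vtun0 server push-route 10.4.1.0/24
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.222.190.17"
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.99.99.11
set interfaces openvpn vtun1 local-port 5174
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 server subnet 10.99.98.0/24
set firewall group port-group IT-OVPN-SVR-UDP port 5119
set firewall name B_IT_VPN.LOCAL rule 300 action accept
set firewall name B_IT_VPN.LOCAL rule 300 destination group port-group IT-OVPN-SVR-UDP
set firewall name B_IT_VPN.LOCAL rule 300 protocol udp
"""


def parse(config):
    """One token list per `set` line, with the leading `set` removed."""
    return [shlex.split(line)[1:] for line in config.splitlines()
            if line.strip().startswith("set ")]


def openvpn_servers(tokens):
    """vtun name -> {"port": int|None, "subnet": network|None, "clients": {name: ip}}."""
    servers = {}
    for t in tokens:
        if t[:2] != ["interfaces", "openvpn"]:
            continue
        s = servers.setdefault(t[2], {"port": None, "subnet": None, "clients": {}})
        rest = t[3:]
        if rest[:1] == ["local-port"]:
            s["port"] = int(rest[1])
        elif rest[:2] == ["server", "subnet"]:
            s["subnet"] = ipaddress.ip_network(rest[2])
        elif rest[:2] == ["server", "client"] and rest[3:4] == ["ip"]:
            s["clients"][rest[2]] = ipaddress.ip_address(rest[4])
    return servers


def port_groups(tokens):
    """port-group name -> set of ports."""
    groups = {}
    for t in tokens:
        if t[:3] == ["firewall", "group", "port-group"] and t[4:5] == ["port"]:
            groups.setdefault(t[3], set()).add(int(t[5]))
    return groups


def udp_ports_into_local(tokens, groups):
    """Ports accepted by UDP rules in rulesets named '*.LOCAL' (the guide's
    naming convention for traffic destined to the router itself)."""
    rules = {}
    for t in tokens:
        if t[:2] != ["firewall", "name"] or not t[2].endswith(".LOCAL") or t[3:4] != ["rule"]:
            continue
        r = rules.setdefault((t[2], t[4]), {})
        if t[5:8] == ["destination", "group", "port-group"]:
            r["group"] = t[8]
        elif t[5:6] == ["protocol"]:
            r["proto"] = t[6]
        elif t[5:6] == ["action"]:
            r["action"] = t[6]
    ports = set()
    for r in rules.values():
        if r.get("action") == "accept" and r.get("proto") == "udp" and "group" in r:
            ports |= groups.get(r["group"], set())
    return ports


def check(config):
    """Return a list of findings (empty when the configuration is consistent)."""
    tokens = parse(config)
    groups = port_groups(tokens)
    allowed = udp_ports_into_local(tokens, groups)
    findings, seen = [], []
    for name, s in sorted(openvpn_servers(tokens).items()):
        if s["port"] is not None and s["port"] not in allowed:
            findings.append(f"{name}: UDP port {s['port']} is not in any port group "
                            f"accepted into LOCAL (accepted: {sorted(allowed)})")
        if s["subnet"] is None:
            continue
        for other, net in seen:
            if s["subnet"].overlaps(net):
                findings.append(f"{name}: server subnet {s['subnet']} overlaps {net} on {other}")
        seen.append((name, s["subnet"]))
        for client, ip in s["clients"].items():
            if ip not in s["subnet"]:
                findings.append(f"{name}: static IP {ip} for {client} is outside {s['subnet']}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIG) or ["OK: no inconsistencies found"]:
        print(line)
```

To run it against a real device, paste the output of `show configuration commands` (or the lines from this guide) into `SAMPLE_CONFIG`, or call `check()` on a file's contents; an empty result means all three checks passed.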
Firewall Zones

Here we are setting up zones for a router with 2 different OpenVPN servers. One zone is for the LAN the VPN server itself sits on, which might be the same subnet as the network you're trying to reach or a separate subnet connected to it via routes. A management LAN zone is also included if you use one.

If you don't have a dedicated management LAN then skip that zone and add the SSH and HTTPS ports to the VPN_LANS to LOCAL zone.

READ THIS WHOLE SECTION FIRST: define the firewall rules AND the zone-pair policies before committing, otherwise you WILL be locked out.

Commit and save your previous changes before continuing, this way a power cycle will get you back in to this point to try again.

Don't commit again until you have all your rules in, or at least the zone pairs that let you retain access to the router; otherwise you'll lose access and will have to power cycle the device and start again.

Setup Zones
set zone-policy zone LOCAL description "this is the EdgeRouter or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone B_IT_VPN description "LAN for IT VPN devices"
set zone-policy zone B_IT_VPN default-action drop
set zone-policy zone B_IT_VPN interface eth0
set zone-policy zone B_MGMT_LAN description "Management LAN"
set zone-policy zone B_MGMT_LAN default-action drop
set zone-policy zone B_MGMT_LAN interface eth1
set zone-policy zone B_MGMT_LAN interface eth2
set zone-policy zone VTUN0 description "VPN for IT (Primary)"
set zone-policy zone VTUN0 default-action drop
set zone-policy zone VTUN0 interface vtun0
set zone-policy zone VTUN1 description "VPN for IT (Secondary)"
set zone-policy zone VTUN1 default-action drop
set zone-policy zone VTUN1 interface vtun1

echo ==LOCAL to B_IT_VPN==
set firewall name LOCAL.B_IT_VPN description "filter traffic from LOCAL to B_IT_VPN zone"
set firewall name LOCAL.B_IT_VPN enable-default-log
set firewall name LOCAL.B_IT_VPN rule 100 description "Allow established/related"
set firewall name LOCAL.B_IT_VPN rule 100 action accept
set firewall name LOCAL.B_IT_VPN rule 100 state established enable
set firewall name LOCAL.B_IT_VPN rule 100 state related enable
set firewall name LOCAL.B_IT_VPN rule 100 log enable
set firewall name LOCAL.B_IT_VPN rule 200 description "Drop invalid"
set firewall name LOCAL.B_IT_VPN rule 200 action drop
set firewall name LOCAL.B_IT_VPN rule 200 state invalid enable
set firewall name LOCAL.B_IT_VPN rule 200 log enable
set firewall name LOCAL.B_IT_VPN rule 300 action accept
set firewall name LOCAL.B_IT_VPN rule 300 destination group port-group BASIC-WEB-TCP
set firewall name LOCAL.B_IT_VPN rule 300 protocol tcp
set firewall name LOCAL.B_IT_VPN rule 300 state new enable
set firewall name LOCAL.B_IT_VPN rule 300 log enable
set firewall name LOCAL.B_IT_VPN rule 301 action accept
set firewall name LOCAL.B_IT_VPN rule 301 destination group port-group BASIC-WEB-UDP
set firewall name LOCAL.B_IT_VPN rule 301 protocol udp
set firewall name LOCAL.B_IT_VPN rule 301 state new enable
set firewall name LOCAL.B_IT_VPN rule 301 log enable
set firewall name LOCAL.B_IT_VPN rule 1060 description "Allow OSPF"
set firewall name LOCAL.B_IT_VPN rule 1060 action accept
set firewall name LOCAL.B_IT_VPN rule 1060 protocol ospf
set firewall name LOCAL.B_IT_VPN rule 1060 state new enable
set firewall name LOCAL.B_IT_VPN rule 1060 log enable
set zone-policy zone B_IT_VPN from LOCAL firewall name LOCAL.B_IT_VPN

echo ==LOCAL to B_MGMT_LAN==
set firewall name LOCAL.B_MGMT_LAN description "filter traffic from LOCAL to B_MGMT_LAN zone"
set firewall name LOCAL.B_MGMT_LAN enable-default-log
set firewall name LOCAL.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name LOCAL.B_MGMT_LAN rule 100 action accept
set firewall name LOCAL.B_MGMT_LAN rule 100 state established enable
set firewall name LOCAL.B_MGMT_LAN rule 100 state related enable
set firewall name LOCAL.B_MGMT_LAN rule 100 log enable
set firewall name LOCAL.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name LOCAL.B_MGMT_LAN rule 200 action drop
set firewall name LOCAL.B_MGMT_LAN rule 200 state invalid enable
set firewall name LOCAL.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from LOCAL firewall name LOCAL.B_MGMT_LAN

echo ==LOCAL to VTUN0==
set firewall name LOCAL.VTUN0 description "filter traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL.VTUN0 enable-default-log
set firewall name LOCAL.VTUN0 rule 100 description "Allow established/related"
set firewall name LOCAL.VTUN0 rule 100 action accept
set firewall name LOCAL.VTUN0 rule 100 state established enable
set firewall name LOCAL.VTUN0 rule 100 state related enable
set firewall name LOCAL.VTUN0 rule 100 log enable
set firewall name LOCAL.VTUN0 rule 200 description "Drop invalid"
set firewall name LOCAL.VTUN0 rule 200 action drop
set firewall name LOCAL.VTUN0 rule 200 state invalid enable
set firewall name LOCAL.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL.VTUN0

echo ==LOCAL to VTUN1==
set firewall name LOCAL.VTUN1 description "filter traffic from LOCAL to VTUN1 zone"
set firewall name LOCAL.VTUN1 enable-default-log
set firewall name LOCAL.VTUN1 rule 100 description "Allow established/related"
set firewall name LOCAL.VTUN1 rule 100 action accept
set firewall name LOCAL.VTUN1 rule 100 state established enable
set firewall name LOCAL.VTUN1 rule 100 state related enable
set firewall name LOCAL.VTUN1 rule 100 log enable
set firewall name LOCAL.VTUN1 rule 200 description "Drop invalid"
set firewall name LOCAL.VTUN1 rule 200 action drop
set firewall name LOCAL.VTUN1 rule 200 state invalid enable
set firewall name LOCAL.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from LOCAL firewall name LOCAL.VTUN1

echo ==B_IT_VPN to LOCAL==
set firewall name B_IT_VPN.LOCAL description "filter traffic from B_IT_VPN to LOCAL zone"
set firewall name B_IT_VPN.LOCAL enable-default-log
set firewall name B_IT_VPN.LOCAL rule 100 description "Allow established/related"
set firewall name B_IT_VPN.LOCAL rule 100 action accept
set firewall name B_IT_VPN.LOCAL rule 100 state established enable
set firewall name B_IT_VPN.LOCAL rule 100 state related enable
set firewall name B_IT_VPN.LOCAL rule 100 log enable
set firewall name B_IT_VPN.LOCAL rule 200 description "Drop invalid"
set firewall name B_IT_VPN.LOCAL rule 200 action drop
set firewall name B_IT_VPN.LOCAL rule 200 state invalid enable
set firewall name B_IT_VPN.LOCAL rule 200 log enable
set firewall name B_IT_VPN.LOCAL rule 300 action accept
set firewall name B_IT_VPN.LOCAL rule 300 destination group port-group IT-OVPN-SVR-UDP
set firewall name B_IT_VPN.LOCAL rule 300 protocol udp
set firewall name B_IT_VPN.LOCAL rule 300 state new enable
set firewall name B_IT_VPN.LOCAL rule 300 log enable
set firewall name B_IT_VPN.LOCAL rule 1060 description "Allow OSPF"
set firewall name B_IT_VPN.LOCAL rule 1060 action accept
set firewall name B_IT_VPN.LOCAL rule 1060 protocol ospf
set firewall name B_IT_VPN.LOCAL rule 1060 state new enable
set firewall name B_IT_VPN.LOCAL rule 1060 log enable
set zone-policy zone LOCAL from B_IT_VPN firewall name B_IT_VPN.LOCAL

echo ==B_IT_VPN to VTUN0==
set firewall name B_IT_VPN.VTUN0 description "filter traffic from B_IT_VPN to VTUN0 zone"
set firewall name B_IT_VPN.VTUN0 enable-default-log
set firewall name B_IT_VPN.VTUN0 rule 100 description "Allow established/related"
set firewall name B_IT_VPN.VTUN0 rule 100 action accept
set firewall name B_IT_VPN.VTUN0 rule 100 state established enable
set firewall name B_IT_VPN.VTUN0 rule 100 state related enable
set firewall name B_IT_VPN.VTUN0 rule 100 log enable
set firewall name B_IT_VPN.VTUN0 rule 200 description "Drop invalid"
set firewall name B_IT_VPN.VTUN0 rule 200 action drop
set firewall name B_IT_VPN.VTUN0 rule 200 state invalid enable
set firewall name B_IT_VPN.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from B_IT_VPN firewall name B_IT_VPN.VTUN0

echo ==B_IT_VPN to VTUN1==
set firewall name B_IT_VPN.VTUN1 description "filter traffic from B_IT_VPN to VTUN1 zone"
set firewall name B_IT_VPN.VTUN1 enable-default-log
set firewall name B_IT_VPN.VTUN1 rule 100 description "Allow established/related"
set firewall name B_IT_VPN.VTUN1 rule 100 action accept
set firewall name B_IT_VPN.VTUN1 rule 100 state established enable
set firewall name B_IT_VPN.VTUN1 rule 100 state related enable
set firewall name B_IT_VPN.VTUN1 rule 100 log enable
set firewall name B_IT_VPN.VTUN1 rule 200 description "Drop invalid"
set firewall name B_IT_VPN.VTUN1 rule 200 action drop
set firewall name B_IT_VPN.VTUN1 rule 200 state invalid enable
set firewall name B_IT_VPN.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from B_IT_VPN firewall name B_IT_VPN.VTUN1

echo ==B_MGMT_LAN to LOCAL==
set firewall name B_MGMT_LAN.LOCAL description "filter traffic from B_MGMT_LAN to LOCAL zone"
set firewall name B_MGMT_LAN.LOCAL enable-default-log
set firewall name B_MGMT_LAN.LOCAL rule 80 description "Allow All"
set firewall name B_MGMT_LAN.LOCAL rule 80 action accept
set firewall name B_MGMT_LAN.LOCAL rule 80 log enable
set firewall name B_MGMT_LAN.LOCAL rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.LOCAL rule 100 action accept
set firewall name B_MGMT_LAN.LOCAL rule 100 state established enable
set firewall name B_MGMT_LAN.LOCAL rule 100 state related enable
set firewall name B_MGMT_LAN.LOCAL rule 100 log enable
set firewall name B_MGMT_LAN.LOCAL rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.LOCAL rule 200 action drop
set firewall name B_MGMT_LAN.LOCAL rule 200 state invalid enable
set firewall name B_MGMT_LAN.LOCAL rule 200 log enable
set zone-policy zone LOCAL from B_MGMT_LAN firewall name B_MGMT_LAN.LOCAL

echo ==B_MGMT_LAN to VTUN0==
set firewall name B_MGMT_LAN.VTUN0 description "filter traffic from B_MGMT_LAN to VTUN0 zone"
set firewall name B_MGMT_LAN.VTUN0 enable-default-log
set firewall name B_MGMT_LAN.VTUN0 rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.VTUN0 rule 100 action accept
set firewall name B_MGMT_LAN.VTUN0 rule 100 state established enable
set firewall name B_MGMT_LAN.VTUN0 rule 100 state related enable
set firewall name B_MGMT_LAN.VTUN0 rule 100 log enable
set firewall name B_MGMT_LAN.VTUN0 rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.VTUN0 rule 200 action drop
set firewall name B_MGMT_LAN.VTUN0 rule 200 state invalid enable
set firewall name B_MGMT_LAN.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from B_MGMT_LAN firewall name B_MGMT_LAN.VTUN0

echo ==B_MGMT_LAN to VTUN1==
set firewall name B_MGMT_LAN.VTUN1 description "filter traffic from B_MGMT_LAN to VTUN1 zone"
set firewall name B_MGMT_LAN.VTUN1 enable-default-log
set firewall name B_MGMT_LAN.VTUN1 rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.VTUN1 rule 100 action accept
set firewall name B_MGMT_LAN.VTUN1 rule 100 state established enable
set firewall name B_MGMT_LAN.VTUN1 rule 100 state related enable
set firewall name B_MGMT_LAN.VTUN1 rule 100 log enable
set firewall name B_MGMT_LAN.VTUN1 rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.VTUN1 rule 200 action drop
set firewall name B_MGMT_LAN.VTUN1 rule 200 state invalid enable
set firewall name B_MGMT_LAN.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from B_MGMT_LAN firewall name B_MGMT_LAN.VTUN1

echo ==VTUN0 to LOCAL==
set firewall name VTUN0.LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0.LOCAL enable-default-log
set firewall name VTUN0.LOCAL rule 80 description "Allow All"
set firewall name VTUN0.LOCAL rule 80 action accept
set firewall name VTUN0.LOCAL rule 80 log enable
set firewall name VTUN0.LOCAL rule 100 description "Allow established/related"
set firewall name VTUN0.LOCAL rule 100 action accept
set firewall name VTUN0.LOCAL rule 100 state established enable
set firewall name VTUN0.LOCAL rule 100 state related enable
set firewall name VTUN0.LOCAL rule 100 log enable
set firewall name VTUN0.LOCAL rule 200 description "Drop invalid"
set firewall name VTUN0.LOCAL rule 200 action drop
set firewall name VTUN0.LOCAL rule 200 state invalid enable
set firewall name VTUN0.LOCAL rule 200 log enable
set firewall name VTUN0.LOCAL rule 300 action accept
set firewall name VTUN0.LOCAL rule 300 destination group port-group LOCAL-TCP
set firewall name VTUN0.LOCAL rule 300 protocol tcp
set firewall name VTUN0.LOCAL rule 300 state new enable
set firewall name VTUN0.LOCAL rule 300 log enable
set firewall name VTUN0.LOCAL rule 301 action accept
set firewall name VTUN0.LOCAL rule 301 destination group port-group LOCAL-UDP
set firewall name VTUN0.LOCAL rule 301 protocol udp
set firewall name VTUN0.LOCAL rule 301 state new enable
set firewall name VTUN0.LOCAL rule 301 log enable
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0.LOCAL

echo ==VTUN0 to B_IT_VPN==
set firewall name VTUN0.B_IT_VPN description "filter traffic from VTUN0 to B_IT_VPN zone"
set firewall name VTUN0.B_IT_VPN enable-default-log
set firewall name VTUN0.B_IT_VPN rule 80 description "Allow All"
set firewall name VTUN0.B_IT_VPN rule 80 action accept
set firewall name VTUN0.B_IT_VPN rule 80 log enable
set firewall name VTUN0.B_IT_VPN rule 100 description "Allow established/related"
set firewall name VTUN0.B_IT_VPN rule 100 action accept
set firewall name VTUN0.B_IT_VPN rule 100 state established enable
set firewall name VTUN0.B_IT_VPN rule 100 state related enable
set firewall name VTUN0.B_IT_VPN rule 100 log enable
set firewall name VTUN0.B_IT_VPN rule 200 description "Drop invalid"
set firewall name VTUN0.B_IT_VPN rule 200 action drop
set firewall name VTUN0.B_IT_VPN rule 200 state invalid enable
set firewall name VTUN0.B_IT_VPN rule 200 log enable
set zone-policy zone B_IT_VPN from VTUN0 firewall name VTUN0.B_IT_VPN

echo ==VTUN0 to B_MGMT_LAN==
set firewall name VTUN0.B_MGMT_LAN description "filter traffic from VTUN0 to B_MGMT_LAN zone"
set firewall name VTUN0.B_MGMT_LAN enable-default-log
set firewall name VTUN0.B_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN0.B_MGMT_LAN rule 80 action accept
set firewall name VTUN0.B_MGMT_LAN rule 80 log enable
set firewall name VTUN0.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name VTUN0.B_MGMT_LAN rule 100 action accept
set firewall name VTUN0.B_MGMT_LAN rule 100 state established enable
set firewall name VTUN0.B_MGMT_LAN rule 100 state related enable
set firewall name VTUN0.B_MGMT_LAN rule 100 log enable
set firewall name VTUN0.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name VTUN0.B_MGMT_LAN rule 200 action drop
set firewall name VTUN0.B_MGMT_LAN rule 200 state invalid enable
set firewall name VTUN0.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from VTUN0 firewall name VTUN0.B_MGMT_LAN

echo ==VTUN1 to LOCAL==
set firewall name VTUN1.LOCAL description "filter traffic from VTUN1 to LOCAL zone"
set firewall name VTUN1.LOCAL enable-default-log
set firewall name VTUN1.LOCAL rule 80 description "Allow All"
set firewall name VTUN1.LOCAL rule 80 action accept
set firewall name VTUN1.LOCAL rule 80 log enable
set firewall name VTUN1.LOCAL rule 100 description "Allow established/related"
set firewall name VTUN1.LOCAL rule 100 action accept
set firewall name VTUN1.LOCAL rule 100 state established enable
set firewall name VTUN1.LOCAL rule 100 state related enable
set firewall name VTUN1.LOCAL rule 100 log enable
set firewall name VTUN1.LOCAL rule 200 description "Drop invalid"
set firewall name VTUN1.LOCAL rule 200 action drop
set firewall name VTUN1.LOCAL rule 200 state invalid enable
set firewall name VTUN1.LOCAL rule 200 log enable
set firewall name VTUN1.LOCAL rule 300 action accept
set firewall name VTUN1.LOCAL rule 300 destination group port-group LOCAL-TCP
set firewall name VTUN1.LOCAL rule 300 protocol tcp
set firewall name VTUN1.LOCAL rule 300 state new enable
set firewall name VTUN1.LOCAL rule 300 log enable
set firewall name VTUN1.LOCAL rule 301 action accept
set firewall name VTUN1.LOCAL rule 301 destination group port-group LOCAL-UDP
set firewall name VTUN1.LOCAL rule 301 protocol udp
set firewall name VTUN1.LOCAL rule 301 state new enable
set firewall name VTUN1.LOCAL rule 301 log enable
set zone-policy zone LOCAL from VTUN1 firewall name VTUN1.LOCAL

echo ==VTUN1 to B_IT_VPN==
set firewall name VTUN1.B_IT_VPN description "filter traffic from VTUN1 to B_IT_VPN zone"
set firewall name VTUN1.B_IT_VPN enable-default-log
set firewall name VTUN1.B_IT_VPN rule 80 description "Allow All"
set firewall name VTUN1.B_IT_VPN rule 80 action accept
set firewall name VTUN1.B_IT_VPN rule 80 log enable
set firewall name VTUN1.B_IT_VPN rule 100 description "Allow established/related"
set firewall name VTUN1.B_IT_VPN rule 100 action accept
set firewall name VTUN1.B_IT_VPN rule 100 state established enable
set firewall name VTUN1.B_IT_VPN rule 100 state related enable
set firewall name VTUN1.B_IT_VPN rule 100 log enable
set firewall name VTUN1.B_IT_VPN rule 200 description "Drop invalid"
set firewall name VTUN1.B_IT_VPN rule 200 action drop
set firewall name VTUN1.B_IT_VPN rule 200 state invalid enable
set firewall name VTUN1.B_IT_VPN rule 200 log enable
set zone-policy zone B_IT_VPN from VTUN1 firewall name VTUN1.B_IT_VPN

echo ==VTUN1 to B_MGMT_LAN==
set firewall name VTUN1.B_MGMT_LAN description "filter traffic from VTUN1 to B_MGMT_LAN zone"
set firewall name VTUN1.B_MGMT_LAN enable-default-log
set firewall name VTUN1.B_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN1.B_MGMT_LAN rule 80 action accept
set firewall name VTUN1.B_MGMT_LAN rule 80 log enable
set firewall name VTUN1.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name VTUN1.B_MGMT_LAN rule 100 action accept
set firewall name VTUN1.B_MGMT_LAN rule 100 state established enable
set firewall name VTUN1.B_MGMT_LAN rule 100 state related enable
set firewall name VTUN1.B_MGMT_LAN rule 100 log enable
set firewall name VTUN1.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name VTUN1.B_MGMT_LAN rule 200 action drop
set firewall name VTUN1.B_MGMT_LAN rule 200 state invalid enable
set firewall name VTUN1.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from VTUN1 firewall name VTUN1.B_MGMT_LAN

Generate Client Certificates

Note: the commands below are run as your user in operational mode, from the /usr/lib/ssl/misc/ directory (after sudo su).

Generate Certificates
sudo su
cd /usr/lib/ssl/misc 
./CA.pl -newreq 
Fill out the fields as before, using a unique Common Name for each client (this example uses "VPNCLIENT01", "VPNCLIENT02", ... as the Common Names; use the format CompanyName.FirstnameLastname.CompanyTelephone for the Common Name if you want each certificate clearly attributed to a specific user). Don't add an E-Mail address or an optional company name, and use the "1234" temp password.

Sign Certificate

./CA.pl -sign
Move and Rename Client Certificates
mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
Create new .key with No Password
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key 
###Enter password
Move VPNCLIENT01-rmpass.key to VPNCLIENT01.key
mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key

Repeat this process for each client using a unique Common Name for each, don't add a challenge password.

Add static IPs for each VPN client

Record the client hostname (its Common Name) and the assigned IP.

exit
configure
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.99.99.X
commit
save

Backup the SSL and Config Directories to Your Computer

sudo su
cd /tmp
tar -czf OpenVPN-CA_dir-Config_dir-Date.tar.gz /config /usr/lib/ssl

Then use either WinSCP on Windows or SFTP in a Linux file manager to log in and copy the file from the /tmp folder to your computer. Keep it in a safe place (it contains the CA private key and every client key), and extract it because we'll need it to create the .ovpn config files.

VPN Client Config and Certificates in Single File

http://blog.iopsl.com/openvpn-configuration-in-a-single-file/

The benefit of a single configuration file is that it can be used on mobile devices where OpenVPN Connect is the official client (or imported in OSX tunnelier or a Linux network manager UI).

Insert the contents of each file into the matching block below, namely ca.crt, client.crt, client.key and ta.key.

Base .ovpn config file without keys

client
float
resolv-retry infinite
nobind
mute-replay-warnings
verb 5
persist-key
persist-tun
explicit-exit-notify 1
dev tun
proto udp
cipher AES-256-GCM
auth SHA512
key-direction 1
#cert VPNCLIENT01.pem
#key VPNCLIENT01.key
#ca cacert.pem
#tls-auth ta.key 1
remote vpn.server.domain.name.com 5187
##the 3 options below made a connection on a Win7 client go from 200KB/s to 1000KB/s, though a Win10 client didn't need it
#mssfix 1200
#sndbuf 2000000
#rcvbuf 2000000

And the key files. You should be able to tell which is which from the file names you saved and their commented-out references in the config above.

<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
<tls-auth>
…
</tls-auth>
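A script that does the cut-and-paste above, added here as an example and not part of the original page: it writes the base config followed by the four inline blocks, keeps only the PEM part of each file (CA.pl writes a human-readable text dump in front of the PEM in cacert.pem and the client .pem, which OpenVPN ignores but which bloats the profile), refuses a base config that still has an uncommented ca/cert/key/tls-auth path directive (that would conflict with the inline blocks), and creates the profile mode 0600 because it embeds the private key. The function names and the placeholder PEM bodies in demo are constructed for this example; on the router you would point it at cacert.pem, VPNCLIENT01.pem, VPNCLIENT01.key and ta.key from the backup tarball.

```shell
#!/bin/sh
# Added example, not from the original page: assemble a single-file .ovpn
# profile from the base config and the four key/cert files.
set -eu

# pem_only FILE: just the -----BEGIN ... -----END block(s); drops the text
# dump CA.pl puts in front of the PEM
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p' "$1"
}

# inline_block TAG: wrap stdin in <TAG> ... </TAG>
inline_block() {
    printf '<%s>\n' "$1"
    cat
    printf '</%s>\n' "$1"
}

# build_ovpn BASE CA CERT KEY TA: profile text on stdout
build_ovpn() {
    base="$1"; ca="$2"; cert="$3"; key="$4"; ta="$5"
    for f in "$base" "$ca" "$cert" "$key" "$ta"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # an uncommented path directive would conflict with the inline block
    if grep -Eq '^(ca|cert|key|tls-auth)[[:space:]]' "$base"; then
        echo "base config still points at key files by path" >&2
        return 1
    fi
    # key-direction 1 here pairs with "tls-auth ta.key 0" on the server
    grep -q '^key-direction 1' "$base" || echo "warning: no key-direction 1 in $base" >&2
    for f in "$ca" "$cert" "$key" "$ta"; do
        pem_only "$f" | grep -q '^-----BEGIN' || { echo "no PEM block in $f" >&2; return 1; }
    done
    cat "$base"
    pem_only "$ca"   | inline_block ca
    pem_only "$cert" | inline_block cert
    pem_only "$key"  | inline_block key
    pem_only "$ta"   | inline_block tls-auth
}

# write_profile OUT BASE CA CERT KEY TA: same, written 0600 (it holds a key);
# subshell body so the umask change stays local
write_profile() (
    out="$1"; shift
    umask 077
    build_ovpn "$@" > "$out"
)

# demo: constructed base config and placeholder PEM bodies (not real keys);
# prints the work directory as its last line
demo() {
    work=$(mktemp -d)
    cat > "$work/base.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.server.domain.name.com 5187
cipher AES-256-GCM
auth SHA512
key-direction 1
#ca cacert.pem
#cert VPNCLIENT01.pem
#key VPNCLIENT01.key
#tls-auth ta.key 1
EOF
    printf '%s\n' 'Certificate:' '    (text dump written by CA.pl)' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0EgQ0VSVA==' \
        '-----END CERTIFICATE-----' > "$work/cacert.pem"
    printf '%s\n' 'Certificate:' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=' '-----END CERTIFICATE-----' > "$work/VPNCLIENT01.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgS0VZ' \
        '-----END PRIVATE KEY-----' > "$work/VPNCLIENT01.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' \
        '00112233445566778899aabbccddeeff' '-----END OpenVPN Static key V1-----' > "$work/ta.key"
    write_profile "$work/VPNCLIENT01.ovpn" "$work/base.conf" "$work/cacert.pem" \
        "$work/VPNCLIENT01.pem" "$work/VPNCLIENT01.key" "$work/ta.key"
    echo "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh build_ovpn.sh demo` to see the constructed profile, or source it and call `write_profile VPNCLIENT01.ovpn base.conf cacert.pem VPNCLIENT01.pem VPNCLIENT01.key ta.key` against the real files from the tarball. The rejected-base-config check is the one worth keeping: a profile with both `ca cacert.pem` and an inline `<ca>` block fails in confusing ways on the client.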

Cheat for Multiple Client Certificates

./CA.pl -newreq
VPNCLIENT01
./CA.pl -sign

mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key

mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key 
---------------------

./CA.pl -newreq
VPNCLIENT02
./CA.pl -sign

mv newcert.pem /config/auth/VPNCLIENT02.pem
mv newkey.pem /config/auth/VPNCLIENT02.key
openssl rsa -in /config/auth/VPNCLIENT02.key -out /config/auth/VPNCLIENT02-rmpass.key

mv /config/auth/VPNCLIENT02-rmpass.key /config/auth/VPNCLIENT02.key 
---------------------

./CA.pl -newreq
VPNCLIENT03
./CA.pl -sign

mv newcert.pem /config/auth/VPNCLIENT03.pem
mv newkey.pem /config/auth/VPNCLIENT03.key
openssl rsa -in /config/auth/VPNCLIENT03.key -out /config/auth/VPNCLIENT03-rmpass.key

mv /config/auth/VPNCLIENT03-rmpass.key /config/auth/VPNCLIENT03.key 
---------------------

./CA.pl -newreq
VPNCLIENT04
./CA.pl -sign

mv newcert.pem /config/auth/VPNCLIENT04.pem
mv newkey.pem /config/auth/VPNCLIENT04.key
openssl rsa -in /config/auth/VPNCLIENT04.key -out /config/auth/VPNCLIENT04-rmpass.key

mv /config/auth/VPNCLIENT04-rmpass.key /config/auth/VPNCLIENT04.key 
---------------------

./CA.pl -newreq
VPNCLIENT05
./CA.pl -sign

mv newcert.pem /config/auth/VPNCLIENT05.pem
mv newkey.pem /config/auth/VPNCLIENT05.key
openssl rsa -in /config/auth/VPNCLIENT05.key -out /config/auth/VPNCLIENT05-rmpass.key

mv /config/auth/VPNCLIENT05-rmpass.key /config/auth/VPNCLIENT05.key


set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.100.199.11
set interfaces openvpn vtun0 server client VPNCLIENT02 ip 10.100.199.12
set interfaces openvpn vtun0 server client VPNCLIENT03 ip 10.100.199.13
set interfaces openvpn vtun0 server client VPNCLIENT04 ip 10.100.199.14
set interfaces openvpn vtun0 server client VPNCLIENT05 ip 10.100.199.15
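A scripted version of the per-client certificate steps and of the cheat sheet above, added here as an example and not part of the original page or of EdgeOS: each client gets its own Common Name, its key is created without a passphrase up front (so the separate openssl rsa strip step is unnecessary), the certificate is marked for TLS client use and checked against the CA before it is handed out, and the matching `set interfaces openvpn vtun0 server client ... ip ...` line is printed for the static-IP step. It signs with `openssl x509 -req` instead of `CA.pl -sign`, assumes the CA.pl layout demoCA/cacert.pem and demoCA/private/cakey.pem relative to /usr/lib/ssl/misc, and writes to /config/auth unless OUT_DIR is overridden; demo_ca builds a throwaway CA only so the script can be tried off the router, and the two demo client names and IPs are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: batch client certificates for
# the OpenVPN server. Assumes the CA built earlier with CA.pl -newca
# (demoCA/cacert.pem, demoCA/private/cakey.pem) and signs with
# "openssl x509 -req" rather than CA.pl -sign.
set -eu

CA_CERT="${CA_CERT:-demoCA/cacert.pem}"           # CA.pl default locations
CA_KEY="${CA_KEY:-demoCA/private/cakey.pem}"
OUT_DIR="${OUT_DIR:-/config/auth}"                # where the router keeps certs
DAYS="${DAYS:-365}"                               # assumed validity period

# make_client NAME: key without passphrase, CSR with CN=NAME, cert signed by
# the CA and marked for TLS client use, then a chain check. Subshell body so
# the umask change stays local.
make_client() (
    name="$1"
    key="$OUT_DIR/$name.key"; cert="$OUT_DIR/$name.pem"
    csr="$OUT_DIR/$name.csr"; ext="$OUT_DIR/$name.ext"
    umask 077                                     # private key is created 0600
    # -nodes: no passphrase, so the later "openssl rsa" strip step is not needed
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$name" -keyout "$key" -out "$csr" 2>/dev/null
    # clientAuth EKU is what the server's optional "remote-cert-tls client"
    # check looks for, so a client cert cannot be reused as a server cert
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$ext"
    openssl x509 -req -in "$csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -days "$DAYS" -sha256 -extfile "$ext" -out "$cert" 2>/dev/null
    rm -f "$csr" "$ext"
    # never hand out a cert that does not chain to our own CA
    openssl verify -CAfile "$CA_CERT" "$cert" >/dev/null
)

# client_cn CERT: Common Name inside a certificate, for the client record
client_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//; s/^CN=//'
}

# make_clients NAME:IP ...: build each client and print the EdgeOS command
# that pins its tunnel address (the "Add static IPs" step)
make_clients() {
    for spec in "$@"; do
        name="${spec%%:*}"; ip="${spec#*:}"
        make_client "$name"
        echo "set interfaces openvpn vtun0 server client $name ip $ip"
    done
}

# demo_ca DIR: throwaway CA so the script can be tried off the router;
# on the EdgeRouter use the CA.pl CA instead
demo_ca() {
    mkdir -p "$1/demoCA/private"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo OpenVPN CA (constructed)" \
        -keyout "$1/demoCA/private/cakey.pem" -out "$1/demoCA/cacert.pem" 2>/dev/null
}

# demo: two constructed clients in a temp dir; last output line is the dir
demo() {
    work=$(mktemp -d)
    demo_ca "$work"
    CA_CERT="$work/demoCA/cacert.pem"
    CA_KEY="$work/demoCA/private/cakey.pem"
    OUT_DIR="$work"
    make_clients VPNCLIENT01:10.100.199.11 VPNCLIENT02:10.100.199.12
    echo "$work"
}

case "${1:-}" in demo) demo ;; esac
```

On the router, run it from /usr/lib/ssl/misc as root after `. ./make_clients.sh` and call `make_clients VPNCLIENT01:10.100.199.11 VPNCLIENT02:10.100.199.12 ...`, then paste the printed `set interfaces` lines into configure mode and commit/save. `sh make_clients.sh demo` exercises the whole flow against the throwaway CA in a temp directory.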
