OpenVPN Road Warrior Server with Zone Based Firewall on Edgerouter, Behind Existing Router
https://help.ui.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server
https://unbranched.tech/setup-openvpn-on-the-edgerouter-4/
We are going to set up an OpenVPN server on an EdgeRouter that sits behind an existing routing device, so that outside clients can connect and reach the internal network(s). This document is based on the EdgeRouter X (ER-X) because it is cheap and has a faster CPU than the ERLite. Optionally it also runs two separate OpenVPN server instances (an OpenVPN instance is single-threaded, so a second instance lets the ER-X's second core carry half the clients), pushes DNS servers to clients so they can resolve internal hostnames, and uses OSPF to advertise the routes of the internal LAN(s).
Plan and Record Info
- Record the subnets that you'll be providing access to, e.g. 10.221.24.0/24, 10.221.25.0/24…
- Record the subnets that your VPN clients will be given, e.g. 10.222.24.0/24, 10.222.25.0/24…
- Record a static IP that will be assigned to the VPN server.
- Record the UDP port(s) you'll be using for the OpenVPN server
- Record the CA PEM pass phrase
- Record the temp client/server certificate pass phrase
- Record the public static IP or dynamic DNS name of the VPN server
- Optionally set up a DNS entry on your public DNS servers that points external clients at your WAN IP, e.g. WPN01.company.domain.com → Public WAN IP
Example Documentation:
Role: OpenVPN server for roadwarriors
ETH0: LOCAL_LANS, IP 10.1.10.5
User: vpn_server_admin
Pass: somethingGood&Long
CA PEM pass phrase: somethingGooder&Longer
Temp client/server certificate pass phrase: 1234
VPN Accessible Subnets: 10.1.10.0/24
VPN Client Subnets: 10.1.99.0/24
OpenVPN Ports: 5119 UDP
Public FQDN: openvpnhost.somedomain.com
Public IP (unknown if static): 100.100.100.100 (as of 03/03/2022)
Client certificate | VPN IP | Assigned to
VPNCLIENT01 | 10.1.99.11 | Used by Firstname Lastname starting 12/18/2021
VPNCLIENT02 | 10.1.99.12 |
VPNCLIENT03 | 10.1.99.13 |
VPNCLIENT04 | 10.1.99.14 |
VPNCLIENT05 | 10.1.99.15 |
Note: to run an OpenVPN server behind an existing router, that router needs two things: a static route for the OpenVPN client subnets with the EdgeRouter as next hop (otherwise return traffic for VPN clients never reaches the tunnel), and a port forward of the OpenVPN UDP port(s) from its WAN side to the EdgeRouter (otherwise outside clients cannot reach the server at all). In this example the existing router would use 10.4.1.247 (the IP of the ER-X) as the next hop for 10.99.98.0/24 and 10.99.99.0/24, and forward the UDP ports chosen below to 10.4.1.247.
Be sure to commit → save after each section (until you get the firewall setup).
Initial Setup
- Get the default gateway of the LAN you want access to when dialing in, get the subnet and find an available static IP.
- Go to ubnt.com and download the latest firmware for the ER-X.
- Configure your network card with an IP address of 192.168.1.2 and a subnet of 255.255.255.0
- Connect an Ethernet cable from your computer to ETH0 of the ER-X.
- Open a web browser and go to 192.168.1.1, the default username/password is ubnt/ubnt.
- Go to “System” then click on “Upgrade System Image” → “Upload a file” and browse to the firmware you just downloaded.
- After the reboot, update the bootloader by logging into the CLI and running
add system boot-image
then reboot manually.
- Via the web GUI go to “System” and reset the device to default.
Create User and Configure Interfaces
(remember: configure → commit → save)
Configure user account (EdgeOS hashes the password on commit and stores it as encrypted-password in the saved config; for SSH access a public key under the user's authentication public-keys is preferable to a password)
set system login user vpnadmin authentication plaintext-password SuperSecretPW
Delete Default ubnt Account
Log out of the default account, log in again with the new account, then delete the default account.
delete system login user ubnt
Set Time and Date
(note: this is done from the base login shell, not inside configure; a wrong clock produces certificates that are not yet valid on clients with correct clocks)
sudo su
date mmddhhmmyyyy   ### Linux date format, e.g. 030312002022 for 03/03/2022 12:00
exit
Add Default Route
(10.4.1.1 is the existing router on the eth0 LAN; the ER-X needs this route to reach DNS, NTP and the public addresses of VPN clients)
set protocols static route 0.0.0.0/0 next-hop 10.4.1.1
Configure Base System Settings
set system host-name wpnsec01
set system domain-name yourdomain.com
set system time-zone US/Pacific
set system name-server 208.67.220.220
set system name-server 8.8.4.4
set system ntp server pool.ntp.org
set system login banner pre-login "\n\n\n\tUNAUTHORIZED USE OF THIS SYSTEM\n\tIS STRICTLY PROHIBITED\n\n\tPlease contact support@domain.com to gain\n\taccess to this equipment if you need authorization.\n\n\n"
(the e-mail address is left unquoted inside the banner; a nested double quote would end the string early and the command would fail)
Disable Logging
On an ERX with 2.0.9 the default logging causes it to lock up. Raising every facility to level emerg silences almost all local logging, including the "log enable" lines in the firewall rules further down, so after doing this add a remote syslog host (system syslog host) so the firewall logs still land somewhere.
set system syslog global facility all level emerg
set system syslog global facility protocols level emerg
Disable Misc Ubiquiti Services
set service ubnt-discover-server disable
set service ubnt-discover disable
set service unms disable
set system analytics-handler send-analytics-report false
Configure physical interfaces
(note: 172.8.8.0/24 is public address space; RFC 1918 private space for this block is 172.16.0.0/12, so pick a private range for a real management LAN)
set interfaces ethernet eth0 description "VPN_LANS"
set interfaces ethernet eth0 address 10.4.1.247/24
delete interfaces ethernet eth0 address 192.168.1.1/24
delete interfaces ethernet eth1 address dhcp
set interfaces ethernet eth1 description "MANAGEMENT_LAN"
set interfaces ethernet eth1 address 172.8.8.11/24
set interfaces ethernet eth2 disable
set interfaces ethernet eth3 disable
set interfaces ethernet eth4 disable
Now disconnect from ETH0 and plug into ETH1 (remember to set your static IP)
Setup Certificate Authority
Login to the CLI as a user and stay in operational mode.
ssh user@Router1
Enable root level access
sudo su
Change directory location
cd /usr/lib/ssl/misc/
- Edit /usr/lib/ssl/openssl.cnf: change default_bits from 2048 to 4096 and default_days from 365 to 1825; set the defaults under [ req_distinguished_name ] for countryName_default, stateOrProvinceName_default and 0.organizationName_default; and change default_crl_days from 30 to 1825 (OpenVPN rejects every client, not just revoked ones, once the CRL it is given has expired).
- Edit /usr/lib/ssl/misc/CA.pl: change CADAYS from 1095 to 3650 and DAYS from 365 to 1825.
(note: these files are part of the firmware image, so you must redo these edits after each firmware update, before you issue any new certificates)
Generate Certificate Authority (check to make sure your date is correct 1st!)
./CA.pl -newca
CA certificate filename (or enter to create)   ### press Enter
Enter PEM pass phrase:                         ### create the CA key pass phrase
Verifying - Enter PEM pass phrase:             ### repeat it
Record this pass phrase for later use when additional VPN users are added, label it “CA Key PEM passphrase”.
Fill in information as needed following prompts
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:                                  ### leave blank
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:                    ### leave blank
Common Name (DEVICE CA NAME, not public FQDN) []:WPN01-CA     ### don't use a domain name here, use a device name
Email Address []:                                             ### leave blank
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:                                      ### leave blank
An optional company name []:                                  ### leave blank
This creates /usr/lib/ssl/misc/demoCA with the CA certificate, its private key and the CA database. (If you made a mistake or need to change something, delete the contents of /usr/lib/ssl/misc/demoCA and run ./CA.pl -newca again.)
Create Server Certificate and Key
This is the key that stays on the EdgeRouter.
Note: continuing from above, you are still root (via sudo su) in the /usr/lib/ssl/misc/ directory.
Fill in the prompts as before. The "Common Name" must be unique across everything this CA signs; for the server use the public FQDN if you have one (e.g. openvpn_obscured.domain.com), because that is the name clients can pin. For the PEM pass phrase use a simple temporary password (e.g. 1234) and record it; it is stripped from the key later.
Generate Certificate Request and Key
./CA.pl -newreq     ### creates newreq.pem (the request) and newkey.pem (the pass-phrase-protected key) in /usr/lib/ssl/misc/
Sign Certificate
The pass phrase it asks for is the CA key PEM pass phrase.
./CA.pl -sign       ### creates newcert.pem, signed by demoCA, in /usr/lib/ssl/misc/
Move and rename the files into /config/auth/ so they survive firmware upgrades and have clear names. Note: you are still root in the /usr/lib/ssl/misc/ directory.
Copy cacert.pem and the CA key
mkdir /config/auth/
cp demoCA/cacert.pem demoCA/private/cakey.pem /config/auth/
The copy of cakey.pem in /config/auth is a backup; it is the credential that issues every future client certificate, so keep it readable by root only (or keep it off the router altogether). Since the edits under /usr/lib/ssl do not survive a firmware update, neither will the demoCA directory next to them: back up the rest of demoCA (index.txt, serial, crlnumber and newcerts/) to /config/auth as well, because without that database you can neither sign new certificates nor revoke old ones with this CA.
Move and Rename newcert.pem
mv newcert.pem /config/auth/server.pem
Move and Rename newkey.pem
mv newkey.pem /config/auth/server.key ### Note: the newkey.pem file extension changes to .key.
To confirm these files have transferred to the proper location with the proper name and extension you may type “ls /config/auth/“ to view files.
Create Diffie-Helman Parameter File
Note: remain root (sudo su) in the /usr/lib/ssl/misc/ directory.
openssl dhparam -out /config/auth/dhp.pem -2 2048
### This takes some time on the ER-X and writes dhp.pem to /config/auth/
4096 bits or more is preferable, but that takes a very long time on an ER-X. If you have a Linux computer, generate the file there instead (about 5 minutes on an i7-8550U):
openssl dhparam -out ~/dhp.pem -2 4096
Then copy the contents of that file into /config/auth/dhp.pem (scp to the router works as well). With the ECDHE-only tls-cipher configured below the handshake never uses these DH parameters; EdgeOS still requires a dh-file to be set.
Generate Additional TLS Auth key
(the OpenVPN server will not respond to packets unless they carry a valid HMAC from this pre-shared key, which keeps port scanners and unauthenticated TLS handshakes away from the daemon)
openvpn --genkey --secret /config/auth/ta.key
chmod 644 /config/auth/ta.key
This key goes into every client profile with key-direction 1 (the server uses direction 0 below). It is a shared secret: mode 644 makes it readable by every local account on the router, and since OpenVPN reads it as root before dropping to nobody (and --persist-key keeps it across restarts), mode 600 also works and is the safer choice.
Add certificate revocation list (CRL)
(tested; see the revoke example below)
echo 01 > /usr/lib/ssl/misc/demoCA/crlnumber
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
The CRL carries its own expiry (default_crl_days, set to 1825 above). OpenVPN treats an expired CRL as a verification failure for every connection, not just revoked ones, so regenerate it well before then.
To revoke a certificate you need the PEM of the certificate you want to revoke, so keep a copy handy (this document keeps them in /config/auth). openssl ca also stores its own copy of every certificate it signs in demoCA/newcerts/<serial>.pem, and demoCA/index.txt maps each Common Name to its serial, so a lost client copy is not a problem.
cd /usr/lib/ssl/misc
openssl ca -revoke /config/auth/<filename>.pem
openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem
cp demoCA/cacrl.pem /config/auth/cacrl.pem
OpenVPN re-reads the crl-verify file when it changes, so no restart is needed. Then remove the revoked certificate's .pem and .key files from /config/auth so you don't use them again by accident (they will no longer authenticate). You can leave the client's entry in the OpenVPN server setup for reuse if it was a generic name; otherwise delete that as well.
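The revocation flow above depends on knowing which serial belongs to which Common Name and on noticing when a certificate or the CRL is about to expire. The following Python script is an added example, not part of the original page or of CA.pl: it parses the demoCA/index.txt database that openssl ca maintains, reports active, revoked and soon-to-expire certificates, locates the CA's own copy of a certificate under demoCA/newcerts/, and emits the page's revoke-and-regenerate command sequence for a given Common Name. The index contents are constructed sample data, and the /usr/lib/ssl/misc/demoCA path follows the layout used above.

```python
"""Inventory of the OpenSSL CA database that CA.pl keeps in demoCA/index.txt.

Each line is tab separated: status (V valid, R revoked, E expired), expiry time,
revocation time[,reason] (empty unless revoked), serial (hex), file name ('unknown'), subject DN.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample of an index.txt, not taken from a real CA.
SAMPLE_INDEX = (
    "V\t270301120000Z\t\t01\tunknown\t/C=US/ST=California/O=Company Name/CN=openvpnhost.somedomain.com\n"
    "V\t270301120500Z\t\t02\tunknown\t/C=US/ST=California/O=Company Name/CN=VPNCLIENT01\n"
    "R\t270301121000Z\t220303180000Z,keyCompromise\t03\tunknown\t/C=US/ST=California/O=Company Name/CN=VPNCLIENT02\n"
    "V\t220401000000Z\t\t04\tunknown\t/C=US/ST=California/O=Company Name/CN=VPNCLIENT03\n"
)


@dataclass
class CaEntry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: str      # hex serial; the CA's copy of the cert is newcerts/<serial>.pem
    subject: str

    @property
    def cn(self) -> str:
        return next((p[3:] for p in self.subject.split("/") if p.startswith("CN=")), "")


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_time(stamp: str) -> datetime:
    # openssl writes UTCTime (YYMMDD...) for dates up to 2049 and GeneralizedTime (YYYYMMDD...) after
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[CaEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expires, revocation, serial, _fname, subject = line.split("\t")
        revoked = reason = None
        if revocation:
            stamp, _, reason = revocation.partition(",")
            revoked, reason = parse_time(stamp), (reason or None)
        entries.append(CaEntry(status, parse_time(expires), revoked, reason, serial, subject))
    return entries


def active(entries: List[CaEntry], now: datetime) -> List[CaEntry]:
    """Certificates OpenVPN would still accept: marked valid, not revoked, not past expiry."""
    return [e for e in entries if e.status == "V" and e.revoked is None and e.expires > now]


def expiring_within(entries: List[CaEntry], days: int, now: datetime) -> List[CaEntry]:
    deadline = now + timedelta(days=days)
    return [e for e in active(entries, now) if e.expires <= deadline]


def issued_cert_path(entries: List[CaEntry], cn: str, ca_dir: str = "/usr/lib/ssl/misc/demoCA") -> str:
    """The CA's own copy of the newest certificate issued to `cn` (what openssl ca -revoke needs)."""
    matches = [e for e in entries if e.cn == cn]
    if not matches:
        raise KeyError(f"no certificate issued for CN={cn}")
    return f"{ca_dir}/newcerts/{matches[-1].serial}.pem"


def revoke_commands(entries: List[CaEntry], cn: str) -> List[str]:
    """The page's revoke + regenerate-CRL sequence, run from /usr/lib/ssl/misc, using the CA's copy."""
    cert = issued_cert_path(entries, cn, ca_dir="demoCA")
    return [
        f"openssl ca -revoke {cert}",
        "openssl ca -gencrl -keyfile demoCA/private/cakey.pem -cert demoCA/cacert.pem -out demoCA/cacrl.pem",
        "cp demoCA/cacrl.pem /config/auth/cacrl.pem",
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    entries = parse_index(SAMPLE_INDEX)
    for e in entries:
        state = "revoked" if e.revoked else ("expired" if e.expires <= now else "valid")
        print(f"{e.serial:>4}  {state:8}  expires {e.expires:%Y-%m-%d}  {e.cn}")
    print("\n".join(revoke_commands(entries, "VPNCLIENT03")))
```

Run it with the real file (cat /usr/lib/ssl/misc/demoCA/index.txt) after each revocation to confirm the entry flipped to R, and feed expiring_within into whatever reminder you use so that client renewals and the CRL refresh happen before OpenVPN starts refusing connections.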
Remove Passwords from Key Files
The daemon starts unattended at boot, so the server key cannot have a pass phrase; because it is then unprotected, keep it readable by root only.
sudo su
### Create a new .key with no password; the prompt wants the temp password you used when generating the key (1234 here)
openssl rsa -in /config/auth/server.key -out /config/auth/server-rmpass.key
### Move server-rmpass.key over server.key, overwriting the original
mv /config/auth/server-rmpass.key /config/auth/server.key
Configure OpenVPN interfaces
Network variables:
- OpenVPN subnet for vtun0 clients is: 10.99.98.0/24
- OpenVPN subnet for vtun1 clients is: 10.99.99.0/24
- Internal subnet that OpenVPN clients will gain access to is: 10.4.1.0/24
- Internal DNS servers that will be pushed to OpenVPN clients are: 10.4.1.1, 8.8.8.8
- Omit the [set interfaces openvpn vtun0 openvpn-option “–push dhcp-option DNS ip.add.re.ss”] lines if you don't want internal DNS servers pushed to your clients. This can cause issues for some people so unless you really need to resolve via hostname internal resources (and have put the effort into properly managing internal DNS) then omit the option.
- Omit the [set interfaces openvpn vtun0 ip ospf network point-to-point] lines if you don't use OSPF or plan to.
- Omit all lines containing [vtun1] if you only need 1 OpenVPN server instance and don't care to manage 2.
- Note: change the default OpenVPN port and pick a different one for each instance you create (e.g. 5173 and 5174). The same ports must appear in the IT-OVPN-SVR-UDP firewall port group below, or the B_IT_VPN to LOCAL policy drops the handshakes.
set interfaces openvpn vtun0 description "OpenVPN Server for Company Users and IT VTUN0"
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 hash sha512
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 openvpn-option "--ncp-ciphers AES-256-GCM"
set interfaces openvpn vtun0 openvpn-option "--auth SHA512"
set interfaces openvpn vtun0 openvpn-option "--tls-server"
set interfaces openvpn vtun0 openvpn-option "--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
set interfaces openvpn vtun0 openvpn-option "--tls-version-min 1.2"
set interfaces openvpn vtun0 server subnet 10.99.98.0/24
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 10.4.1.1"
set interfaces openvpn vtun0 openvpn-option "--push dhcp-option DNS 8.8.8.8"
set interfaces openvpn vtun0 server push-route 10.4.1.0/24
set interfaces openvpn vtun0 ip ospf network point-to-point
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun0 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun1 description "OpenVPN Server for Company Users and IT VTUN1"
set interfaces openvpn vtun1 local-port 5174
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 hash sha512
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 openvpn-option "--ncp-ciphers AES-256-GCM"
set interfaces openvpn vtun1 openvpn-option "--auth SHA512"
set interfaces openvpn vtun1 openvpn-option "--tls-server"
set interfaces openvpn vtun1 openvpn-option "--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
set interfaces openvpn vtun1 openvpn-option "--tls-version-min 1.2"
set interfaces openvpn vtun1 server subnet 10.99.99.0/24
set interfaces openvpn vtun1 openvpn-option "--push dhcp-option DNS 10.4.1.1"
set interfaces openvpn vtun1 openvpn-option "--push dhcp-option DNS 8.8.8.8"
set interfaces openvpn vtun1 server push-route 10.4.1.0/24
set interfaces openvpn vtun1 ip ospf network point-to-point
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun1 tls key-file /config/auth/server.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dhp.pem
set interfaces openvpn vtun1 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun1 openvpn-option "--crl-verify /config/auth/cacrl.pem"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
(the two instances must use different client subnets, 10.99.98.0/24 and 10.99.99.0/24 per the network variables above, and the pushed DNS servers are the ones listed there)
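Every client profile has to agree with these server options (listening port, data cipher, auth digest, TLS version and cipher, and the opposite tls-auth key direction); a hand-copied mismatch shows up either as a failed handshake or, worse, as a silently weaker negotiated setting. The script below is an added example, not part of the page or of EdgeOS: it derives the client lines from the `set interfaces openvpn` commands and assembles a unified .ovpn with the certificates and ta.key inline, stripping the human-readable dump that CA.pl prepends to newcert.pem and the comment lines in ta.key. The server config excerpt and the PEM bodies are constructed placeholders, and the hostname is the page's example FQDN.

```python
"""Derive a road-warrior .ovpn from the vtun0/vtun1 `set` lines, so the client mirrors the
server's port, cipher, auth, TLS and tls-auth settings instead of having them hand-copied."""
import re
from typing import Dict, List, Tuple

PORT_RE = re.compile(r"^set interfaces openvpn (\S+) local-port (\d+)$")
OPT_RE = re.compile(r'^set interfaces openvpn (\S+) openvpn-option "?--([\w-]+)(?: ([^"]*?))?"?$')
# Any armoured block, including OpenVPN's "OpenVPN Static key V1" label used by ta.key.
PEM_RE = re.compile(r"-----BEGIN ([A-Za-z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

# Constructed subset of the server config: the lines the client has to agree with.
SERVER_CONFIG = """
set interfaces openvpn vtun0 local-port 5173
set interfaces openvpn vtun0 openvpn-option "--ncp-ciphers AES-256-GCM"
set interfaces openvpn vtun0 openvpn-option "--auth SHA512"
set interfaces openvpn vtun0 openvpn-option "--tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"
set interfaces openvpn vtun0 openvpn-option "--tls-version-min 1.2"
set interfaces openvpn vtun0 openvpn-option "--tls-auth /config/auth/ta.key 0"
set interfaces openvpn vtun1 local-port 5174
"""
# Constructed placeholders for cacert.pem, a client's newcert.pem (with CA.pl's text dump in front),
# its pass-phrase-free key and ta.key; the bodies are not real key material.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0FQTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = ("Certificate:\n    Data:\n        Subject: C=US, ST=California, CN=VPNCLIENT01\n"
               "-----BEGIN CERTIFICATE-----\nQ0xJRU5UUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_TA = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
             "00112233445566778899aabbccddeeff\n-----END OpenVPN Static key V1-----\n")


def server_settings(config: str) -> Tuple[List[int], Dict[str, str]]:
    """Listening port of every instance, plus the openvpn-options of the first instance that sets each."""
    ports: List[int] = []
    options: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports.append(int(m.group(2)))
            continue
        m = OPT_RE.match(line)
        if m:
            options.setdefault(m.group(2), (m.group(3) or "").strip())
    return ports, options


def client_options(options: Dict[str, str]) -> List[str]:
    """Client-side lines that must agree with the server's options."""
    direction = int(options["tls-auth"].split()[1])   # server uses direction 0, so the client uses 1
    return [
        f"cipher {options['ncp-ciphers'].split(':')[0]}",
        f"auth {options['auth']}",
        f"tls-version-min {options['tls-version-min']}",
        f"tls-cipher {options['tls-cipher']}",
        f"key-direction {1 - direction}",
    ]


def pem_block(text: str, *labels: str) -> str:
    """First armoured block whose label is in `labels`; anything outside the block is dropped."""
    for m in PEM_RE.finditer(text):
        if m.group(1) in labels:
            return m.group(0)
    raise ValueError(f"no {'/'.join(labels)} block found")


def build_profile(host: str, server_cn: str, config: str,
                  ca_pem: str, cert_pem: str, key_pem: str, ta_key: str) -> str:
    ports, options = server_settings(config)
    lines = ["client", "dev tun", "proto udp", "nobind", "persist-key", "persist-tun", "resolv-retry infinite"]
    lines += [f"remote {host} {port} udp" for port in ports]
    if len(ports) > 1:
        lines.append("remote-random")                    # spread clients across both instances
    lines.append(f"verify-x509-name {server_cn} name")    # pin the server certificate's Common Name
    lines += client_options(options)
    lines.append("verb 3")
    for tag, body in (("ca", pem_block(ca_pem, "CERTIFICATE")),
                      ("cert", pem_block(cert_pem, "CERTIFICATE")),
                      ("key", pem_block(key_pem, "RSA PRIVATE KEY", "PRIVATE KEY")),
                      ("tls-auth", pem_block(ta_key, "OpenVPN Static key V1"))):
        lines += [f"<{tag}>", body, f"</{tag}>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_profile("openvpnhost.somedomain.com", "openvpnhost.somedomain.com", SERVER_CONFIG,
                        SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY, SAMPLE_TA))
```

verify-x509-name pins the server's Common Name, which is why the page uses the public FQDN as the server CN. remote-cert-tls server would be the stronger check, but it requires the server certificate to carry an extendedKeyUsage of serverAuth, and the stock openssl.cnf [ usr_cert ] section that CA.pl signs with adds no such extension; without it every client certificate is, as far as OpenVPN can tell, also a valid server certificate. The finished profile contains the client's private key, so handle the .ovpn file as a credential.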
Setup OSPF for VPN_LANS
Do this only if you plan on using OSPF elsewhere in your network or already do, if you already do, modify accordingly.
set protocols ospf parameters router-id 10.4.1.247
set protocols ospf area 0.0.0.0 network 10.4.1.0/24
set protocols ospf redistribute connected
set interfaces ethernet eth0 ip ospf cost 10
set interfaces ethernet eth0 ip ospf dead-interval 40
set interfaces ethernet eth0 ip ospf hello-interval 10
set interfaces ethernet eth0 ip ospf priority 1
set interfaces ethernet eth0 ip ospf retransmit-interval 5
set interfaces ethernet eth0 ip ospf transmit-delay 1
Add MD5 authentication to OSPF (without it any host on eth0 can form an adjacency and inject routes)
set protocols ospf area 0.0.0.0 authentication md5
set interfaces ethernet eth0 ip ospf authentication md5 key-id 1 md5-key SomeSuperSecretPasswordForOSPF
Create Zone Policies and Firewall Rules
Firewall Groups
Port groups are preferred because one group can be referenced from several rules and changed in one place. Add a group for OSPF if you need one. The IT-OVPN-SVR-UDP group must contain the local-port of every OpenVPN instance configured above (5173 and 5174), otherwise the B_IT_VPN to LOCAL policy drops the handshakes.
echo ==IT OVPN Server Port Group UDP==
set firewall group port-group IT-OVPN-SVR-UDP description "OVPN Server UDP Ports used by Clients"
set firewall group port-group IT-OVPN-SVR-UDP port 5173
set firewall group port-group IT-OVPN-SVR-UDP port 5174
echo ==LOCAL Edgerouter Client Port Group TCP==
set firewall group port-group LOCAL-TCP description "LOCAL Ports used by Clients TCP"
set firewall group port-group LOCAL-TCP port 53
echo ==LOCAL Edgerouter Client Port Group UDP==
set firewall group port-group LOCAL-UDP description "LOCAL Ports used by Clients UDP"
set firewall group port-group LOCAL-UDP port 53
set firewall group port-group LOCAL-UDP port 67
set firewall group port-group LOCAL-UDP port 123
set firewall group port-group LOCAL-UDP port 5353
echo ==Basic Web Access Port Group TCP==
set firewall group port-group BASIC-WEB-TCP description "Basic Web Access Port Group TCP"
set firewall group port-group BASIC-WEB-TCP port 853
set firewall group port-group BASIC-WEB-TCP port 443
set firewall group port-group BASIC-WEB-TCP port 80
echo ==Basic Web Access Port Group UDP==
set firewall group port-group BASIC-WEB-UDP description "Basic Web Access Port Group UDP"
set firewall group port-group BASIC-WEB-UDP port 53
set firewall group port-group BASIC-WEB-UDP port 123
echo ==Local Admin Access Port Group TCP==
set firewall group port-group ADMIN-ACCESS-TCP description "Local Admin Access Port Group TCP"
set firewall group port-group ADMIN-ACCESS-TCP port 22
set firewall group port-group ADMIN-ACCESS-TCP port 443
Firewall Zones
Here we set up zones for a router running two OpenVPN instances: B_IT_VPN (eth0) for the LAN the VPN server sits on, which may be the subnet clients need to reach or a separate subnet routed to it; B_MGMT_LAN (eth1) for a management LAN if you use one; one zone per vtun interface; and LOCAL for the router itself. Zone pairs that get no policy (for example VTUN0 to VTUN1) are dropped by the zone default-action, so clients on one instance cannot reach clients on the other.
If you don't have a dedicated management LAN, skip that zone and add the ADMIN-ACCESS-TCP port group (SSH and HTTPS) to the B_IT_VPN to LOCAL rule set.
Read this whole paragraph before typing anything: enter the firewall rule sets AND the zone-pair policies before you commit. As soon as a zone-policy is active, any traffic without a matching pair policy is dropped, including the SSH session you are typing in.
Commit and save your previous changes before continuing, so that a power cycle brings you back to this point if you lock yourself out. EdgeOS's commit-confirm, which rolls the change back automatically unless you run confirm within the timeout, is the safer way to apply the block below.
Don't commit again until every rule set and zone pair is entered, or at least the pair that carries your management session (B_MGMT_LAN to LOCAL); otherwise you lose access and have to power cycle the device and start again. Also note that rule 80 ("Allow All") in the VTUN0.LOCAL, VTUN1.LOCAL, B_MGMT_LAN.LOCAL and VTUN-to-LAN rule sets accepts everything before the later rules are evaluated, so rules 100 and up in those sets never match; delete rule 80 from the VTUNx.LOCAL sets if VPN clients should be limited to the LOCAL-TCP and LOCAL-UDP port groups.
Setup Zones
set zone-policy zone LOCAL description "this is the EdgeRouter or local device"
set zone-policy zone LOCAL default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone B_IT_VPN description "LAN for IT VPN devices"
set zone-policy zone B_IT_VPN default-action drop
set zone-policy zone B_IT_VPN interface eth0
set zone-policy zone B_MGMT_LAN description "Management LAN"
set zone-policy zone B_MGMT_LAN default-action drop
set zone-policy zone B_MGMT_LAN interface eth1
set zone-policy zone B_MGMT_LAN interface eth2
set zone-policy zone VTUN0 description "VPN for IT (Primary)"
set zone-policy zone VTUN0 default-action drop
set zone-policy zone VTUN0 interface vtun0
set zone-policy zone VTUN1 description "VPN for IT (Secondary)"
set zone-policy zone VTUN1 default-action drop
set zone-policy zone VTUN1 interface vtun1
echo ==LOCAL to B_IT_VPN==
set firewall name LOCAL.B_IT_VPN description "filter traffic from LOCAL to B_IT_VPN zone"
set firewall name LOCAL.B_IT_VPN enable-default-log
set firewall name LOCAL.B_IT_VPN rule 100 description "Allow established/related"
set firewall name LOCAL.B_IT_VPN rule 100 action accept
set firewall name LOCAL.B_IT_VPN rule 100 state established enable
set firewall name LOCAL.B_IT_VPN rule 100 state related enable
set firewall name LOCAL.B_IT_VPN rule 100 log enable
set firewall name LOCAL.B_IT_VPN rule 200 description "Drop invalid"
set firewall name LOCAL.B_IT_VPN rule 200 action drop
set firewall name LOCAL.B_IT_VPN rule 200 state invalid enable
set firewall name LOCAL.B_IT_VPN rule 200 log enable
set firewall name LOCAL.B_IT_VPN rule 300 action accept
set firewall name LOCAL.B_IT_VPN rule 300 destination group port-group BASIC-WEB-TCP
set firewall name LOCAL.B_IT_VPN rule 300 protocol tcp
set firewall name LOCAL.B_IT_VPN rule 300 state new enable
set firewall name LOCAL.B_IT_VPN rule 300 log enable
set firewall name LOCAL.B_IT_VPN rule 301 action accept
set firewall name LOCAL.B_IT_VPN rule 301 destination group port-group BASIC-WEB-UDP
set firewall name LOCAL.B_IT_VPN rule 301 protocol udp
set firewall name LOCAL.B_IT_VPN rule 301 state new enable
set firewall name LOCAL.B_IT_VPN rule 301 log enable
set firewall name LOCAL.B_IT_VPN rule 1060 description "Allow OSPF"
set firewall name LOCAL.B_IT_VPN rule 1060 action accept
set firewall name LOCAL.B_IT_VPN rule 1060 protocol ospf
set firewall name LOCAL.B_IT_VPN rule 1060 state new enable
set firewall name LOCAL.B_IT_VPN rule 1060 log enable
set zone-policy zone B_IT_VPN from LOCAL firewall name LOCAL.B_IT_VPN
echo ==LOCAL to B_MGMT_LAN==
set firewall name LOCAL.B_MGMT_LAN description "filter traffic from LOCAL to B_MGMT_LAN zone"
set firewall name LOCAL.B_MGMT_LAN enable-default-log
set firewall name LOCAL.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name LOCAL.B_MGMT_LAN rule 100 action accept
set firewall name LOCAL.B_MGMT_LAN rule 100 state established enable
set firewall name LOCAL.B_MGMT_LAN rule 100 state related enable
set firewall name LOCAL.B_MGMT_LAN rule 100 log enable
set firewall name LOCAL.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name LOCAL.B_MGMT_LAN rule 200 action drop
set firewall name LOCAL.B_MGMT_LAN rule 200 state invalid enable
set firewall name LOCAL.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from LOCAL firewall name LOCAL.B_MGMT_LAN
echo ==LOCAL to VTUN0==
set firewall name LOCAL.VTUN0 description "filter traffic from LOCAL to VTUN0 zone"
set firewall name LOCAL.VTUN0 enable-default-log
set firewall name LOCAL.VTUN0 rule 100 description "Allow established/related"
set firewall name LOCAL.VTUN0 rule 100 action accept
set firewall name LOCAL.VTUN0 rule 100 state established enable
set firewall name LOCAL.VTUN0 rule 100 state related enable
set firewall name LOCAL.VTUN0 rule 100 log enable
set firewall name LOCAL.VTUN0 rule 200 description "Drop invalid"
set firewall name LOCAL.VTUN0 rule 200 action drop
set firewall name LOCAL.VTUN0 rule 200 state invalid enable
set firewall name LOCAL.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from LOCAL firewall name LOCAL.VTUN0
echo ==LOCAL to VTUN1==
set firewall name LOCAL.VTUN1 description "filter traffic from LOCAL to VTUN1 zone"
set firewall name LOCAL.VTUN1 enable-default-log
set firewall name LOCAL.VTUN1 rule 100 description "Allow established/related"
set firewall name LOCAL.VTUN1 rule 100 action accept
set firewall name LOCAL.VTUN1 rule 100 state established enable
set firewall name LOCAL.VTUN1 rule 100 state related enable
set firewall name LOCAL.VTUN1 rule 100 log enable
set firewall name LOCAL.VTUN1 rule 200 description "Drop invalid"
set firewall name LOCAL.VTUN1 rule 200 action drop
set firewall name LOCAL.VTUN1 rule 200 state invalid enable
set firewall name LOCAL.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from LOCAL firewall name LOCAL.VTUN1
echo ==B_IT_VPN to LOCAL==
set firewall name B_IT_VPN.LOCAL description "filter traffic from B_IT_VPN to LOCAL zone"
set firewall name B_IT_VPN.LOCAL enable-default-log
set firewall name B_IT_VPN.LOCAL rule 100 description "Allow established/related"
set firewall name B_IT_VPN.LOCAL rule 100 action accept
set firewall name B_IT_VPN.LOCAL rule 100 state established enable
set firewall name B_IT_VPN.LOCAL rule 100 state related enable
set firewall name B_IT_VPN.LOCAL rule 100 log enable
set firewall name B_IT_VPN.LOCAL rule 200 description "Drop invalid"
set firewall name B_IT_VPN.LOCAL rule 200 action drop
set firewall name B_IT_VPN.LOCAL rule 200 state invalid enable
set firewall name B_IT_VPN.LOCAL rule 200 log enable
set firewall name B_IT_VPN.LOCAL rule 300 action accept
set firewall name B_IT_VPN.LOCAL rule 300 destination group port-group IT-OVPN-SVR-UDP
set firewall name B_IT_VPN.LOCAL rule 300 protocol udp
set firewall name B_IT_VPN.LOCAL rule 300 state new enable
set firewall name B_IT_VPN.LOCAL rule 300 log enable
set firewall name B_IT_VPN.LOCAL rule 1060 description "Allow OSPF"
set firewall name B_IT_VPN.LOCAL rule 1060 action accept
set firewall name B_IT_VPN.LOCAL rule 1060 protocol ospf
set firewall name B_IT_VPN.LOCAL rule 1060 state new enable
set firewall name B_IT_VPN.LOCAL rule 1060 log enable
set zone-policy zone LOCAL from B_IT_VPN firewall name B_IT_VPN.LOCAL
echo ==B_IT_VPN to VTUN0==
set firewall name B_IT_VPN.VTUN0 description "filter traffic from B_IT_VPN to VTUN0 zone"
set firewall name B_IT_VPN.VTUN0 enable-default-log
set firewall name B_IT_VPN.VTUN0 rule 100 description "Allow established/related"
set firewall name B_IT_VPN.VTUN0 rule 100 action accept
set firewall name B_IT_VPN.VTUN0 rule 100 state established enable
set firewall name B_IT_VPN.VTUN0 rule 100 state related enable
set firewall name B_IT_VPN.VTUN0 rule 100 log enable
set firewall name B_IT_VPN.VTUN0 rule 200 description "Drop invalid"
set firewall name B_IT_VPN.VTUN0 rule 200 action drop
set firewall name B_IT_VPN.VTUN0 rule 200 state invalid enable
set firewall name B_IT_VPN.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from B_IT_VPN firewall name B_IT_VPN.VTUN0
echo ==B_IT_VPN to VTUN1==
set firewall name B_IT_VPN.VTUN1 description "filter traffic from B_IT_VPN to VTUN1 zone"
set firewall name B_IT_VPN.VTUN1 enable-default-log
set firewall name B_IT_VPN.VTUN1 rule 100 description "Allow established/related"
set firewall name B_IT_VPN.VTUN1 rule 100 action accept
set firewall name B_IT_VPN.VTUN1 rule 100 state established enable
set firewall name B_IT_VPN.VTUN1 rule 100 state related enable
set firewall name B_IT_VPN.VTUN1 rule 100 log enable
set firewall name B_IT_VPN.VTUN1 rule 200 description "Drop invalid"
set firewall name B_IT_VPN.VTUN1 rule 200 action drop
set firewall name B_IT_VPN.VTUN1 rule 200 state invalid enable
set firewall name B_IT_VPN.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from B_IT_VPN firewall name B_IT_VPN.VTUN1
echo ==B_MGMT_LAN to LOCAL==
set firewall name B_MGMT_LAN.LOCAL description "filter traffic from B_MGMT_LAN to LOCAL zone"
set firewall name B_MGMT_LAN.LOCAL enable-default-log
set firewall name B_MGMT_LAN.LOCAL rule 80 description "Allow All"
set firewall name B_MGMT_LAN.LOCAL rule 80 action accept
set firewall name B_MGMT_LAN.LOCAL rule 80 log enable
set firewall name B_MGMT_LAN.LOCAL rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.LOCAL rule 100 action accept
set firewall name B_MGMT_LAN.LOCAL rule 100 state established enable
set firewall name B_MGMT_LAN.LOCAL rule 100 state related enable
set firewall name B_MGMT_LAN.LOCAL rule 100 log enable
set firewall name B_MGMT_LAN.LOCAL rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.LOCAL rule 200 action drop
set firewall name B_MGMT_LAN.LOCAL rule 200 state invalid enable
set firewall name B_MGMT_LAN.LOCAL rule 200 log enable
set zone-policy zone LOCAL from B_MGMT_LAN firewall name B_MGMT_LAN.LOCAL
echo ==B_MGMT_LAN to VTUN0==
set firewall name B_MGMT_LAN.VTUN0 description "filter traffic from B_MGMT_LAN to VTUN0 zone"
set firewall name B_MGMT_LAN.VTUN0 enable-default-log
set firewall name B_MGMT_LAN.VTUN0 rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.VTUN0 rule 100 action accept
set firewall name B_MGMT_LAN.VTUN0 rule 100 state established enable
set firewall name B_MGMT_LAN.VTUN0 rule 100 state related enable
set firewall name B_MGMT_LAN.VTUN0 rule 100 log enable
set firewall name B_MGMT_LAN.VTUN0 rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.VTUN0 rule 200 action drop
set firewall name B_MGMT_LAN.VTUN0 rule 200 state invalid enable
set firewall name B_MGMT_LAN.VTUN0 rule 200 log enable
set zone-policy zone VTUN0 from B_MGMT_LAN firewall name B_MGMT_LAN.VTUN0
echo ==B_MGMT_LAN to VTUN1==
set firewall name B_MGMT_LAN.VTUN1 description "filter traffic from B_MGMT_LAN to VTUN1 zone"
set firewall name B_MGMT_LAN.VTUN1 enable-default-log
set firewall name B_MGMT_LAN.VTUN1 rule 100 description "Allow established/related"
set firewall name B_MGMT_LAN.VTUN1 rule 100 action accept
set firewall name B_MGMT_LAN.VTUN1 rule 100 state established enable
set firewall name B_MGMT_LAN.VTUN1 rule 100 state related enable
set firewall name B_MGMT_LAN.VTUN1 rule 100 log enable
set firewall name B_MGMT_LAN.VTUN1 rule 200 description "Drop invalid"
set firewall name B_MGMT_LAN.VTUN1 rule 200 action drop
set firewall name B_MGMT_LAN.VTUN1 rule 200 state invalid enable
set firewall name B_MGMT_LAN.VTUN1 rule 200 log enable
set zone-policy zone VTUN1 from B_MGMT_LAN firewall name B_MGMT_LAN.VTUN1
echo ==VTUN0 to LOCAL==
set firewall name VTUN0.LOCAL description "filter traffic from VTUN0 to LOCAL zone"
set firewall name VTUN0.LOCAL enable-default-log
set firewall name VTUN0.LOCAL rule 80 description "Allow All"
set firewall name VTUN0.LOCAL rule 80 action accept
set firewall name VTUN0.LOCAL rule 80 log enable
set firewall name VTUN0.LOCAL rule 100 description "Allow established/related"
set firewall name VTUN0.LOCAL rule 100 action accept
set firewall name VTUN0.LOCAL rule 100 state established enable
set firewall name VTUN0.LOCAL rule 100 state related enable
set firewall name VTUN0.LOCAL rule 100 log enable
set firewall name VTUN0.LOCAL rule 200 description "Drop invalid"
set firewall name VTUN0.LOCAL rule 200 action drop
set firewall name VTUN0.LOCAL rule 200 state invalid enable
set firewall name VTUN0.LOCAL rule 200 log enable
set firewall name VTUN0.LOCAL rule 300 action accept
set firewall name VTUN0.LOCAL rule 300 destination group port-group LOCAL-TCP
set firewall name VTUN0.LOCAL rule 300 protocol tcp
set firewall name VTUN0.LOCAL rule 300 state new enable
set firewall name VTUN0.LOCAL rule 300 log enable
set firewall name VTUN0.LOCAL rule 301 action accept
set firewall name VTUN0.LOCAL rule 301 destination group port-group LOCAL-UDP
set firewall name VTUN0.LOCAL rule 301 protocol udp
set firewall name VTUN0.LOCAL rule 301 state new enable
set firewall name VTUN0.LOCAL rule 301 log enable
set zone-policy zone LOCAL from VTUN0 firewall name VTUN0.LOCAL
echo ==VTUN0 to B_IT_VPN==
set firewall name VTUN0.B_IT_VPN description "filter traffic from VTUN0 to B_IT_VPN zone"
set firewall name VTUN0.B_IT_VPN enable-default-log
set firewall name VTUN0.B_IT_VPN rule 80 description "Allow All"
set firewall name VTUN0.B_IT_VPN rule 80 action accept
set firewall name VTUN0.B_IT_VPN rule 80 log enable
set firewall name VTUN0.B_IT_VPN rule 100 description "Allow established/related"
set firewall name VTUN0.B_IT_VPN rule 100 action accept
set firewall name VTUN0.B_IT_VPN rule 100 state established enable
set firewall name VTUN0.B_IT_VPN rule 100 state related enable
set firewall name VTUN0.B_IT_VPN rule 100 log enable
set firewall name VTUN0.B_IT_VPN rule 200 description "Drop invalid"
set firewall name VTUN0.B_IT_VPN rule 200 action drop
set firewall name VTUN0.B_IT_VPN rule 200 state invalid enable
set firewall name VTUN0.B_IT_VPN rule 200 log enable
set zone-policy zone B_IT_VPN from VTUN0 firewall name VTUN0.B_IT_VPN
echo ==VTUN0 to B_MGMT_LAN==
set firewall name VTUN0.B_MGMT_LAN description "filter traffic from VTUN0 to B_MGMT_LAN zone"
set firewall name VTUN0.B_MGMT_LAN enable-default-log
set firewall name VTUN0.B_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN0.B_MGMT_LAN rule 80 action accept
set firewall name VTUN0.B_MGMT_LAN rule 80 log enable
set firewall name VTUN0.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name VTUN0.B_MGMT_LAN rule 100 action accept
set firewall name VTUN0.B_MGMT_LAN rule 100 state established enable
set firewall name VTUN0.B_MGMT_LAN rule 100 state related enable
set firewall name VTUN0.B_MGMT_LAN rule 100 log enable
set firewall name VTUN0.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name VTUN0.B_MGMT_LAN rule 200 action drop
set firewall name VTUN0.B_MGMT_LAN rule 200 state invalid enable
set firewall name VTUN0.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from VTUN0 firewall name VTUN0.B_MGMT_LAN
echo ==VTUN1 to LOCAL==
set firewall name VTUN1.LOCAL description "filter traffic from VTUN1 to LOCAL zone"
set firewall name VTUN1.LOCAL enable-default-log
set firewall name VTUN1.LOCAL rule 80 description "Allow All"
set firewall name VTUN1.LOCAL rule 80 action accept
set firewall name VTUN1.LOCAL rule 80 log enable
set firewall name VTUN1.LOCAL rule 100 description "Allow established/related"
set firewall name VTUN1.LOCAL rule 100 action accept
set firewall name VTUN1.LOCAL rule 100 state established enable
set firewall name VTUN1.LOCAL rule 100 state related enable
set firewall name VTUN1.LOCAL rule 100 log enable
set firewall name VTUN1.LOCAL rule 200 description "Drop invalid"
set firewall name VTUN1.LOCAL rule 200 action drop
set firewall name VTUN1.LOCAL rule 200 state invalid enable
set firewall name VTUN1.LOCAL rule 200 log enable
set firewall name VTUN1.LOCAL rule 300 action accept
set firewall name VTUN1.LOCAL rule 300 destination group port-group LOCAL-TCP
set firewall name VTUN1.LOCAL rule 300 protocol tcp
set firewall name VTUN1.LOCAL rule 300 state new enable
set firewall name VTUN1.LOCAL rule 300 log enable
set firewall name VTUN1.LOCAL rule 301 action accept
set firewall name VTUN1.LOCAL rule 301 destination group port-group LOCAL-UDP
set firewall name VTUN1.LOCAL rule 301 protocol udp
set firewall name VTUN1.LOCAL rule 301 state new enable
set firewall name VTUN1.LOCAL rule 301 log enable
set zone-policy zone LOCAL from VTUN1 firewall name VTUN1.LOCAL
echo ==VTUN1 to B_IT_VPN==
set firewall name VTUN1.B_IT_VPN description "filter traffic from VTUN1 to B_IT_VPN zone"
set firewall name VTUN1.B_IT_VPN enable-default-log
set firewall name VTUN1.B_IT_VPN rule 80 description "Allow All"
set firewall name VTUN1.B_IT_VPN rule 80 action accept
set firewall name VTUN1.B_IT_VPN rule 80 log enable
set firewall name VTUN1.B_IT_VPN rule 100 description "Allow established/related"
set firewall name VTUN1.B_IT_VPN rule 100 action accept
set firewall name VTUN1.B_IT_VPN rule 100 state established enable
set firewall name VTUN1.B_IT_VPN rule 100 state related enable
set firewall name VTUN1.B_IT_VPN rule 100 log enable
set firewall name VTUN1.B_IT_VPN rule 200 description "Drop invalid"
set firewall name VTUN1.B_IT_VPN rule 200 action drop
set firewall name VTUN1.B_IT_VPN rule 200 state invalid enable
set firewall name VTUN1.B_IT_VPN rule 200 log enable
set zone-policy zone B_IT_VPN from VTUN1 firewall name VTUN1.B_IT_VPN
echo ==VTUN1 to B_MGMT_LAN==
set firewall name VTUN1.B_MGMT_LAN description "filter traffic from VTUN1 to B_MGMT_LAN zone"
set firewall name VTUN1.B_MGMT_LAN enable-default-log
set firewall name VTUN1.B_MGMT_LAN rule 80 description "Allow All"
set firewall name VTUN1.B_MGMT_LAN rule 80 action accept
set firewall name VTUN1.B_MGMT_LAN rule 80 log enable
set firewall name VTUN1.B_MGMT_LAN rule 100 description "Allow established/related"
set firewall name VTUN1.B_MGMT_LAN rule 100 action accept
set firewall name VTUN1.B_MGMT_LAN rule 100 state established enable
set firewall name VTUN1.B_MGMT_LAN rule 100 state related enable
set firewall name VTUN1.B_MGMT_LAN rule 100 log enable
set firewall name VTUN1.B_MGMT_LAN rule 200 description "Drop invalid"
set firewall name VTUN1.B_MGMT_LAN rule 200 action drop
set firewall name VTUN1.B_MGMT_LAN rule 200 state invalid enable
set firewall name VTUN1.B_MGMT_LAN rule 200 log enable
set zone-policy zone B_MGMT_LAN from VTUN1 firewall name VTUN1.B_MGMT_LAN
Generate Client Certificates
Note: the commands below are run as root (via sudo su) from operational mode, in the /usr/lib/ssl/misc/ directory where CA.pl lives.
Generate Certificates
sudo su
cd /usr/lib/ssl/misc
./CA.pl -newreq
Fill out the fields as above, with a unique Common Name for each client (this example uses VPNCLIENT01, VPNCLIENT02, ... as the Common Names; use CompanyName.FirstnameLastname.CompanyTelephone as the Common Name format if you want the certificate clearly attributed to a specific user). Don't add an E-Mail address or the optional company name, and use the "1234" temporary pass phrase when prompted for the new key's PEM pass phrase.
Sign Certificate
./CA.pl -sign
Move and Rename Client Certificates
mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
Create new .key with No Password
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key
### enter the temporary pass phrase (1234 in this example) when prompted
Move VPNCLIENT01-rmpass.key to VPNCLIENT01.key
mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key
Repeat this process for each client, using a unique Common Name each time and leaving the challenge password empty. (CA.pl -newreq-nodes writes the key without a pass phrase in the first place and saves the openssl rsa step.) Either way the final .key has no pass phrase, so anyone who can read it, or the .ovpn built from it, can connect as that client: treat the files under /config/auth and the exported profiles as credentials, not as configuration.
Add static IPs for each VPN client
Record the client's Common Name and the IP assigned to it. The client name in the command below must match the Common Name in that client's certificate, because OpenVPN looks the per-client settings up by Common Name.
exit
configure
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.99.99.X
commit
save
Backup the SSL and Config Directories to Your Computer
sudo su
cd /tmp
tar -czf OpenVPN-CA_dir-Config_dir-Date.tar.gz /config /usr/lib/ssl
Then use either WinSCP on Windows or SFTP in a Linux file manager to log in and copy the file from the /tmp folder to your computer. The archive contains the CA private key, the server key and every client key (the client keys with their pass phrases removed), so whoever holds it can issue or impersonate any VPN identity: store it encrypted and access-controlled, and delete the copy left in /tmp once it has been downloaded. Also extract it, because the files in it are needed to create the .ovpn config files.
VPN Client Config and Certificates in Single File
http://blog.iopsl.com/openvpn-configuration-in-a-single-file/
The benefit of a single configuration file is that it can be used on mobile devices, where OpenVPN Connect is the official client (or imported into Tunnelblick on macOS or the NetworkManager OpenVPN plugin on Linux).
Insert the file contents into the following sections accordingly, namely ca.crt, client.crt, client.key and ta.key (in this setup those are cacert.pem, VPNCLIENT01.pem, VPNCLIENT01.key and ta.key).
Base .ovpn config file without keys
client
float
resolv-retry infinite
nobind
mute-replay-warnings
verb 5
persist-key
persist-tun
explicit-exit-notify 1
dev tun
proto udp
cipher AES-256-GCM
auth SHA512
key-direction 1
#cert VPNCLIENT01.pem
#key VPNCLIENT01.key
#ca cacert.pem
#tls-auth ta.key 1
remote vpn.server.domain.name.com 5187
## the 3 options below made a connection on a Win7 client go from 200KB/s to 1000KB/s, though a Win10 client didn't need them
#mssfix 1200
#sndbuf 2000000
#rcvbuf 2000000
And the key files. You can tell which is which from the file names saved earlier and their commented-out references in the config above; only the -----BEGIN ... END----- block of each file goes inside the tags.
<ca>
…
</ca>
<cert>
…
</cert>
<key>
…
</key>
<tls-auth>
…
</tls-auth>
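Assembling these by hand is error-prone: the .pem that CA.pl -sign writes starts with a human-readable dump of the certificate, which does not belong in the profile, and the finished file carries an unencrypted private key. The script below is an added example, not part of the original page, that builds the profile for one client from the files saved under /config/auth (or the extracted backup) and checks the result. The remote host, the port and the make_demo_auth placeholder files are parameters and constructed inputs, not values from the page; the directives are the page's base config.

```shell
#!/usr/bin/env bash
# Added example, not code from the page: build one self-contained .ovpn per
# client from the files saved under /config/auth (read here from any directory,
# e.g. the extracted backup). File names follow the page: cacert.pem, ta.key,
# NAME.pem, NAME.key. Remote host and port are parameters, not the page's values.
set -e

# pem_block FILE TYPE -> only the "-----BEGIN TYPE-----" ... "-----END TYPE-----" lines.
# CA.pl's newcert.pem starts with a text dump of the certificate; only the
# base64 block belongs in the profile.
pem_block() {
  sed -n "/^-----BEGIN $2-----\$/,/^-----END $2-----\$/p" "$1"
}

# build_ovpn AUTH_DIR NAME REMOTE PORT OUT_FILE
build_ovpn() {
  local dir=$1 name=$2 remote=$3 port=$4 out=$5 f ca cert key ta
  for f in "$dir/cacert.pem" "$dir/$name.pem" "$dir/$name.key" "$dir/ta.key"; do
    [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  ca=$(pem_block "$dir/cacert.pem" CERTIFICATE)
  cert=$(pem_block "$dir/$name.pem" CERTIFICATE)
  # openssl rsa writes PKCS#1 ("RSA PRIVATE KEY") on OpenSSL 1.x and PKCS#8
  # ("PRIVATE KEY") on 3.x; accept either.
  key=$(pem_block "$dir/$name.key" "RSA PRIVATE KEY")
  [ -n "$key" ] || key=$(pem_block "$dir/$name.key" "PRIVATE KEY")
  ta=$(pem_block "$dir/ta.key" "OpenVPN Static key V1")
  [ -n "$ca" ]   || { echo "no CA certificate in $dir/cacert.pem" >&2; return 1; }
  [ -n "$cert" ] || { echo "no certificate in $dir/$name.pem" >&2; return 1; }
  [ -n "$key" ]  || { echo "no private key in $dir/$name.key" >&2; return 1; }
  [ -n "$ta" ]   || { echo "no tls-auth key in $dir/ta.key" >&2; return 1; }
  # The profile embeds an unencrypted private key: create it owner-readable only.
  ( umask 077
    {
      cat <<EOF
client
dev tun
proto udp
remote $remote $port
float
resolv-retry infinite
nobind
persist-key
persist-tun
explicit-exit-notify 1
mute-replay-warnings
cipher AES-256-GCM
auth SHA512
key-direction 1
verb 3
EOF
      printf '<ca>\n%s\n</ca>\n' "$ca"
      printf '<cert>\n%s\n</cert>\n' "$cert"
      printf '<key>\n%s\n</key>\n' "$key"
      printf '<tls-auth>\n%s\n</tls-auth>\n' "$ta"
    } >"$out"
  )
}

# ovpn_check FILE -> 0 when all four inline blocks are present and the file is mode 0600
ovpn_check() {
  [ "$(grep -c '^-----BEGIN ' "$1")" -eq 4 ] || return 1
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
}

# make_demo_auth DIR: constructed placeholder files in the page's layout. The
# base64 is dummy text, not real keys, so the demo runs without openssl.
make_demo_auth() {
  mkdir -p "$1"
  printf 'Certificate:\n    Data:\n        Version: 3\n-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n' >"$1/cacert.pem"
  printf 'Certificate:\n    Data:\n-----BEGIN CERTIFICATE-----\nQ0xJRU5UIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n' >"$1/VPNCLIENT01.pem"
  printf -- '-----BEGIN PRIVATE KEY-----\nS0VZIFBMQUNFSE9MREVS\n-----END PRIVATE KEY-----\n' >"$1/VPNCLIENT01.key"
  printf '#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n00112233445566778899aabbccddeeff\n-----END OpenVPN Static key V1-----\n' >"$1/ta.key"
}

# Stand-alone demo on the constructed files (the page's example FQDN and port).
demo=$(mktemp -d)
make_demo_auth "$demo/auth"
build_ovpn "$demo/auth" VPNCLIENT01 vpn.server.domain.name.com 5187 "$demo/VPNCLIENT01.ovpn"
ovpn_check "$demo/VPNCLIENT01.ovpn" && echo "wrote $demo/VPNCLIENT01.ovpn"
```

On the router you would run it as build_ovpn /config/auth VPNCLIENT01 openvpnhost.somedomain.com 5119 /tmp/VPNCLIENT01.ovpn and hand the file over through a channel you would trust with a password. remote-cert-tls server is deliberately not added: the server certificate issued by CA.pl -sign carries no serverAuth extended key usage, so that directive would make clients refuse the server. If you reissue the server certificate with extendedKeyUsage=serverAuth, add it, because without it any valid client certificate from this CA can stand in for the server.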
Cheat for Multiple Client Certificates
CA.pl does not take the client name as an argument; the name after -newreq below is only a reminder of which Common Name to type at the prompt (CA.pl may complain about the unknown argument after newreq.pem has been written). The openssl rsa step prompts for the temporary pass phrase each time. Run the set commands at the end in configure mode, then commit and save.
./CA.pl -newreq VPNCLIENT01
./CA.pl -sign
mv newcert.pem /config/auth/VPNCLIENT01.pem
mv newkey.pem /config/auth/VPNCLIENT01.key
openssl rsa -in /config/auth/VPNCLIENT01.key -out /config/auth/VPNCLIENT01-rmpass.key
mv /config/auth/VPNCLIENT01-rmpass.key /config/auth/VPNCLIENT01.key
---------------------
./CA.pl -newreq VPNCLIENT02
./CA.pl -sign
mv newcert.pem /config/auth/VPNCLIENT02.pem
mv newkey.pem /config/auth/VPNCLIENT02.key
openssl rsa -in /config/auth/VPNCLIENT02.key -out /config/auth/VPNCLIENT02-rmpass.key
mv /config/auth/VPNCLIENT02-rmpass.key /config/auth/VPNCLIENT02.key
---------------------
./CA.pl -newreq VPNCLIENT03
./CA.pl -sign
mv newcert.pem /config/auth/VPNCLIENT03.pem
mv newkey.pem /config/auth/VPNCLIENT03.key
openssl rsa -in /config/auth/VPNCLIENT03.key -out /config/auth/VPNCLIENT03-rmpass.key
mv /config/auth/VPNCLIENT03-rmpass.key /config/auth/VPNCLIENT03.key
---------------------
./CA.pl -newreq VPNCLIENT04
./CA.pl -sign
mv newcert.pem /config/auth/VPNCLIENT04.pem
mv newkey.pem /config/auth/VPNCLIENT04.key
openssl rsa -in /config/auth/VPNCLIENT04.key -out /config/auth/VPNCLIENT04-rmpass.key
mv /config/auth/VPNCLIENT04-rmpass.key /config/auth/VPNCLIENT04.key
---------------------
./CA.pl -newreq VPNCLIENT05
./CA.pl -sign
mv newcert.pem /config/auth/VPNCLIENT05.pem
mv newkey.pem /config/auth/VPNCLIENT05.key
openssl rsa -in /config/auth/VPNCLIENT05.key -out /config/auth/VPNCLIENT05-rmpass.key
mv /config/auth/VPNCLIENT05-rmpass.key /config/auth/VPNCLIENT05.key
---------------------
set interfaces openvpn vtun0 server client VPNCLIENT01 ip 10.100.199.11
set interfaces openvpn vtun0 server client VPNCLIENT02 ip 10.100.199.12
set interfaces openvpn vtun0 server client VPNCLIENT03 ip 10.100.199.13
set interfaces openvpn vtun0 server client VPNCLIENT04 ip 10.100.199.14
set interfaces openvpn vtun0 server client VPNCLIENT05 ip 10.100.199.15
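When the client list is long, the prompts above get tedious, and the CA's index.txt is the only record of which certificates exist. The script below is an added example, not code from this page or from EdgeOS, covering both the per-client steps in "Generate Client Certificates" and the cheat above: it issues client certificates non-interactively with openssl ca (the command CA.pl -sign wraps, so index.txt stays authoritative) and adds the step the page does not cover, revoking a client whose laptop is lost and producing a CRL. It assumes CA.pl's demoCA layout under a directory passed as CA_DIR (cacert.pem, private/cakey.pem, index.txt, serial, newcerts/), reads the CA PEM pass phrase from the CA_PASS environment variable, and writes client keys without a pass phrase (the -nodes equivalent of the rmpass step). make_demo_ca and the client names exist only so the script runs stand-alone; on the router CA_DIR would be /usr/lib/ssl/misc/demoCA and the output directory /config/auth.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from EdgeOS: issue client
# certificates non-interactively with `openssl ca`, keep the CA database
# current, revoke a client and publish a CRL. Assumed layout is CA.pl's demoCA
# one under CA_DIR: cacert.pem, private/cakey.pem, index.txt, serial, newcerts/.
# Set CA_PASS to the CA PEM pass phrase; leave it unset if the CA key has none.
set -e

# ca_setup CA_DIR -> writes a minimal CA config next to the database, prints its path
ca_setup() {
  local ca_dir=$1 cfg=$1/vpn-ca.cnf
  mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
  [ -f "$ca_dir/index.txt" ] || : >"$ca_dir/index.txt"
  [ -f "$ca_dir/serial" ]    || echo 1000 >"$ca_dir/serial"
  [ -f "$ca_dir/crlnumber" ] || echo 1000 >"$ca_dir/crlnumber"
  cat >"$cfg" <<EOF
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
dir              = $ca_dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = vpn_policy
[ vpn_policy ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
  echo "$cfg"
}

# Prints the -passin option only when CA_PASS is set (unencrypted CA key otherwise).
ca_passin() {
  [ -n "$CA_PASS" ] && echo "-passin env:CA_PASS"
  return 0
}

# issue_client CA_DIR OUT_DIR NAME -> OUT_DIR/NAME.pem (cert) and OUT_DIR/NAME.key
issue_client() {
  local ca_dir=$1 out_dir=$2 name=$3 cfg
  local key="$2/$3.key" csr="$2/$3.csr" crt="$2/$3.pem"
  cfg=$(ca_setup "$ca_dir")
  mkdir -p "$out_dir"
  ( umask 077   # key and cert are written owner-readable only
    # -nodes: no pass phrase on the client key, so no rmpass step is needed
    openssl req -new -config "$cfg" -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$name" >/dev/null 2>&1
    # -batch: no "Sign the certificate?" prompt; -notext: PEM block only
    openssl ca -batch -config "$cfg" $(ca_passin) -extensions client_ext \
        -notext -in "$csr" -out "$crt" >/dev/null 2>&1
  )
  rm -f "$csr"
  openssl verify -CAfile "$ca_dir/cacert.pem" "$crt" >/dev/null
}

# revoke_client CA_DIR CERT_PEM -> marks the cert revoked and rewrites CA_DIR/crl.pem
revoke_client() {
  local cfg
  cfg=$(ca_setup "$1")
  openssl ca -config "$cfg" $(ca_passin) -revoke "$2" >/dev/null 2>&1
  openssl ca -config "$cfg" $(ca_passin) -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# cert_status CA_DIR CERT_PEM -> V (valid) or R (revoked), read from index.txt
cert_status() {
  local serial
  serial=$(openssl x509 -noout -serial -in "$2" | cut -d= -f2)
  awk -F'\t' -v s="$serial" '$4 == s { print $1 }' "$1/index.txt"
}

# make_demo_ca CA_DIR: demo only, a throwaway CA; on the router the CA.pl one exists
make_demo_ca() {
  local cfg
  cfg=$(ca_setup "$1")
  ( umask 077
    openssl req -x509 -new -config "$cfg" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" -subj "/CN=Demo VPN CA" >/dev/null 2>&1 )
}

# Stand-alone demo: three clients, one revoked (skipped where openssl is absent).
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_demo_ca "$work/ca"
  for c in VPNCLIENT01 VPNCLIENT02 VPNCLIENT03; do issue_client "$work/ca" "$work/auth" "$c"; done
  revoke_client "$work/ca" "$work/auth/VPNCLIENT03.pem"
  for c in VPNCLIENT01 VPNCLIENT02 VPNCLIENT03; do
    echo "$c: $(cert_status "$work/ca" "$work/auth/$c.pem")"
  done
  echo "CRL written to $work/ca/crl.pem"
fi
```

Point the OpenVPN server at the resulting crl.pem with the crl-verify directive (on EdgeOS via the openvpn interface's tls settings or an openvpn-option), otherwise a revoked certificate keeps working until it expires. Regenerate the CRL before default_crl_days (30 here) elapses, since OpenVPN rejects all connections once the CRL itself has expired.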