Configure EdgeRouter OpenVPN with extra authentication
Lars Jönsson 2021-01-06
This guide shows how to set up an OpenVPN server on an EdgeRouter where the clients use a username and password in addition to the standard certificate authentication.
Prepare server
Set up the OpenVPN server according to this Ubiquiti guide, but skip the client configuration part; the clients are set up in the next chapter. Ensure that name-server and push-route correspond to the addresses in use.
Set up the username/password authentication and AES-256 encryption. The openvpn-auth-pam plugin with the login PAM service checks the username and password against the router's local user accounts; the certificate check stays in place, so a client needs both a valid certificate and a valid account. encryption aes256 selects AES-256-CBC, which must match the cipher line in the client configuration.
configure
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 encryption aes256
commit
save
Return to operational mode.
exit
Create client configuration
The following steps are needed for each client.
Note: Replace client1 with an appropriate client name.
Create key and certificate
Log in as the root user.
sudo su
Change the current directory.
cd /usr/lib/ssl/misc
Generate the certificate request and key for the client. The script prompts for a passphrase for the new key and for the subject fields; use the client name as the Common Name.
./CA.pl -newreq
Common Name: client1
Sign the certificate.
./CA.pl -sign
Certificate Details:
Validity
Not Before: Jan 21 13:05:03 2019 GMT
Not After : Jan 21 13:05:03 2020 GMT
Subject:
countryName = US
stateOrProvinceName = New York
localityName = New York
organizationName = Ubiquiti
organizationalUnitName = Support
commonName = client1
emailAddress = support@ubnt.com
Certificate is to be certified until Jan 21 13:05:03 2020 GMT (365 days)
Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n] y
Move the certificate and key files.
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
Remove the passphrase from the client key file. Without this step the client would prompt for the key passphrase in addition to the username and password, which headless clients cannot answer.
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
Overwrite the existing keys with the no-pass versions.
mv /config/auth/client1-no-pass.key /config/auth/client1.key
Add read permission for non-root users to the client key file, so that the .ovpn file can be built as the admin user below. Note that this makes the private key world-readable on the router; alternatively build the .ovpn file while still root and skip this step.
chmod 644 /config/auth/client1.key
Return to operational mode.
exit
Create the user account
Create a user account for the client. The password is given in plaintext on the command line and is stored as a hash at commit; the operator level limits the account to operational-mode commands on the router. Note that the login PAM service accepts any local account on the router, including the admin accounts, and OpenVPN does not tie the username to the certificate's common name: any valid client certificate combined with any valid router login is accepted.
configure
set system login user client1 authentication plaintext-password <password>
set system login user client1 level operator
commit ; save
exit
Create client configuration file
Create the OpenVPN client file.
Note: Replace example.com with the name of the OpenVPN server.
{
echo "client"
echo "dev tun"
echo "proto udp"
echo "remote example.com 1194"
echo "float"
echo "resolv-retry infinite"
echo "nobind"
echo "persist-key"
echo "persist-tun"
echo "verb 3"
echo "cipher AES-256-CBC"
echo "auth-nocache"
echo "auth-user-pass"
# openssl x509 prints only the PEM block, dropping the text dump CA.pl writes before it
echo "<ca>"
openssl x509 -in /config/auth/cacert.pem
echo "</ca>"
echo "<cert>"
openssl x509 -in /config/auth/client1.pem
echo "</cert>"
# the passphrase was removed above, so openssl pkey writes the key unencrypted
echo "<key>"
openssl pkey -in /config/auth/client1.key
echo "</key>"
} > client1.ovpn
A client1.ovpn file similar to this should be created:
client
dev tun
proto udp
remote example.com 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth-nocache
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIJANvkOPYA/0TTMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
...
pg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID4jCCAsqgAwIBAgIJANvkOPYA/0TVMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
...
ULQvAqMyg3hvUoMU2PUwvh0wCUoKjZ7ewv3kXYZZ6KJcGJ+B610=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
Import the client1.ovpn file into the OpenVPN client software and use the username and password configured on the server when connecting. The file contains the unencrypted private key, so transfer it over a secure channel and delete the copies of client1.ovpn, client1.pem and client1.key that remain on the router once the client is working.
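As an added example (not part of the original guide), the following shell script builds the client profile from the files in /config/auth and checks the result before it is handed out. It is meant to be run on the router after the steps above; the server name vpn.example.com and the sample PEM contents used in the usage are assumptions. Unlike the echo/openssl script above it extracts the PEM bodies with sed, so it does not need openssl, and it refuses to embed a key that still carries a passphrase.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes the file layout and
# OpenVPN options used in the guide above.

# pem_block FILE: print only the PEM body of FILE. CA.pl writes a human-readable
# certificate dump before the "-----BEGIN CERTIFICATE-----" line, which must not
# end up inside an inline <cert> block.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# key_is_encrypted FILE: succeed (exit 0) if FILE still carries a passphrase,
# in either the PKCS#8 or the legacy "Proc-Type: 4,ENCRYPTED" form.
key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# build_ovpn SERVER CA CERT KEY: write the client profile to stdout.
# Fails if a file is unreadable or the key is passphrase-protected.
build_ovpn() {
    server="$1"; ca="$2"; cert="$3"; key="$4"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    if key_is_encrypted "$key"; then
        echo "build_ovpn: $key is still passphrase-protected; strip it with openssl rsa first" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth-nocache
auth-user-pass
<ca>
$(pem_block "$ca")
</ca>
<cert>
$(pem_block "$cert")
</cert>
<key>
$(pem_block "$key")
</key>
EOF
}

# check_profile FILE: succeed if FILE has exactly one <ca>, <cert> and <key>
# block, asks for a username/password, and embeds an unencrypted key.
check_profile() {
    for tag in ca cert key; do
        [ "$(grep -c "^<$tag>$" "$1")" = 1 ] && [ "$(grep -c "^</$tag>$" "$1")" = 1 ] || return 1
    done
    grep -q '^auth-user-pass$' "$1" || return 1
    ! key_is_encrypted "$1"
}

# Usage on the router (hypothetical file name build_ovpn.sh):
#   sh build_ovpn.sh vpn.example.com /config/auth/cacert.pem \
#       /config/auth/client1.pem /config/auth/client1.key > client1.ovpn
#   check_profile client1.ovpn
if [ "$#" -eq 4 ]; then
    build_ovpn "$@"
fi
```

check_profile deliberately re-runs the passphrase check on the finished file rather than trusting build_ovpn, because the profile is what actually leaves the router; a failed check is the point at which to go back to the openssl rsa step rather than ship a profile that will prompt for a passphrase on the client.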