Configure EdgeRouter OpenVPN with extra authentication

Lars Jönsson 2021-01-06

This guide shows how to set up an OpenVPN server on an EdgeRouter where the clients use a username and password in addition to the standard certificate authentication.

Prepare server

Set up the OpenVPN server according to this Ubiquiti guide, but skip the client configuration part; the clients are set up in the next chapter. Ensure that name-server and push-route correspond to the addresses in use.

Set up username/password authentication (via the PAM plugin) and aes256 encryption.

configure
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
set interfaces openvpn vtun0 encryption aes256
commit
save

Return to operational mode.

exit

Create client configuration

The following steps are needed for each client.

Note: Replace client1 with an appropriate client name.

Create key and certificate

Log in as the root user.

sudo su

Change the current directory.

cd /usr/lib/ssl/misc

Generate the certificate and key files for the client.

./CA.pl -newreq
Common Name: client1

Sign the certificate.

./CA.pl -sign
Certificate Details:
        Validity
            Not Before: Jan 21 13:05:03 2019 GMT
            Not After : Jan 21 13:05:03 2020 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = New York
            localityName              = New York
            organizationName          = Ubiquiti
            organizationalUnitName    = Support
            commonName                = client1
            emailAddress              = support@ubnt.com

Certificate is to be certified until Jan 21 13:05:03 2020 GMT (365 days)
Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Move the certificate and key files.

mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

Remove the password from the client and server key files.

openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key

Overwrite the existing key with the no-pass version.

mv /config/auth/client1-no-pass.key /config/auth/client1.key

Add read permission for non-root users to the client key files.

chmod 644 /config/auth/client1.key

Return to operational mode.

exit

Create the user account

Create a user account for the client. Include the plaintext password on the command line. This password will be encrypted at commit.

configure
set system login user client1 authentication plaintext-password <password>
set system login user client1 level operator
commit ; save
exit

Create client configuration file

Create the OpenVPN client file.

Note: Replace example.com with the hostname of the OpenVPN server.

{
echo "client"
echo "dev tun"
echo "proto udp"
echo "remote example.com 1194"
echo "float"
echo "resolv-retry infinite"
echo "nobind"
echo "persist-key"
echo "persist-tun"
echo "verb 3"
echo "cipher AES-256-CBC"
echo "auth-nocache"
echo "auth-user-pass"
# openssl x509/pkey re-emit only the PEM object (dropping the text dump that
# CA.pl leaves in newcert.pem) and write to stdout, so no temporary file holding
# the private key is needed.
echo "<ca>"
openssl x509 -in /config/auth/cacert.pem
echo "</ca>"
echo "<cert>"
openssl x509 -in /config/auth/client1.pem
echo "</cert>"
echo "<key>"
openssl pkey -in /config/auth/client1.key
echo "</key>"
} > client1.ovpn

A client1.ovpn file similar to this should be created:

client
dev tun
proto udp
remote example.com 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth-nocache
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIJANvkOPYA/0TTMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
  ...
pg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID4jCCAsqgAwIBAgIJANvkOPYA/0TVMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
  ...
ULQvAqMyg3hvUoMU2PUwvh0wCUoKjZ7ewv3kXYZZ6KJcGJ+B610=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIcjdGY+dkxccCAggA
  ...
xIk=
-----END ENCRYPTED PRIVATE KEY-----
</key>
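Before importing the profile it is worth checking that the generated file has the shape this server configuration expects. The following POSIX shell script is an added example, not part of the original guide or of EdgeOS; it assumes only grep and sed and the inline <ca>/<cert>/<key> layout produced by the script above. It checks the directives the server side of this guide relies on, confirms that each inline block holds exactly one terminated PEM object, and flags a <key> block that still carries an ENCRYPTED header (the sign that the passphrase-removal step was skipped, which makes the client prompt for a passphrase on every connect). The function names, the file names and the sample profile it writes are mine; the PEM bodies in the sample are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: lint a generated client .ovpn profile before importing it.
# Not part of the original guide or of EdgeOS. Assumes POSIX sh, grep and sed,
# and the inline <ca>/<cert>/<key> layout produced by the guide's script.

# pem_block FILE NAME: print the lines between <NAME> and </NAME>.
pem_block() {
    sed -n "/^<$2>\$/,/^<\/$2>\$/p" "$1"
}

# check_ovpn FILE: return 0 if the profile matches what this guide's server
# expects, 1 otherwise (each problem is reported on stdout).
check_ovpn() {
    f=$1
    rc=0

    # Directives the server side of the guide depends on.
    for d in '^client$' '^remote ' '^cipher AES-256-CBC$' '^auth-user-pass$'; do
        grep -q "$d" "$f" || { echo "missing directive: $d"; rc=1; }
    done

    # Each inline block must exist and hold exactly one terminated PEM object.
    for b in ca cert key; do
        blk=$(pem_block "$f" "$b")
        if [ -z "$blk" ]; then
            echo "missing <$b> block"; rc=1; continue
        fi
        n=$(printf '%s\n' "$blk" | grep -c '^-----BEGIN ' || true)
        [ "$n" -eq 1 ] || { echo "<$b> should hold one PEM object, found $n"; rc=1; }
        printf '%s\n' "$blk" | grep -q '^-----END ' \
            || { echo "<$b> PEM object is not terminated"; rc=1; }
    done

    # The guide strips the passphrase with 'openssl rsa'; an ENCRYPTED header
    # means that step was skipped and the client will prompt for a passphrase.
    if pem_block "$f" key | grep -q 'ENCRYPTED'; then
        echo "<key> is still passphrase-protected"; rc=1
    fi

    # auth-user-pass must stay bare: a file argument would mean a credentials
    # file is expected to travel with the profile.
    if grep -q '^auth-user-pass .' "$f"; then
        echo "auth-user-pass points at a credentials file"; rc=1
    fi

    return $rc
}

# write_sample FILE: write a constructed profile with placeholder PEM bodies
# (not real certificates or keys) so the checker can be exercised offline.
write_sample() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote example.com 1194
cipher AES-256-CBC
auth-nocache
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END PRIVATE KEY-----
</key>
EOF
}

# Usage: sh check_ovpn.sh client1.ovpn
if [ "$#" -gt 0 ]; then
    check_ovpn "$1"
fi
```

Run it against the real client1.ovpn on the router; a clean profile prints nothing and exits 0, and each reported problem maps to one step of this guide (a missing cipher or auth-user-pass line to the server settings, an ENCRYPTED key to the passphrase-removal step).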

Import the client1.ovpn file into the OpenVPN client software. When connecting, use the username and password configured on the server.