Configure EgdeRouter OpenVPN

Lars Jönsson 2021-04-20

How to setup an OpenVPN server on EdgeRouter with password protected client keys using a separate CA. The CA uses the easy-rsa 3 script to ensure that the certificates suits hardened OpenVPN security.

This guide consists of three parts:

Overview

The OpenVPN server is setup according to the official guide EdgeRouter - OpenVPN Server, with the main difference that the Certificate Authority (CA) is outside the EdgeRouter. This makes it easier to improve the security.

The different key and certificate files, used by OpenVPN server and clients, are used as follows:

Filename Needed By Purpose Secret
ca.crt server + all clients Root CA certificate NO
ca.key key signing machine only Root CA key YES
dh{n}.pem server only Diffie Hellman parameters NO
server.crt server only Server Certificate NO
server.key server only Server Key YES
client1.crt client1 only Client1 Certificate NO
client1.key client1 only Client1 Key YES
client2.crt client2 only Client2 Certificate NO
client2.key client2 only Client2 Key YES
client3.crt client3 only Client3 Certificate NO
client3.key client3 only Client3 Key YES

All non-secret parts, as certificates, Diffie-Hellman key and Certification Revocation List, are generated on the CA. The secret parts are as follows:

Preparations

The CA is created on a Linux computer that runs Fedora 32. The easy-rsa 3 package (see OpenVPN/easy-rsa) will be used for managing the certificates. The entire CA will be stored on a safe storage (see Safe storage) that can be stored on a USB stick, but these instructions assumes that the safe storage is stored locally on the Linux computer.

Install the easy-rsa package.

sudo dnf install easy-rsa

Create the base of the OpenVPN CA at ~/OpenVPN-CA.

cd
mkdir OpenVPN-CA
cd ~/OpenVPN-CA

Create a safe storage for the pki.

dd if=/dev/zero bs=1M count=100 of=secret-device.img
sudo cryptsetup luksFormat secret-device.img
sudo cryptsetup open --type luks secret-device.img secret-device
sudo mkfs.ext4 /dev/mapper/secret-device
mkdir safe-storage
sudo mount /dev/mapper/secret-device safe-storage
sudo chown $USER:`id -gn` safe-storage

Create a link to the easyrsa script.

cd safe-storage
ln -s /usr/share/easy-rsa/3/easyrsa

Create CA

By default, the CA root certificate expires after 10 years and signed certificates expires after 2 years.

Initialize the pki.

cd ~/OpenVPN-CA/safe-storage
./easyrsa init-pki

Build the CA.

./easyrsa build-ca

Create OpenVPN server

Configuring the OpenVPN server follows the official guide EdgeRouter - OpenVPN Server with some modifications.

Create key and CSR on the EdgeRouter

Login to the EgdeRouter and create the key/CSR (Certificate Signing Request). Enter '.' in all fields, except the Common Name, to make them empty.

sudo su
cd /usr/lib/ssl/misc
./CA.pl -newreq
Common Name: server

Sign the CSR on the CA

Move and rename the server key file to the /config/auth directory and remove the password.

mv newkey.pem /config/auth/server.key
openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
mv /config/auth/server-no-pass.key /config/auth/server.key 

Return to operational mode. There is no need to logout from the EdgeRouter at this point, as we will soon come back and configure the OpenVPN server.

exit

Return to the Linux computer to copy the CSR from the EdgeRouter and import it into the CA.

scp admin@192.168.0.1:/usr/lib/ssl/misc/newreq.pem .
./easyrsa import-req newreq.pem server
rm newreq.pem

Sign the CSR and copy the certificate to the EdgeRouter.

./easyrsa sign-req server server
scp pki/issued/server.crt admin@192.168.0.1:/config/auth/server.pem

Create the Certificate Revocation List (CRL) and copy it to the EdgeRouter.

./easyrsa gen-crl
scp pki/crl.pem admin@192.168.0.1:/config/auth/

Copy the CA certificate to the EdgeRouter.

scp pki/ca.crt admin@192.168.0.1:/config/auth/cacert.pem

The OpenVPN server uses a Diffie-Hellman key. I can be generated on the EdgeRouter, but it takes a very long time (more than 30 minutes). It is much faster (less than one minute) to generate it on the Linux computer and copy it to the EdgeRouter.

Generate the key and copy it to the EdgeRouter.

./easyrsa gen-dh
scp pki/dh.pem admin@192.168.0.1:/config/auth/

Lock up the safe storage if all CA work is done.

Configure the OpenVPN server

The OpenVPN server is now ready to be configured. Go back to the EgdeRouter and login, if needed.

Enter configuration mode.

configure

Add a firewall rule for the OpenVPN traffic to the WAN_LOCAL firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp

Configure the OpenVPN virtual tunnel interface. Ensure that name-server and push-route corresponds to the used addresses.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.0.0/24
set interfaces openvpn vtun0 server name-server 192.168.0.1

Setup aes256 encryption to improve security.

set interfaces openvpn vtun0 encryption aes256

Link the server certificate/keys and DH key to the virtual tunnel interface.

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem

Add the virtual tunnel interface to the DNS forwarding interface list.

set service dns forwarding listen-on vtun0

Commit the changes and save the configuration.

commit ; save

Return to operational mode.

exit

The OpenVPN server is now up and running. Logout from the EdgeRouter and go ahead to create client configuration(s).

Create OpenVPN Client configuration

First Open the safe storage, if needed.

For convenience, the OpenVPN server name and client name, are set in environment variables.

Note: Replace example.com with the name of the name of the OpenVPN server and client1 with an appropriate client name.

ovpn_server=example.com
ovpn_client=client1

Change to the OpenVPN CA directory.

cd ~/OpenVPN-CA/safe-storage

Generate the certificate and key files for the client. Remember the password of the private key as it needs to entered when the client connects to the server.

./easyrsa gen-req $ovpn_client

Sign the certificate.

./easyrsa sign-req client $ovpn_client

Create the OpenVPN client file.

{
echo "client"
echo "dev tun"
echo "proto udp"
echo "remote $ovpn_server 1194"
echo "float"
echo "resolv-retry infinite"
echo "nobind"
echo "persist-key"
echo "persist-tun"
echo "verb 3"
echo "cipher AES-256-CBC"
echo "auth-nocache"
echo "remote-cert-tls server"
echo "<ca>"
openssl x509 -in pki/ca.crt
echo "</ca>"
echo "<cert>"
openssl x509 -in pki/issued/$ovpn_client.crt
echo "</cert>"
echo "<key>"
cat pki/private/$ovpn_client.key
echo "</key>"
} > $ovpn_client.ovpn

An .ovpn file similar to this should be created:

client
dev tun
proto udp
remote example.com 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth-nocache
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIJANvkOPYA/0TTMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
  ...
pg==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID4jCCAsqgAwIBAgIJANvkOPYA/0TVMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV
  ...
ULQvAqMyg3hvUoMU2PUwvh0wCUoKjZ7ewv3kXYZZ6KJcGJ+B610=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIcjdGY+dkxccCAggA
  ...
xIk=
-----END ENCRYPTED PRIVATE KEY-----
</key>

Import the .ovpn file to the OpenVPN client software. Use the clients private key password when connecting to the server.

Lock up the safe storage if all CA work is done.

Revoke certificates

Sometimes certificates needs to be revoked. Typical reasons for wanting to revoke a certificate include:

First Open the safe storage, if needed.

NOTE Replace client1 with the name of your certificate

cd ~/OpenVPN-CA/safe-storage
./easyrsa revoke client1

Rebuild the crl file and copy it to the OpenVPN server.

./easyrsa gen-crl
scp pki/crl.pem admin@192.168.0.1:/config/auth/

There is no need to restart the OpenVPN server, because the uploaded crl file will be used at the next connection attempt.

Lock up the safe storage if all CA work is done.

Safe storage usage

Open safe storage

Before the CA can be used, the safe storage needs to opened.

cd ~/OpenVPN-CA
sudo cryptsetup open --type luks secret-device.img secret-device
sudo mount /dev/mapper/secret-device safe-storage

Lock up safe storage

When all certificates are created, the safe storage can be locked up (and optionally stored in a safe place).

cd ~/OpenVPN-CA
sudo umount safe-storage
sudo cryptsetup close secret-device