New Member
Posts: 2
Registered: ‎11-29-2017

Edgerouter Lite with OpenVPN & Radius & Google Authenticator & certificate based authentication

Dear all,

I have already spent many hours browsing this forum and have gotten much helpful information from it.

I bought a Ubiquiti EdgeRouter Lite, which has firmware version 1.9.7.HF4 installed. I have gone through the wan2lan2 wizard and would now like to set up an OpenVPN server. I have a Synology NAS with a RADIUS server on it, which authenticates against the local Synology users.

I would like to use OpenVPN because I fear that an L2TP/IPsec VPN will be blocked at the remote connections I need for work. I think I have already spent about 40 hours on this, so some extra help/tricks would be appreciated.

Yesterday I finally managed to set up an OpenVPN server by using this guide:

https://help.ubnt.com/hc/en-us/articles/217569187-EdgeRouter-OpenVPN-Server-with-TLS-and-Multiple-WA...

But I was not able to connect, simply because I did not know how to create an .ovpn file. By the way, I have a lot of difficulty creating all those certificates. I also partly tried the guides below, but it all was still not very clear to me. I think that I 'need' to have a Root CA, which then creates a server key, which is signed by the Root CA, and then a client certificate. In the scripts this guy is using I think I would still need to sign those certificates, but then my OpenSSL is still pointed at the keys of the default DemoCA(?). I could not find where I could change these default locations. So I decided I will do this later in a virtual machine (which I think would be better anyway, because then I would have an offline root CA).

https://www.cron.dk/edgerouter-security-part5

https://www.cron.dk/easy-certificate-generation-for-openvpn

As for the Google Authenticator OTP, I noticed that the Synology supports this authentication method natively. So I figured that if I just add that on the Synology, I can have my OTP authentication there. However, I could imagine that it would be better if that authentication method came earlier, because the IPsec connection is already established at that point.

I was advised by a network admin to put my ISP's router in bridging mode. The ISP's router has a DMZ function as well. When all of this is ready I intend to place the Ubiquiti in the DMZ of the ISP's router, so I won't put the ISP router in bridging mode. ETH0 (which will be WAN) will then receive a 192.168.178.x IP (which I will make static, of course). But I wonder if this is safe enough. In particular I mean: does the router then still know which connections come from the internet (WAN) side? The reason I would like it this way is that the ISP router has WiFi and I would like him to keep using that and not need to buy a new wireless device. I was told that the WiFi, firewall and routing functionality are lost after putting the router in bridged mode. I also wonder whether the other clients that are then connected via the ISP router's WiFi (who will still receive 192.168.178.x addresses) are protected in some form, or whether I should consider that entire subnet a DMZ now.

I would very much appreciate your help. Please note, however, that for my job I am not a network administrator (and I am a non-native English speaker).

Again, I would appreciate help. I am doing this for a friend of mine, making no profit from it. Fun project, but soon I would like to have the time to, for instance, have a conversation with my wife again.

And I honestly believe this would be very helpful to other people as well, since Synology is a very common product owned by many people.

Yours sincerely,

Bram de Vries
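The certificate chain the post describes (an offline root CA, a CA-signed server certificate, a client certificate) and the question of how to build an .ovpn file, as an added example that is not part of the original post nor of the Ubiquiti or cron.dk guides. It uses only the openssl command line with explicit file paths, so it does not depend on OpenSSL's demoCA defaults and can be run on a separate offline machine, which is what the poster plans. All names are assumptions: the CA name, the client name, vpn.example.org, port 1194 and the cipher settings are placeholders. The EdgeOS server-side configuration (where the CA, server certificate and any RADIUS plugin would be set) is not shown because the post does not include it.

```shell
#!/bin/sh
# Added example (not from the original post): build a root CA, a server
# certificate and a client certificate with plain openssl commands, check
# that each certificate chains to the CA for its intended role, then write a
# client .ovpn profile with the CA, certificate and key inlined.
# Every path is explicit, so no "demoCA" directory or openssl.cnf edit is
# needed. Names below are assumptions, not values from the post.
set -eu

PKI="${PKI:-$(mktemp -d /tmp/pki.XXXXXX)}"    # output directory for keys/certs
SERVER_NAME="${SERVER_NAME:-vpn.example.org}"  # assumed public name of the router
CLIENT_NAME="${CLIENT_NAME:-laptop-bram}"      # assumed client identity (one per user/device)

# issue FILE CN EXTFILE: generate a key and CSR for CN, sign it with the CA
# using the extensions in EXTFILE. The extensions are what make a certificate
# a "server" or a "client" certificate; OpenVPN's remote-cert-tls checks them.
issue() {
    file=$1; cn=$2; ext=$3
    openssl genrsa -out "$PKI/$file.key" 2048 2>/dev/null
    openssl req -new -key "$PKI/$file.key" -subj "/CN=$cn" -out "$PKI/$file.csr"
    openssl x509 -req -in "$PKI/$file.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$ext" -out "$PKI/$file.crt" 2>/dev/null
}

make_pki() {
    mkdir -p "$PKI"

    # 1. Root CA: self-signed, marked CA:TRUE and limited to signing.
    #    ca.key stays on the offline machine; only ca.crt goes to the router
    #    and to the clients.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$PKI/ca.ext"
    openssl genrsa -out "$PKI/ca.key" 4096 2>/dev/null
    openssl req -new -key "$PKI/ca.key" -subj "/CN=Example Home Root CA" -out "$PKI/ca.csr"
    openssl x509 -req -in "$PKI/ca.csr" -signkey "$PKI/ca.key" -days 3650 -sha256 \
        -extfile "$PKI/ca.ext" -out "$PKI/ca.crt" 2>/dev/null

    # 2. Server certificate: serverAuth EKU plus the name clients connect to.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$SERVER_NAME" > "$PKI/server.ext"
    issue server "$SERVER_NAME" "$PKI/server.ext"

    # 3. Client certificate: clientAuth EKU only.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$PKI/client.ext"
    issue client "$CLIENT_NAME" "$PKI/client.ext"
}

# Verify each leaf against the CA *for its role*. A server certificate
# handed out as a client certificate (or the reverse) fails this check.
verify_chain() {
    openssl verify -CAfile "$PKI/ca.crt" -purpose sslserver "$PKI/server.crt" &&
    openssl verify -CAfile "$PKI/ca.crt" -purpose sslclient "$PKI/client.crt"
}

# Client profile with everything inlined: one file to hand to the user.
# auth-user-pass makes the client prompt for a username/password (the RADIUS
# credentials); it only matters once the server is set up to ask for them.
# cipher/auth must match whatever the server is configured with.
make_ovpn() {
    out=$1
    cat > "$out" <<EOF
client
dev tun
proto udp
remote $SERVER_NAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
$(openssl x509 -in "$PKI/ca.crt")
</ca>
<cert>
$(openssl x509 -in "$PKI/client.crt")
</cert>
<key>
$(cat "$PKI/client.key")
</key>
EOF
    chmod 600 "$out"
}

main() {
    make_pki
    verify_chain
    make_ovpn "$PKI/client.ovpn"
    echo "PKI written to $PKI; client profile: $PKI/client.ovpn"
}
main
```

The two `-purpose` checks are the useful part: `remote-cert-tls server` on the client refuses a server that presents a certificate without the serverAuth extended key usage, which is exactly what the server.ext file above adds. The client profile and the RADIUS/OTP check are independent factors: the certificate is verified during the TLS handshake, and the username/password from `auth-user-pass` is only checked if the OpenVPN server on the router is configured to ask for it. If the server also uses a `tls-auth` or `tls-crypt` key, that key has to be inlined in the profile as well.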

Re: Edgerouter Lite with OpenVPN & Radius & Google Authenticator & certificate based authentication

lol, I forgot to mention that yesterday I realized that I expect the most difficulties with the RADIUS in combination with OpenVPN. Does anybody have experience with that?