11-29-2017 11:30 PM
I have already spent many hours browsing this forum and have gotten much helpful information from it.
I bought a Ubiquiti Edgerouter Lite, which has firmware version 1.9.7.HF4 installed. I have gone through the wan2lan2 wizard, and would now like to set up an OpenVPN server. I have a Synology NAS with a Radius server on it, which authenticates with the local Synology users.
I would like to use the OpenVPN because I fear that L2TP/IPSEC-vpn will be blocked at the remote connections I need for work. I think I already have spent about 40 hours on this, so some extra help/tricks would be appreciated.
Yesterday I finally managed to setup an OpenVPN server by using this guide:
But I was not able to connect, simply due to not knowing how to create an .ovpn file. By the way, I have a lot of difficulty creating all those certificates. I also partly tried the guides below, but it all was still not very clear to me. I think that I 'need' to have a Root CA, which then creates a server key, which is signed by the Root CA, and then a client certificate. In the scripts this guy is using I think I would need to still sign those certificates, but then my OpenSSL is still pointed at keys of the default DemoCA's(?). I could not find where I could change these default locations. So I decided I will do this later in a virtual machine (which I think would be better anyway, because then I would have an offline root CA).
As for the Google Authenticator OTP, I noticed that the Synology supports this authentication method natively. So I figured that if I just add that on the Synology, I can just have my OTP authentication there. However, I could imagine that it would be better if that authentication method would happen earlier, because the IPsec connection is already established at that point.
I was advised by a network admin to put my ISP's router in bridging mode. The ISP's router has a DMZ functionality as well. When all of this is ready I intend to place the Ubiquiti in the DMZ of the ISP's router, so I won't put the ISP router in bridging mode. ETH0 (which will be WAN) will then receive a 192.168.178.x IP (which I will make static, of course). But I wonder if this is safe enough. In particular I mean: does the router then still know which connections are from the internet (WAN) world? The reason I would like it this way is because the ISP router has WiFi and I would like for him to keep using that and not need to buy a new wireless device. I was told that the WiFi, firewall and routing functionality are lost after putting the router in bridged mode. And I also wonder if the other clients that are then connected via the ISP router's WiFi (who will then still receive 192.168.178.x addresses) are protected in some form, or if I should consider that entire subnet as a DMZ now.
I would very much appreciate your help. Please note however that for my job I am not a network administrator (and not a native English speaker).
Again, I would appreciate help. I am doing this for a friend of mine, making no profit from it. Fun project, but soon I would like to have the time to, for instance, have a conversation with my wife again.
And I honestly believe this would be very helpful to other people as well, since Synology is a very common product owned by many people.
Bram de Vries
11-29-2017 11:53 PM