New Member
Posts: 28
Registered: ‎06-17-2013
Kudos: 14
Solutions: 2
Accepted Solution

How to configure OpenVPN ?

I'm considering using OpenVPN, but I can't find any relevant information about the configuration. I've searched the web for a complete how-to without any luck. On the forum, there's only scattered information.

Do you have any documentation related to the configuration of OpenVPN?



All Replies
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: How to configure OpenVPN ?

The Wiki page (for site-to-site) might have some useful information. As you said, there's been quite a bit of forum discussion on OpenVPN. If you can't find anything helpful, post the specific requirements and what you've tried so that people can take a look.

New Member
Posts: 28
Registered: ‎06-17-2013
Kudos: 14
Solutions: 2

Re: How to configure OpenVPN ?

After trial and error, I managed to get the OpenVPN server working. This post was very helpful for setting up username/password authentication instead of certificate authentication.


Generate Certs

sudo bash
cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
. vars
./clean-all
./build-ca

Give it a sensible common-name, something like: “OpenVPN CA”

./build-key-server server

Set the common name to “server”
Answer yes to signing the certificate and committing it.

./build-dh

Copy the generated files

mkdir /config/auth/keys/
cp keys/* /config/auth/keys/

Configure OpenVPN


Create a new group to run the openvpn service

sudo addgroup nobody


Set the OpenVPN configuration:

configure
# Sets OpenVPN configuration
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 192.168.16.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/keys/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/keys/server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/keys/server.key
# dh1024.pem is the file ./build-dh writes with easy-rsa 2.0's default KEY_SIZE=1024 in vars
set interfaces openvpn vtun0 tls dh-file /config/auth/keys/dh1024.pem
set interfaces openvpn vtun0 encryption aes128
set interfaces openvpn vtun0 openvpn-option "--keepalive 8 30"
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
# lets the same username (the common name below) hold more than one session at a time
set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
set interfaces openvpn vtun0 openvpn-option "--user nobody --group nobody"
# PAM service "login": VPN credentials are the router's own user accounts
set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
# --client-cert-not-required was removed in OpenVPN 2.5, which uses --verify-client-cert none instead
set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"
set interfaces openvpn vtun0 openvpn-option "--verb 1"
set interfaces openvpn vtun0 openvpn-option "--client-to-client"
commit
save

You may also want to push a route to the client to allow access to the network.

set interfaces openvpn vtun0 openvpn-option "--push route 192.168.14.0 255.255.255.0"

Create firewall rule

Create a new firewall rule in WAN_LOCAL

rule 7 {
    action accept
    description "allow openvpn 1194"
    destination {
        port 1194
    }
    log enable
    protocol tcp_udp
}


ref.: http://wiki.ubnt.com/OpenVPN_Site-to-Site_-_CLI_Commands
ref.: http://community.ubnt.com/t5/EdgeMAX/OpenVPN-server-config-help/m-p/446385/highlight/true#M7558
ref.: http://blog.sumostyle.net/2010/02/ovpn-server/
ref.: http://community.ubnt.com/t5/EdgeMAX/OpenVPN-server-with-PAM-and-OpenVPN-IOS-Client-configuration/m-...
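A review pass over the server options in the post above, as an added example from the editor rather than anything posted in the thread: it prints the settings a security reviewer would flag and then checks a hardened option set against the same rules. It assumes OpenVPN 2.4 or newer on the router (for --verify-client-cert none), a dh2048.pem built by setting KEY_SIZE=2048 in easy-rsa's vars before running ./build-dh, a ta.key generated with "openvpn --genkey --secret ta.key", and a dedicated PAM service called openvpn; those file paths and that service name are assumptions, not something the router ships with.

```shell
#!/bin/sh
# Added example (editor's, not from the post above): flag the weak settings in the
# posted OpenVPN server options and show a hardened option set that passes the check.
# Assumed: OpenVPN >= 2.4 on the router, /config/auth/keys/dh2048.pem and ta.key
# generated beforehand, and an /etc/pam.d/openvpn service file (hypothetical name).

# Constructed copy of the option lines from the post (not read from a router).
POSTED_OPTIONS='tls dh-file /config/auth/keys/dh1024.pem
encryption aes128
openvpn-option "--keepalive 8 30"
openvpn-option "--comp-lzo"
openvpn-option "--duplicate-cn"
openvpn-option "--user nobody --group nobody"
openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
openvpn-option "--client-cert-not-required --username-as-common-name"
openvpn-option "--verb 1"
openvpn-option "--client-to-client"'

# The same server with every flagged setting replaced. Each line is pasted after
# "set interfaces openvpn vtun0 " in configure mode, exactly as in the post.
HARDENED_OPTIONS='tls dh-file /config/auth/keys/dh2048.pem
encryption aes256
openvpn-option "--keepalive 8 30"
openvpn-option "--duplicate-cn"
openvpn-option "--user nobody --group nobody"
openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn"
openvpn-option "--verify-client-cert none --username-as-common-name"
openvpn-option "--tls-auth /config/auth/keys/ta.key 0"
openvpn-option "--tls-version-min 1.2"
openvpn-option "--auth SHA256"
openvpn-option "--verb 3"'

# review_openvpn_options: reads option lines on stdin and prints one finding per
# weak line; prints nothing for a clean set.
review_openvpn_options() {
  while IFS= read -r line; do
    case "$line" in
      *dh1024*)
        echo "dh: 1024-bit DH parameters are below current minimums; generate 2048-bit ones" ;;
      *--comp-lzo*)
        echo "comp-lzo: compressing tunnelled traffic enables compression-oracle attacks (VORACLE); disable it" ;;
      *--client-cert-not-required*)
        echo "client-cert-not-required: removed in OpenVPN 2.5; use --verify-client-cert none" ;;
      *"openvpn-auth-pam.so login"*)
        echo "plugin login: the login PAM stack lets every router admin account open a VPN session; use a dedicated PAM service" ;;
      *"--verb 1"*)
        echo "verb 1: too little detail to diagnose failed client connections; use --verb 3" ;;
      *--client-to-client*)
        echo "client-to-client: VPN clients reach each other without passing the router firewall; drop unless needed" ;;
    esac
  done
}

# finding_count OPTIONS: number of findings for an option set (0 = clean).
finding_count() {
  printf '%s\n' "$1" | review_openvpn_options | wc -l | tr -d ' '
}

printf 'posted options:\n'
printf '%s\n' "$POSTED_OPTIONS" | review_openvpn_options
printf 'hardened options: %s finding(s)\n' "$(finding_count "$HARDENED_OPTIONS")"
```

With the hardened set, clients must carry the matching side of each change: tls-auth ta.key 1, auth SHA256 and cipher AES-256-CBC in their profiles, and the PAM service file has to exist on the router before the plugin will authenticate anyone.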

New Member
Posts: 5
Registered: ‎08-07-2013

Re: How to configure OpenVPN ?

Could you please post an example of a client-side config file for this setup?

Thanks.

New Member
Posts: 33
Registered: ‎07-18-2008
Kudos: 3

Re: How to configure OpenVPN ?

Are these settings enough for an entire OpenVPN client-to-server connection?


New Member
Posts: 28
Registered: ‎06-17-2013
Kudos: 14
Solutions: 2

Re: How to configure OpenVPN ?

I don't have the client config file since I'm using network-manager (on Debian). It's a GUI for configuring network-related things like VPNs. I may take a screenshot of the GUI, but it's really straightforward. Enter the gateway/hostname, username, password. Keep the default config and it's ok.

New Member
Posts: 31
Registered: ‎09-12-2013
Solutions: 1

Re: How to configure OpenVPN ?

I'm trying to implement both a site-to-site and a remote-access tunnel, but am having problems. I was able to get the site-to-site tunnel working using the wiki. I've followed the above instructions for creating a username/password remote-access tunnel, but I'm unable to access it from my client. Both tunnels appear to be up:

ubnt@ubnt:~$ show interfaces openvpn
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface    IP Address                        S/L  Description
---------    ----------                        ---  -----------
vtun0        172.1.100.1                       u/u
vtun1        10.0.1.1/24                       u/u

I may be missing something fundamental, as I understand that using the PAM authorization I should be able to enter my EdgeMAX router username/password (i.e. ubnt/ubnt), though I may not be understanding this properly. When I try to connect using the Windows client from the OpenVPN site, I just get an error stating "Not an Access Server". I guess I'm wondering if what I'm attempting is possible, and if so what I may be missing.

Below are my openvpn interfaces:

ubnt@ubnt# show interfaces openvpn
 openvpn vtun0 {
     local-address 172.1.100.1 {
     }
     local-address 172.1.100.2 {
     }
     local-port 1194
     mode site-to-site
     remote-address 172.1.100.2
     shared-secret-key-file /config/auth/secret
 }
 openvpn vtun1 {
     encryption aes128
     local-port 1195
     mode server
     openvpn-option "--keepalive 8 30"
     openvpn-option --comp-lzo
     openvpn-option --duplicate-cn
     openvpn-option "--user nobody --group nobody"
     openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
     openvpn-option "--client-cert-not-required --username-as-common-name"
     openvpn-option "--verb 1"
     openvpn-option --client-to-client
     openvpn-option "--push route 10.0.1.0 255.255.255.0"
     server {
         subnet 10.0.1.0/24
     }
     tls {
         ca-cert-file /config/auth/keys/ca.crt
         cert-file /config/auth/keys/server.crt
         dh-file /config/auth/keys/dh1024.pem
         key-file /config/auth/keys/server.key
     }
 }


Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5480
Solutions: 1656
Contributions: 2

Re: How to configure OpenVPN ?

You can check the log file (/var/log/messages) to see if there's any output while the client is connecting that may indicate problems. Also you might want to change the "--verb 1" to "--verb 4", for example, to see more output.
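As an added illustration of the log check suggested above (the editor's example, not anything from the thread): these functions summarise failed username/password logins in an OpenVPN syslog excerpt by peer address and by attempted username, and list the logins that completed. The log lines are constructed to match the wording OpenVPN 2.x and the openvpn-auth-pam plugin write to /var/log/messages; the addresses, usernames and timestamps are made up.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): summarise OpenVPN login failures
# from /var/log/messages. Against the real file, pass its contents as the argument:
#   auth_failures_by_peer "$(cat /var/log/messages)"

# Constructed excerpt in the format OpenVPN 2.x and openvpn-auth-pam use;
# hosts, users and times are made up.
LOG=$(cat <<'EOF'
Jan 10 12:00:01 ubnt openvpn[1234]: 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=0a1b2c3d 4e5f6071
Jan 10 12:00:02 ubnt openvpn[1234]: 203.0.113.5:51234 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:00:02 ubnt openvpn[1234]: AUTH-PAM: BACKGROUND: user 'ubnt' failed to authenticate: Authentication failure
Jan 10 12:00:05 ubnt openvpn[1234]: 203.0.113.5:51235 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:00:05 ubnt openvpn[1234]: AUTH-PAM: BACKGROUND: user 'ubnt' failed to authenticate: Authentication failure
Jan 10 12:00:09 ubnt openvpn[1234]: 203.0.113.5:51236 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:00:09 ubnt openvpn[1234]: AUTH-PAM: BACKGROUND: user 'admin' failed to authenticate: Authentication failure
Jan 10 12:04:50 ubnt openvpn[1234]: 198.51.100.7:40000 TLS Auth Error: Auth Username/Password verification failed for peer
Jan 10 12:04:50 ubnt openvpn[1234]: AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
Jan 10 12:05:00 ubnt openvpn[1234]: 198.51.100.7:40001 TLS: Username/Password authentication succeeded for username 'alice'
Jan 10 12:05:00 ubnt openvpn[1234]: 198.51.100.7:40001 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
EOF
)

# auth_failures_by_peer LOG: prints "address count" per peer, most failures first.
auth_failures_by_peer() {
  printf '%s\n' "$1" | awk '
    /TLS Auth Error: Auth Username\/Password verification failed/ {
      # the token after "openvpn[pid]:" is the peer as address:port
      for (i = 1; i <= NF; i++)
        if ($i ~ /^openvpn\[[0-9]+\]:$/) { split($(i + 1), peer, ":"); n[peer[1]]++ }
    }
    END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr
}

# failed_users LOG: prints "username count" from the PAM plugin failure lines,
# which is where a guessing attempt against the router accounts shows up.
failed_users() {
  printf '%s\n' "$1" | awk -F"'" '
    /AUTH-PAM: BACKGROUND: user / && /failed to authenticate/ { n[$2]++ }
    END { for (u in n) print u, n[u] }' | sort -k2,2nr
}

# successful_logins LOG: prints "username address" for every completed login.
successful_logins() {
  printf '%s\n' "$1" |
    sed -n 's/.* \[\([^]]*\)\] Peer Connection Initiated with \[AF_INET\]\([0-9.]*\):.*/\1 \2/p'
}

printf 'failures by peer:\n';     auth_failures_by_peer "$LOG"
printf 'failures by username:\n'; failed_users "$LOG"
printf 'successful logins:\n';    successful_logins "$LOG"
```

Repeated failures from one address against several router usernames, as in the constructed excerpt, are the pattern to watch for on a server that authenticates with the router's own accounts; a cron job that runs these functions over the previous hour of the log is enough to notice it.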

New Member
Posts: 31
Registered: ‎09-12-2013
Solutions: 1

Re: How to configure OpenVPN ?

Another dumb mistake on my part. The issue I was having is I assigned the tunnel to port 1195, but I didn't include this in my config on the client.
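An added example from the editor, not a file from the thread, that covers both the client profile asked for earlier and the port mismatch that caused the problem above: it reads the server's settings out of a show interfaces openvpn dump (a constructed copy of the vtun1 block posted above), writes a client profile whose remote port, cipher and compression match, and includes a check that fails when the profile still says 1194. The hostname vpn.example.net, the ca.crt filename next to the profile, and UDP as the transport are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): derive the client-side settings
# from an EdgeOS "show interfaces openvpn" dump so that the client's remote port,
# cipher and compression match what the server actually runs.
# Assumed: server reachable as vpn.example.net over UDP (the OpenVPN default), and
# the CA certificate copied from /config/auth/keys/ca.crt to ca.crt beside the profile.

# Constructed copy of the vtun1 block posted above (not read from a router).
SERVER_DUMP=' openvpn vtun1 {
     encryption aes128
     local-port 1195
     mode server
     openvpn-option "--keepalive 8 30"
     openvpn-option --comp-lzo
     openvpn-option --duplicate-cn
     openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
     openvpn-option "--client-cert-not-required --username-as-common-name"
     server {
         subnet 10.0.1.0/24
     }
 }'

# server_port DUMP: the configured local-port, or OpenVPN's default 1194 if unset.
server_port() {
  port=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*local-port[[:space:]]*\([0-9]*\).*/\1/p')
  printf '%s\n' "${port:-1194}"
}

# server_cipher DUMP: map the EdgeOS "encryption" keyword to the OpenVPN cipher name.
server_cipher() {
  enc=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*encryption[[:space:]]*\([a-z0-9]*\).*/\1/p')
  case "$enc" in
    aes128) echo AES-128-CBC ;;
    aes192) echo AES-192-CBC ;;
    aes256) echo AES-256-CBC ;;
    "")     echo BF-CBC ;;   # OpenVPN 2.3's default when no cipher is configured
    *)      echo "unhandled encryption keyword: $enc" >&2; return 1 ;;
  esac
}

# client_profile DUMP HOST: emit an .ovpn for the community OpenVPN client,
# with username/password auth and no client certificate, matching the server.
client_profile() {
  port=$(server_port "$1")
  cipher=$(server_cipher "$1") || return 1
  comp=""
  case "$1" in *--comp-lzo*) comp="comp-lzo" ;; esac
  cat <<EOF
client
dev tun
proto udp
remote $2 $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
remote-cert-tls server
auth-user-pass
cipher $cipher
EOF
  if [ -n "$comp" ]; then echo "$comp"; fi
  echo "verb 3"
}

# ports_match DUMP PROFILE: the check the poster above was missing; succeeds only
# when the profile's "remote" port equals the server's local-port.
ports_match() {
  want=$(server_port "$1")
  have=$(printf '%s\n' "$2" | awk '$1 == "remote" { print $3; exit }')
  [ -n "$have" ] && [ "$have" = "$want" ]
}

client_profile "$SERVER_DUMP" vpn.example.net
```

The remote-cert-tls server line makes the client refuse any peer certificate that was not issued as a server certificate, which easy-rsa's build-key-server marks; ca.crt is the only file that has to leave the router for this setup, because the server does not ask the client for a certificate.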

New Member
Posts: 17
Registered: ‎06-20-2014

Re: How to configure OpenVPN ?

Would this work if my EdgeRouter is BEHIND NAT?