OpenVPN Server on Ubiquiti EdgeMax

We had been using PPTP and L2TP for VPN services on our corporate router to allow remote users to access our network. This works quite well on Mac OS X, but is a bit annoying on Windows and Linux workstations. What to do? OpenVPN. It is built in to the EdgeMax; it just needs to be configured.

I used these two guides to give me a majority of the information I needed: "ForShee OpenVPN on EdgeMax" and "EdgeMAX – OpenVPN Server with TLS".

Here are my deployment steps:

Create a CA
ssh admin@router
sudo -i
cd /usr/lib/ssl/misc
CA.sh -newca

Fill out the requested information including the signing passphrase.  You will need this passphrase to sign certificates later on.  It will create cakey.pem and cacert.pem files for the CA.

Edit /usr/lib/ssl/openssl.cnf and locate default_days. The default is 365; I upped this to 1095 to match the CA because I don’t want to deal with renewing keys next year.

Create a Server Cert for the VPN server
sudo -i
cd /usr/lib/ssl/misc
CA.sh -newreq
CA.sh -sign

The request will ask a bunch of questions including subject data, hostname, and for a certificate passphrase. You will end up with a request file in the ssl/misc directory named newreq.pem.

The sign command will ask for the CA passphrase and will confirm that you want to sign this key. Because of the edit you made to the config file, the key should expire in about 3 years.

Create a Diffie-Hellman file
openssl dhparam -out /config/auth/dhp.pem -2 2048

Note: this will take some time. It also puts it directly into the config directory so we don’t have to move it later.

Copy the certs to the needed locations
cp demoCA/cacert.pem /config/auth/openvpn.cacert.pem
cp demoCA/private/cakey.pem /config/auth/openvpn.cakey.pem
mv newcert.pem /config/auth/vpn.host.pem
mv newkey.pem /config/auth/vpn.host.key

Update the Server Key

You need to remove the passphrase from the server key so the OpenVPN service can start non-interactively:

openssl rsa -in /config/auth/vpn.host.key -out /config/auth/vpn.host-rmpass.key
mv /config/auth/vpn.host-rmpass.key /config/auth/vpn.host.key

Configure the Router
configure
edit interfaces openvpn vtun0
set description OpenVPN
set hash sha256
set mode server
set openvpn-option "--port 1194"
set openvpn-option --tls-server
set openvpn-option "--comp-lzo yes"
set openvpn-option --persist-key
set openvpn-option --persist-tun
set openvpn-option "--keepalive 10 120"
set server name-server 10.1.1.10
set server push-route 10.1.1.0/24
set server subnet 10.2.1.0/24
set tls ca-cert-file /config/auth/openvpn.cacert.pem
set tls cert-file /config/auth/vpn.host.pem
set tls dh-file /config/auth/dhp.pem
set tls key-file /config/auth/vpn.host.key
commit
exit

Configure the Firewall

Only one additional firewall rule is needed:

configure
edit firewall name WAN_LOCAL rule <#>
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp
commit
exit

Create a Client Key

You can use the built in CA.sh script to create client keys, or you can run the openssl command yourself. Since I am not a big fan of re-entering the same data multiple times, I have opted to use the openssl command so it can be automated. The process of creating a client certificate and key is basically the same as the server key. First you need to create a request, then you need to sign the request.

sudo -i
cd /usr/lib/ssl/misc
# Create the key and the signing request. Note: openssl req ignores -days
# unless -x509 is given; the certificate lifetime is set by default_days
# when the CA signs the request below.
openssl req -new \
    -days 1095 \
    -subj "/C=US/ST=MyState/L=MyCity/O=MyCompanyName/CN=Full Username" \
    -keyout full.username.key \
    -out full.username.cert

# Sign the request with the CA
openssl ca -policy policy_anything -out full.username.pem -infiles full.username.cert

During the request you will have to provide a certificate passphrase. This passphrase is what the end user will type in when they connect to the VPN. We are not going to be removing that passphrase. During the signing part, you will have to provide the CA signing passphrase. Otherwise, you should not have to provide any additional information.

Create an OpenVPN content bundle

When a client installs the OpenVPN client and starts configuration they will need some files including the ovpn config file and the needed keys and certs. Here is my example ovpn client configuration file (note there are customizations required here for each company and each client):

client
dev tun
proto udp
persist-tun
persist-key
auth SHA256
tls-client
resolv-retry infinite
remote vpn.mycompany.example.com 1194
ca openvpn.cacert.pem
cert full.username.pem
key full.username.key
comp-lzo
verb 3

My distribution model is to create a directory with the ovpn configuration file, the cacert, and the two user specific files. I then create a zip file of the directory and its contents.

Save and Backup

You can make sure openvpn is running by checking the process list (ps -ef | grep openvpn). Then test to make sure a client can connect and can access your internal services. Your VPN is ready to go. Be sure to commit and save your changes so they survive a reboot:

configure
commit
save
exit

Also, now that the setup is not just /config/config.boot (which you are backing up, right?), you need to make sure to save your certs and keys. I recommend getting the files in /config/auth and in /usr/lib/ssl/misc/demoCA. Archive them off the router and put them someplace that gets backed up.

Revoke a Client

What happens when a client is no longer valid? You need to revoke their cert. These steps are a bit incomplete and I am trying to get them as accurate as possible. The revocation is fairly easy: locate the correct certificate ID and issue the revoke command.

sudo -i
cd /usr/lib/ssl/misc
# Locate the certificate you want to revoke; it will have an ID that looks something like A24C7101DACBCF83
less demoCA/index.txt
# Replace [certificate id] with that ID
openssl ca -revoke /usr/lib/ssl/misc/demoCA/newcerts/[certificate id].pem

Even though this particular cert is technically revoked, OpenVPN will not understand or respect that. Getting OpenVPN to understand and respect the revocation list is the missing piece.
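
One way to close that gap, as an added example rather than part of the original post: look up a user's still-valid serials in index.txt, revoke them, and write a CRL that OpenVPN checks through its crl-verify option. The crl.pem path and the function and variable names are assumptions; the other paths follow the steps above.

```shell
#!/bin/sh
# Added example, not from the original post. CA_ROOT and the demoCA layout
# follow the page; CRL_OUT (crl.pem) is an assumed name and location.
CA_ROOT=${CA_ROOT:-/usr/lib/ssl/misc}
CRL_OUT=${CRL_OUT:-/config/auth/crl.pem}

# Print the serial of every still-valid (status V) entry in an index.txt
# file ($1) whose subject has exactly CN=$2.
# index.txt is tab-separated: status (V/R/E), expiry date, revocation date,
# serial, file name, subject DN (/C=.../O=.../CN=...).
# Caveat: a "/" inside a subject field value would confuse the split.
valid_serials_for_cn() {
    awk -F '\t' -v cn="$2" '$1 == "V" {
        n = split($6, rdn, "/")
        for (i = 1; i <= n; i++)
            if (rdn[i] == ("CN=" cn)) print $4
    }' "$1"
}

# Revoke every valid certificate issued to CN=$1, then regenerate the CRL.
# Runs in a subshell so the caller's working directory is untouched.
# openssl prompts for the CA passphrase at each step.
revoke_cn_and_publish_crl() (
    cd "$CA_ROOT" || exit 1              # openssl.cnf refers to ./demoCA
    for serial in $(valid_serials_for_cn demoCA/index.txt "$1"); do
        openssl ca -revoke "demoCA/newcerts/$serial.pem" || exit 1
    done
    openssl ca -gencrl -out "$CRL_OUT"
)

# Usage on the router, as root:
#   revoke_cn_and_publish_crl "Full Username"
#
# Then tell OpenVPN to check the CRL, using the same openvpn-option
# mechanism as the server configuration above (EdgeOS configure mode):
#   set interfaces openvpn vtun0 openvpn-option "--crl-verify /config/auth/crl.pem"
#   commit
#   save
```

The CRL itself expires after default_crl_days in openssl.cnf, so regenerate it on a schedule as well as after each revocation, and include it in the backup of /config/auth.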