Briefly up front: the Ubiquiti EdgeRouter is a small hardware router whose base is Debian with Vyatta. I have several Ubiquiti EdgeRouter Lite 3-port routers in use.
In this post I go through the configuration of the EdgeRouter and assume familiarity with OpenVPN.
First we need a CA plus the keys for the server and the first client. For this we use the easy-rsa scripts that ship with OpenVPN. The first step is to edit the "vars" file so that all base values are correct. Then we create the Diffie-Hellman parameters and the Certificate Authority.
/schoenbloed# touch index.txt
/schoenbloed# echo 01 > serial
Creating the DH parameters
/schoenbloed# ../build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
..................+.................................................
Creating the CA
/schoenbloed # ../build-ca
Generating a 1024 bit RSA private key
...........++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AT]:
State or Province Name (full name) []:
Locality Name (eg, city) [Vienna]:
Organization Name (eg, company) [schoenbloed ]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [schoenbloed CA]:
Name []:
Email Address [ich.bin@schoen-bloed.at]:
Creating the server key
/schoenbloed # ../build-key-server gwschoenbloed
Generating a 2048 bit RSA private key
..............................+++
...............................................+++
writing new private key to 'gwschoenbloed.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AT]:
State or Province Name (full name) []:
Locality Name (eg, city) [Vienna]:
Organization Name (eg, company) [schoenbloed]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [gwschoenbloed]:
Name []:
Email Address [ich.bin@schoen-bloed.at]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from ../openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AT'
localityName :PRINTABLE:'Vienna'
organizationName :PRINTABLE:'schoenbloed'
commonName :PRINTABLE:'gwschoenbloed'
emailAddress :IA5STRING:'ich.bin@schoen-bloed.at'
Certificate is to be certified until Mar 6 15:59:19 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Creating the client key
/schoenbloed# ../build-key client
Generating a 2048 bit RSA private key
.................................................................+++
..............................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AT]:
State or Province Name (full name) []:
Locality Name (eg, city) [Vienna]:
Organization Name (eg, company) [schoenbloed]:Client
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client]:
Name []:
Email Address [ich.bin@schoen-bloed.at]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from ../openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AT'
localityName :PRINTABLE:'Vienna'
organizationName :PRINTABLE:'schoenbloed'
commonName :PRINTABLE:'client'
emailAddress :IA5STRING:'ich.bin@schoen-bloed.at'
Certificate is to be certified until Mar 6 16:29:01 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
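The `touch index.txt` and `echo 01 > serial` lines at the top initialise the CA database that `openssl ca` (which build-key-server and build-key call) appends to on every signing, as the "Write out database with 1 new entries" line above shows. The following Python script is an added example, not part of the original post and not part of easy-rsa: it parses that index.txt format and reports which issued certificates are valid, close to expiry, expired or revoked, which is the inventory a practitioner wants before handing out more client keys. The sample database content is constructed to mirror the two certificates signed above (serials 01 and 02 with the expiry dates printed); the third entry, a revoked client `client2`, is hypothetical and only exercises the revocation path.

```python
"""Inventory check for the CA database (index.txt) that the easy-rsa
build-* scripts maintain through 'openssl ca'.

Added example, not part of the original post. The first two entries mirror
the two certificates signed above; the third (client2) is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample. Columns are tab-separated:
# status, expiry, revocation date, serial, file name, subject DN
SAMPLE_INDEX = (
    "V\t250306155919Z\t\t01\tunknown\t"
    "/C=AT/L=Vienna/O=schoenbloed/CN=gwschoenbloed/emailAddress=ich.bin@schoen-bloed.at\n"
    "V\t250306162901Z\t\t02\tunknown\t"
    "/C=AT/L=Vienna/O=Client/CN=client/emailAddress=ich.bin@schoen-bloed.at\n"
    # hypothetical: a second client revoked on 2015-06-01 with reason keyCompromise
    "R\t250601120000Z\t150601100000Z,keyCompromise\t03\tunknown\t"
    "/C=AT/L=Vienna/O=Client/CN=client2/emailAddress=ich.bin@schoen-bloed.at\n"
)


@dataclass
class CaEntry:
    status: str                # V valid, R revoked, E expired (E only after 'openssl ca -updatedb')
    expires: datetime
    revoked: Optional[datetime]
    serial: str
    subject: str


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_asn1_time(value: str) -> datetime:
    """openssl writes UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text: str) -> List[CaEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expiry, revocation, serial, _filename, subject = fields
        # the revocation field may carry a reason after a comma
        revoked = parse_asn1_time(revocation.split(",")[0]) if revocation else None
        entries.append(CaEntry(status, parse_asn1_time(expiry), revoked, serial, subject))
    return entries


def common_name(subject: str) -> str:
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return ""


def classify(entries: List[CaEntry], now: datetime, warn_days: int = 30) -> Dict[str, str]:
    """Map each CN to valid / expiring / expired / revoked as of 'now'.

    Expiry is computed from the date instead of trusting the status column,
    because openssl only rewrites V -> E when 'openssl ca -updatedb' is run.
    """
    result = {}
    for e in entries:
        cn = common_name(e.subject)
        if e.status == "R" or e.revoked is not None:
            result[cn] = "revoked"
        elif e.expires <= now:
            result[cn] = "expired"
        elif e.expires - now <= timedelta(days=warn_days):
            result[cn] = "expiring"
        else:
            result[cn] = "valid"
    return result


if __name__ == "__main__":
    for cn, state in classify(parse_index(SAMPLE_INDEX), datetime.now(timezone.utc)).items():
        print(f"{cn:15} {state}")
```

Point it at the real `keys/index.txt` (read the file instead of `SAMPLE_INDEX`) and run it from cron or before each `build-key`; a revoked entry in this file is only enforced on the router once a CRL generated from it is installed, so the list of revoked CNs is the set you must cross-check against the router's CRL.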
Configuring the router
Since the Ubiquiti EdgeRouter does not yet have a web interface for configuring OpenVPN (as of firmware 1.6.0), we have to connect to the router over ssh. Once logged in, the first thing to do is transfer the DH parameters, the CA and the server key.
ssh 192.168.1.1 -l ubnt
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is 35:98:71:9d:ce:2b:e5:2a:2c:87:8a:59:5f:fe:22:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
Welcome to EdgeOS
By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.
ubnt@192.168.1.1's password:
Linux ubnt 3.10.20-UBNT #1 SMP Thu Oct 16 16:29:39 PDT 2014 mips64
Welcome to EdgeOS
Last login: Sun Jun 1 11:46:20 2014
ubnt@ubnt:~$ cd /config/auth
ubnt@ubnt:/config/auth$ mkdir schoenbloed
ubnt@ubnt:/config/auth$ cd schoenbloed
ubnt@ubnt:/config/auth/schoenbloed$ cat > dh1024.pem
-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----<ctrl+d>
ubnt@ubnt:/config/auth/schoenbloed$ cat > ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----<ctrl+d>
ubnt@ubnt:/config/auth/schoenbloed$ cat > gwschoenbloed.key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
ubnt@ubnt:/config/auth/schoenbloed$ cat > gwschoenbloed.crt
Certificate:
……
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
ubnt@ubnt:/config/auth/schoenbloed$ configure
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server client gwschoenbloed ip 192.168.61.10
set interfaces openvpn vtun0 server push-route /24
set interfaces openvpn vtun0 server subnet 192.168.61.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/schoenbloed/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/schoenbloed/gwschoenbloed.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/schoenbloed/dh1024.pem
set interfaces openvpn vtun0 tls key-file /config/auth/schoenbloed/gwschoenbloed.key
commit
That completes the router configuration. Now only the client needs to be configured.
Reduced to the essentials, that is just this configuration file plus the certificates ca.crt, client.key and client.crt:
client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
comp-lzo
verb 3
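The router-side `set` commands and the client file have to agree on protocol, port, cipher and compression, and a mismatch only shows up as a failed handshake. The following Python script is an added example (not from the post and not an EdgeOS or OpenVPN tool) that parses both sides and reports the disagreements, validates the networks the router hands out, and flags two points a reviewer would raise about this particular setup. Assumptions: EdgeOS maps `encryption aes256` to `cipher AES-256-CBC`, as the post's two configs pair them (the aes128/aes192 entries in the table are assumed by analogy), and EdgeOS matches a `server client <name>` entry against the connecting client's certificate CN. The inline inputs are constructed from the post, trimmed to the lines the check inspects; `vpn.example.com` is a placeholder hostname because the post's `remote` line names none, and the `push-route` value is kept as the post prints it.

```python
"""Consistency check between EdgeOS OpenVPN 'set' lines and a client .ovpn.
Added example, not part of the original post and not an EdgeOS/OpenVPN tool."""
import ipaddress
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: router 'set' lines from the post, trimmed to what the
# check inspects. The push-route value is kept exactly as the post prints it.
SERVER_SET_LINES = """\
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 local-port 1194
set interfaces openvpn vtun0 openvpn-option --comp-lzo
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server client gwschoenbloed ip 192.168.61.10
set interfaces openvpn vtun0 server push-route /24
set interfaces openvpn vtun0 server subnet 192.168.61.0/24
"""

# Constructed input: the client file from the post, trimmed likewise;
# vpn.example.com is a placeholder because the post's 'remote' names no host.
CLIENT_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
comp-lzo
"""

# EdgeOS 'encryption' keyword -> OpenVPN cipher. aes256/AES-256-CBC is the
# pairing shown in the post; aes128 and aes192 are assumed by analogy.
CIPHER_MAP = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}


def parse_edgeos(text: str, iface: str = "vtun0") -> Dict[Tuple[str, ...], List[str]]:
    """Turn 'set interfaces openvpn <iface> <path...> <value>' into path -> [values]."""
    settings: Dict[Tuple[str, ...], List[str]] = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) < 6 or tokens[:4] != ["set", "interfaces", "openvpn", iface]:
            continue
        *path, value = tokens[4:]
        settings.setdefault(tuple(path), []).append(value)
    return settings


def parse_ovpn(text: str) -> Dict[str, List[List[str]]]:
    """Turn each 'directive arg...' line into directive -> list of argument lists."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = shlex.split(line)
            directives.setdefault(name, []).append(args)
    return directives


def _last(settings, *path: str) -> Optional[str]:
    values = settings.get(path)
    return values[-1] if values else None


def _first_arg(directives, name: str) -> Optional[str]:
    args = directives.get(name)
    return args[0][0] if args and args[0] else None


def check(settings, directives, client_cns: Set[str]) -> List[str]:
    """Return sorted, de-duplicated findings; an empty list means both sides agree."""
    findings = []
    # transport: protocol and port must match on both sides
    proto, c_proto = _last(settings, "protocol"), _first_arg(directives, "proto")
    if proto != c_proto:
        findings.append(f"protocol mismatch: router {proto!r}, client {c_proto!r}")
    port = _last(settings, "local-port")
    for remote in directives.get("remote", []):
        if len(remote) < 2:
            findings.append(f"remote {' '.join(remote)!r} lacks a host or a port")
        elif remote[1] != port:
            findings.append(f"port mismatch: router {port}, client remote {remote[1]}")
    # cipher: router keyword translated through CIPHER_MAP
    want = CIPHER_MAP.get(_last(settings, "encryption") or "")
    have = _first_arg(directives, "cipher")
    if want != have:
        findings.append(f"cipher mismatch: router expects {want}, client uses {have}")
    # compression must be enabled on both sides or on neither
    server_opts = {o.lstrip("-") for o in settings.get(("openvpn-option",), [])}
    if ("comp-lzo" in server_opts) != ("comp-lzo" in directives):
        findings.append("comp-lzo is set on only one side")
    # every network the router hands out must parse as a CIDR network
    for path in (("server", "subnet"), ("server", "push-route")):
        for net in settings.get(path, []):
            try:
                ipaddress.ip_network(net, strict=True)
            except ValueError:
                findings.append(f"{'/'.join(path)} {net!r} is not a valid network")
    # static per-client entries are keyed by the client certificate CN (assumed)
    for path in settings:
        if len(path) > 2 and path[:2] == ("server", "client") and path[2] not in client_cns:
            findings.append(f"server client {path[2]!r} matches no issued client certificate CN")
    # without this, the client accepts any certificate signed by the CA as the server
    if "remote-cert-tls" not in directives:
        findings.append("client lacks 'remote-cert-tls server'")
    return sorted(set(findings))


if __name__ == "__main__":
    for finding in check(parse_edgeos(SERVER_SET_LINES), parse_ovpn(CLIENT_OVPN), {"client"}):
        print("finding:", finding)
```

Run against the post's own configuration with `client` as the only issued client CN, it reports three findings: the `push-route` value does not parse as a network, the static-IP entry is keyed on `gwschoenbloed` (the server certificate's CN) rather than on an issued client CN, and the client file has no `remote-cert-tls server`, so it would accept any certificate signed by this CA, including another client's, as the server. Protocol, port, cipher and compression agree, which is the part a failed handshake would otherwise leave you guessing at.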