{"id":425,"date":"2015-03-09T18:44:14","date_gmt":"2015-03-09T17:44:14","guid":{"rendered":"http:\/\/www.schoen-bloed.at\/blog\/?p=425"},"modified":"2018-05-06T09:14:29","modified_gmt":"2018-05-06T08:14:29","slug":"wie-richte-ich-openvpn-auf-einem-ubiquiti-edgerouter-ein","status":"publish","type":"post","link":"https:\/\/www.schoen-bloed.at\/blog\/2015\/03\/wie-richte-ich-openvpn-auf-einem-ubiquiti-edgerouter-ein\/","title":{"rendered":"Wie richte ich OpenVPN auf einem UBIQUITI EdgeRouter ein?"},"content":{"rendered":"

Kurz vorne weg, der UBIQUITI<\/a> EdgeRouter ist ein kleiner Hardware Router der als Basis Debian<\/a> mit Vyatta<\/a> verwendet. Ich hab\u00a0mehrere\u00a0UbiQuiti EdgeRouter Lite, 3-port Router<\/a> im Einsatz.<\/p>\n

In diesem Beitrag gehe ich auf die Konfiguration des EdgeRouters ein und setze OpenVPN Kenntnisse voraus.<\/p>\n

<\/p>\n

Als erstes ben\u00f6tigen wir eine CA sowie die Keys f\u00fcr den Server und den ersten Client. Wir benutzen daf\u00fcr die von OpenVPN mitgebrachten easyca Scripte. Als erstes wird die „vars“ Datei bearbeitet damit alle Basiswerte stimmen. Erstellen wir den Diffie Hellman key und die Certificate Authority.<\/p>\n

\/schoenbloed# touch index.txt
\n\/schoenbloed# echo 01 > serial<\/code><\/p>\n

Erstellen des DH Keys<\/p>\n

\/schoenbloed# ..\/build-dh
\nGenerating DH parameters, 1024 bit long safe prime, generator 2
\nThis is going to take a long time
\n..................+.................................................<\/code><\/p>\n

Erstellen der CA<\/p>\n

\/schoenbloed # ..\/build-ca
\nGenerating a 1024 bit RSA private key
\n...........++++++
\n...........++++++
\nwriting new private key to 'ca.key'
\n-----
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter '.', the field will be left blank.
\n-----
\nCountry Name (2 letter code) [AT]:
\nState or Province Name (full name) []:
\nLocality Name (eg, city) [Vienna]:
\nOrganization Name (eg, company) [schoenbloed ]:
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, your name or your server's hostname) [schoenbloed\u00a0 CA]:
\nName []:
\nEmail Address [ich.bin@schoen-bloed.at]:<\/code><\/p>\n

Erstellen des Server Keys<\/p>\n

\/schoenbloed # ..\/build-key-server gwschoenbloed
\nGenerating a 2048 bit RSA private key
\n..............................+++
\n...............................................+++
\nwriting new private key to 'gwschoenbloed.key'
\n-----
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter '.', the field will be left blank.
\n-----
\nCountry Name (2 letter code) [AT]:
\nState or Province Name (full name) []:
\nLocality Name (eg, city) [Vienna]:
\nOrganization Name (eg, company) [schoenbloed]:
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, your name or your server's hostname) [gwschoenbloed]:
\nName []:
\nEmail Address [ich.bin@schoen-bloed.at]:
\nPlease enter the following 'extra' attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:
\nUsing configuration from ..\/openssl-1.0.0.cnf
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject's Distinguished Name is as follows
\ncountryName :PRINTABLE:'AT'
\nlocalityName :PRINTABLE:'Vienna'
\norganizationName :PRINTABLE:'schoenbloed'
\ncommonName :PRINTABLE:'gwschoenbloed'
\nemailAddress :IA5STRING:'ich.bin@schoen-bloed.at'
\nCertificate is to be certified until Mar 6 15:59:19 2025 GMT (3650 days)
\nSign the certificate? [y\/n]:y
\n1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated<\/code><\/p>\n

Erstellen des Client Keys<\/p>\n

\/schoenbloed# ..\/build-key client
\nGenerating a 2048 bit RSA private key
\n.................................................................+++
\n..............................+++
\nwriting new private key to 'client.key'
\n-----
\nYou are about to be asked to enter information that will be incorporated
\ninto your certificate request.
\nWhat you are about to enter is what is called a Distinguished Name or a DN.
\nThere are quite a few fields but you can leave some blank
\nFor some fields there will be a default value,
\nIf you enter '.', the field will be left blank.
\n-----
\nCountry Name (2 letter code) [AT]:
\nState or Province Name (full name) []:
\nLocality Name (eg, city) [Vienna]:
\nOrganization Name (eg, company) [schoenbloed]:Client
\nOrganizational Unit Name (eg, section) []:
\nCommon Name (eg, your name or your server's hostname) [client]:
\nName []:
\nEmail Address [ich.bin@schoen-bloed.at]:<\/code><\/p>\n

Please enter the following ‚extra‘ attributes
\nto be sent with your certificate request
\nA challenge password []:
\nAn optional company name []:
\nUsing configuration from ..\/openssl-1.0.0.cnf
\nCheck that the request matches the signature
\nSignature ok
\nThe Subject’s Distinguished Name is as follows
\ncountryName :PRINTABLE:’AT‘
\nlocalityName :PRINTABLE:’Vienna‘
\norganizationName :PRINTABLE:’schoenbloed‘
\ncommonName :PRINTABLE:’client‘
\nemailAddress :IA5STRING:’ich.bin@schoen-bloed.at‘
\nCertificate is to be certified until Mar 6 16:29:01 2025 GMT (3650 days)
\nSign the certificate? [y\/n]:y<\/p>\n

1 out of 1 certificate requests certified, commit? [y\/n]y
\nWrite out database with 1 new entries
\nData Base Updated<\/p>\n

Zur Konfiguration des Routers<\/h1>\n

Da der UBIQUITI EdgeRouters noch kein Webinterface zur Konfiguration von OpenVPN hat (Stand FW 1.6.0), m\u00fcssen wir uns \u00fcber ssh mit dem Router verbinden. Eingeloggt m\u00fcssen wir zu erst den DH, die CA sowie den Server Key \u00fcbertragen.<\/p>\n

ssh 192.168.1.1 -l ubnt
\nThe authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
\nRSA key fingerprint is 35:98:71:9d:ce:2b:e5:2a:2c:87:8a:59:5f:fe:22:64.
\nAre you sure you want to continue connecting (yes\/no)? yes
\nWarning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
\nWelcome to EdgeOS
\nBy logging in, accessing, or using the Ubiquiti product, you
\nacknowledge that you have read and understood the Ubiquiti
\nLicense Agreement (available in the Web UI at, by default,
\nhttp:\/\/192.168.1.1) and agree to be bound by its terms.<\/code><\/p>\n

ubnt@192.168.1.1’s password:
\nLinux ubnt 3.10.20-UBNT #1 SMP Thu Oct 16 16:29:39 PDT 2014 mips64
\nWelcome to EdgeOS
\nLast login: Sun Jun 1 11:46:20 2014
\nubnt@ubnt:~$ cd \/config\/auth
\nubnt@ubnt:\/config\/auth$ mkdir schoenbloed
\nubnt@ubnt:\/config\/auth$ cd schoenbloed
\nubnt@ubnt:\/config\/auth\/schoenbloed$ cat > dh1024.pem
\n—–BEGIN DH PARAMETERS—–
\n……
\n—–END DH PARAMETERS—–<strg+d>
\nubnt@ubnt:\/config\/auth\/schoenbloed$ cat > ca.crt
\n—–BEGIN CERTIFICATE—–
\n……
\n—–END CERTIFICATE—–<strg+d>
\nubnt@ubnt:\/config\/auth\/schoenbloed$ cat > gwschoenbloed.key
\n—–BEGIN PRIVATE KEY—–
\n……
\n—–END PRIVATE KEY—–
\nubnt@ubnt:\/config\/auth\/schoenbloed$ cat > gwschoenbloed.crt
\nCertificate:
\n……
\n—–BEGIN CERTIFICATE—–
\n……
\n—–END CERTIFICATE—–
\nubnt@ubnt:\/config\/auth\/schoenbloed$ configure
\nset interfaces openvpn vtun0 encryption aes256
\nset interfaces openvpn vtun0 local-port 1194
\nset interfaces openvpn vtun0 mode server
\nset interfaces openvpn vtun0 openvpn-option –comp-lzo
\nset interfaces openvpn vtun0 protocol udp
\nset interfaces openvpn vtun0 server client gwschoenbloed ip 192.168.61.10
\nset interfaces openvpn vtun0 server push-route \/24
\nset interfaces openvpn vtun0 server subnet 192.168.61.0\/24
\nset interfaces openvpn vtun0 tls ca-cert-file \/config\/auth\/schoenbloed\/ca.crt
\nset interfaces openvpn vtun0 tls cert-file \/config\/auth\/schoenbloed\/gwschoenbloed.crt
\nset interfaces openvpn vtun0 tls dh-file \/config\/auth\/schoenbloed\/dh1024.pem
\nset interfaces openvpn vtun0 tls key-file \/config\/auth\/schoenbloed\/gwschoenbloed.key
\ncommit<\/p>\n

Damit ist die Konfiguration des Routers abgeschlossen. Jetzt ist nur noch die Konfiguration des Clients notwendig<\/p>\n

Diese ist reduziert gesehen nur diese Konfigurationsdatei und die Zertifikate, ca.crt, client.key, client.crt<\/p>\n

client
\ndev tun
\nproto udp
\nremote 1194
\nresolv-retry infinite
\nnobind
\nuser nobody
\ngroup nogroup
\npersist-key
\npersist-tun
\nca ca.crt
\ncert client.crt
\nkey client.key
\ncipher AES-256-CBC
\ncomp-lzo
\nverb 3
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"

Kurz vorne weg, der UBIQUITI EdgeRouter ist ein kleiner Hardware Router der als Basis Debian mit Vyatta verwendet. Ich hab\u00a0mehrere\u00a0UbiQuiti EdgeRouter Lite, 3-port Router im Einsatz. In diesem Beitrag gehe ich auf die Konfiguration des EdgeRouters ein und setze OpenVPN Kenntnisse voraus.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,26,25],"tags":[],"_links":{"self":[{"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/posts\/425"}],"collection":[{"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/comments?post=425"}],"version-history":[{"count":15,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/posts\/425\/revisions"}],"predecessor-version":[{"id":541,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/posts\/425\/revisions\/541"}],"wp:attachment":[{"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/media?parent=425"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/categories?post=425"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.schoen-bloed.at\/blog\/wp-json\/wp\/v2\/tags?post=425"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}