How to set up OpenVPN on EdgeRouter Lite router

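# SSH to the router (ROUTER_IP is a placeholder: use the router's LAN address)
ssh user@ROUTER_IP

# Become root
sudo su

# Go to the OpenSSL CA helper directory
cd /usr/lib/ssl/misc/

# Create a new CA certificate
./CA.sh -newca

# Fill in Country DK, City Ribe, password, Common Name

# Server certificate - remember to use a unique Common Name
./CA.sh -newreq

# Sign the certificate
./CA.sh -sign

# Move the files somewhere they are not deleted by a firmware upgrade
cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
# NOTE(review): with the CA private key on the router, root on the router
# can issue new client certificates; consider keeping a copy off-box and
# removing it here once all client certificates have been issued.
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
mv /usr/lib/ssl/misc/newcert.pem /config/auth/host.pem
mv /usr/lib/ssl/misc/newkey.pem /config/auth/host.key

# Generate the DH 2048 file - takes a long time, 20 to 30 min
openssl dhparam -out /config/auth/dh2048.pem -2 2048

# Create a user certificate; repeat for every client that is needed,
# each with a different name
./CA.sh -newreq
./CA.sh -sign

# Move the files as before and rename them (both need `mv`; the original
# omitted it on the first line)
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key

# Strip the password from the keys (openssl prompts for it); the -out
# files are unencrypted private keys
openssl rsa -in /config/auth/host.key -out /config/auth/host-decrypted.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-decrypted.key

# Private key material must only be readable by root; openssl creates the
# output files with the default umask, so tighten them explicitly
chmod 600 /config/auth/cakey.pem \
  /config/auth/host.key /config/auth/host-decrypted.key \
  /config/auth/client1.key /config/auth/client1-decrypted.key

# Exit root
exit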

Set up the interface

# Configure the OpenVPN server interface vtun0. Everything between
# `configure` and `commit` is staged; `commit` applies it and `save`
# persists it across reboots.
configure

set interfaces openvpn vtun0

set interfaces openvpn vtun0 description "OpenVPN server"

set interfaces openvpn vtun0 mode server

# Data-channel cipher and HMAC; the client .ovpn must use the same values
# (cipher AES-256-CBC / auth SHA256)
set interfaces openvpn vtun0 encryption aes256

set interfaces openvpn vtun0 hash sha256

# Address pool handed out to VPN clients
set interfaces openvpn vtun0 server subnet 10.10.10.0/24

# Route pushed to clients: the local LAN (e.g. 192.168.0.0/24)
set interfaces openvpn vtun0 server push-route 10.10.2.0/24

# DNS server pushed to clients: the local LAN gateway (e.g. 192.168.0.1)
set interfaces openvpn vtun0 server name-server 10.10.2.1

set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem

set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem

# The key file is the password-stripped server key; keep it readable by
# root only
set interfaces openvpn vtun0 tls key-file /config/auth/host-decrypted.key

set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem

# Listening port; the WAN_LOCAL firewall rule and the client's
# `remote ... 1194` line must use the same port
set interfaces openvpn vtun0 openvpn-option "--port 1194"

set interfaces openvpn vtun0 openvpn-option --tls-server

# NOTE(review): compressing VPN traffic is discouraged, because compression
# side channels can expose plaintext. If you drop this option, also remove
# `comp-lzo yes` from every client .ovpn - both sides must agree.
set interfaces openvpn vtun0 openvpn-option "--comp-lzo yes"

# Keep the key and the tun device across restarts, so they need not be
# re-read or re-opened after privileges are dropped below
set interfaces openvpn vtun0 openvpn-option --persist-key

set interfaces openvpn vtun0 openvpn-option --persist-tun

set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"

# Drop privileges after startup
set interfaces openvpn vtun0 openvpn-option "--user nobody"

set interfaces openvpn vtun0 openvpn-option "--group nogroup"

commit

save

# Configured with full access to the local network; all client traffic is
# tunnelled (redirect-gateway def1 in the client file)

 

#setup firewall

# Allow inbound OpenVPN on the WAN. Assumes the WAN_LOCAL rule set already
# exists and is attached to the WAN interface as its `local` rule set -
# confirm before committing.
configure

set firewall name WAN_LOCAL rule 50 action accept

set firewall name WAN_LOCAL rule 50 description "OpenVPN"

# Default is 1194; change to 443 if desired. Keep it equal to `--port` on
# the vtun0 interface and to the port in the client's `remote` line,
# otherwise clients cannot connect.
set firewall name WAN_LOCAL rule 50 destination port 1194

# Log matches of this rule (connection attempts), useful for spotting
# unexpected sources
set firewall name WAN_LOCAL rule 50 log enable

set firewall name WAN_LOCAL rule 50 protocol udp

commit

save

opsæt DNS

# Let the router's DNS forwarder answer queries arriving on the VPN
# interface, so the name-server pushed to clients (presumably the router
# itself - confirm) resolves names for them
configure

set service dns forwarding listen-on vtun0

commit

save

opsæt client ovpn fil

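#######################################
# Write an OpenVPN client configuration file.
# Arguments: $1 - directory the .ovpn is written to (e.g. /config/auth)
#            $2 - client name; the file is <dir>/<name>.ovpn and it refers
#                 to <name>.pem and <name>-decrypted.key next to cacert.pem
# Outputs:   overwrites <dir>/<name>.ovpn; re-running does not append
#            duplicate lines the way repeated `echo >>` did
# Returns:   0 on success, non-zero if the file cannot be written
#######################################
write_client_config() {
  local dir=$1
  local name=$2
  # Notes on the generated options:
  # - `remote`: replace the hostname with the router's public name; the port
  #   must match `--port` on the server and the WAN_LOCAL firewall rule.
  # - `cipher` / `auth` must match the server's encryption/hash settings.
  # - `comp-lzo yes` must match the server's --comp-lzo option; compression
  #   of VPN traffic is discouraged, so remove it on both sides if possible.
  # - `key`: the client's private key is shipped without a passphrase; keep
  #   the file private on the client device.
  cat > "${dir}/${name}.ovpn" <<EOF
client
dev tun
proto udp
remote yourhostname.dyndns.com 1194
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
redirect-gateway def1
nobind
comp-lzo yes
persist-key
persist-tun
user nobody
group nogroup
verb 3
ca cacert.pem
cert ${name}.pem
key ${name}-decrypted.key
EOF
}

# Create the configuration for client1 next to its certificate and key
write_client_config /config/auth client1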

# client skal bruge følgende filer 

cacert.pem (CA certificate)

client1.pem (client1 certificate)

client1-decrypted.key (client1 key)

client1.ovpn (client1 configuration)

#filerne kan koperes med følgende metode 

sudo scp USER@ROUTER_IP:/config/auth/client1.ovpn /Users/mkp/vpn/
(USER@ROUTER_IP er en pladsholder: erstat med routerens brugernavn og IP-adresse; den oprindelige adresse var ødelagt af sidens e-mail-beskyttelse)

 

har lånt lidt opsætning fra https://loganmarchione.com/2016/05/edgerouter-lite-openvpn-setup/ Thanks Logan for the great guide