We had been using PPTP and L2TP for VPN services on our corporate router to allow remote users to access our network. This works quite well on Mac OSX, but is a bit annoying on Windows and Linux workstations. What to do? OpenVPN. It is built into the EdgeMax; it just needs to be configured.
Here are my deployment steps:
Create a CA
ssh admin@router
sudo -i
cd /usr/lib/ssl/misc
./CA.sh -newca
Fill out the requested information including the signing passphrase. You will need this passphrase to sign certificates later on. It will create cakey.pem and cacert.pem files for the CA.
Edit /usr/lib/ssl/openssl.cnf and locate default_days. The default is 365; I upped this to 1095 to match the CA's lifetime because I don't want to deal with renewing keys next year.
Create a Server Cert for the VPN server
sudo -i
cd /usr/lib/ssl/misc
./CA.sh -newreq
./CA.sh -sign
The request will ask a bunch of questions including subject data, hostname, and for a certificate passphrase. You will end up with a request file in the ssl/misc directory named newreq.pem.
The sign command will ask for the CA passphrase and will confirm that you want to sign this certificate. Because of the edit you made to the config file, the certificate should expire in about 3 years.
Create a Diffie-Hellman file
openssl dhparam -out /config/auth/dhp.pem -2 2048
Note: this will take some time. It also writes the file directly into the config directory so we don't have to move it later.
Copy the certs to the needed locations
cp demoCA/cacert.pem /config/auth/openvpn.cacert.pem
cp demoCA/private/cakey.pem /config/auth/openvpn.cakey.pem
mv newcert.pem /config/auth/vpn.host.pem
mv newkey.pem /config/auth/vpn.host.key
Note that the router configuration only references openvpn.cacert.pem, never the CA private key; cakey.pem is only needed when signing or revoking certificates, so the copy of it under /config/auth is a convenience rather than a requirement.
Update the Server Key
You need to remove the passphrase from the Server Cert so the OpenVPN service can start non-interactively:
openssl rsa -in /config/auth/vpn.host.key -out /config/auth/vpn.host-rmpass.key
mv /config/auth/vpn.host-rmpass.key /config/auth/vpn.host.key
Configure the Router
configure
edit interfaces openvpn vtun0
set description OpenVPN
set hash sha256
set mode server
set openvpn-option "--port 1194"
set openvpn-option --tls-server
set openvpn-option "--comp-lzo yes"
set openvpn-option --persist-key
set openvpn-option --persist-tun
set openvpn-option "--keepalive 10 120"
set server name-server 10.1.1.10
set server push-route 10.1.1.0/24
set server subnet 10.2.1.0/24
set tls ca-cert-file /config/auth/openvpn.cacert.pem
set tls cert-file /config/auth/vpn.host.pem
set tls dh-file /config/auth/dhp.pem
set tls key-file /config/auth/vpn.host.key
commit
exit
Configure the Firewall
Only one additional firewall rule is needed:
edit firewall name WAN_LOCAL rule <#>
set description OpenVPN
set action accept
set destination port 1194
set log disable
set protocol udp
commit
exit
Create a Client Key
You can use the built-in CA.sh script to create client keys, or you can run the openssl command yourself. Since I am not a big fan of re-entering the same data multiple times, I have opted to use the openssl command so it can be automated. The process of creating a client certificate and key is basically the same as for the server key: first you create a request, then you sign the request.
sudo -i
cd /usr/lib/ssl/misc
openssl req -new \
    -days 1095 \
    -subj "/C=US/ST=MyState/L=MyCity/O=MyCompanyName/CN=Full Username" \
    -keyout full.username.key \
    -out full.username.cert
openssl ca -policy policy_anything -out full.username.pem -infiles full.username.cert
During the request you will have to provide a certificate passphrase. This passphrase is what the end user will type in when they connect to the VPN, so we are not going to remove it. Despite its name, full.username.cert is only the signing request; the validity period of the issued certificate comes from the CA's default_days setting edited earlier, not from the -days given to openssl req. During the signing step you will have to provide the CA signing passphrase. Otherwise, you should not have to provide any additional information.
Create an OpenVPN content bundle
When a client installs the OpenVPN client and starts configuration they will need some files, including the ovpn config file and the needed keys and certs. Here is my example ovpn client configuration file (note that customizations are required here for each company and each client):
client
dev tun
proto udp
persist-tun
persist-key
auth SHA256
tls-client
resolv-retry infinite
remote vpn.mycompany.example.com 1194
ca openvpn.cacert.pem
cert full.username.pem
key full.username.key
comp-lzo
verb 3
My distribution model is to create a directory with the ovpn configuration file, the cacert, and the two user specific files. I then create a zip file of the directory and its contents.
Save and Backup
You can make sure OpenVPN is running by checking the process list (ps -ef | grep openvpn). Then test that a client can connect and can reach your internal services. Your VPN is ready to go. Be sure to commit your changes.
Also, now that it is not just /config/config.boot (which you are backing up, right?), you need to make sure to save your certs and keys. I recommend grabbing the files in /config/auth and in /usr/lib/ssl/misc/demoCA. Archive them off the router and put them someplace that gets backed up.
Revoke a Client
What happens when a client is no longer valid? You need to revoke their cert. These steps are a bit incomplete and I am trying to get them as accurate as possible. The revocation itself is fairly easy: locate the correct certificate ID and issue the revoke command.
sudo -i
cd /usr/lib/ssl/misc
less demoCA/index.txt
[ locate the key you want to revoke; it will have an ID that looks something like A24C7101DACBCF83 ]
openssl ca -revoke /usr/lib/ssl/misc/demoCA/newcerts/[certificate id].pem
Even though this particular cert is now revoked in the CA's index.txt, OpenVPN has no way of knowing that on its own. Getting OpenVPN to understand and respect the revocation list is the missing piece.
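Here is that missing piece worked through end to end, as an added example and not part of the original post: a throwaway CA in a temp directory that runs the same request-then-sign flow as the client key section above, revokes the client, regenerates the CRL and checks the certificate the way OpenVPN does when given a CRL. It assumes openssl is on the PATH; the CA name and the client name "alice" are constructed.

```shell
# Added example (not from the post): issue, revoke, regenerate CRL, verify.
# The CA layout mirrors demoCA (index.txt, serial, newcerts/) on a small scale.
set -e
setup_ca() {                       # build a minimal demoCA-style directory and an empty CRL
    CA_DIR=$(mktemp -d); mkdir "$CA_DIR/newcerts"; : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca       = demo
[ demo ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
serial           = \$dir/serial
default_md       = sha256
default_days     = 1095
default_crl_days = 30
policy           = policy_anything
[ policy_anything ]
commonName       = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -subj "/CN=Demo CA" \
        -keyout "$CA_DIR/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
    gen_crl                        # OpenVPN needs a CRL file even before any revocation
}
gen_crl() { openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null; }
issue_client() {                   # $1 = client CN; request, then sign with the CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -batch -notext -in "$CA_DIR/$1.csr" \
        -out "$CA_DIR/$1.pem" >/dev/null 2>&1
}
revoke_client() {                  # revoke by serial (the ID listed in index.txt), then refresh CRL
    serial=$(openssl x509 -in "$CA_DIR/$1.pem" -noout -serial | cut -d= -f2)
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/newcerts/$serial.pem" >/dev/null 2>&1
    gen_crl
}
cert_ok() {                        # 0 if the cert chains to the CA and is absent from the CRL
    cat "$CA_DIR/cacert.pem" "$CA_DIR/crl.pem" > "$CA_DIR/ca_and_crl.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/ca_and_crl.pem" "$CA_DIR/$1.pem" >/dev/null 2>&1
}
setup_ca; issue_client alice
cert_ok alice && echo "alice: accepted before revocation"
revoke_client alice
cert_ok alice || echo "alice: rejected, CRL honoured"
```

To make the router perform the same check, copy the freshly generated crl.pem into /config/auth and add set openvpn-option "--crl-verify /config/auth/crl.pem" to the vtun0 configuration, then re-copy the CRL after every revocation.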