
EdgeRouter + OpenVPN Road Warrior Example

Generate Certificates With EasyRSA 3

You'll need to generate the server certificate and key, the client certificates, and the DH parameters (dh.pem) with EasyRSA 3 using the instructions here.

Once you do that, copy the server-side files (ca.crt, server.crt, dh.pem, and server.key) to the following directory on the EdgeRouter:

/config/auth/openvpn/

Also generate some client certs, either now or later. You'll need to paste their contents into the client .ovpn file.

EdgeRouter Configuration

On the EdgeRouter, make changes where appropriate. Subnet 192.168.0.0/24 should be whatever your LAN subnet behind the EdgeRouter is. If your LAN uses one of the common default subnets (like 192.168.0.0/24), there's a good chance your clients will have routing problems whenever the LAN they connect from uses the same subnet.

You can use NETMAP rules to avoid having to change your LAN addressing scheme.
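The subnet clash described above is easy to check for before a user reports it. The script below is an added example, not part of the original wiki page or of EdgeOS: given a client's local LAN and the subnets the server pushes (the server subnet and push-route lines from the configuration), it reports every pushed prefix that overlaps the client LAN, which is exactly the case where NETMAP is needed. The prefixes used in the usage note are the sample values from this page; the client LAN values are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): detect overlap between a road-warrior
# client's local LAN and the prefixes the EdgeRouter pushes to it.
# Pure POSIX sh arithmetic, so it runs on a client or on the router itself.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# netbase A.B.C.D/LEN -> the network address of that prefix as an integer
netbase() {
    ip=${1%/*}; len=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo $(( $(ip2int "$ip") & mask ))
}

# overlaps CIDR1 CIDR2 -> succeeds if the two prefixes share any address.
# Two prefixes overlap only if one contains the other, so it is enough to
# compare both under the shorter (less specific) of the two prefix lengths.
overlaps() {
    l1=${1#*/}; l2=${2#*/}
    if [ "$l1" -le "$l2" ]; then
        short="$1"; other=${2%/*}
    else
        short="$2"; other=${1%/*}
    fi
    [ "$(netbase "$short")" -eq "$(netbase "$other/${short#*/}")" ]
}

# conflicting_routes CLIENT_LAN ROUTE... -> prints each pushed route that
# overlaps the client's LAN, one per line (prints nothing when all is clear)
conflicting_routes() {
    lan="$1"; shift
    for r in "$@"; do
        if overlaps "$lan" "$r"; then
            echo "$r"
        fi
    done
}

# Usage with the prefixes from the configuration on this page and a
# constructed client LAN that happens to match the EdgeRouter LAN:
#   conflicting_routes 192.168.0.0/24 10.10.10.0/24 192.168.0.0/24
# prints 192.168.0.0/24, telling you that client needs NETMAP (or a
# different LAN) before its traffic to the office LAN can be routed.
```

Run it for each pushed prefix you add with push-route; a non-empty result for a given client LAN is the signal to add the NETMAP rules the page refers to rather than to debug the tunnel itself.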

set interfaces openvpn vtun0 firewall in name OpenVPN-Mobile
set interfaces openvpn vtun0 local-host xx.xx.xx.xx
set interfaces openvpn vtun0 local-port xxxxx
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 openvpn-option --mssfix
set interfaces openvpn vtun0 openvpn-option '--cipher AES-128-CBC'
set interfaces openvpn vtun0 openvpn-option '--auth SHA256'
set interfaces openvpn vtun0 openvpn-option --float
set interfaces openvpn vtun0 openvpn-option --duplicate-cn
set interfaces openvpn vtun0 openvpn-option '--fragment 1400'
set interfaces openvpn vtun0 protocol udp
set interfaces openvpn vtun0 server max-connections 10
set interfaces openvpn vtun0 server push-route 10.10.10.0/24
set interfaces openvpn vtun0 server push-route 192.168.0.0/24
set interfaces openvpn vtun0 server subnet 10.10.10.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/server.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/dh.pem
set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/server.key

OpenVPN .ovpn Config File For Clients

client
tls-client
remote remote.hostname.here
port xxxx
proto udp
dev tun
pull
cipher AES-128-CBC
auth SHA256
fragment 1400
mssfix
float
<ca>
ca certificate file contents here
</ca>
<cert>
pem certificate file contents here
</cert>
<key>
pem key file contents here
</key>
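Pasting certificate contents into the template by hand is error-prone, and the resulting file holds the client's private key. The script below is an added example, not part of the original wiki page: it assembles the .ovpn above from the EasyRSA output files, checks that the file passed as the key really is a PEM private key, guarantees each inline block closes on its own line even when a PEM file lacks a trailing newline, and creates the output with owner-only permissions. The file names, hostname and port in the usage note are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page): build a road-warrior client .ovpn
# from the template on this page plus the EasyRSA 3 output files.

# build_ovpn CA_CRT CLIENT_CRT CLIENT_KEY OUTPUT REMOTE_HOST REMOTE_PORT
build_ovpn() {
    ca="$1"; cert="$2"; key="$3"; out="$4"; host="$5"; port="$6"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # Refuse to inline something that is not a PEM private key (for example
    # a certificate passed in the wrong argument position).
    grep -q 'PRIVATE KEY-----' "$key" || { echo "not a PEM private key: $key" >&2; return 1; }
    # The output embeds the private key, so never create it world-readable.
    old_umask=$(umask)
    umask 077
    {
        cat <<EOF
client
tls-client
remote $host
port $port
proto udp
dev tun
pull
cipher AES-128-CBC
auth SHA256
fragment 1400
mssfix
float
EOF
        # awk 1 re-emits every line with a newline, so a PEM file without a
        # trailing newline still gets its closing tag on a line of its own.
        printf '<ca>\n';   awk 1 "$ca";   printf '</ca>\n'
        printf '<cert>\n'; awk 1 "$cert"; printf '</cert>\n'
        printf '<key>\n';  awk 1 "$key";  printf '</key>\n'
    } > "$out"
    umask "$old_umask"
}

# count_inline_blocks FILE TAG -> number of matched <TAG>/</TAG> pairs in FILE,
# or "mismatch" if the open and close counts differ
count_inline_blocks() {
    opens=$(grep -c "^<$2>\$" "$1" || true)
    closes=$(grep -c "^</$2>\$" "$1" || true)
    if [ "$opens" -eq "$closes" ]; then echo "$opens"; else echo "mismatch"; fi
}

# Usage (assumed file names and placeholder endpoint):
#   build_ovpn pki/ca.crt pki/issued/alice.crt pki/private/alice.key \
#       alice.ovpn remote.hostname.here 1194
#   count_inline_blocks alice.ovpn key      # expect 1
```

Run the build from the EasyRSA working directory for each client you issue; the second function is a quick sanity check that every inline block in the finished file is properly closed before you hand it over.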