edgerouter:openvpn-roadwarrior [2017/09/18 15:30] – brielle | edgerouter:openvpn-roadwarrior [2017/09/18 15:46] (current) – brielle
Line 1: | Line 1: | ||
====== EdgeRouter + OpenVPN Road Warrior Example ====== | ====== EdgeRouter + OpenVPN Road Warrior Example ====== | ||
- | On the EdgeRouter, make changes where appropriate... | + | ===== Generate Certificates With EasyRSA 3 ===== |
+ | You'll need to generate server, client, and DH certificates using the instructions [[https:// | ||
+ | |||
+ | Once you do that, copy the server certs (ca.crt, server.crt, dh.pem, and server.key) to: | ||
+ | |||
+ | < | ||
+ | |||
+ | On the EdgeRouter. | ||
+ | |||
+ | Also generate some client certs either now or later. | ||
+ | |||
+ | ===== EdgeRouter Configuration ===== | ||
+ | On the EdgeRouter, make changes where appropriate. | ||
+ | |||
+ | You can use NAT rules to avoid having to change your LAN addressing scheme. | ||
< | < | ||
set interfaces openvpn vtun0 local-host xx.xx.xx.xx | set interfaces openvpn vtun0 local-host xx.xx.xx.xx | ||
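Review bot: the destination for the server certificate material is missing in the added "copy the server certs (ca.crt, server.crt, dh.pem, and server.key) to:" step; the block that follows it is empty in this revision, so the reader has no path to copy into. State the EdgeRouter path that the `tls ca-cert-file` line in the configuration below refers to, and in the same step say that `server.key` is a private key and should be readable only by root on the router. A small wording point: `dh.pem` is the Diffie-Hellman parameter file produced by `easyrsa gen-dh`, not a certificate, so listing it as one of the "server certs" may confuse readers looking for it in EasyRSA output.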
Line 15: | Line 30: | ||
set interfaces openvpn vtun0 server max-connections 10 | set interfaces openvpn vtun0 server max-connections 10 | ||
set interfaces openvpn vtun0 server push-route 10.10.10.0/ | set interfaces openvpn vtun0 server push-route 10.10.10.0/ | ||
+ | set interfaces openvpn vtun0 server push-route 192.168.0.0/ | ||
set interfaces openvpn vtun0 server subnet 10.10.10.0/ | set interfaces openvpn vtun0 server subnet 10.10.10.0/ | ||
set interfaces openvpn vtun0 tls ca-cert-file / | set interfaces openvpn vtun0 tls ca-cert-file / | ||
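Review bot: the added `push-route 192.168.0.0/` line works against the NETMAP workaround this same revision introduces below, where clients are meant to reach the LAN through the `172.30.254.0/` range precisely because `192.168.0.0/` is a common home-network subnet. Pushing a `192.168.0.0/` route to a road-warrior client whose local network is also `192.168.0.0/` collides with its local route, which is the problem the NAT section is trying to avoid. Either push the NETMAP range (`172.30.254.0/` with the same prefix length) instead, or document that this push-route is only for deployments where the LAN subnet is not remapped.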
Line 22: | Line 38: | ||
</ | </ | ||
- | Example client config file... | + | ===== OpenVPN |
< | < | ||
client | client | ||
Line 45: | Line 61: | ||
pem key file contents here | pem key file contents here | ||
</ | </ | ||
+ | </ | ||
+ | |||
+ | ===== NAT Rules To Work Around Same Subnets On Both Ends ===== | ||
+ | If you have a subnet on your LAN side that is one of the common default ones on most consumer networks (like 192.168.0.0/ | ||
+ | |||
+ | Example: | ||
+ | < | ||
+ | Client Range: 10.10.10.0/ | ||
+ | NETMAP Range: 172.30.254.0/ | ||
+ | </ | ||
+ | |||
+ | The NETMAP range is the IP range that will be directly mapped to your LAN range and the range your clients will use to connect to devices on your LAN (aka, if your clients need to access 192.168.0.5, | ||
+ | |||
+ | < | ||
+ | set service nat rule 1000 description OpenVPN-Mobile-vtun0 | ||
+ | set service nat rule 1000 destination address 172.30.254.0/ | ||
+ | set service nat rule 1000 inbound-interface vtun0 | ||
+ | set service nat rule 1000 inside-address address 192.168.0.0/ | ||
+ | set service nat rule 1000 log disable | ||
+ | set service nat rule 1000 protocol all | ||
+ | set service nat rule 1000 type destination | ||
</ | </ |
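Review bot: the NAT rule translates destination `172.30.254.0/` to `192.168.0.0/` on `vtun0`, but nothing in this hunk tells the client to send that range into the tunnel; the NETMAP section should say that the server's `push-route` (or the client's own `route`) must cover `172.30.254.0/`, otherwise the mapped addresses never reach the rule. The prefix lengths after the trailing slash are cut off in the rendered text; for a 1:1 mapping the `destination address` and `inside-address address` ranges must use the same prefix length, so it is worth spelling both out. While validating the rule, `log disable` hides whether translations are happening; suggest leaving logging on until the mapping is confirmed. Separately, the added `</` immediately after the client config block's own closing tag looks like a stray closing tag left over from the edit; check that the page renders without it.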