Configure Site to Site OpenVPN connection with EdgeMax
-
OpenVPN is currently a 100% command line setup process on EdgeOS (as of EdgeOS 1.8.0).
But, setting up a site-to-site OpenVPN connection with an EdgeOS device is quite straightforward.
Connect to the router located at Site A and perform the following.
First you need to make a directory in the config folder as this is the location designed to survive firmware updates.
ubnt@ubnt:~$ sudo mkdir /config/openvpn
ubnt@ubnt:~$ sudo mkdir /config/openvpn/keys
Generate the key (or keys if you need/want more than one)
ubnt@ubnt:~$ generate vpn openvpn-key /config/openvpn/keys/siteA_2_siteB_key
Generating OpenVPN key to /config/openvpn/keys/siteA_2_siteB_key
Your new local OpenVPN key has been generated
Use cat to display the newly created key (repeat if you made more keys) and then copy it from the terminal. You will need to enter this into the other router shortly.
ubnt@ubnt:~$ sudo cat /config/openvpn/keys/siteA_2_siteB_key
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
9e220773778ae59275fe105747c2ba65
845c36faf1274960a49999524a3d4cd9
96d6998b47647eb0f3c2ee7966246f9c
63bc3ed5dfd8c62d215024f38087eb9c
d92d6ada0ccf5b9d37c785c2a03b47eb
49404878da44877038a9f3cb7c757e4b
fdc53abe0574ebfe78f3567e6f9b0678
54d2982f2d349c8bc1efff1dcb25e52c
f036175126aa755b9539785162334b2a
135745ac58f0947f9e936d55487f1338
64bad026090eb741e2278b09776502ff
50c4b1eb6695842e544b88db1996e5d3
6a438dd9a336a394761b925dc596046d
b2e634167ee6e183aa12f5e2b3f0ea2f
a9681b8481378d5a639776277625c9e0
f866e43cb59d60cecdbad76829ae8c55
-----END OpenVPN Static key V1-----
ubnt@ubnt:~$
Enter the normal EdgeOS configuration mode
configure
Now edit this block to reflect the information for your site and then paste it into your SSH session.
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "Site A to Site B"
set interfaces openvpn vtun0 mode site-to-site
# I use port 1195 because port 1194 is the default OpenVPN port.
# If you are planning to use a Client/Server OpenVPN also, leave that open for it.
set interfaces openvpn vtun0 local-port 1195
set interfaces openvpn vtun0 remote-port 1195
# Pick a pair of addresses that make sense for your environment.
# In this case, the sites use 10.202.0.0/23 and 10.202.10.0/24.
# So I chose to use 10.202.254.X addresses for any site-to-site tunnels
set interfaces openvpn vtun0 local-address 10.202.254.1
set interfaces openvpn vtun0 remote-address 10.202.254.2
set interfaces openvpn vtun0 remote-host siteb.domain.com
set interfaces openvpn vtun0 shared-secret-key-file /config/openvpn/keys/siteA_2_siteB_key
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
Add a route to the Site B network.
set protocols static interface-route 10.202.10.0/24 next-hop-interface vtun0
Commit and save the changes, then exit the configuration mode.
commit
save
exit
Congratulations, you are done with Site A and it is now attempting to connect to Site B.
Now we need to connect to the router at Site B and configure it. The process is nearly identical.
Again you need to make a directory in the config folder as this is the location designed to survive firmware updates.
ubnt@ubnt:~$ sudo mkdir /config/openvpn
ubnt@ubnt:~$ sudo mkdir /config/openvpn/keys
Instead of generating the key you will paste in the key from Site A with vi.
ubnt@ubnt:~$ sudo vi /config/openvpn/keys/siteA_2_siteB_key
Change the security on the key to prevent unauthorized access to it.
ubnt@ubnt:~$ sudo chmod 600 /config/openvpn/keys/siteA_2_siteB_key
Enter the normal EdgeOS configuration mode
configure
This time the block is going to be identical but reversed. What was local is now remote and what was remote is now local.
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "Site A to Site B"
set interfaces openvpn vtun0 mode site-to-site
# I use port 1195 because port 1194 is the default OpenVPN port.
# If you are planning to use a Client/Server OpenVPN also, leave that open for it.
set interfaces openvpn vtun0 local-port 1195
set interfaces openvpn vtun0 remote-port 1195
# Pick a pair of addresses that make sense for your environment.
# In this case, the sites use 10.202.0.0/23 and 10.202.10.0/24.
# So I chose to use 10.202.254.X addresses for any site-to-site tunnels
set interfaces openvpn vtun0 local-address 10.202.254.2
set interfaces openvpn vtun0 remote-address 10.202.254.1
set interfaces openvpn vtun0 remote-host sitea.domain.com
set interfaces openvpn vtun0 shared-secret-key-file /config/openvpn/keys/siteA_2_siteB_key
set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
Add a route to the Site A network.
set protocols static interface-route 10.202.0.0/23 next-hop-interface vtun0
Commit and save the changes, then exit the configuration mode.
commit
save
exit
Congratulations, your OpenVPN tunnel should be up.
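Since the Site B block is just the Site A block with local and remote swapped, here is a small POSIX shell helper I am adding to the thread (my own code, not from the original post or from Ubiquiti). It generates the Site B block from the Site A one, rewrites the interface-route to point at Site A's LAN, and checks a pasted shared-secret file for the "Static key V1" header and footer, the 16 lines of 32 hex digits, and the 0600 mode from the chmod step. The hostnames sitea.domain.com / siteb.domain.com are the post's placeholders; the sample block and the dummy key body are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Ubiquiti: helpers for the
# two-site procedure above.
#   mirror_openvpn_block SITEA_HOST SITEA_NET - reads the Site A "set ..." block on
#       stdin and prints the Site B block: local-*/remote-* swapped, remote-host set
#       to SITEA_HOST, and the interface-route rewritten to SITEA_NET.
#   check_static_key FILE - sanity-checks a pasted shared-secret file: V1 header and
#       footer, 16 lines of 32 hex digits, and mode 0600 (the chmod step in the post).
# Hostnames, the sample block and the dummy key below are constructed for this example.

mirror_openvpn_block() {
  [ $# -eq 2 ] || { echo "usage: mirror_openvpn_block SITEA_HOST SITEA_NET" >&2; return 2; }
  awk -v newhost="$1" -v newnet="$2" '
    # the route at Site B must point at the Site A LAN, not the Site B LAN
    $1 == "set" && $2 == "protocols" && $4 == "interface-route" { $5 = newnet; print; next }
    # comments and anything that is not an openvpn interface line pass through
    /^#/ || $1 != "set" || $2 != "interfaces" || $3 != "openvpn" { print; next }
    $5 == "local-address"  { $5 = "remote-address"; print; next }
    $5 == "remote-address" { $5 = "local-address";  print; next }
    $5 == "local-port"     { $5 = "remote-port";    print; next }
    $5 == "remote-port"    { $5 = "local-port";     print; next }
    $5 == "remote-host"    { $6 = newhost;          print; next }
    { print }
  '
}

check_static_key() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  # first ten characters of ls -ld are the type and permission bits, e.g. -rw-------
  mode=$(ls -ld "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || { echo "bad mode $mode (want 0600): $f" >&2; return 1; }
  grep -qx -- '-----BEGIN OpenVPN Static key V1-----' "$f" || { echo "no BEGIN line: $f" >&2; return 1; }
  grep -qx -- '-----END OpenVPN Static key V1-----' "$f"   || { echo "no END line: $f" >&2; return 1; }
  # a 2048-bit static key is 256 bytes = 16 lines of 32 hex digits
  hexlines=$(grep -cx '[0-9a-f]\{32\}' "$f" || true)
  [ "$hexlines" -eq 16 ] || { echo "expected 16 hex lines, got $hexlines: $f" >&2; return 1; }
  return 0
}

# --- stand-alone demo with constructed input (values taken from the post) ---
printf '%s\n' \
  'set interfaces openvpn vtun0' \
  'set interfaces openvpn vtun0 description "Site A to Site B"' \
  'set interfaces openvpn vtun0 mode site-to-site' \
  'set interfaces openvpn vtun0 local-port 1195' \
  'set interfaces openvpn vtun0 remote-port 1195' \
  'set interfaces openvpn vtun0 local-address 10.202.254.1' \
  'set interfaces openvpn vtun0 remote-address 10.202.254.2' \
  'set interfaces openvpn vtun0 remote-host siteb.domain.com' \
  'set interfaces openvpn vtun0 shared-secret-key-file /config/openvpn/keys/siteA_2_siteB_key' \
  'set interfaces openvpn vtun0 openvpn-option "--comp-lzo"' \
  'set protocols static interface-route 10.202.10.0/24 next-hop-interface vtun0' \
  | mirror_openvpn_block sitea.domain.com 10.202.0.0/23

demo_dir=$(mktemp -d)
demo_key="$demo_dir/siteA_2_siteB_key"
{
  printf '#\n# 2048 bit OpenVPN static key\n#\n'
  echo '-----BEGIN OpenVPN Static key V1-----'
  i=0; while [ $i -lt 16 ]; do echo 'deadbeef0123456789abcdef00000000'; i=$((i+1)); done  # dummy body
  echo '-----END OpenVPN Static key V1-----'
} > "$demo_key"
chmod 600 "$demo_key"
check_static_key "$demo_key" && echo "key file looks sane: $demo_key"
rm -rf "$demo_dir"
```

Paste the Site A block into a file, run `mirror_openvpn_block sitea.domain.com 10.202.0.0/23 < sitea.txt`, and the output is what you paste into configure on Site B. Run `check_static_key /config/openvpn/keys/siteA_2_siteB_key` on both routers before committing; a key that was pasted with a line missing, or left world-readable, is caught here rather than as a silent tunnel that never comes up. Only POSIX sh, awk and grep are used, so it runs on the router or on a workstation.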
-
Awesome, straightforward guide. Thanks! I've been playing with my ERX at home and am liking the interface and structure of the CLI. Next up will be attempting the OpenVPN server/client setup. If I can get that working consistently, I might switch my office to EdgeOS as well.
-
@fuznutz04 said:
Awesome, straightforward guide. Thanks! I've been playing with my ERX at home and am liking the interface and structure of the CLI. Next up will be attempting the OpenVPN server/client setup. If I can get that working consistently, I might switch my office to EdgeOS as well.
Client/Server setup is more complicated, but not by much. Mostly, it depends on if you want user/device certificates or only passwords.
You can even add 2FA with Google Authenticator and a custom package if so desired.
-
Good to know. I'm planning on starting this later this week. If I can get this working, I'm going to replace a PFSense firewall with an ERX or Lite. Right now, this is the only thing that I don't have set up for ERX yet.