- General Setup
- Enable Hardware Offloading
- Create DNS Entries for Static Hosts
- Configure as OpenVPN Server
- Configure as OpenVPN Client
General Setup
System Settings
set system host-name <hostname>
set system domain-name <name.domain>
set system name-server 1.1.1.1
set system time-zone America/New_York
Update the firmware
# show version information
show version
# show storage information
show system storage
show system image storage
# show installed firmware images
show system image
# remove old system image (free up some space)
delete system image
# download new firmware image
add system image https://dl.ubnt.com/firmwares/edgemax/v1.10.x/ER-e50.v1.10.9.5166958.tar
# set default boot image, if required
set system image default-boot
Basic LAN Setup (configure eth2, dns forwarding and dhcp to vlan)
set interfaces ethernet eth2 address 192.168.10.1/24
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 dns-server 192.168.10.1
set service dhcp-server shared-network-name vlan10 subnet 192.168.10.0/24 start 192.168.10.10 stop 192.168.10.100
set service dns forwarding listen-on eth2
Basic WAN Setup (configure eth0 via DHCP)
# setup eth0 to use dhcp
set interfaces ethernet eth0 address dhcp
set interfaces ethernet eth0 description 'WAN_Internet'
# verify the eth0 IP was acquired from DHCP:
show dhcp client leases
# we also need to setup outbound NAT to translate all internal traffic thru eth0:
set service nat rule 5000 description 'Outbound NAT'
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 type masquerade
Restrict Management Portals (SSH and WebUI)
set service ssh listen-address 192.168.10.1
set service gui listen-address 192.168.10.1
Basic Firewall Configuration
- WAN_IN: matches on established/related and invalid traffic that is passed thru the router (WAN to LAN)
- WAN_LOCAL: matches on established/related and invalid traffic that is destined for the router itself (WAN to LOCAL)
WAN to Internal
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set interfaces ethernet eth0 firewall in name WAN_IN
WAN to Router
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth0 firewall local name WAN_LOCAL
Enable Hardware Offloading
reference: https://help.ubnt.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading#3
- type the following commands at the terminal to enable ipsec and hwnat offloading
configure
set system offload hwnat enable
set system offload ipsec enable
commit
save
- check that offloading was enabled
show ubnt offload
Create DNS Entries for Static Hosts
set system static-host-mapping host-name host1 inet 10.10.10.10
Configure as OpenVPN Server
reference: https://help.ubnt.com/hc/en-us/articles/115015971688-EdgeRouter-OpenVPN-Server
Generate certificate + keys
- Generate root certificate
# check the date/time before beginning
show date
# switch to root
sudo su
# generate a diffie-hellman key file and place it in /config/auth/
openssl dhparam -out /config/auth/dh.pem -2 2048
# generate a root certificate
cd /usr/lib/ssl/misc
./CA.sh -newca
# copy the cert+key to /config/auth/
cp demoCA/cacert.pem /config/auth
cp demoCA/private/cakey.pem /config/auth
- Generate server certificate
# generate the server certificate
./CA.pl -newreq
# sign the server certificate
./CA.pl -sign
# move and rename the server cert+key files to /config/auth/
mv newcert.pem /config/auth/server.pem
mv newkey.pem /config/auth/server.key
- Generate client certificate
# generate, sign and move the certificate+key files for a client
./CA.pl -newreq
# common name: should be the client name :)
./CA.pl -sign
mv newcert.pem /config/auth/client1.pem
mv newkey.pem /config/auth/client1.key
- Remove passwords from the client and server key files
openssl rsa -in /config/auth/server.key -out /config/auth/server-no-pass.key
openssl rsa -in /config/auth/client1.key -out /config/auth/client1-no-pass.key
mv /config/auth/server-no-pass.key /config/auth/server.key
mv /config/auth/client1-no-pass.key /config/auth/client1.key
# add read permissions for non-root users to the client key
chmod 644 /config/auth/client1.key
- That's it! Copy all necessary client files (client1.key, client1.pem and cacert.pem)
- Create a client ovpn file from the template below
client
dev tun
proto udp
remote <server-ip> 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ca cacert.pem
cert client1.pem
key client1.key
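To turn the template above and the three copied files into one self-contained profile, here is an added shell script (not part of the original notes); the server address, file names and output path are whatever the caller passes, and the check helper assumes openssl is installed on the machine where you run it.

```shell
#!/bin/sh
# Added example: bundle cacert.pem, client1.pem and client1.key into a single
# .ovpn with inline <ca>/<cert>/<key> blocks, following the template above.
set -e

# Keep only the PEM body: CA.pl -sign prefixes newcert.pem with a text dump
# of the certificate, which is noise inside an inline block.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <server-ip> <cacert.pem> <client.pem> <client.key> <out.ovpn>
build_ovpn() {
    server_ip=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    {
        printf '%s\n' client 'dev tun' 'proto udp' "remote $server_ip 1194" float \
            'resolv-retry infinite' nobind persist-key persist-tun 'verb 3'
        printf '<ca>\n';   pem_only "$ca";   printf '</ca>\n'
        printf '<cert>\n'; pem_only "$cert"; printf '</cert>\n'
        printf '<key>\n';  pem_only "$key";  printf '</key>\n'
    } > "$out"
    chmod 600 "$out"    # the key inside had its passphrase removed earlier
}

# Optional check before handing a profile out: the client cert must chain to
# our CA and the key must belong to that cert. Requires openssl on the PATH.
check_client_files() {
    ca=$1 cert=$2 key=$3
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]
}

# usage (assumed paths): build_ovpn 203.0.113.1 cacert.pem client1.pem client1.key client1.ovpn
```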
Interface and firewall rules
# add a firewall rule for the openvpn traffic to the WAN_LOCAL firewall policy
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description openvpn
set firewall name WAN_LOCAL rule 30 destination port 1194
set firewall name WAN_LOCAL rule 30 protocol udp
# configure the openvpn virtual tunnel interface
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet 172.16.1.0/24
set interfaces openvpn vtun0 server push-route 192.168.1.0/24
set interfaces openvpn vtun0 server name-server 192.168.1.1
# link the server certificate+keys to the virtual tunnel interface
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/server.pem
set interfaces openvpn vtun0 tls key-file /config/auth/server.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
# add the virtual tunnel interface to the DNS forwarding interface list
set service dns forwarding listen-on vtun0
# commit and save
commit ; save
Configure as OpenVPN Client
- copy the ovpn file to /config/auth/ on the router
- make sure you have route-nopull specified in the config
- and then perform the following commands:
# here I create a new openvpn tunnel "vtun1" with the ovpn config file
set interfaces openvpn vtun1 config-file /config/auth/america-vpn.ovpn
set interfaces openvpn vtun1 description 'America VPN Tunnel Out'
# additionally, you can add more tunnels:
set interfaces openvpn vtun02 config-file /config/auth/turkey-vpn.ovpn
set interfaces openvpn vtun02 description 'Turkey VPN Tunnel Out'
# commit and now the new interfaces should display in the dashboard
commit
- Next, perform the following to setup host-specific access to the VPN tunnel:
- Add a NAT rule with the virtual tunnel as the outbound interface. The source address will be the client host or subnet IP (e.g. 192.168.10.0/24 or 192.168.10.101/32)
# NAT rules can also be added using the WebUI, it may be easier
set service nat rule 5100 description 'Outbound NAT to VPN Tunnel'
set service nat rule 5100 log enable
set service nat rule 5100 outbound-interface vtun1
set service nat rule 5100 source address 192.168.10.0/24
set service nat rule 5100 protocol all
set service nat rule 5100 type masquerade
commit && save
- Create a static route using the openvpn tunnel interface as next hop
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun1
# it is also possible to add more routes for additional vpn tunnels, like so
set protocols static table 2 interface-route 0.0.0.0/0 next-hop-interface vtun02
- Create firewall modify rule for each host you want to route through the vpn
set firewall modify OPENVPN_ROUTE rule 10 description 'traffic from 192.168.10.1/24 to vtun1'
set firewall modify OPENVPN_ROUTE rule 10 source address 192.168.10.0/24
set firewall modify OPENVPN_ROUTE rule 10 modify table 1
# add additional rules for additional hosts
- Apply the firewall modify rule “in” to your LAN interface. This example is applied in interface switch0:
set interfaces switch switch0 firewall in modify OPENVPN_ROUTE
- FINISHED!