- Sat 29 October 2022
- misc
At ClueTrust for better or worse we've standardized on Ubiquiti Edgerouters (mostly ER4s) for SOHO use.
While we like sshuttle as a "good enough for most stuff" substitute for a VPN, that only works on laptops. For situations where you need to use a "real" VPN, EdgeOS supports OpenVPN. I use the Screens app on my iPad to remote control the Mac that runs the ham shack, for instance.
Here's a config snippet for setting up OpenVPN server for laptops (not site to site) on EdgeOS along with some commentary. This example is for EdgeOS v1.10.11. Version 2.x and VyOS may require some tweaking.:
set interfaces openvpn vtun0 description 'laptop vpn'
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server name-server 172.30.250.126
set interfaces openvpn vtun0 server push-route 172.30.250.0/24
set interfaces openvpn vtun0 server push-route 172.30.251.0/24
set interfaces openvpn vtun0 server subnet 172.28.252.0/24
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ssl/ovpn0-cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/ssl/ovpn0-server.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/ssl/ovpn0-dh.pem
set interfaces openvpn vtun0 tls key-file /config/auth/ssl/ovpn0-server.key
Commentary:
This server listens on udp/1194. You'll need to open that up in your external firewall. Something like this ought to do:
set firewall name InternetInbound rule 130 action accept
set firewall name InternetInbound rule 130 description 'openvpn remote laptops'
set firewall name InternetInbound rule 130 destination port 1194
set firewall name InternetInbound rule 130 protocol udp
The vtun0
stanzas above set up, for lack of a better term, a "fake
lan" interface with a subnet as described in the "subnet" stanza.
Make sure any internal firewall/segmentation rules take this into
account.
Note the plurality of "push-route" rules. There seemed to be a bug on v1.10.11 that kept a /23 route from being handled properly. This is for split tunnel vpn. If you wanted everything to go through the VPN (like if you were on some dodgy hotspot in a place where you didn't want all your metadata logged by whomever)... you could do 0.0.0.0/0
After any changes, you may have to reset openvpn interface vtun0
The command shell in VyOS is kinda crummy and it's not really a full
shell. You can sudo bash
though and get a real shell (you'll likely
have to in order to set up your certs properly.
You likely want to set up your own standalone CA for creating server and client certs. Note that CNs don't matter for the server in this ecosystem, just that the server cert chains back to the same CA as the client cert with the proper use constraints. You should have a unique CN for each client device that you want active at the same time as IP addresses are sticky to the client CN (i.e., do a different cert for your laptop, your ipad, and your cell phone if you want all three online at the same time).
I did a set of wrappers around easyrsa3 for "insert coin receive .ovpn file" operation. Please be careful what you check into github and don't send me PRs with NPI in them!