Airin's Notes

Category: Hardware 🠪 Edgerouter
Create OpenVPN Configuration via script on Edgerouter
December 1, 2023
*** Consider using Wireguard instead!

https://notes.airinscomputers.com/?item=322

Thanks to Alex Jensen for creating this script:

https://www.cron.dk/easy-certificate-generation-for-openvpn/

To use:

1: Save this script to "/config/openvpn/zmake.sh".

2: Change "EdgeOpenVPN" to the IP address or hostname that clients should use to connect to the VPN. This value is written into every client OVPN file (the "remote" line). You can also edit it later in each OVPN file.

3: Execute it by opening Putty and entering:

      bash /config/openvpn/zmake.sh

     Give it 45 minutes or so (generating the Diffie-Hellman parameters is the slow part).

4: Edit "Server.ovpn": the "push route" lines need to list the IP ranges that clients should reach through the VPN if full gateway redirection is not enabled. For example, if the upstream network of the Edgerouter is 192.168.1.1 (the WAN side of the Edgerouter has a 192.168.1.xx IP), then adding a line with "192.168.1.0" makes that network available from the VPN even with remote gateway redirect disabled.

5: Open Putty, enter "configure" to go into configure mode, and paste in the contents of "zEdgeSetup.txt".

6: Copy the OVPN files to the client computers and use OpenVPN to connect. Each OVPN file contains that user's private key, so transfer it over a trusted channel and give each person only their own file.

#!/bin/bash
# Stop immediately if the OpenVPN directory is missing instead of scattering files elsewhere
cd /config/openvpn || exit 1
#-----------------------------------------------------------------------------------------------
# Setup

CAname=CA-World
CAsubject="/C=US/ST=SomeCity/L=SomeCity/O=CAworld"
CAexpire=10000
CAkeyLength=2048

ServerName=EdgeOpenVPN
ServerSubject="/C=US/ST=SomeState/L=SomeCity/O=MyCompany/CN=${ServerName}"
ServerExpire=10000
ServerKeyLength=2048

ClientExpire=10000
ClientKeyLength=2048

DHkeyLength=2048

#-----------------------------------------------------------------------------------------------
# Functions

# makeCA NAME EXPIRE SUBJECT KEYLENGTH -> NAME.key (CA private key) and NAME.pem (self-signed CA certificate)
function makeCA () {
CAname=$1
CAexpire=$2
CAsubject=$3
CAkeyLength=$4
printf "Generating Certificate Authority ${CAname}...\n\n"

openssl genrsa -out ${CAname}.key ${CAkeyLength}
openssl req -x509 -new -nodes -key ${CAname}.key -sha256 -days ${CAexpire} -out ${CAname}.pem -subj "${CAsubject}"
}

# makeCert CANAME NAME EXPIRE SUBJECT KEYLENGTH -> NAME.key and NAME.crt signed by CANAME
function makeCert () {
CAname=$1
CertName=$2
CertExpire=$3
CertSubject=$4
CertKeyLength=$5
printf "\nGenerating certificate for ${CertName}...\n\n"

# Temporary extension file: the issued certificate is a leaf, not a CA
ConfigFile=$(mktemp)
printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > ${ConfigFile}

openssl genrsa -out ${CertName}.key ${CertKeyLength}
openssl req -new -key ${CertName}.key -out ${CertName}.csr -subj "${CertSubject}"
openssl x509 -req -extfile ${ConfigFile} -in ${CertName}.csr -CA ${CAname}.pem -CAkey ${CAname}.key \
-CAcreateserial -out ${CertName}.crt -days ${CertExpire} -sha256

rm ${CertName}.csr
rm ${ConfigFile}
}

# makeOvpnFile CANAME CLIENTNAME HOSTNAME -> CLIENTNAME.ovpn with the CA certificate, client certificate and key inline
function makeOvpnFile () {
CAname=$1
ClientName=$2
HostName=$3

echo client > ${ClientName}.ovpn
echo dev tun >> ${ClientName}.ovpn
echo proto udp >> ${ClientName}.ovpn
echo route 192.168.1.0 255.255.255.0 >> ${ClientName}.ovpn
echo remote ${HostName} 1194 >> ${ClientName}.ovpn
echo cipher AES-256-CBC >> ${ClientName}.ovpn
echo auth SHA256 >> ${ClientName}.ovpn
echo resolv-retry infinite >> ${ClientName}.ovpn
# Quoted so the '#' reaches the file as a commented-out OpenVPN directive instead of starting a shell comment
echo '#redirect-gateway def1' >> ${ClientName}.ovpn
echo persist-key >> ${ClientName}.ovpn
echo persist-tun >> ${ClientName}.ovpn
echo user nobody >> ${ClientName}.ovpn
echo group nogroup >> ${ClientName}.ovpn
echo verb 3 >> ${ClientName}.ovpn
echo '' >> ${ClientName}.ovpn
echo '<ca>' >> ${ClientName}.ovpn
cat ${CAname}.pem >> ${ClientName}.ovpn
echo '</ca>' >> ${ClientName}.ovpn
echo '<cert>' >> ${ClientName}.ovpn
cat ${ClientName}.crt >> ${ClientName}.ovpn
echo '</cert>' >> ${ClientName}.ovpn
echo '<key>' >> ${ClientName}.ovpn
cat ${ClientName}.key >> ${ClientName}.ovpn
echo '</key>' >> ${ClientName}.ovpn
}

# showConfGuide CANAME SERVERNAME -> Server.ovpn (OpenVPN server config) and zEdgeSetup.txt (EdgeOS commands to paste)
function showConfGuide () {
CAname=$1
ServerName=$2
CurrentPath=$(pwd)

echo server 10.20.30.0 255.255.255.0 > Server.ovpn
# Lines starting with '#' are quoted so they land in the file as comments rather than being eaten by the shell
echo '# Copy push route below to have LAN subnets above router' >> Server.ovpn
echo '#push "route 192.168.1.0 255.255.255.0"' >> Server.ovpn
echo topology subnet >> Server.ovpn
echo mode server >> Server.ovpn
echo tls-server >> Server.ovpn
echo port 1194 >> Server.ovpn
echo proto udp >> Server.ovpn
echo dev tun >> Server.ovpn
echo cipher AES-256-CBC >> Server.ovpn
echo auth SHA256 >> Server.ovpn
echo ca ${CurrentPath}/${CAname}.pem >> Server.ovpn
echo cert ${CurrentPath}/${ServerName}.crt >> Server.ovpn
echo key ${CurrentPath}/${ServerName}.key >> Server.ovpn
echo dh ${CurrentPath}/dh.pem >> Server.ovpn
echo '#client-config-dir /config/ccd' >> Server.ovpn
echo keepalive 10 30 >> Server.ovpn
echo persist-key >> Server.ovpn
echo persist-tun >> Server.ovpn
echo user nobody >> Server.ovpn
echo group nogroup >> Server.ovpn
echo verb 3 >> Server.ovpn

echo set interfaces openvpn vtun0 config-file /config/openvpn/Server.ovpn > zEdgeSetup.txt
echo >> zEdgeSetup.txt
echo >> zEdgeSetup.txt
echo edit firewall name WAN_LOCAL >> zEdgeSetup.txt
echo set rule 67 action accept >> zEdgeSetup.txt
echo 'set rule 67 description "OpenVPN"' >> zEdgeSetup.txt
echo set rule 67 destination port 1194 >> zEdgeSetup.txt
echo set rule 67 protocol tcp_udp >> zEdgeSetup.txt
echo set rule 67 log disable >> zEdgeSetup.txt
}

# makeDH KEYLENGTH -> dh.pem; this is the slow step of the whole script
function makeDH () {
DHkeyLength=$1
printf "\nGenerating Diffie-Hellman parameters for perfect forward secrecy (this takes a long time)...\n\n"

openssl dhparam -out dh.pem -2 ${DHkeyLength}
}

# makeClientCert CANAME CLIENTNAME EXPIRE KEYLENGTH SERVERNAME -> client certificate, key and ready-to-use .ovpn file
function makeClientCert () {
CAname=$1
Clientname=$2
ClientExpire=$3
ClientKeyLength=$4
ServerName=$5
printf "\n\nMaking Client certificate for ${Clientname}\n"
makeCert ${CAname} ${Clientname} ${ClientExpire} "/C=US/ST=SomeState/L=SomeCity/O=${Clientname}/CN=${Clientname}" ${ClientKeyLength}
makeOvpnFile ${CAname} ${Clientname} ${ServerName}
}

#-----------------------------------------------------------------------------------------------
# Make everything

makeCA ${CAname} ${CAexpire} "${CAsubject}" ${CAkeyLength}
makeCert ${CAname} ${ServerName} ${ServerExpire} "${ServerSubject}" ${ServerKeyLength}
for i in {1..10}
do
    makeClientCert ${CAname} "User${i}" ${ClientExpire} ${ClientKeyLength} ${ServerName}
done

makeDH ${DHkeyLength}
showConfGuide ${CAname} ${ServerName}

printf "\nScript is done!\n"
printf "\nYou need to open '/config/openvpn/zEdgeSetup.txt' and run those commands\n\n"
ls '/config/openvpn/'
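Added example, not part of the script above or of the cron.dk original: the extension file used by makeCert marks every certificate as a non-CA leaf but gives server and client certificates identical key usage, so a client has no way to distinguish the real server certificate from another user's client certificate, and the client-side "remote-cert-tls server" check cannot be enabled. The functions below issue the server certificate with extendedKeyUsage serverAuth and client certificates with clientAuth, and verify_purpose uses "openssl verify -purpose" to confirm that each certificate is accepted only for its own role. The function names, the "/CN=<name>" subjects and the assumption that openssl is on PATH are this example's own.

```shell
#!/bin/bash
# Added example (not from zmake.sh): role-specific certificate issuance.
# Assumes openssl is on PATH. Function and file names are this example's own.

# make_ca NAME DAYS KEY_BITS -> NAME.key and self-signed NAME.pem
# (CA:TRUE comes from openssl's default v3_ca section when "req -x509" is used)
make_ca() {
    local name=$1 days=$2 bits=$3
    openssl genrsa -out "${name}.key" "$bits" 2>/dev/null &&
    openssl req -x509 -new -nodes -key "${name}.key" -sha256 -days "$days" \
        -out "${name}.pem" -subj "/CN=${name}" 2>/dev/null
}

# make_eku_cert CA_NAME CERT_NAME ROLE DAYS KEY_BITS
# ROLE is "server" or "client"; it selects the extendedKeyUsage so that a
# client certificate can never pass as the VPN server (and vice versa).
make_eku_cert() {
    local ca=$1 name=$2 role=$3 days=$4 bits=$5
    local eku ext rc
    case "$role" in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client, got '$role'" >&2; return 1 ;;
    esac
    ext=$(mktemp) || return 1
    # Leaf certificate: not a CA, usable for signing/key transport, restricted to one role
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' "$eku" > "$ext"
    openssl genrsa -out "${name}.key" "$bits" 2>/dev/null &&
    openssl req -new -key "${name}.key" -out "${name}.csr" -subj "/CN=${name}" 2>/dev/null &&
    openssl x509 -req -extfile "$ext" -in "${name}.csr" -CA "${ca}.pem" -CAkey "${ca}.key" \
        -CAcreateserial -out "${name}.crt" -days "$days" -sha256 2>/dev/null
    rc=$?
    rm -f "${name}.csr" "$ext"
    return $rc
}

# verify_purpose CA_NAME CERT_FILE PURPOSE -> 0 only if CERT_FILE chains to CA_NAME.pem
# and its keyUsage/extendedKeyUsage permit PURPOSE ("sslserver" or "sslclient")
verify_purpose() {
    openssl verify -CAfile "${1}.pem" -purpose "$3" "$2" >/dev/null 2>&1
}
```

With certificates issued this way, each client profile can carry "remote-cert-tls server", and a leaked client certificate plus key is no longer enough to stand up a fake VPN endpoint that the other clients would trust. The page's own client certificates would still validate under verify_purpose for sslclient after the change, so the two issuance styles can coexist while existing users are rotated.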

To make more client certificates later, comment out the makeCA, server makeCert, makeDH and showConfGuide lines and the existing "User" loop at the bottom of the script, then add one makeClientCert line per new user with the name changed as appropriate (the loop produces "User1" through "User10"). Do not run makeCA again: it would overwrite the CA key and certificate, and every certificate already issued would stop validating against the new CA.

makeClientCert ${CAname} "NewUser" ${ClientExpire} ${ClientKeyLength} ${ServerName}

Run and repeat to make multiple clients.
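Added example, not part of the script above or of the cron.dk original: a replacement for the echo chain in makeOvpnFile that writes one client profile from a heredoc, takes the routes as arguments instead of hard-coding 192.168.1.0, adds "remote-cert-tls server" so the client refuses a peer that presents an ordinary client certificate (this requires the server certificate to have been issued with extendedKeyUsage serverAuth, which the extfile in makeCert does not set, so add that before enabling the line), and checks the finished file before it is copied to a user. It assumes CA_NAME.pem, CLIENT.crt and CLIENT.key exist in the current directory as zmake.sh leaves them; the function names, the hostname vpn.example.com and the PEM blocks in demo_client_ovpn are constructed for the example and are not real key material.

```shell
#!/bin/bash
# Added example (not from zmake.sh): build one client profile and check it
# before handing it out. Assumes CA_NAME.pem, CLIENT.crt and CLIENT.key exist
# in the current directory, as zmake.sh leaves them. Function names are this
# example's own.

# make_client_ovpn CA_NAME CLIENT_NAME HOST [NET/MASK ...] -> writes CLIENT_NAME.ovpn
# Extra arguments become explicit client-side "route" lines.
make_client_ovpn() {
    local ca=$1 client=$2 host=$3 r
    shift 3
    {
        # Profile body. "#redirect-gateway def1" is shipped commented out; uncomment
        # it to send all client traffic through the VPN. "remote-cert-tls server"
        # makes the client refuse a peer whose certificate lacks serverAuth.
        cat <<EOF
client
dev tun
proto udp
remote ${host} 1194
cipher AES-256-CBC
auth SHA256
remote-cert-tls server
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
verb 3
EOF
        for r in "$@"; do
            # "192.168.1.0/255.255.255.0" -> "route 192.168.1.0 255.255.255.0"
            printf 'route %s %s\n' "${r%%/*}" "${r#*/}"
        done
        printf '\n<ca>\n';   cat "${ca}.pem";     printf '</ca>\n'
        printf '<cert>\n';   cat "${client}.crt"; printf '</cert>\n'
        printf '<key>\n';    cat "${client}.key"; printf '</key>\n'
    } > "${client}.ovpn"
}

# check_client_ovpn FILE -> 0 when the profile has the directives a client needs and
# each inline <ca>/<cert>/<key> block is opened once, closed once and holds PEM data
check_client_ovpn() {
    local f=$1 d t
    [ -r "$f" ] || return 1
    for d in '^client$' '^dev tun$' '^remote ' '^remote-cert-tls server$'; do
        grep -q -- "$d" "$f" || { echo "$f: missing '$d'" >&2; return 1; }
    done
    for t in ca cert key; do
        [ "$(grep -c "^<${t}>\$" "$f")" -eq 1 ] || { echo "$f: bad <$t> block" >&2; return 1; }
        [ "$(grep -c "^</${t}>\$" "$f")" -eq 1 ] || { echo "$f: bad </$t> block" >&2; return 1; }
        sed -n "/^<${t}>\$/,/^<\/${t}>\$/p" "$f" | grep -q -- '-----BEGIN' \
            || { echo "$f: no PEM data inside <$t>" >&2; return 1; }
    done
}

# demo_client_ovpn -> prints the path of a profile built from CONSTRUCTED placeholder
# PEM files (not real key material) in a scratch directory, after checking it
demo_client_ovpn() (
    cd "$(mktemp -d)" || exit 1
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n' > CA-World.pem
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT\n-----END CERTIFICATE-----\n' > User1.crt
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n' > User1.key
    make_client_ovpn CA-World User1 vpn.example.com 192.168.1.0/255.255.255.0 || exit 1
    check_client_ovpn User1.ovpn && echo "$PWD/User1.ovpn"
)
```

On the router, a real run would be "make_client_ovpn CA-World User1 EdgeOpenVPN 192.168.1.0/255.255.255.0" from /config/openvpn, followed by "check_client_ovpn User1.ovpn"; the check catches the most common hand-off failures, a profile written before the certificate existed (empty <cert> block) or truncated during copy (missing closing tag). The "user nobody"/"group nogroup" lines of the original client file are left out here because they only apply to Unix clients.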