Install, upgrade or remove OpenVPN-Radius-Auth (Debian/openvpn-auth-radius) on Ubiquiti hardware. By default, the installer caches the deb-package so that the same version of OpenVPN-Radius-Auth can be restored after a firmware upgrade.
The script is based on the work of Mathias Fredriksson (mafredri/vyatta-wireguard-installer).
The package was provided by the Debian community.
Installation
Generating DH Keys In my docker I was able to go to SSLForFree.net and create the certs necessary to get openvpn up and running. Seems the version that on my new firewall requires several different files to be uploaded. Trusted Certificate (CA Certificate) - Got it Server / Client Certificate - Got it Server / Client Key - Got it DH Key - Need it. The command below will generate the client’s private key and it’s Certificate Signing Request (CSR). The client in this tutorial is called Client2.The script will prompt for a password related to the client’s private that is used by OpenVPN when attempting to connect using the configuration file.
Simply copy the script onto your Ubiquiti router and run it.
Note: By placing this script in /config/scripts/post-config.d, the OpenVPN-Auth-Radius installation will persist across firmware upgrades.
Usage
Setup Road-Warrior OpenVPN
Install Vyatta-OpenVPN-Auth-Radius
See above.
Setup Client Configs
- Create client config dir:
- Create client configs if needed (filename equals RADIUS username), e. g. a static IP:
Configure OpenVPN-Server
- Minimal config needed by RADIUS plugin:
Configure Radius-Plugin
Adjust the following values to your environment:
- NAS-IP-Address (Note: Use a LAN IP address, when using the built-in RADIUS-server set to your default LAN IP address,
127.0.0.1won't work!) - name (Note: The address of your RADIUS-Server, when using the built-in RADIUS-server set to your default LAN IP address.)
- sharedsecret (Note: Use only alphanumeric characters
[A-Za-z0-9]in RADIUS server secret!)
Optional:
- NAS-Identifier
- subnet
- acctport
- authport
Install Easy-RSA
Create Certificates
- Generate
tls-authkey
Configure USG
- Check for existing remote user vpn networks:
Adapt the example config.gateway.json:
- if applicable merge with existing
config.gateway.json interfaces > openvpn > vtun0 > openvpn-optioninterfaces > openvpn > vtun0 > server > subnetfirewall > group > network-group > remote_user_vpn_network > network
- if applicable merge with existing
Transfer to controller and appropriate site (
/srv/unifi/data/sites/<site>/)Force provision USG in controller
Create Client Profile
Adapt the client.ovpn:
- YOUR_SERVER (FQDN or IP address)
- <ca> (the content of
/config/user-data/eays-rsa/keys/ca.crtgenerated above) - <tls-auth> (the content of
/config/user-data/openvpn/ta.keygenerated above)
Import into your client and connect
Monitoring & Troubleshooting
- Check config of USG
- Monitor VPN connections
- FreeRADIUS debugging
Resources
References:
Pre-requisites
Install openvpn. On Debian/Ubuntu, something like this should install all you need:
Certificate setup
Edit the variables in easy-rsa/vars and set appropriate key sizes, etc. Important vars:
KEY_SIZE: Size of certificate keys, etc. Set to 4096 or bigger (in 2016). I used 8196, but that’s probably overkill for now :-) Check Applied Crypto Hardening (ACH) for some advice.CA_EXPIRE: ACH mentions 5 years as a “sane value” (remember that you’ll have to switch all certs signed by the CA when it expires)KEY_EXPIRE: ACH recommends 1 yearKEY_COUNTRY,KEY_PROVINCE,KEY_CITY,KEY_ORG,KEY_EMAIL,KEY_OU: Set to whatever you want. This is certificate information and you’re only setting up a private VPN, not something mission critical, right?
Change into the easy-rsa directory and source the vars file, since those are used by most scripts:
Start with a clean slate:
Create the (self-signed) certificate authority (Use a password to protect the CA):
Generate the server’s certificate (no password, since we want the server to start automatically when restarting the computer).
Generate Diffie-Hellman parameters. This makes it harder to crack keys en-masse over the Internet (explanation for this falls out of the scope of this tutorial. Check WeakDH). Warning: on iOS 9 with OpenVPN1.0.7, DH parameters of 8192 resulted in not being able to connect. Generating DH parameters takes a long time. Feel free to leave a terminal running this command and do the rest of the tutorial on another one (remember to cd to the proper directory and source vars).
This command takes a long time. 8192 takes days on a Raspberry Pi2 (even on a tricked out Mac Pro from 2014, it takes >24h). 4096 should take a while, but be tolerable. 4096 bit keys take ~8h on an RPi2. From experiments, it seems 8192 doesn't work on iOS OpenVPN app. Feel free to override KEY_SIZE for this command:
Generate a shared secret key, which is useful to protect against DoS attacks:
Create/edit the server configuration file. /etc/openvpn/server.conf is a good place. Example configuration for a UDP server (commented):
If desired, create a TCP config file by copying over the UDP version and editing the lines with the server (pick a different range) proto (tcp) and port (if you want) directives (Having a TCP server on port 80 or 443 is very useful to bypass firewalls, since those ports are usually open. Feel free to try UDP on port 53 (DNS) or 123 (NTP)).
Copy over files created with easy-rsa to /etc/openvpn to have everything in the same place (If you don’t want to copy, adjust the paths on the server configuration file):
Create a client template config file. I usually keep it in /etc/openvpn/clients/iOS-config-template.ovpn:
If you have completed developing your Android App and now wants to publish it on Playstore. Generating a signing key android mac book.
Write this script to /etc/openvpn/openvpn-unify (or somewhere else, it’s not sensitive). It turns a regular configuration file plus the certificates and keys into a “unified” configuration file, so we don’t need to copy over several files. This unified file will contain the shared secret between the server and the clients (same for every client), so should be protected.
Make it executable:
Create the unified config file for this server’s clients:
TODO
tls-verify and others, which allow the server/clients to verify parts of each other’s certificates before allowing the connection to go through.
systemd dealings:
OpenVPN installs /lib/systemd/system/[email protected] (at least on Debian)To get systemd to start the VPN server with a config file in /etc/openvpn/myconfigfile.conf, do:
Ftp Auth Tls
systemd extracts the part after the @ and before .service, and uses that to find the config file (check out the [email protected] file)
For server.conf and server-tcp.conf:
Feel free to start the servers now:
To be able to route everything through the VPN you’ll need to enable IP forwarding and tell the firewall to forward traffic.
Add these lines to /etc/rc.local or your favourite boot up script:
Openvpn Tls Auth Key
Write this (after substituting the IP range and network interface) to /etc/iptables-saved:
Add the OpenVPN user:
Set up the chroot directory (needs a tmp directory inside it):
@steveayre is mostly wrong. Generate public key from private key openssl. To every one using rsa and openssl and wanting to encrypt a large file like 5 Kbyte. I told whom i know in openssl about the flaw, and that they should just make it loop on it self otherwise you will use a lot of time figuring out why it complain about the size.–May 29 '13 at 12:22. Please remeber that the public key should be proportional or bigger in size to what you want to encrypt otherwise you will get a 'file to big to be encrypted fault.' I summarize that you generate a rather large and serious private key and from that make your private keys so that you have a lot of data to work with.
Adding VPN clients
To add a VPN client, you’ll need to generate a certificate and sign it with the server CA. Ideally, the client will provide a certificate request, but this tutorial doesn’t do that. Each client should have their own certificate so we can revoke them one by one if needed.
Generate a PKCS#12 file with client-name as the common name, and sign it with the server’s certificate:
Provide a strong password. Take the client-name.p12 file and store it somewhere safe.
Get the client-name.p12 file onto the iOS device. Easiest ways are:
- Create a temporary web server on your local network and use Safari to get the PKCS#12
- Email it to yourself and open the attachment
Get the iOS-config.ovpn file onto the OpenVPN app on your iOS device using iTunes (safer), or email/Safari (OpenVPN should get the file when you open it).
Open the OpenVPN iOS app, import the configuration, and connect. All should be good :-) If not:
Generate Tls-auth Key Openvpn Mac
- Did you add the DNS entry, or double-check the IP?
- Check the logs (on the iOS app or with
journalctl -xfon the server (yes, assuming Linux and system))