dbiers.me - IPFire Site-to-Site VPN (OpenVPN) with Edgerouter-X EdgeOS / Vyatta
Journey of connecting IPFire OpenVPN (server) and a Ubiquiti Edgerouter-X (EdgeOS/Vyatta) in a site-to-site VPN connection.
IPFire Site-to-Site VPN (OpenVPN) with Edgerouter-X EdgeOS / Vyatta
by David · April 5, 2016
Categories: Architecture / Configuration / Scripting

What led up to this VPN?

Recently I was playing around with a cloud network that I *normally* would VPN into so that I could connect. The OpenVPN server was managed and packaged with IPFire, a minimally sized but full-featured packaged software firewall distribution. It's similar to Untangle, pfSense, and a few others. I like it because I've heard of many people that have issues with pfSense. Also, I have a preference to stay away from BSD (I literally spent the majority of my time compiling software rather than using it). I also recently ran into some issues with my 6 year old router running DD-WRT that was holding me back, but the final breaking point for me switching routers was that when pinging my DD-WRT router (directly connected to it and its LAN), pings were spiking to 104ms ON THE LAN. Not acceptable. I bought a Ubiquiti Edgerouter-X router on Amazon for $50 (it seems the price has gone up to $70 at this time). I really like the equipment from Ubiquiti: the interface(s), hardware, etc. all seem really nice and well put together. I wish I had more to play with, but having two kids puts you on a budget for your own toys.

Pre-requisites

You need to know the network(s) that will be connecting together. My home network runs on 10.10.10.0/24 with the router being 10.10.10.1 and my server being 10.10.10.2. The private LAN behind IPFire resides on 192.168.200.0/24 with the IPFire server/firewall being 192.168.200.1, web servers as 192.168.200.11-19, etc.
Creating the VPN Profile

Navigate to the OpenVPN configuration on IPFire (Services > OpenVPN). Under "Connection Status and Control", click the "Add" button and select "Net-to-Net Virtual Private Network".

Options chosen:

Name: home-to-WANLAN
Act As: OpenVPN Server (I wanted IPFire to be the server, not the client)
Local Subnet: 192.168.200.0/255.255.255.0 (this is the private network that is being controlled by IPFire)
OpenVPN Subnet: 192.168.25.0/255.255.255.0 (this is the subnet that the tunnel gets. You really only need a single IP for it.)
Destination port: 1200 (as OpenVPN was already using the default 1194)
Remote Host IP: 10.10.10.1 (but this is optional)
Remote Subnet: 10.10.10.0/255.255.255.0 (as this is what my home network runs on)
Protocol: UDP
Management Port: The rest is up to you

Once you are back at the main OpenVPN area, go ahead and download the client certificate package (*.zip).

Integrating Certificates Into Configuration

This was a fun part because I didn't want to use the P12 (pkcs12) that was given in the client package. I went ahead and extracted all the certificates and keys needed using the following Confluence page from UIowa (University of Iowa). In a quick run-down:

Extract CA from P12:
    # openssl pkcs12 -nokeys -cacerts -in openvpnN2N.p12 -out ca-cert.pem

Extract Client Certificate from P12:
    # openssl pkcs12 -nokeys -clcerts -in openvpnN2N.p12 -out client-cert.pem

Extract Client Key from P12:
    # openssl pkcs12 -nocerts -in openvpnN2N.p12 -out client-key-protected.pem

Remove Password from Client Key:
    # openssl rsa -in client-key-protected.pem -out client-key.pem

Add Certificates and Keys to OpenVPN Configuration

I used the following page at Brainfart on embedding the certificates right into the VPN configuration file. At the end of your configuration file, add the following tags along with their respective certificates and keys (NOTE: Do *not* include any of the certificate information at the head of the extracted certificate contents!)

    <ca>
    -----BEGIN CERTIFICATE-----
    !!! ca-cert.pem contents !!!
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    !!! client-cert.pem contents !!!
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    !!! client-key.pem contents !!!
    -----END PRIVATE KEY-----
    </key>

One more edit to make: comment out the line referencing the PKCS12 (*.p12) file. As the certificates are embedded, there's no need to look for a file to use for authentication.

    # pkcs12 /path/to/openvpn-n2n.p12

Once this has been completed and saved, get ready to connect.

Adding configuration to EdgeOS

This is probably the easiest part. Find a way to get the configuration from OpenVPN that you've just finished editing. You can go about this several ways, off the top of my head:

- Upload via SFTP to the Edgerouter.
- SSH to the Edgerouter, create a new "vpn.conf" file in vi and just paste it in.

However you choose to do it, it's a minimal-effort deal. Just make sure it is somewhere outside of the /home/ subfolders, as these get wiped out with each upgrade/update and you will lose the configuration if you don't keep it out of there. Log into your Edgerouter over SSH, or just use the built-in CLI tools inside the EdgeOS web interface, and run the following with your preferred naming convention:

    configure
    save /root/rollback.conf
    set interfaces openvpn vtun5 config-file /path/to/altered-config.conf
    commit
    save

The above will create a new OpenVPN interface named "vtun5" and reference the configuration in the path you've provided. Don't worry, the first "save" command will back up your current running-config just in case you need/want to roll back. After the commit, your vtun5 interface should come online. You can check your routes to see if everything has correctly been passed. The next thing is to test pings from another workstation or server. I tested from my server in the house (10.10.10.2) and was able to ping 192.168.200.11 (one of the webservers behind IPFire) and vice-versa.
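The certificate-extraction and embedding steps above, put together as one script. This is an added example, not code from the original post; it assumes the file names the post uses (openvpnN2N.p12, ca-cert.pem, client-cert.pem, client-key.pem) and that the unmodified client config is passed as the second argument. The part a hand edit gets wrong most easily is the "Bag Attributes" / "subject=" / "issuer=" header that openssl pkcs12 writes before each PEM block, which is what the post's NOTE is about; pem_body strips it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the file names the post
# uses (openvpnN2N.p12, ca-cert.pem, client-cert.pem, client-key.pem).
set -eu

# Print only the PEM block(s) of a file. "openssl pkcs12" writes "Bag
# Attributes", "subject=" and "issuer=" lines before the PEM block; those
# must not end up between the <ca>/<cert>/<key> tags.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# Wrap a PEM file in the inline tag OpenVPN expects, e.g. <ca> ... </ca>.
inline_block() {
    printf '<%s>\n' "$1"
    pem_body "$2"
    printf '</%s>\n' "$1"
}

# Write the final config to stdout: the original config with its pkcs12
# directive commented out, followed by the three inline blocks.
build_inline_config() {
    sed 's/^[[:space:]]*pkcs12[[:space:]]/# &/' "$1"
    inline_block ca   "$2"
    inline_block cert "$3"
    inline_block key  "$4"
}

# The openssl steps from the post. "openssl rsa" writes the key without a
# passphrase, so from here on the key (and the config that embeds it) is a
# plaintext secret: restrict the file modes and keep it out of /home on the
# router, as the post notes.
extract_from_p12() {
    umask 077
    openssl pkcs12 -nokeys -cacerts -in "$1" -out ca-cert.pem
    openssl pkcs12 -nokeys -clcerts -in "$1" -out client-cert.pem
    openssl pkcs12 -nocerts -in "$1" -out client-key-protected.pem
    openssl rsa -in client-key-protected.pem -out client-key.pem
}

# Usage: sh embed-certs.sh openvpnN2N.p12 openvpnN2N.conf > altered-config.conf
if [ $# -eq 2 ]; then
    extract_from_p12 "$1"
    build_inline_config "$2" ca-cert.pem client-cert.pem client-key.pem
fi
```

Redirect the output to the path you then give to `set interfaces openvpn vtun5 config-file`, and give that file mode 600 since it now contains the private key.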
The only thing I can't *really* figure out is that the Edgerouter is unable to ping 192.168.25.1, which was the IP address given to IPFire's OpenVPN endpoint for this particular VPN connection (my Edgerouter received 192.168.25.2):

    23:33_dave@eoshub ~ $> sudo mtr --report -c 20 192.168.200.11
    HOST: eoshub.home        Loss%   Snt   Last   Avg  Best  Wrst StDev
      1. 10.10.10.1           0.0%    20    0.4   0.4   0.3   0.5   0.0
      2. 192.168.25.1         0.0%    20   71.8  71.5  65.5  77.8   3.5
      3. 192.168.200.11       0.0%    20   68.2  72.1  66.9  79.6   3.6

Conclusion

It's been fun getting this configured. I previously tried with an ASUS router, but it does not have SSH, SNMP, or anything special to it, so it was quite a disappointment, especially on ASUS's part, as I've always liked their hardware, but it seems they are trying too hard to make everything look cool instead of functionally sound. If I figure out the whole "router-to-router" thing where my Edgerouter is unable to ping the VPN endpoint(s) on IPFire, I will update the post. In addition to this, I've been playing around a lot with collectd, InfluxDB, and Grafana. I have a gardening project coming up soon that I've been looking forward to, so if all goes well, I should have some nice graphs put together with humidity and soil moisture sensors and what-not.

Tags: edgeos, edgerouter, IPFire, ubiquiti, vpn, vyatta