- 1 OpenVPN
- 2 OpenVPN Client/server
- 2.1 Certificates and keys
- 2.2 Certificates and keys: EasyRSA 3.0.5
- 2.3 Certificates and keys: 2cca Alternative
- 2.4 Server
- 2.5 Client
- 2.6 Static Client IPs
- 2.7 TLS Authentication
- 2.8 Other OpenVPN options
- 3 OpenVPN Site to site
- 4 References
- 5 Bridge VPN
- 6 OpenVPN parameters
- 7 Troubleshooting
OpenVPN's greatest strength is its extremely high degree of configuration flexibility. It is truly a "Swiss Army Knife" VPN tool that handily accomplishes pretty much any "VPNish" task.
- Routed or bridged VPN
- Running server with dynamic IP
- Connecting to an OpenVPN server via an HTTP proxy
- Runs on Windows 2000/XP and higher, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Solaris.
Traditionally, routers and firewalls have leveraged IPsec-based VPN solutions for site-to-site VPN functionality because much of IPsec can be implemented in hardware. As a software router and firewall, VyOS sees no performance gain from IPsec, and equivalently no performance penalty for SSL VPN solutions such as OpenVPN.
If building a VPN solution using VyOS exclusively, OpenVPN will generally provide the best results in terms of ease-of-use, stability, and performance; while maintaining strong encryption on par with IPSec VPN solutions.
Certificates and keys
The VyOS CLI requires TLS authentication for the client/server mode, so you need certificates and keys.
OpenVPN provides scripts to easily generate the PKI and all the required certificates: https://openvpn.net/index.php/open-source/documentation/howto.html#pki
These scripts are available in VyOS. You need to type Linux commands in the VyOS CLI.
Here is a quick howto:
Copy the easy-rsa folder and edit the field values to match your organization:
cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2-my
vi /config/easy-rsa2-my/vars
cd /config/easy-rsa2-my/
source ./vars
./clean-all
Build the CA, DH parameters, keys and certificates. Do not set a password on the certificates.
./build-ca
./build-dh
./build-key-server server
./build-key client
Copy the server files to their final location; under /config/auth/ is a good place.
sudo mkdir /config/auth/ovpn
sudo cp keys/ca.crt /config/auth/ovpn/
sudo cp keys/dh1024.pem /config/auth/ovpn/
sudo cp keys/server.key /config/auth/ovpn/
sudo cp keys/server.crt /config/auth/ovpn/
Save the files for the client instance: ca.crt, client.key and client.crt
To copy files to your VyOS you can use scp. As keys and certificates are text files, you can also copy and paste them.
Certificates and keys: EasyRSA 3.0.5
Here is a quick howto for implementing an EasyRSA 3.0 certificate authority on VyOS. This has been tested and verified on VyOS 1.1.8 and VyOS 1.2-rc6.
- Download EasyRSA 3.0.x (link: https://github.com/OpenVPN/easy-rsa/releases)
- Extract and uncompress tar file.
- Become root user (sudo su -)
- Copy EasyRSA-3.0.5 to /config/auth/<ca directory>
- Best Practice #1: If you are planning or need to implement a multi-tenant OpenVPN server, then copy the EasyRSA files to separate directories (e.g. Accounting, Engineering, MIS, etc.)
- Best Practice #2: Check the permissions of the EasyRSA directory and files in /config/auth. I have found that the permissions get a bit munged (chown -R root:vyattacfg <directory>)
wget <copy link address>
tar -xzf <filename>
Change directory to the CA directory (e.g. cd /config/auth/<ca directory>)
./easyrsa init-pki
./easyrsa build-ca <CA Name> nopass
./easyrsa build-server-full <OpenVPN Server Name> nopass
./easyrsa gen-dh
Create Client Key
./easyrsa build-client-full <OpenVPN Client Name>
./easyrsa export-p12 <OpenVPN Client Name>
Changes from EasyRSA 2.0
- It is no longer necessary to source the vars file.
- EasyRSA 3.0 includes vars.example; copy it to vars and edit as needed.
- By default EasyRSA 3.0 creates crt, key and other files in the pki directory:
  - root of pki - this is where ca.crt and dh.pem are located
  - private - location of private keys
  - issued - location of issued public certificates
  - reqs - location of certificate requests
Certificates and keys: 2cca Alternative
The examples directory no longer ships with VyOS images. A safer and more useful alternative to Easy-RSA is 2cca. This example places all of your key material on your VyOS machine, which is not a good practice from a security perspective.
Installation is accomplished by copying 2cca.py to your VyOS install. I placed my copy in /config/auth, and I removed the '.py' extension.
cd /config/auth
openssl dhparam -outform PEM -out /config/auth/dh1024.pem 1024
python 2cca root cn=MyDomain.Net
python 2cca server cn=gl1.MyDomain.Net ca=MyDomain.Net
This will create the root CA key and certificate, "MyDomain.Net.key" and "MyDomain.Net.crt". It also sets up the OpenVPN server certificate and key, 'gl1.MyDomain.Net.crt' and 'gl1.MyDomain.Net.key'.
python 2cca client cn=david.MyDomain.Net ca=MyDomain.Net
python 2cca client cn=joshua.MyDomain.Net ca=MyDomain.Net
This creates two user keys and certificates which can be distributed to clients.
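Whichever of the three methods above produced the files, it pays to validate the CA/certificate/key triple before referencing it in the VyOS configuration. The following POSIX shell helper is an added example, not part of this page, of VyOS, or of the EasyRSA/2cca tooling; the function name ovpn_check_pki is hypothetical, and it assumes the openssl binary is present (it is on VyOS). It checks that the certificate chains to the CA, that the private key belongs to the certificate, that the certificate is not about to expire, and that the key file is not readable by group or others (the permission problem noted in the EasyRSA section).

```shell
#!/bin/sh
# Added helper (hypothetical name, not a VyOS or EasyRSA command).
# Usage: ovpn_check_pki <ca.crt> <cert.crt> <cert.key>
# Prints each failed check and returns 0 only when all checks pass.
ovpn_check_pki() {
    ca="$1"; cert="$2"; key="$3"; rc=0

    # 1. The certificate must chain to the CA the tunnel will trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca"; rc=1
    fi

    # 2. The private key must be parseable and must belong to the certificate:
    #    compare SHA-256 digests of the DER public key taken from each side.
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key is not a readable private key"; rc=1
    else
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
                   | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
        key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
        if [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert"; rc=1
        fi
    fi

    # 3. Refuse a certificate that is expired or expires within 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "FAIL: $cert is expired or expires within 24h"; rc=1
    fi

    # 4. The private key must not be group- or world-readable: columns 5-10 of
    #    "ls -l" are the group/other permission bits and must all be "-".
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or others ($(ls -l "$key" | cut -c1-10))"; rc=1
    fi
    return $rc
}

# Stand-alone use, e.g. after the EasyRSA 2.0 steps above:
#   ovpn_check_pki /config/auth/ovpn/ca.crt /config/auth/ovpn/server.crt /config/auth/ovpn/server.key
if [ $# -eq 3 ]; then ovpn_check_pki "$@"; fi
```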
Server
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '192.168.10.0/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'
To enable LZO compression:
set interfaces openvpn vtun0 use-lzo-compression
The following change is recommended, since the default cipher is Blowfish with a 64-bit block size, which is considered insecure.
set interfaces openvpn vtun0 encryption aes256
Valid options are:
des     DES algorithm
3des    DES algorithm with triple encryption
bf128   Blowfish algorithm with 128-bit key
bf256   Blowfish algorithm with 256-bit key
aes128  AES algorithm with 128-bit key
aes192  AES algorithm with 192-bit key
aes256  AES algorithm with 256-bit key
set interfaces openvpn vtun0 keep-alive interval 10
set interfaces openvpn vtun0 keep-alive failure-count 3
The above settings will send a keepalive packet every 10 seconds, and reset the tunnel after 30 seconds (interval * failure-count).
Push route to client
set interfaces openvpn vtun0 server push-route 192.168.2.0/24
By default, a client only routes traffic to the router and to other OpenVPN clients via OpenVPN. This setting tells the client to route all traffic for subnet 192.168.2.0/24 through this VyOS router.
Client
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 remote-host <server ip>
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/client.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/client.key'
To enable compression and stronger encryption, as in the server example above:
set interfaces openvpn vtun0 use-lzo-compression
set interfaces openvpn vtun0 encryption aes256
Static Client IPs
By default, the OpenVPN server can assign any open IP address from the server OpenVPN subnet to connecting clients. To reserve specific IPs for specific clients, so they will always be assigned the same IP, add a client section to your tunnel. The client name should match the name of the generated certificates ("client1" in the below example).
On OpenVPN server:
set interfaces openvpn vtun0 server client client1
set interfaces openvpn vtun0 server client client1 ip 192.168.10.100
TLS Authentication
As an extra security measure, you can add TLS authentication to the control channel. This can also prevent some types of DoS attacks.
Create a TLS authentication key:
openvpn --genkey --secret ta.key
Upload the key to your OpenVPN server and to all clients; the examples below store the key in /config/auth/ovpn/.
On the server (key direction 0):
set interfaces openvpn vtun0 openvpn-option 'tls-auth /config/auth/ovpn/ta.key 0'
On the client (key direction 1):
set interfaces openvpn vtun0 openvpn-option 'tls-auth /config/auth/ovpn/ta.key 1'
Other OpenVPN options
OpenVPN has many options that can be passed to the VyOS OpenVPN process. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-3/
To pass OpenVPN options not already covered by the VyOS openvpn syntax, use the openvpn-option setting.
set interfaces openvpn vtun0 openvpn-option "$OPTION"
OpenVPN Site to site
While many are aware of OpenVPN as a client VPN solution, it is often overlooked as a site-to-site VPN solution due to lack of router and firewall support.
In this example, we'll configure a simple site-to-site OpenVPN tunnel using a 2048-bit pre-shared key.
First, on one of the systems, generate the key using the operational command generate openvpn key <filename>. This will create a key with the name provided in the /config/auth/ directory. Once generated, you will need to copy this key to the remote router. In our example, we used the filename openvpn-1.key, which we will reference in our configuration.
- The public IP address of the local side of the VPN will be 198.51.100.10
- The remote will be 203.0.113.11
- The tunnel will use 10.255.1.1 for the local IP and 10.255.1.2 for the remote.
- OpenVPN allows for either TCP or UDP. UDP will provide the lowest latency, while TCP will work better for lossy connections; generally UDP is preferred when possible.
- The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN.
- The persistent-tunnel directive will allow us to configure tunnel-related attributes, such as firewall policy, as we would on any normal network interface.
- If known, the IP of the remote router can be configured using the remote-host directive; if unknown, it can be omitted. We will assume a dynamic IP for our remote router.
Local router (198.51.100.10); remote-host is omitted because the remote router has a dynamic IP:
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 remote-address '10.255.1.2'
set interfaces openvpn vtun1 local-host '198.51.100.10'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.1'
Remote router (203.0.113.11):
set interfaces openvpn vtun1 mode site-to-site
set interfaces openvpn vtun1 protocol udp
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 remote-host '198.51.100.10'
set interfaces openvpn vtun1 remote-address '10.255.1.1'
set interfaces openvpn vtun1 remote-port '1195'
set interfaces openvpn vtun1 shared-secret-key-file '/config/auth/openvpn-1.key'
set interfaces openvpn vtun1 local-address '10.255.1.2'
set interfaces openvpn vtun1 local-port '1195'
set interfaces openvpn vtun1 local-host '203.0.113.11'
The configurations above will default to using 128-bit Blowfish in CBC mode for encryption and SHA-1 for HMAC authentication. These are both considered weak, but a number of other encryption and hashing algorithms are available:
vyos@vyos# set interfaces openvpn vtun1 encryption
Possible completions:
  des     DES algorithm
  3des    DES algorithm with triple encryption
  bf128   Blowfish algorithm with 128-bit key
  bf256   Blowfish algorithm with 256-bit key
  aes128  AES algorithm with 128-bit key
  aes192  AES algorithm with 192-bit key
  aes256  AES algorithm with 256-bit key
vyos@vyos# set interfaces openvpn vtun1 hash
Possible completions:
  md5     MD5 algorithm
  sha1    SHA-1 algorithm
  sha256  SHA-256 algorithm
  sha512  SHA-512 algorithm
If you change the default encryption and hashing algorithms, be sure that the local and remote ends have matching configurations, otherwise the tunnel will not come up.
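To catch such a mismatch before committing, the following POSIX shell/awk helper is an added example, not part of this page's configuration or of VyOS; the function name ovpn_s2s_check is hypothetical. It reads the two routers' site-to-site configurations as files of set commands (like the two blocks above) and verifies that they mirror each other: local/remote tunnel addresses and ports swapped correctly, remote-host (when set) naming the peer's local-host, and identical protocol, encryption, hash and shared-secret-key-file.

```shell
#!/bin/sh
# Added helper (hypothetical name, not a VyOS command).
# Usage: ovpn_s2s_check <local-side.cfg> <remote-side.cfg>
# Each file holds "set interfaces openvpn <if> <key> [<value>]" lines as in
# the configuration above. Returns 0 when the two ends are consistent.
ovpn_s2s_check() {
    awk -v q="'" '
    # Collect every key/value per side: side A is the first file, B the second.
    $1 == "set" && $2 == "interfaces" && $3 == "openvpn" {
        side = (FILENAME == ARGV[1]) ? "A" : "B"
        val = $6; gsub(q, "", val)            # strip CLI quoting
        v[side, $5] = val
    }
    # a on one side must equal b on the other, in both directions
    function mirror(a, b) {
        if (v["A", a] != v["B", b] || v["A", b] != v["B", a]) {
            printf "FAIL: %s/%s are not mirrored (A: %s/%s, B: %s/%s)\n",
                   a, b, v["A", a], v["A", b], v["B", a], v["B", b]
            bad++
        }
    }
    # k must be identical on both sides (unset on both is fine: same default)
    function same(k) {
        if (v["A", k] != v["B", k]) {
            printf "FAIL: %s differs (A: %s, B: %s)\n", k, v["A", k], v["B", k]
            bad++
        }
    }
    # remote-host, when set on side s, must name the peer o local-host
    function peer(s, o) {
        if (v[s, "remote-host"] != "" && v[s, "remote-host"] != v[o, "local-host"]) {
            printf "FAIL: %s remote-host %s is not %s local-host %s\n",
                   s, v[s, "remote-host"], o, v[o, "local-host"]
            bad++
        }
    }
    END {
        if (v["A", "mode"] != "site-to-site" || v["B", "mode"] != "site-to-site") {
            print "FAIL: mode must be site-to-site on both ends"; bad++
        }
        mirror("local-address", "remote-address")
        mirror("local-port", "remote-port")
        peer("A", "B"); peer("B", "A")
        same("protocol"); same("encryption"); same("hash")
        same("shared-secret-key-file")
        exit (bad > 0)
    }' "$1" "$2"
}
```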
Static routes can be configured referencing the tunnel interface; for example, the local router will use a network of 10.0.0.0/16, while the remote has a network of 10.1.0.0/16:
On the local router:
set protocols static interface-route 10.1.0.0/16 next-hop-interface vtun1
On the remote router:
set protocols static interface-route 10.0.0.0/16 next-hop-interface vtun1
Firewall policy can also be applied to the tunnel interface for the in and out directions and functions identically to ethernet interfaces.
If making use of multiple tunnels, OpenVPN must have a way to distinguish between different tunnels aside from the pre-shared key. This is done by IP address or by port number: one option is to dedicate a public IP to each tunnel, another is to dedicate a port number to each tunnel (e.g. 1195, 1196, 1197...).
OpenVPN status can be verified using the show openvpn operational commands. See the built-in help for a complete list of options.
- For site-to-site with TLS instead of a pre-shared key, you have to create a PKI as for client/server
- One end point will have the passive (server) role for authentication
- The other one will have the active (client) role
Certificate generation (reuse the certificate generation steps from the client/server section):
source ./vars
./build-key-server site2site_passive
./build-key site2site_active
Active site configuration
Certificate and key files are stored in /config/auth/.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 tls role active
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls key-file /config/auth/site2site_active.key
set interfaces openvpn vtun0 tls cert-file /config/auth/site2site_active.crt
Passive site configuration
Certificate and key files are stored in /config/auth/.
set interfaces openvpn vtun0 mode site-to-site
set interfaces openvpn vtun0 tls role passive
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls key-file /config/auth/site2site_passive.key
set interfaces openvpn vtun0 tls cert-file /config/auth/site2site_passive.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem
Bridge VPN
To create a bridged (L2) VPN, simply integrate the tunnel into a bridge:
set interfaces bridge br0 address '192.168.0.1'
set interfaces bridge br0 description 'Bridge VPN'
set interfaces openvpn vtun0 bridge-group bridge 'br0'
set interfaces openvpn vtun0 mode 'server'
set interfaces openvpn vtun0 server subnet '192.168.1.10/24'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/ovpn/server.crt'
set interfaces openvpn vtun0 tls dh-file '/config/auth/ovpn/dh1024.pem'
set interfaces openvpn vtun0 tls key-file '/config/auth/ovpn/server.key'
Note: As of 1.1.7, the server subnet parameter has no effect for a bridge VPN but is still required by the CLI to commit.
OpenVPN parameters
OpenVPN is highly configurable. The VyOS CLI focuses on:
- Integration with VyOS (firewall, policy...)
- Minimal subset of parameters to set OpenVPN in standard configuration (Client/Server, Site-to-site, bridged...) with basic settings.
All other OpenVPN parameters have to be set through the openvpn-option setting. The CLI offers the following completions:
Possible completions:
 > bridge-group             Interface to be added to a bridge group
   description              Description for the interface
   device-type              OpenVPN interface device-type
   disable                  Interface to be disabled
   encryption               Data encryption algorithm option
 > firewall                 Firewall options
   hash                     Hashing algorithm option
 > ip                       IPv4 routing parameters
 > ipv6                     IPv6 routing parameters
+> local-address            Local IP address of tunnel
   local-host               Local IP address to accept connections (all if not set)
   local-port               Local port number to accept connections
   mode                     OpenVPN mode of operation
 + openvpn-option           Additional OpenVPN options
   persistent-tunnel        Do not close and reopen interface (TUN/TAP device) on client restarts
 > policy                   Policy route options
   protocol                 OpenVPN communication protocol
   redirect                 Incoming packet redirection destination
   remote-address           IP address of remote end of tunnel
 + remote-host              Remote host to connect to (dynamic if not set)
   remote-port              Remote port number to connect to
 > replace-default-route    OpenVPN tunnel to be used as the default route
 > server                   Server-mode options
   shared-secret-key-file   File containing the secret key shared with remote end of tunnel
 > tls                      Transport Layer Security (TLS) options
 > traffic-policy           Traffic-policy for interface
Refer to the OpenVPN man page for a list of parameters.
Example: to disable encryption and compression
set interfaces openvpn vtun0 openvpn-option "cipher none"
set interfaces openvpn vtun0 openvpn-option "comp-lzo no"
Troubleshooting
Use the show openvpn command to show server, client or site-to-site OpenVPN instances. For server instances:
show openvpn server status
To restart OpenVPN (server side), or to reset a single client:
reset openvpn interface vtun0
reset openvpn client <client_name>
Display the OpenVPN configuration and command line:
show configuration commands | grep openvpn
ps -ef | grep openvpn
Use monitor openvpn to follow events, or grep /var/log/messages directly:
monitor openvpn &
grep openvpn /var/log/messages