IPFire Site-to-Site VPN (OpenVPN) with Edgerouter-X EdgeOS / Vyatta
What led up to this VPN?
Recently I was playing around with a cloud network that I would normally VPN into to reach anything on it. The OpenVPN server was managed and packaged with IPFire, a small but feature-packed software firewall distribution.
It's similar to Untangle, pfSense, and a few others. I like it because I've heard of many people who have issues with pfSense. Also, I prefer to stay away from BSD (I spent more of my time compiling software than using it).
I also recently ran into some issues with my 6-year-old router running DD-WRT that were holding me back, but the final breaking point for switching routers was that pings to the DD-WRT router, from a machine directly connected to its LAN, were spiking to 104 ms. ON THE LAN. Not acceptable.
I bought an Ubiquiti Edgerouter-X on Amazon for $50 (the price seems to have gone up to $70 at this time). I really like Ubiquiti's equipment: the interfaces, hardware, etc. all seem really nice and well put together. I wish I had more to play with, but having two kids puts you on a budget for your own toys.
You need to know the networks that will be connected together, and the two LAN ranges must not overlap, since each side ends up with a route to the other. My home network runs on 10.10.10.0/24, with the router at 10.10.10.1 and my server at 10.10.10.2.
The private LAN behind IPFire is 192.168.200.0/24, with the IPFire server/firewall at 192.168.200.1, web servers at 192.168.200.11-19, etc.
Creating the VPN Profile
- Navigate to the OpenVPN page on IPFire (Services > OpenVPN)
- Under "Connection Status and Control", click the "Add" button
- Choose "Net-to-Net Virtual Private Network"
- Options chosen:
  - Name: home-to-WANLAN
  - Act As: OpenVPN Server (I wanted IPFire to be the server, not the client)
  - Local Subnet: 192.168.200.0/255.255.255.0 (the private network behind IPFire)
  - OpenVPN Subnet: 192.168.25.0/255.255.255.0 (the transfer network for the tunnel itself; IPFire wants a whole subnet, but only two addresses are actually used, one per endpoint. Pick a range that is not in use on either LAN.)
  - Destination port: 1200 (the existing OpenVPN server on IPFire already listens on the default 1194, so this tunnel gets a port of its own)
  - Remote Host IP: 10.10.10.1 (optional)
  - Remote Subnet: 10.10.10.0/255.255.255.0 (my home network)
  - Protocol: UDP
  - Management Port: (left blank)
  - The rest is up to you
Once you are back at the main OpenVPN area, go ahead and download the client certificate package (*.zip).
Integrating Certificates Into Configuration
This was a fun part because I didn't want to use the P12 (PKCS#12) bundle that came in the client package. I extracted the certificates and keys from it following a Confluence page from UIowa (University of Iowa). In a quick run-down (each command prompts for the import password of the bundle):
Extract the CA certificate from the P12:
# openssl pkcs12 -nokeys -cacerts -in openvpnN2N.p12 -out ca-cert.pem
Extract the client certificate from the P12:
# openssl pkcs12 -nokeys -clcerts -in openvpnN2N.p12 -out client-cert.pem
Extract the client key from the P12 (this one also asks for a new passphrase to protect the output):
# openssl pkcs12 -nocerts -in openvpnN2N.p12 -out client-key-protected.pem
Remove the passphrase from the client key (or add -nodes to the previous command to skip it in one step):
# openssl rsa -in client-key-protected.pem -out client-key.pem
client-key.pem is now an unencrypted private key, so chmod 600 it right away and delete client-key-protected.pem once you no longer need it. On OpenSSL 3.x, if the pkcs12 commands refuse the bundle with an "unsupported" algorithm error, add -legacy to load the legacy provider for the old RC2/3DES ciphers.
Add Certificates and Keys to OpenVPN Configuration
I used the following page at Brainfart on embedding the certificates right into the VPN configuration file.
At the end of your configuration file, add the following tags, each wrapped around the matching certificate or key. Copy only from the -----BEGIN line through the -----END line; do *not* include the "Bag Attributes" and subject/issuer lines that openssl prints above each PEM block. The key header will read -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- depending on your OpenSSL version; OpenVPN accepts either, so copy whichever your file has.
<ca>
-----BEGIN CERTIFICATE-----
!!! ca-cert.pem contents !!!
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
!!! client-cert.pem contents !!!
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
!!! client-key.pem contents !!!
-----END PRIVATE KEY-----
</key>
One more edit to make: comment out the line referencing the PKCS#12 (*.p12) file. With the certificates embedded there is no file to look for, and OpenVPN will not accept a pkcs12 directive alongside inline ca/cert/key anyway, nor start if the path it points at doesn't exist on the router.
# pkcs12 /path/to/openvpn-n2n.p12
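The whole extract-and-embed procedure above, as an added shell example that is not from the original post or from IPFire/EdgeOS. It assumes `openssl` is on PATH; the n2n.conf it writes and the throwaway CA it generates are constructed stand-ins for the bundle IPFire hands out (203.0.113.10 is a placeholder for the IPFire address). It goes a little beyond the text: it strips the Bag Attributes header automatically, creates every file containing the key with mode 0600, and checks that the extracted key actually belongs to the extracted certificate before the config is assembled.

```shell
#!/bin/sh
# Added example, not from the original post or from IPFire/EdgeOS: split the
# IPFire net-to-net .p12 into PEM files, assemble a single OpenVPN config with
# <ca>/<cert>/<key> inline, and sanity-check the result before copying it to the
# router. Assumes `openssl` is on PATH. The n2n.conf and the throwaway CA below
# are constructed stand-ins for the bundle IPFire hands out.
set -eu

# pem_only FILE: print only the -----BEGIN ... -----END blocks in FILE, dropping
# the "Bag Attributes"/subject header lines that `openssl pkcs12` prepends.
pem_only() {
  sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# extract_from_p12 BUNDLE.p12 OUTDIR PASSWORD: write ca-cert.pem, client-cert.pem
# and an unencrypted client-key.pem into OUTDIR. umask 077 makes every file
# (the key in particular) mode 0600 from the moment it is created.
extract_from_p12() {
  p12=$1 out=$2 pass=$3
  mkdir -p "$out"
  (
    umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -cacerts -out "$out/ca-cert.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/client-cert.pem"
    # -nodes writes the key without a passphrase, replacing the separate `openssl rsa` step
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$out/client-key.pem"
  )
}

# key_matches_cert CERT.pem KEY.pem: succeed only if the key's public half equals
# the certificate's public key (catches copying the wrong cert or key).
key_matches_cert() {
  certpub=$(openssl x509 -in "$1" -noout -pubkey)
  keypub=$(openssl pkey -in "$2" -pubout)
  [ "$certpub" = "$keypub" ]
}

# is_private_mode FILE: succeed if FILE is readable and writable by its owner only.
is_private_mode() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# build_inline_config ORIGINAL.conf CERTDIR OUTPUT.conf: copy the config minus
# the `pkcs12` directive, then append the three inline blocks.
build_inline_config() {
  conf=$1 certdir=$2 outfile=$3
  (
    umask 077   # the output embeds the private key, so it is owner-only as well
    {
      grep -v '^[[:space:]]*pkcs12[[:space:]]' "$conf"
      for item in ca:ca-cert cert:client-cert key:client-key; do
        tag=${item%%:*} file=${item#*:}
        printf '<%s>\n' "$tag"
        pem_only "$certdir/$file.pem"
        printf '</%s>\n' "$tag"
      done
    } > "$outfile"
  )
}

# make_test_bundle DIR PASSWORD: constructed throwaway CA and client certificate
# packed into DIR/openvpnN2N.p12, standing in for IPFire's real bundle.
make_test_bundle() {
  dir=$1 pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=home-to-WANLAN \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/openvpnN2N.p12"
}

WORK=$(mktemp -d)
PASS=ipfire-demo
make_test_bundle "$WORK" "$PASS"
# Constructed stand-in for the client config in IPFire's zip (203.0.113.10 is a
# placeholder for the IPFire public address; 1200 is the port chosen above).
printf 'client\ndev tun\nproto udp\nremote 203.0.113.10 1200\npkcs12 /path/to/openvpnN2N.p12\nverb 3\n' \
  > "$WORK/n2n.conf"

extract_from_p12 "$WORK/openvpnN2N.p12" "$WORK/certs" "$PASS"
key_matches_cert "$WORK/certs/client-cert.pem" "$WORK/certs/client-key.pem"
build_inline_config "$WORK/n2n.conf" "$WORK/certs" "$WORK/vpn.conf"
echo "inline config written to $WORK/vpn.conf (copy it to the router outside /home)"
```

To use it on the real bundle, replace the make_test_bundle call with the path to the openvpnN2N.p12 from the zip and the import password IPFire shows you, and point build_inline_config at the .conf from the same zip. The key check is the part worth keeping even if you do the extraction by hand: an OpenVPN client with a key that doesn't belong to its certificate fails the TLS handshake with an error that is easy to misread as a firewall problem.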
Once this has been completed and saved, get ready to connect.
Adding configuration to EdgeOS
This is probably the easiest part. Find a way to get the OpenVPN configuration you've just finished editing onto the router. Off the top of my head, you can go about this several ways:
- Upload via SFTP to the Edgerouter.
- SSH to Edgerouter, create new "vpn.conf" file in vi and just paste it in.
However you choose to do it, it's a minimal-effort deal. Just make sure the file lands somewhere outside the /home/ subfolders, as these get wiped out with each upgrade/update and you will lose the configuration if you keep it there. Remember that the file now contains the tunnel's unencrypted private key: keep it root-owned and readable only by root (chmod 600), and clean up any stray copies of the extracted key.
Log into your Edgerouter over SSH or just using the built-in CLI tools inside the EdgeOS web interface and run the following with your preferred naming convention:
configure
save /root/rollback.conf
set interfaces openvpn vtun5 config-file /path/to/altered-config.conf
commit
save
The above will create a new OpenVPN interface named "vtun5" and reference the configuration in the path you've provided. Don't worry, the first "save" command will back up your current running-config just in case you need/want to roll back.
After the commit, your vtun5 interface should come up. Check your routes (show ip route on the Edgerouter) to confirm that 192.168.200.0/24 is now reachable via vtun5, then test pings from another workstation or server. I tested from my server in the house (10.10.10.2) and was able to ping 192.168.200.11 (one of the web servers behind IPFire) and vice versa.
The one thing I can't *really* figure out is that the Edgerouter itself is unable to ping 192.168.25.1, the address IPFire's OpenVPN endpoint received for this tunnel (my Edgerouter got 192.168.25.2). Traffic passing through the router is fine: an mtr from the server on the LAN reaches the web server behind IPFire, and 192.168.25.1 answers as the second hop, so the tunnel and the routes are working and the problem is specific to packets that originate on the Edgerouter (which would be sourced from its tunnel address 192.168.25.2 rather than from the 10.10.10.0/24 remote subnet IPFire was told about). That is worth checking on the IPFire side:
23:33_dave@eoshub ~ $> sudo mtr --report -c 20 192.168.200.11
HOST: eoshub.home            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 10.10.10.1               0.0%    20    0.4   0.4   0.3   0.5   0.0
  2. 192.168.25.1             0.0%    20   71.8  71.5  65.5  77.8   3.5
  3. 192.168.200.11           0.0%    20   68.2  72.1  66.9  79.6   3.6
It's been fun getting this configured. I previously tried with an ASUS router, but it does not have SSH, SNMP, or anything special, so it was quite a disappointment, especially on ASUS's part: I've always liked their hardware, but it seems they are trying too hard to make everything look cool instead of being functionally sound.
If I figure out the whole "router-to-router" thing where my Edgerouter is unable to ping the VPN endpoint(s) on IPFire, I will update the post.
In addition to this, I've been playing around a lot with collectd, InfluxDB, and Grafana. I have a gardening project coming up soon that I've been looking forward to so if all goes well, I should have some nice graphs put together with humidity and soil moisture sensors and what-not.