add OpenVPN client configuration

Timo Stankowitz · Timo Stankowitz · commit f77e2e1a4747 · 2020-04-07T12:55:36.000+02:00
diff --git a/OpenVPN-client.md b/OpenVPN-client.md
@@ -0,0 +1,99 @@
+# OpenVPN config (Client)
+This tutorial describes how to configure the EdgeRouter as a OpenVPN Client.
+
+Usefull links:
+- [Youtube: EdgeRouter OpenVPN to Private Internet Access!](https://www.youtube.com/watch?v=B9dXiKhDVl0) 
+- [Youtube: Dedicated Private Internet VLAN and Wireless Network](https://www.youtube.com/watch?v=_TBj5MYmgQc)
+
+## Basic setup
+First you need to ssh into your EdgeRouter. Then create a directory where you store your OpenVPN files.
+
+```
+sudo su
+mkdir -p /config/auth/example
+```
+
+In this example I have the following files:
+- ca.crt (Root CA)
+- client.key (User private key)
+- client.crt (User certificate)
+- openvpn-static-key-v1.key (for tls-auth)
+- example.ovpn (OpenVPN client configuration (see below))
+
+Make sure that `key.pem` has `chmod 600`
+
+## Example of the OpenVPN config-file
+This file could differ depending on your openvpn server setup.
+```
+client
+dev tun 
+proto udp
+remote vpn.example.com
+resolv-retry infinite
+nobind
+persist-key
+persist-tun
+key-direction 1
+remote-cert-tls server
+auth-nocache
+auth SHA512
+cipher AES-256-GCM
+
+# files
+ca /config/auth/example/ca.crt
+cert /config/auth/example/client.crt
+key /config/auth/example/key.pem
+tls-auth /config/auth/example/openvpn-static-key-v1.key 1
+
+```
+
+## Setup the interface
+If you already configured you EdgeRouter as a OpenVPN server then you need to change the network inteface from `vtun0` to something else (e.g. `vtun1`)
+
+```
+configure
+set interfaces openvpn vtun0 description 'example vpn'
+set interfaces openvpn vtun0 config-file /config/auth/example/example.ovpn
+commit
+save
+```
+
+
+
+## Setup an extra VLAN for clients
+```
+# create a new vlan (VLAN 10)
+set interfaces switch switch0 vif 10 address 192.168.40.1/24
+set interfaces switch switch0 vif 10 description 'example VLAN'
+set interfaces switch switch0 vif 10 mtu 1500
+```
+
+## Setup a DHCP server
+```
+set service dhcp-server shared-network-name EXAMPLE-LAN authoritative disable
+set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 default-router 192.168.40.1
+set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 dns-server 1.1.1.1
+set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 domain-name example.com
+set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 lease 86400
+set service dhcp-server shared-network-name EXAMPLE-LAN subnet 192.168.40.0/24 start 192.168.40.10 stop 192.168.40.100
+```
+
+## Setup NAT & routing
+```
+# setup NAT
+set service nat rule 5020 description NAT-EXAMPLE-VPN
+set service nat rule 5020 log disable
+set service nat rule 5020 outbound-interface vtun0
+set service nat rule 5020 source address 192.168.40.0/24 
+set service nat rule 5020 type masquerade
+
+# setup routing
+set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface vtun0
+
+set firewall modify VPN_EXAMPLE_ROUTE rule 10 description 'Subnet to VPN'
+set firewall modify VPN_EXAMPLE_ROUTE rule 10 source address 192.168.40.0/24
+set firewall modify VPN_EXAMPLE_ROUTE rule 10 modify table 1
+
+# apply the firewall route to VLAN 10
+set interfaces switch switch0 vif 10 firewall in modify VPN_EXAMPLE_ROUTE
+```
diff --git a/OpenVPN-server.md b/OpenVPN-server.md
@@ -1,7 +1,8 @@
-# OpenVPN config
+# OpenVPN config (Server)
+This tutorial describes how to setup a OpenVPN server on a EdgeRouter.
 
-## create Certificates
-You need to create the following files. You can use the Software XCA for that
+## Create certificates
+Here is a list with files that you need. You can use the Software XCA for that
 - ca.crt (Root CA)
 - server.crt (Server Certificate)
   - To prevent MITM Attacks make sure you set 
@@ -15,7 +16,7 @@ After you create the files copy all of them into `/config/auth/`
 
 For you client config: Make sure `remote-cert-tls server` is set.
 
-## configure Basic
+## Basic OpenVPN configuration
 ```
 configure
 set interfaces openvpn vtun0
@@ -28,8 +29,8 @@ set interfaces openvpn vtun0 server push-route 192.168.178.0/24
 set interfaces openvpn vtun0 server subnet 192.168.177.0/24
 ```
 
-## configure Files
-As described above. Make sure you private key has `chmod 400`.
+## Certificate setup
+As described above. Make sure you private key has `chmod 600`.
 
 ```
 set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
@@ -40,15 +41,14 @@ set interfaces openvpn vtun0 tls key-file /config/auth/server.key
 set interfaces openvpn vtun0 tls crl-file /config/auth/revocation-list.crl
 ```
 
-## config Log
-
+## Configure logging
 ```
 set interfaces openvpn vtun0 openvpn-option "--log /var/log/openvpn.log"
 set interfaces openvpn vtun0 openvpn-option "--status /var/log/openvpn-status.log"
 set interfaces openvpn vtun0 openvpn-option "--verb 7"
 ```
 
-## configure Firewall
+## Firewall configuration
 Don't forget to set NAT for the openvpn clients
 
 ```
diff --git a/README.md b/README.md
@@ -1,2 +1,4 @@
 # EdgeRouter-Stuff
 Some Information about the Ubiquiti's EdgeOS
+
+If you have comments / find errors /suggestions feel free to contact me / create a merge request. Thanks.
diff --git a/dual-wan.md b/dual-wan.md
@@ -1,5 +1,6 @@
 # set nat for both interfaces
 
+```
 set load-balance group LB-GROUP interface eth3 failover-only
 set load-balance group LB-GROUP interface eth3 route-test initial-delay 60
 set load-balance group LB-GROUP interface eth3 route-test interval 10
@@ -11,3 +12,4 @@ set load-balance group LB-GROUP interface pppoe0 route-test type ping target 8.8
 
 set load-balance group LB-GROUP lb-local enable
 set load-balance group LB-GROUP lb-local-metric-change disable
+```
diff --git a/example-dhcp.md b/example-dhcp.md
@@ -1,6 +1,10 @@
+# Example DHCP configuration
+
+```
 set service dhcp-server shared-network-name CLIENT-LAN authoritative disable
 set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 default-router 172.22.1.1
 set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 dns-server 172.21.7.147
 set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 lease 86400
 set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 domain-name example.com
 set service dhcp-server shared-network-name CLIENT-LAN subnet 172.22.1.0/24 start 172.22.1.10 stop 172.22.1.100
+```
