Feb 052014
 February 5, 2014  Posted by at 2:20 pm documentation, networking, security, vpn Tagged with: , , ,  21 Responses »

OpenVPN Client/Server Implemenation

==== key signing ====
You can host the certificate authority on the vyos device itself. This is obviously not as secure as hosting it on a separate system. If someone was to get into the vyos they would have access to all your keys and would be able to sign new keys against the CA. Nonetheless, it is convenient and secure-enough for many sites. This is how it can be done.
From the VyOS, copy the easy-rsa directory into /config, where it won’t get lost on an upgrade.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2
vi /config/easy-rsa2/vars

edit the options at the bottom of /config/easy-rsa2/vars to personalize them. Increasing KEY_SIZE to 2048 is recommended. Also, you can increase the certificate authority and key expiration. These are the defaults:

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

now load the variables

$ cd /config/easy-rsa2/
$ source ./vars

start fresh in case there is something old lingering around in there. This will delete all keys, etc.

$ ./clean-all

Build the certificate authority files

$ ./build-ca

Build the diffie-hellman key exchange

$ ./build-dh

Build the key for the server

$ ./build-key-server js-server

Copy the certs and keys into /config/auth

sudo cp /config/easy-rsa2/keys/ca.crt /config/auth/
sudo cp /config/easy-rsa2/keys/dh1024.pem /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.key /config/auth/
sudo cp /config/easy-rsa2/keys/js-server.crt /config/auth/

Now you can build the key for the client and distribute to them
use ./build-key to generate a certificate that will connect to the vpn without a pass-phrase and ./build-key-pass if you want the user to enter a pass-phrase before connecting. ./build-key-pass is more secure in case someone steals your certificate and key they will still need to enter a password to connect.

$ ./build-key jimmy

answer all questions accordingly and be sure to answer yes to “Sign the certificate?” the “1 out of 1 certificate requests certified, commit?”
Now copy the keys and certs and create a config for Jimmy to remote in with. This is how I do it.
first make a directory for the client in /config/easy-rsa2/keys

cd /config/easy-rsa2/keys
mkdir jimmy
cp jimmy* jimmy/
cp ca.crt jimmy/

create a client config with your favorite text editor,

vi jimmy/jsvpnserver.ovpn

and add the following

proto udp
remote-cert-tls server
verb 2
dev tun0
cert jimmy.crt
key jimmy.key
ca ca.crt
remote [vpn-server host or ip] 1194

From your local computer download the config directory (jimmy) from the vpn server

$ scp -r vyos@ .

this copies the jimmy directory into the current directory on your computer (the period designates current directory). If your on MS Windows you will need to use cygwin or putty-scp to do this. Also, if using MS Windows you will need to run unix2dos on those files
from your computer where you downloaded the jimmy folder to.

unix2dos jimmy/*

I wrote a script to do all this for you -> http://jasonschaefer.com/stuff/easyrsa-user-setup-vyos.sh.txt

Setting up the OpenVPN Server

The server subnet needs to be a different subnet from your LAN. Set it to something unique that will be unlikely on any remote networks your clients will be on.
The “–push route” needs to be changed to the subnet on the LAN of the router. The one you will VPN in to reach.

set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 server subnet
set interfaces openvpn vtun0 server name-server
set interfaces openvpn vtun0 server domain-name jasonschaefer.com
set interfaces openvpn vtun0 server push-route
set service dns forwarding listen-on vtun0
set interfaces openvpn vtun0 tls cert-file /config/auth/js-server.crt
set interfaces openvpn vtun0 tls key-file /config/auth/js-server.key
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

#Set the firewall to allow openvpn through

set firewall name wan-local rule 40 action accept
set firewall name wan-local rule 40 destination port openvpn
set firewall name wan-local rule 40 protocol udp


Thats it! Your done!


basic instructions:

generate the passive key for head office from inside the easyrsa folder

source ./vars
./build-key-server site2site_server-passive
scp keys/site2site_server-passive.* user@vpn-server-passive-host:/config/auth/

#active key for branch office, this side initiates the vpn handshakes

./build-key site2site_active
scp keys/site2site_active.* user@vpn-server-active-host:/config/auth/

active site files in /config/auth/

passive site files in /config/auth/


#site to site openvpn

set interfaces openvpn vtun9
set interfaces openvpn vtun9 local-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-address 172.16.9.[1 | 2]
set interfaces openvpn vtun9 remote-host [remote-vpn-host]

#standard openvpn port is 1194, best used for client/server mode. prevents ovpn config from needing port setting

set interfaces openvpn vtun9 local-port 1195
set interfaces openvpn vtun9 remote-port 1195
set interfaces openvpn vtun9 mode site-to-site
set interfaces openvpn vtun9 tls ca-cert-file /root/ca.crt
#the passive site cert/key needs to be signed as a server!
set interfaces openvpn vtun9 tls key-file /root/[passive.key | active.key ]
set interfaces openvpn vtun9 tls cert-file /root/[passive.crt | active.crt]
set interfaces openvpn vtun9 tls role [active | passive]
#dh1024.pem is required on passive host only!
set interfaces openvpn vtun9 tls dh-file /root/dh1024.pem

#open firewall for openvpn

set firewall name wan-local rule 20 action accept
set firewall name wan-local rule 20 destination port 1195
set firewall name wan-local rule 20 protocol tcp_udp

#set static routes to networks on other side of vpn, if any

set protocols static route next-hop 172.16.9.[1 | 2]
set protocols static route next-hop 172.16.9.[1 | 2]



How to reach your vpn server and avoid using a static ip. We will be using afraid.org to automatically update a hostname’s A record with the public ip of your Vyos VPN server.

You will need to register for an account at https://freedns.afraid.org. Then create a subdomain, for this example it will be myvpnserver.mooo.com. Go to the “Dynamic DNS” section and copy the “Direct URL”.

Create a script under /config/scripts on your Vyos.
vi /config/scripts/myvpnserver.mooo.com.sh

/usr/bin/curl -k [paste your direct url here]

Make it executable
chmod 755 /config/scripts/myvpnserver.mooo.com.sh

Now tell Vyos to run this with cron.
set system task-scheduler task dynamicDNS executable path /config/scripts/myvpnserver.mooo.com.sh
set system task-scheduler task dynamicDNS interval 15m



vyos@router:~$ cd /config/easy-rsa2/

vyos@router:/config/easy-rsa2$ ./revoke-full jimmy

Using configuration from /config/easy-rsa2/openssl.cnf
Revoking Certificate 0E.
Data Base Updated
Using configuration from /config/easy-rsa2/openssl.cnf
jimmy.crt: /C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local
error 23 at 0 depth lookup:certificate revoked

The error 23 at 0 … is normal and expected.

Now copy the updated CRL (certificate revocation list) to /config/auth
vyos@router:/config/easy-rsa2$ cp keys/crl.pem /config/auth/

If this is the first revocation you need to add it to the config as well:

vyos@router:~$ configure
vyos@router# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
vyos@router# save; commit; exit
Saving configuration to ‘/config/config.boot’…
No configuration changes to commit



You can verify the revoked keys with the openssl command
vyos@router:~$ openssl crl -in /config/auth/crl.pem -text

Revoked Certificates:
    Serial Number: 08
        Revocation Date: Jan 30 00:19:24 2016 GMT
    Serial Number: 0E
        Revocation Date: Jul 13 22:51:50 2016 GMT

In the above example keys 08 and 0E have been revoked
vyos@router:~$ cat /config/easy-rsa2/keys/index.txt

V	230804225528Z		        02	unknown	/C=US/ST=NM/L=SantaFe/O=SITC/CN=jason/emailAddress=jason@local
R	230806213443Z	160130001924Z	08	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=john/emailAddress=john@localhost
R	260711225142Z	160713225150Z	0E	unknown	/C=US/ST=NM/L=SantaFe/O=Blah/CN=jimmy/emailAddress=jimmy@localhost.local

From this file index.txt, you can ascertain which serial numbers belong to which users!

Oct 032013
 October 3, 2013  Posted by at 4:15 pm documentation, vpn Tagged with: , , ,  No Responses »

This outlines a typical VPN implementation with server, clients and routing. Using Attitude Adjustment 12.09

Set a password in LuCI web interface to enable ssh access. Then ssh to device and do the following.

opkg update
opkg install openvpn-openssl openvpn-easy-rsa

It is recommended to create the certificate authority on another computer, even one that is not connected to any network! Although, that requires more work than I usually care to do.

Because I have done an upgrade accidentally and overwritten my easy-rsa directory, and thus all keys/certs along with it, I now move this directory into /etc/config/openvpn-config.

mkdir /etc/config/openvpn-config
mv /etc/easy-rsa/ /etc/config/openvpn-config/
cd /etc
ln -s config/openvpn-config/easy-rsa

(this creates a relative symlink)

edit the following or don’t if you want to enter it manually on certificate creation.
At the end of the /etc/easy-rsa/vars file:

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US" <-*edit*
export KEY_PROVINCE="CA" <-*edit*
export KEY_CITY="SanFrancisco" <-*edit*
export KEY_ORG="Fort-Funston" <-*edit*
export KEY_EMAIL="me@myhost.mydomain"
export KEY_EMAIL=mail@host.domain
export KEY_CN=changeme <-*edit - servers hostname*
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234

(run this to ensure your starting with a clean slate)
build-key-server servername_server
(don’t set a challenge password, Answer yes to sign the certificate and yes to commit.)

Instead of using UCI syntax (that I struck out below) we can break this out to be more openvpn standard and troubleshooting friendly. Also, I have added the ability to set static ip’s for the openvpn clients.

Overwrite /etc/config/openvpn with the following config

config openvpn server_openvpn
option enabled 1
option config /etc/config/openvpn-config/server.conf

config openvpn lan
option enable 1
option port 1194
option proto udp
option dev tun
option ca /etc/easy-rsa/keys/ca.crt
option cert /etc/easy-rsa/keys/servername_server.crt
option key /etc/easy-rsa/keys/servername_server.key
option dh /etc/easy-rsa/keys/dh1024.pem
option ifconfig_pool_persist /tmp/ipp.txt
option keepalive "10 120"
option comp_lzo yes
option persist_key 1
option persist_tun 1
option status /var/log/openvpn-status.log
#option log /tmp/openvpn.log
option verb 3
option server ""
option topology subnet
option client_to_client 1
list push "dhcp-option DOMAIN lan"
list push "dhcp-option DNS"
list push "route"

The following is the openvpn server config (that is called by /etc/config/openvpn) in /etc/config/openvpn-config/server.conf

port 1194
proto udp
dev tun
comp-lzo yes
ifconfig-pool-persist /tmp/ipp.txt
status /var/log/openvpn-status.log
mute 5
log /tmp/openvpn.log
keepalive 10 120

dh   /etc/config/openvpn-config/easy-rsa/keys/dh2048.pem
ca   /etc/config/openvpn-config/easy-rsa/keys/ca.crt
key  /etc/config/openvpn-config/easy-rsa/keys/server.key
cert /etc/config/openvpn-config/easy-rsa/keys/server.crt

mode server
topology subnet
push "topology subnet"
push "route-gateway"
push "route"
push "dhcp-option DNS"

#client-config-dir /etc/config/openvpn-config/clients

If you want to enable the static client ip assignments be sure to uncomment the client-config-dir above and make a directory as such.
mkdir /etc/config/openvpn-config/clients
write a file inside the clients directory with the same name as the common name of the openvpn client certificate.
For example, in a file /etc/config/openvpn-config/clients/jason

/etc/init.d/openvpn enable
/etc/init.d/openvpn restart

cd /etc/config/openvpn-config/
openvpn --config server.config

check for errors
cat /tmp/openvpn.log

Check for errors in the openvpn config syntax using uci show
uci show openvpn
The following will be displayed if there are no syntax issues. Use of the quotes are common mistakes.
openvpn.lan.keepalive=10 120
openvpn.lan.push=dhcp-option DOMAIN lan dhcp-option DNS route


Now lets setup the tun interface so that we can add zones
in /etc/config/network or in LuCI.

config interface 'vpn0'
	option proto 'none'
	option ifname 'tun0'




Create a zone called openvpn_zone with vpn0 network.

in /etc/config/firewall

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'openvpn_zone'
	option network 'vpn0'
	option forward 'REJECT'


We now explicitly declare the forwards like this.
openvpn_zone to lan zone allow

config forwarding
	option dest 'lan'
	option src 'openvpn_zone'

openvpn_zone to wan allow, if you want openvpn clients to use the wan for example if using redirect-gateway

config forwarding
	option dest 'wan'
	option src 'openvpn_zone'

openvpn_zone to lan allow

config forwarding
	option dest 'openvpn_zone'
	option src 'lan'



Allow the openvpn server to accept connections from clients out in the world.

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'openvpn2device'
	option enabled '0'

An overview of traffic rules







** NOTE: Occasionally, I have had to reboot for the above zone’s to work **

== Optional firewall rules to use, instead of using the zones. Not recommended ==
in /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Allow all traffic in and out of the tun interface.
iptables -A input_rule      -i tun+ -j ACCEPT
iptables -A output_rule     -o tun+ -j ACCEPT
# This rule will allow traffic towards internet from tun
iptables -A forwarding_rule -i tun+ -j ACCEPT
iptables -A forwarding_rule -o tun+ -j ACCEPT


build-key jason
or you can run build-key-pass to issue a key that asks the user to enter the password before it is used (more secure).
Once you have completed the build-key, being sure to answer yes to signing the certificate and commit.

Now you need to get the keys for jimmy and the ca.crt (not ca.key!). Each client needs these files to connect.
scp /etc/easy-rsa/keys/jason.* jason@
scp /etc/easy-rsa/keys/ca.crt jason@

Then create the client config in the same directory as the crt’s and keys. If your installing this on a windows box then you should run unix2dos on all the files.
Create a file called jason.ovpn in jason-vpn directory as such

dev tun
remote hostname-to-server 1194 udp
ca ca.crt
cert jason.crt
key jason.key
remote-cert-tls server
mute 5
resolv-retry infinite
keepalive 10 60
#redirect-gateway def1

I have a script to help with client config http://jasonschaefer.com/stuff/easyrsa-user-setup-openwrt.sh.txt

Test the server by connecting from off-site.
cd into your local config directory where your certs, keys and .ovpn config are.
sudo openvpn jason.ovpn
enter your sudo password

You should see something like this at the end of the openvpn output:

Fri Feb 28 22:19:01 2014 /sbin/ifconfig tun0 netmask mtu 1500 broadcast
Fri Feb 28 22:19:01 2014 /sbin/route add -net netmask gw
Fri Feb 28 22:19:01 2014 Initialization Sequence Completed

and you will see a tun interface

# ip a
38: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
inet brd scope global tun0
valid_lft forever preferred_lft forever

and the correct route has been pushed to you

# ip r via dev tun0


add the following line to /etc/config/openvpn:
option crl_verify /etc/easy-rsa/keys/crl.pem

run “revoke-full” with users key as argument:

revoke-full [key-to-revoke]

restart openvpn:

/etc/init.d/openvpn restart

Apr 262013
 April 26, 2013  Posted by at 12:45 pm Tutorial, vpn Tagged with: , , ,  2 Responses »

DON”T USE PPTP ITS INSECURE!! USE OPENVPN INSTEAD. HERE IS A TUTORIAL -> http://jasonschaefer.com/openvpn-on-the-openwrt

That said, if you want to setup pptp on the openwrt here is a guide.
The router is Backfire 10.03.1 at address This configuration will setup the PPtP VPN server and it should be pointed out that its not a very secure VPN. Basically, it requires that someone capture the authentication handshake of a pptp connection. Then extract the keys and crack the hashes or bruteforce. There is a service that was released last year that will crack these keys and produce the authentication hash, that can auth as the password. This was done to encourage people to stop using this lame technology. Here is a great write up that will answer all questions https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

With the above insecurity disclaimer and a note that this really shouldn’t be used for anything requiring real security. I proceed..

opkg install pptpd kmod-mppe

== /etc/pptpd.conf ==

option /etc/ppp/options.pptpd
speed 115200
stimeout 10

== /etc/ppp/options.pptpd ==

logfile /tmp/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
proxyarp #required to be able to connect to the lan subnet without being directly connected.
mppe required,no40,no56,stateless

== /etc/ppp/chap-secrets ==

jason * testypass *

== /etc/firewall.user ==

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Allow all traffic in and out of the ppp interface. No reason to specify nets.
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT
# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT

== /etc/config/firewall ==

config 'rule'
option 'target' 'ACCEPT'
option '_name' 'pptpd'
option 'src' 'wan'
option 'proto' 'tcpudp'
option 'dest_port' '1723'
Oct 282010
 October 28, 2010  Posted by at 12:20 pm documentation, Tutorial, vpn Tagged with: , ,  No Responses »

These are the manual instructions for installing and configuring OpenVPN client.

After having many problems over the years with openvpn gui breaking, I have devised a reliable work around. Create the following batch script, name it something like ovpnConnect.bat, and right click to “Run as Administrator”. This does require the openvpn gui from openvpn.net to be installed. It calls the openvpn.exe. You can also add multiple vpn client connections!

@echo off

net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
) else (
    echo Failure: Please right click and "Run as administrator"
exit 0

cd "c:\Program Files\OpenVPN\config\" && "c:\Program Files\OpenVPN\bin\openvpn.exe" [userconfig].ovpn

Download openvpn gui at http://openvpn.net/index.php/open-source/downloads.html#latest-stable

Run installer

Leave the components section as default.

Accept the TAP driver install

Right click on OpenVPN GUI and select properties

Go to Compatibility tab and select “run this program as administrator”
(It requires admin priviledges because it needs to write routes for the new VPN tunnel. Without, it will connect but won’t know how to reach the other network.)

Get your OpenVPN configuration files from the system administrator. Copy and paste them into C:\Program Files\OpenVPN\config

ca.crt (certificate authority)
jason.crt (client certificate)
jason.key (client secret key)
jason.ovpn (client configuration). Here are the contents of jason.ovpn:

dev tun0
cert jason.crt
key jason.key
ca ca.crt
remote vpn.server 1194

Now you can launch OpenVPN GUI by double clicking the icon on the desktop (the one we just set to run as admin). This will launch the OpenVPN GUI into the system tray.

Click on system tray, right click on OpenVPN GUI, left click “Connect”.

If all goes well, you will successfully connect. The OpenVPN GUI systray icon turns green. Now you are on the Virtual Private Network!