Generate Diffie-Hellman parameters (required to set up the encryption): `build-dh`. Generate a shared-secret key (required when using `tls-auth`): `"C:\Program Files\OpenVPN\bin\openvpn.exe" --genkey --secret "C:\Program Files\OpenVPN\easy-rsa\keys\ta.key"`. Configuration files: the sample configuration files can be found from the Start menu. CA prompts: Organization Name (eg, company) [OpenVPN], Organizational Unit Name (eg, section), Common Name (eg, your name or your server's hostname) [OpenVPN-CA], Email Address. Building server certificates: run the following command and it will create the server1.crt and server1.key files in the keys directory.
- If only OpenVPN v2.4 servers and clients are used, consider using `--tls-crypt` instead of `--tls-auth`. Don't set `--tls-cipher` yourself: the defaults in recent OpenVPN versions are mostly up to date with what is needed, and leaving them alone removes the need to update the setting if the official recommendations change later on.
Install, upgrade or remove OpenVPN-Radius-Auth (Debian/openvpn-auth-radius) on Ubiquiti hardware. By default, the installer caches the deb package so that the same version of OpenVPN-Radius-Auth can be restored after a firmware upgrade.
The script is based on the work of Mathias Fredriksson (mafredri/vyatta-wireguard-installer).
The package was provided by the Debian community.
Installation
Simply copy the script onto your Ubiquiti router and run it.
Note: By placing this script in `/config/scripts/post-config.d`, the OpenVPN-Auth-Radius installation will persist across firmware upgrades.
Usage
Setup Road-Warrior OpenVPN
Install Vyatta-OpenVPN-Auth-Radius
See above.
Setup Client Configs
- Create client config dir:
- Create client configs if needed (the filename equals the RADIUS username), e.g. to assign a static IP:
Configure OpenVPN-Server
- Minimal config needed by RADIUS plugin:
Configure Radius-Plugin
Adjust the following values to your environment:
- NAS-IP-Address (Note: use a LAN IP address; when using the built-in RADIUS server, set it to your default LAN IP address. `127.0.0.1` won't work!)
- name (Note: the address of your RADIUS server; when using the built-in RADIUS server, set it to your default LAN IP address.)
- sharedsecret (Note: use only alphanumeric characters `[A-Za-z0-9]` in the RADIUS server secret!)
Optional:
- NAS-Identifier
- subnet
- acctport
- authport
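The following shell script is an added example, not part of this README or of the openvpn-auth-radius package. It checks the two constraints listed above (the NAS-IP-Address must not be the loopback address, and the shared secret must be purely alphanumeric) before writing a `radiusplugin.cnf`. The key names follow the layout of the plugin's sample configuration file; the output path, the `OpenVPNConfig` path and the default NAS-Identifier are assumptions you should adapt.

```shell
#!/bin/sh
# Added example: validate the RADIUS plugin values and write radiusplugin.cnf.
# Assumptions: config lives under /config/user-data/openvpn/ (adapt as needed).

# Returns 0 if the secret is non-empty and contains only [A-Za-z0-9], else 1.
valid_shared_secret() {
    case "$1" in
        '')              return 1 ;;
        *[!A-Za-z0-9]*)  return 1 ;;
        *)               return 0 ;;
    esac
}

# Returns 0 if the NAS-IP-Address is a usable LAN address (not loopback, not empty).
valid_nas_ip() {
    case "$1" in
        ''|127.*) return 1 ;;
        *)        return 0 ;;
    esac
}

# write_radius_config OUTFILE NAS_IP RADIUS_SERVER SHAREDSECRET [NAS_ID] [SUBNET]
# Refuses to write a file that the plugin would reject or that would silently
# fail against the built-in RADIUS server.
write_radius_config() {
    out=$1; nas_ip=$2; radius=$3; secret=$4
    nas_id=${5:-usg-openvpn}          # assumed default NAS-Identifier
    subnet=${6:-255.255.255.0}        # assumed default VPN subnet mask
    valid_nas_ip "$nas_ip" || { echo "NAS-IP-Address must be a LAN address, not loopback" >&2; return 1; }
    valid_shared_secret "$secret" || { echo "sharedsecret must contain only [A-Za-z0-9]" >&2; return 1; }
    cat > "$out" <<EOF
NAS-Identifier=$nas_id
Service-Type=5
Framed-Protocol=1
NAS-Port-Type=5
NAS-IP-Address=$nas_ip
OpenVPNConfig=/config/user-data/openvpn/server.conf
subnet=$subnet
overwriteccfiles=true
server
{
    acctport=1813
    authport=1812
    name=$radius
    retry=1
    wait=1
    sharedsecret=$secret
}
EOF
}

# Usage (assumed paths and values):
#   write_radius_config /config/user-data/openvpn/radiusplugin.cnf 192.168.1.1 192.168.1.1 MySecret123
```

Both validation functions return a shell exit status, so they can also be reused from the installer script or a post-config hook to fail early instead of leaving the VPN server up with a RADIUS backend that never answers.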
Install Easy-RSA
Create Certificates
- Generate `tls-auth` key
Configure USG
- Check for existing remote user vpn networks:
- Adapt the example config.gateway.json:
- if applicable, merge with the existing `config.gateway.json`:
  - interfaces > openvpn > vtun0 > openvpn-option
  - interfaces > openvpn > vtun0 > server > subnet
  - firewall > group > network-group > remote_user_vpn_network > network
- Transfer to the controller and the appropriate site (`/srv/unifi/data/sites/<site>/`)
- Force provision the USG in the controller
Create Client Profile
- Adapt the client.ovpn:
- YOUR_SERVER (FQDN or IP address)
- `<ca>` (the content of `/config/user-data/eays-rsa/keys/ca.crt` generated above)
- `<tls-auth>` (the content of `/config/user-data/openvpn/ta.key` generated above)
- Import into your client and connect.
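The script below is an added example (not this README's own script and not part of the project it describes) covering two of the steps above: generating the `tls-auth` key under "Create Certificates", and assembling the client profile with the CA certificate and `ta.key` inlined. The `ta.key` path is the one this README uses; the client template body (port 1194, UDP, `auth-user-pass` for the RADIUS username/password) is an assumption to adapt to your `client.ovpn`.

```shell
#!/bin/sh
# Added example: create the tls-auth key and build a client .ovpn with
# <ca> and <tls-auth> inlined, refusing to embed a file that is not a key.

# gen_ta_key KEYFILE  (e.g. /config/user-data/openvpn/ta.key)
# Needs the openvpn binary; keeps an existing key so deployed clients stay valid.
gen_ta_key() {
    command -v openvpn >/dev/null 2>&1 || { echo "openvpn binary not found" >&2; return 1; }
    [ -s "$1" ] && return 0
    openvpn --genkey --secret "$1" && chmod 600 "$1"
}

# build_client_profile SERVER CA_FILE TA_FILE  > client.ovpn
# SERVER is the FQDN or IP of the USG; the template below is an assumption.
build_client_profile() {
    server=$1; ca=$2; ta=$3
    [ -s "$ca" ] && [ -s "$ta" ] || { echo "missing ca.crt or ta.key" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN OpenVPN Static key V1' "$ta" || { echo "$ta is not an OpenVPN static key" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
key-direction 1
verb 3
<ca>
$(cat "$ca")
</ca>
<tls-auth>
$(cat "$ta")
</tls-auth>
EOF
}

# Usage (assumed paths):
#   gen_ta_key /config/user-data/openvpn/ta.key
#   build_client_profile vpn.example.com /config/user-data/eays-rsa/keys/ca.crt \
#       /config/user-data/openvpn/ta.key > client.ovpn
```

`key-direction 1` is the client side of the `tls-auth` key; the server side uses direction 0. `remote-cert-tls server` makes the client reject a peer whose certificate was not issued as a server certificate by the CA you inline, so a leaked client profile cannot be turned around into a fake server.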
Monitoring & Troubleshooting
- Check config of USG
- Monitor VPN connections
- FreeRADIUS debugging