OpenVPN on EdgeRouter Lite

Mainstay

I am attempting to setup OpenVPN on an EdgeRouter Lite running 1.9.1.1.

I have been following instructions on the configuration from: https://community.ubnt.com/t5/EdgeMAX/OpenVPN-server-with-PAM-and-OpenVPN-IOS-Client-configuration/t...

I have built the RSA key and set the interfaces and when I hit commit the EdgeRouter just locks up.

Is this normal? Was I too impatient and should have waited it out? I left it for 10 minutes but all network traffic ceased and the system was unresponsive. A reboot took me back to the pre-commit and all my settings were retained (except the OVPN server).

My entries are as follows. Any help is greatly appreciated.

Code:
ubnt@ubnt# set interfaces openvpn vtun0
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 encryption aes128
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 mode server
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--tls-server"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--proto udp"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--port 1194"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--push route 192.168.1.0 255.255.255.0"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--tun-mtu 1400"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--persist-key"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--persist-tun"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--persist-local-ip"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--persist-remote-ip"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--keepalive 8 30"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--comp-lzo"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--duplicate-cn"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--user nobody --group nogroup"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--client-cert-not-required --username-as-common-name"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--verb 1"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 openvpn-option "--client-to-client"
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 server
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 server subnet 192.168.1.0/24
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 server topology subnet
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/openvpn/keys/ca.crt
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 tls cert-file /config/auth/openvpn/keys/ovpn.mainstaycomputing.com.crt
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 tls dh-file /config/auth/openvpn/keys/dh2048.pem
[edit]
ubnt@ubnt# set interfaces openvpn vtun0 tls key-file /config/auth/openvpn/keys/ovpn.mainstaycomputing.com.key
[edit]
ubnt@ubnt# commit
 
Hi @Markverhyden - the unit is in production and responds to everything thrown at it.

I'm sure I must have something wrong as I am not well versed in the land of Linux. Just wasn't sure how long a commit for the above commands "should" take. The RSA key generation took approximately 10 minutes, which from reading is appropriate for a 2048 bit key.

But the rest, not sure....
 
@Mainstay the reason why I suggested the piecemeal method is you'll see where it chokes. Did you use CLI to confirm if the requisite files are in the proper key subdir?
 
oh lord. I must be tired. I see what you mean now. For some reason I thought the whole interface had to be set / configured in one go, but doing it a line or two at a time makes perfect sense.

>>Did you use CLI to confirm if the requisite files are in the proper key subdir?

Yes - all files are present and accounted for.
 
No, you don't need the full config at once. In my experience commit will tell you what is missing as you go along with commits. It's rare, but I've had a couple of times where the OS had a problem. Just like other systems, a nuke and pave may be needed. In those cases I used the TFTP method.
 
awesome - thank you Mark. Will give this a shot when I am back in the office.
 
To add to the advice already given, I assume you are using some sort of terminal emulator and SSH'ing into the box. If so, you may want to adjust your line and character send delays so that the configs aren't "dropped" so fast. I work with Juniper routers day in/out; their OS (Junos) is based on FreeBSD. I had to increase my delay as stated because the router would miss config statements with default PuTTY or SecureCRT settings. My thought is that the router you are configuring may be getting overwhelmed, so to speak, from receiving a bunch of configuration statements so quickly and, as a result, locking up on you. Good luck!
 