
Hi, I'm Ben Harris.

Operations Coordinator @ Clair Global. Programmer. Designer. Engineer.

EdgeRouter and Vyos: Site-to-Site OpenVPN

So, after moving back to the east coast, I found myself researching and choosing an east-coast datacenter to house my production servers a little closer to home. I settled on a DC located about 45 minutes away and went about getting the hardware and software ready to deploy.

I’ve been using VyOS as my production routing system for the past two years and am still very impressed with its reliability. There are a few things I really like about the VyOS platform. 1) It’s super solid. 2) It’s easy to configure. 3) It supports almost every routing and VPN protocol out of the box. 4) It’s based on Vyatta. One of the reasons this is so appealing is that the Ubiquiti EdgeMax series is also built on the Vyatta platform. I have recently switched all of my branch office routing onto the Ubiquiti EdgeMax platform, which makes the config files and syntax very easy to maintain between locations.

This is the first in a series of tutorials on the configuration and deployment of these two platforms, so I have put together a few blog posts outlining and documenting the process of setting them up. A lot of these principles can be applied to other platforms; my particular application just happens to focus on VyOS and EdgeOS.

Setting up Certificates

You can go about this one of two ways: with a pre-shared key or with certificates. For security reasons, I decided to implement my configuration with certificates. Now, it’s not generally considered best practice for one of your routers to also act as the certificate authority. If someone gains access to that router, they have all of the keys as well as the ability to sign new ones (the safer alternative is to run Easy-RSA on a separate machine and copy only the CA certificate and the signed certificates and keys to the routers, never the CA private key). It is, however, the most convenient option, and for the sake of this article we will keep the CA on one of the routers.

Setting up the Certificate Authority

The default directory for Easy-RSA on both platforms is /usr/share/doc/openvpn/examples/easy-rsa/2.0/. Because both VyOS and EdgeOS replace the root filesystem on an image upgrade and preserve only /config, we will want to move our working directory there in order to keep the CA and the VPN functioning across upgrades. So let’s start by copying the contents of Easy-RSA to that non-volatile location. We’ve chosen /config/easy-rsa2 as our working directory.

cp -rv /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /config/easy-rsa2

Once we complete the copy, we need to update the ‘vars’ file to set some predefined variables. Go ahead and open it in your favorite editor. We prefer nano.

nano /config/easy-rsa2/vars

Now let’s edit the file and change the following variables to values appropriate to your installation. The values shown are the upstream example defaults, so they should all be replaced. While you are in the file, also check KEY_SIZE: older Easy-RSA 2.0 trees ship with 1024, and it should be raised to at least 2048 before you build anything.

...
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

We will now prep the host to be the certificate authority. Change into the working directory and source the vars file so its exported variables are available to the Easy-RSA scripts (this must be done in the same shell session in which you run the following commands).

$ cd /config/easy-rsa2/
$ source ./vars

We’re going to clean out the keys directory and any existing CA files to ensure there are no old files lying around that could trip us up down the road. Note that clean-all deletes everything under keys/, so only run it when setting up a fresh CA, never on a router that already holds a CA you still need.

$ ./clean-all
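The steps above (copy Easy-RSA to /config, edit vars, source it, run clean-all) collected into one script, as an added example that is not part of the original post or of Easy-RSA itself. The function names, the use of sed to edit vars, the KEY_SIZE minimum and the refusal to run clean-all when keys/ca.key already exists are my own assumptions, not anything the post or the Easy-RSA scripts prescribe. The default paths are the ones used in the post.

```bash
#!/bin/bash
# Added example (not from the original post or from Easy-RSA): prepare a
# persistent Easy-RSA 2.0 working directory on VyOS/EdgeOS without
# silently wiping a CA that already lives there.

# Copy the Easy-RSA tree from SRC to DEST (defaults are the post's paths).
# Returns 1 if SRC does not look like an Easy-RSA tree.
easyrsa_copy() {
    local src="${1:-/usr/share/doc/openvpn/examples/easy-rsa/2.0}"
    local dest="${2:-/config/easy-rsa2}"
    [ -f "$src/vars" ] || { echo "no vars file in $src" >&2; return 1; }
    mkdir -p "$dest"
    cp -r "$src"/. "$dest"/
}

# Set one "export NAME=..." line in a vars file, appending it if absent.
# VALUE must not contain '|' or '&' (sed replacement metacharacters).
easyrsa_set_var() {
    local vars="$1" name="$2" value="$3"
    if grep -q "^export $name=" "$vars"; then
        sed "s|^export $name=.*|export $name=\"$value\"|" "$vars" > "$vars.tmp" \
            && mv "$vars.tmp" "$vars"
    else
        printf 'export %s="%s"\n' "$name" "$value" >> "$vars"
    fi
}

# Read back the value of an exported variable, with surrounding quotes stripped.
easyrsa_get_var() {
    local vars="$1" name="$2"
    sed -n "s|^export $name=\"\{0,1\}\([^\"]*\)\"\{0,1\}$|\1|p" "$vars" | tail -n 1
}

# Succeed only if KEY_SIZE in vars is at least MIN (2048 unless given).
# Older Easy-RSA 2.0 trees ship KEY_SIZE=1024.
easyrsa_check_keysize() {
    local vars="$1" min="${2:-2048}"
    local size
    size="$(easyrsa_get_var "$vars" KEY_SIZE)"
    [ -n "$size" ] && [ "$size" -ge "$min" ]
}

# Source vars and run clean-all inside DIR, but refuse (return 2) if a CA
# private key is already present: clean-all would delete it.
easyrsa_clean() {
    local dir="$1"
    if [ -f "$dir/keys/ca.key" ]; then
        echo "refusing clean-all: $dir/keys/ca.key already exists" >&2
        return 2
    fi
    (cd "$dir" && . ./vars >/dev/null 2>&1 && ./clean-all)
}

# Typical run on the router acting as CA (values are placeholders):
#   easyrsa_copy
#   easyrsa_set_var /config/easy-rsa2/vars KEY_SIZE 2048
#   easyrsa_set_var /config/easy-rsa2/vars KEY_COUNTRY US
#   easyrsa_set_var /config/easy-rsa2/vars KEY_ORG "My-Org"
#   easyrsa_check_keysize /config/easy-rsa2/vars && easyrsa_clean /config/easy-rsa2
```

Because vars and clean-all are sourced and run in a subshell, nothing from vars leaks into your interactive session; if you then continue with the Easy-RSA build scripts by hand, remember to `source ./vars` again in that shell first.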