*** Consider using WireGuard instead! Thanks to Alex Jensen for creating this script: https://www.cron.dk/easy-certificate-generation-for-openvpn/ To use: 1: Save this script to "/config/openvpn/zmake.sh". 2: Change "EdgeOpenVPN" to the IP address or hostname that clients should use to connect to the VPN. This is written into every client OVPN file; you can also change it later in each OVPN file. 3: Run it by opening PuTTY and entering: bash /config/openvpn/zmake.sh Allow 45 minutes or so (generating the Diffie-Hellman parameters is slow). 4: Edit "Server.ovpn": the "push route" lines need to list the IP ranges you want to reach through the VPN if full gateway redirection is not enabled. If the upstream network of the EdgeRouter is 192.168.1.1 (the EdgeRouter's WAN has a 192.168.1.xx IP), then adding a line with "192.168.1.0" makes that network reachable from the VPN even when remote gateway redirect is disabled. 5: Open PuTTY, enter "configure" to enter configuration mode, and paste in the contents of "zEdgeSetup.txt". 6: Copy the OVPN files to the client computers and use OpenVPN to connect.
#!/bin/bash
cd /config/openvpn
#-----------------------------------------------------------------------------------------------
# Setup
CAname=CA-World
CAsubject="/C=US/ST=SomeCity/L=SomeCity/O=CAworld"
CAexpire=10000
CAkeyLength=2048
ServerName=EdgeOpenVPN
ServerSubject="/C=US/ST=SomeState/L=SomeCity/O=MyCompany/CN=${ServerName}"
ServerExpire=10000
ServerKeyLength=2048
ClientExpire=10000
ClientKeyLength=2048
DHkeyLength=2048
#-----------------------------------------------------------------------------------------------
# Functions
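#######################################
# Generate a self-signed certificate authority (private key + certificate).
# Arguments:
#   $1 - base name; writes <name>.key and <name>.pem in the current directory
#   $2 - validity of the CA certificate in days
#   $3 - X.509 subject string, e.g. "/C=US/O=Example"
#   $4 - RSA key length in bits
# Outputs:  progress message on stdout; openssl output on stdout/stderr
# Returns:  0 on success, non-zero if either openssl step fails
#######################################
makeCA() {
  local ca_name=$1
  local ca_expire=$2
  local ca_subject=$3
  local ca_key_length=$4
  printf 'Generating Certificate Authority %s...\n\n' "${ca_name}"
  # Whoever holds this key can mint credentials for the whole VPN, so the key
  # file is created unreadable to other users from the moment it exists.
  ( umask 077 && openssl genrsa -out "${ca_name}.key" "${ca_key_length}" ) || return 1
  # Subject is quoted so a value containing spaces stays one argument.
  openssl req -x509 -new -nodes -key "${ca_name}.key" -sha256 \
    -days "${ca_expire}" -out "${ca_name}.pem" -subj "${ca_subject}" || return 1
}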
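#######################################
# Issue a leaf certificate signed by an existing CA.
# Arguments:
#   $1 - CA base name (<ca>.pem and <ca>.key must exist in the current dir)
#   $2 - certificate base name; writes <name>.key and <name>.crt
#   $3 - validity in days
#   $4 - X.509 subject string
#   $5 - RSA key length in bits
# Outputs:  progress message on stdout; openssl output on stdout/stderr
# Returns:  0 on success, non-zero on any openssl/mktemp failure
#######################################
makeCert() {
  local ca_name=$1
  local cert_name=$2
  local cert_expire=$3
  local cert_subject=$4
  local cert_key_length=$5
  local config_file
  local rv=0
  printf '\nGenerating certificate for %s...\n\n' "${cert_name}"
  config_file=$(mktemp) || return 1
  # Leaf extensions. NOTE(review): no extendedKeyUsage is set, so server and
  # client certificates are indistinguishable to OpenVPN; a client config
  # using `remote-cert-tls server` would reject this server certificate.
  # Adding serverAuth/clientAuth EKUs here must go together with that option.
  printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid' > "${config_file}"
  # The private key is created under a restrictive umask so it is never
  # world-readable, even briefly.
  ( umask 077 && openssl genrsa -out "${cert_name}.key" "${cert_key_length}" ) \
    && openssl req -new -key "${cert_name}.key" -out "${cert_name}.csr" -subj "${cert_subject}" \
    && openssl x509 -req -extfile "${config_file}" -in "${cert_name}.csr" \
         -CA "${ca_name}.pem" -CAkey "${ca_name}.key" -CAcreateserial \
         -out "${cert_name}.crt" -days "${cert_expire}" -sha256 \
    || rv=$?
  # Always remove the CSR and the temporary extension file, even on failure.
  rm -f -- "${cert_name}.csr" "${config_file}"
  return "${rv}"
}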
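#######################################
# Write a self-contained client profile <client>.ovpn with the CA certificate,
# client certificate and client private key inlined.
# Arguments:
#   $1 - CA base name (<ca>.pem must exist in the current directory)
#   $2 - client base name (<client>.crt and <client>.key must exist)
#   $3 - hostname or IP the client connects to (OpenVPN "remote")
# Outputs:  <client>.ovpn in the current directory, mode 0600
# Returns:  0 on success, non-zero if the file cannot be created or an input
#           file is missing
#######################################
makeOvpnFile() {
  local ca_name=$1
  local client_name=$2
  local host_name=$3
  local out="${client_name}.ovpn"
  # The bundle embeds the client's private key: create it owner-only and fix
  # the mode in case a wider-mode file from an earlier run already existed.
  ( umask 077 && : > "${out}" ) || return 1
  chmod 600 -- "${out}" || return 1
  # A single grouped redirect replaces one append per line. The "#route" and
  # "#redirect-gateway" lines are commented examples for the user to enable;
  # the original script never got them into the file (missing redirect, and a
  # bare "#" starts a shell comment), so they are written as comments here.
  # NOTE(review): "cipher AES-256-CBC" is the legacy single-cipher directive;
  # newer OpenVPN releases negotiate via data-ciphers -- confirm against the
  # router's OpenVPN version before changing it.
  {
    cat <<EOF
client
dev tun
proto udp
#route 192.168.1.0 255.255.255.0
remote ${host_name} 1194
cipher AES-256-CBC
auth SHA256
resolv-retry infinite
#redirect-gateway def1
persist-key
persist-tun
user nobody
group nogroup
verb 3

<ca>
EOF
    cat -- "${ca_name}.pem" || return 1
    printf '</ca>\n<cert>\n'
    cat -- "${client_name}.crt" || return 1
    printf '</cert>\n<key>\n'
    cat -- "${client_name}.key" || return 1
    printf '</key>\n'
  } >> "${out}"
}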
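#######################################
# Write the server-side OpenVPN config (Server.ovpn) and the EdgeOS CLI
# snippet (zEdgeSetup.txt) that wires it up and opens the firewall.
# Arguments:
#   $1 - CA base name (used for the "ca" path)
#   $2 - server certificate base name (used for "cert"/"key" paths)
# Outputs:  Server.ovpn and zEdgeSetup.txt in the current directory
# Returns:  0 on success, non-zero if pwd or a write fails
#######################################
showConfGuide() {
  local ca_name=$1
  local server_name=$2
  local current_path
  current_path=$(pwd) || return 1
  # The "#push" and "#client-config-dir" lines are commented templates the
  # user is told to edit. They are written through a here-doc because in the
  # original a bare "#" after echo started a shell comment, so those lines
  # (and their redirects) never reached Server.ovpn.
  cat <<EOF > Server.ovpn || return 1
server 10.20.30.0 255.255.255.0
# Copy push route below to have LAN subnets above router
#push "route 10.20.30 255.255.255.0"
topology subnet
mode server
tls-server
port 1194
proto udp
dev tun
cipher AES-256-CBC
auth SHA256
ca ${current_path}/${ca_name}.pem
cert ${current_path}/${server_name}.crt
key ${current_path}/${server_name}.key
dh ${current_path}/dh.pem
#client-config-dir /config/ccd
keepalive 10 30
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
  # The server only listens on UDP/1194 (proto udp above), so the WAN_LOCAL
  # rule admits udp only rather than tcp_udp; no TCP listener exists to expose.
  cat <<EOF > zEdgeSetup.txt || return 1
set interfaces openvpn vtun0 config-file /config/openvpn/Server.ovpn


edit firewall name WAN_LOCAL
set rule 67 action accept
set rule 67 description OpenVPN
set rule 67 destination port 1194
set rule 67 protocol udp
set rule 67 log disable
EOF
}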
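#######################################
# Generate Diffie-Hellman parameters for the server (dh.pem).
# Arguments:
#   $1 - parameter size in bits
# Outputs:  dh.pem in the current directory; progress message on stdout
# Returns:  openssl's exit status (non-zero on failure)
#######################################
makeDH() {
  local dh_key_length=$1
  printf '\nMaking diffie-hellman keypair for perfect forward secrecy...\n\n'
  # dhparam emits public group parameters, not a key pair. Generation at
  # 2048 bits is CPU-bound and slow on router hardware, which is why the
  # setup notes budget a long wait for this step.
  openssl dhparam -out dh.pem -2 "${dh_key_length}" || return 1
}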
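#######################################
# Issue one client certificate and build its .ovpn bundle.
# Arguments:
#   $1 - CA base name
#   $2 - client name (used as file base name and as O=/CN= in the subject)
#   $3 - validity in days
#   $4 - RSA key length in bits
#   $5 - hostname or IP written as "remote" in the client profile
# Outputs:  <client>.key, <client>.crt, <client>.ovpn; progress on stdout
# Returns:  0 on success, non-zero if issuance or bundling fails
#######################################
makeClientCert() {
  local ca_name=$1
  local client_name=$2
  local client_expire=$3
  local client_key_length=$4
  local server_name=$5
  printf '\n\nMaking Client certificate for %s\n' "${client_name}"
  # Stop before bundling if issuance failed; otherwise the .ovpn would embed
  # whatever stale or missing .crt/.key happens to be on disk.
  makeCert "${ca_name}" "${client_name}" "${client_expire}" \
    "/C=US/ST=SomeState/L=SomeCity/O=${client_name}/CN=${client_name}" \
    "${client_key_length}" || return 1
  makeOvpnFile "${ca_name}" "${client_name}" "${server_name}"
}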
#-----------------------------------------------------------------------------------------------
# Make everything
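# Build everything in dependency order: CA first, then the server cert, ten
# client certs with their bundles, the DH parameters, and finally the server
# config plus EdgeOS snippet. Every step is checked so a failure stops the run
# instead of leaving half-built bundles that reference missing files.
# Arguments are quoted so subjects containing spaces survive as one value.
makeCA "${CAname}" "${CAexpire}" "${CAsubject}" "${CAkeyLength}" || exit 1
makeCert "${CAname}" "${ServerName}" "${ServerExpire}" "${ServerSubject}" "${ServerKeyLength}" || exit 1
for i in {1..10}; do
  makeClientCert "${CAname}" "User${i}" "${ClientExpire}" "${ClientKeyLength}" "${ServerName}" || exit 1
done
makeDH "${DHkeyLength}" || exit 1
showConfGuide "${CAname}" "${ServerName}" || exit 1
printf '\nScript is done!\n'
printf "\nYou need to open '/config/openvpn/zEdgeSetup.txt' and run those commands\n\n"
ls -- '/config/openvpn/'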
To make more client certificates, comment out all of the makeXX lines except the ones containing usernames like "User01", and rename them as appropriate: makeCert ${CAname} ${ClientName} ${ClientExpire} ${ClientSubject} ${ClientKeyLength} Run the script again, and repeat to make multiple clients.