OpenVPN on Vyos


To always remain connected to the services running in my home lab, I use an OpenVPN connection from my mobile and laptop devices to the OpenVPN server running inside the Vyos Virtual Machine deployed in one of the Proxmox nodes in my lab.

Configuration of OpenVPN in Vyos involves installing keys and certificates on both the server and the clients for mutual authentication. In this document we discuss the Vyos commands used to generate and install the required certificates. After that step, we configure the server and the client with the required settings.

Generation of keys and certificates

To configure openVPN we will need the following keys and certificates:

  • Server certificate and private key
  • Client certificate and private key
  • CA certificate and private key (if the server certificate is signed by our own self-signed CA)

Here we will generate our own CA for signing the server and client certificates, and install the CA certificate as a trusted CA certificate on every device that needs to verify the signed certificates.

Generate Self Signed CA

Generate a self signed CA certificate and install it in the Vyos VM:

run generate pki ca install ca-1

You will be presented with a dialog which you need to fill in as per your requirements. Following this, commit the changes and export the CA certificate in .pem format. This certificate needs to be installed on your mobile phone so that it can verify the server certificate the server presents to the mobile device. Save it to a file using the following command:

run show pki certificate ca-1 > ca-1.cert.pem

We have named it ca-1 and will use this name to sign server and client certificates.

Generate Server Certificate

The OpenVPN server in Vyos needs to be configured with a server certificate, so the next step is to use our CA to sign one. We don't have a private/public key pair ready, so we generate the key pair and sign the certificate in one go using the following command:

run generate pki certificate sign ca-1 install server-1

This will present a dialogue which you need to fill in as per your requirements. One thing to ensure is that the server host name (or IP address) that the clients use to connect to the server is entered as the common name, and optionally as a subject alternative name; the client verifies the presented certificate against that name.

test@vyos:~$ config
[edit]
test@vyos# run generate pki certificate sign ca-1 install server-1
Enter CA private key passphrase: **********
Do you already have a certificate request? [y/N] 
Enter private key type: [rsa, dsa, ec] (Default: rsa) 
Enter private key bits: (Default: 2048) 
Enter country code: (Default: GB) IN
Enter state: (Default: Some-State) test
Enter locality: (Default: Some-City) test
Enter organization name: (Default: VyOS) test
Enter common name: (Default: vyos.io) test.com
Do you want to configure Subject Alternative Names? [y/N] 
Enter how many days certificate will be valid: (Default: 365) 
Enter certificate type: (client, server) (Default: server) server
Note: If you plan to use the generated key on this router, do not encrypt the private key.
Do you want to encrypt the private key with a passphrase? [y/N] 
2 value(s) installed. Use "compare" to see the pending changes, and "commit" to apply.
[edit]
test@vyos#

Next we need to commit the changes.

Generate Client Certificate

The client needs to prove its identity to the server with a certificate that is signed by the CA trusted by the server. So in this step we will create the following files:

  • client-1.cert.pem
  • client-1.key

From the above two files we will create a PKCS12 file (client-1.p12) to safely package and transport both of them to the client.

For this we follow the same steps as we did for generation of the server certificate:

run generate pki certificate sign ca-1 install client-1

Then we save the certificate using the same command as we did while saving the CA certificate:

run show pki certificate client-1 > client-1.cert.pem

We also need to save the private key of the client, to install it on the client mobile phone. For this, use the following command in config mode (in config mode the output includes the private key, which the operational-mode command above does not show):

show pki certificate client-1

Copy the key material and save it in a file named client-1.key. The single-line key needs to be converted to proper PEM format. For this we run the following commands to split the single line into multiple lines and then prepend and append the headers that OpenSSL expects. The header must match how the key is encoded: "-----BEGIN RSA PRIVATE KEY-----" is the PKCS#1 header, while a PKCS#8 key uses "-----BEGIN PRIVATE KEY-----". A quick check that the result parses is "openssl pkey -in client-1.key -noout", which fails if the header and the encoding disagree.

sed -i -e "s/\S\{70\}/&\n/g" client-1.key
sed -i '1s;^;-----BEGIN RSA PRIVATE KEY-----\n;' client-1.key
echo '-----END RSA PRIVATE KEY-----' | tee -a client-1.key

Create the PKCS12 file using the following command (it prompts for an export password, which you will need again when importing the file on the phone):

openssl pkcs12 -export -inkey client-1.key -in client-1.cert.pem -out client-1.p12
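The key conversion and packaging above, as an added example rather than the post's own commands: a POSIX shell function that turns the single-line key copied from "show pki certificate client-1" into a PEM file with conventional 64-column lines, a check that the result is well formed, and a wrapper around the same openssl pkcs12 command. File names (client-1.key.txt, client-1.key, client-1.cert.pem, client-1.p12) and the sample key used in the comments are assumptions; pass the label "PRIVATE KEY" instead of the default if Vyos hands you a PKCS#8 key rather than a PKCS#1 RSA key.

```shell
#!/bin/sh
# Added example: re-wrap a one-line base64 private key (as copied from the
# Vyos "show pki certificate <name>" output) into PEM, then bundle it.
# File names used here are assumptions, not values from the post.

# wrap_key_pem SRC DST [LABEL]
# SRC holds the single-line base64 key; DST receives the PEM file.
# LABEL defaults to "RSA PRIVATE KEY" (PKCS#1); use "PRIVATE KEY" for PKCS#8.
wrap_key_pem() {
    src="$1"; dst="$2"; label="${3:-RSA PRIVATE KEY}"
    {
        printf -- '-----BEGIN %s-----\n' "$label"
        # drop stray whitespace/newlines, then re-wrap at the conventional 64 columns
        tr -d ' \t\r\n' < "$src" | fold -w 64
        printf -- '\n-----END %s-----\n' "$label"
    } > "$dst"
}

# pem_body_ok FILE
# Returns 0 when FILE starts with a BEGIN line, contains an END line, and every
# line in between is base64 no longer than 64 characters; returns 1 otherwise.
pem_body_ok() {
    awk '
        NR == 1      { if ($0 !~ /^-----BEGIN /) bad = 1; next }
        /^-----END / { seen_end = 1; next }
                     { if ($0 !~ "^[A-Za-z0-9+/=]+$" || length($0) > 64) bad = 1 }
        END          { if (!seen_end) bad = 1; exit bad }
    ' "$1"
}

# make_p12 KEY CERT OUT [NAME]
# The same openssl command as the post, plus -name so the Android certificate
# picker shows a recognisable label. openssl prompts for an export password.
make_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -name "${4:-client-1}" -out "$3"
}

# Typical run (assumed file names; the key line itself comes from the Vyos output):
#   wrap_key_pem client-1.key.txt client-1.key
#   pem_body_ok client-1.key && make_p12 client-1.key client-1.cert.pem client-1.p12
```

Wrapping at 64 columns rather than 70 matches what openssl itself emits, and pem_body_ok rejects the common copy-paste failures (a line that was never split, a stray prompt or space pasted into the file, a missing END marker) before openssl pkcs12 is run with a password prompt in between.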

Configuration of server

We configure OpenVPN server using the following commands:

set interfaces openvpn vtun1 local-port '1194'
set interfaces openvpn vtun1 mode 'server'
set interfaces openvpn vtun1 persistent-tunnel
set interfaces openvpn vtun1 protocol 'tcp-passive'
set interfaces openvpn vtun1 server client client-0 ip '10.23.1.10'
set interfaces openvpn vtun1 server client client-0 subnet '10.23.1.0/24'
set interfaces openvpn vtun1 server push-route 192.168.50.0/24
set interfaces openvpn vtun1 server subnet '10.23.1.0/24'
set interfaces openvpn vtun1 server topology 'subnet'
set interfaces openvpn vtun1 tls ca-certificate 'ca-1'
set interfaces openvpn vtun1 tls certificate 'server-1'
set interfaces openvpn vtun1 use-lzo-compression

The client's IP and subnet are configured, and a route to 192.168.50.0/24 is pushed to the client so that it can reach that subnet on the server side. The name under "server client" (client-0 here) is matched against the common name in the client's certificate, not against the Vyos certificate name, so it must equal the common name entered when the client certificate was generated. We also add a static route for the tunnel subnet via the vtun1 interface:

set protocols static route 10.23.1.0/24 interface vtun1

Configuration of Android Client

We use the following configuration, saved in a file named config.ovpn, to configure the OpenVPN client on the Android mobile. Note that "ns-cert-type server" was deprecated in OpenVPN 2.4 and removed in 2.5; on current clients the equivalent server-identity check is "remote-cert-tls server".

client
dev tun
proto tcp
remote <server-ip/domain> <server-port>
# the default OpenVPN port is 1194, matching local-port on the server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
compress lzo
ns-cert-type server

Also, we need to install ca-1.cert.pem by visiting Settings > Password & Security > Encryption & credentials > Install a certificate > CA certificate and then selecting the ca-1.cert.pem file.

Further, we need to install the client certificate and key, which we packaged into the client-1.p12 file in the [Generate Client Certificate] section. This is done by visiting Settings > Password & Security > Encryption & credentials > Install a certificate > VPN & app user certificate and selecting the client-1.p12 file.

Following this, we add the config.ovpn configuration in the OpenVPN Android application. When we connect to the server for the first time we are presented with the option to select the client key to be used; we select the client-1 entry from the presented list.
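As an added example (not the post's own profile), the following shell function writes the same client profile with the CA certificate embedded in an inline <ca> block, so the CA does not have to be installed separately through Android's credential settings; the client certificate and key still come from the client-1.p12 identity installed in the keystore, and no private key ends up in the profile. It uses "remote-cert-tls server" in place of "ns-cert-type server". The host name, port and file names are assumptions, and the certificate used in the check is a constructed placeholder.

```shell
#!/bin/sh
# Added example: build config.ovpn with the CA certificate inlined, then sanity-check it.
# Host, port and file names are assumptions to be replaced with your own values.

# build_ovpn HOST PORT CA_PEM OUT
# Writes an OpenVPN client profile for the tcp/1194 server configured in the post.
build_ovpn() {
    host="$1"; port="$2"; ca_pem="$3"; out="$4"
    {
        cat <<EOF
client
dev tun
proto tcp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
compress lzo
remote-cert-tls server
<ca>
EOF
        cat "$ca_pem"          # ca-1.cert.pem as exported with "run show pki certificate ca-1"
        printf '</ca>\n'
    } > "$out"
}

# ovpn_check FILE
# Returns 0 when the profile names a remote host and port, requires a
# server-typed peer certificate, and carries exactly one certificate inside
# <ca>...</ca>; returns 1 otherwise.
ovpn_check() {
    grep -q '^remote [^ ][^ ]* [0-9][0-9]*$' "$1" || return 1
    grep -q '^remote-cert-tls server$' "$1" || return 1
    n=$(sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || :)
    [ "$n" -eq 1 ]
}

# Typical run (assumed values):
#   build_ovpn vpn.example.com 1194 ca-1.cert.pem config.ovpn && ovpn_check config.ovpn
```

"remote-cert-tls server" makes the client reject a peer whose certificate lacks the server key usage, which is what the "server" certificate type chosen in the Vyos dialog provides; without some such check any certificate signed by ca-1, including another client's, would be accepted as the server.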