Skip to content

VPN

OpenVPN

OpenVPN is an open-source software that can be used to access the Internet securely when connected to an untrusted network. OpenVPN allows you to keep your online data safe by tunneling them through encrypted servers. It uses SSL/TLS for key exchange and capable of traversing network address translators.

The eManager can be configured either as VPN server or client thanks to the openvpn package. Below you can find all the details about how to do it.

1. eManager configured as an VPN client.

In this section will be detailed how to configure the eManager as an OpenVPN client and a Debian or Ubuntu device as an OpenVPN server.

1.1 Server configuration

Note

The server configuration process detailed below has been tested with Debian 10 and Ubuntu 20.04.

Step 1. Install OpenVPN

First, you will need to enable IP forwarding to forward network packets properly. You can do this by editing /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Change the following line:

net.ipv4.ip_forward=1

Save and close the file, when you are finished.

Then, apply the new settings by running the following command:

sudo sysctl -p

Next, install OpenVPN package by just running the following command:

sudo apt-get install openvpn

Step 2. Generate server certificate and key

First, you will need to copy the easy-rsa directory to /etc/openvpn/. You can do it with the following command:

sudo cp -r /usr/share/easy-rsa /etc/openvpn/

Next, change the directory to easy-rsa and rename the vars.example file:

cd /etc/openvpn/easy-rsa
sudo mv vars.example vars

Then, open the vars file using sudo nano vars and add the following lines:

export KEY_COUNTRY="SPAIN"
export KEY_PROVINCE="BCN"
export KEY_CITY="Viladecavalls"
export KEY_ORG="PickData by Circutor"
export KEY_EMAIL="admin@example.com"
export KEY_OU="OpenVPN"

Save and close the file when you are finished. Then, initialize PKI with the following command:

sudo ./easyrsa init-pki

Next, build the CA without a password as shown below:

sudo ./easyrsa build-ca nopass

The output must be as shown in the image below.

Ca nopass

Next, generate the server key with the following command:

sudo ./easyrsa gen-req server nopass

The output must be as shown in the image below.

server nopass

Next, sign the server certificate with the following command:

sudo ./easyrsa sign-req server server

The output must be as shown in the image below.

server server

Next, build a Diffie-Hellman key exchange with the following command:

sudo ./easyrsa gen-dh

The output must be as shown in the image below.

gendh

Next, generate a HMAC signature with the following command:

sudo openvpn --genkey --secret ta.key

Finally, copy all the certificate and key to the /etc/openvpn directory:

sudo cp ta.key /etc/openvpn/
sudo cp pki/ca.crt /etc/openvpn/
sudo cp pki/private/server.key /etc/openvpn/
sudo cp pki/issued/server.crt /etc/openvpn/
sudo cp pki/dh.pem /etc/openvpn/

Step 3. Generate client certificate and key

Next, generate client certificate with the following command:

sudo ./easyrsa gen-req client nopass

You should see the following output:

client nopass

Next, sign the client certificate with the following command:

sudo ./easyrsa sign-req client client

You should see the following output:

client sign

Next, copy all client certificate and key to /etc/openvpn/client/ directory:

sudo cp pki/ca.crt /etc/openvpn/client/
sudo cp pki/issued/client.crt /etc/openvpn/client/
sudo cp pki/private/client.key /etc/openvpn/client/

Note

You must generate as many certificates as clients you want to connect to the same server.

Step 4. Configure OpenVPN server

All the required certificate and key for server and client are now generated. Next, you will need to create an OpenVPN configuration file. You can create it with the following command:

sudo nano /etc/openvpn/server.conf

Add the following content:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

Save and close the file. Then, restart OpenVPN service with the following command:

systemctl restart openvpn@server


1.2 Client configuration

The openvpn package is already pre-installed in the eManager.

To configure OpenVPN client, an VPN service provider must give us the client certificates, server key and server IP.

The required files are shown below:

ca.crt
client.crt
client.key
ta.key

Step 1. Create OpenVPN configuration directory

mkdir /etc/openvpn/

Step 2. Edit OpenVPN configuration file

nano /etc/openvpn/client.conf

Define your server IP address and client certificate file as shown below:

client
dev tun
proto udp
remote <VPN_SERVER_IP> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC
verb 3

Replace <VPN_SERVER_IP> by provider server public IP.

Note

This public IP of the server is the one that will be used for the connection between client and server. For example, if your eManager is connected to the server through the default Ethernet configuration, <VPN_SERVER_IP> will be 10.1.10.1.

Save and exit: Ctrl+X. Confirm save with Y.

Step 3. Copy client certificates files to eManager

Copy following files:

ca.crt
client.crt
client.key
ta.key

to the /etc/openvpn/ directory, inside the eManager.

Step 4. Restart OpenVPN client service

systemctl restart openvpn@client

Now, you can see the new IP address assigned by OpenVPN server with the following command:

ip addr

The output should be something similar as in the following image.

interfaces

Note

New interface tun0 should now appear in the interfaces list.

You can also check OpenVPN log:

journalctl -f -u openvpn@client

2. eManager configured as an VPN Server

As the eManager can be configured either as VPN server or client, in this section will be detailed how to configure it for each option.

Note

A device with Ubuntu 20.04 or Debian 10 will be needed to generate the keys, as in the previos section.

2.1 Server configuration

Step 1. Install OpenVPN

To install the OpenVPN in your eManager you can use the following commands:

opkg update
opkg install openvpn

Step 2. Generate server certificate and key

Follow the process detailed for Debian 10 & Ubuntu 20.04.

Keys and certificates must be generated in a Debian 10 or Ubuntu 20.04 operating system, and copied into eManager /etc/openvpn folder.

Step 3. Generate client certificate and key

Follow the process detailed for Debian 10 & Ubuntu 20.04.

Step 4. Configure OpenVPN server

In the server.conf file, the content must be the following:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 3
explicit-exit-notify 1

2.2 Client configuration

You can configure eManager as a client as explained here.

WireGuard

1. Server configuration

Note

The server configuration process detailed below has been tested with Debian 10 and Ubuntu 20.04.

Step 1. Install WireGuard

First, you will need to enable IP forwarding to forward network packets properly. You can do this by editing /etc/sysctl.conf file:

sudo nano /etc/sysctl.conf

Change the following line:

net.ipv4.ip_forward=1

Note

If you are using IPv6 add net.ipv6.conf.all.forwarding=1 at the bottom of the file.

Save and close the file, when you are finished. Then, apply the new settings by running the following command:

sudo sysctl -p

Next, install WireGuard package by just running the following command:

sudo apt-get update
sudo apt-get install wireguard-tools

Step 2. Generating server private and public keys

To get started with generating the keys for the server, generate a new key pair with the command below:

wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

Step 3. Generate server config

First, choose an IPv4 or IPv6 address. Any of the following ranges of private IPv4 addresses can be used:

  • Class A: 10.0.0.0 to 10.255.255.255 (10/8 prefix)
  • Class B: 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
  • Class C: 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)

In this example, we'll use 10.8.0.1/24.

The config files are generally stored in /etc/wireguard folder. Create a new configuration file called wg0.conf in that folder:

sudo nano /etc/wireguard/wg0.conf

Add the following directives to the configuration file:

[Interface]
PrivateKey = <base64_encoded_server_private_key>
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = true

You can get the <base64_encoded_server_private_key> using sudo cat /etc/wireguard/private.key on the server.

Step 4. Start WireGuard

You can use the following commands:

sudo systemctl enable wg-quick@wg0.service
sudo systemctl start wg-quick@wg0.service
systemctl status wg-quick@wg0.service

2. Client configuration

To install WireGuard in your eManager you can use the following commands:

opkg update
opkg install wireguard-tools

Step 1. Generating client private and public keys

To get started with generating the keys for the client, generate a new key pair with the command below:

mkdir ~/client_keys
wg genkey | tee ~/client_keys/private.key
chmod go= ~/client_keys/private.key
cat ~/client_keys/private.key | wg pubkey | tee ~/client_keys/public.key

Step 2. Generate client config

Create a new configuration file in the /etc/wireguard directory:

nano /etc/wireguard/wg0.conf

Then, replace the content file with the following:

[Interface]
Address = 10.8.0.2/24
PrivateKey = <base64_encoded_client_private_key>

[Peer]
PublicKey = <base64_encoded_server_public_key>
Endpoint = <server-ip>:51820
AllowedIPs = 10.8.0.0/24

You can get the <base64_encoded_client_private_key> using cat ~/client_keys/private.key on the client.

The <base64_encoded_server_public_key> can be found at sudo cat /etc/wireguard/public.key on the server.

Step 3. Start WireGuard

You can use it to start your configuration using the following command:

systemctl start wg-quick@wg0

If you want to start the service each time the eManager is turned on, use systemctl enable wg-quick@wg0.

Step 4. Add Peer's public key to the Wireguard server

To do so, you need to execute the following command in the Wireguard server:

sudo wg set wg0 peer <base64_encoded_client_public_key> allowed-ips 10.8.0.2
systemctl restart wg-quick@wg0.service

You can get the <base64_encoded_client_public_key> using:

cat ~/client_keys/public.key

on the client.