Automating OpenVPN Tunnels

Important

This guide assumes your OpenWrt firmware has the openvpn-mbedtls package (or equivalent versions like openvpn-wolfssl or openvpn-openssl) installed. If this package is not present, you will need to install it.

In this guide, we will explore how to set up the automatic provisioning and management of OpenVPN tunnels.

Setting up the OpenVPN Server

The first step is to install the OpenVPN server. In this tutorial, to perform this step we will use Ansible.

If you already have experience installing an OpenVPN server, feel free to use any method you prefer.

Important

If you have already set up your OpenVPN server or prefer to install the OpenVPN server using a different method, you can skip forward to Import the CA and the Server Certificate in OpenWISP.

For simplicity, the OpenVPN server must be installed on the same server where OpenWISP is also installed.

While it is possible to install the OpenVPN server on a different server, it requires additional steps not covered in this tutorial.

1. Install Ansible and Required Ansible Roles

Install Ansible on your local machine (please ensure that you do not install it on the server).

To install Ansible, we suggest following the official Ansible installation guide.

After installing Ansible, you need to install Git (example for Linux Debian/Ubuntu systems):

sudo apt-get install git

After installing both Ansible and Git, install the required roles:

ansible-galaxy install git+https://github.com/Stouts/Stouts.openvpn,3.0.0 nkakouros.easyrsa

2. Create Inventory File and Playbook YAML

Create an Ansible inventory file named inventory on your local machine (not on the server) with the following contents:

[openvpn]
your_server_domain_or_ip

For example, if your server IP is 192.168.56.2:

[openvpn]
192.168.56.2

In the same directory where you created the inventory file, create a file named playbook.yml with the following content:

- hosts: openvpn
  vars:
    # EasyRSA
    easyrsa_generate_dh: true
    easyrsa_servers:
      - name: server
    easyrsa_clients: []
    easyrsa_pki_dir: /etc/easyrsa/pki

    # OpenVPN
    openvpn_keydir: "{{ easyrsa_pki_dir }}"
    openvpn_clients: []
    openvpn_use_pam: false
  roles:
    - role: nkakouros.easyrsa
    - role: Stouts.openvpn

Hint

You can further customize the configuration using the role variables. Read more about other options in EasyRSA and OpenVPN.

3. Run the Playbook

Run the Ansible playbook:

ansible-playbook -i inventory playbook.yml -b -k -K --become-method=su

Import the CA and the Server Certificate in OpenWISP

Important

If you chose an alternative installation method for OpenVPN and you did not create the CA and certificate yet, you can create the certificates from scratch via the OpenWISP web interface instead of importing them.

Follow the instructions below and instead of selecting Import Existing as Operation Type, select Create new.

You also won't need to copy any file from the server as OpenWISP generates the x509 certificates automatically.

To import the CA and Server Certificate into OpenWISP, you need to access your server via ssh or any other method that suits you.

Change your directory to /etc/easyrsa/pki/.

Note

If you incur in the following error: -bash: cd: /etc/easyrsa/pki: Permission denied, you may need to log in as the root user.

Import the CA

In your OpenWISP dashboard, go to /admin/pki/ca/add/.

In Operation Type, choose Import Existing.

Get your CA certificate from the ca.crt file and the private key from the private/ca.key file, then enter them in the respective fields.

Import the Server Certificate

In your OpenWISP dashboard, go to /admin/pki/cert/add/.

In Operation Type, choose Import Existing and in CA, choose the CA you just created.

Get your server certificate from the issued/server.crt file and the server private key from the private/server.key file, then enter them in the respective fields.

Create the VPN Server in OpenWISP

In the OpenWISP dashboard, go to /admin/config/vpn/add/.

In the Host field, enter your server IP address. In the Certification Authority and X509 Certificate fields, select the CA and certificate you created in the previous step.

Under Configuration, click on Configuration Menu, then change Server (Bridged) to Server (Routed).

Setting up a Bridged Server is similar to setting up a Routed Server but is not covered in this tutorial.

Adjust the rest of the VPN configuration to match the settings in /etc/openvpn/server.conf.

Tip

You can verify if your VPN configuration matches the server.conf file by using the Preview Configuration button at the top right corner of the page.

Create the VPN-Client Template in OpenWISP

In your OpenWISP dashboard, go to /admin/config/template/add/.

Set the Type to VPN-client.

Once the VPN field appears, select the VPN you created in the previous step.

Ensure the Automatic tunnel provisioning flag remains enabled.

If this template is for your management VPN or the default VPN option, we recommend checking the Enabled by default flag. For more information about this flag, refer to Default Templates.

Now, save the template.

After saving the template, you can tweak the VPN Client configuration, which is automatically generated to be compatible with the server configuration.

Finally you can add the new template to your devices.

Tip

If you need to troubleshoot any issue, increase the verbosity of the OpenVPN logging, both on the server and the clients, and check both logs (on the server and on the client).

See also

You may also want to explore other automated VPN tunnel provisioning options:

• Wireguard

• Wireguard over VXLAN

• Zerotier