Configuring OpenVPN Cloud on VyOS/Vyatta.

I needed to configure a connection to OpenVPN Cloud on a VyOS 1.3 router this evening. This was a little challenging, as I'm not super up to date on OpenVPN as a whole.

Here is the baseline configuration needed to set up OpenVPN Cloud.

1. Set up a new connector in OpenVPN Cloud. Once you reach the step to download the profile, download it and open it in your favorite text editor. I'm using VSCode.

2. Find the hostname of your gateway; this is the only variable you will need in the VyOS config, and the remaining steps are completed in a text editor. The hostname will look something like us-nyc.gw.openvpn.com.

3. You will need to extract the X.509 certificate and key material from the OpenVPN configuration profile. We will start with ca.crt.

On the VyOS host, type

 nano /config/auth/ovpn/ca.crt

Extract all the contents between the "<ca></ca>" tags from the OpenVPN profile and paste them into the nano editor on the VyOS host. The first line should be

-----BEGIN CERTIFICATE-----

The tags themselves should not be copied from the configuration profile. Repeat the above steps for the remaining three components (certificate, private key and TLS auth key), which go into the following files:

<cert> </cert> goes into /config/auth/ovpn/cert.crt
<key></key> goes into /config/auth/ovpn/client.key
<tls-auth></tls-auth> goes into /config/auth/ovpn/auth.key

4. Once these files are in place, you can enter configure mode and paste the boilerplate below. This will create an interface named vtun10.

set interfaces openvpn vtun10 description 'OpenVPN Cloud'
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha256'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 openvpn-option 'nobind'
set interfaces openvpn vtun10 openvpn-option 'remote-cert-tls server'
set interfaces openvpn vtun10 openvpn-option 'socket-flags TCP_NODELAY'
set interfaces openvpn vtun10 openvpn-option 'key-direction 1'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls auth-file '/config/auth/ovpn/auth.key'
set interfaces openvpn vtun10 tls ca-cert-file '/config/auth/ovpn/ca.crt'
set interfaces openvpn vtun10 tls cert-file '/config/auth/ovpn/cert.crt'
set interfaces openvpn vtun10 tls key-file '/config/auth/ovpn/client.key'
Boilerplate for OpenVPN cloud

The only configuration variable that currently must be modified is the remote hostname.

set interfaces openvpn vtun10 remote-host '<OPEN_VPN_GATEWAY>'

In the case of New York, this would look like

set interfaces openvpn vtun10 remote-host 'us-nyc.gw.openvpn.com'

Once this is done, commit your configuration and test the connection from the OpenVPN Cloud interface. You can also check the tunnel status by running

show interfaces openvpn vtun10
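Doing the copy-and-paste steps above by hand is error-prone (a stray tag line or a missing BEGIN marker silently breaks the tunnel), so here is an added example, not part of the original post, that splits a downloaded profile into the four files the boilerplate expects and prints the matching remote-host line. The function names and the embedded sample profile are my own constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original post): split an OpenVPN Cloud profile's inline
# <ca>/<cert>/<key>/<tls-auth> blocks into the files the VyOS config expects and print
# the matching remote-host line. Function names and the sample profile are constructed.
extract_block() {   # $1 profile, $2 tag, $3 output; copies lines strictly between <tag> and </tag>
    awk -v t="$2" '$0 == "</" t ">" { hit = 0 }  hit { print }  $0 == "<" t ">" { hit = 1 }' "$1" > "$3"
    chmod 600 "$3"   # key material: owner-readable only
}
profile_remote_host() {   # host from the first "remote <host> [port] [proto]" directive
    awk '$1 == "remote" { print $2; exit }' "$1"
}
import_profile() {   # $1 profile, $2 target dir (/config/auth/ovpn on the VyOS host)
    mkdir -p "$2"
    extract_block "$1" ca       "$2/ca.crt"
    extract_block "$1" cert     "$2/cert.crt"
    extract_block "$1" key      "$2/client.key"
    extract_block "$1" tls-auth "$2/auth.key"
    for f in ca.crt cert.crt client.key auth.key; do   # each file must carry a PEM BEGIN line
        grep -q '^-----BEGIN ' "$2/$f" || { echo "no BEGIN marker in $f" >&2; return 1; }
    done
    echo "set interfaces openvpn vtun10 remote-host '$(profile_remote_host "$1")'"
}
write_sample_profile() {   # constructed stand-in for a downloaded profile; the base64 is placeholder
    cat > "$1" <<'EOF'
remote us-nyc.gw.openvpn.com 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZIFBMQUNFSE9MREVS
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
}
demo=$(mktemp -d); write_sample_profile "$demo/profile.ovpn"   # dry run in a temp dir
import_profile "$demo/profile.ovpn" "$demo/ovpn"                # real use: target /config/auth/ovpn
```

On the router, run import_profile against the real downloaded profile with /config/auth/ovpn as the target directory, then paste the printed remote-host line along with the boilerplate above.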