TorGuard
Xenstar

VyOS configuration for Torguard OpenVPN


Question

I recently spent quite a few hours getting Torguard OpenVPN set up on my VyOS router virtual machine, so I thought I would share the configuration with the forums in case anyone else runs into the same issues and is unable to find other guides online (as I did).

 

VyOS is a community fork of Vyatta (which is now Brocade vRouter). Ubiquiti's Edgerouters also use another fork of Vyatta called EdgeOS, so this configuration may be either close to or exactly what you need for one of those devices too (not able to test this as I don’t have one).

 

Credentials

On the VyOS shell, go to operational mode and use vi to create a file in /config/auth containing the Torguard username on line 1 and password on line 2. Mine is called vpn-pass.txt.

 

Certificates

 

VyOS requires that you specify a CA cert file, a host cert file and the host private key file. Torguard don’t check for the latter two, but they still need to be valid files before you will be allowed to commit the openvpn interface configuration in VyOS.

 

Obtain the Torguard Global ca.crt file, which you can find in the ‘Standard UDP Configs’ zip file under Downloads. Upload that to /config/auth using SFTP.

 

From the /config/auth directory, run the following commands to generate your self signed certificate and key file:

openssl genrsa -out host.key 2048                                      # 2048-bit RSA private key
openssl req -new -key host.key -out csr.crt                            # certificate signing request
openssl req -x509 -days 365 -key host.key -in csr.crt -out cert.crt    # self-sign it, valid one year
chmod 700 host.key                                                     # keep the private key owner-only

 

VPN Interface

 

Run the following commands in config mode:

set interfaces openvpn vtun1 encryption 'bf128'
set interfaces openvpn vtun1 mode 'client'
set interfaces openvpn vtun1 openvpn-option '--auth-user-pass /config/auth/vpn-pass.txt --persist-key --persist-tun --nobind --pull --route-nopull --comp-lzo --script-security 2'
set interfaces openvpn vtun1 protocol 'udp'
set interfaces openvpn vtun1 remote-host 'nl.torguardvpnaccess.com'
set interfaces openvpn vtun1 remote-port '443'
set interfaces openvpn vtun1 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun1 tls cert-file '/config/auth/cert.crt'
set interfaces openvpn vtun1 tls key-file '/config/auth/host.key'

 

Firewall Rules

 

Create firewall rules:

set firewall name vtun1-inbound default-action 'drop'
set firewall name vtun1-inbound rule 1 action 'accept'
set firewall name vtun1-inbound rule 1 description 'Allow established and related'
set firewall name vtun1-inbound rule 1 state established 'enable'
set firewall name vtun1-inbound rule 1 state related 'enable'
set firewall name vtun1-inbound rule 2 action 'drop'
set firewall name vtun1-inbound rule 2 description 'Drop invalid'
set firewall name vtun1-inbound rule 2 state invalid 'enable'

set firewall name vtun1-local default-action 'drop'
set firewall name vtun1-local rule 1 action 'accept'
set firewall name vtun1-local rule 1 description 'Allow established and related'
set firewall name vtun1-local rule 1 state established 'enable'
set firewall name vtun1-local rule 1 state related 'enable'
set firewall name vtun1-local rule 2 action 'drop'
set firewall name vtun1-local rule 2 description 'Drop invalid'
set firewall name vtun1-local rule 2 state invalid 'enable'

Bind them to the vtun1 openvpn interface:

set interfaces openvpn vtun1 firewall in name 'vtun1-inbound'
set interfaces openvpn vtun1 firewall local name 'vtun1-local'

 

NAT

 

Create NAT masquerade rules for outbound traffic from internal network (192.168.20.0/24 in this example):

 

set nat source rule 200 outbound-interface 'vtun1'
set nat source rule 200 source address '192.168.20.0/24'
set nat source rule 200 translation address 'masquerade'

 

Checking connection

Commit all of the above and then run show interfaces from operational mode to see if your vtun1 interface has picked up the 10.x IP address from the VPN server.

 

You can also run show log openvpn to view the details of the connection. If you don't get a connection, you will find the reasons here.

 

Routing

 

I use policy based routing to send traffic for only specified machines down the VPN tunnel. The example below sends all traffic for 192.168.20.101 only down the tunnel.

 

set policy route src-route rule 10 destination address '0.0.0.0/0'
set policy route src-route rule 10 set table '1'
set policy route src-route rule 10 source address '192.168.20.101/32'

set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface 'vtun1'
 

If you want to send all traffic down the tunnel, I guess you will need to set vtun1 as the default route interface, but have more specific routes allowing the router to lookup DNS and make the OpenVPN connection, so it can set the tunnel up initially.

 

Good luck!

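The Credentials and Certificates steps above are easy to get subtly wrong (an extra blank line in the password file, a key that is world-readable, a certificate that does not match its key), and OpenVPN only tells you about it indirectly in show log openvpn. The script below is an added example, not part of the original post: it creates the two-line auth file with owner-only permissions from the outset, checks its format and mode, and generates the self-signed key and certificate in one openssl step, verifying that the two match. The directory defaults to /config/auth as used in the post; the username and password are constructed placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and verify the files
# that the VyOS openvpn client configuration points at.
# Assumption: files live under /config/auth (override with AUTH_DIR for testing).

AUTH_DIR=${AUTH_DIR:-/config/auth}

# Print a file's permission bits (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write "<username>\n<password>\n" for --auth-user-pass, created owner-only
# so the secret is never world-readable even for an instant.
write_vpn_auth() {
    dir=$1; user=$2; pass=$3
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$dir/vpn-pass.txt" )
    chmod 600 "$dir/vpn-pass.txt"
    printf '%s\n' "$dir/vpn-pass.txt"
}

# Return 0 only if the auth file has exactly two non-empty lines and is not
# readable by group or others; anything else makes the tunnel fail to
# authenticate with only the OpenVPN log as a hint.
check_vpn_auth() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing auth file: $f" >&2; return 1
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        400|600) ;;
        *) echo "$f is mode $mode; expected 600" >&2; return 1 ;;
    esac
    lines=$(wc -l < "$f" | tr -d ' ')
    if [ "$lines" -ne 2 ]; then
        echo "$f has $lines lines; expected username on line 1, password on line 2" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*$' "$f"; then
        echo "$f contains an empty line" >&2; return 1
    fi
    return 0
}

# Generate the 2048-bit key and a one-year self-signed certificate in one step
# (equivalent to the three openssl commands in the post), then confirm that the
# certificate really belongs to the key before VyOS is pointed at them.
gen_host_cert() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    ( umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=vyos-openvpn-client' \
        -keyout "$dir/host.key" -out "$dir/cert.crt" >/dev/null 2>&1 ) || return 1
    chmod 600 "$dir/host.key"          # 600 is sufficient; the post uses 700
    kmod=$(openssl rsa  -in "$dir/host.key" -noout -modulus)
    cmod=$(openssl x509 -in "$dir/cert.crt" -noout -modulus)
    [ "$kmod" = "$cmod" ] || { echo "host.key and cert.crt do not match" >&2; return 1; }
    openssl x509 -in "$dir/cert.crt" -noout -subject -enddate
}

# Usage on the router (constructed credentials):
#   sh vpn-auth-setup.sh 'torguard_user' 'torguard_password'
if [ $# -eq 2 ]; then
    f=$(write_vpn_auth "$AUTH_DIR" "$1" "$2")
    check_vpn_auth "$f" && echo "auth file OK: $f"
    gen_host_cert "$AUTH_DIR"
fi
```

Run it once from operational mode before committing the interface configuration; if check_vpn_auth complains, fix the file rather than loosening the check, since a readable password file on a router that also exposes SFTP is exactly the kind of exposure the post's deny-all firewall rules are trying to avoid.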

3 answers to this question



This was tremendously helpful! Thank you.

 

However, there were a couple of additional details I needed to get my config to work:

 

After you create a policy route, you have to apply it to an interface. In my case I applied it to the interface of my INSIDE network, eth1:

set interfaces ethernet eth1 policy route 'src-route'

 

You also have to supply DNS and the default-router in your dhcp-server config.

 

Finally, the firewall config steps are optional. I omitted them and everything still works.

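Putting the Routing section of the post together with the reply's point about attaching the policy to eth1, the fragment below is an added example (not from the original post or the reply) of the policy-based routing configuration with two hardening steps: local subnets are sent back to the main table so LAN traffic never enters the tunnel, and table 1 gets a blackhole route so that if vtun1 goes down the selected host is cut off rather than silently falling through to the main table and out via the WAN in the clear. It assumes VyOS 1.1 syntax, the LAN on eth1 as in the reply, and that the blackhole-with-distance form is accepted under a numbered table (it is in the main table; under table N I have not verified it on every release). The full-tunnel variant that the post only guesses at is left out.

```vyos
# Added example, not from the original post. VyOS 1.1 syntax; LAN interface eth1
# is assumed (as in the reply above).
configure

# 1. Local subnets bypass the tunnel: rule 5 is evaluated before rule 10 and
#    returns RFC1918 destinations to the main routing table.
set policy route src-route rule 5 description 'Local subnets bypass the tunnel'
set policy route src-route rule 5 destination address '192.168.0.0/16'
set policy route src-route rule 5 set table 'main'

# 2. Everything else from the selected host goes to table 1 (as in the post).
set policy route src-route rule 10 destination address '0.0.0.0/0'
set policy route src-route rule 10 source address '192.168.20.101/32'
set policy route src-route rule 10 set table '1'

# 3. Table 1: prefer vtun1. The blackhole (assumed syntax under a numbered
#    table) only matters when the interface route is absent, i.e. when the
#    tunnel is down; without it the lookup falls through to the main table
#    and the host's traffic leaves unencrypted via the WAN.
set protocols static table 1 interface-route 0.0.0.0/0 next-hop-interface 'vtun1'
set protocols static table 1 route 0.0.0.0/0 blackhole distance '254'

# 4. The policy does nothing until it is attached to the ingress interface.
set interfaces ethernet eth1 policy route 'src-route'

commit
save
```

To confirm the behaviour, run show ip route table 1 from operational mode with the tunnel up (the vtun1 default route should be listed ahead of the blackhole) and again after disabling vtun1; in the second case traffic from 192.168.20.101 to the internet should stop entirely rather than start leaving via the WAN interface.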

Glad you found it useful. The firewall rules are certainly optional, but I prefer to know I have a deny all inbound traffic rule from Torguard to myself. 

 

A while back I moved from VyOS to a Ubiquiti Edgerouter X SFP, and have it doing the same job with very similar config. I might post that too in case it helps.
