VPN and VLAN with Ubiquiti EdgeRouter X

By redfox314 on Wednesday 7 September 2016 23:43 - Comments (3)
Category: -, Views: 1.537

Introduction

After moving into a new house I needed to adapt my network to a larger area to cover with Wi-Fi and a different physical layout. This time I'm documenting it so I won't forget what I learned.

One of the features of this house is that every room of importance has an ethernet cable running to it from the utility closet. Unfortunately there is only one cable per room. I want a main network, a VPN and a guest network that is isolated from the main network, all over that single cable. This is how I did it.

Physical setup

Physically my network is a basic two-tier star: a central node, connected to Telenet's cable modem, which feeds one device per room/floor. The figure below contains more detail.

The central node is a Ubiquiti EdgeRouter X. Both room/floor devices are TP-Link routers running OpenWRT. Strictly speaking either of them could do what the EdgeRouter X does, but being refurbished they have been demoted to a switch/access point role.

Home network

Logical setup

The general aim is a single internet connection behind NAT, with multiple networks behind it:
  • Main network: 192.168.2.0/24
  • Guest network: 192.168.42.0/24
  • VPN network: 10.10.10.0/24
Not all of these networks may talk to each other freely. The guest network may only reach the internet; the main and VPN networks should have no firewall between them.

Getting there

Basic setup
I started from the basic setup wizard that comes with EdgeOS. It lets you pick the internet-facing port and sets up one subnet behind NAT (masquerading). It also configures IPv6 prefix delegation for you. This worked out of the box with my Telenet modem-only setup.

This will result in a dashboard looking like this:

Dashboard


Note that the LAN IP address is assigned to the 'switch0' interface.
Firewall
As the default firewall looked somewhat clunky I decided to go for the fully fledged zone-based firewall. Unfortunately this is not fully supported in the EdgeOS GUI, so we'll have to connect over SSH and configure it there. There's an added advantage to using the CLI: in the process of figuring out the firewall I locked myself out several times, and the CLI has a two-phase save. First you make your changes active with 'commit'; then you persist them across reboots with 'save'. If you lock yourself out before saving you can simply reboot the router, which brings back the last saved configuration, and fix the problem.

The basic firewall setup has two zones: WAN and LAN. There is a third zone for the device itself.

We first define a few firewall rulesets (call them primitives) that we later attach to each pair of zones.

The first primitive accepts traffic belonging to established or related connections, drops invalid packets and drops everything else. We need an IPv4 and an IPv6 version. The IPv6 version additionally accepts ICMPv6, which IPv6 cannot work without (neighbour discovery, router advertisements, path MTU discovery).


code:
configure
edit firewall name allow-est-drop-inv
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
top
edit firewall ipv6-name allow-est-drop-inv-6
set default-action drop
set enable-default-log
set rule 1 action accept
set rule 1 state established enable
set rule 1 state related enable
set rule 2 action drop
set rule 2 log enable
set rule 2 state invalid enable
set rule 100 action accept
set rule 100 protocol ipv6-icmp
top




The next primitive accepts everything. It is copied from the first one, so it keeps the drop of invalid packets; only the default action and the default logging change.


code:
edit firewall
copy name allow-est-drop-inv to name allow-all
set name allow-all default-action accept
delete name allow-all enable-default-log
top

edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name allow-all-6
set ipv6-name allow-all-6 default-action accept
delete ipv6-name allow-all-6 enable-default-log
top



The last primitive allows only ICMP, DNS and DHCP (on top of established/related traffic). The IPv6 copy has to reference the IPv6 ruleset defined above, and on IPv6 "DHCP" means DHCPv6, which uses UDP ports 546 (client) and 547 (server) rather than 67/68.


code:
edit firewall
copy name allow-est-drop-inv to name lan-local-out
edit name lan-local-out
set rule 100 action accept
set rule 100 protocol icmp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCP"
set rule 700 action accept
set rule 700 destination port 67,68
set rule 700 protocol udp
top

edit firewall
copy ipv6-name allow-est-drop-inv-6 to ipv6-name lan-local-out6
edit ipv6-name lan-local-out6
set rule 100 action accept
set rule 100 protocol ipv6-icmp
set rule 600 description "Allow DNS"
set rule 600 action accept
set rule 600 destination port 53
set rule 600 protocol tcp_udp
set rule 700 description "Allow DHCPv6"
set rule 700 action accept
set rule 700 destination port 546,547
set rule 700 protocol udp
top




We can now attach the appropriate primitive to each zone.

The local zone, i.e. the device itself:


code:
edit zone-policy zone local
set default-action drop
set local-zone
set from WAN firewall name lan-local-out
set from WAN firewall ipv6-name lan-local-out6
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top



LAN may connect to anything on the router. From WAN only ICMP, DNS and DHCP get through. Two caveats apply here. DNS replies to the router's own queries are already matched by the established/related rule, so the 'destination port 53' rule from WAN only serves hosts on the internet querying the router; unless the DNS forwarder is restricted to the internal interfaces (check 'listen-on' under service dns forwarding), that turns it into an open resolver. And on IPv6 what the WAN side really needs is ICMPv6 (router advertisements and neighbour discovery) plus DHCPv6 on UDP port 546 for the prefix delegation; ports 67/68 are DHCPv4 only.
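A tighter WAN-to-router policy than the one above, added here as an example (not from the original post): it keeps lan-local-out for zones that really need DNS and DHCP from the router and gives the WAN pair its own rulesets with only what the uplink needs. The ruleset names wan-local and wan-local-6 are my choice. The IPv4 side relies on two things: rule 1 (established/related) already matches the replies to the router's own DNS and NTP queries, and the wizard's own WAN_LOCAL ruleset has no DHCP rule either while the WAN address is still obtained.

```vyatta
configure
edit firewall
# IPv4: nothing but ping needs to be opened; replies to the router's own
# queries are matched by rule 1 (established/related) copied from the base set
copy name allow-est-drop-inv to name wan-local
set name wan-local description "WAN to router (IPv4)"
set name wan-local rule 100 description "Allow ping"
set name wan-local rule 100 action accept
set name wan-local rule 100 protocol icmp
top

edit firewall
# IPv6: rule 100 (ipv6-icmp) comes along with the copy; router advertisements
# and neighbour discovery depend on it
copy ipv6-name allow-est-drop-inv-6 to ipv6-name wan-local-6
set ipv6-name wan-local-6 description "WAN to router (IPv6)"
# DHCPv6 replies (including the delegated prefix) arrive on the client port 546
set ipv6-name wan-local-6 rule 546 description "Allow DHCPv6 client"
set ipv6-name wan-local-6 rule 546 action accept
set ipv6-name wan-local-6 rule 546 protocol udp
set ipv6-name wan-local-6 rule 546 destination port 546
top

# replace the WAN -> local policy; LAN2 (the guest zone) keeps lan-local-out
set zone-policy zone local from WAN firewall name wan-local
set zone-policy zone local from WAN firewall ipv6-name wan-local-6
commit
save
```

After the commit, check from a host outside your network that a DNS query against your WAN address ('dig @<wan address> example.com') times out, and watch the drop counter in 'show firewall name wan-local statistics' move. Prefix delegation should keep working; if it does not, look at the IPv6 log first, since rule 2 logs the invalid packets and the default action logs the rest.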

The next zone is the WAN zone.

code:
edit zone-policy zone WAN
set default-action drop
set interface eth0
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top



This binds the WAN zone to eth0 and lets both LAN and the router itself send traffic into it freely.

The last zone (for now) is the LAN zone.


code:
edit zone-policy zone LAN
set default-action drop
set interface switch0
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top



This binds the LAN zone to switch0. From WAN it only accepts packets belonging to connections that a LAN host initiated; the router itself may reach the LAN without restriction. Any zone pair without an explicit policy falls under the receiving zone's default-action, i.e. drop.

Now that the new firewall rules are in place we can remove the ones the wizard created. Verify the names it actually generated with 'show firewall' in configure mode before deleting; the per-interface firewall binding on eth0 has to go as well, since zone policies and interface firewalls do not mix.


code:
delete interfaces ethernet eth0 firewall
delete firewall name WAN_IN
delete firewall name WAN_LOCAL
delete firewall ipv6-name WAN_IN
delete firewall ipv6-name WAN_LOCAL



Now test your changes by running

code:
commit

If everything keeps working, persist across reboots by running

code:
save



It's important to be conservative with save. I managed to lock myself out several times when setting this up. Because I hadn't saved yet, a reboot saved my bacon many times.
VPN
The next step is to add a VPN so I can access my network from the outside.

There's a myriad of articles on how to set up an OpenVPN instance with certificates, so I'm only focusing on the challenges of doing so on an EdgeRouter X.

The setup for the server side is like this:


code:
configure
set interfaces openvpn vtun1
set interfaces openvpn vtun1 description "OpenVPN server"
set interfaces openvpn vtun1 mode server
set interfaces openvpn vtun1 encryption aes256
set interfaces openvpn vtun1 hash sha256
set interfaces openvpn vtun1 server topology subnet
set interfaces openvpn vtun1 server subnet 10.10.10.0/24
set interfaces openvpn vtun1 server push-route 192.168.2.0/24
set interfaces openvpn vtun1 server name-server 192.168.2.1
set interfaces openvpn vtun1 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun1 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun1 tls key-file /config/auth/host-decrypted.key
set interfaces openvpn vtun1 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun1 openvpn-option "--port 1194"
set interfaces openvpn vtun1 openvpn-option --tls-server
set interfaces openvpn vtun1 openvpn-option "--comp-lzo yes"
set interfaces openvpn vtun1 openvpn-option --persist-key
set interfaces openvpn vtun1 openvpn-option --persist-tun
set interfaces openvpn vtun1 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun1 openvpn-option "--user nobody"
set interfaces openvpn vtun1 openvpn-option "--group nogroup"
commit



OpenVPN's defaults at the time (BF-CBC for the data channel and SHA1 for the HMAC) are weak, hence the aes256 and sha256 (which EdgeOS turns into --cipher AES-256-CBC and --auth SHA256). Two settings above deserve a second look. '--comp-lzo' compresses plaintext inside the tunnel, which later turned out to leak secrets through the compressed size (the VORACLE family of attacks); leave compression off unless you need it. And without a tls-auth key any host on the internet can start a TLS handshake with the server on port 1194.

The certificate files are placed deliberately in /config, because then they are included in the backup mechanism that the EdgeRouter supports. The decrypted private key is what protects the whole VPN: keep it readable by root only, and keep the backups that contain it under the same protection.
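The following is an added example, not the post's own configuration: the same vtun1 server with the weaker parts replaced. Compression is removed, the control channel gets a pre-shared HMAC key (tls-auth), TLS 1.2 becomes the minimum and the server checks that a connecting certificate was issued as a client certificate. The path /config/auth/ta.key is an assumption; generate the key on the router with 'openvpn --genkey --secret /config/auth/ta.key' and copy it to every client, which then needs 'tls-auth ta.key 1' and 'remote-cert-tls server' in its own profile. '--tls-version-min' requires OpenVPN 2.3.3 or newer (check 'openvpn --version'), and '--remote-cert-tls client' requires client certificates that carry the client EKU, which easy-rsa's client type does.

```vyatta
configure
# drop in-tunnel compression: an attacker who can get chosen plaintext into the
# tunnel can recover secrets from the compressed size (VORACLE-style)
delete interfaces openvpn vtun1 openvpn-option "--comp-lzo yes"
# control-channel HMAC (assumed path): packets without a valid HMAC are discarded
# before the TLS handshake, so unauthenticated hosts get no reply from 1194 at all
set interfaces openvpn vtun1 openvpn-option "--tls-auth /config/auth/ta.key 0"
# no TLS 1.0/1.1 on the control channel
set interfaces openvpn vtun1 openvpn-option "--tls-version-min 1.2"
# only certificates issued as client certificates may connect; a copied server
# certificate and key are refused even though the same CA signed them
set interfaces openvpn vtun1 openvpn-option "--remote-cert-tls client"
commit
save
```

After this a client that still has 'comp-lzo' in its profile will fail to connect with a compression mismatch, and a client without the ta.key gets no answer at all, which is the intended behaviour: check with 'show log' on the router (the OpenVPN process logs "TLS Error: cannot locate HMAC" for those attempts).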

If you were to connect like this it wouldn't work because the firewall still needs to be configured.

The first step is a change to what the router itself accepts from the outside: UDP port 1194 must be allowed from WAN, in both the IPv4 and the IPv6 ruleset, since clients will mostly arrive over IPv4. Note that every other zone that uses lan-local-out gets this rule as well.


code:
set firewall name lan-local-out rule 800 description "Allow OpenVPN"
set firewall name lan-local-out rule 800 action accept
set firewall name lan-local-out rule 800 destination port 1194
set firewall name lan-local-out rule 800 protocol udp
set firewall ipv6-name lan-local-out6 rule 800 description "Allow OpenVPN"
set firewall ipv6-name lan-local-out6 rule 800 action accept
set firewall ipv6-name lan-local-out6 rule 800 destination port 1194
set firewall ipv6-name lan-local-out6 rule 800 protocol udp



Now we can connect, but we can't do much yet: vtun1 is not in any zone, so traffic from the tunnel is still dropped.

We first need to create a VPN zone.


code:
edit zone-policy zone VPN
set default-action drop
set interface vtun1
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
set from LAN firewall name allow-all
set from LAN firewall ipv6-name allow-all-6
top



The VPN zone is essentially a second LAN zone that additionally accepts traffic from LAN.

The other zones need tweaking to accept traffic from VPN.


code:
edit zone-policy zone LAN
set from VPN firewall name allow-all
set from VPN firewall ipv6-name allow-all-6
top




code:
edit zone-policy zone local
set from VPN firewall name allow-all
set from VPN firewall ipv6-name allow-all-6
top



Commit, test and save, et voilà: VPN. Note that the WAN zone has no policy from VPN, so VPN clients cannot reach the internet through the tunnel. That is consistent with pushing only the 192.168.2.0/24 route (a split tunnel); for a full tunnel you would also add a 'from VPN' policy to the WAN zone and push a default route.

Guest network

Now I want to add a guest network spanning both my access points that is distinct and isolated from my main network.

The solution is a VLAN with id 3 spanning the network, carried over the same cables as the main network.
Wireless router config
The first job is to create an additional SSID on one of the radios.

All my wireless radios are on OpenWRT devices but the DHCP and the routing to WAN will live on the Edgerouter.

In LuCI on the OpenWRT routers creating a new SSID is pretty easy.

New SSID

Enter the new SSID and a network name (e.g. guest) in the create box. Afterwards the configuration looks like the screenshot (with an SSID filled in).

This will create a new interface which we will modify.

Select the interface and go to the Physical settings tab.

Network PHY settings

We'll bridge the wireless interface with eth0.3, the sub-interface that carries VLAN 3 tagged over the wired port.

In the main tab the interface should either have no address or receive one through DHCP.

In the Advanced tab make sure to uncheck the default route option ('Use default gateway'). Otherwise, if the interface gets an address, the device's own traffic, including the management session you are configuring it over on the other interface, is routed out through the guest network and you may lock yourself out.

Advanced Settings
Routing config
VLAN
On the dashboard you can add a VLAN interface on switch0 with id 3.

VLAN Config

Next we make switch0 VLAN-aware and make eth2 and eth4 accept tagged traffic for VLAN id 3. Don't configure any PVID.

VLAN Config
Firewall
We need another zone for the guest LAN.


code:
edit zone-policy zone LAN2
set default-action drop
set interface switch0.3
set from WAN firewall name allow-est-drop-inv
set from WAN firewall ipv6-name allow-est-drop-inv-6
set from local firewall name allow-all
set from local firewall ipv6-name allow-all-6
top



Then we need to allow traffic to WAN.


code:
edit zone-policy zone WAN
set from LAN2 firewall name allow-all
set from LAN2 firewall ipv6-name allow-all-6
top



The local zone should treat LAN2 like WAN and only allow ICMP, DNS and DHCP. That only works if the router actually serves DHCP and DNS on switch0.3: it needs an address in 192.168.42.0/24 there, a DHCP pool for that subnet and the DNS forwarder listening on that interface. Since there is no policy from LAN2 into LAN or VPN, guests are cut off from both by the default drop.


code:
edit zone-policy zone local
set from LAN2 firewall name lan-local-out
set from LAN2 firewall ipv6-name lan-local-out6
top
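What the post does not show is the half of the guest network that has to live on the EdgeRouter for the LAN2 zone to be useful: an address on the VLAN 3 interface, a DHCP pool for 192.168.42.0/24 and a DNS forwarder listening there. The following is an added example in EdgeOS CLI, not the original post's configuration. The pool range and lease time are assumptions, the shared-network name GUEST is arbitrary, and eth2 and eth4 are taken as the trunk ports from the VLAN section above.

```vyatta
configure
# CLI equivalent of the dashboard steps: VLAN 3 tagged on the two trunk ports,
# no PVID, so untagged traffic on those ports stays in the main LAN
set interfaces switch switch0 switch-port vlan-aware enable
set interfaces switch switch0 switch-port interface eth2 vlan 3
set interfaces switch switch0 switch-port interface eth4 vlan 3
# router address in the guest subnet; switch0.3 is the interface the LAN2 zone binds to
set interfaces switch switch0 vif 3 description "Guest VLAN"
set interfaces switch switch0 vif 3 address 192.168.42.1/24
# DHCP pool for guests (assumed range and lease); the gateway and resolver are the router
set service dhcp-server shared-network-name GUEST authoritative enable
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 default-router 192.168.42.1
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 dns-server 192.168.42.1
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 lease 3600
set service dhcp-server shared-network-name GUEST subnet 192.168.42.0/24 start 192.168.42.100 stop 192.168.42.199
# the DNS rule in lan-local-out only helps if the forwarder actually listens on the guest VLAN
set service dns forwarding listen-on switch0.3
commit
save
```

Verify the isolation from a guest client rather than trusting the config: the client should get a 192.168.42.x lease and resolve names, 'ping' to a host in 192.168.2.0/24 must get no reply, and an SSH attempt to 192.168.42.1 must hang, because the LAN2-to-local policy only passes ICMP, DNS and DHCP. 'show configuration commands | match zone-policy' on the router lists every zone pair that exists; any pair missing from that list is dropped.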

Conclusion

We have set up a basic internet connection, an OpenVPN service and a guest network on a constellation of a Ubiquiti EdgeRouter X and two TP-Link routers running OpenWRT.

The next challenge is to configure the VLAN to allow the Digibox to be directly connected to the Telenet modem. I am still working on that.

Comments


By Tweakers user analog_, Friday 9 September 2016 00:14

transparent firewall bridge or igmp-proxy

[Comment edited on Friday 9 September 2016 00:14]


By Tweakers user antartic, Monday 12 September 2016 15:13

What is the reason for using a completely different network for VPN instead of sharing the main network?

By Tweakers user redfox314, Monday 12 September 2016 15:59

antartic wrote on Monday 12 September 2016 @ 15:13:
What is the reason for using a completely different network for VPN instead of sharing the main network?
Are you asking about the segmentation into IP ranges and not the firewall settings?

The IP segmentation:

The vpn is an OpenVPN routed (tun) setup for several reasons.
On Android you need root to set up a bridged (tap) VPN. Furthermore, on the Ubiquiti router bridges are done completely in software, which would disable hardware acceleration of the switch. For something that is only used occasionally that would be a serious performance hit.
Lastly on my Macbook using Tunnelblick I have found that using routed mode is somewhat more robust. I have to restart my tunnel less often, ...

Firewall settings: I didn't have time to find out if I could add multiple interfaces to the same network. That would simplify the setup somewhat.

[Comment edited on Wednesday 14 September 2016 07:56]

