OpenVPN Access Control: Difference between revisions

m (Edit with screenshots)
Line 5: Line 5:
<h1>Generating certificates for an OpenVPN server</h1>
<h1>Generating certificates for an OpenVPN server</h1>


1)Navigate to System -> Administration -> Certificates
1)Navigate to '''System -> Administration -> Certificates'''


2)Generate 2 certificates with a keysize 1024:
2)Generate 2 certificates with a keysize 1024:
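Review bot: '2)Generate 2 certificates with a keysize 1024:' is unchanged between the two revisions and still specifies a 1024-bit key; that size is no longer considered adequate for RSA (OpenVPN's documentation and easy-rsa default to 2048 bits), so the instruction should read 2048 or larger, since every later step (server instance, client instances, TLS client entries) builds on these two certificates. Minor style point: '2)Generate' lacks the space after the number that the later steps ('2) Navigate', '3) Add') use.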
Line 26: Line 26:
[[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]]
[[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]]


2) Navigate to Services -> VPN -> OpenVPN
2) Navigate to '''Services -> VPN -> OpenVPN'''


3) Add a new OpenVPN instance with a Server role
3) Add a new OpenVPN instance with a Server role
Line 43: Line 43:
Certificate files from device - on
Certificate files from device - on


5) Press "Save & Apply", enable OpenVPN server and check if the server is online
5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online


[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
Line 49: Line 49:
<h1>Connecting clients to the OpenVPN server</h1>
<h1>Connecting clients to the OpenVPN server</h1>


1) Navigate to Services -> VPN -> OpenVPN
1) Navigate to '''Services -> VPN -> OpenVPN'''


2) Add a new OpenVPN instance with a Client role
2) Add a new OpenVPN instance with a Client role
Line 55: Line 55:
3) Create an OpenVPN client with these settings
3) Create an OpenVPN client with these settings


[[File:OpenVPN Client1.png|none|thumb|alt=|1000x1000px]]
[[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]]


Remote host/IP address - Public IP of the OpenVPN server's router
Remote host/IP address - Public IP of the OpenVPN server's router
.
 
Remote network IP address - 10.0.0.0
Remote network IP address - 10.0.0.0


Remote network netmask - 255.255.255.240
Remote network netmask - 255.255.255.224


And add the certificates from the OpenVPN server - Certificate Authority, Client certificate and Client key which we downloaded in Certificate Generation step
And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step


4) Press "Save & Apply", enable OpenVPN client and check if the connection is made
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made


[[File:OpenVPN Client1 connected.png|none|thumb|alt=|1000x1000px]]
[[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]]


5) Repeat this step for as many clients as You need. For this example, we will have 3 clients
5) Repeat this step for as many clients as You need. For this example, we will have 3 clients


<h1>Client to Client LAN network communication</h1>
<h1>Client to Client LAN network communication</h1>
1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients
1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients


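Review bot: 'Remote network netmask' changes from 255.255.255.240 (/28) to 255.255.255.224 (/27) with no matching change shown for the server instance; this value has to equal the netmask of the server's virtual network that starts at 'Remote network IP address - 10.0.0.0', otherwise the client installs a route for the wrong range and per-client endpoints used later (for example 10.0.0.6 in the route step) may fall outside it. The hunk should state which server setting the netmask is copied from. Also, 'as many clients as You need' has a stray capital in both revisions.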
Line 80: Line 81:


Common name - common name of the certificate which was generated previously
Common name - common name of the certificate which was generated previously
Virtual local endpoint - client’s local address in the virtual network.
 
Virtual remote endpoint - client’s remote address in the virtual network.
Virtual local endpoint - client’s local address in the virtual network
 
Virtual remote endpoint - client’s remote address in the virtual network
 
Private network - client's LAN subnet
Private network - client's LAN subnet
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server


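Review bot: 'Common name - common name of the certificate which was generated previously' should say that the value must match the client certificate's Common Name exactly, because the server applies a TLS client entry (its endpoints, private network and covered network) only to a connection whose certificate presents that CN; a mismatch produces no error, the client simply connects without its LAN route. The revised hunk only inserts blank lines and drops the trailing periods on the endpoint lines, so the wording is otherwise unchanged.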
Line 88: Line 93:
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets


1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN
1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN
 
[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]]
 


This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets


1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command
1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command


ip route add 192.168.20.0/24 via 10.0.0.6
ip route add 192.168.20.0/24 via 10.0.0.6


<h1>Controlling access with firewall</h1>
<h1>Controlling access with firewall</h1>
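Review bot: 'set OpenVPN zone to forward traffic to LAN' lets every connected client reach the LAN of each router where it is applied; that is the intended permissive baseline, but the text should say so explicitly, because the deny rule in the following 'Controlling access with firewall' section is the only thing that narrows it. The CLI command 'ip route add 192.168.20.0/24 via 10.0.0.6' is also not persistent: it is lost on reboot or when the tunnel interface is re-created, so the step should either recommend the WebUI static route or state that the CLI route has to be re-added.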
Line 101: Line 110:


2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]


Source interface - OpenVPN
Source interface - OpenVPN
Line 109: Line 121:


Destination IP - other client OpenVPN remote endpoints and LAN subnets
Destination IP - other client OpenVPN remote endpoints and LAN subnets
Action - Deny


This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
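Review bot: 'Action - Deny' is added in the new revision, but the explanatory sentence still reads 'it's destination' and 'it's LAN subnet' where 'its' is meant. A logic point as well: because the rule matches 'Destination IP - other client OpenVPN remote endpoints and LAN subnets', it is a list that must be extended every time a client is added, otherwise the new client is reachable from Client 3 by default; the text should say this, or describe the rule the other way round (Client 3 allowed only to the server and its LAN subnet, everything else from that source denied) so that new clients are covered automatically.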