Line 5: |
Line 5: |
| <h1>Generating certificates for an OpenVPN server</h1> | | <h1>Generating certificates for an OpenVPN server</h1> |
| | | |
− | 1)Navigate to System -> Administration -> Certificates | + | 1)Navigate to '''System -> Administration -> Certificates''' |
| | | |
| 2)Generate 2 certificates with a keysize 1024: | | 2)Generate 2 certificates with a keysize 1024: |
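Review bot: the unchanged line `2)Generate 2 certificates with a keysize 1024:` still tells the reader to generate 1024-bit keys, which is below the accepted floor for RSA (1024-bit RSA has been considered inadequate for signatures by NIST since 2013, and OpenVPN tooling such as easy-rsa has defaulted to 2048 for years); since this hunk already touches the neighbouring step for formatting, it should also raise the key size to 2048 or larger. The count is also off: "2 certificates" does not cover the three clients the page later connects, so the step should say how many certificates the example actually needs (one for the server and one per client).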
Line 26: |
Line 26: |
| [[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] | | [[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] |
| | | |
− | 2) Navigate to Services -> VPN -> OpenVPN | + | 2) Navigate to '''Services -> VPN -> OpenVPN''' |
| | | |
| 3) Add a new OpenVPN instance with a Server role | | 3) Add a new OpenVPN instance with a Server role |
Line 43: |
Line 43: |
| Certificate files from device - on | | Certificate files from device - on |
| | | |
− | 5) Press "Save & Apply", enable OpenVPN server and check if the server is online | + | 5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online |
| | | |
| [[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]] | | [[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]] |
Line 49: |
Line 49: |
| <h1>Connecting clients to the OpenVPN server</h1> | | <h1>Connecting clients to the OpenVPN server</h1> |
| | | |
− | 1) Navigate to Services -> VPN -> OpenVPN | + | 1) Navigate to '''Services -> VPN -> OpenVPN''' |
| | | |
| 2) Add a new OpenVPN instance with a Client role | | 2) Add a new OpenVPN instance with a Client role |
Line 55: |
Line 55: |
| 3) Create an OpenVPN client with these settings | | 3) Create an OpenVPN client with these settings |
| | | |
− | [[File:OpenVPN Client1.png|none|thumb|alt=|1000x1000px]] | + | [[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]] |
| | | |
| Remote host/IP address - Public IP of the OpenVPN server's router | | Remote host/IP address - Public IP of the OpenVPN server's router |
− | .
| + | |
| Remote network IP address - 10.0.0.0 | | Remote network IP address - 10.0.0.0 |
| | | |
− | Remote network netmask - 255.255.255.240 | + | Remote network netmask - 255.255.255.224 |
| | | |
− | And add the certificates from the OpenVPN server - Certificate Authority, Client certificate and Client key which we downloaded in Certificate Generation step | + | And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step |
| | | |
| 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made | | 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made |
| | | |
− | [[File:OpenVPN Client1 connected.png|none|thumb|alt=|1000x1000px]] | + | [[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]] |
| | | |
| 5) Repeat this step for as many clients as You need. For this example, we will have 3 clients | | 5) Repeat this step for as many clients as You need. For this example, we will have 3 clients |
| | | |
| <h1>Client to Client LAN network communication</h1> | | <h1>Client to Client LAN network communication</h1> |
| + | |
| 1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients | | 1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients |
| | | |
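Review bot: the netmask change from `255.255.255.240` to `255.255.255.224` (10.0.0.0/28 to 10.0.0.0/27) is only right if it matches the virtual network set on the server instance, which this diff does not show; the server's network and netmask and every client's "Remote network" fields should be checked against each other, otherwise addresses such as 10.0.0.6, which the page later uses as a gateway, can fall outside the route the client installs for the tunnel. "Repeat this step for as many clients as You need" also needs a caveat in the same hunk: every client must have its own certificate and key with a distinct common name, because the server-side TLS clients entries in the next section are matched on common name, and reusing the single client certificate from the certificate generation step across the 3 clients would map them all onto one entry.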
Line 80: |
Line 81: |
| | | |
| Common name - common name of the certificate which was generated previously | | Common name - common name of the certificate which was generated previously |
− | Virtual local endpoint - client’s local address in the virtual network. | + | |
− | Virtual remote endpoint - client’s remote address in the virtual network. | + | Virtual local endpoint - client’s local address in the virtual network |
| + | |
| + | Virtual remote endpoint - client’s remote address in the virtual network |
| + | |
| Private network - client's LAN subnet | | Private network - client's LAN subnet |
| + | |
| Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server | | Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server |
| | | |
Line 88: |
Line 93: |
| This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets | | This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets |
| | | |
− | 1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN | + | 1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN |
| + | |
| + | [[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]] |
| + | |
| | | |
| This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets | | This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets |
| + | |
| | | |
| 1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command | | 1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command |
| | | |
− | ip route add 192.168.20.0/24 via 10.0.0.6 | + | ip route add 192.168.20.0/24 via 10.0.0.6 |
| | | |
| <h1>Controlling access with firewall</h1> | | <h1>Controlling access with firewall</h1> |
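Review bot: `ip route add 192.168.20.0/24 via 10.0.0.6` in this hunk is not persistent: a route added with `ip route add` is gone after a reboot or after the tunnel interface goes down and comes back, so the CLI alternative should say so and point the reader to the WebUI static route (or a startup script) for anything that has to survive a restart. The command also gives 10.0.0.6 with no explanation; the text should state that it is the tunnel peer address from the "Virtual remote endpoint" field of the TLS clients entry, otherwise the reader cannot adapt it to their own addressing. Finally, the zone forward from OpenVPN to LAN added above lets every authenticated VPN peer reach the whole LAN on that device; that is what the page intends, but the step should say that the deny rules of the next section are the only thing narrowing it.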
Line 101: |
Line 110: |
| | | |
| 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks | | 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks |
| + | |
| + | [[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]] |
| + | |
| | | |
| Source interface - OpenVPN | | Source interface - OpenVPN |
Line 109: |
Line 121: |
| | | |
| Destination IP - other client OpenVPN remote endpoints and LAN subnets | | Destination IP - other client OpenVPN remote endpoints and LAN subnets |
| + | |
| + | Action - Deny |
| | | |
| This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet | | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet |
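Review bot: the deny rule in this hunk is a blocklist keyed on the other clients' endpoints and LAN subnets (the "Destination IP" line), so any client added later is reachable from Client 3 until that list is updated; a default deny of OpenVPN-to-OpenVPN forwarding with explicit allow rules for the pairs that should talk is the safer shape. The source match only works because the TLS clients entries pin each client's virtual endpoint; the hunk should note that dependency, since a client without such an entry would get a dynamic address and slip past a rule written for a fixed source IP.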