Line 1: |
Line 1: |
| <h1>Introduction</h1> | | <h1>Introduction</h1> |
| | | |
− | In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 to only be able to communicate with OpenVPN server | + | In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 only to be able to communicate with OpenVPN server |
| | | |
| <h1>Generating certificates for an OpenVPN server</h1> | | <h1>Generating certificates for an OpenVPN server</h1> |
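Review bot: the reworded intro sentence still chains three clauses without a period, and "only to be able to" reads less naturally than the original "to only be able to". Suggest: "In this example we configure an OpenVPN server, allow Client1 and Client2 to communicate with each other, and isolate Client3 so that it can reach only the OpenVPN server."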
Line 15: |
Line 15: |
| 3) In Certificate Manager download Server certificate | | 3) In Certificate Manager download Server certificate |
| | | |
| + | There are multiple methods of how certificates could be generated, you could follow this tutorial instead: |
| + | [[How to generate TLS certificates (Windows)?]] |
| | | |
| [[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]] | | [[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]] |
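Review bot: the two added lines sit between step 3 and its screenshot, so the certificate download image now appears to belong to the alternative tutorial; move them after the [[File:Certificate download v2.png|...]] line or ahead of step 3. The added sentence is also a comma splice; suggest "Certificates can be generated in several ways; alternatively, follow this tutorial:".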
Line 24: |
Line 26: |
| 1) Connect to WebUI and enable Advanced mode | | 1) Connect to WebUI and enable Advanced mode |
| | | |
− | [[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] | + | [[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]] |
| | | |
| 2) Navigate to '''Services -> VPN -> OpenVPN''' | | 2) Navigate to '''Services -> VPN -> OpenVPN''' |
Line 35: |
Line 37: |
| [[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]] | | [[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]] |
| | | |
− | Virtual network IP address – 10.0.0.0 | + | <ul> |
− | | + | <li>Virtual network IP address – 10.0.0.0</li> |
− | Virtual network netmask – 255.255.255.224 | + | <li>Virtual network netmask – 255.255.255.224</li> |
− | | + | <li>Client to client – disabled</li> |
− | Client to client – disabled | + | <li>Certificate files from device - on</li> |
− | | + | </ul> |
− | Certificate files from device - on | |
| | | |
| 5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online | | 5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online |
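Review bot: the new list states "Client to client – disabled" without saying why, yet the later "Controlling access with firewall" section depends on it: with client-to-client enabled, OpenVPN forwards packets between clients inside the daemon and they never reach the router's firewall, so a deny rule for Client 3 would have no effect. Suggest "<li>Client to client – disabled (inter-client traffic must pass through the router's firewall so the access control rule later in this guide applies)</li>". Worth adding too that 255.255.255.224 is a /27, and since each TLS client later gets a local/remote endpoint pair (a /30), only a handful of clients fit in it; readers with more clients need a larger virtual network.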
Line 57: |
Line 58: |
| [[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]] | | [[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]] |
| | | |
− | Remote host/IP address - Public IP of the OpenVPN server's router | + | <ul> |
− | | + | <li>Remote host/IP address - Public IP of the OpenVPN server's router</li> |
− | Remote network IP address - 10.0.0.0 | + | <li>Remote network IP address - 10.0.0.0</li> |
− | | + | <li>Remote network netmask - 255.255.255.224</li> |
− | Remote network netmask - 255.255.255.224 | + | <li>And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step</li> |
− | | + | </ul> |
− | And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step | |
− | | |
| 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made | | 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made |
| | | |
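Review bot: the last <li> is an instruction sentence rather than a setting/value pair like the other three, which makes the list read unevenly; suggest "<li>Certificate Authority, Client certificate, Client key - the files downloaded in the Certificate Generation step</li>". Also state that the certificate files must be the ones issued by this server's CA, since a client presenting a certificate from a different CA will fail the TLS handshake and the "check if the connection is made" step in 4) will show the client as not connected.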
Line 73: |
Line 72: |
| <h1>Client to Client LAN network communication</h1> | | <h1>Client to Client LAN network communication</h1> |
| | | |
− | 1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients | + | 1) On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add TLS clients |
| | | |
| Add clients which LAN address You want to have access to, in our case, we add all 3 clients | | Add clients which LAN address You want to have access to, in our case, we add all 3 clients |
| | | |
− | [[File:TLS Client 1.png||none|thumb|alt=|1000x1000px]] | + | [[File:TLS Client 1 v2.png|none|thumb|alt=|1000x1000px]] |
| + | [[File:TLS Client 2.png|none|thumb|alt=|1000x1000px]] |
| + | [[File:TLS Client 3.png|none|thumb|alt=|1000x1000px]] |
| | | |
| | | |
− | Common name - common name of the certificate which was generated previously | + | <ul> |
− | | + | <li>Common name - common name of the certificate which was generated previously</li> |
− | Virtual local endpoint - client’s local address in the virtual network | + | <li>Virtual local endpoint - client’s local address in the virtual network</li> |
− | | + | <li>Virtual remote endpoint - client’s remote address in the virtual network</li> |
− | Virtual remote endpoint - client’s remote address in the virtual network | + | <li>Private network - client's LAN subnet</li> |
− | | + | <li>Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li> |
− | Private network - client's LAN subnet | + | </ul> |
− | | |
− | Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server | |
− | | |
| | | |
| This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets | | This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets |
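Review bot: three screenshots were added but the text does not say which client each one shows; caption them or state that they are the entries for Client 1, 2 and 3 in order. In the list, "Virtual local endpoint" and "Virtual remote endpoint" should be described as a pair of addresses from the virtual network (10.0.0.0/27) that belong together for that client, and "Common name" should say it must match the CN of that client's certificate exactly, otherwise the entry is never applied to the connecting client and its "Private network" route is not installed.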
Line 98: |
Line 96: |
| | | |
| | | |
− | This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
| |
| | | |
| + | Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets |
| | | |
− | 1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command | + | 1) Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets. |
| | | |
− | ip route add 192.168.20.0/24 via 10.0.0.6
| + | [[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]] |
| | | |
| <h1>Controlling access with firewall</h1> | | <h1>Controlling access with firewall</h1> |
| | | |
− | 1) Navigate to Network -> Firewall -> Access Control | + | 1) Navigate to '''Network -> Firewall -> Access Control''' |
| | | |
| 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks | | 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks |
| | | |
| [[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]] | | [[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]] |
| + | |
| + | <ul> |
| + | <li>Source interface - OpenVPN</li> |
| + | <li>Destination interface - OpenVPN</li> |
| + | <li>Source IP - OpenVPN remote IP and LAN subnet of client 3</li> |
| + | <li>Destination IP - other client OpenVPN remote endpoints and LAN subnets</li> |
| + | <li>Action - Deny</li> |
| + | </ul> |
| + | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet |
| + | |
| + | |
| + | <h1>Testing</h1> |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| | | |
| | | |
− | Source interface - OpenVPN
| |
| | | |
− | Destination interface - OpenVPN
| |
| | | |
− | Source IP - OpenVPN remote IP and LAN subnet of client 3
| |
| | | |
− | Destination IP - other client OpenVPN remote endpoints and LAN subnets
| |
| | | |
− | Action - Deny
| |
| | | |
− | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
| + | |
| + | |
| + | |
| + | |
| + | |
| + | |
| + | <h1>See also</h1> |
| + | <ul> |
| + | <li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li> |
| + | <li>[[How to generate TLS certificates (Windows)?]]</li> |
| + | <li>[[OpenVPN client on Windows]]</li> |
| + | <li>[[OpenVPN client on Linux]]</li> |
| + | <li>[[OpenVPN server on Windows]]</li> |
| + | <li>[[OpenVPN traffic split]]</li> |
| + | <li>[[Configuration file .ovpn upload tutorial]]</li> |
| + | </ul> |
| + | |
| + | |
| + | <h1>External links</h1> |
| + | |
| + | https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPNs |
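Review bot: the firewall rule description (Source interface - OpenVPN, Destination interface - OpenVPN, Action - Deny) only works because the server step disabled client-to-client forwarding, and neither section says so; add one sentence here that the rule sees Client 3's traffic only because OpenVPN is not forwarding between clients internally. In the same paragraph, both occurrences of "it's" ("if it's destination is OpenVPN server or it's LAN subnet") should be "its". "Source IP - OpenVPN remote IP and LAN subnet of client 3" is ambiguous; point to the "Virtual remote endpoint" value entered for Client 3 in the TLS clients step. The <h1>Testing</h1> heading is followed only by blank lines; either add the check (pings from Client 1 to Client 2's LAN succeed, pings from Client 3 to the other clients' LANs fail while pings to the server's LAN still succeed) or drop the heading. In the routes region of this hunk, "Navigate to '''Services -> VPN -> OpenVPN''' press" needs a comma before "press", and removing the CLI "ip route add 192.168.20.0/24 via 10.0.0.6" line also removes the only statement of which virtual endpoint is the next hop for Client 2's LAN; if the WebUI route form asks for a gateway, say which value to enter.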