Template:Networking rut manual vpn: Difference between revisions
Revision as of 11:09, 24 October 2023
No edit summary
Gytispieze (talk | contribs) m (Text replacement - "\{\{Template: Networking_rutos_manual_fw_disclosure (.*) (.*) (.*) (.*) \}\}" to "{{Template: Networking_device_manual_fw_disclosure | series = {{{series}}} | name = {{{name}}} | fw_version ={{Template: Networking_device_manual_latest_fw | series = {{{series}}} | name = {{{name}}} }} }}")
(87 intermediate revisions by 10 users not shown)
Line 1: | Line 1: | ||
{{Template: Networking_device_manual_fw_disclosure | |||
| series = {{{series}}} | |||
| name = {{{name}}} | |||
| fw_version ={{Template: Networking_device_manual_latest_fw | |||
| series = {{{series}}} | |||
| name = {{{name}}} | |||
}} | |||
}} | |||
==Summary== | ==Summary== | ||
<b>Virtual Private Network</b> (<b>VPN</b>) is a method of connecting multiple private networks across the Internet. VPNs can serve to achieve many different goals, but some of its main purposes are: | <b>Virtual Private Network</b> (<b>VPN</b>) is a method of connecting multiple private networks across the Internet. VPNs can serve to achieve many different goals, but some of its main purposes are: | ||
<ul> | <ul> | ||
<li>access between remote private networks;</li> | <li>providing access between remote private networks;</li> | ||
<li>data encryption | <li>providing data encryption and anonymity when browsing the Internet.</li> | ||
</ul> | </ul> | ||
This | This chapter of the user manual provides an overview of the Firewall page for {{{name}}} devices. | ||
==OpenVPN== | ==OpenVPN== | ||
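Review bot: The rewritten closing sentence of the Summary describes the wrong page: it says this chapter "provides an overview of the Firewall page", but the template is the VPN chapter, so it should read "an overview of the VPN page for {{{name}}} devices". The new second bullet also promises more than a tunnel delivers: traffic is protected from observers between the device and the VPN endpoint, but the endpoint itself sees it, so "data encryption and anonymity when browsing the Internet" is better stated as "encrypting traffic between the device and the VPN server".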
Line 18: | Line 26: | ||
===OpenVPN client=== | ===OpenVPN client=== | ||
---- | ---- | ||
An <b>OpenVPN client</b> is an entity that initiates a connection to an OpenVPN server. To create a new client instance, go to the <i>Services → VPN → OpenVPN</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add New' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list. A maximum of six OpenVPN client instances are allowed to be added. | An <b>OpenVPN client</b> is an entity that initiates a connection to an OpenVPN server. To create a new client instance, go to the '''<i>Services → VPN → OpenVPN</i>''' section, select '''<i>Role: Client</i>''', enter a custom name and click the 'Add New' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list. A maximum of six OpenVPN client instances are allowed to be added. | ||
To begin configuration, click the 'Edit' button next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields: | To begin configuration, click the 'Edit' button next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields: | ||
[[File:{{{file_openvpn_client_config}}}]] | [[File:{{{file_openvpn_client_config}}}|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 29: | Line 37: | ||
<th>Value</th> | <th>Value</th> | ||
<th>Description</th> | <th>Description</th> | ||
</tr> | |||
<tr> | |||
<td>Enable OpenVPN config from file</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Enables custom OpenVPN configuration from file.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
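Review bot: The new "Enable OpenVPN config from file" row says what it enables but not what the operator has to supply or how the file relates to the rest of the form; add which file format the upload expects and whether directives in that file take precedence over the fields configured below it, since as written a reader cannot tell which source wins when both are set.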
Line 64: | Line 77: | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
<td>Turns LZO data compression on or off.</td> | <td>Turns LZO data compression on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 87: | Line 95: | ||
</ul> | </ul> | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td>Encryption</td> | |||
<td>DES-CBC 64 | RC2-CBC 128 | DES-EDE-CBC 128 | DES-EDE3-CBC 192 | DESX-CBC 192 | RC2-40-CBC 40 | CAST5-CBC 128 | RC2-64-CBC 64 | AES-128-CFB 128 | AES-128-CFB1 128 | AES-128-CFB8 128 | AES-128-OFB 128 | AES-128-CBC 128 | AES-128-GCM 128 | AES-192-CFB 192 | AES-192-CFB1 192 | AES-192-CFB8 192 | AES-192-OFB 192 | AES-192-CBC 192 | AES-192-GCM 192 | AES-256-CFB 256 | AES-256-CFB1 256 | AES-256-CFB8 256 | AES-256-OFB 256 | AES-256-CBC 256 | AES-256-GCM 256 | none ; default: <b>BF-CBC 128</b></td> | |||
<td>Algorithm used for packet encryption.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
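Review bot: The default in the new Encryption row, "BF-CBC 128", does not appear in the row's own list of selectable values, so either the list or the default is wrong and the two need reconciling. The list also mixes 64-bit-block ciphers (DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, RC2, CAST5 and Blowfish itself) and "none" with the AES-GCM modes, while the description "Algorithm used for packet encryption" treats them all as equivalent; it should point readers to the AES-GCM entries as the recommended choice and state plainly that "none" sends tunnel payloads unencrypted.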
Line 147: | Line 160: | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Extra OpenVPN options to be used by the OpenVPN instance.</td> | <td>Extra OpenVPN options to be used by the OpenVPN instance.</td> | ||
</tr> | |||
<tr> | |||
<td>Use PKCS #12 format</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Use PKCS #12 archive file format to bundle all the members of a chain of trust.</td> | |||
</tr> | |||
<tr> | |||
<td>PKCS #12 passphrase</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Passphrase to decrypt PKCS #12 certificates.</td> | |||
</tr> | |||
<tr> | |||
<td>PKCS #12 certificate chain</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Uploads PKCS #12 certificate chain file.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
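Review bot: The new "PKCS #12 certificate chain" row has value type "string; default: none" while its description says it uploads a file; the other certificate rows in this table use a file type (".ca file", ".pem file", ".crl file"), so this one should name the accepted file type for consistency. The "PKCS #12 passphrase" row should also mention that the bundle carries the private key along with the chain, so the passphrase is what protects that key on the device and an empty one is worth calling out.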
Line 155: | Line 183: | ||
<tr> | <tr> | ||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Additional HMAC authentication</td> | <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Additional HMAC authentication</td> | ||
<td> | <td>none | Authentication only (tls-auth) | Authentication and encryption (tls-crypt); default: <b>none</b></td> | ||
<td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td> | <td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td> | ||
</tr> | </tr> | ||
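Review bot: The value list for "Additional HMAC authentication" now distinguishes "Authentication only (tls-auth)" from "Authentication and encryption (tls-crypt)", but the unchanged description only covers the tls-auth case (an HMAC on the control channel against DoS). Add a sentence that tls-crypt additionally encrypts the control channel, so certificate material exchanged during the TLS handshake is not visible on the wire, which is the reason to prefer it where both peers support it.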
Line 171: | Line 199: | ||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Certificate authority</td> | <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Certificate authority</td> | ||
<td>.ca file; default: <b>none</b></td> | <td>.ca file; default: <b>none</b></td> | ||
<td>Certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td> | <td>Certificate authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 215: | Line 243: | ||
To begin configuration, click the 'Edit' button next to the server instance. Refer to the figure and table below for information on the OpenVPN server's configuration fields: | To begin configuration, click the 'Edit' button next to the server instance. Refer to the figure and table below for information on the OpenVPN server's configuration fields: | ||
[[File:{{{file_openvpn_server_config}}}]] | [[File:{{{file_openvpn_server_config}}}|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 222: | Line 250: | ||
<th>Value</th> | <th>Value</th> | ||
<th>Description</th> | <th>Description</th> | ||
</tr> | |||
<tr> | |||
<td>Enable OpenVPN config from file</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Enables custom OpenVPN configuration from file.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 257: | Line 290: | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
<td>Turns LZO data compression on or off.</td> | <td>Turns LZO data compression on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 279: | Line 307: | ||
</ul> | </ul> | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td>Encryption</td> | |||
<td>DES-CBC 64 | RC2-CBC 128 | DES-EDE-CBC 128 | DES-EDE3-CBC 192 | DESX-CBC 192 | RC2-40-CBC 40 | CAST5-CBC 128 | RC2-64-CBC 64 | AES-128-CFB 128 | AES-128-CFB1 128 | AES-128-CFB8 128 | AES-128-OFB 128 | AES-128-CBC 128 | AES-128-GCM 128 | AES-192-CFB 192 | AES-192-CFB1 192 | AES-192-CFB8 192 | AES-192-OFB 192 | AES-192-CBC 192 | AES-192-GCM 192 | AES-256-CFB 256 | AES-256-CFB1 256 | AES-256-CFB8 256 | AES-256-OFB 256 | AES-256-CBC 256 | AES-256-GCM 256 | none ; default: <b>BF-CBC 128</b></td> | |||
<td>Algorithm used for packet encryption.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
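Review bot: Same defect as the client table's Encryption row: the server row's default "BF-CBC 128" is not one of the listed values, and the description gives no guidance on choosing between the DES/RC2/CAST5/AES/none entries; fix the default and add the same recommendation for AES-GCM and the same warning about "none" here so the two tables stay in step.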
Line 339: | Line 372: | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
<td>When enabled allows multiple clients to connect using the same certificates.</td> | <td>When enabled allows multiple clients to connect using the same certificates.</td> | ||
</tr> | |||
<tr> | |||
<td>Use PKCS #12 format</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Use PKCS #12 archive file format to bundle all the members of a chain of trust.</td> | |||
</tr> | |||
<tr> | |||
<td>PKCS #12 passphrase</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Passphrase to decrypt PKCS #12 certificates.</td> | |||
</tr> | |||
<tr> | |||
<td>PKCS #12 certificate chain</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Uploads PKCS #12 certificate chain file.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
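Review bot: The description "When enabled allows multiple clients to connect using the same certificates" needs a comma after "enabled" and should spell out the cost: once several clients share one certificate, the CRL field further down can no longer revoke a single client without cutting off all of them, and per-client settings cannot be applied, so a sentence recommending it only for testing would stop readers enabling it routinely. The three PKCS #12 rows repeat the client table's rows, including the "string" value type for what the description calls a file upload; the same value-type fix applies here.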
Line 379: | Line 427: | ||
<td>.pem file | .crl file; default: <b>none</b></td> | <td>.pem file | .crl file; default: <b>none</b></td> | ||
<td>A certificate revocation list (CRL) file is a list of certificates that have been revoked by the certificate authority (CA). It indicates which certificates are no longer acccepted by the CA and therefore cannot be authenticated to the server.</td> | <td>A certificate revocation list (CRL) file is a list of certificates that have been revoked by the certificate authority (CA). It indicates which certificates are no longer acccepted by the CA and therefore cannot be authenticated to the server.</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> Enable manual ccd upload</td> | |||
<td>yes | no; default: <b>no</b></td> | |||
<td>Enable manual upload of client-config-dir files.</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
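Review bot: The new "Enable manual ccd upload" row's label renders as "TLS/TLS/Password:" because the blue span already contains "TLS/Password:" while the red span adds another "TLS"; the other rows use "<span>TLS</span>/<span>Password:</span>", so drop the duplicate. Expand "ccd" (client-config-dir) in the label so it matches the description, and fix "acccepted" in the CRL row, which the context lines show unchanged on both sides of the diff.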
Line 400: | Line 453: | ||
The TLS Clients section can be found in the OpenVPN Server configuration window, provided that the OpenVPN server uses TLS or TLS/Password authentication methods. To create a new TLS client, type in the new client‘s name in the text field found bellow the TLS Clients tab and click the 'Add' button. Refer to the figure and table below for information on the TLS Clients' configuration fields: | The TLS Clients section can be found in the OpenVPN Server configuration window, provided that the OpenVPN server uses TLS or TLS/Password authentication methods. To create a new TLS client, type in the new client‘s name in the text field found bellow the TLS Clients tab and click the 'Add' button. Refer to the figure and table below for information on the TLS Clients' configuration fields: | ||
[[File:{{{file_openvpn_tls_clients_config}}}]] | [[File:{{{file_openvpn_tls_clients_config}}}|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
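Review bot: Two typos carried over unchanged in the TLS Clients paragraph: "bellow" should be "below", and "client‘s" uses a left single quotation mark where an apostrophe is meant.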
Line 407: | Line 460: | ||
<th>Value</th> | <th>Value</th> | ||
<th>Description</th> | <th>Description</th> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 445: | Line 493: | ||
</table> | </table> | ||
== | {{#ifeq:{{{series}}}|RUT9XX||{{Template:Networking_rut2xx_manual_vpn_ipsec | ||
| file_ipsec_config = {{{file_ipsec_config}}} | |||
| file_ipsec_phase = {{{file_ipsec_phase}}} | |||
| file_ipsec_main_mode = {{{file_ipsec_main_mode}}} | |||
| file_ipsec_aggressive_mode = {{{file_ipsec_aggressive_mode}}} | |||
| file_ipsec_psk = {{{file_ipsec_psk}}} | |||
}}}} | |||
{{#ifeq:{{{series}}}|RUT2XX||{{Template:Networking_rut9xx_manual_vpn_ipsec | |||
| file_ipsec_config = {{{file_ipsec_config}}} | |||
| file_ipsec_phase = {{{file_ipsec_phase}}} | |||
| file_ipsec_main_mode = {{{file_ipsec_main_mode}}} | |||
| file_ipsec_aggressive_mode = {{{file_ipsec_aggressive_mode}}} | |||
| file_ipsec_psk = {{{file_ipsec_psk}}} | |||
}}}} | |||
{{#ifeq:{{{series}}}|RUT9XX||{{Template:Networking_rutxxx_manual_vpn_gre | |||
| file_gre_config_main = {{{file_gre_config_main}}} | |||
| file_gre_config_routing = {{{file_gre_config_routing}}} | |||
}}}} | |||
{{#ifeq:{{{series}}}|RUT2XX||{{Template:Networking_rut9xx_manual_vpn_gre | |||
| file_gre_config_main = {{{file_gre_config_main}}} | |||
| file_gre_config_routing = {{{file_gre_config_routing}}} | |||
}}}} | |||
= | |||
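Review bot: The #ifeq guards in this region render both variants for any series that is neither RUT9XX nor RUT2XX. "{{#ifeq:{{{series}}}|RUT9XX||{{Template:Networking_rut2xx_manual_vpn_ipsec" includes the RUT2XX IPsec section whenever the series is not RUT9XX, and "{{#ifeq:{{{series}}}|RUT2XX||{{Template:Networking_rut9xx_manual_vpn_ipsec" includes the RUT9XX one whenever the series is not RUT2XX, so a third series value gets both IPsec sections back to back, and the two GRE guards below repeat the pattern. Match the intended series positively in each guard (put the template in the "then" branch of "#ifeq:{{{series}}}|RUT2XX|...") or add an explicit branch for the remaining series.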
==PPTP== | ==PPTP== | ||
Line 884: | Line 568: | ||
</tr> | </tr> | ||
</table> | </table> | ||
===PPTP server=== | ===PPTP server=== | ||
Line 925: | Line 607: | ||
<tr> | <tr> | ||
<td>User name</td> | <td>User name</td> | ||
<td>string; default: <b> | <td>string; default: <b>youruser</b></td> | ||
<td>Username used for authentication to this PPTP server.</td> | <td>Username used for authentication to this PPTP server.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Password</td> | <td>Password</td> | ||
<td>string; default: <b> | <td>string; default: <b>yourpass</b></td> | ||
<td>Password used for authentication to this PPTP server.</td> | <td>Password used for authentication to this PPTP server.</td> | ||
</tr> | </tr> | ||
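Review bot: The PPTP server table now documents "youruser" and "yourpass" as the defaults for User name and Password. If those are what the device ships with, the descriptions must say they are placeholders to be replaced before the server is enabled, because a documented default credential on a VPN server is the first thing that gets tried; if they are merely illustrative, the default should be "none" like the other credential rows on this page.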
Line 942: | Line 624: | ||
==L2TP== | ==L2TP== | ||
In computer networking, <b>Layer 2 Tunneling Protocol</b> (<b>L2TP</b>) is a tunneling protocol used to support virtual private networks (VPNs). It is more secure than PPTP but, because it encapsulates the transferred data twice, but it is slower and uses more CPU power. | In computer networking, <b>Layer 2 Tunneling Protocol</b> (<b>L2TP</b>) is a tunneling protocol | ||
used to support virtual private networks (VPNs). It is more secure than PPTP but, because | |||
it encapsulates the transferred data twice, but it is slower and uses more CPU power. | |||
===L2TP client=== | ===L2TP client=== | ||
---- | ---- | ||
An <b>L2TP client</b> is an entity that initiates a connection to an L2TP server. To create a new client instance, go to the <i>Services → VPN → L2TP</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add New' button. An L2TP client instance with the given name will appear in the "L2TP Configuration" list. | An <b>L2TP client</b> is an entity that initiates a connection to an L2TP server. To | ||
create a new client instance, go to the <i>Services → VPN → L2TP</i> section, select | |||
<i>Role: Client</i>, enter a custom name and click the 'Add New' button. An L2TP client | |||
instance with the given name will appear in the "L2TP Configuration" list. | |||
To begin configuration, click the 'Edit button located next to the client instance. Refer to the figure and table below for information on the L2TP client's configuration fields: | To begin configuration, click the 'Edit button located next to the client instance. Refer | ||
to the figure and table below for information on the L2TP client's configuration fields: | |||
[[File:{{{ | [[File:Networking_{{lc:{{{series}}}}}_vpn_l2tp_client_configuration_v1.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
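Review bot: The L2TP intro keeps a grammatical slip on both sides of the diff: "It is more secure than PPTP but, because it encapsulates the transferred data twice, but it is slower" has two "but"s; drop the first. The claim also needs qualifying: L2TP by itself only tunnels PPP and provides no encryption, so the sentence should attribute the security to running it over IPsec (the IPsec section is included above), otherwise readers may deploy plain L2TP believing it is encrypted. Separately, "'Edit button" is missing its closing quote, and the client screenshot is now hard-coded as "Networking_{{lc:{{{series}}}}}_vpn_l2tp_client_configuration_v1.png" while every other section takes its image from a {{{file_...}}} parameter; keep the parameter so callers of this template can override it.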
Line 971: | Line 659: | ||
<td>Username</td> | <td>Username</td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Username used | <td>Username used in authorization to the L2TP server.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Password</td> | <td>Password</td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td>Password used | <td>Password used in authorization to the L2TP server.</td> | ||
</tr> | |||
<tr> | |||
<td>Authentication</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Optional. Password used in L2TP tunnel CHAP authentication.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 989: | Line 682: | ||
</tr> | </tr> | ||
</table> | </table> | ||
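Review bot: In the L2TP client table, "Username used in authorization" and "Password used in authorization" should read "authentication": the credentials prove identity to the server, and what the server then permits is authorization. The new third row is labelled "Authentication" but its description is "Password used in L2TP tunnel CHAP authentication", so the label does not say what the field holds; rename it to something like "Tunnel password" and state how it differs from the Password row two rows above, or readers cannot tell the two secrets apart.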
===L2TP server=== | ===L2TP server=== | ||
Line 1,000: | Line 691: | ||
To begin configuration, click the 'Edit' button located next to the server instance. Refer to the figure and table below for information on the L2TP server's configuration fields: | To begin configuration, click the 'Edit' button located next to the server instance. Refer to the figure and table below for information on the L2TP server's configuration fields: | ||
[[File: | [[File:Networking_rutxxx_vpn_l2tp_server_configuration_v1.png]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 1,045: | Line 736: | ||
</table> | </table> | ||
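Review bot: The server screenshot "[[File:Networking_rutxxx_vpn_l2tp_server_configuration_v1.png]]" is hard-coded and lacks the "|border|class=tlt-border" suffix added to the other images in this revision; use a {{{file_...}}} parameter and the same suffix as the rest of the page.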
== | ==SSTP== | ||
<b> | <b>Secure Socket Tunneling Protocol</b> (<b>SSTP</b>) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel. | ||
===SSTP configuration=== | |||
---- | |||
To create a new SSTP instance, go to the <i>Services → VPN → SSTP</i> section, enter a custom name and click the 'Add' button. An SSTP instance with the given name will appear in the "SSTP Configuration" list. | |||
To begin configuration, click the 'Edit' button located next to the instance. Refer to the figure and table below for information on the SSTP instance's configuration fields: | |||
[[File:{{{ | [[File:{{{file_sstp_config}}}]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
<th>Field | <th>Field</th> | ||
<th>Value</th> | <th>Value</th> | ||
<th>Description</th> | <th>Description</th> | ||
Line 1,066: | Line 757: | ||
<td>Enabled</td> | <td>Enabled</td> | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
<td>Turns the | <td>Turns the SSTP instance on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Use as default gateway</td> | ||
<td>yes | no; default: <b>no</b></td> | <td>yes | no; default: <b>no</b></td> | ||
<td> | <td>When turned on, this connection will become the router's default route. This means that all traffic directed to the Internet will go through the L2TP server and the server's IP address will be seen as this device's source IP to other hosts on the Internet.<br><b>NOTE</b>: this can only be used when [[{{{name}}} _WAN#Operation_Modes|WAN Failover]] is turned off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
< | <td>Server IP address</td> | ||
< | <td>ip | host; default: <b>none</b></td> | ||
< | <td>IP address or hostname of an SSTP server.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Username</td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td> | <td>Username used for authentication to the SSTP server.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>Password</td> | ||
<td>string; default: <b>none</b></td> | <td>string; default: <b>none</b></td> | ||
<td> | <td>Password used for authentication to the SSTP server.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td>CA cert</td> | ||
<td>.crt file; default: <b>none</b></td> | <td>.crt file; default: <b>none</b></td> | ||
<td> | <td>Uploads a Certificate authority (CA) file.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
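Review bot: Copy-paste error in the SSTP "Use as default gateway" description: it says all Internet traffic "will go through the L2TP server", but this is the SSTP table, so it should say "the SSTP server". The "CA cert" row should also state what happens when the field is left at its default of "none", i.e. whether the server certificate is still verified against a trust store or whether the connection then accepts any certificate; that one sentence decides whether the "secure SSL/TLS channel" promised in the section intro actually authenticates the server.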
{{#ifeq:{{{series}}}| | {{#ifeq:{{{series}}}|RUT2XX||{{Template:Networking_rut9xx_manual_vpn_stunnel | ||
| file_stunnel_globals = {{{file_stunnel_globals}}} | |||
| file_stunnel_client_server_config = {{{file_stunnel_client_server_config}}} | |||
| name = {{{name}}} | |||
}}}} | |||
{{#ifeq:{{{series}}}|RUT9XX||{{Template:Networking_rut2xx_manual_vpn_stunnel | |||
| file_stunnel_globals = {{{file_stunnel_globals}}} | |||
| file_stunnel_client_server_config = {{{file_stunnel_client_server_config}}} | |||
| name = {{{name}}} | |||
}}}} | |||
{{#ifeq:{{{series}}}|RUT2XX||{{Template:Networking_rutxxx_manual_vpn_dmvpn | |||
| file_dmvpn_config = {{{file_dmvpn_config}}} | | file_dmvpn_config = {{{file_dmvpn_config}}} | ||
| file_dmvpn_gre_config = {{{file_dmvpn_gre_config}}} | | file_dmvpn_gre_config = {{{file_dmvpn_gre_config}}} | ||
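Review bot: The Stunnel guards have the same both-branches problem as the IPsec and GRE ones: "#ifeq:{{{series}}}|RUT2XX||...rut9xx_manual_vpn_stunnel" and "#ifeq:{{{series}}}|RUT9XX||...rut2xx_manual_vpn_stunnel" both render for a series that is neither, producing two Stunnel sections. Match the intended series positively in each guard instead of excluding the other one.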
Line 1,189: | Line 805: | ||
}}}} | }}}} | ||
[[Category:{{{name}}} | {{Template:Networking_rutxxx_manual_vpn_zerotier | ||
| name = {{{name}}} | |||
| file_zerotier_general = {{{file_zerotier_general}}} | |||
| file_zerotier_vpn = {{{file_zerotier_vpn}}} | |||
}} | |||
[[Category:{{{name}}} Services section]] |