
Template:Networking rutos manual vpn: Difference between revisions

no edit summary
No edit summary
No edit summary
(29 intermediate revisions by 6 users not shown)
Line 1: Line 1:
<!-- Template uses {{{name}}}, {{{series}}}    -->
<!-- Template uses {{{name}}}, {{{series}}}    -->
{{Template:Networking_rutos_manual_fw_disclosure
{{Template: Networking_rutos_manual_fw_disclosure
| fw_version = {{{series}}}_R_00.02.06.1
| fw_version ={{Template: Networking_rutos_manual_latest_fw
| series    = {{{series}}}
| series = {{{series}}}
| name  = {{{name}}}
}}
}}
}}
{{#ifeq: {{{legacy}}} | 1 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version RUT9XX_R_00.06.08.2 and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT9 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT9XX}} and earlier) user manual page.</i>|}}
{{#ifeq: {{{series}}} | RUT2 |<br><i><b>Note</b>: <b>[[{{{name}}} VPN (legacy WebUI)|click here]]</b> for the old style WebUI (FW version {{Template: Networking_rutos_manual_latest_fw | series = RUT2XX}} and earlier) user manual page.</i>|}}
==Summary==
==Summary==


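Review bot: the legacy-WebUI note no longer keys on `{{{legacy}}}` but on `{{{series}}}` being `RUT9` or `RUT2`, so any caller still passing `legacy = 1` silently loses the note; either keep the `{{{legacy}}}` branch for one release or update every caller in the same change. The two new branches also compare `{{{series}}}` against `RUT9`/`RUT2` while passing `series = RUT9XX`/`RUT2XX` into `Networking_rutos_manual_latest_fw`; confirm that template expects the `XX` form, otherwise the FW version inside the note renders empty.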
Line 20: Line 23:
<b>OpenVPN</b> is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It is often regarded as being the most universal VPN protocol because of its flexibility, support of SSL/TLS security, multiple encryption methods, many networking features and compatibility with most OS platforms.
<b>OpenVPN</b> is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It is often regarded as being the most universal VPN protocol because of its flexibility, support of SSL/TLS security, multiple encryption methods, many networking features and compatibility with most OS platforms.


{{{name}}} devices run OpenVPN version <b>2.4.5</b>.
{{{name}}} devices run OpenVPN version <b>2.5.3</b>.


===OpenVPN Client===
===OpenVPN Client===
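Review bot: the OpenVPN version remains a hard-coded literal (2.4.5 changed to 2.5.3) while the firmware version in the header above was just moved into `Networking_rutos_manual_latest_fw`; consider sourcing the OpenVPN version from a template the same way, or it will drift from the shipped binary again on the next firmware bump.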
Line 26: Line 29:
An <b>OpenVPN client</b> is an entity that initiates a connection to an OpenVPN server. To create a new client instance, go to the <i>Services → VPN → OpenVPN</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list.
An <b>OpenVPN client</b> is an entity that initiates a connection to an OpenVPN server. To create a new client instance, go to the <i>Services → VPN → OpenVPN</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add' button. An OpenVPN client instance with the given name will appear in the "OpenVPN Configuration" list.


To begin configuration, click the button that looks liek a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields:
To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields:


[[File:Networking_trb2_vpn_openvpn_client_configuration_v2.png|border|class=tlt-border|]]
[[File:Networking_trb2_vpn_openvpn_client_configuration_v2.png|border|class=tlt-border|]]
Line 286: Line 289:
     <tr>
     <tr>
     <td>Protocol</td>
     <td>Protocol</td>
         <td>UDP {{!}} TCP{{#ifeq:{{{series}}}|RUTX| {{!}} UDP6 {{!}} TCP6}}; default: <b>UDP</b></td>
         <td>UDP {{!}} TCP{{#ifeq:{{{series}}}|RUTX| {{!}} <span style="color: #20C0D7;"><b>UDP6</b></span> {{!}} <span style="color: #20C0D7;"><b>TCP6</b></span>}}; default: <b>UDP</b></td>
         <td>Transfer protocol used by the OpenVPN connection.
         <td>Transfer protocol used by the OpenVPN connection.
             <ul>
             <ul>
Line 292: Line 295:
                 <li><b>User Datagram Protocol</b> (<b>UDP</b>) - packets are sent to the recipient without error-checking or back-and-forth quality control, meaning that when packets are lost, they are gone forever. This makes it less reliable but faster than TCP; therefore, it should be used when transfer speed is crucial (for example, video streaming, live calls).</li>
                 <li><b>User Datagram Protocol</b> (<b>UDP</b>) - packets are sent to the recipient without error-checking or back-and-forth quality control, meaning that when packets are lost, they are gone forever. This makes it less reliable but faster than TCP; therefore, it should be used when transfer speed is crucial (for example, video streaming, live calls).</li>
             </ul>
             </ul>
         </td>
         </td>Which SERVER LAN networks should be reachable from this client
     </tr>
     </tr>
     <tr>
     <tr>
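Review bot: the new revision leaves stray text after the closing cell of the Protocol row (`</td>Which SERVER LAN networks should be reachable from this client`), so it sits directly inside `<tr>` and renders outside any cell. It reads like the description meant for the 'Covered Network' row added to the TLS Clients table later in this diff; move it there or delete it.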
Line 368: Line 371:
     <tr>
     <tr>
     <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> Virtual network IP address</td>
     <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> Virtual network IP address</td>
         <td>ip; default: <b>none</b></td>
         <td>ip4; default: <b>none</b></td>
         <td>IP address of the OpenVPN network.</td>
         <td>IPv4 address of the OpenVPN network.</td>
     </tr>
     </tr>
     <tr>
     <tr>
Line 375: Line 378:
         <td>netmask; default: <b>none</b></td>
         <td>netmask; default: <b>none</b></td>
         <td>Subnet mask of the OpenVPN network.</td>
         <td>Subnet mask of the OpenVPN network.</td>
    </tr>
    <tr>
    <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> <span style="color: #20C0D7;"><b>Virtual network IPv6 address</b></span></td>
        <td>ip6; default: <b>none</b></td>
        <td>IPv6 address of the OpenVPN network.</td>
     </tr>
     </tr>
     <tr>
     <tr>
Line 446: Line 454:
The TLS Clients section can be found in the OpenVPN Server configuration window, provided that the OpenVPN server uses TLS or TLS/Password authentication methods. To create a new TLS client, type in the new client‘s name in the text field found bellow the TLS Clients tab and click the 'Add' button. Refer to the figure and table below for information on the TLS Clients' configuration fields:
The TLS Clients section can be found in the OpenVPN Server configuration window, provided that the OpenVPN server uses TLS or TLS/Password authentication methods. To create a new TLS client, type in the new client‘s name in the text field found bellow the TLS Clients tab and click the 'Add' button. Refer to the figure and table below for information on the TLS Clients' configuration fields:


[[File:Networking_rutx_vpn_openvpn_tls_clients_configuration_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_openvpn_tls_clients.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
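Review bot: the TLS Clients paragraph is touched only for the screenshot swap, but it still says 'found bellow the TLS Clients tab' and uses a curly ‘ in 'client‘s'; fix 'below' and the apostrophe while this section is being edited.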
Line 483: Line 491:
         <td>netmask; default: <b>none</b></td>
         <td>netmask; default: <b>none</b></td>
         <td>Client’s private network (LAN) IP netmask.</td>
         <td>Client’s private network (LAN) IP netmask.</td>
    </tr>
    <tr>
    <td>Covered Network</td>
        <td>network(); default: <b>none</b></td>
        <td>Selects which networks should be made accessible to this client.</td>
     </tr>
     </tr>
</table>
</table>
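Review bot: the new 'Covered Network' row gives its value type as `network()`, which matches no other type on the page (`ip4`, `netmask`, `string`, `integer`) and looks like an unfinished placeholder; state the real type and allowed values (for example the LAN interface names offered by the selector) in the same form as the surrounding rows. The row also uses four-space indentation where the rest of the table uses five.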
Line 635: Line 648:
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> Key</td>
     <td><span style="color:darkred">X.509:</span> Key</td>
         <td>.key file; default: <b>none</b></td>
         <td>.der file; default: <b>none</b></td>
         <td>A public key file.</td>
         <td>A public key file.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> Local Certificate</td>
     <td><span style="color:darkred">X.509:</span> Local Certificate</td>
         <td>.pem file; default: <b>none</b></td>
         <td>.der file; default: <b>none</b></td>
         <td>A local certificate file.</td>
         <td>A local certificate file.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td><span style="color:darkred">X.509:</span> CA Certificate</td>
     <td><span style="color:darkred">X.509:</span> CA Certificate</td>
         <td>.crt file; default: <b>none</b></td>
         <td>.der file; default: <b>none</b></td>
         <td>A certificate authority file.</td>
         <td>A certificate authority file.</td>
     </tr>
     </tr>
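Review bot: all three X.509 file types are changed to `.der`, but the 'Key' row still reads 'A public key file.' In an X.509 setup the public key travels inside the Local Certificate, so the separate Key file is normally the private key; if that is the case here, the description is wrong and should say so, because it tells the administrator what material is being uploaded to the device. Also confirm that the UI really stopped accepting `.key`/`.pem`/`.crt` inputs; if PEM is still accepted, keep those types listed alongside `.der`.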
Line 667: Line 680:
             </ul>
             </ul>
         </td>
         </td>
    </tr>
    <tr>
      <td>Multiple secrets</td>
      <td>off {{!}} on; default: <b>off</b></td>
      <td>Enable to show <b>Global Secret Settings</b> section for configuring multiple secrets.</td>
     </tr>
     </tr>
</table>
</table>
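Review bot: the new 'Multiple secrets' row points to a '<b>Global Secret Settings</b>' section, while the heading added later in this diff reads 'Global Secrets Settings'; use one spelling so the cross-reference matches the heading.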
Line 679: Line 697:
     </li>
     </li>
</ul>
</ul>
====Global Secrets Settings====
----
This section is displayed when <b>Multiple secrets</b> is enabled in General settings. You can add new instances by pressing <b>Add</b>.
[[File:Networking_rutos_vpn_ipsec_ipsec_instance_general_settings_global_secrets_settings.png|border|class=tlt-border]]
<table class="nd-mantable">
    <tr>
        <th>Field</th>
      <th>Value</th>
      <th>Description</th>
    </tr>
    <tr>
    <td>ID Selector</td>
        <td>%any, IP or FQDN; default: <b>none</b></td>
        <td>Each secret can be preceded by a list of optional ID selectors. A selector is an IP address, a Fully Qualified Domain Name, user@FQDN or %any. When using IKEv1 use IP address.</br><b>NOTE:</b> IKEv1 only supports IP address ID selector.</td>
    </tr>
    <tr>
      <td>Type</td>
      <td>psk {{!}} xauth; default: <b>psk</b></td>
      <td>IPSec secret type.</br><b>NOTE:</b> XAUTH secrets are IKEv1 only.</td>
    </tr>
    <tr>
      <td>Secret</td>
      <td>string; default: <b>none</b></td>
      <td>A shared password to authenticate between the peers. Minimum length is 5 symbols. All characters are allowed except `.</td>
    </tr>
</table>


====Advanced Settings====
====Advanced Settings====
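Review bot: `</br>` on the ID Selector and Type rows is not a valid tag (there is no closing form of `br`); use `<br>`. The ID Selector description says the same thing twice ('When using IKEv1 use IP address' and the NOTE that IKEv1 only supports IP address selectors); keep just the NOTE. The Type row writes 'IPSec' while the rest of the page uses 'IPsec'. On the Secret row, 'Minimum length is 5 symbols' documents a UI floor for a pre-shared key, not a recommendation, so add that a long random secret should be used; and state why the backtick is disallowed (presumably it delimits the secret in the generated configuration) so readers understand the constraint rather than guessing at it.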
Line 753: Line 800:
     <tr>
     <tr>
     <td><span style="color: purple;">Transport:</span> Bind to</td>
     <td><span style="color: purple;">Transport:</span> Bind to</td>
         <td>GRE interface; default: <b>none</b></td>
         <td>GRE interface; L2TP interface; default: <b>none</b></td>
         <td>Bind to GRE interface to create GRE over IPsec.</td>
         <td>Bind to GRE or L2TP interface to create GRE/L2TP over IPsec.</td>
     </tr>
     </tr>
     <tr>
     <tr>
Line 780: Line 827:
====Advanced settings====
====Advanced settings====
----
----
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_ipsec_connection_settings_advanced_settings.png|border|class=tlt-border]]


Line 808: Line 854:
         <td>off {{!}} on; default: <b>on</b></td>
         <td>off {{!}} on; default: <b>on</b></td>
         <td>Adds necessary firewall rules to allow traffic of from the opposite IPsec instance on this device.</td>
         <td>Adds necessary firewall rules to allow traffic of from the opposite IPsec instance on this device.</td>
    </tr>
    <tr>
    <td>Compatibility mode</td>
        <td>off {{!}} on; default: <b>off</b></td>
        <td>Turns on compatibility mode to help deal with a 3rd party remote peer with multiple subnets.</td>
     </tr>
     </tr>
     <tr>
     <tr>
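Review bot: 'Turns on compatibility mode to help deal with a 3rd party remote peer with multiple subnets' does not say what the mode changes; a toggle that alters IPsec negotiation for interoperability should spell out its effect (for example, whether it negotiates a separate child SA per subnet pair) so administrators can judge what it relaxes. In the unchanged context line just above, 'allow traffic of from the opposite IPsec instance' has a stray 'of'.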
Line 828: Line 879:
         <td>integer; default: <b>none</b></td>
         <td>integer; default: <b>none</b></td>
         <td>The frequency of sending R_U_THERE messages or INFORMATIONAL exchanges to peer.</td>
         <td>The frequency of sending R_U_THERE messages or INFORMATIONAL exchanges to peer.</td>
    </tr>
    <tr>
    <td><span style="color: #0054a6;">Dead Peer Detection:</span> DPD Timeout</td>
        <td>integer; default: <b>none</b></td>
        <td>Defines the timeout interval, after which all connections to a peer are deleted in case of inactivity.</td>
    </tr>
    <tr>
    <td>XAuth identity</td>
        <td>string; default: <b>none</b></td>
        <td>The identity/username the client uses to reply to an XAuth request. If not defined, the IKEv1 identity will be used as XAuth identity.</td>
     </tr>
     </tr>
     <tr>
     <tr>
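Review bot: the new 'DPD Timeout' row (and the DPD interval row above it) gives 'integer' with no unit; state whether the value is in seconds. 'Deleted in case of inactivity' should also say inactivity of what (no reply to the R_U_THERE or INFORMATIONAL probes named in the row above), so it is clear this is a dead-peer timer and not an idle-traffic timer. The 'XAuth identity' row should carry the same 'IKEv1 only' note given for XAUTH secrets in Global Secrets Settings.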
Line 973: Line 1,034:
     <tr>
     <tr>
     <td>DH group</td>
     <td>DH group</td>
         <td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521; default: <b>MODP1536</b></td>
         <td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521 {{!}} No PFS; default: <b>MODP1536</b></td>
         <td>Diffie-Hellman (DH) group used in the key exchange process. Higher group numbers provide more security, but take longer and use more resources to compute the key. Must match with another incoming connection to establish IPSec. </td>
         <td>Diffie-Hellman (DH) group used in the key exchange process. Higher group numbers provide more security, but take longer and use more resources to compute the key. Must match with another incoming connection to establish IPSec. </td>
     </tr>
     </tr>
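Review bot: 'No PFS' is added to the 'DH group' list that the description ties to the key exchange itself, but a DH exchange is mandatory for IKE; PFS is a property of the child-SA rekey, which the separate 'PFS group' row already covers. Confirm the option belongs on this row and not only on 'PFS group'. While the list is edited, 'Higher group numbers provide more security' should also warn that MODP768 and MODP1024 are below current minimums and are listed only for legacy peers.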
Line 1,000: Line 1,061:
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Hash algorithm</td>
     <td>Encryption algorithm</td>
         <td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>AES 128</b></td>
         <td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>3DES</b></td>
         <td>Algorithm used for data encryption.</td>
         <td>Algorithm used for data encryption.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>Hash algorithm</td>
     <td>Hash algorithm</td>
         <td>MD5 {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>SHA1</b></td>
         <td>MD5 {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>MD5</b></td>
         <td>Algorithm used for exchanging authentication and hash information.</td>
         <td>Algorithm used for exchanging authentication and hash information.</td>
     </tr>
     </tr>
     <tr>
     <tr>
     <td>PFS group</td>
     <td>PFS group</td>
         <td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521; default: <b>MODP1536</b></td>
         <td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521 {{!}} No PFS; default: <b>MODP768</b></td>
         <td>The PFS (Perfect Forward Secrecy). Must match with another incoming connection to establish IPSec. </td>
         <td>The PFS (Perfect Forward Secrecy). Must match with another incoming connection to establish IPSec. </td>
     </tr>
     </tr>
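Review bot: correcting the row label to 'Encryption algorithm' is right, but this hunk also downgrades every documented default: encryption AES 128 to 3DES, hash SHA1 to MD5, PFS group MODP1536 to MODP768. If these really are the firmware defaults, each description should mark them as legacy algorithms and point administrators to AES, SHA-2 and MODP2048 or stronger; if they are not, this looks like a transcription error and should be checked against the device before merging.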
Line 1,038: Line 1,099:
You should be redirected to the configuration page for the newly added PPTP Client which should look similar to this:
You should be redirected to the configuration page for the newly added PPTP Client which should look similar to this:


[[File:Networking_rutos_vpn_pptp_client.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_pptp_client_v2.png|border|class=tlt-border]]


<table class="nd-mantable">
<table class="nd-mantable">
Line 1,065: Line 1,126:
       <td>string; default: <b>none</b></td>
       <td>string; default: <b>none</b></td>
       <td>Password used for authentication to the PPTP server.</td>
       <td>Password used for authentication to the PPTP server.</td>
     </tr><tr>
     </tr>
    <tr>
      <td>Client to client</td>
      <td>off {{!}} on; default: <b>off</b></td>
      <td>Adds route to make other PPTP clients reachable.</td>
    </tr>
    <tr>
       <td>Default route</td>
       <td>Default route</td>
       <td>off {{!}} on; default: <b>off</b></td>
       <td>off {{!}} on; default: <b>off</b></td>
Line 1,125: Line 1,192:
</table>
</table>
----
----
The <b>User List</b> section is used to user authentication settings required to successfully connect to this server. The list is empty by default. Click the 'Add' button to create a new PPTP User:
The <b>User List</b> section is used to keep authentication settings required to successfully connect to this server. The list is empty by default. Click the 'Add' button to create a new PPTP User:


[[File:Networking_rutos_vpn_pptp_server_user_list_add_button.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_pptp_server_user_list_add_button.png|border|class=tlt-border]]
Line 1,154: Line 1,221:
</table>
</table>


<b>Note:</b> there can only one PPTP Server configuration on the device.
<b>Note:</b> there can only be one PPTP Server configuration on the device.


==SSTP==
==SSTP==


<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
<b>Secure Socket Tunneling Protocol</b> (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
{{#ifeq: TRB1 | RUTX | |  
{{#ifeq: {{{series}}} | RUTX | |  
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
</br><u><b>Note:</b> SSTP is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
}}
}}
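Review bot: replacing the hard-coded `TRB1` with `{{{series}}}` fixes the SSTP install note being shown for every series, RUTX included, since `TRB1` never equalled `RUTX`. The `</br>` in the note text is still not a valid tag and should be `<br>`.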
Line 1,771: Line 1,838:
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Networks/td>
       <td>Networks</td>
       <td>hex string; default: <b>none</b></td>
       <td>hex string; default: <b>none</b></td>
       <td>ZeroTier Network ID. Log in to your ZeroTier account in order to locate the ZeroTier Network ID, which should be a string of hexadecimal characters.</td>
       <td>ZeroTier Network ID. Log in to your ZeroTier account in order to locate the ZeroTier Network ID, which should be a string of hexadecimal characters.</td>
     </tr>
     </tr>
     <tr>
     <tr>
       <td>Port/td>
       <td>Port</td>
       <td>integer [0..65535]; default: <b>none</b></td>
       <td>integer [0..65535]; default: <b>none</b></td>
       <td>ZeroTier Network port.</td>
       <td>ZeroTier Network port.</td>
     </tr>
     </tr>
</table>
</table>
<!--
 
==WireGuard==
==WireGuard==


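Review bot: dropping the `<!--` here (with the matching `-->` removed in the last hunk of this diff) publishes the WireGuard section that was previously commented out; make sure its contents still match the current firmware before it goes live, since it was hidden deliberately. The Port row gives `integer [0..65535]`; if 0 is not accepted as a ZeroTier port, the range should start at 1.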
Line 1,789: Line 1,856:
might be regarded as the most secure, easiest to use, and simplest VPN solution.
might be regarded as the most secure, easiest to use, and simplest VPN solution.


<u><b>Note:</b> WireGuard is additional software that can be installed from the <b>Services → [[{{{name}}} Package Manager|Package Manager]]</b> page.</u>
WireGuard works by adding an interface which acts as a tunnel. To create one enter its name and click the <b>Add</b> button. This should add a new Wireguard instance and open a configuration window.
 
WireGuard works by adding an interface which acts as a tunnel. To create one enter its name and click the <b>Add</b> button.  
To configure it click the <b>Edit</b> [[File:Networking_rutx_manual_edit_button_v1.png]] button.


[[File:Networking_rutx_vpn_wireguard_v1.png|border|class=tlt-border]]
[[File:Networking_rutx_vpn_wireguard_v1.png|border|class=tlt-border]]


===General Instance Settings===
===General Instance Settings===
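Review bot: the Package Manager install note for WireGuard is removed while the SSTP section keeps its equivalent; if WireGuard is now built into the firmware, say so, otherwise the note should stay. The new paragraph also writes 'Wireguard' where the rest of the section uses 'WireGuard', and it changes the described behaviour (old text: click the Edit button to configure; new text: adding the instance opens the configuration window), so confirm which one the current UI does.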
Line 1,948: Line 2,011:
     </tr>
     </tr>
</table>
</table>
-->
 
[[Category:{{{name}}} Services section]]
[[Category:{{{name}}} Services section]]