OpenVPN Access Control: Difference between revisions

Topology changes
m (Topology and summary)
(Topology changes)
 
(20 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<h1>Introduction</h1>
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.06.6'''] firmware version .</p>
 
=Introduction=


Normally, OpenVPN Client access is controlled by enabling or disabling the Client to Client button in OpenVPN Servers configuration, however, at times, more granular control is required. In this example, we will configure an OpenVPN server with 3 Clients:
Normally, OpenVPN Client access is controlled by enabling or disabling the Client to Client button in OpenVPN Servers configuration, however, at times, more granular control is required. In this example, we will configure an OpenVPN server with 3 Clients:


<ul>
<ul>
<li> Client 1 will be able to communicate with Client 2 and OpenVPN server</li>
#<li> Client 1 will be able to communicate with Client 2 and OpenVPN server</li>
<li> Client 2 will be able to communicate with Client 1 and OpenVPN server</li>
#<li> Client 2 will be able to communicate with Client 1 and OpenVPN server</li>
<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
</ul>
</ul>


<h1>Topology</h1>
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
=Topology=


[[File:OpenVPN Topology v1.png|none|thumb|alt=|1000x1000px]]
[[File:OpenVPN Topology v4.png|none|border|left|class=tlt-border|1000x1000px]]




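Review bot: the firmware notice added at the top of this hunk has no space between the URL and its label in `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.06.6''']`, so the bold version string is parsed as part of the link target rather than as the link text; insert a space before `'''00.07.06.6'''` and drop the stray space before the final period in "firmware version .". The new intro list prefixes each `<li>` with `#`, mixing wiki numbered-list syntax with HTML list markup; pick one. This hunk also drops the only hint that some settings are hidden unless "Advanced mode" is on (the removed line "If You have trouble seeing any of the settings, be sure to enable Advanced mode" and its GIF), and the following hunk removes the matching "Connect to WebUI and enable Advanced mode" step, so consider keeping one mention near the Topology or server section.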
Line 20: Line 24:
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
</ul>
</ul>
=Generating certificates for an OpenVPN server=


<h1>Generating certificates for an OpenVPN server</h1>
Navigate to '''System → Administration → Certificates → Generate Certificate'''


1)Navigate to '''System -> Administration -> Certificates'''
Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:


2)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons:
&emsp;1. CA


2.1) CA
&emsp;2. Server


2.2) Server
In Certificate Manager download Server certificate.


3) In Certificate Manager download Server certificate
[[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]]
 
For any OpenVPN clients, You will need to generate “'''Client'''” certificates, download the certificate and key, and send them to the client


There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
[[How to generate TLS certificates (Windows)?]]
[[How to generate TLS certificates (Windows)?]]
=Creating an OpenVPN server=


[[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]]
Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Server role''' with these settings:


For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client


<h1>Creating an OpenVPN server</h1>
[[File:OpenVPN server settings v3.png|none|border|left|class=tlt-border]]


1) Connect to WebUI and enable Advanced mode
1 - <b>Client to client</b> – disabled


[[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]]
2 - <b>Virtual network IP address</b> – 10.0.0.0


2) Navigate to '''Services -> VPN -> OpenVPN'''
3 - <b>Virtual network netmask</b> – 255.255.255.224


3) Add a new OpenVPN instance with a Server role
4 - <b>Certificate files from device</b> - on


4) Create an OpenVPN server with these settings


Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online.


[[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]]
[[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]]
=Connecting clients to the OpenVPN server=


<ul>
Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Client role''' with these settings:
<li>Virtual network IP address 10.0.0.0</li>
 
<li>Virtual network netmask – 255.255.255.224</li>
[[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]
<li>Client to client – disabled</li>
 
<li>Certificate files from device - on</li>
&emsp;&emsp; 1 - '''Remote host/IP address''' - Public IP of the OpenVPN server's router
</ul>
 
&emsp;&emsp; 2 - '''Remote network IP address''' - 10.0.0.0


5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online
&emsp;&emsp; 3 - '''Remote network netmask''' - 255.255.255.224


[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
&emsp;&emsp; 4 - '''Add the certificates from the OpenVPN server''' - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step.


<h1>Connecting clients to the OpenVPN server</h1>


1) Navigate to '''Services -> VPN -> OpenVPN'''
Press "'''Save & Apply'''", enable OpenVPN client, and check if the connection is made


2) Add a new OpenVPN instance with a Client role
[[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]]


3) Create an OpenVPN client with these settings
Repeat this step for as many clients as You need. For this example, we will have 3 clients.
=Client to Client LAN network communication=
==TLS Clients==


[[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]]
On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add '''TLS clients''' which LAN address You want to have access to, in our case, we add all 3 clients:
===TLS Client 1===
----
[[File:TLS Client1 v3.png|none|border|left|class=tlt-border]]
===TLS Client 2===
----
[[File:TLS Client2 v3.png|none|border|left|class=tlt-border]]
===TLS Client 3===
----
[[File:TLS Client3 v3.png|none|border|left|class=tlt-border]]


<ul>
<ul>
<li>Remote host/IP address - Public IP of the OpenVPN server's router</li>
<li>'''Common name''' - common name of the certificate which was generated previously</li>
<li>Remote network IP address - 10.0.0.0</li>
<li>'''Virtual local endpoint''' - client’s local address in the virtual network</li>
<li>Remote network netmask - 255.255.255.224</li>
<li>'''Virtual remote endpoint''' - client’s remote address in the virtual network</li>
<li>And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step</li>
<li>'''Private network''' - client's LAN subnet</li>
<li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
</ul>
</ul>
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made
==Firewall Zones==


[[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]]
This step should be done on OpenVPN '''server and all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.


5) Repeat this step for as many clients as You need. For this example, we will have 3 clients
Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.


<h1>Client to Client LAN network communication</h1>
[[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]]
==Routes to LAN subnets==


1) On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add TLS clients
Create a route to other client LAN networks using WebUI. This step should be done on '''all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.


Add clients which LAN address You want to have access to, in our case, we add all 3 clients


[[File:TLS Client 1 v2.png|none|thumb|alt=|1000x1000px]]
Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
[[File:TLS Client 2.png|none|thumb|alt=|1000x1000px]]
[[File:TLS Client 3.png|none|thumb|alt=|1000x1000px]]


(In some cases, pushing routes to LAN addresses from the OpenVPN server to clients, breaks routing on the clients, so doing it from the client side is safer, but more time consuming)


<ul>
[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
<li>Common name - common name of the certificate which was generated previously</li>
=Controlling access with firewall=
<li>Virtual local endpoint - client’s local address in the virtual network</li>
<li>Virtual remote endpoint - client’s remote address in the virtual network</li>
<li>Private network - client's LAN subnet</li>
<li>Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
</ul>


This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
Navigate to '''Network -> Firewall -> Access Control''' and create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks.


1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN
[[File:Deny Client3 rule v2.png|none|border|left|class=tlt-border]]


[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]]


&emsp;&emsp; 1 - '''Protocol''' - All protocols


&emsp;&emsp; 2 - '''Source zone''' - OpenVPN


Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
&emsp;&emsp; 3 - '''Source IP''' - OpenVPN remote IP and LAN subnet of client 3


1) Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets.
&emsp;&emsp; 4 - '''Destination zone''' - OpenVPN


[[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]]
&emsp;&emsp; 5 - '''Destination address''' - other client OpenVPN remote endpoints and LAN subnets


<h1>Controlling access with firewall</h1>
&emsp;&emsp; 6 - '''Action''' - Deny


1) Navigate to '''Network -> Firewall -> Access Control'''


2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.
=Testing the setup=


[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]
If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting:


<ul>
<li>Source interface - OpenVPN</li>
<li>Destination interface - OpenVPN</li>
<li>Source IP - OpenVPN remote IP and LAN subnet of client 3</li>
<li>Destination IP - other client OpenVPN remote endpoints and LAN subnets</li>
<li>Action - Deny</li>
</ul>
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
<h1>Testing the setup</h1>


Client 1 to Client 2
Client 1 to Client 2


  Pinging 192.168.20.193 with 32 bytes of data:
  Pinging 192.168.20.193 from 192.168.10.216 with 32 bytes of data:
  Reply from 192.168.20.194: bytes=32 time=172ms TTL=125
  Reply from 192.168.20.194: bytes=32 time=172ms TTL=125
  Reply from 192.168.20.194: bytes=32 time=114ms TTL=125
  Reply from 192.168.20.194: bytes=32 time=114ms TTL=125
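Review bot: the deny rule in the new "Controlling access with firewall" list (steps 3 and 5) is a denylist keyed on an enumerated set of destinations ("other client OpenVPN remote endpoints and LAN subnets"), so any client or LAN subnet added to the server later is reachable from Client 3 until someone remembers to extend the rule. Since the destination zone is already OpenVPN, consider leaving the destination address unrestricted so the rule denies all Client 3 traffic forwarded back into the tunnel; traffic to the server's LAN crosses into the LAN zone and stays unaffected, which is the behaviour the closing sentence describes, but re-test reachability of the server itself after the change. Minor: "if it's destination is OpenVPN server or it's LAN subnet" should read "its" in both places. In the "Client 1 to Client 2" test at the end of the hunk the target is 192.168.20.193 but the replies come from 192.168.20.194; either the pasted output was edited or a different host answered, so the capture should be re-taken.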
Line 151: Line 155:
Client 1 to Client 3
Client 1 to Client 3


  Pinging 192.168.30.178 with 32 bytes of data:
  Pinging 192.168.30.178 from 192.168.10.216 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
Line 159: Line 163:
Client 2 to Client 1
Client 2 to Client 1


  Pinging 192.168.10.216 with 32 bytes of data:
  Pinging 192.168.10.216 from 192.168.20.193 with 32 bytes of data:
  Reply from 192.168.10.216: bytes=32 time=185ms TTL=125
  Reply from 192.168.10.216: bytes=32 time=185ms TTL=125
  Reply from 192.168.10.216: bytes=32 time=123ms TTL=125
  Reply from 192.168.10.216: bytes=32 time=123ms TTL=125
Line 167: Line 171:
Client 2 to Client 3
Client 2 to Client 3


  Pinging 192.168.30.178 with 32 bytes of data:
  Pinging 192.168.30.178 from 192.168.20.193 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
Line 175: Line 179:
Client 3 to Client 1
Client 3 to Client 1


  Pinging 192.168.10.216 with 32 bytes of data:
  Pinging 192.168.10.216 from 192.168.30.178 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
Line 183: Line 187:
Client 3 to Client 2
Client 3 to Client 2


  Pinging 192.168.20.193 with 32 bytes of data:
  Pinging 192.168.20.193 from 192.168.30.178 with 32 bytes of data:
  Request timed out.
  Request timed out.
  Request timed out.
  Request timed out.
Line 191: Line 195:
And server can reach all of the clients and their LAN subnets
And server can reach all of the clients and their LAN subnets


  Pinging 192.168.10.216 with 32 bytes of data:
  Pinging 192.168.10.216 from 192.168.5.114 with 32 bytes of data:
  Reply from 192.168.5.114: bytes=32 time=264ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=264ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=138ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=138ms TTL=62
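Review bot: the server-side test output in this hunk (and in the two that follow) shows "Pinging 192.168.10.216 from 192.168.5.114" followed by "Reply from 192.168.5.114", i.e. the replies appear to come from the source address rather than from the pinged client; genuine output would read "Reply from 192.168.10.216". The capture looks hand-edited, so re-run the pings and paste the unmodified output so readers can trust the result.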
Line 198: Line 201:
  Reply from 192.168.5.114: bytes=32 time=107ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=107ms TTL=62
   
   
  Pinging 192.168.20.193 with 32 bytes of data:
  Pinging 192.168.20.193 from 192.168.5.114 with 32 bytes of data:
  Reply from 192.168.5.114: bytes=32 time=61ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=61ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=376ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=376ms TTL=62
Line 205: Line 207:
  Reply from 192.168.5.114: bytes=32 time=232ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=232ms TTL=62
   
   
  Pinging 192.168.30.178 with 32 bytes of data:
  Pinging 192.168.30.178 from 192.168.5.114 with 32 bytes of data:
  Reply from 192.168.5.114: bytes=32 time=226ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=226ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=327ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=327ms TTL=62
Line 214: Line 215:
<br>
<br>


<h1>See also</h1>
=See also=
 
<ul>
<ul>
<li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>
<li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>
Line 227: Line 229:




<h1>External links</h1>
=External links=


https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPNs
https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPN