Changes

600 bytes added , 9 April

Topology changes

Line 1: Line 1: −

−

The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.06.6'''] firmware version .

=Introduction=

−

~~----~~

+

Normally, OpenVPN Client access is controlled by enabling or disabling the Client to Client button in OpenVPN Servers configuration, however, at times, more granular control is required. In this example, we will configure an OpenVPN server with 3 Clients:

Line 13: Line 11:

</ul>

+

If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"

+

[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]

=Topology=

−

~~----~~

+

−

[[File:OpenVPN Topology v1.png|border|~~center~~|class=tlt-border]]

+

Line 24: Line 24:

<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>

</ul>

+

=Generating certificates for an OpenVPN server=

−

~~=Generating certificates for an OpenVPN server=~~

+

Navigate to '''System → Administration → Certificates → Generate Certificate'''

−

~~----~~

+

−

Navigate to '''System -> Administration -> Certificates'''

+

Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:

−

&emsp; 1. ~~Generate 2 certificates . Recommended key size is at least '''2048 bits''' for security reasons:~~

+

&emsp;1. CA

−

&emsp;~~&emsp; 1~~.~~1. CA~~

+

&emsp;2. Server

−

~~&emsp;&emsp; 1~~.~~2 Server~~

+

In Certificate Manager download Server certificate.

−

~~&emsp; 2.In~~ Certificate ~~Manager~~ download ~~Server certificate~~

+

+

For any OpenVPN clients, You will need to generate “'''Client'''” certificates, download the certificate and key, and send them to the client

There are multiple methods of how certificates could be generated, you could follow this tutorial instead:

[[How to generate TLS certificates (Windows)?]]

−

~~[[File:Certificate download v3.png|none|border|left|class=tlt-border]]~~

−

~~For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client~~

−

=Creating an OpenVPN server=

−

~~Connect to WebUI and enable Advanced mode~~

+

Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Server role''' with these settings:

−

~~[[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]]~~

−

Navigate to '''Services -> VPN -> OpenVPN'''

−

~~&emsp; 1~~. Add a new OpenVPN instance with a Server role

−

~~&emsp; 2. Create an OpenVPN server~~ with these settings

−

~~[[File:OpenVPN server settings v3.png|none|thumb|alt=|1000x1000px]]~~

−

~~1) Client to client – disabled~~

+

[[File:OpenVPN server settings v3.png|none|border|left|class=tlt-border]]

−

~~2) Virtual network IP address~~ – ~~10.0.0.0~~

+

1 - Client to client – disabled

−

3) Virtual network ~~netmask~~ – ~~255~~.~~255~~.~~255~~.~~224~~

+

2 - Virtual network IP address – 10.0.0.0

−

~~4) Certificate files from device~~ - on

+

3 - Virtual network netmask – 255.255.255.224

+

4 - Certificate files from device - on

−

~~Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online~~

−

~~[[File:~~OpenVPN server is online v2.~~png|none|border|left|class=tlt-border]]~~

+

Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online.

+

=Connecting clients to the OpenVPN server=

−

~~----~~

−

~~Navigate to '''Services -> VPN -> OpenVPN'''~~

−

~~&emsp; 1. Add a new OpenVPN instance with a Client role~~

−

~~&emsp; 2~~. ~~Create an~~ OpenVPN ~~client~~ with these settings

+

Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Client role''' with these settings:

[[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]

+

&emsp;&emsp; 1 - '''Remote host/IP address''' - Public IP of the OpenVPN server's router

−

&emsp;&emsp; 1) Remote ~~host/~~IP address - ~~Public IP of the OpenVPN server's router~~

+

&emsp;&emsp; 2 - '''Remote network IP address''' - 10.0.0.0

−

&emsp;&emsp; 2) Remote network ~~IP address~~ - 10.0.0.0

+

&emsp;&emsp; 3 - '''Remote network netmask''' - 255.255.255.224

−

&emsp;&emsp; ~~3) Remote network netmask~~ - ~~255.255.255~~.~~224~~

+

&emsp;&emsp; 4 - '''Add the certificates from the OpenVPN server''' - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step.

−

~~&emsp;&emsp; 4) Add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step~~

+

Press "'''Save & Apply'''", enable OpenVPN client, and check if the connection is made

−

~~&emsp; 4~~. ~~Press "Save & Apply", enable OpenVPN client and check if the connection is made~~

+

−

~~[[File:OpenVPN Client1 connected v2~~.~~png|none|border|left|class~~=~~tlt-border]]~~

+

Repeat this step for as many clients as You need. For this example, we will have 3 clients.

+

=Client to Client LAN network communication=

+

==TLS Clients==

−

~~Repeat this step for as many~~ clients as You ~~need. For this example~~, we ~~will have~~ 3 clients

+

On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add '''TLS clients''' which LAN address You want to have access to, in our case, we add all 3 clients:

−

+

===TLS Client 1===

−

=Client ~~to Client LAN network communication~~=

+

----

+

[[File:TLS Client1 v3.png|none|border|left|class=tlt-border]]

+

===TLS Client 2===

----

−

==TLS ~~Clients~~==

+

[[File:TLS Client2 v3.png|none|border|left|class=tlt-border]]

+

===TLS Client 3===

----

+

[[File:TLS Client3 v3.png|none|border|left|class=tlt-border]]

+

<ul>

+

<li>'''Common name''' - common name of the certificate which was generated previously</li>

+

<li>'''Virtual local endpoint''' - client’s local address in the virtual network</li>

+

<li>'''Virtual remote endpoint''' - client’s remote address in the virtual network</li>

+

<li>'''Private network''' - client's LAN subnet</li>

+

<li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>

+

</ul>

+

==Firewall Zones==

−

~~&emsp; 1. On the~~ OpenVPN ~~server router, navigate to~~ '''~~Services -> VPN -> OpenVPN~~'''~~, Press "~~'~~''Edit'''" on the server, scroll down and add TLS clients~~

+

This step should be done on OpenVPN '''server and all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.

−

~~Add clients which LAN address You want~~ to ~~have access~~ to~~, in our case, we add all 3 clients~~

+

Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.

−

[[File:~~TLS Client 1~~ v2.png|none|~~thumb~~|~~alt~~=|~~1000x1000px~~]]

+

−

~~[[File:TLS Client 2.png|none|thumb|alt~~=~~|1000x1000px]]~~

+

==Routes to LAN subnets==

−

~~[[File:TLS Client 3.png|none|thumb|alt~~=~~|1000x1000px]]~~

+

Create a route to other client LAN networks using WebUI. This step should be done on '''all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.

−

~~<ul>~~

−

~~<li>Common name - common name of the certificate which was generated previously</li>~~

−

~~<li>Virtual local endpoint - client’s local address in the virtual network</li>~~

−

~~<li>Virtual remote endpoint - client’s remote address in the virtual network</li>~~

−

~~<li>Private network - client's LAN subnet</li>~~

−

~~<li>Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>~~

−

~~</ul>~~

−

~~==Firewall Zones==~~

+

Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets.

−

----

−

~~This step should be done on~~ OpenVPN server ~~and all~~ clients ~~that want their LAN subnets be accessible and to access other~~ client~~'s LAN subnets~~

+

(In some cases, pushing routes to LAN addresses from the OpenVPN server to clients, breaks routing on the clients, so doing it from the client side is safer, but more time consuming)

−

~~&emsp; Navigate to '''Network -> Firewall -> General settings~~ -~~> Zones''' and set OpenVPN zone to forward traffic to LAN~~

+

[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]

+

=Controlling access with firewall=

−

~~[[File:OpenVPN~~ to LAN ~~zone forward~~.~~png|none|thumb|alt=|1000x1000px]]~~

+

Navigate to '''Network -> Firewall -> Access Control''' and create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks.

+

[[File:Deny Client3 rule v2.png|none|border|left|class=tlt-border]]

−

~~==Routes to LAN subnets==~~

+

&emsp;&emsp; 1 - '''Protocol''' - All protocols

−

----

−

~~Create a route to other client LAN networks using WebUI. This step should be done on all clients that want their LAN subnets be accessible and to access other client~~'~~s LAN subnets~~

+

&emsp;&emsp; 2 - '''Source zone''' - OpenVPN

−

&emsp; ~~1. Navigate to '''Services~~ -~~> VPN -> OpenVPN~~''' ~~press~~ '''~~"Edit"''' on the~~ OpenVPN ~~client~~ and ~~add routes to other~~ client ~~LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client~~ 3~~'s (192.168.30.0/24) LAN subnets.~~

+

&emsp;&emsp; 3 - '''Source IP''' - OpenVPN remote IP and LAN subnet of client 3

−

~~[[File:~~OpenVPN ~~client routes.png|none|thumb|alt=|1000x1000px]]~~

+

&emsp;&emsp; 4 - '''Destination zone''' - OpenVPN

−

~~=Controlling access with firewall=~~

+

&emsp;&emsp; 5 - '''Destination address''' - other client OpenVPN remote endpoints and LAN subnets

−

----

−

~~Navigate to~~ '''~~Network -> Firewall -> Access Control~~''' ~~and create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks~~

+

&emsp;&emsp; 6 - '''Action''' - Deny

−

~~[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]~~

−

~~<ul>~~

+

This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.

−

~~<li>Source interface - OpenVPN</li>~~

+

=Testing the setup=

−

~~<li>Destination interface - OpenVPN</li>~~

−

~~<li>Source IP - OpenVPN remote IP and LAN subnet of client 3</li>~~

−

~~<li>Destination IP - other client OpenVPN remote endpoints and LAN subnets</li>~~

−

~~<li>Action - Deny</li>~~

−

~~</ul>~~

−

This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet

+

If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting:

−

~~=Testing the setup=~~

−

~~----~~

Client 1 to Client 2

Line 233: Line 216:

=See also=

−

~~----~~

<ul>

Line 248: Line 230:

=External links=

−

~~----~~

https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPN

Julius.lazdauskis

Administrators

92

edits

Namespaces

Variants

Views

More

Search

Changes

OpenVPN Access Control (view source)

Revision as of 14:55, 9 April 2024

Navigation menu

Personal tools

NAVIGATION

Tools

Categories