Template:Networking rutos manual vpn: Difference between revisions
Revision as of 17:19, 28 March 2022
Gytispieze (talk | contribs) No edit summary
Line 30: | Line 30: | ||
To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields: | To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields: | ||
[[File: | [[File:Networking_trb2_vpn_openvpn_client_configuration_v3.png|border|class=tlt-border|]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
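Review bot: the new screenshot name `Networking_trb2_vpn_openvpn_client_configuration_v3.png` hard-codes the TRB2 series into a template that is otherwise series-agnostic (the L2TP client row further down switches on `{{{series}}}`, and the OpenVPN server screenshot a few hunks below is `Networking_rutx_vpn_openvpn_server_configuration_v3.png`); use a series-neutral file name or the same parameter so one template does not show a TRB2 screenshot to RUTX readers.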
Line 102: | Line 102: | ||
<td>Yes {{!}} No {{!}} None; default: <b>None</b></td> | <td>Yes {{!}} No {{!}} None; default: <b>None</b></td> | ||
<td>Turns LZO data compression on or off.</td> | <td>Turns LZO data compression on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Authentication</td> | <td>Authentication</td> | ||
<td> | <td>Static key {{!}} TLS {{!}} TLS/Password {{!}} Password ; default: <b>Static key</b></td> | ||
<td>Authentication mode, used to secure data sessions. | <td>Authentication mode, used to secure data sessions. | ||
<ul> | <ul> | ||
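Review bot: stray space before the semicolon in the new value list ("Password ;" should read "Password;"). The list now offers a standalone `Password` mode, so make sure the mode descriptions in the `<ul>` that follows cover it the way the server table does with `<li><b>Password</b> is a simple username/password based authentication …</li>`.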
Line 125: | Line 120: | ||
</ul> | </ul> | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td>Encryption</td> | |||
<td>DES-CBC 64 {{!}} RC2-CBC 128 {{!}} DES-EDE-CBC 128 {{!}} DES-EDE3-CBC 192 {{!}} DESX-CBC 192 {{!}} BF-CBC 128 {{!}} RC2-40-CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-40CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-64-CBC 64{{!}} AES-128-CBC 128 {{!}} AES-192-CBC 192 {{!}} AES-256-CBC 256 {{!}} none; default: <b>BF-CBC 128</b></td> | |||
<td>Algorithm used for packet encryption.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
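Review bot: the cipher list has duplicated and inconsistently spelled entries ("RC2-40-CBC 40 {{!}} CAST5-CBC 128" appears twice, the second time as "RC2-40CBC 40", and "RC2-64-CBC 64{{!}}" is missing its space), and the chosen default `BF-CBC 128` is a 64-bit-block cipher that OpenVPN has deprecated because long-lived tunnels become exposed to birthday-bound (SWEET32-style) attacks. Dedupe the list, default to `AES-256-CBC 256`, and extend "Algorithm used for packet encryption." with a note that the value must match the server's cipher and that BF-CBC is kept only for compatibility with old peers.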
Line 172: | Line 172: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication algorithm</td> | |||
<td>none {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>SHA1</b></td> | |||
<td>HMAC authentication algorithm type.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: #0054a6;">Password:</span> | <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Additional HMAC authentication</td> | ||
<td> | <td>off {{!}} on; default: <b>off</b></td> | ||
<td> | <td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Extra options</td> | <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication key</td> | ||
<td>string; default: <b>none</b></td> | <td>.key file; default: <b>none</b></td> | ||
<td>Extra OpenVPN options to be used by the OpenVPN instance.</td> | <td>Uploads an HMAC authentication key file.</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC key direction</td> | |||
<td>0 {{!}} 1 {{!}} none; default: <b>1</b></td> | |||
<td>The value of the key direction parameter should be complementary on either side (client and server) of the connection. If one side uses <i>0</i>, the other side should use <i>1</i>, or both sides should omit the parameter altogether.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: #0054a6;">Password:</span> User name</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Username used for authentication to the OpenVPN server.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: #0054a6;">Password:</span> Password</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Password used for authentication to the OpenVPN server.</td> | |||
</tr> | |||
<tr> | |||
<td>Extra options</td> | |||
<td>string; default: <b>none</b></td> | |||
<td>Extra OpenVPN options to be used by the OpenVPN instance.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
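Review bot: the HMAC authentication algorithm row allows `none`, but its description ("HMAC authentication algorithm type.") does not say that choosing it disables per-packet integrity protection on the data channel; say so explicitly, state that the value must match the server's setting, and consider `SHA256` rather than `SHA1` as the default. In the same hunk the `Password: User name` and `Password: Password` rows are labelled for Password mode only, yet the `TLS/Password` mode added to the Authentication list above also needs a username and password, so those two labels should use the `TLS/Password` marking like the HMAC rows above them.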
Line 192: | Line 212: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Certificate authority</td> | |||
<td>.ca file; default: <b>none</b></td> | |||
<td>Certificate authority is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: red;">TLS:</span> Client certificate</td> | |||
<td>.crt file; default: <b>none</b></td> | |||
<td><span style="color: red;">TLS:</span> Client certificate</td> | |||
<td>.crt file; default: <b>none</b></td> | |||
<td>Client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server. Client certificates play a key role in many mutual authentication designs, providing strong assurances of a requester's identity.</td> | <td>Client certificate is a type of digital certificate that is used by client systems to make authenticated requests to a remote server. Client certificates play a key role in many mutual authentication designs, providing strong assurances of a requester's identity.</td> | ||
</tr> | </tr> | ||
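Review bot: the Certificate authority description explains what a CA is in general but not what the field does; replace it with something like "CA certificate used to verify the server's certificate; required for TLS and TLS/Password modes." The value type `.ca file` is also not a conventional extension for a CA certificate (these are normally `.crt` or `.pem`, as the client certificate row already uses), so check that the upload filter accepts those. Dropping the duplicated `TLS: Client certificate` / `.crt file` cells from the old revision is correct; the row now has the expected three cells.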
Line 258: | Line 258: | ||
To begin configuration, click the button that looks like a pencil next to the server instance. Refer to the figure and table below for information on the OpenVPN server's configuration fields: | To begin configuration, click the button that looks like a pencil next to the server instance. Refer to the figure and table below for information on the OpenVPN server's configuration fields: | ||
[[File: | [[File:Networking_rutx_vpn_openvpn_server_configuration_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 294: | Line 294: | ||
<li><b>User Datagram Protocol</b> (<b>UDP</b>) - packets are sent to the recipient without error-checking or back-and-forth quality control, meaning that when packets are lost, they are gone forever. This makes it less reliable but faster than TCP; therefore, it should be used when transfer speed is crucial (for example, video streaming, live calls).</li> | <li><b>User Datagram Protocol</b> (<b>UDP</b>) - packets are sent to the recipient without error-checking or back-and-forth quality control, meaning that when packets are lost, they are gone forever. This makes it less reliable but faster than TCP; therefore, it should be used when transfer speed is crucial (for example, video streaming, live calls).</li> | ||
</ul> | </ul> | ||
</td> | </td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 305: | Line 305: | ||
<td>Yes {{!}} No {{!}} None; default: <b>None</b></td> | <td>Yes {{!}} No {{!}} None; default: <b>None</b></td> | ||
<td>Turns LZO data compression on or off.</td> | <td>Turns LZO data compression on or off.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Authentication</td> | <td>Authentication</td> | ||
<td> | <td>Static key {{!}} TLS {{!}} TLS/Password {{!}} Password ; default: <b>Static key</b></td> | ||
<td>Authentication mode, used to secure data sessions. | <td>Authentication mode, used to secure data sessions. | ||
<ul> | <ul> | ||
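Review bot: same stray space before the semicolon as in the client table ("Password ;" should be "Password;"); fix both copies together.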
Line 324: | Line 319: | ||
</ul>All mentioned certificates can be generated using OpenVPN or Open SSL utilities on any type of host machine. One of the most popular utilities used for this purpose is called Easy-RSA. | </ul>All mentioned certificates can be generated using OpenVPN or Open SSL utilities on any type of host machine. One of the most popular utilities used for this purpose is called Easy-RSA. | ||
</li> | </li> | ||
<li><b>Password</b> is a simple username/password based authentication where the owner of the OpenVPN server provides the login data.</li> | |||
<li><b>TLS/Password</b> uses both TLS and username/password authentication.</li> | <li><b>TLS/Password</b> uses both TLS and username/password authentication.</li> | ||
</ul> | </ul> | ||
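Review bot: "Open SSL" in the sentence after the `</ul>` should be "OpenSSL" (one word, the product name), and in the new bullet "username/password based authentication" wants a hyphen ("username/password-based").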
Line 329: | Line 325: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: purple;">Static key:</span> Local tunnel endpoint IP</td> | <td>Encryption</td> | ||
<td>DES-CBC 64 {{!}} RC2-CBC 128 {{!}} DES-EDE-CBC 128 {{!}} DES-EDE3-CBC 192 {{!}} DESX-CBC 192 {{!}} BF-CBC 128 {{!}} RC2-40-CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-40CBC 40 {{!}} CAST5-CBC 128 {{!}} RC2-64-CBC 64{{!}} AES-128-CBC 128 {{!}} AES-192-CBC 192 {{!}} AES-256-CBC 256 {{!}} none; default: <b>BF-CBC 128</b></td> | |||
<td>Algorithm used for packet encryption.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: purple;">Static key:</span> Local tunnel endpoint IP</td> | |||
<td>ip; default: <b>none</b></td> | <td>ip; default: <b>none</b></td> | ||
<td>IP address of the local OpenVPN network interface.</td> | <td>IP address of the local OpenVPN network interface.</td> | ||
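Review bot: this is the same cipher list as the client table, with the same duplicated `RC2-40-CBC 40 {{!}} CAST5-CBC 128` pair, the `RC2-40CBC` misspelling and the missing space in `RC2-64-CBC 64{{!}}`, and it inherits the weak `BF-CBC 128` default; whatever dedupe and default change is made on the client side has to be mirrored here, since client and server ciphers must match.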
Line 394: | Line 395: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: #0054a6;">TLS/Password:</span> | <td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication algorithm</td> | ||
<td> | <td>none {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>SHA1</b></td> | ||
<td> | <td>HMAC authentication algorithm type.</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Additional HMAC authentication</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication key</td> | |||
<td>.key file; default: <b>none</b></td> | |||
<td>Uploads an HMAC authentication key file.</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC key direction</td> | |||
<td>0 {{!}} 1 {{!}} none; default: <b>1</b></td> | |||
<td>The value of the key direction parameter should be complementary on either side (client and server) of the connection. If one side uses <i>0</i>, the other side should use <i>1</i>, or both sides should omit the parameter altogether.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><span style="color: #0054a6;">TLS/Password:</span> | <td><span style="color: #0054a6;">TLS/Password:</span>Usernames & Passwords</td> | ||
<td> | <td>text file; default: <b>none</b></td> | ||
<td> | <td>File containing usernames and passwords against which the server can authenticate clients. Each username and password pair should be placed on a single line and separated by a space.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
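Review bot: the `Usernames & Passwords` row is labelled `TLS/Password:` only, but the Authentication list above now offers a standalone `Password` mode, so either label the row for both modes (using the split `<span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span>` convention the HMAC rows in this hunk use) or document where Password-only mode gets its credentials. `</span>Usernames` is also missing a space before the label text, and since the file-format sentence describes plaintext username/password pairs, add that the file should be protected like a key file.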
Line 508: | Line 524: | ||
To begin configuration, click the button that looks like a pencil located next to the instance. Refer to the figure and table below for information on the fields located in the GRE instance configuration section. | To begin configuration, click the button that looks like a pencil located next to the instance. Refer to the figure and table below for information on the fields located in the GRE instance configuration section. | ||
[[File: | [[File:Networking_rutx_vpn_gre_gre_configuration_main_settings_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 523: | Line 539: | ||
<tr> | <tr> | ||
<td>Tunnel source</td> | <td>Tunnel source</td> | ||
<td>network interface; default: <b> | <td>network interface; default: <b>LAN</b></td> | ||
<td>Network interface used to establish the GRE Tunnel.</td> | <td>Network interface used to establish the GRE Tunnel.</td> | ||
</tr> | </tr> | ||
Line 533: | Line 549: | ||
<tr> | <tr> | ||
<td>MTU</td> | <td>MTU</td> | ||
<td>integer; default: <b>1476</b></td> | <td>integer [68..9200]; default: <b>1476</b></td> | ||
<td>Sets the maximum transmission unit (MTU) size. It is the largest size of a protocol data unit (PDU) that can be transmitted in a single network layer transaction.</td> | <td>Sets the maximum transmission unit (MTU) size. It is the largest size of a protocol data unit (PDU) that can be transmitted in a single network layer transaction.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
Line 553: | Line 564: | ||
<tr> | <tr> | ||
<td>Path MTU Discovery</td> | <td>Path MTU Discovery</td> | ||
<td>off {{!}} on; default: <b> | <td>off {{!}} <span style="color:blue">on</span>; default: <b>off</b></td> | ||
<td>When unchecked, sets the <i>nopmtudisc</i> option for tunnel. Can not be used together with the TTL option.</td> | <td>When unchecked, sets the <i>nopmtudisc</i> option for tunnel. Can not be used together with the TTL option.</td> | ||
</tr> | |||
<tr> | |||
<td><span style="color:blue">TTL</span></td> | |||
<td>integer [0..255]; default: <b>255</b></td> | |||
<td>Sets a custom TTL (Time to Live) value for encapsulated packets. TTL is a field in the IP packet header which is initially set by the sender and decreased by 1 on each hop. When it reaches 0 it is dropped and the last host to receive the packet sends an ICMP "Time Exceeded" message back to the source.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Keep alive</td> | <td>Keep alive</td> | ||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} <span style="color:red">on</span>; default: <b>off</b></td> | ||
<td>Turns "keep alive" on or off. The "keep alive" feature sends packets to the remote instance in order to determine the health of the connection. If no response is received, the device will attempt to re-establish the tunnel.</td> | <td>Turns "keep alive" on or off. The "keep alive" feature sends packets to the remote instance in order to determine the health of the connection. If no response is received, the device will attempt to re-establish the tunnel.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Keep alive interval</td> | <td><span style="color:red">Keep alive interval</span></td> | ||
<td>integer [0..255]; default: <b>none</b></td> | <td>integer [0..255]; default: <b>none</b></td> | ||
<td>Frequency (in seconds) at which "keep alive" packets are sent to the remote instance.</td> | <td>Frequency (in seconds) at which "keep alive" packets are sent to the remote instance.</td> | ||
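Review bot: the Path MTU Discovery description ("Can not be used together with the TTL option") reads as though PMTU discovery conflicts with TTL, yet the new TTL row is coloured blue, i.e. shown only when Path MTU Discovery is on. What actually conflicts is `nopmtudisc` with a fixed TTL, so reword to something like "When off, sets the nopmtudisc option on the tunnel; a custom TTL can only be set while this is on." The TTL range `[0..255]` should also say what 0 means (packets inherit the inner TTL), since the description only covers decrementing non-zero values.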
Line 632: | Line 648: | ||
<tr> | <tr> | ||
<td>Authentication method</td> | <td>Authentication method</td> | ||
<td>Pre-shared key {{!}} X.509; default: <b>Pre-shared key</b></td> | <td>Pre-shared key {{!}} X.509 {{!}} EAP; default: <b>Pre-shared key</b></td> | ||
<td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td> | <td>Specify authentication method. Choose between Pre-shared key and X.509 certificates.</td> | ||
</tr> | </tr> | ||
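Review bot: `EAP` was added to the value list but the description still says "Choose between Pre-shared key and X.509 certificates."; update it to cover all three and say whether EAP is restricted to one IKE version, the way the secrets table below already notes that XAUTH is IKEv1-only.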
Line 640: | Line 656: | ||
<td>A shared password used for authentication between IPsec peers before a secure channel is established.</td> | <td>A shared password used for authentication between IPsec peers before a secure channel is established.</td> | ||
</tr> | </tr> | ||
<!-- removed on 7.0, to return | <!-- removed on 7.0, to return in the future <tr> | ||
<td><span style="color:darkred">Certificate files from device</span></td> | <td><span style="color:darkred">Certificate files from device</span></td> | ||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} on; default: <b>off</b></td> | ||
Line 716: | Line 732: | ||
<tr> | <tr> | ||
<td>Type</td> | <td>Type</td> | ||
<td> | <td>PSK {{!}} XAUTH {{!}} EAP {{!}} RSA; default: <b>PSK</b></td> | ||
<td>IPSec secret type.</br><b>NOTE:</b> XAUTH secrets are IKEv1 only.</td> | <td>IPSec secret type.</br><b>NOTE:</b> XAUTH secrets are IKEv1 only.</td> | ||
</tr> | </tr> | ||
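Review bot: `</br>` in the Type description is not valid HTML (`br` has no closing form); use `<br>`. With `EAP` and `RSA` added to the secret types, the NOTE should also state which IKE version each new type applies to, as it already does for XAUTH.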
Line 759: | Line 775: | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_vpn_ipsec_connection_settings_general_settings_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 811: | Line 827: | ||
</ul> | </ul> | ||
</td> | </td> | ||
</tr> | |||
<tr> | |||
<td>Enable XAUTH</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | |||
<td>Enables XAUTH authentication before allowing access for remote users.</td> | |||
</tr> | </tr> | ||
</table> | </table> | ||
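Review bot: the new `Enable XAUTH` row carries no IKE-version caveat although the secrets table says "XAUTH secrets are IKEv1 only"; repeat that restriction here (or show the row only when IKEv1 is selected) so a user on IKEv2 does not enable an option that cannot take effect.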
Line 1,485: | Line 1,506: | ||
<tr> | <tr> | ||
<td>Tunnel source</td> | <td>Tunnel source</td> | ||
<td>network interface; default: <b> | <td>network interface; default: <b>LAN</b></td> | ||
<td>Network interface used to establish the GRE Tunnel.</td> | <td>Network interface used to establish the GRE Tunnel.</td> | ||
</tr> | </tr> | ||
Line 1,560: | Line 1,581: | ||
<tr> | <tr> | ||
<td>DH/PFS group</td> | <td>DH/PFS group</td> | ||
<td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521; default: <b> | <td>MODP768 {{!}} MODP1024 {{!}} MODP1536 {{!}} MODP2048 {{!}} MODP3072 {{!}} MODP4096 {{!}} ECP192 {{!}} ECP224 {{!}} ECP256 {{!}} ECP384 {{!}} ECP521; default: <b>MODP1024</b></td> | ||
<td>Diffie-Hellman (DH) group used in the key exchange process. Higher group numbers provide more security, but take longer and use more resources to compute the key. Must match with another incoming connection to establish IPSec. </td> | <td>Diffie-Hellman (DH) group used in the key exchange process. Higher group numbers provide more security, but take longer and use more resources to compute the key. Must match with another incoming connection to establish IPSec. </td> | ||
</tr> | </tr> | ||
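Review bot: `MODP1024` as the default DH/PFS group is a 1024-bit group that is widely regarded as too weak for new deployments (it is in the range targeted by the Logjam precomputation attacks); default to `MODP2048` or `ECP256` and keep MODP768/MODP1024 only for interoperability with old peers. The description's "Must match with another incoming connection to establish IPSec" is also awkward; "Must match the group configured on the remote peer" says what is meant.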
Line 1,586: | Line 1,607: | ||
<tr> | <tr> | ||
<td>NHRP network ID</td> | <td>NHRP network ID</td> | ||
<td>integer; default: <b> | <td>integer; default: <b>none</b></td> | ||
<td>An identifier used to define the NHRP domain. This is a local parameter and its value does not need to match the values specified on other domains. However, the NHRP ID is added to packets which arrive on the GRE interface; therefore, it may be helpful to use the same ID for troubleshooting purposes.</td> | <td>An identifier used to define the NHRP domain. This is a local parameter and its value does not need to match the values specified on other domains. However, the NHRP ID is added to packets which arrive on the GRE interface; therefore, it may be helpful to use the same ID for troubleshooting purposes.</td> | ||
</tr> | </tr> | ||
Line 1,596: | Line 1,617: | ||
<tr> | <tr> | ||
<td>NHRP hold time</td> | <td>NHRP hold time</td> | ||
<td>integer; default: <b> | <td>integer; default: <b>none</b></td> | ||
<td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The hold time is specified in seconds and defaults to two hours.</td> | <td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The hold time is specified in seconds and defaults to two hours.</td> | ||
</tr> | </tr> | ||
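Review bot: the default is given as `none` while the description says the hold time "defaults to two hours"; make the two agree, e.g. "default: none (two hours, 7200 seconds, are used when the field is left empty)", so the reader knows what an empty field means.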
Line 1,605: | Line 1,626: | ||
In computer networking, <b>Layer 2 Tunneling Protocol</b> (<b>L2TP</b>) is a tunneling protocol used to support virtual private networks (VPNs). It is more secure than PPTP but, because it encapsulates the transferred data twice, but it is slower and uses more CPU power. | In computer networking, <b>Layer 2 Tunneling Protocol</b> (<b>L2TP</b>) is a tunneling protocol used to support virtual private networks (VPNs). It is more secure than PPTP but, because it encapsulates the transferred data twice, but it is slower and uses more CPU power. | ||
===L2TP | ===L2TP Global Settings=== | ||
---- | |||
[[File:Networking_rutos_manual_vpn_l2tp_global_settings_v1.png|border|class=tlt-border]] | |||
<table class="nd-mantable"> | |||
<tr> | |||
<th>Field</th> | |||
<th>Value</th> | |||
<th>Description</th> | |||
</tr> | |||
<tr> | |||
<td>Require CHAP</td> | |||
<td>off {{!}} on; default: <b>on</b></td> | |||
<td>When enabled, peer will be required to authenticate itself using standard CHAP authentication.</td> | |||
</tr> | |||
<tr> | |||
<td>Refuse PAP</td> | |||
<td>off {{!}} on; default: <b>on</b></td> | |||
<td>When enabled, pppd will not agree to authenticate itself to the peer using Password Authentication Protocol (PAP).</td> | |||
</tr> | |||
</table> | |||
===L2TP Client=== | |||
---- | ---- | ||
An <b>L2TP client</b> is an entity that initiates a connection to an L2TP server. To create a new client instance, go to the <i>Services → VPN → L2TP</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add' button. An L2TP client instance with the given name will appear in the "L2TP Configuration" list. | An <b>L2TP client</b> is an entity that initiates a connection to an L2TP server. To create a new client instance, go to the <i>Services → VPN → L2TP</i> section, select <i>Role: Client</i>, enter a custom name and click the 'Add' button. An L2TP client instance with the given name will appear in the "L2TP Configuration" list. | ||
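Review bot: the L2TP intro above the new Global Settings table has a duplicated conjunction: "It is more secure than PPTP but, because it encapsulates the transferred data twice, but it is slower" should read "It is more secure than PPTP but, because it encapsulates the transferred data twice, it is slower and uses more CPU power." Since `Require CHAP` and `Refuse PAP` are pppd options, the new section should also say whether they apply to client instances, server instances, or both.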
Line 1,611: | Line 1,654: | ||
To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the L2TP client's configuration fields: | To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the L2TP client's configuration fields: | ||
[[File: | [[File:Networking_rutos_manual_vpn_l2tp_client_v1.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 1,640: | Line 1,683: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Default route</td> | <td>CHAP Secret</td> | ||
<td>string; default: <b>none</b></td> | |||
<td>A secret used for L2TP Tunnel Authentication.</td> | |||
</tr> | |||
<tr> | |||
<td>Default route</td> | |||
<td>off {{!}} on; default: <b>off</b></td> | <td>off {{!}} on; default: <b>off</b></td> | ||
<td>When turned on, this connection will become device default route. This means that all traffic directed to the Internet will go through the L2TP server and the server's IP address will be seen as this device's source IP to other hosts on the Internet.{{#ifeq:{{{series}}}|RUTX|<br><b>NOTE</b>: this can only be used when [[{{{name}}} Failover|Failover]] is turned off.}}</td> | <td>When turned on, this connection will become device default route. This means that all traffic directed to the Internet will go through the L2TP server and the server's IP address will be seen as this device's source IP to other hosts on the Internet.{{#ifeq:{{{series}}}|RUTX|<br><b>NOTE</b>: this can only be used when [[{{{name}}} Failover|Failover]] is turned off.}}</td> | ||
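Review bot: the new `CHAP Secret` row is labelled as a CHAP secret but described as "A secret used for L2TP Tunnel Authentication"; these are different mechanisms (PPP CHAP authenticates the PPP session, L2TP tunnel authentication is a separate shared secret on the tunnel itself), so say which one this field sets and whether it must equal the server's `CHAP Secret` field added later in this diff.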
Line 1,646: | Line 1,694: | ||
</table> | </table> | ||
===L2TP | ===L2TP Server=== | ||
---- | ---- | ||
An <b>L2TP server</b> is an entity that waits for incoming connections from L2TP clients. To create a new server instance, go to the <i>Services → VPN → L2TP</i> section, select <i>Role: Server</i>, enter a custom name and click the 'Add' button. An L2TP server instance with the given name will appear in the "L2TP Configuration" list. Only one L2TP server instance is allowed to be added. | An <b>L2TP server</b> is an entity that waits for incoming connections from L2TP clients. To create a new server instance, go to the <i>Services → VPN → L2TP</i> section, select <i>Role: Server</i>, enter a custom name and click the 'Add' button. An L2TP server instance with the given name will appear in the "L2TP Configuration" list. Only one L2TP server instance is allowed to be added. | ||
Line 1,654: | Line 1,702: | ||
To begin configuration, click the button that looks like a pencil next to the server instance. Refer to the figure and table below for information on the L2TP server's configuration fields: | To begin configuration, click the button that looks like a pencil next to the server instance. Refer to the figure and table below for information on the L2TP server's configuration fields: | ||
[[File: | [[File:Networking_rutx_vpn_l2tp_server_configuration_v3.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 1,681: | Line 1,729: | ||
<td>ip; default: <b>192.168.0.30</b></td> | <td>ip; default: <b>192.168.0.30</b></td> | ||
<td>L2TP IP address leases will end with the address specified in this field.</td> | <td>L2TP IP address leases will end with the address specified in this field.</td> | ||
</tr> | |||
<tr> | |||
<td>Enable CHAP</td> | |||
<td>off {{!}} <span style="color:blue">on</span>; default: <b>user</b></td> | |||
<td>Enables Challenge-Handshake Authentication Protocol for L2TP</td> | |||
</tr> | |||
<tr> | |||
<td><span style="color:blue">CHAP Secret</span></td> | |||
<td>string; default: <b>user</b></td> | |||
<td>A secret used for L2TP Tunnel Authentication.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
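Review bot: `Enable CHAP` is an off/on switch but its default is given as `user`, and `CHAP Secret` also reads "default: user"; if the secret really ships as "user", that is a guessable default credential and should become `none` with the field marked required, otherwise both defaults are copy-paste errors and should read `off` and `none`. The Enable CHAP description is also missing its full stop.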
Line 1,768: | Line 1,826: | ||
<td>Must be specified in hexidecimal form and be length of 8 or 16. eg.: 89ABCDEF. It must match other end Cookie.</td> | <td>Must be specified in hexidecimal form and be length of 8 or 16. eg.: 89ABCDEF. It must match other end Cookie.</td> | ||
</tr> | </tr> | ||
</table> | </table> | ||
===Instance Settings=== | ===Instance Settings=== | ||
---- | ---- | ||
[[File: | [[File:Networking_rutos_vpn_l2tpv3_configuration_instance_settings_v2.png]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
<tr> | <tr> | ||
<th>Field</th> | <th>Field</th> | ||
<th>Value</th> | <th>Value</th> | ||
<th>Description</th> | <th>Description</th> | ||
</tr> | |||
<tr> | |||
<td>Bridge to</td> | |||
<td>None {{!}} LAN; default: <b>None</b></td> | |||
<td>Peer Endpoint IP address.</td> | |||
</tr> | |||
<tr> | |||
<td>IPv4 Address</td> | |||
<td>ip4; default: <b>none</b></td> | |||
<td>IPv4 address of standalone L2TPv3 interface.<td> | |||
</tr> | |||
<tr> | |||
<td>Netmask</td> | |||
<td>netmask; default: <b>255.255.255.0</b></td> | |||
<td>Netmask of standalone L2TPv3 interface. </td> | |||
</tr> | |||
<tr> | |||
<td>IPv6 Address</td> | |||
<td>ip6; default: <b>none</b></td> | |||
<td>IPv6 address of standalone L2TPv3 interface. CIDR notation: address/prefix.<td> | |||
</tr> | |||
<tr> | |||
<td>MTU</td> | |||
<td>integer [64..9000]; default: <b>none</b></td> | |||
<td>Sets the maximum transmission unit (MTU) size. It is the largest size of a protocol data unit (PDU) that can be transmitted in a single network layer transaction.</td> | |||
</tr> | |||
<tr> | |||
<td>Encapsulation</td> | |||
<td>IP {{!}} <span style="color:blue">UDP</span>; default: <b>IP</b></td> | |||
<td>Specify technology to use when connecting to other end.</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td><span style="color:blue">UDP source port</span></td> | ||
<td> | <td>port; default: <b>none</b></td> | ||
<td> | <td>Specifies source port.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td> | <td><span style="color:blue">UDP destination port</span></td> | ||
<td>port; default: <b>none</b></td> | |||
<td>Specifies destination port.</td> | |||
<td> | |||
<td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
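Review bot: two cells are never closed: `<td>IPv4 address of standalone L2TPv3 interface.<td>` and `<td>IPv6 address of standalone L2TPv3 interface. CIDR notation: address/prefix.<td>` both end with `<td>` instead of `</td>`, which adds an empty fourth cell to those rows. The `Bridge to` description ("Peer Endpoint IP address.") does not match its `None {{!}} LAN` values and should say the L2TPv3 interface is bridged into the LAN when LAN is selected. The UDP port descriptions ("Specifies source port." / "Specifies destination port.") should add that the peer must configure them mirrored (this side's source port is the other side's destination port), and "hexidecimal" in the Cookie context line should be "hexadecimal".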
Line 1,865: | Line 1,938: | ||
Private keys and generate them, specify Port and IP addresses for communication. | Private keys and generate them, specify Port and IP addresses for communication. | ||
[[File: | [[File:Networking_rutx_vpn_wireguard_instance_general_v2.png|border|class=tlt-border]] | ||
<table class="nd-mantable"> | <table class="nd-mantable"> | ||
Line 1,880: | Line 1,953: | ||
<tr> | <tr> | ||
<td>Private Key</td> | <td>Private Key</td> | ||
<td>string; default: <b> | <td>Base64-encoded string; default: <b>generated</b></td> | ||
<td>Private Key used in authentication.</td> | <td>Private Key used in authentication. Required.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td>Public Key</td> | <td>Public Key</td> | ||
<td>string; default: <b> | <td>Base64-encoded string; default: <b>generated</b></td> | ||
<td>Public Key used in authentication.</td> | <td>Public Key used in authentication.</td> | ||
</tr> | </tr> | ||
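Review bot: the Public Key row says "default: generated", but in WireGuard the public key is derived from the private key rather than generated independently; say "derived from the private key" so users do not enter a public key that does not match. The Private Key description, now that the value is auto-generated and "Required", should also note that it must be kept secret, since anyone holding it can impersonate this peer.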
Line 1,895: | Line 1,968: | ||
<tr> | <tr> | ||
<td>Listen Port</td> | <td>Listen Port</td> | ||
<td>integer [0..65535]; default: <b> | <td>integer [0..65535]; default: <b>51820</b></td> | ||
<td>Specify port to listen for incomming connections. It will be set to a random integer if left empty.</td> | <td>Specify port to listen for incomming connections. It will be set to a random integer if left empty.</td> | ||
</tr> | </tr> |
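Review bot: the Listen Port now defaults to `51820`, but the description still says "It will be set to a random integer if left empty."; the two now contradict each other, so state which applies. Also "incomming" should be "incoming".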