Changes

no edit summary
Line 140: Line 140:  
==Additional configuration==
 
==Additional configuration==
   −
This section will provide examples of some additional OpenVPN related configurations like how to reach another OpenVPN instance's private LAN or how to use an OpenVPN instance as a Proxy.
+
This section will provide examples of some additional OpenVPN-related configurations like how to reach another OpenVPN instance's private LAN or how to use an OpenVPN instance as a Proxy.
    
===Reaching a device's LAN network===
 
===Reaching a device's LAN network===
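Review bot: The revised intro sentence under "Additional configuration" still capitalises "Proxy" mid-sentence ("use an OpenVPN instance as a Proxy"). Since this edit is a copy-edit of that sentence, lowercase it to "proxy" in the same pass, unless it is meant as the name of a WebUI option.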
Line 148: Line 148:  
====Server from Client====
 
====Server from Client====
 
----
 
----
To reach another OpenVPN instance's LAN network, you have to have a '''route''' to that network with the '''Virtual remote endpoint''' as the ''' gateway. You can add '''Static routes''' via command line, but these routes are removed automatically when router reboots or when connection goes down even if only for a moment. To solve this, you add permanent static routes via the router's WebUI in the '''[[Routing#Static_Leases|Network → Routing → Static Routes]]''' page. But this method is also not foolproof since it means that if an address ever changes, you would have to also modify the static route on all related devices. '''
+
To reach another OpenVPN instance's LAN network, you have to have a '''route''' to that network with the '''Virtual remote endpoint''' as the ''' gateway. You can add '''Static routes''' via the command line, but these routes are removed automatically when the router reboots or when the connection goes down even if only for a moment. To solve this, you add permanent static routes via the router's WebUI in the '''[[Routing#Static_Leases|Network → Routing → Static Routes]]''' page. But this method is also not foolproof since it means that if an address ever changes, you would have to also modify the static route on all related devices. '''
 
----
 
----
 
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:
 
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:
 +
 +
[[File:Networking rut configuration openvpn route v1.jpg|alt=|border|class=tlt-border]]
 +
 +
As you can see, the two fields in question are '''Remote network IP address''' and '''Remote network IP netmask'''. The values placed in these fields specify the Server's LAN address and having them filled will automatically add the necessary route into the routing table when the OpenVPN connection goes up. However, if your OpenVPN Server has multiple Clients, you would need to do this for all of them. If that is the case, use this next method.
 +
----
 +
Even another method is pushing the necessary routes via the OpenVPN Server. This method is the most foolproof because it will generate a route to the Server's private network for all connecting Clients. Therefore, in case of configuration changes you would only have to edit one field in the Server's configuration instead of having to edit all of the Clients' configurations.
 +
 +
To accomplish this, go to OpenVPN Server's configuration window and locate the '''Push option''' field. Let's say that the Server's LAN IP address is 192.168.1.1. In this case use the line '''route 192.168.1.0 255.255.255.0'''
 +
 +
[[File:Networking rutxxx configuration ovpn push settings v1.jpg|alt=|border|class=tlt-border]]
 +
 +
Modify the information so that it reflects your own configuration. Do not specify the gateway, because the command will not work. The correct gateway will be assigned automatically.
 +
 +
====Clients from Server====
 +
----
 +
Reaching OpenVPN Clients' private networks from the Server is a bit trickier than the opposite, because in order to do so the Server has to be aware of the different specific addresses and Common Names of specific Clients.
 +
 +
To accomplish this, we can use the '''TLS Clients''' function. TLS Clients is a way to more specifically differentiate Clients by their Common Name (CN) found in the client certificate file. It can be used to assign specific VPN addresses to specific Clients and bind them to their LAN addresses so that other devices in the Client‘s LAN can be reached from the Server.
 +
 +
In other words, TLS Clients binds Common Names (found in Client certificates) to Clients' private networks. If the certificate hasn't been tampered with in any after generation, the Common name should be the same as the file name (without the file type extension). For example, a certificate called '''client1.crt''' will likely have the Common Name of '''client1'''. But just to be sure you can open the certificate and check:
 +
 +
[[File:Checking common name.png|alt=|border|class=tlt-border]]
 +
 +
Once you know the Common Names and LAN IP Addresses of your OpenVPN Clients, you can create TLS Clients instances for each of them:
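Review bot: In the rewritten paragraph beginning "To reach another OpenVPN instance's LAN network", the bold markup is still unbalanced: the ''' before "gateway" has no closing partner until the stray ''' after "all related devices.", which inverts every bold toggle in between. Suggest "as the '''gateway'''." and dropping the trailing '''. In the same paragraph the link target is Routing#Static_Leases while its label reads "Network → Routing → Static Routes", so check that the anchor points at the static routes section. In the added "Clients from Server" text, "hasn't been tampered with in any after generation" is missing a word ("in any way"). Because TLS Clients binds a client's private network to the Common Name, the text would be safer telling readers to always read the CN from the certificate itself instead of presenting the file name as the expected value. Smaller points: "Even another method" reads better as "Yet another method", "Common name" should match the "Common Name" capitalisation used elsewhere, and "Client‘s" uses an opening quotation mark in place of the apostrophe.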