Openvpn naujas: Difference between revisions

OpenVPN configuration types

Before configuring anything you should first know what type of OpenVPN connection suits your needs the best. The key things to be considered here are the type of connection (TUN (tunnel) or TAP (bridged)), the data transfer protocol (User Datagram Protocol (UDP) or Transmission Control Protocol (TCP)), and the authentication type (TLS or Static key). Here is a short overview of the differences:

• Type
  • TUN (tunnel) - simulates a network layer device and it operates with layer 3 packets like IP packets. TUN is used for routing and connecting multiple clients to a single server.
  • TAP (bridged) - simulates a link layer device and it operates with layer 2 packets like Ethernet frames. TAP is used for creating a network bridge between two Ethernet segments in different locations.

• Protocol
  • UDP - is used by apps to deliver a faster stream of information by doing away with error-checking.
  • TCP - a suite of protocols used by devices to communicate over the Internet and most local networks. It provides apps a way to deliver (and receive) an ordered and error-checked stream of information packets over the network.

• Authentication
  • TLS - uses SSL/TLS + certificates for authentication and key exchange.
  • Static key - uses a pre-shared Static key. Can only be used between two peers.

Overviews of most of these types and variations are provided in this article. Concerning TCP vs UDP, we will be using UDP for all examples. Choosing between TCP and UDP doesn't affect the rest of the configuration, so you can still follow the given examples no matter which protocol you are using. Simply choose the one that suits your purposes.

TUN (tunnel) OpenVPN

TAP (bridged) OpenVPN

TLS Authentication

This section provides a guide on how to configure a successful OpenVPN connection between an OpenVPN Client and Server, using the TLS Authentication method on RUTxxx routers.

Generating TLS certificates/keys

A connection that uses TLS requires multiple certificates and keys for authentication:

• OpenVPN server
  • The root certificate file (Certificate Authority)
  • Server certificate
  • Server key
  • Diffie Hellman Parameters

• OpenVPN client
  • The root certificate file (Certificate Authority)
  • Client certificate
  • Client key

Before you continue you'll have to obtain the necessary certificates and keys. When you use a third-party OpenVPN service, they should provide you with their certificates and even configuration files.

If you're creating your server, you'll have to generate these files yourself. The most simple way to generate certificates is by navigating System → Administration → Certificates on WebUI and pressing the Generate button.

After devices has finished generating all the files, you can download them by navigating to System → Administration → Certificates → Certificates Manager and pressing the Export button next to the required files.

To get detailed instructions on how to generate TLS certificates and keys on RUTOS devices, check out our article on the topic of TLS Certificates.

Configuration

Now we can start configuring OpenVPN Server and Client instances. For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and TLS for Authentication. We will be using two RUT routers: RUT1 (Server; LAN IP: 192.168.1.1; WAN (Public static) IP: 213.***.***.***) and RUT2 (Client; LAN IP: 192.168.2.1); that will be connected into virtual network (with the virtual address: 172.16.1.0)

OpenVPN Server configuration

Start by configuring OpenVPN Server on RUT1 device. Login to the WebUI, navigate to Services → VPN → OpenVPN, enter any name and select role as Server. After pressing the Add button, make the following changes:

Note: Not specified fields can be left as is or changed according to your needs.

Enable the instance Select Server role Name your instance Select Manual as configuration type Select TLS authentication Select Tunnel mode Choose the method for assigning virtual IPs. NET30 is selected by default. Select UDP protocol Select Port Set virtual network IP address Set virtual network Netmask Keep alive period If you generated certificates on the device, turn this option ON Select Certificate authority Select Server certificate Select Server key Select Diffie Hellman parameters

OpenVPN Client configuration

Next, configure OpenVPN Client on RUT2 device. Login to the WebUI, navigate to Services → VPN → OpenVPN, enter any name and select role as Client. After pressing the Add button, make the following changes:

Note: Not specified fields can be left as is or changed according to your needs.

Enable the instance Select Tunnel mode Select UDP protocol Select Port Select TLS authentication Enter Public IP address of the Server (WAN IP of RUT1) Set Keep alive period Enter server network IP address (If you wish to access it) Enter server network Netmask Select Certificate authority Select Client certificate Select Client key

To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Another important aspect is the Virtual network IP address (172.16.1.0 in this case). The Server and the connected Clients will be given IP addresses that belong to this network. If you're creating an exceptionally large network, you might want to change the Virtual network netmask.

From the Client side, make sure to enter the correct Remote host/IP address (213.***.***.*** in this case). This is the Server's Public IP address, not the virtual IP address.