RUT900 VPN

From Teltonika Networks Wiki
Main Page > EOL Products > RUT900 > RUT900 Manual > RUT900 WebUI > RUT900 Services section > RUT900 VPN

Template:Networking rutxxx manual vpn

GRE Tunnel

GRE (Generic Routing Encapsulation RFC2784) is a solution for tunneling RFC1812 private address-space traffic over an intermediate TCP/IP network such as the Internet. GRE tunneling does not use encryption it simply encapsulates data and sends it over the wide area network (WAN).


In the example network diagram two distant networks LAN1 and LAN2 are connected. To create A GRE tunnel the user must know the following parameters:

  • Source and destination IP addresses
  • Tunnel’s local IP address
  • Distant network’s IP address and Subnet mask

To create a new GRE instance, go to the GRE Tunnel tab, type in a name for your new instance in the text field below the GRE Tunnel tab and press the Add New button next to it. The newly created instance will be disabled and unconfigured. To configure it press the Edit button located next to it. This action will redirect you to the instance’s GRE Tunnel Configuration window.


field name value description
Enabled yes | no; Default: no Toggles GRE Tunnel ON or OFF
Remote endpoint IP address ip; Default: " " WAN IP address or hostname of the remote GRE Tunnel instance
Remote network integer [0..32]; Default: " " LAN IP address of the remote device
Remote network netmask integer [0..32]; Default: " " LAN netmask of the remote device
Local tunnel IP ip; Default: " " Local virtual IP address. Can’t be in the same subnet as LAN network
MTU integer [0..255]; Default: 255 Toggles the Path Maximum Transmission Unit Discovery (PMTUD) status on this tunnel ON or OFF
TTL integer [0..255]; Default: 255 Fixed time-to-live (TTL) value on tunneled packets. The 0 is a special value meaning that packets inherit the TTL value
PMTUD yes | no; Default: no Toggles the Path Maximum Transmission Unit Discovery (PMTUD) status on this tunnel ON or OFF
Redirect LAN to GRE yes | no; Default: no Redirects LAN traffic to the GRE interface
Enable Keep alive yes | no; Default: no Gives the ability for one side to originate and receive keep alive packets to and from a remote router
Keep Alive host host | ip; Default: " " Keep Alive IP address to send pings to. Preferably this should be an IP address which belongs to the LAN network on the remote device
Keep alive interval integer [0..255]; Default: " " Frequency at which ICMP packets are sent by the Keep Alive function (in seconds)

To find a more in-depth GRE Tunnel configuration example, visit this page

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a protocol (set of communication rules) that allows corporations to extend their own corporate network through private "tunnels" over the public Internet. Effectively, a corporation uses a wide-area network as a single large local area network. A company no longer needs to lease its own lines for wide-area communication but can securely use the public networks.

For a more in-depth configuration example, visit the PPTP configuration examples page.

PPTP Client


To create a new PPTP instance, go to the PPTP tab, select the Role (server or client) of your instance, type in a name in the New configuration name field and press the Add button next to it. The newly created instance will be disabled and unconfigured. To configure it click the Edit button located next to it. This action will redirect you to the instance’s PPTP Configuration window.


field name value description
Enable yes | no; Default: no Toggles PPTP Client ON or OFF
Use as default gateway yes | no; Default: no Use this PPTP instance as default gateway
Client to client yes | no; Default: no Toggles client to client on the PPTP tunnel ON or OFF
Server host | ip; Default: " " PPTP server's IP address or hostname
Username string; Default: " " User name for authorization with the server
Password string; Default: " " Password used for authorization with the server

PPTP Server


field name value description
Enable yes | no; Default: no Toggles PPTP Server ON or OFF
Local IP ip; Default: 192.168.0.1 Virtual IP Address of this PPTP server
Remote IP range begin ip; Default: 192.168.0.20 Client IP address leases beginning
Remote IP range end ip; Default: 192.168.0.30 Client IP address leases end
User name string; Default: youruser Client's user name used for authentication with this server
Password string; Default: yourpass Client's password used for authentication with this server
PPTP Client's IP ip; Default: " " Client’s IP address. Leave empty to assign a random IP from the IP range specified above

L2TP

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It is more secure than PPTP but, because it encapsulates the transferred date twice, but it is slower and uses more CPU power.

For a more in-depth configuration example, visit the L2TP configuration examples page.

L2TP Client


To create a new L2TP instance, go to the L2TP tab, select the Role (server or client) of your instance, type in a name in the New configuration name field and press the Add button next to it. The newly created instance will be disabled and unconfigured. To configure it press the Edit button located next to it. This action will redirect you to the instance’s L2TP Configuration window.


field name value description
Enable yes | no; Default: no Toggles L2TP Client ON or OFF
Server host | ip; Default: " " L2TP server's remote IP address or hostname
Username string; Default: " " User name used to authenticate you to the L2TP server
Password string; Default: " " Password used to authenticate you to the server

L2TP Server


field name value description
Enable yes | no; Default: no Toggles L2TP Server ON or OFF
Local IP ip; Default: 192.168.0.1 Virtual IP Address of this L2TP server
Remote IP range begin ip; Default: 192.168.0.20 Client IP address leases beginning
Remote IP range end ip; Default: 192.168.0.30 Client IP address leases end
User name string; Default: user Client's user name used for authentication with this server
Password string; Default: pass Client's password used for authentication with this server

Stunnel

Stunnel is an open-source multi-platform software application used to provide a TLS/SSL tunneling service for already existing clients and servers. Below is an overview of the Stunnel application and its WebUI configuration section implemented on RUTxxx routers. For in-depth examples please visit Stunnel page.

Here is an approximate visual representation of Stunnel connection:


Upon creation, Stunnel configuration will be empty. User is expected to define their own configuration using the created configuration template. Stunnel provided encryption and connection will only work with properly configured Stunnel server(s) and client(s).

Duplicate configuration names are not allowed.

Stunnel configuration list window is located at Services → VPN → Stunnel:

Services menu, VPN section:

Stunnel tab:


To create a new configuration, enter the desired name in field below all configuration list entries and click button Add:

Once you’ve added a new Stunnel configuration, it is automatically saved - no need to press the Save button.

By default the configuration will be disabled and unconfigured. You can change the configuration by clicking the Edit button and delete the configuration by clicking the Delete button.

To establish an Stunnel connection you must have configured and enabled Stunnel client and server instances on either same or different routers.

Stunnel Configuration

Default Stunnel configuration:


Stunnel configuration field explanation table:

Field Name Value Description
Enabled yes | no; Default: no Enables the Stunnel configuration.
Operating Mode Client | Server; Default: "" Specifies whether this configuration will be used for Stunnel client or server.
Listen IP ip | host; Default: "" OPTIONAL Specifies which IP address or host should Stunnel listen to. If left empty, defaults to localhost.
Listen Port port (integer [0..65535]); Default: "" Specifies TCP port which Stunnel should listen to. Port cannot be taken by another service!
Connect IP's [host:]port; Default: "" Uses the standard host:port convetion (e.g. 127.0.0.1:6001; localhost:6001). Host part can be emmited - empty host part defaults to localhost. Must contain at least one item. If multiple options are specified, remote address is chosen using a round-robin algorithm.
TLS Cipher None | Secure | Custom Select permitted TLS ciphers (TLSv1.2 and below). If custom is selected, a new field appears to enter custom ciphers.
Allowed TLS Ciphers Cipher[:Cipher]..; Default: "" Only appears if a Custom TLS Cipher is selected
A colon-delimited TLS cipher list (e.g. DES-CBC3-SHA:IDEA-CBC-MD5)
Application Protocol Not specified | Connect | SMTP; Default: Not specified CLIENT SIDE ONLY

This option enables initial, protocol-specific negotiation of the TLS encryption. The protocol option should not be used with TLS encryption on a separate port.

If Connect or SMTP is selected, more customization fields appear.
Protocol Authentication Connect: Basic | NTLM; Default: Basic SMTP: Plain | Login; Default: Plain CLIENT SIDE ONLY

Options depend on the selected protocol

Authentication type for the protocol negotiations.
Protocol Domain domain (text); Default: "" CLIENT SIDE ONLY

Only appears if a Connect protocol is selected

Domain for the protocol negotiations.
Protocol Host host:port; Default: "" CLIENT SIDE ONLY

Only appears if a Connect protocol is selected

Destination address for the protocol negotiations.

Specifies the final TLS server to be connected to by the proxy, and not the proxy server directly connected by Stunnel. The proxy server should be specified with the connect option.
Protocol Username username (text); Default: "" CLIENT SIDE ONLY

Only appears if a protocol is selected

Username for the protocol negotiations.
Protocol Password password (text); Default: "" CLIENT SIDE ONLY

Only appears if a protocol is selected

Password for the protocol negotiations.
Verification None | Verify Chain | Verify Peer; Default: None Verification type. Verify Chain verifies connections against a Certificate Authority (CA) file, while Verify Peer verifies connections against a list of approved certificates.
Verification file file; Default: "" Only appears if a verification type is selected

File which is used to verify peer(s) or a peer chain. A different type of file is expected depending on the verification type selected:

Verify Chain: Expects a CA (Certificate Authority) file.

Verify Peer: Expects a file with one (or more, concatenated) peer certificate(s).
Certificate File file; Default: "" Mandatory for a server configuration. Optional for a client configuration

The parameter specifies the file containing certificates used by stunnel to authenticate itself against the remote client or server.

The file should contain the whole certificate chain starting from the actual server/client certificate, and ending with the self-signed root CA certificate.

Can be a certificate only, or both certificate and private key concatenated into a single file.
Private Key file; Default: Certificate File Can be skipped if the Certificate File is appended with the private key

Must be uploaded if the Certificate File does not contain the private key

A private key, required to authenticate the certificate owner.

After setting the parameters, click the Save button; otherwise, changes will not be saved. Some parameters will be shown in the configuration list table.


Stunnel Global Configuration

Default Stunnel global configuration:


Stunnel global configuration field explanation table:

Field Name Value Description
Enabled yes | no; Default: no Enables/activates all the enabled Stunnel configurations.
Debug Level integer [0..7]; Default: 5 Debugging level. Level is one of the syslog level names or numbers emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), info (6), or debug (7). All logs for the specified level and all levels numerically less than it will be shown. Use 7 for greatest debugging output.
Use alternative config yes | no; Default: no Enable alternative configuration option (Config upload). Be aware that when using alternative configuration, all configurations in Stunnel Configuration section will be skipped.
Upload alternative config file; Default: "" Only appears if the "Use alternative config" is enabled
Upload the alternative Stunnel configuration file.


IMPORTANT:

The router can have multiple configurations set up and enabled at the same time. Note that if at least one configuration is not set correctly, none of them will be enabled, despite the "Enabled" flag being marked.

Also, you must mark the global "Enabled" flag to actually enable all the individually marked configurations.

DMVPN

Click here for DMVPN configuration instructions.

See also