Revision as of 13:47, 28 March 2024

Introduction

In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 only to be able to communicate with OpenVPN server

Generating certificates for an OpenVPN server

1)Navigate to System -> Administration -> Certificates

2)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons:

2.1) CA

2.2) Server

3) In Certificate Manager download Server certificate

There are multiple methods of how certificates could be generated, you could follow this tutorial instead: How to generate TLS certificates (Windows)?

For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client

Creating an OpenVPN server

1) Connect to WebUI and enable Advanced mode

2) Navigate to Services -> VPN -> OpenVPN

3) Add a new OpenVPN instance with a Server role

4) Create an OpenVPN server with these settings

Virtual network IP address – 10.0.0.0
Virtual network netmask – 255.255.255.224
Client to client – disabled
Certificate files from device - on

5) Press "Save & Apply", enable OpenVPN server and check if the server is online

Connecting clients to the OpenVPN server

1) Navigate to Services -> VPN -> OpenVPN

2) Add a new OpenVPN instance with a Client role

3) Create an OpenVPN client with these settings

Remote host/IP address - Public IP of the OpenVPN server's router
Remote network IP address - 10.0.0.0
Remote network netmask - 255.255.255.224
And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step

4) Press "Save & Apply", enable OpenVPN client and check if the connection is made

5) Repeat this step for as many clients as You need. For this example, we will have 3 clients

Client to Client LAN network communication

1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients

Add clients which LAN address You want to have access to, in our case, we add all 3 clients

Common name - common name of the certificate which was generated previously
Virtual local endpoint - client’s local address in the virtual network
Virtual remote endpoint - client’s remote address in the virtual network
Private network - client's LAN subnet
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server

This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets

1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN

Create a route to other client LAN networks using WebUI. This step should be done on all clients that want their LAN subnets be accessible and to access other client's LAN subnets

1) Navigate to Services -> VPN -> OpenVPN press "Edit" on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets.

Controlling access with firewall

1) Navigate to Network -> Firewall -> Access Control

2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks

Source interface - OpenVPN
Destination interface - OpenVPN
Source IP - OpenVPN remote IP and LAN subnet of client 3
Destination IP - other client OpenVPN remote endpoints and LAN subnets
Action - Deny

This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet

External links

https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPNs

@@ Line 1: / Line 1: @@
 <h1>Introduction</h1>
-In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 to only be able to communicate with OpenVPN server
+In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 only to be able to communicate with OpenVPN server
 <h1>Generating certificates for an OpenVPN server</h1>
-)Navigate to System -> Administration -> Certificates
+)Navigate to '''System -> Administration -> Certificates'''
-)Generate 2 certificates with a keysize 1024:
+)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons:
 .1) CA
@@ Line 15: / Line 15: @@
 ) In Certificate Manager download Server certificate
+There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
+[[How to generate TLS certificates (Windows)?]]
 [[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]]
@@ Line 24: / Line 26: @@
 )	Connect to WebUI and enable Advanced mode
-[[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]]
+[[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]]
-)	Navigate to Services -> VPN -> OpenVPN
+)	Navigate to '''Services -> VPN -> OpenVPN'''
 )	Add a new OpenVPN instance with a Server role
@@ Line 35: / Line 37: @@
 [[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]]
-Virtual network IP address – 10.0.0.0
+<ul>
+<li>Virtual network IP address – 10.0.0.0</li>
+<li>Virtual network netmask – 255.255.255.224</li>
+<li>Client to client – disabled</li>
+<li>Certificate files from device - on</li>
+</ul>
-Virtual network netmask – 255.255.255.224
+) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online
-Client to client – disabled
-Certificate files from device - on
-) Press "Save & Apply", enable OpenVPN server and check if the server is online
 [[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
@@ Line 49: / Line 50: @@
 <h1>Connecting clients to the OpenVPN server</h1>
-) Navigate to Services -> VPN -> OpenVPN
+) Navigate to '''Services -> VPN -> OpenVPN'''
 ) Add a new OpenVPN instance with a Client role
@@ Line 55: / Line 56: @@
 ) Create an OpenVPN client with these settings
-[[File:OpenVPN Client1.png|none|thumb|alt=|1000x1000px]]
+[[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]]
-Remote host/IP address - Public IP of the OpenVPN server's router
-.
-Remote network IP address - 10.0.0.0
-Remote network netmask - 255.255.255.240
-And add the certificates from the OpenVPN server - Certificate Authority, Client certificate and Client key which we downloaded in Certificate Generation step
+<ul>
+<li>Remote host/IP address - Public IP of the OpenVPN server's router</li>
+<li>Remote network IP address - 10.0.0.0</li>
+<li>Remote network netmask - 255.255.255.224</li>
+<li>And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step</li>
+</ul>
 ) Press "Save & Apply", enable OpenVPN client and check if the connection is made
-[[File:OpenVPN Client1 connected.png|none|thumb|alt=|1000x1000px]]
+[[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]]
 ) Repeat this step for as many clients as You need. For this example, we will have 3 clients
 <h1>Client to Client LAN network communication</h1>
-) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients
+) On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add TLS clients
 Add clients which LAN address You want to have access to, in our case, we add all 3 clients
+[[File:TLS Client 1.png||none|thumb|alt=|1000x1000px]]
+<ul>
+<li>Common name - common name of the certificate which was generated previously</li>
+<li>Virtual local endpoint - client’s local address in the virtual network</li>
+<li>Virtual remote endpoint - client’s remote address in the virtual network</li>
+<li>Private network - client's LAN subnet</li>
+<li>Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
+</ul>
+This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
-Common name - common name of the certificate which was generated previously
+) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN
-Virtual local endpoint - client’s local address in the virtual network.
-Virtual remote endpoint - client’s remote address in the virtual network.
-Private network - client's LAN subnet
-Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server
+[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]]
-This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
-) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN
-This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
+Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
-) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command
+) Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets.
-ip route add 192.168.20.0/24 via 10.0.0.6
+[[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]]
 <h1>Controlling access with firewall</h1>
-) Navigate to Network -> Firewall -> Access Control
+) Navigate to '''Network -> Firewall -> Access Control'''
 ) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
-Source interface - OpenVPN
+[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]
+<ul>
+<li>Source interface - OpenVPN</li>
+<li>Destination interface - OpenVPN</li>
+<li>Source IP - OpenVPN remote IP and LAN subnet of client 3</li>
+<li>Destination IP - other client OpenVPN remote endpoints and LAN subnets</li>
+<li>Action - Deny</li>
+</ul>
+This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
-Destination interface - OpenVPN
+<h1>See also</h1>
+<ul>
+<li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>
+<li>[[How to generate TLS certificates (Windows)?]]</li>
+<li>[[OpenVPN client on Windows]]</li>
+<li>[[OpenVPN client on Linux]]</li>
+<li>[[OpenVPN server on Windows]]</li>
+<li>[[OpenVPN traffic split]]</li>
+<li>[[Configuration file .ovpn upload tutorial]]</li>
+</ul>
-Source IP - OpenVPN remote IP and LAN subnet of client 3
-Destination IP - other client OpenVPN remote endpoints and LAN subnets
+<h1>External links</h1>
-This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
+https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPNs

Namespaces

Variants

Views

More

Search

Difference between revisions of "OpenVPN Access Control"

Revision as of 13:47, 28 March 2024

Contents

Introduction

Generating certificates for an OpenVPN server

Creating an OpenVPN server

Connecting clients to the OpenVPN server

Client to Client LAN network communication

Controlling access with firewall

See also

External links

Navigation menu

Personal tools

NAVIGATION

Tools

Categories