Changes

m
no edit summary
Line 1: Line 1:  
<h1>Introduction</h1>
 
<h1>Introduction</h1>
   −
In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 to only be able to communicate with OpenVPN server
+
In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 only to be able to communicate with OpenVPN server
    
<h1>Generating certificates for an OpenVPN server</h1>
 
<h1>Generating certificates for an OpenVPN server</h1>
   −
1)Navigate to System -> Administration -> Certificates
+
1)Navigate to '''System -> Administration -> Certificates'''
   −
2)Generate 2 certificates with a keysize 1024:
+
2)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons:
    
2.1) CA
 
2.1) CA
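Review bot: the reworded introduction is less clear than the original: "isolating Client3 only to be able to communicate" reads as if the isolation itself is conditional, whereas the previous "isolating Client3 to only be able to communicate with OpenVPN server" states the intent; consider "while isolating Client3 so that it can only communicate with the OpenVPN server". In step 2, dropping the fixed 1024-bit key size in favour of "at least 2048 bits" is the right change, but the new line has a stray space before the period in "Generate 2 certificates ." and should state what the two certificates are before the 2.1)/2.2) sub-steps, e.g. "Generate 2 certificates (a CA and a Server certificate). The recommended key size is at least 2048 bits for security reasons:".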
Line 15: Line 15:  
3) In Certificate Manager download Server certificate
 
3) In Certificate Manager download Server certificate
    +
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
 +
[[How to generate TLS certificates (Windows)?]]
    
[[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]]
 
[[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]]
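Review bot: the added sentence is a comma splice and "instead" has no stated referent; suggest "Certificates can also be generated outside the router. If you prefer, follow [[How to generate TLS certificates (Windows)?]] instead of steps 1-3 above." so the reader knows which steps the linked tutorial replaces.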
Line 24: Line 26:  
1) Connect to WebUI and enable Advanced mode
 
1) Connect to WebUI and enable Advanced mode
   −
[[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]]
+
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]]
   −
2) Navigate to Services -> VPN -> OpenVPN
+
2) Navigate to '''Services -> VPN -> OpenVPN'''
    
3) Add a new OpenVPN instance with a Server role
 
3) Add a new OpenVPN instance with a Server role
Line 35: Line 37:  
[[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]]
 
[[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]]
   −
Virtual network IP address – 10.0.0.0
+
<ul>
 +
<li>Virtual network IP address – 10.0.0.0</li>
 +
<li>Virtual network netmask – 255.255.255.224</li>
 +
<li>Client to client – disabled</li>
 +
<li>Certificate files from device - on</li>
 +
</ul>
   −
Virtual network netmask – 255.255.255.224
+
5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online
 
  −
Client to client – disabled
  −
 
  −
Certificate files from device - on
  −
 
  −
5) Press "Save & Apply", enable OpenVPN server and check if the server is online
      
[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
 
[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]]
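Review bot: "Client to client – disabled" is the one setting this example depends on and deserves a short explanation in the list: with client-to-client enabled, OpenVPN forwards packets between connected clients inside the daemon and they never reach the router's firewall, so the deny rule for Client 3 in the access-control section would have no effect; leaving it disabled forces client-to-client traffic through the kernel, where the firewall zones and rules apply. Style point: the list mixes an en dash ("Virtual network IP address – 10.0.0.0") with a hyphen ("Certificate files from device - on"); use one consistently.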
Line 49: Line 50:  
<h1>Connecting clients to the OpenVPN server</h1>
 
<h1>Connecting clients to the OpenVPN server</h1>
   −
1) Navigate to Services -> VPN -> OpenVPN
+
1) Navigate to '''Services -> VPN -> OpenVPN'''
    
2) Add a new OpenVPN instance with a Client role
 
2) Add a new OpenVPN instance with a Client role
Line 55: Line 56:  
3) Create an OpenVPN client with these settings
 
3) Create an OpenVPN client with these settings
   −
[[File:OpenVPN Client1.png|none|thumb|alt=|1000x1000px]]
+
[[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]]
 
  −
Remote host/IP address - Public IP of the OpenVPN server's router
  −
.
  −
Remote network IP address - 10.0.0.0
  −
 
  −
Remote network netmask - 255.255.255.240
  −
 
  −
And add the certificates from the OpenVPN server - Certificate Authority, Client certificate and Client key which we downloaded in Certificate Generation step
      +
<ul>
 +
<li>Remote host/IP address - Public IP of the OpenVPN server's router</li>
 +
<li>Remote network IP address - 10.0.0.0</li>
 +
<li>Remote network netmask - 255.255.255.224</li>
 +
<li>And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step</li>
 +
</ul>
 
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made
 
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made
   −
[[File:OpenVPN Client1 connected.png|none|thumb|alt=|1000x1000px]]
+
[[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]]
    
5) Repeat this step for as many clients as You need. For this example, we will have 3 clients
 
5) Repeat this step for as many clients as You need. For this example, we will have 3 clients
    
<h1>Client to Client LAN network communication</h1>
 
<h1>Client to Client LAN network communication</h1>
1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients
+
 
 +
1) On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add TLS clients
    
Add clients which LAN address You want to have access to, in our case, we add all 3 clients
 
Add clients which LAN address You want to have access to, in our case, we add all 3 clients
    +
[[File:TLS Client 1.png||none|thumb|alt=|1000x1000px]]
    +
<ul>
 +
<li>Common name - common name of the certificate which was generated previously</li>
 +
<li>Virtual local endpoint - client’s local address in the virtual network</li>
 +
<li>Virtual remote endpoint - client’s remote address in the virtual network</li>
 +
<li>Private network - client's LAN subnet</li>
 +
<li>Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
 +
</ul>
    +
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
   −
Common name - common name of the certificate which was generated previously
+
1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN
Virtual local endpoint - client’s local address in the virtual network.
  −
Virtual remote endpoint - client’s remote address in the virtual network.
  −
Private network - client's LAN subnet
  −
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server
      +
[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]]
   −
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
     −
1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN
     −
This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
+
Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets
   −
1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command
+
1) Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration, to add routes to Client 2's (192.168.20.0/24) and Client 3's (192.168.30.0/24) LAN subnets.
   −
ip route add 192.168.20.0/24 via 10.0.0.6
+
[[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]]
    
<h1>Controlling access with firewall</h1>
 
<h1>Controlling access with firewall</h1>
   −
1) Navigate to Network -> Firewall -> Access Control
+
1) Navigate to '''Network -> Firewall -> Access Control'''
    
2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
 
2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
   −
Source interface - OpenVPN
+
[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]
 +
 
 +
<ul>
 +
<li>Source interface - OpenVPN</li>
 +
<li>Destination interface - OpenVPN</li>
 +
<li>Source IP - OpenVPN remote IP and LAN subnet of client 3</li>
 +
<li>Destination IP - other client OpenVPN remote endpoints and LAN subnets</li>
 +
<li>Action - Deny</li>
 +
</ul>
 +
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
   −
Destination interface - OpenVPN
+
<h1>See also</h1>
 +
<ul>
 +
<li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>
 +
<li>[[How to generate TLS certificates (Windows)?]]</li>
 +
<li>[[OpenVPN client on Windows]]</li>
 +
<li>[[OpenVPN client on Linux]]</li>
 +
<li>[[OpenVPN server on Windows]]</li>
 +
<li>[[OpenVPN traffic split]]</li>
 +
<li>[[Configuration file .ovpn upload tutorial]]</li>
 +
</ul>
   −
Source IP - OpenVPN remote IP and LAN subnet of client 3
     −
Destination IP - other client OpenVPN remote endpoints and LAN subnets
+
<h1>External links</h1>
   −
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
+
https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPNs
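Review bot: the deny rule in "Controlling access with firewall" is one-directional and does not deliver the isolation the introduction promises. It matches Source IP = Client 3's endpoint and LAN subnet, so it blocks connections that Client 3 initiates, but nothing denies traffic whose destination is Client 3: Client 1 or Client 2 can still open connections to Client 3 and its LAN. Either add a second rule with the other clients' endpoints and LAN subnets as Source IP and Client 3's endpoint and LAN subnet as Destination IP, or reword the introduction to say that Client 3 cannot reach the other clients. Other points in this hunk: changing the client's "Remote network netmask" from 255.255.255.240 to 255.255.255.224 is a real fix, since it now matches the server's "Virtual network netmask – 255.255.255.224"; replacing the CLI "ip route add 192.168.20.0/24 via 10.0.0.6" with routes in the WebUI is also an improvement and worth saying why (an "ip route add" from the shell is not kept across a reboot). The "Client to Client LAN network communication" section now has three separate steps all numbered "1)" (TLS clients, firewall zone, client routes); number them 1) to 3) or give each block its own sub-heading. Minor: "[[File:TLS Client 1.png||none|thumb|..." has a doubled pipe; "if it's destination is OpenVPN server or it's LAN subnet" should read "if its destination is the OpenVPN server or its LAN subnet"; "as many clients as You need" should not capitalise "you".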
