|
|
| (28 intermediate revisions by 2 users not shown) |
| Line 1: |
Line 1: |
| − | <p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.06.6'''] firmware version .</p> | + | <h1>Introduction</h1> |
| | | | |
| − | =Introduction=
| + | In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 to only be able to communicate with OpenVPN server |
| | | | |
| − | Normally, OpenVPN Client access is controlled by enabling or disabling the Client to Client button in OpenVPN Servers configuration, however, at times, more granular control is required. In this example, we will configure an OpenVPN server with 3 Clients:
| + | <h1>Generating certificates for an OpenVPN server</h1> |
| | | | |
| − | <ul>
| + | 1)Navigate to '''System -> Administration -> Certificates''' |
| − | #<li> Client 1 will be able to communicate with Client 2 and OpenVPN server</li>
| |
| − | #<li> Client 2 will be able to communicate with Client 1 and OpenVPN server</li>
| |
| − | #<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
| |
| − | </ul>
| |
| | | | |
| − | If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
| + | 2)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons: |
| − | [[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
| |
| − | =Topology=
| |
| | | | |
| − | [[File:OpenVPN Topology v4.png|none|border|left|class=tlt-border|1000x1000px]]
| + | 2.1) CA |
| | | | |
| | + | 2.2) Server |
| | | | |
| − | <ul>
| + | 3) In Certificate Manager download Server certificate |
| − | <li> OpenVPN server tunnel address - 10.0.0.1, OpenVPN subnet - 10.0.0.0/27, LAN device address - 192.168.5.114</li>
| |
| − | <li> Client 1 VPN tunnel address - 10.0.0.6, LAN device address - 192.168.10.216</li>
| |
| − | <li> Client 2 VPN tunnel address - 10.0.0.10, LAN device address - 192.168.20.193</li>
| |
| − | <li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
| |
| − | </ul>
| |
| − | =Generating certificates for an OpenVPN server=
| |
| | | | |
| − | Navigate to '''System → Administration → Certificates → Generate Certificate'''
| |
| | | | |
| − | Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:
| + | [[File:Certificate download v2.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − |  1. CA
| + | For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client |
| | | | |
| − |  2. Server
| + | <h1>Creating an OpenVPN server</h1> |
| | | | |
| − | In Certificate Manager download Server certificate.
| + | 1) Connect to WebUI and enable Advanced mode |
| | | | |
| − | [[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]] | + | [[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − | For any OpenVPN clients, You will need to generate “'''Client'''” certificates, download the certificate and key, and send them to the client
| + | 2) Navigate to '''Services -> VPN -> OpenVPN''' |
| | | | |
| − | There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
| + | 3) Add a new OpenVPN instance with a Server role |
| − | [[How to generate TLS certificates (Windows)?]]
| |
| − | =Creating an OpenVPN server=
| |
| | | | |
| − | Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Server role''' with these settings:
| + | 4) Create an OpenVPN server with these settings |
| | | | |
| | | | |
| − | [[File:OpenVPN server settings v3.png|none|border|left|class=tlt-border]] | + | [[File:OpenVPN server settings v2.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − | 1 - <b>Client to client</b> – disabled
| + | Virtual network IP address – 10.0.0.0 |
| | | | |
| − | 2 - <b>Virtual network IP address</b> – 10.0.0.0
| + | Virtual network netmask – 255.255.255.224 |
| | | | |
| − | 3 - <b>Virtual network netmask</b> – 255.255.255.224
| + | Client to client – disabled |
| | | | |
| − | 4 - <b>Certificate files from device</b> - on
| + | Certificate files from device - on |
| | | | |
| | + | 5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online |
| | | | |
| − | Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online.
| + | [[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − | [[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]]
| + | <h1>Connecting clients to the OpenVPN server</h1> |
| − | =Connecting clients to the OpenVPN server=
| |
| | | | |
| − | Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Client role''' with these settings: | + | 1) Navigate to '''Services -> VPN -> OpenVPN''' |
| | | | |
| − | [[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]
| + | 2) Add a new OpenVPN instance with a Client role |
| | | | |
| − |    1 - '''Remote host/IP address''' - Public IP of the OpenVPN server's router
| + | 3) Create an OpenVPN client with these settings |
| | | | |
| − |    2 - '''Remote network IP address''' - 10.0.0.0
| + | [[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − |    3 - '''Remote network netmask''' - 255.255.255.224
| + | Remote host/IP address - Public IP of the OpenVPN server's router |
| | | | |
| − |    4 - '''Add the certificates from the OpenVPN server''' - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step.
| + | Remote network IP address - 10.0.0.0 |
| | | | |
| | + | Remote network netmask - 255.255.255.224 |
| | | | |
| − | Press "'''Save & Apply'''", enable OpenVPN client, and check if the connection is made
| + | And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step |
| | | | |
| − | [[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]]
| + | 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made |
| | | | |
| − | Repeat this step for as many clients as You need. For this example, we will have 3 clients.
| + | [[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]] |
| − | =Client to Client LAN network communication=
| |
| − | ==TLS Clients==
| |
| | | | |
| − | On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add '''TLS clients''' which LAN address You want to have access to, in our case, we add all 3 clients:
| + | 5) Repeat this step for as many clients as You need. For this example, we will have 3 clients |
| − | ===TLS Client 1===
| |
| − | ----
| |
| − | [[File:TLS Client1 v3.png|none|border|left|class=tlt-border]]
| |
| − | ===TLS Client 2===
| |
| − | ----
| |
| − | [[File:TLS Client2 v3.png|none|border|left|class=tlt-border]]
| |
| − | ===TLS Client 3===
| |
| − | ----
| |
| − | [[File:TLS Client3 v3.png|none|border|left|class=tlt-border]]
| |
| | | | |
| − | <ul> | + | <h1>Client to Client LAN network communication</h1> |
| − | <li>'''Common name''' - common name of the certificate which was generated previously</li>
| |
| − | <li>'''Virtual local endpoint''' - client’s local address in the virtual network</li>
| |
| − | <li>'''Virtual remote endpoint''' - client’s remote address in the virtual network</li>
| |
| − | <li>'''Private network''' - client's LAN subnet</li>
| |
| − | <li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
| |
| − | </ul> | |
| − | ==Firewall Zones==
| |
| | | | |
| − | This step should be done on OpenVPN '''server and all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.
| + | 1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients |
| | | | |
| − | Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
| + | Add clients which LAN address You want to have access to, in our case, we add all 3 clients |
| | | | |
| − | [[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]] | + | [[File:TLS Client 1.png||none|thumb|alt=|1000x1000px]] |
| − | ==Routes to LAN subnets==
| |
| | | | |
| − | Create a route to other client LAN networks using WebUI. This step should be done on '''all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.
| |
| | | | |
| | + | Common name - common name of the certificate which was generated previously |
| | | | |
| − | Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
| + | Virtual local endpoint - client’s local address in the virtual network |
| | | | |
| − | (In some cases, pushing routes to LAN addresses from the OpenVPN server to clients, breaks routing on the clients, so doing it from the client side is safer, but more time consuming)
| + | Virtual remote endpoint - client’s remote address in the virtual network |
| | | | |
| − | [[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
| + | Private network - client's LAN subnet |
| − | =Controlling access with firewall=
| |
| | | | |
| − | Navigate to '''Network -> Firewall -> Access Control''' and create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks.
| + | Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server |
| | | | |
| − | [[File:Deny Client3 rule v2.png|none|border|left|class=tlt-border]]
| |
| | | | |
| | + | This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets |
| | | | |
| − |    1 - '''Protocol''' - All protocols
| + | 1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN |
| | | | |
| − |    2 - '''Source zone''' - OpenVPN
| + | [[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − |    3 - '''Source IP''' - OpenVPN remote IP and LAN subnet of client 3
| |
| | | | |
| − |    4 - '''Destination zone''' - OpenVPN
| + | This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets |
| | | | |
| − |    5 - '''Destination address''' - other client OpenVPN remote endpoints and LAN subnets
| |
| | | | |
| − |    6 - '''Action''' - Deny
| + | 1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command |
| | | | |
| | + | ip route add 192.168.20.0/24 via 10.0.0.6 |
| | | | |
| − | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.
| + | <h1>Controlling access with firewall</h1> |
| − | =Testing the setup=
| |
| | | | |
| − | If You have followed the steps correctly, configuration should be finished. These should be the results that You will be getting:
| + | 1) Navigate to Network -> Firewall -> Access Control |
| | | | |
| | + | 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks |
| | | | |
| − | Client 1 to Client 2
| + | [[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]] |
| | | | |
| − | Pinging 192.168.20.193 from 192.168.10.216 with 32 bytes of data:
| |
| − | Reply from 192.168.20.194: bytes=32 time=172ms TTL=125
| |
| − | Reply from 192.168.20.194: bytes=32 time=114ms TTL=125
| |
| − | Reply from 192.168.20.194: bytes=32 time=113ms TTL=125
| |
| − | Reply from 192.168.20.194: bytes=32 time=294ms TTL=125
| |
| | | | |
| − | Client 1 to Client 3
| + | Source interface - OpenVPN |
| | | | |
| − | Pinging 192.168.30.178 from 192.168.10.216 with 32 bytes of data:
| + | Destination interface - OpenVPN |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| | | | |
| − | Client 2 to Client 1
| + | Source IP - OpenVPN remote IP and LAN subnet of client 3 |
| | | | |
| − | Pinging 192.168.10.216 from 192.168.20.193 with 32 bytes of data:
| + | Destination IP - other client OpenVPN remote endpoints and LAN subnets |
| − | Reply from 192.168.10.216: bytes=32 time=185ms TTL=125
| |
| − | Reply from 192.168.10.216: bytes=32 time=123ms TTL=125
| |
| − | Reply from 192.168.10.216: bytes=32 time=227ms TTL=125
| |
| − | Reply from 192.168.10.216: bytes=32 time=189ms TTL=125
| |
| | | | |
| − | Client 2 to Client 3
| + | Action - Deny |
| | | | |
| − | Pinging 192.168.30.178 from 192.168.20.193 with 32 bytes of data:
| + | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | | |
| − | Client 3 to Client 1 | |
| − | | |
| − | Pinging 192.168.10.216 from 192.168.30.178 with 32 bytes of data:
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | | |
| − | Client 3 to Client 2
| |
| − | | |
| − | Pinging 192.168.20.193 from 192.168.30.178 with 32 bytes of data:
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | Request timed out.
| |
| − | | |
| − | And server can reach all of the clients and their LAN subnets
| |
| − | | |
| − | Pinging 192.168.10.216 from 192.168.5.114 with 32 bytes of data:
| |
| − | Reply from 192.168.5.114: bytes=32 time=264ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=138ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=81ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=107ms TTL=62
| |
| − |
| |
| − | Pinging 192.168.20.193 from 192.168.5.114 with 32 bytes of data:
| |
| − | Reply from 192.168.5.114: bytes=32 time=61ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=376ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=132ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=232ms TTL=62
| |
| − |
| |
| − | Pinging 192.168.30.178 from 192.168.5.114 with 32 bytes of data:
| |
| − | Reply from 192.168.5.114: bytes=32 time=226ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=327ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=111ms TTL=62
| |
| − | Reply from 192.168.5.114: bytes=32 time=80ms TTL=62
| |
| − | | |
| − | <br>
| |
| − | | |
| − | =See also=
| |
| − | | |
| − | <ul>
| |
| − | <li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>
| |
| − | <li>[[How to generate TLS certificates (Windows)?]]</li>
| |
| − | <li>[[OpenVPN client on Windows]]</li>
| |
| − | <li>[[OpenVPN client on Linux]]</li>
| |
| − | <li>[[OpenVPN server on Windows]]</li>
| |
| − | <li>[[OpenVPN traffic split]]</li>
| |
| − | <li>[[Configuration file .ovpn upload tutorial]]</li>
| |
| − | <li>[[Firewall traffic rules]]</li>
| |
| − | </ul>
| |
| − | | |
| − | | |
| − | =External links=
| |
| − | | |
| − | https://openvpn.net/index.php/open-source/documentation/howto.html - some additional information on OpenVPN
| |
Introduction
In this example, we will configure an OpenVPN server, will let Client1 and Client2 communicate, while isolating Client3 to only be able to communicate with OpenVPN server
Generating certificates for an OpenVPN server
1)Navigate to System -> Administration -> Certificates
2)Generate 2 certificates . Recommended key size is at least 2048 bits for security reasons:
2.1) CA
2.2) Server
3) In Certificate Manager download Server certificate
For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client
Creating an OpenVPN server
1) Connect to WebUI and enable Advanced mode
2) Navigate to Services -> VPN -> OpenVPN
3) Add a new OpenVPN instance with a Server role
4) Create an OpenVPN server with these settings
Virtual network IP address – 10.0.0.0
Virtual network netmask – 255.255.255.224
Client to client – disabled
Certificate files from device - on
5) Press "Save & Apply", enable OpenVPN server and check if the server is online
Connecting clients to the OpenVPN server
1) Navigate to Services -> VPN -> OpenVPN
2) Add a new OpenVPN instance with a Client role
3) Create an OpenVPN client with these settings
Remote host/IP address - Public IP of the OpenVPN server's router
Remote network IP address - 10.0.0.0
Remote network netmask - 255.255.255.224
And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made
5) Repeat this step for as many clients as You need. For this example, we will have 3 clients
Client to Client LAN network communication
1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients
Add clients which LAN address You want to have access to, in our case, we add all 3 clients
Common name - common name of the certificate which was generated previously
Virtual local endpoint - client’s local address in the virtual network
Virtual remote endpoint - client’s remote address in the virtual network
Private network - client's LAN subnet
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets
1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN
This step should be done on all clients that want their LAN subnets be accessible and to access other client's LAN subnets
1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command
ip route add 192.168.20.0/24 via 10.0.0.6
Controlling access with firewall
1) Navigate to Network -> Firewall -> Access Control
2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks
Source interface - OpenVPN
Destination interface - OpenVPN
Source IP - OpenVPN remote IP and LAN subnet of client 3
Destination IP - other client OpenVPN remote endpoints and LAN subnets
Action - Deny
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet
