Changes

m
no edit summary
Line 10: Line 10:  
#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
 
#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
 
</ul>
 
</ul>
   
=Topology=
 
=Topology=
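Review bot: the list item `#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>` mixes the wiki `#` numbered-list marker with an HTML `<li>` inside a `</ul>` block, so the leading `#` renders as a literal character; use `<li>` alone, matching the other items. While touching it, "with the OpenVPN server" and "any of the other clients", since this sentence is the stated goal that the later firewall rule is supposed to enforce.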
   Line 22: Line 21:  
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
 
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
 
</ul>
 
</ul>
  −
   
=Advanced mode=
 
=Advanced mode=
    
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
 
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
 
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
 
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
   
=Generating certificates for an OpenVPN server=
 
=Generating certificates for an OpenVPN server=
    
Navigate to '''System → Administration → Certificates → Generate Certificate'''
 
Navigate to '''System → Administration → Certificates → Generate Certificate'''
   −
&emsp; 1. Generate 2 certificates . Recommended key size is at least '''2048 bits''' for security reasons:
+
Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:
   −
&emsp;&emsp; 1.1. CA
+
&emsp;1 CA
   −
&emsp;&emsp; 1.2. Server
+
&emsp;2. Server
   −
&emsp; 2. In Certificate Manager download Server certificate
+
In Certificate Manager download Server certificate.
    
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
 
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
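Review bot: the renumbered certificate list is inconsistent, `&emsp;1 CA` has no period while `&emsp;2. Server` does. More importantly the order should be stated as required, not incidental: the CA must be generated first because the Server certificate is signed by it, and the CA private key stays on the router and is never downloaded or distributed, only the Server certificate and key (as the next line says) and later the CA certificate. Also "If You have trouble seeing any of the settings" should use lowercase "you".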
Line 46: Line 42:  
[[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]]
 
[[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]]
   −
For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client
+
For any OpenVPN clients, You will need to generate “Client” certificates, download the certificate and key, and send them to the client
 
   
=Creating an OpenVPN server=
 
=Creating an OpenVPN server=
   −
Navigate to '''Services -> VPN -> OpenVPN''', Add a new OpenVPN instance with a Server role with these settings:
+
Navigate to '''Services -> VPN -> OpenVPN''', Add a new OpenVPN instance with a '''Server role''' with these settings:
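Review bot: `For any OpenVPN clients, You will need to generate “Client” certificates, download the certificate and key, and send them to the client` needs a handling caveat: the downloaded key is the client's private key, so it must be delivered over an authenticated, encrypted channel, not pasted into mail or chat. Issue one certificate per client (Client 1, 2 and 3 in this topology) rather than sharing one, so a single client can be revoked without reissuing the others, and note that the client also needs the CA certificate to verify the server, which this sentence omits. "For each OpenVPN client, you will need..." reads better.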
      Line 67: Line 62:     
[[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]]
 
[[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]]
   
=Connecting clients to the OpenVPN server=
 
=Connecting clients to the OpenVPN server=
   −
Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a Client role with these settings:
+
Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Client role''' with these settings:
    
[[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]
 
[[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]
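Review bot: at `Add a new OpenVPN instance with a '''Client role''' with these settings:` the settings exist only in the screenshot `OpenVPN Client1 v3.png`; the security-relevant fields (CA certificate, client certificate and key, remote host, authentication mode) should be listed in text so a reader who cannot see the image, or who is comparing against the server hunk above, can verify that the two sides match.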
Line 83: Line 77:       −
Press "'''Save & Apply'''", enable OpenVPN client and check if the connection is made
+
Press "'''Save & Apply'''", enable OpenVPN client, and check if the connection is made
    
[[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]]
 
[[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]]
    
Repeat this step for as many clients as You need. For this example, we will have 3 clients.
 
Repeat this step for as many clients as You need. For this example, we will have 3 clients.
   
=Client to Client LAN network communication=
 
=Client to Client LAN network communication=
 
==TLS Clients==
 
==TLS Clients==
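Review bot: `Repeat this step for as many clients as You need.` should say what must differ per client instance: each one uses its own client certificate and key pair from the previous section, and only the CA certificate is shared. Also "check if the connection is made" should say what to look for (the client shows as connected, as in `OpenVPN Client1 connected v2.png`, and it receives its tunnel address from the Topology list, 10.0.0.14 for Client 3). Lowercase "you".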
Line 110: Line 103:  
<li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
 
<li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li>
 
</ul>
 
</ul>
   
==Firewall Zones==
 
==Firewall Zones==
    
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets.
 
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets.
   −
&emsp; Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
+
Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
    
[[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]]
 
[[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]]
  −
  −
   
==Routes to LAN subnets==
 
==Routes to LAN subnets==
    
Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets.
 
Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets.
   −
&emsp; 1. Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
+
 
 +
Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
    
[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
 
[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
   
=Controlling access with firewall=
 
=Controlling access with firewall=
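Review bot: the Routes step and the TLS Clients step depend on each other and the text should say so. A route added under `Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets` only sends packets for 192.168.20.0/24 and 192.168.30.0/24 into the tunnel toward the server; the server must know which TLS client owns each subnet, which is what `'''Covered network'''` in the TLS Clients section provides, so a route on Client 1 without a Covered network entry for Client 2 and Client 3 on the server does nothing. Two smaller points: a comma is missing after `'''OpenVPN'''` before "press", and `set OpenVPN zone to forward traffic to LAN` grants every VPN peer access to that device's whole LAN, so this hunk should point to the "Controlling access with firewall" section as the step that narrows it (here, for Client 3).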
   Line 150: Line 139:     
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.
 
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.
  −
   
=Testing the setup=
 
=Testing the setup=
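Review bot: `This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet.` uses "it's" twice where "its" is meant, and the stray comma before "if" should go. The security caveat it needs: a firewall rule on the server can only block client-to-client traffic that OpenVPN hands to the kernel; if the server instance has the client-to-client option enabled, OpenVPN switches traffic between clients internally and this deny rule is never evaluated, so the text should state that the option must be off for the rule to have any effect. The Testing section that follows should then verify both halves of the claim: from Client 3's LAN (192.168.30.178) a ping to a host in 192.168.20.0/24 must fail while a ping to the server's LAN must still succeed.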
  
