Line 10: |
Line 10: |
| #<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li> | | #<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li> |
| </ul> | | </ul> |
− |
| |
| =Topology= | | =Topology= |
| | | |
Line 22: |
Line 21: |
| <li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li> | | <li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li> |
| </ul> | | </ul> |
− |
| |
− |
| |
| =Advanced mode= | | =Advanced mode= |
| | | |
| If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" | | If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" |
| [[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]] | | [[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]] |
− |
| |
| =Generating certificates for an OpenVPN server= | | =Generating certificates for an OpenVPN server= |
| | | |
| Navigate to '''System → Administration → Certificates → Generate Certificate''' | | Navigate to '''System → Administration → Certificates → Generate Certificate''' |
| | | |
− |   1. Generate 2 certificates . Recommended key size is at least '''2048 bits''' for security reasons:
| + | Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons: |
| | | |
− |    1.1. CA
| + |  1 CA |
| | | |
− |    1.2. Server | + |  2. Server |
| | | |
− |   2. In Certificate Manager download Server certificate
| + | In Certificate Manager download Server certificate. |
| | | |
| There are multiple methods of how certificates could be generated, you could follow this tutorial instead: | | There are multiple methods of how certificates could be generated, you could follow this tutorial instead: |
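Review bot: the renumbered certificate steps in this hunk are inconsistent: the sub-items became `1 CA` (no period) and `2. Server` (with a period) while the two enclosing steps lost their numbers altogether, so the reader can no longer tell that "In Certificate Manager download Server certificate" is a separate step after both certificates exist. Keep one numbered form for all four lines (for example `1. CA`, `2. Server`) or use the wiki's own list markup as the Topology section does. The server step should also name the files the way the client step below does ("download the certificate and key"): the server instance needs its own certificate and key plus the CA certificate, not the server certificate alone. On "Recommended key size is at least 2048 bits", say which key type the figure refers to (RSA), since the Generate Certificate form offers more than one.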
Line 46: |
Line 42: |
| [[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]] | | [[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]] |
| | | |
− | For any OpenVPN clients, You will need to generate “Client” certificates, download certificate and key, and send them to the client | + | For any OpenVPN clients, You will need to generate “Client” certificates, download the certificate and key, and send them to the client |
− | | |
| =Creating an OpenVPN server= | | =Creating an OpenVPN server= |
| | | |
− | Navigate to '''Services -> VPN -> OpenVPN''', Add a new OpenVPN instance with a Server role with these settings: | + | Navigate to '''Services -> VPN -> OpenVPN''', Add a new OpenVPN instance with a '''Server role''' with these settings: |
| | | |
| | | |
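Review bot: the navigation path in this hunk is written `Services -> VPN -> OpenVPN` with an ASCII arrow, while the certificate step above writes `System → Administration → Certificates → Generate Certificate` with `→`; the same `->` form reappears in the client section below, so pick one arrow for every path on the page. The deletion just before `=Creating an OpenVPN server=` also appears to remove the only blank line between the preceding paragraph and the heading, whereas the other headings in this diff keep one; restore it so the headings are spaced alike.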
Line 67: |
Line 62: |
| | | |
| [[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]] | | [[File:OpenVPN server is online v3.png|none|border|left|class=tlt-border|1100x1100px]] |
− |
| |
| =Connecting clients to the OpenVPN server= | | =Connecting clients to the OpenVPN server= |
| | | |
− | Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a Client role with these settings: | + | Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Client role''' with these settings: |
| | | |
| [[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]] | | [[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]] |
Line 83: |
Line 77: |
| | | |
| | | |
− | Press "'''Save & Apply'''", enable OpenVPN client and check if the connection is made | + | Press "'''Save & Apply'''", enable OpenVPN client, and check if the connection is made |
| | | |
| [[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]] | | [[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border|1100x1100px]] |
| | | |
| Repeat this step for as many clients as You need. For this example, we will have 3 clients. | | Repeat this step for as many clients as You need. For this example, we will have 3 clients. |
− |
| |
| =Client to Client LAN network communication= | | =Client to Client LAN network communication= |
| ==TLS Clients== | | ==TLS Clients== |
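Review bot: "enable OpenVPN client, and check if the connection is made" gives the reader nothing to check against; point to the status shown in the screenshot that follows (the instance marked connected) so the step has a concrete pass condition. "Repeat this step for as many clients as You need" should also point back to the per-client certificate step in the certificate section, since each repeated instance must use its own Client certificate and key rather than a copy of the first client's.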
Line 110: |
Line 103: |
| <li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li> | | <li>'''Covered network''' - Which LAN subnet should clients be able to communicate with in the OpenVPN server</li> |
| </ul> | | </ul> |
− |
| |
| ==Firewall Zones== | | ==Firewall Zones== |
| | | |
| This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets. | | This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets. |
| | | |
− |   Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
| + | Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN. |
| | | |
| [[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]] | | [[File:OpenVPN to LAN zone forward v2.png|none|border|left|class=tlt-border|1100x1100px]] |
− |
| |
− |
| |
− |
| |
| ==Routes to LAN subnets== | | ==Routes to LAN subnets== |
| | | |
| Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets. | | Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets. |
| | | |
− |   1. Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
| + | |
| + | Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets. |
| | | |
| [[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]] | | [[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]] |
− |
| |
| =Controlling access with firewall= | | =Controlling access with firewall= |
| | | |
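Review bot: the Firewall Zones hunk tells the reader to set the OpenVPN zone to forward to LAN on the server and on every client, but gives no caveat that this admits every VPN peer into each of those LANs; the restriction stated at the top of the page for Client 3 ("will only be able to communicate with OpenVPN server, but not with any of other clients") is applied only later, in "Controlling access with firewall", so add one sentence here saying the zone forward is deliberately permissive and is narrowed by the rule in that section. In the Routes to LAN subnets hunk, the client-side routes to 192.168.20.0/24 and 192.168.30.0/24 are only one half of the path: the server has to know which client owns each subnet, which is what the "Covered network" field in the TLS Clients section above configures, so state that both settings are required. As a style point, "want their LAN subnets be accessible" (twice in this region) should read "want their LAN subnets to be accessible".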
Line 150: |
Line 139: |
| | | |
| This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet. | | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet. |
− |
| |
− |
| |
| =Testing the setup= | | =Testing the setup= |
| | | |
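Review bot: in "This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet", both occurrences of "it's" are possessives and should be "its", and "will not interact with traffic" reads more clearly as "will not affect traffic whose destination is the OpenVPN server or its LAN subnet".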