OpenVPN Access Control: Difference between revisions
m (Edit with screenshots)
Line 5: | Line 5: | ||
<h1>Generating certificates for an OpenVPN server</h1> | <h1>Generating certificates for an OpenVPN server</h1> | ||
1)Navigate to System -> Administration -> Certificates | 1)Navigate to '''System -> Administration -> Certificates''' | ||
2)Generate 2 certificates with a keysize 1024: | 2)Generate 2 certificates with a keysize 1024: | ||
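Review bot: the "keysize 1024" value in step 2 is carried into the new revision unchanged, and 1024-bit keys are below the 2048-bit minimum generally expected for new RSA certificates; suggest changing the line to "2) Generate 2 certificates with a keysize 2048" (and refreshing the matching screenshot) so readers do not copy a weak key size. Minor: add a space after "1)" and "2)" to match the "1) " spacing used in the later sections.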
Line 26: | Line 26: | ||
[[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] | [[File:Advanced mode toggle v2.png|none|thumb|alt=|1000x1000px]] | ||
2) Navigate to Services -> VPN -> OpenVPN | 2) Navigate to '''Services -> VPN -> OpenVPN''' | ||
3) Add a new OpenVPN instance with a Server role | 3) Add a new OpenVPN instance with a Server role | ||
Line 43: | Line 43: | ||
Certificate files from device - on | Certificate files from device - on | ||
5) Press "Save & Apply", enable OpenVPN server and check if the server is online | 5) Press '''"Save & Apply"''', enable OpenVPN server and check if the server is online | ||
[[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]] | [[File:OpenVPN server is online v2.png|none|thumb|alt=|1000x1000px]] | ||
Line 49: | Line 49: | ||
<h1>Connecting clients to the OpenVPN server</h1> | <h1>Connecting clients to the OpenVPN server</h1> | ||
1) Navigate to Services -> VPN -> OpenVPN | 1) Navigate to '''Services -> VPN -> OpenVPN''' | ||
2) Add a new OpenVPN instance with a Client role | 2) Add a new OpenVPN instance with a Client role | ||
Line 55: | Line 55: | ||
3) Create an OpenVPN client with these settings | 3) Create an OpenVPN client with these settings | ||
[[File:OpenVPN Client1.png|none|thumb|alt=|1000x1000px]] | [[File:OpenVPN Client1 v2.png|none|thumb|alt=|1000x1000px]] | ||
Remote host/IP address - Public IP of the OpenVPN server's router | Remote host/IP address - Public IP of the OpenVPN server's router | ||
Remote network IP address - 10.0.0.0 | Remote network IP address - 10.0.0.0 | ||
Remote network netmask - 255.255.255. | Remote network netmask - 255.255.255.224 | ||
And add the certificates from the OpenVPN server - Certificate Authority, Client certificate and Client key which we downloaded in Certificate Generation step | And add the certificates from the OpenVPN server - Certificate Authority, Client certificate, and Client key which we downloaded in the Certificate Generation step | ||
4) Press "Save & Apply", enable OpenVPN client and check if the connection is made | 4) Press "Save & Apply", enable OpenVPN client and check if the connection is made | ||
[[File:OpenVPN Client1 connected.png|none|thumb|alt=|1000x1000px]] | [[File:OpenVPN Client1 connected v2.png|none|thumb|alt=|1000x1000px]] | ||
5) Repeat this step for as many clients as You need. For this example, we will have 3 clients | 5) Repeat this step for as many clients as You need. For this example, we will have 3 clients | ||
<h1>Client to Client LAN network communication</h1> | <h1>Client to Client LAN network communication</h1> | ||
1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients | 1) On the OpenVPN server router, navigate to Services -> VPN -> OpenVPN, Press "Edit" on the server, scroll down and add TLS clients | ||
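Review bot: "Remote network netmask - 255.255.255.224" completes the value that was truncated in the old revision ("255.255.255."), giving 10.0.0.0/27, which is consistent with the 10.0.0.6 endpoint used in the later route command. Two style points in this hunk: step 4's 'Press "Save & Apply"' is left unbolded while the same phrase was bolded in the server section above, and step 5 should read "as many clients as you need".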
Line 80: | Line 81: | ||
Common name - common name of the certificate which was generated previously | Common name - common name of the certificate which was generated previously | ||
Virtual local endpoint - client’s local address in the virtual network | |||
Virtual remote endpoint - client’s remote address in the virtual network | Virtual local endpoint - client’s local address in the virtual network | ||
Virtual remote endpoint - client’s remote address in the virtual network | |||
Private network - client's LAN subnet | Private network - client's LAN subnet | ||
Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server | Covered network - Which LAN subnet should clients be able to communicate with in the OpenVPN server | ||
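Review bot: the "Virtual local endpoint" / "Virtual remote endpoint" pair shows as removed and re-added with identical text, so this hunk appears to be a whitespace or line-break change only; worth confirming that no stray blank line was introduced between the parameter descriptions. Minor: "Covered network - Which LAN subnet" should use lowercase "which".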
Line 88: | Line 93: | ||
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets | This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets | ||
1) Navigate to Network -> Firewall -> General settings -> Zones and set OpenVPN zone to forward traffic to LAN | 1) Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN | ||
[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]] | |||
This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets | This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets | ||
1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command | 1) Create a route to other client LAN networks using WebUI or CLI. To create route from client 1's LAN to client 2's LAN using CLI use this command | ||
ip route add 192.168.20.0/24 via 10.0.0.6 | ip route add 192.168.20.0/24 via 10.0.0.6 | ||
<h1>Controlling access with firewall</h1> | <h1>Controlling access with firewall</h1> | ||
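Review bot: the `ip route add 192.168.20.0/24 via 10.0.0.6` command in step 1 adds a runtime route that does not survive a reboot; since the step offers both WebUI and CLI, the text should say that the route has to be made persistent (for example through the WebUI route configuration) if it is meant to stay in place. Grammar in both explanatory sentences of this hunk: "want their LAN subnets to be accessible".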
Line 101: | Line 110: | ||
2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks | 2) Create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks | ||
[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]] | |||
Source interface - OpenVPN | Source interface - OpenVPN | ||
Line 109: | Line 121: | ||
Destination IP - other client OpenVPN remote endpoints and LAN subnets | Destination IP - other client OpenVPN remote endpoints and LAN subnets | ||
Action - Deny | |||
This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet | This rule will deny all traffic from Client 3 to other clients, but will not interact with traffic, if it's destination is OpenVPN server or it's LAN subnet |
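Review bot: with "Action - Deny" now added the rule description is complete, but the closing sentence has two grammar slips: "if it's destination" and "it's LAN subnet" should both be "its". Because the rule matches only the addresses listed under "Destination IP - other client OpenVPN remote endpoints and LAN subnets", the text should also note that this list has to be extended whenever a new client or LAN subnet is added, otherwise Client 3 can still reach the new network.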