OpenVPN Access Control
<p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.06.6'''] firmware version.</p>
=Introduction=
----
Normally, access between OpenVPN clients is controlled by enabling or disabling the '''Client to Client''' option in the OpenVPN server's configuration. With the option enabled, the OpenVPN process forwards traffic between clients internally, so the router's firewall never sees that traffic and cannot filter it; with it disabled, every packet from one client to another is routed through the server's kernel and can be filtered like any other forwarded traffic. At times more granular control than on/off is required, and that is what this page sets up. In this example, we will configure an OpenVPN server with 3 clients:


<ul>
<li> Client 1 will be able to communicate with Client 2 and the OpenVPN server</li>
<li> Client 2 will be able to communicate with Client 1 and the OpenVPN server</li>
<li> Client 3 will only be able to communicate with the OpenVPN server, and not with any other client</li>
</ul>


=Topology=
----
[[File:OpenVPN Topology v1.png|border|center|class=tlt-border]]




</ul>


=Generating certificates for an OpenVPN server=
----
Navigate to '''System -> Administration -> Certificates'''

&emsp; 1. Generate 2 certificates. The recommended key size is at least '''2048 bits''' for security reasons:

&emsp;&emsp; 1.1. CA

&emsp;&emsp; 1.2. Server

&emsp; 2. In Certificate Manager, download the Server certificate

The CA key generated here signs every server and client certificate: anyone who obtains it can issue a certificate that the server will accept, so protect it and do not copy it to the clients.


Certificates can be generated in several ways; you can follow this tutorial instead:
[[How to generate TLS certificates (Windows)?]]

[[File:Certificate download v3.png|none|border|left|class=tlt-border]]


For each OpenVPN client, generate a "Client" certificate, download the certificate and key, and deliver them to that client over a trusted channel. Every client needs its own certificate: the TLS client entries further down are matched on the certificate's common name, so two devices sharing one certificate would be indistinguishable to the server.
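For readers who prefer to build the PKI outside the router, here is an openssl-based equivalent, added as an example for this page (it is not the router's certificate generator and not part of the original tutorial). It assumes RSA 2048-bit keys, a 10-year CA, 2-year server and client certificates, the common names server, client1, client2 and client3, and a throwaway working directory. What it adds over a bare `openssl req` is the extended key usage split: server certificates are marked serverAuth and client certificates clientAuth, so a client can enforce remote-cert-tls server and a stolen client certificate cannot be replayed as a fake server.

```shell
#!/bin/sh
# Added example (not the router's certificate generator): a minimal offline PKI
# built with openssl for the topology above. Assumptions: RSA 2048-bit keys,
# a 10-year CA, 2-year server/client certificates, and the common names
# server, client1, client2 and client3. Run in a throwaway directory.

# write_cnf: a tiny openssl config so the commands below do not depend on
# the system openssl.cnf, plus the extension files for the two leaf types.
write_cnf() {
    cat >pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = OpenVPN Example CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Server and client certificates get different extended key usages, so a
    # client can require "remote-cert-tls server" and a leaked client
    # certificate cannot be replayed as a fake server.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' >server.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >client.ext
}

# issue NAME EXTFILE: private key and CSR, then a CA-signed certificate.
issue() {
    openssl req -new -config pki.cnf -subj "/CN=$1" -newkey rsa:2048 -nodes \
        -sha256 -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 730 -sha256 -extfile "$2" -out "$1.crt" 2>/dev/null &&
    rm -f "$1.csr"
}

# make_pki OUTDIR: the CA, one server certificate and three client certificates.
# ca.key is the only long-term secret: whoever holds it can mint a client the
# server will accept, so keep it off the VPN devices.
make_pki() {
    mkdir -p "$1" && (
        cd "$1" &&
        write_cnf &&
        openssl req -x509 -config pki.cnf -extensions ca_ext -subj '/CN=OpenVPN Example CA' \
            -newkey rsa:2048 -nodes -days 3650 -sha256 -keyout ca.key -out ca.crt 2>/dev/null &&
        issue server server.ext &&
        issue client1 client.ext &&
        issue client2 client.ext &&
        issue client3 client.ext
    )
}

# cert_is_for PKIDIR PURPOSE NAME: does NAME.crt chain to the CA and carry the
# key usages for PURPOSE (sslserver or sslclient)? This is close to the check
# an OpenVPN client performs when remote-cert-tls server is set.
cert_is_for() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$2" "$1/$3.crt" >/dev/null 2>&1
}
```

Run `make_pki /tmp/vpn-pki`, then load ca.crt, server.crt and server.key on the server router and hand each client its ca.crt, clientN.crt and clientN.key. cert_is_for is the check worth keeping around: a server certificate that verifies for sslclient, or a client certificate that verifies for sslserver, means the extended key usage split is missing and remote-cert-tls server gives no protection.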


=Creating an OpenVPN server=
----

Connect to the WebUI and enable Advanced mode

[[File:Networking rutos manual webui basic advanced mode 75.gif|none|thumb|alt=|1000x1000px]]

Navigate to '''Services -> VPN -> OpenVPN'''

&emsp; 1. Add a new OpenVPN instance with a Server role

&emsp; 2. Create an OpenVPN server with these settings

[[File:OpenVPN server settings v3.png|none|thumb|alt=|1000x1000px]]

&emsp;&emsp; 1) Client to client – disabled (this is what lets the firewall rules further down see and filter traffic between clients)

&emsp;&emsp; 2) Virtual network IP address – 10.0.0.0

&emsp;&emsp; 3) Virtual network netmask – 255.255.255.224 (a /27)

&emsp;&emsp; 4) Certificate files from device – on

&emsp; 3. Press '''"Save & Apply"''', enable the OpenVPN server and check that the server is online

[[File:OpenVPN server is online v2.png|none|border|left|class=tlt-border]]

=Connecting clients to the OpenVPN server=
----

Navigate to '''Services -> VPN -> OpenVPN'''

&emsp; 1. Add a new OpenVPN instance with a Client role

&emsp; 2. Create an OpenVPN client with these settings

[[File:OpenVPN Client1 v3.png|none|border|center|class=tlt-border]]

&emsp;&emsp; 1) Remote host/IP address - public IP of the OpenVPN server's router

&emsp;&emsp; 2) Remote network IP address - 10.0.0.0

&emsp;&emsp; 3) Remote network netmask - 255.255.255.224

&emsp;&emsp; 4) Add the certificates from the OpenVPN server - the Certificate Authority, and the Client certificate and Client key downloaded in the certificate generation step

&emsp; 3. Press '''"Save & Apply"''', enable the OpenVPN client and check that the connection is established

[[File:OpenVPN Client1 connected v2.png|none|border|left|class=tlt-border]]

Repeat these steps for as many clients as you need. For this example, we will have 3 clients.


=Client to Client LAN network communication=
----
==TLS Clients==
----

&emsp; 1. On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', press "'''Edit'''" on the server, scroll down and add TLS clients

Add an entry for every client whose LAN subnet should be reachable through the VPN; in our case, we add all 3 clients. Each entry is matched against the common name of that client's certificate, so the names must match exactly.
<li>Covered network - the LAN subnet behind this client (for example 192.168.30.0/24 for Client 3); the OpenVPN server routes that subnet into this client's tunnel, and it is also the subnet the other clients' routes and the firewall rules below refer to</li>
</ul>
==Firewall Zones==
----

This step should be done on the OpenVPN server and on every client whose LAN subnet should be reachable, or that should reach the other clients' LAN subnets

&emsp; Navigate to '''Network -> Firewall -> General settings -> Zones''' and set the OpenVPN zone to forward traffic to LAN

[[File:OpenVPN to LAN zone forward.png|none|thumb|alt=|1000x1000px]]

On the server, traffic between two clients enters and leaves through the same OpenVPN zone, so it is governed by that zone's own forward policy and by the traffic rules added in the "Controlling access with firewall" section, not by this OpenVPN to LAN forwarding.




==Routes to LAN subnets==
----

Create routes to the other clients' LAN networks using the WebUI. This step should be done on all <b>clients</b> whose LAN subnets should be reachable, or that should reach the other clients' LAN subnets

&emsp; 1. Navigate to '''Services -> VPN -> OpenVPN''', press '''"Edit"''' on the OpenVPN client and add routes to the other clients' LAN subnets. In this image, we are editing Client 1's configuration to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.

[[File:OpenVPN client routes.png|none|thumb|alt=|1000x1000px]]

Routes only tell a client where to send packets; whether they arrive is decided by the firewall on the server. That is why Client 3 can keep the same routes as the others and still be isolated in the next section.
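The server, per-client and client settings from the last four sections, written out as plain OpenVPN 2.x configuration files, as an added example for this page rather than configuration exported from the router. Assumptions not in the original: certificates under pki/ relative to the configuration directory, client common names client1, client2 and client3, tunnel addresses pinned to 10.0.0.2, .3 and .4, and a server LAN of 192.168.5.0/24 (192.168.5.114 is the server-side host in the tests further down). The per-client files push the routes that the page adds by hand on each client, and the server file is where the Client to Client setting shows up: the directive is simply absent.

```shell
#!/bin/sh
# Added example, not configuration exported from the router: the settings
# chosen in the WebUI above, written as plain OpenVPN 2.x configuration files
# for the server and for Client 1. Assumptions: certificates and keys sit
# under pki/ relative to the config directory, the client certificates carry
# the common names client1, client2 and client3, the server's own LAN is
# 192.168.5.0/24, and the clients are pinned to 10.0.0.2, .3 and .4.

# write_ccd NAME TUNNEL_IP OWN_LAN OTHER_LAN OTHER_LAN: one per-client file.
# The file name must equal the client certificate's CN (the WebUI's TLS
# clients entry). iroute tells the server which client owns a LAN; the pushed
# routes replace the routes added by hand on each client in the section above.
# ifconfig-push pins the tunnel address so firewall rules keyed on it keep
# matching across reconnects.
write_ccd() {
    {
        printf 'ifconfig-push %s 255.255.255.224\n' "$2"
        printf 'iroute %s 255.255.255.0\n' "$3"
        printf 'push "route %s 255.255.255.0"\n' "$4"
        printf 'push "route %s 255.255.255.0"\n' "$5"
    } >"ccd/$1"
}

# render_openvpn_configs OUTDIR: writes server.conf, ccd/ and client1.conf.
render_openvpn_configs() {
    mkdir -p "$1/ccd" && (
        cd "$1" || exit 1
        # "Client to client" disabled == the client-to-client directive is
        # absent. With it present OpenVPN would switch packets between clients
        # inside the daemon and the router's firewall would never see them.
        cat >server.conf <<'EOF'
port 1194
proto udp
dev tun
# Virtual network 10.0.0.0/27, one address per client
topology subnet
server 10.0.0.0 255.255.255.224
ca pki/ca.crt
cert pki/server.crt
key pki/server.key
# ECDHE only (OpenVPN 2.4+), so no DH parameter file is needed
dh none
# Per-client settings (TLS clients); refuse any client without a file,
# which also means no client ever takes a pool address that could collide
# with a pinned one
client-config-dir ccd
ccd-exclusive
# Kernel routes into the tunnel for every "Covered network"
route 192.168.10.0 255.255.255.0
route 192.168.20.0 255.255.255.0
route 192.168.30.0 255.255.255.0
# Server LAN, reachable by all three clients
push "route 192.168.5.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
        write_ccd client1 10.0.0.2 192.168.10.0 192.168.20.0 192.168.30.0
        write_ccd client2 10.0.0.3 192.168.20.0 192.168.10.0 192.168.30.0
        write_ccd client3 10.0.0.4 192.168.30.0 192.168.10.0 192.168.20.0
        # Client 1; the other clients differ only in their certificate files.
        # SERVER_PUBLIC_IP is a placeholder for the server router's public IP.
        cat >client1.conf <<'EOF'
client
dev tun
proto udp
remote SERVER_PUBLIC_IP 1194
ca pki/ca.crt
cert pki/client1.crt
key pki/client1.key
# Only accept a peer whose certificate is marked for TLS server use
remote-cert-tls server
persist-key
persist-tun
verb 3
EOF
    )
}

# server_is_firewallable CONF: true unless client-to-client is enabled, i.e.
# unless inter-client traffic would bypass the kernel firewall.
server_is_firewallable() {
    ! grep -qE '^[[:space:]]*client-to-client' "$1"
}
```

render_openvpn_configs writes the files into a directory of your choice; server_is_firewallable is the check to run on any server configuration before trusting per-client firewall rules, since a single stray client-to-client line silently bypasses all of them.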


=Controlling access with firewall=
----

Navigate to '''Network -> Firewall -> Access Control''' and create a new deny rule. In this example, we are denying Client 3 from accessing any other clients and their LAN networks. The rule belongs on the OpenVPN server router: with Client to Client disabled, that is the one place every packet between two clients is forwarded, so a rule there cannot be bypassed by the clients.

Three details decide whether the rule actually holds:

<ul>
<li>Match on Client 3's LAN subnet (192.168.30.0/24) as well as its tunnel address. The server assigns tunnel addresses from its pool, so a rule keyed only on the address Client 3 has today can stop matching after a reconnect unless that address is pinned.</li>
<li>Add the mirror rule (the other clients and their LANs as source, Client 3 as destination) as well. The firewall accepts packets that belong to an already established connection before it evaluates traffic rules, so a rule naming only Client 3 as the source stops connections Client 3 opens, but not connections another client opens towards Client 3; the tests below expect both directions to fail.</li>
<li>Let the rule cover all protocols, not just ICMP, or the ping tests will pass while TCP and UDP still get through.</li>
</ul>

[[File:Deny Client3 rule.png|none|thumb|alt=|1000x1000px]]
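The same deny policy from the command line, as an added example for this page (the WebUI rule in the screenshot above is the supported way; this is not configuration taken from the router). It uses the OpenWrt firewall configuration model that RUTOS is built on, and assumes the zone holding the tunnel interface is named openvpn and that the clients keep fixed tunnel addresses (Client 1 10.0.0.2, Client 2 10.0.0.3, Client 3 10.0.0.4); the LAN subnets are those of the topology. It also spells out why one rule is not enough.

```shell
#!/bin/sh
# Added example, not configuration taken from the router: the "deny Client 3"
# policy as OpenWrt-style firewall traffic rules entered with uci (RUTOS uses
# the OpenWrt firewall model). Assumptions: the zone holding the tun interface
# is named "openvpn", and the clients keep fixed tunnel addresses
# (Client 1 10.0.0.2, Client 2 10.0.0.3, Client 3 10.0.0.4).
CLIENT3_NETS='10.0.0.4 192.168.30.0/24'
OTHER_CLIENT_NETS='10.0.0.2 10.0.0.3 192.168.10.0/24 192.168.20.0/24'

# add_deny_rule NAME "SRC NETS" "DST NETS": one forward rule, openvpn -> openvpn.
# Listing the LAN subnet next to the tunnel address keeps the rule effective
# even if a client comes back with a different tunnel address. DROP makes
# blocked probes time out instead of answering with an ICMP error.
add_deny_rule() {
    uci add firewall rule
    uci set "firewall.@rule[-1].name=$1"
    uci set "firewall.@rule[-1].src=openvpn"
    uci set "firewall.@rule[-1].dest=openvpn"
    uci set "firewall.@rule[-1].proto=all"
    uci set "firewall.@rule[-1].target=DROP"
    for net in $2; do uci add_list "firewall.@rule[-1].src_ip=$net"; done
    for net in $3; do uci add_list "firewall.@rule[-1].dest_ip=$net"; done
}

# build_client3_isolation: two rules, one per direction. The forward chain
# accepts packets of established connections before it reaches these rules,
# so a single rule with Client 3 as source would still let Client 1 open a
# connection to Client 3 and get the replies back. The mirror rule closes that.
build_client3_isolation() {
    add_deny_rule 'Deny Client3 to other clients' "$CLIENT3_NETS" "$OTHER_CLIENT_NETS" &&
    add_deny_rule 'Deny other clients to Client3' "$OTHER_CLIENT_NETS" "$CLIENT3_NETS"
}

# On the router: sh deny-client3.sh apply
if [ "${1:-}" = apply ]; then
    build_client3_isolation && uci commit firewall && /etc/init.d/firewall reload
fi
```

Before running it with apply, confirm the zone name with `uci show firewall | grep name=` and adjust the openvpn literal if the tunnel interface lives in a differently named zone; a rule bound to a zone that does not contain the tun interface is accepted by uci and matches nothing.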


=Testing the setup=
----


Client 1 to Client 2

  Pinging 192.168.20.193 from 192.168.10.216 with 32 bytes of data:
Client 1 to Client 3

  Pinging 192.168.30.178 from 192.168.10.216 with 32 bytes of data:
  Request timed out.
Client 2 to Client 1

  Pinging 192.168.10.216 from 192.168.20.193 with 32 bytes of data:
  Reply from 192.168.10.216: bytes=32 time=185ms TTL=125
Client 2 to Client 3

  Pinging 192.168.30.178 from 192.168.20.193 with 32 bytes of data:
  Request timed out.
Client 3 to Client 1

  Pinging 192.168.10.216 from 192.168.30.178 with 32 bytes of data:
  Request timed out.
Client 3 to Client 2

  Pinging 192.168.20.193 from 192.168.30.178 with 32 bytes of data:
  Request timed out.
  Reply from 192.168.5.114: bytes=32 time=81ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=107ms TTL=62
   
  Pinging 192.168.20.193 from 192.168.5.114 with 32 bytes of data:
  Reply from 192.168.5.114: bytes=32 time=132ms TTL=62
  Reply from 192.168.5.114: bytes=32 time=232ms TTL=62
   
  Pinging 192.168.30.178 from 192.168.5.114 with 32 bytes of data:
<br>
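A repeatable version of the ping matrix above, as an added example for this page (it is not part of the original tutorial): run it on each LAN host from the tests and it reports every pair whose reachability differs from the intended policy. The expected results are those of the tests above; 192.168.5.114 is taken to be the host on the server's LAN, and the probe is a plain ping that you can replace if ICMP is filtered on the LANs.

```shell
#!/bin/sh
# Added example: a repeatable check of the access policy, meant to be run on
# each LAN host from the tests above, e.g. "sh check-policy.sh 192.168.30.178".
# The table encodes the intended results for the hosts shown in the tests;
# 192.168.5.114 is taken to be the host on the server's own LAN.
#
# Rows: "<source host> <destination host> <expected>", expected = reach|block
POLICY='
192.168.10.216 192.168.20.193 reach
192.168.10.216 192.168.30.178 block
192.168.20.193 192.168.10.216 reach
192.168.20.193 192.168.30.178 block
192.168.30.178 192.168.10.216 block
192.168.30.178 192.168.20.193 block
192.168.5.114  192.168.20.193 reach
192.168.5.114  192.168.30.178 reach
'

# probe SRC DST: 0 if DST answers an echo request sent from SRC's address.
# Replace the body if ICMP is filtered (e.g. with a TCP connect to a known port).
probe() {
    ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# verify_policy MY_ADDR: probe every destination listed for this host, print
# one line per pair and return the number of pairs that contradict the policy
# (255 when the address has no rows, so a typo is not mistaken for success).
verify_policy() {
    me=$1; bad=0; checked=0
    while read -r src dst want; do
        [ -n "$src" ] && [ "$src" = "$me" ] || continue
        checked=$((checked + 1))
        if probe "$me" "$dst"; then got=reach; else got=block; fi
        if [ "$got" = "$want" ]; then
            verdict=ok
        else
            verdict=MISMATCH; bad=$((bad + 1))
        fi
        printf '%s -> %s  expected %-5s got %-5s %s\n' "$me" "$dst" "$want" "$got" "$verdict"
    done <<EOF
$POLICY
EOF
    if [ "$checked" -eq 0 ]; then
        echo "no policy rows for $me" >&2
        return 255
    fi
    return "$bad"
}

if [ -n "${1:-}" ]; then
    verify_policy "$1"
fi
```

The exit status is the number of mismatches, so the script can run from cron or after every firewall change; a leaked path such as Client 3 suddenly reaching Client 1 shows up as a MISMATCH line and a non-zero exit, which is exactly the regression a later "convenience" rule tends to introduce.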


=See also=
----
 
<ul>
<li>[[OpenVPN_configuration_examples_RUT_R_00.07]]</li>




=External links=
----


https://openvpn.net/index.php/open-source/documentation/howto.html - the OpenVPN HOWTO, with additional information on OpenVPN