Changes

m
no edit summary
Line 10: Line 10:  
#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
 
#<li> Client 3 will only be able to communicate with OpenVPN server, but not with any of other clients</li>
 
</ul>
 
</ul>
 +
 +
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
 +
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
 
=Topology=
 
=Topology=
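Review bot: The added sentence "If You have trouble seeing any of the settings, be sure to enable Advanced mode" now sits directly after the closing </ul> and immediately before =Topology=, with no heading or lead-in of its own, so it reads as a continuation of the list of client restrictions. Give it its own short heading or introduce it as a note. Also lower-case "You" and end the sentence with a full stop.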
   Line 21: Line 24:  
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
 
<li> Client 3 VPN tunnel address - 10.0.0.14, LAN device address - 192.168.30.178</li>
 
</ul>
 
</ul>
=Advanced mode=
  −
  −
If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''"
  −
[[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]]
   
=Generating certificates for an OpenVPN server=
 
=Generating certificates for an OpenVPN server=
   Line 31: Line 30:  
Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:
 
Generate 2 certificates. Recommended key size is at least '''2048 bits''' for security reasons:
   −
&emsp;1 CA
+
&emsp;1. CA
    
&emsp;2. Server
 
&emsp;2. Server
    
In Certificate Manager download Server certificate.
 
In Certificate Manager download Server certificate.
 +
 +
[[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]]
 +
 +
For any OpenVPN clients, You will need to generate “'''Client'''” certificates, download the certificate and key, and send them to the client
    
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
 
There are multiple methods of how certificates could be generated, you could follow this tutorial instead:
 
[[How to generate TLS certificates (Windows)?]]
 
[[How to generate TLS certificates (Windows)?]]
  −
[[File:Certificate download v4.png|none|border|left|class=tlt-border|1100x1100px]]
  −
  −
For any OpenVPN clients, You will need to generate “Client” certificates, download the certificate and key, and send them to the client
   
=Creating an OpenVPN server=
 
=Creating an OpenVPN server=
   −
Navigate to '''Services -> VPN -> OpenVPN''', Add a new OpenVPN instance with a '''Server role''' with these settings:
+
Navigate to '''Services -> VPN -> OpenVPN'''. Add a new OpenVPN instance with a '''Server role''' with these settings:
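Review bot: The relocated sentence on client certificates tells the reader to "download the certificate and key, and send them to the client" without saying how the key should travel. That key is the client's private key, so the sentence should state that it is handed over through a protected channel and not forwarded in plain text. Separately, the opening line still reads "Generate 2 certificates" (CA and Server) while the same section now requires client certificates as well, so the count and the numbered list should be brought in line with the sentence that follows them.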
      Line 85: Line 84:  
==TLS Clients==
 
==TLS Clients==
   −
On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add TLS clients and add clients which LAN address You want to have access to, in our case, we add all 3 clients:
+
On the OpenVPN server router, navigate to '''Services -> VPN -> OpenVPN''', Press "'''Edit'''" on the server, scroll down and add '''TLS clients''' which LAN address You want to have access to, in our case, we add all 3 clients:
 
===TLS Client 1===
 
===TLS Client 1===
 
----
 
----
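Review bot: The reworded sentence "add TLS clients which LAN address You want to have access to" is still ungrammatical and leaves it unclear whose LAN is meant. Something like "add a TLS client entry for each client whose LAN subnet should be reachable" would say it directly. "Press" after the comma should be lower-case or start a new sentence, as was done for the matching sentence under =Creating an OpenVPN server=.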
Line 105: Line 104:  
==Firewall Zones==
 
==Firewall Zones==
   −
This step should be done on OpenVPN server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets.
+
This step should be done on OpenVPN '''server and all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.
    
Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
 
Navigate to '''Network -> Firewall -> General settings -> Zones''' and set OpenVPN zone to forward traffic to LAN.
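Review bot: The sentence that received the bolding, "server and all clients that want their LAN subnets be accessible and to access other client's LAN subnets", is missing "to" before "be accessible" and should read "other clients' LAN subnets". Since the instruction that follows sets the OpenVPN zone to forward traffic to LAN as a whole, it would also help to say in one sentence that a router which should not expose its LAN skips this step, because the text as written gives no narrower option.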
Line 112: Line 111:  
==Routes to LAN subnets==
 
==Routes to LAN subnets==
   −
Create a route to other client LAN networks using WebUI. This step should be done on all <b>clients</b> that want their LAN subnets be accessible and to access other client's LAN subnets.
+
Create a route to other client LAN networks using WebUI. This step should be done on '''all clients''' that want their LAN subnets be accessible and to access other client's LAN subnets.
       
Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
 
Navigate to '''Services -> VPN -> OpenVPN''' press '''"Edit"''' on the OpenVPN client and add routes to other client LAN subnets. In this image, we are editing Client 1's configuration's extra options, to add routes to <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> LAN subnets.
 +
 +
(In some cases, pushing routes to LAN addresses from the OpenVPN server to clients, breaks routing on the clients, so doing it from the client side is safer, but more time consuming)
    
[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
 
[[File:OpenVPN client routes v2.png|none|border|left|class=tlt-border]]
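Review bot: The added parenthetical "In some cases, pushing routes to LAN addresses from the OpenVPN server to clients, breaks routing on the clients" does not say which cases, so a reader cannot tell whether it applies to them. Name the condition if it is known, or phrase it as a recommendation without the unexplained claim. The comma between "clients" and "breaks" separates the subject from its verb and should go, and the sentence needs a closing full stop. The hunk also converts <b>clients</b> to wiki bold in the first paragraph but leaves <b>Client 2's (192.168.20.0/24)</b> and <b>Client 3's (192.168.30.0/24)</b> in HTML in the next one, so the markup is now mixed within the same section.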
