Jump to content
  • EN

OpenVPN configuration examples: Difference between revisions

OpenVPN configuration examples (view source)

Revision as of 13:54, 24 October 2024

8,425 bytes added ,  24 October
no edit summary
VisualWikitext
m (Justas.Cip moved page OpenVPN configuration examples RUT R 00.07 to OpenVPN configuration examples without leaving a redirect)
No edit summary
 
Line 44: Line 44:
Before you continue you'll have to obtain the necessary certificates and keys. When you use a third-party OpenVPN service, they should provide you with their certificates and even configuration files.
Before you continue you'll have to obtain the necessary certificates and keys. When you use a third-party OpenVPN service, they should provide you with their certificates and even configuration files.


If you're creating your server, you'll have to generate these files yourself. To get detailed instructions on how to generate TLS certificates and keys check out our article on the topic of '''[[How to generate TLS certificates (Windows)?|Windows TLS certificate generation]]'''.
If you're creating your server, you'll have to generate these files yourself. The most simple way to generate certificates is by navigating '''[[RUTX50_Administration#Certificate_Generation|System → Administration → Certificates]]''' on WebUI and pressing the '''Generate''' button.
 
After devices has finished generating all the files, you can download them by navigating to
'''[[RUTX50_Administration#Certificate_Import|System → Administration → Certificates → Certificates Manager]]''' and pressing the '''Export''' button next to the required files.
 
To get detailed instructions on how to generate TLS certificates and keys on other platforms check out our article on the topic of '''[[How to generate TLS certificates (Windows)?|Windows TLS certificate generation]]'''.


===Configuration===
===Configuration===
----
----
Now we can start configuring OpenVPN Server and Client instances. For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and TLS for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.226.191.61''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.2.1'''); that will be connected into virtual network (with the virtual address: '''10.0.0.0'''):
Now we can start configuring OpenVPN Server and Client instances. For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and TLS for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.***.***.***''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.2.1'''); that will be connected into virtual network (with the virtual address: '''172.16.1.0''')
 
====OpenVPN Server configuration====
----
 
Start by configuring OpenVPN Server on '''RUT1''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''', enter any name and select role as '''Server'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:Openvpn server tunnel mode configuration rev1.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>


[[File:Networking rut configuration openvpn configuration.png|alt=|border|class=tlt-border|1100px]]
# '''Enable''' the instance
# Select '''Tunnel''' mode
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''TLS''' authentication
# Set '''Keep alive''' period
# Set virtual network '''IP address'''
# Set virtual network '''Netmask'''
# If you generated certificates on the device, turn this option '''ON'''
# Select '''Certificate authority'''
# Select '''Server certificate'''
# Select '''Server key'''
# Select '''Diffie Hellman''' parameters
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>


To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Another important aspect is the '''Virtual network IP address''' (10.0.0.0 in this case). The Server and the connected Clients will be given IP addresses that belong to this network. If you're creating an exceptionally large network, you might want to change the '''Virtual network netmask'''.
====OpenVPN Client configuration====
----
Next, configure OpenVPN Client on '''RUT2''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''', enter any name and select role as '''Client'''. After pressing the '''Add button''', make the following changes:


From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.226.191.61 in this case). This is the Server's Public IP address, not the virtual IP address.
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
 
[[File:Openvpn client tunnel mode configuration rev2.png|border|class=tlt-border]]</th>
 
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# '''Enable''' the instance
# Select '''Tunnel''' mode
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''TLS''' authentication
# Enter '''Public IP''' address of the '''Server''' (WAN IP of RUT1)
# Set '''Keep alive''' period
# Enter server network '''IP address''' (If you wish to access it)
# Enter server network '''Netmask'''
# Select '''Certificate authority'''
# Select '''Client certificate'''
# Select '''Client key'''
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>
 
To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Another important aspect is the '''Virtual network IP address''' (172.16.1.0 in this case). The Server and the connected Clients will be given IP addresses that belong to this network. If you're creating an exceptionally large network, you might want to change the '''Virtual network netmask'''.
 
From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.***.***.*** in this case). This is the Server's Public IP address, not the virtual IP address.


==Static key Authentication==
==Static key Authentication==
Line 66: Line 136:
====Within the router====
====Within the router====
----
----
In order to generate a Static key within the router connect to the device via the '''[[CLI|Command Line Interface]]''' ('''[[CLI]]''') or '''SSH''' (the default username is '''root''', the password is your router's admin password, '''admin01''' by default). CLI can be found in the router's WebUI, under Services. To connect to the router via SSH, use the Terminal app (type ssh '''[email protected]'''; replace 192.168.1.1 with your router's LAN IP address) if you're using a Linux-based OS. Or download '''PuTTY''', a free SSH and telnet client, if you're using Windows.
In order to generate a Static key within the router connect to the device via the '''[[CLI|Command Line Interface]]''' ('''[[CLI]]''') or '''SSH''' (the default username is '''root''', the password is your router's admin password that you use to login to router's WEB UI). CLI can be found in the router's WebUI, under Services. To connect to the router via SSH, use the Terminal app (type ssh '''[email protected]'''; replace 192.168.1.1 with your router's LAN IP address) if you're using a Linux-based OS. Or download '''PuTTY''', a free SSH and telnet client, if you're using Windows.


When you have connected to the router, relocate to the directory (for example, '''cd /etc/easy-rsa/keys/''') where you want to store your Static key and use this command:
When you have connected to the router, relocate to the directory (for example, '''cd /etc/''') where you want to store your Static key and use this command:


  # openvpn --genkey --secret static.key
  # openvpn --genkey secret static.key


The newly generated Static key will appear in the same directory where you issued the command above.
The newly generated Static key will appear in the same directory where you issued the command above.
Line 78: Line 148:
If you are using a Linux-based OS, extracting files from the router is simple. Just go to the directory on your PC where you want to relocate the files, right click anywhere and choose the '''Open in Terminal''' option. In the Terminal command line use the '''Secure Copy''' ('''scp''') command to copy the files from the router. The full command should look something like this:
If you are using a Linux-based OS, extracting files from the router is simple. Just go to the directory on your PC where you want to relocate the files, right click anywhere and choose the '''Open in Terminal''' option. In the Terminal command line use the '''Secure Copy''' ('''scp''') command to copy the files from the router. The full command should look something like this:


  $ scp [email protected]:/etc/easy-rsa/keys/static.key ./
  $ scp [email protected]:/etc/static.key ./


The '''[email protected]:/etc/easy-rsa/keys/static.key''' specifies the path to where the Static key is located (replace the IP address with your router's LAN IP); the '''./''' denotes that you want to copy the contents to the directory you are in at the moment.
The '''[email protected]:/etc/static.key''' specifies the path to where the Static key is located (replace the IP address with your router's LAN IP); the '''./''' denotes that you want to copy the contents to the directory you are in at the moment.


If you are using Windows, you can copy files from the router using '''WinSCP''', an Open source freeware SFTP, SCP, and FTP client for Windows OS. Use the same login information with WinSCP as with CLI or SSH. Once you've connected to the router with WinSCP, copying the files should be simple enough: just relocate to the directory where you generated the key, select the Static key file and drag it to a directory on your PC where you would like to store it.
If you are using Windows, you can copy files from the router using '''WinSCP''', an Open source freeware SFTP, SCP, and FTP client for Windows OS. Use the same login information with WinSCP as with CLI or SSH. Once you've connected to the router with WinSCP, copying the files should be simple enough: just relocate to the directory where you generated the key, select the Static key file and drag it to a directory on your PC where you would like to store it.
Line 90: Line 160:
To generate a Static key on a Linux PC, go to the directory where you want the key to appear, right-click anywhere in that directory, and chose the option '''Open in Terminal'''. In the Terminal window execute this command:
To generate a Static key on a Linux PC, go to the directory where you want the key to appear, right-click anywhere in that directory, and chose the option '''Open in Terminal'''. In the Terminal window execute this command:


  $ openvpn --genkey --secret static.key
  $ openvpn --genkey secret static.key


The newly generated key should then appear in the directory you were in.
The newly generated key should then appear in the directory you were in.


===Configuration===
===Configuration===
----
----
When you have a Static key, you can start configuring OpenVPN Server and Client instances. For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and Static key for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.226.191.61''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.2.1'''); the two routers will be connected via OpenVPN; the Server's Virtual IP address will be '''10.0.0.1'''; the Client's - '''10.0.0.2''':
When you have a Static key, you can start configuring OpenVPN Server and Client instances. For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and Static key for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.***.***.***''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.2.1'''); the two routers will be connected via OpenVPN; the Server's Virtual IP address will be '''172.16.0.1'''; the Client's - '''172.16.0.2''':
 
====Server configuration====
----
 
Start by configuring OpenVPN Server on '''RUT1''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''' enter any name and select role as '''Server'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=440; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:VPN server static key rev1.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# '''Enable''' the instance
# Select '''Tunnel''' mode
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''Static key'''
# Set '''Local''' tunnel endpoint IP (virtual IP of '''RUT1''')
# Set '''Remote''' tunnel endpoint IP (virtual IP of '''RUT2''')
# Set '''Remote''' network IP address (LAN network of '''RUT2''')
# Set remote network '''Netmask'''
# Select '''Static key'''
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>
 
====Client configuration====
----
Next, configure OpenVPN Client on '''RUT2''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''', enter any name and select role as '''Client'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=440; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:VPN client static key rev1.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# '''Enable''' the instance
# Select '''Tunnel''' mode
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''Static key'''
# Enter '''Public IP address''' of server (WAN IP of '''RUT1''')
# Set '''Local tunnel endpoint IP''' (virtual IP of '''RUT2''')
# Set '''Remote tunnel endpoint IP''' (virtual IP of '''RUT1''')
# Set '''Remote network IP address''' (LAN network of '''RUT1''')
# Set remote network '''Netmask'''
# Select '''Static key'''
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>


[[File:Networking rut configuration openvpn instances static v1.png|alt=|border|class=tlt-border|1100px]]


To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Other important aspects are the '''Local tunnel endpoint IP''' and the '''Remote tunnel endpoint IP'''. Take note these two particular parameter values are reversed for the individual Client and the Server configurations since these values represent opposite things depending on the instance's perspective.
To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Other important aspects are the '''Local tunnel endpoint IP''' and the '''Remote tunnel endpoint IP'''. Take note these two particular parameter values are reversed for the individual Client and the Server configurations since these values represent opposite things depending on the instance's perspective.


From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.226.191.61 in this case). This is the Server's Public IP address, not the virtual IP address.
From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.***.***.*** in this case). This is the Server's Public IP address, not the virtual IP address.


==TAP (bridged) OpenVPN==
==TAP (bridged) OpenVPN==


This section provides a guide on how to configure a successful OpenVPN TAP (bridged) connection between an OpenVPN Client and Server on RUT routers.
This section provides a guide on how to configure a successful OpenVPN TAP (bridged) connection between an OpenVPN Client and Server on RUT routers.


===Configuration===
===Configuration===
----
----
TAP is used for creating a network bridge between Ethernet segments in different locations. For this example we will be creating a TAP (bridged) type connection that uses the UDP protocol for data transfer and TLS for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.226.191.61''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.1.2'''); the two routers will be connected via OpenVPN.
TAP is used for creating a network bridge between Ethernet segments in different locations. For this example we will be creating a TAP (bridged) type connection that uses the UDP protocol for data transfer and TLS for Authentication. We will be using two RUT routers: '''RUT1''' ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.***.***.***''') and '''RUT2''' ('''Client'''; LAN IP: '''192.168.1.2'''); the two routers will be connected via OpenVPN.
 
====Server configuration====
----
Start by configuring OpenVPN TAP Server on '''RUT1''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''', enter any name and select role as '''Server'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=440; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:VPN TAP server configuration rev1.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# '''Enable''' the instance
# Select '''TAP (bridged)''' mode
# Select '''Interface''' that you like to bridge
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''TLS''' authentication
# If you generated certificates on the device, turn this option '''ON'''
# Select '''Certificate authority'''
# Select '''Server certificate'''
# Select '''Server key'''
# Select '''Diffie Hellman''' parameters
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>
 
====Client configuration====
----
 
Next, configure OpenVPN TAP Client on '''RUT2''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''', enter any name and select role as '''Client'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=440; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:VPN TAP client configuration rev2.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
# '''Enable''' the instance
# Select '''TAP (bridged)''' mode
# Select '''Interface''' that you like to bridge
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''TLS''' authentication
# Enter '''Public IP''' address of server (WAN IP of '''RUT1''')
# Select '''Certificate authority'''
# Select '''Client certificate'''
# Select '''Client key'''
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>


[[File:Networking rut configuration openvpn tap configuration v1.png|alt=|border|class=tlt-border|1100px]]


To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Since the OpenVPN interface that comes up is bridged with the LAN interface, make sure the routers are in the '''same subnet''' (192.168.1.0 in this case). While making sure of that, don't forget that the routers can't have the same IP address, just the same subnet (for example, if both routers have the LAN IP 192.168.1.1, the connection won't work; if one has, for example, 192.168.1.1 and the other 192.168.1.100, then the connection will work).
To sum up, just make sure the Server and the Clients use the same parameters (same authentication, same port, same protocol, etc.). Since the OpenVPN interface that comes up is bridged with the LAN interface, make sure the routers are in the '''same subnet''' (192.168.1.0 in this case). While making sure of that, don't forget that the routers can't have the same IP address, just the same subnet (for example, if both routers have the LAN IP 192.168.1.1, the connection won't work; if one has, for example, 192.168.1.1 and the other 192.168.1.100, then the connection will work).
Line 118: Line 309:
For this example, we used TLS Authentication. If you want to use a different Authentication method, refer to the relevant section of this article. The authentication configuration will not be different because of the chosen OpenVPN type (TUN or TAP).
For this example, we used TLS Authentication. If you want to use a different Authentication method, refer to the relevant section of this article. The authentication configuration will not be different because of the chosen OpenVPN type (TUN or TAP).


From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.226.191.61 in this case). This is the Server's Public IP address, not the LAN IP address.
From the Client side, make sure to enter the correct '''Remote host/IP address''' (213.***.***.*** in this case). This is the Server's Public IP address, not the LAN IP address.


==Testing an OpenVPN connection==
==Testing an OpenVPN connection==


The most important thing after configuration is making sure that the newly established connection works. You can check the status of an OpenVPN connection on the '''Status Network → OpenVPN''' page:
The most important thing after configuration is making sure that the newly established connection works. You can check the status of an OpenVPN connection on the '''Services VPN → OpenVPN''' page:


'''Server side'''
'''Server side'''


[[File:Networking rutxxx configuration openvpn server v1.png|alt=|border|class=tlt-border|1100px]]
[[File:Server status rev3.png|border|class=tlt-border|1000px]]


'''Client side'''
'''Client side'''


[[File:Networking rut configuration openvpn client v1.png|alt=|border|class=tlt-border|1100px]]
[[File:VPN client tunnel status rev1.png|border|class=tlt-border|1000px]]
 
If you check the server - the status should be Active. If you check the client - the status should be Connected. The server should have active client and if you check logs, you should find line "Initialization Sequence Completed"
 
[[File:VPN logs.png|border|class=tlt-border]]


Another method of testing pinging the other instance's virtual or private IP address. You can send ping packets via CLI, SSH, or from the '''[[RUT955_Administration#Diagnostics|System → Administration → Troubleshoot → Diagnostics]]''' section of the router's WebUI:
Another method of testing pinging the other instance's virtual or private IP address. You can send ping packets via CLI, SSH, or from the '''[[RUT241_Maintenance#Diagnostics|System → Maintenance → Troubleshoot → Diagnostics]]''' section of the router's WebUI:


[[File:Networking rut configuration diagnostics ping v1.jpg|alt=|border|class=tlt-border]]
[[File:VPN troubleshoot ping rev3.png|alt=|border|class=tlt-border]]


Ping the Server's virtual/private IP address from the Client or vice versa. If the ping packets are transmitted successfully, congratulations, your OpenVPN connection is working.
Ping the Client's virtual IP address from the Server or vice versa. If the ping packets are transmitted successfully, congratulations, your OpenVPN connection is working.


==Additional configuration==
==Additional configuration==
Line 145: Line 340:
----
----
You may want your OpenVPN Clients to be able to reach devices that are in the Server device's private network (LAN) or vice versa. This section will provide directions on how to do that.
You may want your OpenVPN Clients to be able to reach devices that are in the Server device's private network (LAN) or vice versa. This section will provide directions on how to do that.


====Server from Client====
====Server from Client====
Line 152: Line 349:
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:


[[File:Networking rut configuration openvpn route v1.jpg|alt=|border|class=tlt-border]]
[[File:Openvpn client option network.png|alt=|border|class=tlt-border]]


As you can see, the two fields in question are '''Remote network IP address''' and '''Remote network IP netmask'''. The values placed in these fields specify the Server's LAN address and having them filled will automatically add the necessary route into the routing table when the OpenVPN connection goes up. However, if your OpenVPN Server has multiple Clients, you would need to do this for all of them. If that is the case, use this next method.
As you can see, the two fields in question are '''Remote network IP address''' and '''Remote network IP netmask'''. The values placed in these fields specify the Server's LAN address and having them filled will automatically add the necessary route into the routing table when the OpenVPN connection goes up. However, if your OpenVPN Server has multiple Clients, you would need to do this for all of them. If that is the case, use this next method.
Line 160: Line 357:
To accomplish this, go to OpenVPN Server's configuration window and locate the '''Push option''' field. Let's say that the Server's LAN IP address is 192.168.1.1. In this case use the line '''route 192.168.1.0 255.255.255.0'''
To accomplish this, go to OpenVPN Server's configuration window and locate the '''Push option''' field. Let's say that the Server's LAN IP address is 192.168.1.1. In this case use the line '''route 192.168.1.0 255.255.255.0'''


[[File:Networking rutxxx configuration ovpn push settings v1.jpg|alt=|border|class=tlt-border]]
[[File:VPN push option.png|alt=|border|class=tlt-border]]


Modify the information so that it reflects your own configuration. Do not specify the gateway, because the command will not work. The correct gateway will be assigned automatically.
Modify the information so that it reflects your own configuration. Do not specify the gateway, because the command will not work. The correct gateway will be assigned automatically.
Line 172: Line 369:
In other words, TLS Clients bind Common Names (found in Client certificates) to Clients' private networks. If the certificate hasn't been tampered with in any after generation, the Common name should be the same as the file name (without the file type extension). For example, a certificate called '''client1.crt''' will likely have the Common Name of '''client1'''. But just to be sure you can open the certificate and check:
In other words, TLS Clients bind Common Names (found in Client certificates) to Clients' private networks. If the certificate hasn't been tampered with in any after generation, the Common name should be the same as the file name (without the file type extension). For example, a certificate called '''client1.crt''' will likely have the Common Name of '''client1'''. But just to be sure you can open the certificate and check:


[[File:Checking common name.png|alt=|border|class=tlt-border]]
[[File:Checking common name rev2.png|alt=|border|class=tlt-border]]
 
Once you know the Common Names and LAN IP Addresses of your OpenVPN Clients, you can create TLS Clients instances for each of them. Navigate to  '''[[RUT241_VPN#OpenVPN|Services → VPN → OpenVPN]]''' and edit existing server configuration. Scroll down, and you will find TLS clients section.


Once you know the Common Names and LAN IP Addresses of your OpenVPN Clients, you can create TLS Clients instances for each of them:
Make the following changes:
# Enter Common name
# Edit the new client instance


[[File:Networking rut configuration openvpn tls clients v1.jpg|alt=|border|class=tlt-border|1100px]]
[[File:VPN TLS pre client.png|alt=|border|class=tlt-border]]


In addition, with TLS Clients you can manually assign Virtual local and remote endpoint addresses for the Clients. But these fields are not mandatory and the addresses will be assigned automatically if they are left unchecked.
In a pop-up window make the following changes:
#<li value="3">Enter Common name
# Enter the local VPN tunnel endpoint IP address of the client instance
# Enter the local VPN tunnel endpoint IP address of the client instance
# Enter private network of the client
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
 
[[File:TLS client addition no LAN rev1.png|alt=|border|class=tlt-border]]
 
Now you should be able to reach client's RUT2 private LAN network which is 192.168.2.0 from previous example.


====Client to Client====
====Client to Client====
Line 193: Line 403:


TLS Clients solves this issue because the configuration then "tells" the router not to push certain routes to certain Clients. For example, if a router pushes the route '''192.168.5.0 255.255.555.0''' to a Client whose LAN IP address is 192.168.5.1, that Client will not be able to reach its network. TLS Clients prevent this - if a Client, for example, has the LAN IP address of 192.168.5.1, he will not receive the ''route 192.168.5.0 255.255.555.0''.
TLS Clients solves this issue because the configuration then "tells" the router not to push certain routes to certain Clients. For example, if a router pushes the route '''192.168.5.0 255.255.555.0''' to a Client whose LAN IP address is 192.168.5.1, that Client will not be able to reach its network. TLS Clients prevent this - if a Client, for example, has the LAN IP address of 192.168.5.1, he will not receive the ''route 192.168.5.0 255.255.555.0''.


=====Push options=====
=====Push options=====
Line 210: Line 421:
The configuration should look something like this:
The configuration should look something like this:


[[File:Networking rut configuration openvpn push options v1.jpg|alt=|border|class=tlt-border]]
[[File:VPN Push option v2.png|alt=|border|class=tlt-border]]
 


=====Enable Client to Client=====
=====Enable Client to Client=====
Line 216: Line 428:
The next and final step is to enable the Client to Client functionality. To do this, go to the OpenVPN server's configuration window and put a checkmark at the '''Client to client''' option:
The next and final step is to enable the Client to Client functionality. To do this, go to the OpenVPN server's configuration window and put a checkmark at the '''Client to client''' option:


[[File:Networking rut configuration ovpn client to client v1.jpg|alt=|border|class=tlt-border]]
[[File:VPN client to client.png|alt=|border|class=tlt-border]]


If you did so and followed all of the previous steps in the section, your OpenVPN Clients should now be able to communicate with each other.
If you did so and followed all of the previous steps in the section, your OpenVPN Clients should now be able to communicate with each other.
Line 224: Line 436:
OpenVPN Servers can be used as Proxies by OpenVPN Clients. This means that the client will be assigned the Public IP address of the OpenVPN server and will be seen as using that IP address when browsing the Internet, transferring data or doing any other online activities. This section provides directions on how to set up an OpenVPN Proxy on RUT routers.
OpenVPN Servers can be used as Proxies by OpenVPN Clients. This means that the client will be assigned the Public IP address of the OpenVPN server and will be seen as using that IP address when browsing the Internet, transferring data or doing any other online activities. This section provides directions on how to set up an OpenVPN Proxy on RUT routers.


====Push options====
 
----
Configure Push options in the OpenVPN Server configuration that will change the Clients' default WAN route to OpenVPN and set the DNS server to the OpenVPN Server's LAN IP. To do so open the OpenVPN configuration window and add these options to the Push option field:
The first thing that you have to do is configure Push options in the OpenVPN Server configuration that will change the Clients' default WAN route to OpenVPN and set the DNS server to the OpenVPN Server's LAN IP. To do so open the OpenVPN configuration window and add these options to the Push option field:


  '''redirect-gateway def1'''
  '''redirect-gateway def1'''
Line 233: Line 444:
In this context, 192.168.1.1 is the OpenVPN Server's LAN IP address. Replace this value with your own Server's LAN IP address.  
In this context, 192.168.1.1 is the OpenVPN Server's LAN IP address. Replace this value with your own Server's LAN IP address.  


====Firewall Zone Forwarding====
After saving the configuration, on the device behind the OpenVPN Client go to '''http://www.whatsmyip.org/'''. If the website shows the Public IP address of the OpenVPN server, it means the Proxy works.
----
Next, go to the '''Network → Firewall → Zone Forwarding section. Click the '''Edit''' button located next to the '''vpn''' rule and in the subsequent window add a checkmark next to '''wan''' as such:'''
 
[[File:Networking rut configuration openvpn firewall v1.jpg|alt=|border|class=tlt-border|1100px]]
 
his will redirect all WAN traffic through the OpenVPN tunnel.
 
To test this out, on the device behind the OpenVPN Client go to '''http://www.whatsmyip.org/'''. If the website shows the Public IP address of the OpenVPN server, it means the Proxy works.


==Remote configuration==
==Remote configuration==
Line 276: Line 479:


In case you have a dynamic public IP address, it is recommended to use the '''[[Dynamic DNS]]''' functionality, and use the hostname provided by the DDNS service as the OpenVPN Server address. You can find some Dynamic DNS configuration examples [[DDNS Configuration Examples|here]].
In case you have a dynamic public IP address, it is recommended to use the '''[[Dynamic DNS]]''' functionality, and use the hostname provided by the DDNS service as the OpenVPN Server address. You can find some Dynamic DNS configuration examples [[DDNS Configuration Examples|here]].


===OpenVPN Server configuration===
===OpenVPN Server configuration===
----For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and TLS Authentication, you can refer to [[How to generate TLS certificates (Windows)?|this]] article for more information about TLS certificates and keys. Here is the router '''RUT1''' OpenVPN configuration ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''213.226.191.61;''' OpenVPN Virtual network will be '''10.0.0.0/24''') :
----For this example we will be creating a TUN (Tunnel) type connection that uses the UDP protocol for data transfer and TLS Authentication, you can refer to [[How to generate TLS certificates (Windows)?|this]] article for more information about TLS certificates and keys. Here is the router '''RUT1''' OpenVPN configuration ('''Server'''; LAN IP: '''192.168.1.1'''; WAN (Public static) IP: '''215.***.***.***;''' OpenVPN Virtual network will be '''172.16.1.0/24''').
[[File:OpenVPN-Server-config.png|alt=OpenVPN-Server-Configuration|border]]
 
Start by configuring OpenVPN Server on '''RUT1''' device. Login to the WebUI, navigate to '''Services → VPN → OpenVPN''' enter any name and select role as '''Server'''. After pressing the '''Add button''', make the following changes:
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
<table class="nd-othertables_2">
    <tr>
        <th width=330; style="border-bottom: 1px solid white;></th>
        <th width=800; style="border-bottom: 1px solid white;" rowspan=2>
[[File:OpenVPN server on Windows rev1.png|border|class=tlt-border]]</th>
    </tr>
    <tr>
        <td style="border-bottom: 4px solid white>
 
# '''Enable''' the instance
# Select '''Tunnel''' mode
# Select '''UDP''' protocol
# Select '''Port'''
# Select '''TLS''' authentication
# Set '''Keep alive''' period
# Set virtual network '''IP address'''
# Set virtual network '''Netmask'''
# Enter '''Push option''' to route to the server's LAN network
# If you generated certificates on the device, turn this option '''ON'''
# Select '''Certificate authority'''
# Select '''Server certificate'''
# Select '''Server key'''
# Select '''Diffie Hellman''' parameters
#[[File:Networking_save_apply_button_fw76_v1.png|70px]]
        </td>
    </tr>
</table>


You can add push option ('''route 192.168.1.0 255.255.255.0''') to allow VPN clients to connect to the router LAN network.
You can add push option ('''route 192.168.1.0 255.255.255.0''') to allow VPN clients to connect to the router LAN network.
Line 285: Line 521:
Once the VPN server is ready, It will change its status to Active:
Once the VPN server is ready, It will change its status to Active:


[[File:Server-Status Active.png|border]]
[[File:VPN server status on Windows rev1.png|border]]


===OpenVPN Windows client configuration===
===OpenVPN Windows client configuration===
Line 300: Line 536:


And this is the content of the OpenVPN client config file:
And this is the content of the OpenVPN client config file:
client
 
dev '''tun'''
[[File:VPN windows config file.png|border]]
proto '''udp'''
 
auth '''sha1'''
remote '''213.226.191.61 1194'''
resolv-retry '''infinite'''
nobind
persist-key
persist-tun
ca '''ca.crt'''
cert '''client.crt'''
key '''client.key'''
remote-cert-tls '''server'''
data-ciphers '''BF-CBC'''
cipher '''BF-CBC'''
comp-lzo '''no'''
keepalive '''10 120'''
After saving the configuration file, you can open the '''OpenVPN Connect''' software on your Windows operating system, upload the configuration file, and click connect:
After saving the configuration file, you can open the '''OpenVPN Connect''' software on your Windows operating system, upload the configuration file, and click connect:


[[File:OpenVPN-Client-connected.png|border]]
[[File:VPN windows connect window.png|border|379x599px]]


The OpenVPN Windows client is now connected to the OpenVPN server.
The OpenVPN Windows client is now connected to the OpenVPN server.
Retrieved from "https://wiki.teltonika-networks.com/view/Special:MobileDiff/134832"