Changes

Added that you must select SCP in WinSCP settings
Line 9: Line 9:  
Before configuring anything you should first know what type of OpenVPN connection suits your needs the best. The key things to be considered here are the type of connection ('''TUN''' ('''tunnel''') or '''TAP''' ('''bridged''')), the data transfer protocol ('''User Datagram Protocol''' ('''UDP''') or '''Transmission Control Protocol''' ('''TCP''')) and authentication type ('''TLS''' or '''Static key'''). Here is a short overview of the differences:
 
Before configuring anything you should first know what type of OpenVPN connection suits your needs the best. The key things to be considered here are the type of connection ('''TUN''' ('''tunnel''') or '''TAP''' ('''bridged''')), the data transfer protocol ('''User Datagram Protocol''' ('''UDP''') or '''Transmission Control Protocol''' ('''TCP''')) and authentication type ('''TLS''' or '''Static key'''). Here is a short overview of the differences:
   −
* Type
+
*Type
** TUN (tunnel) - simulates a network layer device and it operates with layer 3 packets like IP packets. TUN is used for routing and connecting '''multiple''' clients to a single server.
+
**TUN (tunnel) - simulates a network layer device and it operates with layer 3 packets like IP packets. TUN is used for routing and connecting '''multiple''' clients to a single server.
** TAP (bridged) - simulates a link layer device and it operates with layer 2 packets like Ethernet frames. TAP is used for creating a network bridge between '''two''' Ethernet segments in different locations.
+
**TAP (bridged) - simulates a link layer device and it operates with layer 2 packets like Ethernet frames. TAP is used for creating a network bridge between '''two''' Ethernet segments in different locations.
   −
* Protocol
+
*Protocol
** UDP -  is used by apps to deliver a faster stream of information by doing away with error-checking.
+
**UDP -  is used by apps to deliver a faster stream of information by doing away with error-checking.
** TCP - a suite of protocols used by devices to communicate over the Internet and most local networks. It provides apps a way to deliver (and receive) an ordered and error-checked stream of information packets over the network.
+
**TCP - a suite of protocols used by devices to communicate over the Internet and most local networks. It provides apps a way to deliver (and receive) an ordered and error-checked stream of information packets over the network.
   −
* Authentication
+
*Authentication
** TLS - uses SSL/TLS + certificates for authentication and key exchange.
+
**TLS - uses SSL/TLS + certificates for authentication and key exchange.
** Static key - uses a pre-shared Static key. Can only be used between two peers.
+
**Static key - uses a pre-shared Static key. Can only be used between two peers.
    
Overviews on most of these types and variations are provided in this article. Concerning TCP vs UDP, we will be using UDP for all examples. Choosing between TCP and UDP doesn't affect the rest of the configuration, so you can still follow the given examples no matter which protocol you are using. Simply choose the one that suits your purposes.
 
Overviews on most of these types and variations are provided in this article. Concerning TCP vs UDP, we will be using UDP for all examples. Choosing between TCP and UDP doesn't affect the rest of the configuration, so you can still follow the given examples no matter which protocol you are using. Simply choose the one that suits your purposes.
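Review bot: The TCP bullet is inaccurate as written: TCP is a single transport protocol, not "a suite of protocols" (the suite is TCP/IP), and the UDP bullet overstates the difference, since UDP still carries a checksum; what it leaves out is retransmission, ordering and connection state. Suggest "TCP - a connection-oriented transport protocol that delivers an ordered, error-checked stream of packets" and "UDP - a connectionless transport protocol with no retransmission or ordering, so it is faster but packets may be lost or arrive out of order". The whitespace-only change to the list markers is fine.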
Line 31: Line 31:  
A connection that uses TLS requires multiple certificates and keys for authentication:
 
A connection that uses TLS requires multiple certificates and keys for authentication:
   −
* OpenVPN server
+
*OpenVPN server
** The root certificate file (Certificate Authority)
+
**The root certificate file (Certificate Authority)
** Server certificate
+
**Server certificate
** Server key
+
**Server key
** Diffie Hellman Parameters
+
**Diffie Hellman Parameters
   −
* OpenVPN client
+
*OpenVPN client
** The root certificate file (Certificate Authority)
+
**The root certificate file (Certificate Authority)
** Client certificate
+
**Client certificate
** Client key
+
**Client key
    
Before you continue you'll to obtain the necessary certificates and keys. When you use a third party OpenVPN service, they should provide you with their certificates and even configuration files.
 
Before you continue you'll to obtain the necessary certificates and keys. When you use a third party OpenVPN service, they should provide you with their certificates and even configuration files.
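Review bot: "Before you continue you'll to obtain" is missing a word and should read "you'll need to obtain". Since this is the point where the reader gathers the server key and client key, it would also help to say here that those two key files are private and are not to be shared; only the certificates and the root certificate file are exchanged between the peers, and the Diffie Hellman parameters are needed on the server only, as the list already shows.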
Line 84: Line 84:     
If you are using Windows, you can copy files from the router using '''WinSCP''', an Open source freeware SFTP, SCP and FTP client for Windows OS. Use the same login information with WinSCP as with CLI or SSH. Once you've connected to the router with WinSCP, copying the files should be simple enough: just relocate to directory where you generated the key, select the Static key file and drag it to directory on your PC where you would like to store it.
 
If you are using Windows, you can copy files from the router using '''WinSCP''', an Open source freeware SFTP, SCP and FTP client for Windows OS. Use the same login information with WinSCP as with CLI or SSH. Once you've connected to the router with WinSCP, copying the files should be simple enough: just relocate to directory where you generated the key, select the Static key file and drag it to directory on your PC where you would like to store it.
 +
 +
'''Please note''': You must select '''SCP''' as File Protocol in WinSCP Session settings.
    
====On a Linux PC====
 
====On a Linux PC====
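Review bot: The added "Please note" line is the right fix, but it should state why SCP rather than leave it as an unexplained setting: the description on the same line lists FTP among WinSCP's protocols, and plain FTP would send the login and the Static key file unencrypted, whereas SCP (and SFTP) run over the same SSH login already used for the CLI. Suggest: "You must select SCP as File Protocol in WinSCP Session settings; do not use FTP for this, as it would transfer the key in the clear." Also "relocate to directory where you generated the key" reads better as "navigate to the directory where you generated the key".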
Line 142: Line 144:  
====Server from Client====
 
====Server from Client====
 
----
 
----
To reach another OpenVPN instance's LAN network, you have to have a '''route''' to that network with the '''Virtual remote endpoint''' as the ''' gateway. You can add '''Static routes''' via command line, but these routes are removed automatically when router reboots or when connection goes down even if only for a moment. To solve this, you add permanent static routes via the router's WebUI in the '''[[Routing#Static_Leases|Network → Routing → Static Routes]]''' page. But this method is also not foolproof since it means that if an address ever changes, you would have to also modify the static route on all related devices.  
+
To reach another OpenVPN instance's LAN network, you have to have a '''route''' to that network with the '''Virtual remote endpoint''' as the ''' gateway. You can add '''Static routes''' via command line, but these routes are removed automatically when router reboots or when connection goes down even if only for a moment. To solve this, you add permanent static routes via the router's WebUI in the '''[[Routing#Static_Leases|Network → Routing → Static Routes]]''' page. But this method is also not foolproof since it means that if an address ever changes, you would have to also modify the static route on all related devices. '''
 
----
 
----
 
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:
 
Another method of reaching the OpenVPN Server's private network from the Client is specifying the network in the OpenVPN Client's configuration. To do so, open the Client's configuration window and fill in these two fields:
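Review bot: The trailing ''' appended to the end of the paragraph in the new revision does not fix the markup, it only balances the count. The stray ''' before "gateway" is the actual defect and leaves everything from "gateway" onward with inverted bold. Either remove it or close it right after the word: "with the '''Virtual remote endpoint''' as the '''gateway'''." Separately, the link [[Routing#Static_Leases|Network → Routing → Static Routes]] targets a Static_Leases anchor while its text says Static Routes; check that the anchor is the intended section.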
Line 178: Line 180:  
For Client to Client communication to work you have to do three things:  
 
For Client to Client communication to work you have to do three things:  
   −
* Create unique TLS Clients instances for each of the Clients
+
*Create unique TLS Clients instances for each of the Clients
* Push the necessary routes via the Push option field
+
*Push the necessary routes via the Push option field
* Enable Client to Client functionality in the Server's configuration
+
*Enable Client to Client functionality in the Server's configuration
    
=====TLS Clients=====
 
=====TLS Clients=====
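Review bot: "Create unique TLS Clients instances" should read "Create unique TLS Client instances". The third bullet would also benefit from saying what the option does: enabling Client to Client lets every connected client reach every other client through the server, so it is the routes pushed in the second bullet, not the option by itself, that make the clients' LAN networks reachable.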
Line 192: Line 194:  
Next, configure the necessary push options. You will have to include all Clients' networks if you want them all to communicate with each other. For the sake of argument, lets say you have three Clients that belong to three distinct LAN networks:
 
Next, configure the necessary push options. You will have to include all Clients' networks if you want them all to communicate with each other. For the sake of argument, lets say you have three Clients that belong to three distinct LAN networks:
   −
* 192.168.5.0
+
*192.168.5.0
* 192.168.6.0
+
*192.168.6.0
* 192.168.7.0
+
*192.168.7.0
    
To give them all the necessary routes, you would have to include these three push options:
 
To give them all the necessary routes, you would have to include these three push options:
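Review bot: The three networks are listed as bare addresses (192.168.5.0 and so on) with no netmask, but a pushed route needs one, so the list should carry the mask, e.g. 192.168.5.0/24 or "192.168.5.0 255.255.255.0", in whichever form the push options that follow use. Also "lets say" should be "let's say".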
Line 229: Line 231:  
====Firewall Zone Forwarding====
 
====Firewall Zone Forwarding====
 
----
 
----
Next, go to the '''Network → Firewall → Zone Forwarding section. Click the '''Edit''' button located next to the '''vpn''' rule and in the subsequent window add a check mark next to '''wan''' as such:
+
Next, go to the '''Network → Firewall → Zone Forwarding section. Click the '''Edit''' button located next to the '''vpn''' rule and in the subsequent window add a check mark next to '''wan''' as such:'''
    
[[File:Zone forwarding.png|1100px]]
 
[[File:Zone forwarding.png|1100px]]
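Review bot: Same markup issue as the routing paragraph: the new revision appends ''' to the end of the sentence, but the unclosed bold begins at "'''Network → Firewall → Zone Forwarding" and should be closed there: "'''Network → Firewall → Zone Forwarding''' section". As appended, everything after "section" renders with flipped bold. One sentence on what ticking wan in the vpn rule does would also help, namely that it permits traffic arriving from the vpn zone to be forwarded out to wan, since that is the permission the reader is granting here.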
Line 264: Line 266:  
==See also==
 
==See also==
   −
* [[How to generate TLS certificates (Windows)?]]
+
*[[How to generate TLS certificates (Windows)?]]
* [[OpenVPN client on Windows]]
+
*[[OpenVPN client on Windows]]
* [[OpenVPN client on Linux]]
+
*[[OpenVPN client on Linux]]
* [[OpenVPN server on Windows]]
+
*[[OpenVPN server on Windows]]
* [[OpenVPN traffic split]]
+
*[[OpenVPN traffic split]]
* Other types of VPNs suported by RUTxxx devices:
+
*Other types of VPNs suported by RUTxxx devices:
** [[IPsec configuration examples]]
+
**[[IPsec configuration examples]]
** [[GRE Tunnel configuration examples]]
+
**[[GRE Tunnel configuration examples]]
** [[PPTP configuration examples]]
+
**[[PPTP configuration examples]]
** [[L2TP configuration examples]]
+
**[[L2TP configuration examples]]
    
==External links==
 
==External links==
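Review bot: "suported" should be "supported". Otherwise the change is whitespace only.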