Changes

OpenVPN configuration examples RUT R 00.07 (view source)

Revision as of 10:15, 16 May 2022

2,133 bytes added , 10:15, 16 May 2022

no edit summary

Line 156: Line 156:

As you can see, the two fields in question are '''Remote network IP address''' and '''Remote network IP netmask'''. The values placed in these fields specify the Server's LAN address and having them filled will automatically add the necessary route into the routing table when the OpenVPN connection goes up. However, if your OpenVPN Server has multiple Clients, you would need to do this for all of them. If that is the case, use this next method.

----

−

Even another method is pushing the necessary routes via the OpenVPN Server. This method is the most foolproof because it will generate a route to the Server's private network for all connecting Clients. Therefore, in case of configuration changes you would only have to edit one field in the Server's configuration instead of having to edit all of the Clients' configurations.

+

Even another method is pushing the necessary routes via the OpenVPN Server. This method is the most foolproof because it will generate a route to the Server's private network for all connecting Clients. Therefore, in case of configuration changes, you would only have to edit one field in the Server's configuration instead of having to edit all of the Clients' configurations.

To accomplish this, go to OpenVPN Server's configuration window and locate the '''Push option''' field. Let's say that the Server's LAN IP address is 192.168.1.1. In this case use the line '''route 192.168.1.0 255.255.255.0'''

Line 166: Line 166:

====Clients from Server====

----

−

Reaching OpenVPN Clients' private networks from the Server is a bit trickier than the opposite, because in order to do so the Server has to be aware of the different specific addresses and Common Names of specific Clients.

+

Reaching OpenVPN Clients' private networks from the Server is a bit trickier than the opposite because in order to do so the Server has to be aware of the different specific addresses and Common Names of specific Clients.

To accomplish this, we can use the '''TLS Clients''' function. TLS Clients is a way to more specifically differentiate Clients by their Common Name (CN) found in the client certificate file. It can be used to assign specific VPN addresses to specific Clients and bind them to their LAN addresses so that other devices in the Client‘s LAN can be reached from the Server.

−

In other words, TLS Clients ~~binds~~ Common Names (found in Client certificates) to Clients' private networks. If the certificate hasn't been tampered with in any after generation, the Common name should be the same as the file name (without the file type extension). For example, a certificate called '''client1.crt''' will likely have the Common Name of '''client1'''. But just to be sure you can open the certificate and check:

+

In other words, TLS Clients bind Common Names (found in Client certificates) to Clients' private networks. If the certificate hasn't been tampered with in any after generation, the Common name should be the same as the file name (without the file type extension). For example, a certificate called '''client1.crt''' will likely have the Common Name of '''client1'''. But just to be sure you can open the certificate and check:

[[File:Checking common name.png|alt=|border|class=tlt-border]]

Once you know the Common Names and LAN IP Addresses of your OpenVPN Clients, you can create TLS Clients instances for each of them:

+

[[File:Networking rut configuration openvpn tls clients v1.jpg|alt=|border|class=tlt-border]]

+

In addition, with TLS Clients you can manually assign Virtual local and remote endpoint addresses for the Clients. But these fields are not mandatory and the addresses will be assigned automatically if they are left unchecked.

+

====Client to Client====

+

----

+

For Client to Client communication to work you have to do three things:

+

*Create unique TLS Clients instances for each of the Clients

+

*Push the necessary routes via the Push option field

+

*Enable Client to Client functionality in the Server's configuration

+

====='''TLS Clients'''=====

+

----

+

First, configure TLS Clients. You can find the description on how to do that in the section before this one ('''[[OpenVPN_configuration_examples#Clients_from_Server|here]]'''). This is necessary in the case of multiple Clients because the Server will not only be pushing the routes of other Clients but also the routes to the Clients' own networks to their routing tables. This would cause the Clients' routers to be unreachable until the OpenVPN connection is terminated.

+

TLS Clients solves this issue because the configuration then "tells" the router not to push certain routes to certain Clients. For example, if a router pushes the route '''192.168.5.0 255.255.555.0''' to a Client whose LAN IP address is 192.168.5.1, that Client will not be able to reach its network. TLS Clients prevent this - if a Client, for example, has the LAN IP address of 192.168.5.1, he will not receive the ''route 192.168.5.0 255.255.555.0''.

+

=====Push options=====

+

----

+

Next, configure the necessary push options. You will have to include all Clients' networks if you want them all to communicate with each other. For the sake of argument, let's say you have three Clients that belong to three distinct LAN networks:

+

*192.168.5.0

+

*192.168.6.0

+

*192.168.7.0

+

To give them all the necessary routes, you would have to include these three push options:

+

route 192.168.5.0 255.255.255.0

+

route 192.168.6.0 255.255.255.0

+

route 192.168.7.0 255.255.255.0

+

The configuration should look something like this:

Edvinas.Dryzas

Administrators

489

edits