31,703
edits
Changes
Template:Networking rutos manual vpn (view source)
Revision as of 09:20, 22 November 2022
, 09:20, 22 November 2022no edit summary
To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields:
To begin configuration, click the button that looks like a pencil next to the client instance. Refer to the figure and table below for information on the OpenVPN client's configuration fields:
[[File:Networking_trb2_vpn_openvpn_client_configuration_v2.png|border|class=tlt-border|]]
[[File:Networking_rutos_vpn_openvpn_client_configuration_v3.png|border|class=tlt-border|]]
<table class="nd-mantable">
<table class="nd-mantable">
<tr>
<tr>
<td>Enable external Services</td>
<td>Enable external Services</td>
<td>off {{!}}<span style="color:#FF8000 ;"> on</span>; default: <b>off</b></td>
<td>off {{!}}<span style="color:#FF8000 ;">on</span>; default: <b>off</b></td>
<td>Turns the OpenVPN external Services on or off.</td>
<td>Turns the OpenVPN external Services on or off.</td>
</tr>
</tr>
<tr>
<tr>
<td>Protocol</td>
<td>Protocol</td>
<td>UDP {{!}} TCP{{#ifeq:{{{series}}}|RUTX| {{!}} UDP6 {{!}} TCP6}}; default: <b>UDP</b></td>
<td>UDP {{!}} TCP {{!}} <span style="color: green;"><b>UDP6</b></span> {{!}} <span style="color: green;"><b>TCP6</b></span>; default: <b>UDP</b></td>
<td>Transfer protocol used by the OpenVPN connection.
<td>Transfer protocol used by the OpenVPN connection.
<ul>
<ul>
<tr>
<tr>
<td>Remote network IP address</td>
<td>Remote network IP address</td>
<td>ip; default: <b>none</b></td>
<td>ip4; default: <b>none</b></td>
<td>LAN IP address of the remote network (server).</td>
<td>LAN IP address of the remote network (server).</td>
</tr>
</tr>
<td>netmask; default: <b>none</b></td>
<td>netmask; default: <b>none</b></td>
<td>LAN IP subnet mask of the remote network (server).</td>
<td>LAN IP subnet mask of the remote network (server).</td>
</tr>
<tr>
<td><span style="color: green;">Remote network IPv6 address</span></td>
<td>ip6; default: <b>none</b></td>
<td>IPv6 address of the remote network (server). This field is becomes visible when protocol is set to UDP6 or TCP6</td>
</tr>
</tr>
<tr>
<tr>
<td>string; default: <b>none</b></td>
<td>string; default: <b>none</b></td>
<td>Password used for authentication to the OpenVPN server.</td>
<td>Password used for authentication to the OpenVPN server.</td>
</tr>
<tr>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span>Use PKCS #12 format</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>Turn PKCS #12 format on or off.</td>
</tr>
</tr>
<tr>
<tr>
<td>Extra OpenVPN options to be used by the OpenVPN instance.</td>
<td>Extra OpenVPN options to be used by the OpenVPN instance.</td>
</tr>
</tr>
<tr>
<td>Certificate files from device</td>
<td>Certificate files from device</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>off {{!}} on; default: <b>off</b></td>
<td>Turn on this option if you want to select generated certificate files from device.</td>
<td>Turn on this option if you want to select generated certificate files from device.</td>
</tr>
<tr>
<tr>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication algorithm</td>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> HMAC authentication algorithm</td>
</tr>
</tr>
<tr>
<tr>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span> Additional HMAC authentication</td>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">Password:</span>Additional HMAC authentication</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>off {{!}} on; default: <b>off</b></td>
<td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td>
<td>An additional layer of HMAC authentication on top of the TLS control channel to protect against DoS attacks.</td>
<tr>
<tr>
<td>Protocol</td>
<td>Protocol</td>
<td>UDP {{!}} TCP{{#ifeq:{{{series}}}|RUTX| {{!}} <span style="color: #20C0D7;"><b>UDP6</b></span> {{!}} <span style="color: #20C0D7;"><b>TCP6</b></span>}}; default: <b>UDP</b></td>
<td>UDP {{!}} TCP {{!}} <span style="color: green;"><b>UDP6</b></span> {{!}} <span style="color: green;"><b>TCP6</b></span>; default: <b>UDP</b></td>
<td>Transfer protocol used by the OpenVPN connection.
<td>Transfer protocol used by the OpenVPN connection.
<ul>
<ul>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> <span style="color: #20C0D7;"><b>Virtual network IPv6 address</b></span></td>
<td><span style="color: red;">TLS</span>/<span style="color: #0054a6;">TLS/Password:</span> <span style="color: #20C0D7;"><b>Virtual network IPv6 address</b></span></td>
<td>ip6; default: <b>none</b></td>
<td>ip6; default: <b>none</b></td>
<td>IPv6 address of the OpenVPN network.</td>
<td>IPv6 address of the OpenVPN network. This field becomes visible when protocol is set to UDP6 or TCP6</td>
</tr>
</tr>
<tr>
<tr>
<td>network(); default: <b>none</b></td>
<td>network(); default: <b>none</b></td>
<td>Selects which networks should be made accessible to this client.</td>
<td>Selects which networks should be made accessible to this client.</td>
</tr>
</table>
====PKCS #12====
----
Enable <b>PKCS #12 format</b> if you wish to use a PKCS #12 archive file format to bundle all the members of a chain of trust instead of uploading certificates separately.
PKCS #12 configuration settings become visible when the <b>Use PKCS #12 format</b> slider is turned on.
[[File:Networking_rutos_vpn_openvpn_pkcs_v1.png|border|class=tlt-border]]
<table class="nd-mantable">
<tr>
<th>Field</th>
<th>Value</th>
<th>Description</th>
</tr>
<tr>
<td>Use PKCS #12 format</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>Turn PKCS #12 format on or off.</td>
</tr>
<tr>
<td>PKCS #12 passphrase</td>
<td>string; default: <b>none</b></td>
<td>Passphrase used to decrypt PKCS #12 certificates.</td>
</tr>
<tr>
<td>PKCS #12 certificate chain</td>
<td>-(interactive button)</td>
<td>Use to upload certificate chain file.</td>
</tr>
</tr>
</table>
</table>
----
----
[[File:Networking_rutx_vpn_ipsec_ipsec_configuration_proposal_settings_phase1_v2.png|border|class=tlt-border]]
[[File:Networking_rutx_vpn_ipsec_ipsec_configuration_proposal_settings_phase1_v1.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
</tr>
</tr>
<tr>
<tr>
<td>Encryption</td>
<td>Encryption algorithm</td>
<td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>AES 128</b></td>
<td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>AES 128</b></td>
<td>Algorithm used for data encryption.</td>
<td>Algorithm used for data encryption.</td>
----
----
[[File:Networking_rutx_vpn_ipsec_ipsec_configuration_proposal_settings_phase2_v2.png|border|class=tlt-border]]
[[File:Networking_rutx_vpn_ipsec_ipsec_configuration_proposal_settings_phase2_v1.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
</tr>
</tr>
<tr>
<tr>
<td>Encryption</td>
<td>Encryption algorithm</td>
<td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>3DES</b></td>
<td>3DES {{!}} AES 128 {{!}} AES 192 {{!}} AES 256 {{!}} AES128 GCM8 {{!}} AES192 GCM8 {{!}} AES256 GCM8 {{!}} AES128 GCM12 {{!}} AES192 GCM12 {{!}} AES256 GCM12 {{!}} AES128 GCM16 {{!}} AES192 GCM16 {{!}} AES256 GCM16; default: <b>3DES</b></td>
<td>Algorithm used for data encryption.</td>
<td>Algorithm used for data encryption.</td>
</tr>
</tr>
<tr>
<tr>
<td>Hash</td>
<td>Hash algorithm</td>
<td>MD5 {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>MD5</b></td>
<td>MD5 {{!}} SHA1 {{!}} SHA256 {{!}} SHA384 {{!}} SHA512; default: <b>MD5</b></td>
<td>Algorithm used for exchanging authentication and hash information.</td>
<td>Algorithm used for exchanging authentication and hash information.</td>
<br>
<br>
----
----
[[File:Networking_rutos_manual_vpn_dmvpn_gre_parameters_configuration_v2.png|border|class=tlt-border]]
[[File:Networking_rutos_manual_vpn_dmvpn_gre_parameters_configuration.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
</tr>
</tr>
<tr>
<tr>
<td>Outbound key</td>
<td>GRE keys</td>
<td>integer [0..65535]; default: <b>none</b></td>
<td>integer [0..65535]; default: <b>none</b></td>
<td>A key used to identify incoming GRE packets.</td>
<td>A key used to identify incoming and outgoing GRE packets.</td>
</tr>
</tr>
</table>
</table>
<br>
<br>
----
----
[[File:Networking_rutx_vpn_dmvpn_nhrp_parameters_configuration_v4.png|border|class=tlt-border]]
[[File:Networking_rutx_vpn_dmvpn_nhrp_parameters_configuration_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<td>integer; default: <b>7200</b></td>
<td>integer; default: <b>7200</b></td>
<td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The hold time is specified in seconds and defaults to two hours.</td>
<td>Specifies the holding time for NHRP Registration Requests and Resolution Replies sent from this interface or shortcut-target. The hold time is specified in seconds and defaults to two hours.</td>
</tr>
</tr>
</table>
</table>
Advanced Settings section contains Metric and MTU configuration for this WireGuard interface.
Advanced Settings section contains Metric and MTU configuration for this WireGuard interface.
[[File:Networking_rutx_vpn_wireguard_instance_advanced_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_wireguard_instance_advanced_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<td>integer [1280..1420]; default: <b>none</b></td>
<td>integer [1280..1420]; default: <b>none</b></td>
<td>Maximum Transmission Unit for this tunnel interface.</td>
<td>Maximum Transmission Unit for this tunnel interface.</td>
</tr>
<tr>
<td>DNS servers</td>
<td>ip | ips; default: <b>none</b></td>
<td>DNS server(s) for this Wireguard interface.</td>
</tr>
</tr>
</table>
</table>
In the General section of Peer instance you can configure basic information about the endpoint to allow communications.
In the General section of Peer instance you can configure basic information about the endpoint to allow communications.
[[File:Networking_rutx_vpn_wireguard_instance_peer_instance_general_v1.png|border|class=tlt-border]]
[[File:Networking_rutos_vpn_wireguard_instance_peer_instance_general_v2.png|border|class=tlt-border]]
<table class="nd-mantable">
<table class="nd-mantable">
<td>ip; default: <b>none</b></td>
<td>ip; default: <b>none</b></td>
<td>A single IP address or a list of them which are allowed to communicate with this peer.</td>
<td>A single IP address or a list of them which are allowed to communicate with this peer.</td>
</tr>
<tr>
<td>Description</td>
<td>string; default: <b>none</b></td>
<td>Description of the peer.</td>
</tr>
<tr>
<td>Route Allowed IPs</td>
<td>off {{!}} on; default: <b>off</b></td>
<td>Enable to create routes for <b>Allowed IPs</b> for this peer.</td>
</tr>
</tr>
</table>
</table>
