OpenVPN Tunnels

(Draft version only)

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. You can set up and use OpenVPN tunnels on this device.

To use OpenVPN, you must first install an OpenVPN application along with an easy-rsa tool and configure OpenVPN on your computer. Then you must also generate the certificates for the OpenVPN server and client before configuring the device.

To configure OpenVPN client and server on this device the following files are required:

  • ca.crt (build-ca command)
  • dh1024.pem (build-dh command)
  • mtrServer.crt and mtrServer.key (build-key-server <machine-name> command)
  • mtrClient1.crt and mtrClient1.key (build-key <machine-name> command)

Note: When you configure the OpenVPN server and client, make sure both sides use the same settings and certificates.

Configuration 1: OpenVPN Tunnel with TLS Authorization Mode (Device only)

This first configuration establishes the OpenVPN Tunnel connection from a device client to a device server using TLS as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

To add an OpenVPN Server using TLS:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using TLS as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as TLS from the drop-down.
    3. Protocol as UDP.
    4. VPN Subnet.
    5. Port number.
    6. VPN Netmask.
    7. LZO Compression as ADAPTIVE from the drop-down.
    8. Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening them in a text editor like Notepad (all required):
      1. CA PEM (.crt)
      2. Diffie Hellman PEM (.pem)
      3. Server Certificate PEM (.crt)
      4. Server Key PEM (.key)
    9. Select the Encryption Cipher.
    10. Click Next.

Note: Use the same CA PEM certificate and parameters as the Server for the OpenVPN clients.

  8. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel dialog box, under Remote Network Routes:
    1. Choose an available Saved Network as your remote network route from the drop-down if desired (optional).
    2. Or enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    3. Enter the Remote Network Mask (usually 255.255.255.0).
    4. You may enter Gateway (optional).
    5. Click Add Route.
  9. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
  10. Push Routes create a route from the client’s network to the server’s network. This allows clients to get access to the server’s network. Under Push Routes:
    1. Click the Client To Client box if you want this optional feature (this establishes a connection between multiple clients that are connected to the server).
    2. Choose an available Saved Network as your push route from the drop-down if desired (optional).
    3. Or enter the Remote Network Route (same address as the server subnet above).
    4. Enter the Remote Network Mask (same as above).
    5. You may enter Gateway (optional).
    6. Click Add Route.
      Note: If you use Static Key Authorization Mode, the Push Routes do not work.
  11. The system displays your recently-added Push Route with the network you entered (remote network route + mask).
  12. Click Next.
  13. The system displays the Configuration Preview window (read-only).
  14. Click Finish.
  15. Click Save and Restart to save your changes.

To add an OpenVPN Client using TLS:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name of the tunnel.
  4. Select the Type as CLIENT from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using TLS as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as TLS from the drop-down.
    3. Protocol as UDP.
    4. Remote Host (server public IP address).
    5. Remote Port number.
    6. LZO Compression as ADAPTIVE from the drop-down.
    7. Enter the contents of the following files generated from the easy-rsa tool. You can copy and paste this content from the certificate files after opening from a text editor like Notepad (all required):
      1. CA PEM (.crt)
      2. Client Certificate PEM (.crt)
      3. Client Key PEM (.key)
    8. Click Next.
  8. If you use TLS as Authorization Mode, you do not need to configure or add Remote Network Routes. The server adds the routes if the server’s Push Routes are already configured. If you use Static Key as Authorization Mode, you must add and configure Remote Network Routes.
  9. Click Next.
  10. The system displays the Configuration Preview window (read-only).
  11. Click Finish.
  12. Click Save and Restart to save your changes.

Now the device client can access the device server subnet. You can ping an IP address in the device server subnet from the client console to test this.

Note: The PC connected to the device does not have access to the device server subnet.

Configuration 2: OpenVPN Tunnel with TLS Authorization Mode (Device and Connected PC)

This second configuration provides access between a device server and its subnet and device client and its subnet. An additional configuration is needed on the device server side. This also allows your PC to connect with the device server and ultimately to the device client through that server.

  1. Configure the device server as shown under how to add an OpenVPN Server using TLS (steps 1-14).
  2. Open the device console and go to /var/config/ovpnccd/openVPNServerName, where openVPNServerName is the name of your OpenVPN server. Create the folder if it is not present on the device.
  3. In that folder, create one file per client. Name the file exactly as the Common Name value used to create that client's certificate, and put the client's subnet in it as an iroute line:
    1. iroute [Client_Subnet] [Mask]
    2. Example: echo "iroute 192.168.3.0 255.255.255.0" > mtrClient1
  4. Configure the device client as shown under how to add an OpenVPN Client using TLS (steps 1-12).
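As an added example (not from the device vendor's documentation), this POSIX shell script builds the per-client ccd files from step 3 for a constructed client list; the Remote Network Route entered in the UI gives the server its route to the client subnet, and the ccd iroute line tells OpenVPN which connected client owns it. CCD_ROOT, write_ccd, check_ccd, count_ccd, valid_ipv4 and the client names are assumptions; the default path follows the page's /var/config/ovpnccd/<server name> layout.

```shell
#!/bin/sh
# Added example, not vendor code: build the per-client ccd files that
# Configuration 2 needs. One file per client, named after the Common Name
# in that client's certificate, holding "iroute <client subnet> <mask>".
# CCD_ROOT defaults to the device path and can be overridden for a dry run.
CCD_ROOT="${CCD_ROOT:-/var/config/ovpnccd}"

# Constructed client list (assumption): "<Common Name> <subnet> <mask>".
# Each Common Name must be the one given to build-key for that client.
# The third entry is deliberately malformed to show the validation path.
CLIENTS='mtrClient1 192.168.3.0 255.255.255.0
mtrClient2 192.168.4.0 255.255.255.0
badClient 192.168.300.0 255.255.255.0'

# valid_ipv4 <addr>: return 0 if it is a dotted quad with octets in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# write_ccd <server name>: write $CCD_ROOT/<server name>/<Common Name> for
# every well-formed entry in CLIENTS; malformed entries are skipped loudly.
write_ccd() {
    dir="$CCD_ROOT/$1"
    mkdir -p "$dir"
    umask 077   # ccd files steer routing; keep them owner-readable only
    printf '%s\n' "$CLIENTS" | while read -r cn subnet mask; do
        [ -n "$cn" ] || continue
        if ! valid_ipv4 "$subnet" || ! valid_ipv4 "$mask"; then
            echo "skipping $cn: bad subnet/mask '$subnet $mask'" >&2
            continue
        fi
        printf 'iroute %s %s\n' "$subnet" "$mask" > "$dir/$cn"
    done
}

# check_ccd <server name> <Common Name> "<subnet> <mask>": return 0 only if
# that client's ccd file exists and carries exactly that iroute line.
check_ccd() {
    f="$CCD_ROOT/$1/$2"
    [ -f "$f" ] && grep -qx "iroute $3" "$f"
}

# count_ccd <server name>: number of ccd files written for that server.
count_ccd() {
    ls "$CCD_ROOT/$1" | wc -l | tr -d ' '
}
```

Run it with CCD_ROOT pointing at a scratch directory first, then inspect the files before copying them to the device path.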

Once properly configured, you should have a connection between the device server and device client and their subnets. Your PC can also connect with the device server and thus the device client through that server.

Configuration 3: OpenVPN Tunnel with Static Key Authorization Mode (device server and client)

This third configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode. This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

When using Static Key, the OpenVPN tunnel is created between only two end-points, the client and server. You cannot connect more than one client to the server in this mode. Remote Network Route must be specified in both configurations, client and server, in order to establish the connection between subnets.

To add an OpenVPN Server using Static Key:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as STATIC KEY from the drop-down.
    3. Protocol as UDP.
    4. Local Address as DEFAULT.
    5. Port number. (The device is connected to the PC1 via Ethernet cable.)
    6. Remote Address as DEFAULT.
    7. LZO Compression as ADAPTIVE from the drop-down.
    8. Hash Algorithm as DEFAULT.
    9. Encryption Cipher as DEFAULT.
    10. Generate and enter the Static Key PEM (required). Both server and client must use the same static key. Paste the whole key file as generated, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- marker lines and the hex lines between them. Generate a fresh key for each tunnel and never reuse a key that has been published as an example.
  8. Click Next.
  9. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel dialog box, under Remote Network Routes:
    1. Choose an available Saved Network as your remote network route from the drop-down if desired (optional).
    2. Or enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    3. Enter the Remote Network Mask (usually 255.255.255.0).
    4. Click Add Route.
  10. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  11. Click Next.
  12. The system displays the Configuration Preview window (read-only).
  13. Click Finish.
  14. Click Save and Restart to save your changes.
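As an added example (not from the vendor's page), this POSIX shell function checks a static key file before you paste it into the Static Key PEM field on either side, since a key damaged by copy-and-paste (lost marker line, dropped digit, dashes replaced by a word processor) only shows up later as a tunnel that never comes up. It assumes the key was produced by openvpn --genkey --secret static.key; check_static_key, make_sample_key and the fixture are assumptions, and the sample body is a fixed pattern for testing only.

```shell
#!/bin/sh
# Added example, not vendor code: sanity-check an OpenVPN static key file
# before pasting it into the Static Key PEM field of server and client.
# A key from "openvpn --genkey --secret static.key" holds 2048 bits:
# 16 lines of 32 hex digits between the BEGIN and END marker lines,
# optionally preceded by '#' comment lines.
BEGIN_MARK='-----BEGIN OpenVPN Static key V1-----'
END_MARK='-----END OpenVPN Static key V1-----'

# check_static_key <file>: return 0 if the file is a complete, well-formed
# key; otherwise print the reason on stderr and return 1.
check_static_key() {
    f="$1"
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    grep -qx -- "$BEGIN_MARK" "$f" || { echo "$f: BEGIN marker missing" >&2; return 1; }
    grep -qx -- "$END_MARK" "$f" || { echo "$f: END marker missing" >&2; return 1; }
    # Key body: everything between the markers, with whitespace stripped.
    body=$(sed -n "/^$BEGIN_MARK\$/,/^$END_MARK\$/p" "$f" | grep -v -- '-----' | tr -d ' \t\r\n')
    case "$body" in
        *[!0-9a-fA-F]*) echo "$f: non-hex characters in key body" >&2; return 1 ;;
    esac
    if [ "${#body}" -ne 512 ]; then
        echo "$f: expected 512 hex digits (2048 bits), found ${#body}" >&2
        return 1
    fi
}

# make_sample_key <file>: write a constructed, well-formed key for testing
# the checker. Its body is a fixed pattern, so it must never be used as a
# real key; real keys come only from openvpn --genkey.
make_sample_key() {
    {
        echo '# 2048 bit OpenVPN static key (constructed sample)'
        echo "$BEGIN_MARK"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032x\n' "$((4660 * (i + 1)))"
            i=$((i + 1))
        done
        echo "$END_MARK"
    } > "$1"
}
```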

To add an OpenVPN Client using Static Key:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name.
  4. Select the Type as CLIENT from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as STATIC KEY from the drop-down.
    3. Protocol as UDP.
    4. Local Address as DEFAULT.
    5. Remote Host.
    6. Remote Address as DEFAULT.
    7. Remote Port number.
    8. Hash Algorithm as DEFAULT from the drop-down.
    9. LZO Compression as ADAPTIVE from the drop-down.
    10. Encryption Cipher as DEFAULT from the drop-down.
    11. Enter the Static Key PEM (required). Both server and client must use the same static key: paste the exact key file entered on the server, including its BEGIN and END marker lines.
  8. Click Next.
  9. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel dialog box, under Remote Network Routes:
    1. Choose an available Saved Network as your remote network route from the drop-down if desired (optional).
    2. Or enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.2.1, enter 192.168.2.0.
    3. Enter the Remote Network Mask (usually 255.255.255.0).
    4. Click Add Route.
  10. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  11. Click Next.
  12. The system displays the Configuration Preview window (read-only).
  13. Click Finish.
  14. Click Save and Restart to save your changes.

Configuration 4: OpenVPN Tunnel with Static Key Authorization Mode and TCP

This fourth configuration establishes the OpenVPN Tunnel connection from a device client to a device server using Static Key as Authorization Mode and TCP protocol (instead of UDP for the third configuration). This involves adding and configuring both OpenVPN Server and Client sides within the device UI.

To add an OpenVPN Server using Static Key and TCP:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name.
  4. Select the Type as SERVER from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as STATIC KEY from the drop-down.
    3. Protocol as TCP.
    4. Local Address as DEFAULT.
    5. Port number. (The device is connected to the PC1 via Ethernet cable.)
    6. Remote Address as DEFAULT.
    7. Hash Algorithm as ECDSA-WITH-SHA1.
    8. LZO Compression as ADAPTIVE from the drop-down.
    9. Encryption Cipher as CAMELLIA-256-CBC.
    10. Generate and enter the Static Key PEM (required). Both server and client must use the same static key. Paste the whole key file as generated, including the -----BEGIN OpenVPN Static key V1----- and -----END OpenVPN Static key V1----- marker lines and the hex lines between them. Generate a fresh key for each tunnel and never reuse a key that has been published as an example.
  8. Click Next.
  9. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel dialog box, under Remote Network Routes:
    1. Choose an available Saved Network as your remote network route from the drop-down if desired (optional).
    2. Or enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.3.1, enter 192.168.3.0.
    3. Enter the Remote Network Mask (usually 255.255.255.0).
    4. Click Add Route.
  10. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  11. Click Next.
  12. The system displays the Configuration Preview window (read-only).
  13. Click Finish.
  14. Click Save and Restart to save your changes.

To add an OpenVPN Client using Static Key and TCP:

  1. Go to Tunnels > OpenVPN Tunnels > OpenVPN Tunnel Configuration.
  2. Click Add Tunnel.
  3. Enter the Name.
  4. Select the Type as CLIENT from the drop-down.
  5. You can also enter an optional Description.
  6. Click Next.
  7. Enter the following fields (using STATIC KEY as Authorization Mode):
    1. Interface Type as TUN from the drop-down.
    2. Authorization Mode as STATIC KEY from the drop-down.
    3. Protocol as TCP.
    4. Local Address as DEFAULT.
    5. Remote Host.
    6. Remote Address as DEFAULT.
    7. Remote Port number.
    8. Hash Algorithm as ECDSA-WITH-SHA1.
    9. LZO Compression as ADAPTIVE from the drop-down.
    10. Encryption Cipher as CAMELLIA-256-CBC.
    11. Enter the Static Key PEM (required). Both server and client must use the same static key: paste the exact key file entered on the server, including its BEGIN and END marker lines.
  8. Click Next.
  9. Remote Network Routes create a route from the server network to the client network. This allows the server to get access to the client’s network. In the OpenVPN Tunnel dialog box, under Remote Network Routes:
    1. Choose an available Saved Network as your remote network route from the drop-down if desired (optional).
    2. Or enter the Remote Network Route (should be the client subnet). For example, if the client IP address is 192.168.2.1, enter 192.168.2.0.
    3. Enter the Remote Network Mask (usually 255.255.255.0).
    4. Click Add Route.
  10. The system displays your recently-added Remote Network Route with the client subnet (remote network route + mask).
    Note: Push Routes are not required with Static Key as Authorization Mode.
  11. Click Next.
  12. The system displays the Configuration Preview window (read-only).
  13. Click Finish.
  14. Click Save and Restart to save your changes.