OpenVPN Server Configuration
ImageStream Linux version 4.2.7 includes support for the highly scalable OpenVPN client/server mode. This feature allows multiple clients to establish SSL VPN tunnels to the router using a single UDP or TCP port. It also allows the router in server mode to control IP address assignments and OpenVPN features that can be pushed to the clients. Clients can have a simplified, often unified configuration where most options are controlled by the server and pushed to the clients.
Windows clients using OpenVPN version 2.0 and ImageStream routers can connect simultaneously to an ImageStream router running in OpenVPN server mode.
ImageStream uses a username/password authentication scheme in addition to SSL/TLS Public Key Infrastructure (PKI) certificate authentication for additional security and to simplify the setup of SSL tunnels.
====ETHERNET===================== 192.168.0.0/24 ===
| LAN IP: 192.168.0.1
| Ethernet0 |
| Router A |
| Serial0 |
| WAN IP: 220.127.116.11 (255.255.255.252)
| IP: Dynamically assigned
| Ethernet0 |
| Router B |
Before You Start
You will need to have a separate subnet for the OpenVPN clients.
These IP network addresses are given to you by your Internet Service Provider, your leased line carrier, or by ARIN. If you do not plan to connect you network to the Internet, you can use an IP network address set aside for private use. The IP network address for private use can be found in RFC 1597. Most people will use 192.168.0.0 as we have in this example.
In this example, we are going to assume the following:
The IP addresses used in this Technical Note are examples only. You will need to use an IP network given to you by your Internet Service Provider.
- We will use tap mode (bridging) which simplifies configuration and conserves IP addresses.
- Router A will be configured as the OpenVPN server, Router B will be the OpenVPN client.
- Router A has an Ethernet IP address of 192.168.0.1 with a netmask of 255.255.255.0.
- Router A has an WAN IP address of 18.104.22.168 with a netmask of 255.255.255.252.
- Router A has a OpenVPN Tunnel IP address of 192.168.10.1 with a netmask of 255.255.255.0.
- The router will assign IP addresses from 192.168.10.2 through 192.168.10.254 to OpenVPN clients.
- The router will tell the OpenVPN clients to install a route to the 192.168.0.0 Class C network and 172.16.0.0 Class B network through their tunnel using the "push" directive.
- Router B will authenticate itself using the username "routerb" and password "test123"
user routerb password test123
description Server Mode Tunnel
tunnel mode openvpn server 192.168.10.0 255.255.255.0
tunnel options --dev-type tap --passtos --push "route 192.168.0.0 255.255.255.0" --push "route 172.16.0.0 255.255.0.0"
ip address 192.168.10.1 255.255.255.0
description Client Tunnel
tunnel mode openvpn client username routerb password test123
tunnel destination 22.214.171.124
tunnel options --dev-type tap
When the client tunnel is established Router B will be able to communicate with other clients in the 192.168.10.0 Class C network. Router B will also be able to communicate with hosts in the 192.168.0.0 Class C network which was pushed from the server.
RouterB:/usr/local/sand# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.483 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.416 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.324 ms
RouterB:/usr/local/sand# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.483 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.416 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.324 ms
Configuration and run-time errors will be displayed in the router's event log (syslog). Enable event logging to obtain troubleshooting information from the router.