OpenVPN Server Configuration

ImageStream Linux version 4.2.7 includes support for the highly scalable OpenVPN client/server mode. This feature allows multiple clients to establish SSL VPN tunnels to the router using a single UDP or TCP port. It also allows the router in server mode to control IP address assignments and OpenVPN features that can be pushed to the clients. Clients can have a simplified, often unified configuration where most options are controlled by the server and pushed to the clients.

Windows clients using OpenVPN version 2.0 and ImageStream routers can connect simultaneously to an ImageStream router running in OpenVPN server mode.

ImageStream uses a username/password authentication scheme in addition to SSL/TLS Public Key Infrastructure (PKI) certificate authentication for additional security and to simplify the setup of SSL tunnels.

====ETHERNET===================== 192.168.0.0/24 ===
        |
        | LAN IP: 192.168.0.1
+-------+--------+
|   Ethernet0    |
|                |
|   Router A     |
|                |
|   Serial0      |
+-------+--------+
        | WAN IP: 210.145.243.1 (255.255.255.252)
        |
====INTERNET/WAN=================
        |
        | IP: Dynamically assigned
+-------+--------+
|   Ethernet0    |
|                |
|   Router B     |
|                |
+-------+--------+

Before You Start

You will need to have a separate subnet for the OpenVPN clients.

These IP network addresses are given to you by your Internet Service Provider, your leased line carrier, or by ARIN. If you do not plan to connect your network to the Internet, you can use an IP network address set aside for private use. The IP network addresses for private use can be found in RFC 1597. Most people will use 192.168.0.0, as we have in this example.

Configuration Example

In this example, we are going to assume the following:
  • We will use tap mode (bridging) which simplifies configuration and conserves IP addresses.
  • Router A will be configured as the OpenVPN server, Router B will be the OpenVPN client.
  • Router A has an Ethernet IP address of 192.168.0.1 with a netmask of 255.255.255.0.
  • Router A has a WAN IP address of 210.145.243.1 with a netmask of 255.255.255.252.
  • Router A has an OpenVPN Tunnel IP address of 192.168.10.1 with a netmask of 255.255.255.0.
  • The router will assign IP addresses from 192.168.10.2 through 192.168.10.254 to OpenVPN clients.
  • The router will tell the OpenVPN clients to install a route to the 192.168.0.0 Class C network and 172.16.0.0 Class B network through their tunnel using the "push" directive.
  • Router B will authenticate itself using the username "routerb" and password "test123".

The IP addresses used in this Technical Note are examples only. You will need to use an IP network given to you by your Internet Service Provider.

Router A

user routerb password test123
!
interface Tunnel0
 description Server Mode Tunnel
 tunnel mode openvpn server 192.168.10.0 255.255.255.0
 tunnel options --dev-type tap --passtos --push "route 192.168.0.0 255.255.255.0" --push "route 172.16.0.0 255.255.0.0"
 ip address 192.168.10.1 255.255.255.0
!

Router B

!
interface Tunnel0
 description Client Tunnel
 tunnel mode openvpn client username routerb password test123
 tunnel destination 210.145.243.1
 tunnel options --dev-type tap
!
When the client tunnel is established, Router B will be able to communicate with other clients in the 192.168.10.0 Class C network. Router B will also be able to communicate with hosts in the 192.168.0.0 Class C network, the route for which was pushed from the server.
RouterB:/usr/local/sand# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.483 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.416 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.324 ms

RouterB:/usr/local/sand# ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.483 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=0.416 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=0.324 ms

Troubleshooting

Configuration and run-time errors will be displayed in the router's event log (syslog). Enable event logging to obtain troubleshooting information from the router.