Configuring an OpenVPN Client in the Router

The routers of INSYS icom can act as OpenVPN server and/or establish connections to an OpenVPN server as OpenVPN client.

Situation

The router shall be included into an existing OpenVPN network as client.

Solution

The Startup wizard of the router permits to prepare an optional OpenVPN connection besides the configuration of Internet access. This OpenVPN connection must then be configured.

It is prerequisite that the respective certificates and keys are available and the configuration of the server is known. We act on the assumption that the router is in default settings for the following proceeding.

Configuration via web interface

Open web interface of the router using a browser: 192.168.1.1 ^[1]
In the title bar of the web interface, click on (Display help text) to show the inline help that provides helpful information regarding the individual configuration parameters.
In the Help → Wizards menu, click on Startup.
- Under VPN connection, select Prepare for OpenVPN. ^[2]
- Configure Internet access (WAN) and plant network (LAN) accordingly and click on Execute wizard.
  
  This step is described in detail in the Quick Installation Guide of the respective router and will not be detailed here.
Import the certificates and keys for the client provided by the operator of the OpenVPN server in the Administration → Certificates menu in the Import certificates or keys section. ^[3]

Activate in the Interfaces → OpenVPN menu the OpenVPN tunnel added by the Startup wizard (check checkbox active) and edit it ():

Description: enter an appropriate name for the tunnel
Mode: Client
Tunnelling over port (local / remote): enter the ports used by the OpenVPN server
Protocol: select the protocol used by the OpenVPN server
CA certificate: select the CA certificate uploaded in the previous step
Certificate: select the client certificate uploaded in the previous step
Private key: select the client key uploaded in the previous step
Cipher and hash algorithm: select the settings used by the OpenVPN server

IP address or domain name of remote site: enter the IP address of the OpenVPN server

In case the OpenVPN server requires a static key for authentication and encryption (tls-crypt) or only for authentication (tls-auth) additionally, or a user name/password combination for authentication additionally, these need to be configured also.

Click on Save settings.
Check in the Netfilter → IP filter menu the filter rules added by the Startup wizard and adjust them if necessary. This may be necessary if the protocol or port for the OpenVPN tunnel have been adjusted.
Click on Save settings.
Activate the profile with a click on the blinking gear in the title bar ().

Functional test

Check in the Status → System status menu, whether the WAN chain containing the OpenVPN tunnel will be established.

Troubleshooting

Change to the Status → Log view menu and check the messages in the OpenVPN log.
You may disable the netfilters in the Netfilter → IP filter menu temporarily to find out, whether inadequate filter settings prevent connections.

Back to the Configuration Guides for icom OS Smart Devices

Back to overview

1. Login depending on configuration; default for past firmware versions: User name: insys, Password: icom

2. This adds a WAN chain containing an OpenVPN tunnel with the associated firewall rules.

3. In case of the client, these are the CA certificate, the client certificate and the secret client key. The certificates and keys can also be bundled in a PKCS12 container. It may be possible that a password is necessary for import.