INSYS icom routers can act as an OpenVPN server and/or connect to an OpenVPN server as an OpenVPN client.

Situation

The router is to be integrated into an existing OpenVPN network as a client.

Solution

The Startup wizard of the router lets you prepare an optional OpenVPN connection in addition to configuring Internet access. This OpenVPN connection must then be configured.

As a prerequisite, the respective certificates and keys must be available and the configuration of the server must be known. The following procedure assumes that the router is in its default settings.

Configuration via web interface

  1. Open the web interface of the router in a browser:

    • 192.168.1.1

    • User name: insys (default)

    • Password: icom (default)

  2. In the title bar of the web interface, click on the Display help text icon to show the inline help, which explains the individual configuration parameters.

  3. In the Help → Wizards menu, click on Startup.

    • Under VPN connection, select Prepare for OpenVPN. [1]

    • Configure Internet access (WAN) and plant network (LAN) accordingly and click on Execute wizard.

      This step is described in detail in the Quick Installation Guide of the respective router and is not covered here.

  4. In the Import certificates or keys section of the Administration → Certificates menu, import the certificates and keys for the client that were provided by the operator of the OpenVPN server. [2]

  5. In the Interfaces → OpenVPN menu, activate the OpenVPN tunnel added by the Startup wizard (check the active checkbox) and edit it:

    • Description: enter an appropriate name for the tunnel

    • Mode: Client

    • Tunnelling over port (local / remote): enter the ports used by the OpenVPN server

    • Protocol: select the protocol used by the OpenVPN server

    • CA certificate: select the CA certificate uploaded in the previous step

    • Certificate: select the client certificate uploaded in the previous step

    • Private key: select the client key uploaded in the previous step

    • Cipher and hash algorithm: select the settings used by the OpenVPN server

    • IP address or domain name of remote site: enter the IP address of the OpenVPN server

      If the OpenVPN server additionally requires a static key for authentication and encryption (tls-crypt) or for authentication only (tls-auth), or a user name/password combination for authentication, these must be configured as well.

  6. Click on Save settings.

  7. In the Netfilter → IP filter menu, check the filter rules added by the Startup wizard and adjust them if necessary. This may be necessary if the protocol or port for the OpenVPN tunnel has been changed.

  8. Click on Save settings.

  9. Activate the profile by clicking on the blinking gear in the title bar.
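
Step 5 requires the port, protocol, cipher, hash algorithm and any static key to match the server. The following added example (not part of the INSYS documentation) reads these values from a server configuration using standard OpenVPN directive names; the sample configuration is constructed and the result keys are hypothetical.

```python
import shlex

# Constructed sample server configuration (not from a real deployment).
SAMPLE_SERVER_CONF = """\
port 1195
proto tcp-server
dev tun
cipher AES-256-CBC
auth SHA256
tls-auth ta.key 0
auth-user-pass-verify /etc/openvpn/check.sh via-file
"""

def parse_directives(text):
    """Return {directive: [args]}; '#' and ';' comments are ignored."""
    found = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and not tokens[0].startswith(";"):
            found[tokens[0].lstrip("-")] = tokens[1:]
    return found

def client_settings(server_conf):
    """Map server directives to the values the client tunnel needs (hypothetical keys)."""
    d = parse_directives(server_conf)
    proto = d.get("proto", ["udp"])[0]          # OpenVPN default: udp
    settings = {
        "remote_port": int(d.get("port", ["1194"])[0]),  # OpenVPN default: 1194
        # Server-side variants such as tcp-server are plain tcp from the client's view.
        "protocol": "tcp" if proto.startswith("tcp") else "udp",
        "cipher": d.get("cipher", [None])[0],   # None: not set here, ask the operator
        "hash": d.get("auth", [None])[0],
        "static_key": None,
        # Only the script-based check is detected; plugin-based logins are not.
        "username_password": "auth-user-pass-verify" in d,
    }
    if "tls-crypt" in d:
        settings["static_key"] = {"mode": "tls-crypt", "file": d["tls-crypt"][0]}
    elif "tls-auth" in d:
        args = d["tls-auth"]
        # The key direction must be complementary: server 0 means client 1.
        direction = {"0": "1", "1": "0"}.get(args[1]) if len(args) > 1 else None
        settings["static_key"] = {"mode": "tls-auth", "file": args[0],
                                  "client_direction": direction}
    return settings

if __name__ == "__main__":
    for field, value in client_settings(SAMPLE_SERVER_CONF).items():
        print(f"{field}: {value}")
```

A value reported as None is not set explicitly in the server configuration and has to be confirmed with the operator of the OpenVPN server.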

Functional test

  1. In the Status → System status menu, check whether the WAN chain containing the OpenVPN tunnel is established.

Troubleshooting

  • Go to the Status → Log view menu and check the messages in the OpenVPN log.

  • You can temporarily disable the netfilters in the Netfilter → IP filter menu to find out whether unsuitable filter settings are preventing connections.


1. This adds a WAN chain containing an OpenVPN tunnel with the associated firewall rules.
2. For the client, these are the CA certificate, the client certificate and the secret client key. The certificates and keys can also be bundled in a PKCS12 container. A password may be required for import.