The routers of INSYS icom can act as an OpenVPN server and/or establish connections to an OpenVPN server as an OpenVPN client.

Situation

The router is to be configured as a server for an OpenVPN network with two clients. In this example, the OpenVPN server has the local network 192.168.10.0/24. The OpenVPN client with the Common Name Client1 has the local network 192.168.20.0/24 and the OpenVPN client with the Common Name Client2 has the local network 192.168.30.0/24.

Solution

The Startup wizard of the router allows an optional OpenVPN connection to be prepared in addition to configuring Internet access. This OpenVPN connection must then be configured.

The necessary certificate structure must be generated in advance. The Configuration Guide for Creating a Certificate Structure Using XCA provides instructions for this.

The following certificates and keys are necessary:

| File | Upload to | Secret | Common Name for this example |
|---|---|---|---|
| CA certificate | Server, clients | No | |
| CA key | | Yes [1] | |
| Server certificate | Server | No | Server |
| Server key | Server | Yes | |
| Client certificate (separate for each client) | Client | No | Client1, Client2 |
| Client key (separate for each client) | Client | Yes | |

The following procedure assumes that the router is in its default settings.

If you configure an OpenVPN server on your router, you make its network accessible from the outside. Although an OpenVPN network allows a high degree of security, an inadequate configuration may turn it into a security vulnerability. The following procedure provides assistance for the easy configuration of a server for an OpenVPN network. You are solely responsible for the protection of the OpenVPN network!

Configuration via web interface

  1. Open the web interface of the router using a browser:

    • 192.168.1.1

    • User name: insys (default)

    • Password: icom (default)

  2. In the title bar of the web interface, click on (Display help text) to show the inline help that provides helpful information regarding the individual configuration parameters.

  3. In the Help → Wizards menu, click on Startup.

    • Under VPN connection, select Prepare for OpenVPN. [2]

    • Configure Internet access (WAN) and plant network (LAN) accordingly and click on Execute wizard.

      This step is described in detail in the Quick Installation Guide of the respective router and will not be detailed here.
  4. In the Administration → Certificates menu, import the certificates and keys generated in advance for the server in the Import certificates or keys section. [3]

  5. In the Interfaces → OpenVPN menu, activate the OpenVPN tunnel added by the Startup wizard (check the active checkbox) and edit it:

    • Description: enter an appropriate name for the tunnel

    • Mode: Server

    • Tunnelling over port (local / remote): enter the used ports

    • Protocol: select the used protocol

    • CA certificate: select the CA certificate uploaded in the previous step

    • Certificate: select the server certificate uploaded in the previous step

    • Private key: select the server key uploaded in the previous step

    • Cipher and hash algorithm: select the used settings

    • Diffie Hellman parameters: select the Diffie-Hellman parameter set already existing in the Certificate Manager

    • Allow communication between clients: check if communication between the clients is to be possible

      There are further options for configuring the OpenVPN server that can be adjusted as required. The tunnel addresses are only used for internal VPN routing and only need to be adjusted if they overlap with IP ranges that are already in use.
  6. Click on Save settings.

  7. In the Netfilter → IP filter menu, edit the OpenVPN (tunnel establishment) filter rule: [4]

    • Packet direction: INPUT

    • Input interface: select the interface that is used by the clients to connect to the server

  8. Click on Save settings.

  9. Check all filter rules added by the Startup wizard and adjust them if necessary. This may be necessary if the protocol or port for the OpenVPN tunnel above has been adjusted.

  10. Add a new route in the Routing → OpenVPN routes menu (upper routing table) and edit it: [5]

    • Description: Route to network 192.168.20.0

    • Interface: select the OpenVPN server added above

    • IP address: 192.168.20.0/24

    • Common name: Client1

  11. Click on Save settings.

  12. Add a new local route in the Routing → OpenVPN routes menu (upper routing table) and edit it: [6]

    • Description: Route to network 192.168.30.0

    • Interface: select the OpenVPN server added above

    • IP address: 192.168.30.0/24

    • Common name: Client2

  13. Click on Save settings.

  14. Add a new push route in the Routing → OpenVPN routes menu (lower routing table) and edit it: [7]

    • Description: Route to network 192.168.10.0

    • Interface: select the OpenVPN server added above

    • IP address: 192.168.10.0/24

    • Common name: do not enter a Common Name [8]

  15. Click on Save settings.

  16. Add a new push route in the Routing → OpenVPN routes menu (lower routing table) and edit it: [9]

    • Description: Route to network 192.168.20.0

    • Interface: select the OpenVPN server added above

    • IP address: 192.168.20.0/24

    • Common name: Client2

  17. Click on Save settings.

  18. Add a new push route in the Routing → OpenVPN routes menu (lower routing table) and edit it: [10]

    • Description: Route to network 192.168.30.0

    • Interface: select the OpenVPN server added above

    • IP address: 192.168.30.0/24

    • Common name: Client1

  19. Click on Save settings.

    Since several tunnels are possible at the same time, the server must know the networks of the clients and add the corresponding local routes. With the help of these routes, the server determines which data packets are sent through which tunnel to the correct client. To differentiate the tunnels, the routes are assigned using the Common Name of the client certificate, which the client sends to the server during authentication. These routes will appear in the routing table of the router.
    The push routes are communicated to the client routers so that they know which networks are behind the tunnel on the OpenVPN server side. The clients enter these routes in their local routing table.
    The routes will not be checked for their plausibility.
  20. Activate the profile with a click on the blinking gear in the title bar.
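
Because the router does not check the routes for plausibility, the route plan from steps 10 to 18 can be checked before it is entered. The following is an added example, not part of the original guide or of the router software; the function name, the finding texts and the rule that every Common Name used in a push route also has a local route are assumptions of this example (IPv4 networks only).

```python
import ipaddress

# Route plan from steps 10 to 18 of this guide (values taken from the page).
SERVER_LAN = "192.168.10.0/24"
LOCAL_ROUTES = {"Client1": "192.168.20.0/24", "Client2": "192.168.30.0/24"}
PUSH_ROUTES = [  # (network, Common Name; None = pushed to all clients)
    ("192.168.10.0/24", None),
    ("192.168.20.0/24", "Client2"),
    ("192.168.30.0/24", "Client1"),
]


def check_route_plan(server_lan, local_routes, push_routes):
    """Return plausibility findings as strings; an empty list means none found."""
    findings, behind = [], {}
    try:
        lan = ipaddress.ip_network(server_lan)
    except ValueError as exc:
        return [f"server LAN: {exc}"]
    for cn, cidr in local_routes.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: host bits are an error
        except ValueError as exc:
            findings.append(f"local route for {cn}: {exc}")
            continue
        for other_cn, other in [("server LAN", lan), *behind.items()]:
            if net.overlaps(other):
                findings.append(f"local route {net} ({cn}) overlaps {other} ({other_cn})")
        behind[cn] = net
    for cidr, cn in push_routes:
        try:
            net = ipaddress.ip_network(cidr)
        except ValueError as exc:
            findings.append(f"push route {cidr}: {exc}")
            continue
        if cn is not None and cn not in behind:
            findings.append(f"push route {net}: no local route for Common Name {cn!r}")
        # A client must not be told to reach its own LAN through the tunnel.
        targets = [cn] if cn is not None else list(behind)
        for target in targets:
            if target in behind and net.overlaps(behind[target]):
                findings.append(f"push route {net} sends {target} its own network")
        # The server needs its LAN or a local route to forward the pushed network.
        if not any(net.subnet_of(known) for known in [lan, *behind.values()]):
            findings.append(f"push route {net}: server has no route to this network")
    return findings


if __name__ == "__main__":
    print(check_route_plan(SERVER_LAN, LOCAL_ROUTES, PUSH_ROUTES) or "plan is consistent")
```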

Functional test

  1. In the Status → System status menu, check whether the WAN chain containing the OpenVPN tunnel has been started.

  2. In the Status → System details → OpenVPN menu, check which OpenVPN clients are currently connected to the server.

  3. In the Help → Debugging menu, use the Ping tool to try pinging the IP addresses added in the local routes.

Troubleshooting

  • Change to the Status → Log view menu and check the messages in the OpenVPN log.

  • You may temporarily disable the netfilters in the Netfilter → IP filter menu to find out whether inadequate filter settings prevent connections.


1. Never upload the CA key anywhere; it must be shut away in any case.
2. This adds a WAN chain containing an OpenVPN tunnel with the associated firewall rules.
3. In case of the server, these are the Certificate, the secret CA key, the server certificate and the secret server key. The certificates and keys can also be bundled in a PKCS12 container. A password may be required for the import.
4. If the Prepare for OpenVPN option is used in the Startup wizard, this will add suitable firewall rules for an OpenVPN client. The rule for tunnel establishment is edited here to adjust it for an OpenVPN server.
5. This local route tells the server that the network 192.168.20.0 is behind the client Client1 in the OpenVPN network.
6. This local route tells the server that the network 192.168.30.0 is behind the client Client2 in the OpenVPN network.
7. This route will be communicated to the two client routers so that they know that the network 192.168.10.0 is accessible via the OpenVPN network.
8. If no Common Name is specified, this will be communicated to all clients in the OpenVPN network.
9. This route will be communicated to the client with the Common Name Client2 so that it knows that the network 192.168.20.0 is accessible via the OpenVPN network (behind Client1).
10. This route will be communicated to the client with the Common Name Client1 so that it knows that the network 192.168.30.0 is accessible via the OpenVPN network (behind Client2).