The routers of INSYS icom can act as an OpenVPN server and/or establish connections to an OpenVPN server as an OpenVPN client.

This Configuration Guide shows how to configure an INSYS icom router as an OpenVPN server.

The description in this Configuration Guide follows a configuration in the new user interface (web interface) available from icom OS 5.5. Update your router to the latest version of icom OS for the required functionality of the new user interface. The description of this configuration in the classic web interface is available in this Configuration Guide.

Situation

The router shall be configured as a server for an OpenVPN network with two clients. The OpenVPN server has the local network 192.168.10.0/24 in this example. The OpenVPN client with the Common Name Client1 has the local network 192.168.20.0/24 and the OpenVPN client with the Common Name Client2 has the local network 192.168.30.0/24.

Solution

The Startup wizard of the router allows an optional OpenVPN connection to be prepared in addition to the configuration of Internet access. The necessary certificate structure must be generated in advance. The Configuration Guide for Creating a Certificate Structure Using XCA provides instructions for this.

The following certificates and keys are necessary:

| File | Upload to | Secret | Common Name for this example |
|---|---|---|---|
| CA certificate | Server, clients | No | |
| CA key | | Yes [1] | |
| Server certificate | Server | No | Server |
| Server key | Server | Yes | |
| Client certificate (separate for each client) | Client | No | Client1, Client2 |
| Client key (separate for each client) | Client | Yes | |

The following procedure assumes that the router is in default settings.

Warning: If you configure an OpenVPN server on your router, you make its network accessible from the outside. Even though an OpenVPN network allows a high degree of security, it may pose a security vulnerability if it is configured inadequately. The following procedure provides assistance for the easy configuration of a server for an OpenVPN network. You are solely responsible for the protection of the OpenVPN network!

Warning: Update your router to icom OS 7.3 or later first! All encryption algorithms that are no longer considered sufficiently secure have been removed starting with this version, which eliminates the possibility of such algorithms being used inadvertently.

  1. Open the user interface of the router in a browser: insys.icom [2]

  2. Click To Startup Wizard on the startup screen under Startup Wizard. [3]

  3. Click on START in the Wizards → Startup wizard menu.

  4. If necessary, change the time and synchronisation settings and click on NEXT.

  5. Enter the credentials required for authentication (or configure an Authentication through certificates) and click on NEXT.

  6. Configure the Internet connection and click on NEXT.

  7. Activate the Configure VPN switch and select OpenVPN server under Type of VPN connection.

  8. Optional: check the checkbox Allow communication between clients if this should be possible.

  9. Upload the required certificates and keys. [4]

  10. Click on the plus icon behind OpenVPN server routes to add a route: [5]

    • Network address: 192.168.20.0 / 24

    • Common name: Client1

  11. Click on the plus icon behind OpenVPN server routes to add a route: [6]

    • Network address: 192.168.30.0 / 24

    • Common name: Client2

  12. Click on NEXT.

  13. Click on the plus icon behind LAN settings to add an IP network: [7]

    • IP address: 192.168.10.1 / 24

    • Ports: check Port 1.2

    • Uncheck DHCP server or specify the range of addresses to be assigned if the router is supposed to act as a DHCP server in the local network.

  14. Click on NEXT.

  15. Optional: Activate the Configure icom Router Management switch and load a configuration for icom Router Management onto the router.

  16. Click on RUN WIZARD.

  17. Observe the execution of the wizard and click on EXIT WIZARD.

Note: There are further options for configuring the OpenVPN server that can be adjusted as required. The tunnel addresses are only used for internal VPN routing and only need to be adjusted if they overlap with IP ranges that are already in use.

Note: Since several tunnels can exist at the same time, the server must know the networks of the clients and add the corresponding local routes. Using these routes, the server determines which data packets are sent through which tunnel to the correct client. To differentiate the tunnels, the routes are assigned using the Common Name of the client certificate, which is sent to the server during authentication. These routes appear in the routing table of the router.
The push routes are communicated to the client routers so that they know which networks are behind the tunnel on the OpenVPN server side. The clients enter these routes in their local routing table.
The routes are not checked for plausibility.
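
Because the router does not check the routes itself, the plan can be checked before it is entered in the wizard. The following script is an added example, not part of icom OS or of the original guide; it uses the networks and Common Names from this guide, while the tunnel network 10.1.0.0/24 is a constructed placeholder that must be replaced with the tunnel addresses shown in the wizard.

```python
import ipaddress
from itertools import combinations

# Values from this guide. TUNNEL_NET is a constructed placeholder: the guide
# does not state the router's tunnel addresses, so read them from the wizard.
SERVER_LAN = "192.168.10.0/24"
TUNNEL_NET = "10.1.0.0/24"
CLIENT_ROUTES = [("Client1", "192.168.20.0/24"), ("Client2", "192.168.30.0/24")]


def check_route_plan(server_lan, tunnel_net, client_routes):
    """Return a list of problems; an empty list means the plan is plausible."""
    problems, parsed = [], []
    entries = [("server LAN", server_lan), ("tunnel network", tunnel_net)]
    entries += [(f"route via {cn!r}", cidr) for cn, cidr in client_routes]
    for label, cidr in entries:
        try:
            # strict=True rejects host bits, e.g. 192.168.20.1/24 entered
            # as a network address.
            parsed.append((label, ipaddress.ip_network(cidr, strict=True)))
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    # Two overlapping networks make the tunnel selection ambiguous or
    # shadow the local LAN or the tunnel addresses.
    for (la, na), (lb, nb) in combinations(parsed, 2):
        if na.overlaps(nb):
            problems.append(f"{la} ({na}) overlaps {lb} ({nb})")
    # Routes are bound to the certificate Common Name, so an empty or
    # whitespace-padded name will never match a connecting client.
    for cn, _ in client_routes:
        if not cn or cn != cn.strip():
            problems.append(f"suspicious Common Name {cn!r}")
    return problems


if __name__ == "__main__":
    result = check_route_plan(SERVER_LAN, TUNNEL_NET, CLIENT_ROUTES)
    for line in result or ["route plan OK"]:
        print(line)
```

An empty result only means that the entries are consistent with each other; the Common Names must still match the certificates created for the clients exactly.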

Functional test

  • Open the Status → Dashboard page in the menu and observe the establishment of the WAN chain with the OpenVPN tunnel in the WAN chain section.

  • Open the Administration → Debugging page in the menu and click on OPEN DEBUG TOOLS. Select the Ping tool and try to ping the IP addresses defined in the local routes.

Troubleshooting

  • The status of the WAN chain and its interfaces is displayed on the Status → Dashboard page. If an interface does not achieve the online condition, its condition can also be examined on this page.

  • Check the messages in the OpenVPN log in the Status → Log-View menu. [8]

  • Disable the IP filters for IPv4 in the Network → Firewall / NAT menu under Settings IP filter to check whether incorrect filter settings are the reason for connection problems.



1. Never upload the CA key anywhere; it must always remain protected.
2. Standard IP address: 192.168.1.1; authentication depending on configuration; default for past firmware versions: User name: insys, Password: icom
3. If the router is not in factory settings, the startup screen is not displayed; the Startup Wizard can then be started in the Wizards → Startup Wizard menu.
4. For the server, these are the CA certificate, the secret CA key, the server certificate and the secret server key. The certificates and keys can also be bundled in a PKCS12 container. It may be possible that a password is necessary for import.
5. This local route informs the server that the network 192.168.20.0 is located behind the client Client1 in the OpenVPN network. At the same time, a push route is added that informs the other client routers that the network 192.168.20.0 can be reached via the OpenVPN network.
6. This local route informs the server that the network 192.168.30.0 is located behind the client Client2 in the OpenVPN network. At the same time, a push route is added that informs the other client routers that the network 192.168.30.0 can be reached via the OpenVPN network.
7. This assigns the address 192.168.10.1 in the local system network to the router and assigns port 1.2 to this network. At the same time, a push route is added that informs the other client routers that the network 192.168.10.0 can be reached via the OpenVPN network.
8. The selection of log files is limited to files that already contain entries.