Configure an OpenVPN server

The new OpenVPN server configuration is displayed.

The OpenVPN server is enabled by default. To disable, toggle off Enable.

• TUN (OpenVPN managed)
• TAP - OpenVPN managed
• TAP - Device only

See OpenVPN for information about OpenVPN server modes.

1. For Zone, select the firewall zone for the OpenVPN server. For TUN device types, this should be set to Internal to treat clients as LAN devices.
2. (Optional) Select the Metric for the OpenVPN server. If multiple active routes match a destination, the route with the lowest metric will be used. The default setting is 0.
3. For Address, type the IP address and subnet mask of the OpenVPN server.
4. (Optional) For First IP address and Last IP address, set the range of IP addresses that the OpenVPN server will use when providing IP addresses to clients. The default is from 80 to 99.

1. Select the Authentication type:
   • Certificate only: Uses only certificates for client authentication. Each client requires a public and private key.
   • Username/password only: Uses a username and password for client authentication. You must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions.
   • Certificate and username/password: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions.
2. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example, server.crt), the Private key (for example, server.key), and the Diffie Hellman key (usually in dh2048.pem) into their respective fields. The contents will be hidden when the configuration is saved.

Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

> config
(config)>

(config)> add vpn openvpn server name
(config vpn openvpn server name)>

where name is the name of the OpenVPN server.

The OpenVPN server is enabled by default. To disable the server, type:

(config vpn openvpn server name)> enable false
(config vpn openvpn server name)>

(config vpn openvpn server name)> device_type value
(config vpn openvpn server name)>

where value is one of:

• TUN (OpenVPN managed)—Also known as routing mode. Each OpenVPN client is assigned a different IP subnet from the OpenVPN server and other OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server.
• TAP - OpenVPN managed—Also know as bridging mode. A more advanced implementation of OpenVPN. The Connect EZ 4/4i device creates an OpenVPN interface and uses standard interface configuration (for example, a standard DHCP server configuration).
• TAP - Device only—An alternate form of OpenVPN bridging mode, in which the device, rather than OpenVPN, controls the interface configuration. If this method is is, the OpenVPN server must be included as a device in either an interface or a bridge.

See OpenVPN for information about OpenVPN modes. The default is tun.

1. Set the IP address and subnet mask of the OpenVPN server.

   (config vpn openvpn server name)> address ip_address/netmask
   (config vpn openvpn server name)>

2. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to internal to treat clients as LAN devices.

   (config vpn openvpn server name)> zone value
   (config vpn openvpn server name)>

   To view a list of available zones:

   (config vpn openvpn server name)> firewall zone ?
   
   Zone: The zone for the local TUN interface. To treat clients as LAN devices this would usually be
   set to internal.
   Format:
     any
     dynamic_routes
     edge
     external
     internal
     ipsec
     loopback
     setup
   Current value:
   
   (config vpn openvpn server name)>

3. (Optional) Set the route metric for the OpenVPN server. If multiple active routes match a destination, the route with the lowest metric will be used.

   (config vpn openvpn server name)> metric value
   (config vpn openvpn server name)>

   where value is an interger between 0 and 65535. The default is 0.

4. (Optional) Set the range of IP addresses that the OpenVPN server will use when providing IP addresses to clients:
   1. Set the first address in the range limit:

      (config vpn openvpn server name)> server_first_ip value
      (config vpn openvpn server name)>

      where value is a number between 1 and 255. The number entered here will represent the first client IP address. For example, if address is set to 192.168.1.1/24 and server_first_ip is set to 80, the first client IP address will be 192.168.1.80.

      The default is from 80.

   2. Set the last address in the range limit:

      (config vpn openvpn server name)> server_last_ip value
      (config vpn openvpn server name)>

      where value is a number between 1 and 255. The number entered here will represent the last client IP address. For example, if address is set to 192.168.1.1/24 and server_last_ip is set to 99, the last client IP address will be 192.168.1.80.

      The default is from 80.

(config vpn openvpn server name)> port port
(config vpn openvpn server name)>

The default is 1194.

1. To allow the server to manage certificates:

   (config vpn openvpn server name)> autogenerate true
   (config vpn openvpn server name)>

2. To create certificates externally and add them to the server

   (config vpn openvpn server name)> autogenerate false
   (config vpn openvpn server name)>

The default setting is false.

3. If autogenerate is set to false:
   1. Set the authentication type:

      (config vpn openvpn server name)> authentication value
      (config vpn openvpn server name)>

   where value is one of:

   • cert: Uses only certificates for client authentication. Each client requires a public and private key.
   • passwd: Uses a username and password for client authentication. You must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions.

   • cert_passwd: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions.

   2. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert parameter:

      (config vpn openvpn server name)> cacert value
      (config vpn openvpn server name)>

   3. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter:

      (config vpn openvpn server name)> server_cert value
      (config vpn openvpn server name)>

   4. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter:

      (config vpn openvpn server name)> server_key value
      (config vpn openvpn server name)>

   5. Paste the contents of the Diffie Hellman key (usually in dh2048.pem) into the value of the diffie parameter:

      (config vpn openvpn server name)> diffie value
      (config vpn openvpn server name)>

(config)> save
Configuration saved.
>

Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.