Openvpn
From Wiki of WFilter NG Firewall
(Difference between revisions)
(→OpenVPN Client) |
(→User&Pass Clients) |
||
(9 intermediate revisions by one user not shown) | |||
Line 9: | Line 9: | ||
= OpenVPN Server = | = OpenVPN Server = | ||
== Server Settings == | == Server Settings == | ||
− | * Auth | + | * Auth by: "by certificate" or "by user&pass". |
− | + | ** Users & Pass(recommended): authenticate by user & password, only "local users" with "VPN" privilege have VPN access. | |
− | ** Users & Pass: authenticate by user & password, only "local users" with "VPN" privilege have VPN access. | + | ** Certificate: authenticate by certificate, client need to import the certificate created by the server. |
* Protocol and port: connection protocol and port, shall be consistent with the client settings. | * Protocol and port: connection protocol and port, shall be consistent with the client settings. | ||
* Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets. | * Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets. | ||
* Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: '''route 192.168.126.0 255.255.255.0''' | * Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: '''route 192.168.126.0 255.255.255.0''' | ||
+ | * Auth Type: | ||
+ | ** "Local Auth": authenticate with username and password of local accounts. Only "local users" with "VPN" priviledge have VPN access. | ||
+ | ** "Email Auth": send credentials to a pop/imap email server for authentication. | ||
+ | ** "Ldap Auth": send credentials to a ldap server for authentication. | ||
+ | ** "Radius Auth": send credentials to a remote radius server for authentication. | ||
+ | |||
[[File:openvpn_settings1.png|800px]] | [[File:openvpn_settings1.png|800px]] | ||
Line 22: | Line 28: | ||
* "Client Subnets" defines client subnets for site-to-site VPN. | * "Client Subnets" defines client subnets for site-to-site VPN. | ||
* "Client Subnets" defines client subnets for server to access client networks. For example: '''192.168.126.0 255.255.255.0''' | * "Client Subnets" defines client subnets for server to access client networks. For example: '''192.168.126.0 255.255.255.0''' | ||
+ | * For "Client IP", DHCP is enough for most cases. You also can setup a static ip address for a client, so you can configure firewall ACL rules to limit the accessible resources for this ip address. | ||
* For user & pass authentication clients, the client id shall be client username. | * For user & pass authentication clients, the client id shall be client username. | ||
* For certificate authentication clients, you need to download and import the client certificate in client side. | * For certificate authentication clients, you need to download and import the client certificate in client side. | ||
Line 53: | Line 60: | ||
= Windows Clients = | = Windows Clients = | ||
− | |||
* Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html | * Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html | ||
* Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt". | * Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt". | ||
− | * | + | * Download client configuration. |
+ | |||
+ | [[File:openvpn_exportconfig.png|800px]] | ||
+ | |||
+ | == User&Pass Clients == | ||
+ | |||
+ | * Download the config file into the config directory of openvpn, with file content format: | ||
<pre> | <pre> | ||
client | client | ||
Line 68: | Line 80: | ||
verb 3 | verb 3 | ||
auth-user-pass #auth by username | auth-user-pass #auth by username | ||
+ | <ca> | ||
+ | #embeded CA certificate, you can post CA content here. If your client supports embeded CA, "ca ca.crt" is not needed. | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | ...... | ||
+ | -----END CERTIFICATE----- | ||
+ | </ca> | ||
</pre> | </pre> | ||
Line 97: | Line 115: | ||
VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow): | VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow): | ||
+ | |||
+ | * Example 1, allow VPN users to access all LAN resources: | ||
[[File:openvpn_firewall01.png|800px]] | [[File:openvpn_firewall01.png|800px]] | ||
+ | |||
+ | * Example 2, allow access to target subnet only: | ||
+ | |||
+ | [[File:openvpn_firewall02.png|800px]] | ||
[[Category:VPN]] | [[Category:VPN]] |
Latest revision as of 17:19, 30 June 2023
Contents |
[edit] 1 Introduction
- OpenVPN is an open-source software application that implements VPN based on SSL. These two modules can setup OpenVPN tunnels in WFilter NG Firewall.
- OpenVPN Server: provide VPN service for remote access and site-to-site VPN server.
- OpenVPN Client: VPN client to connect other OpenVPN servers.
[edit] 2 OpenVPN Server
[edit] 2.1 Server Settings
- Auth by: "by certificate" or "by user&pass".
- Users & Pass(recommended): authenticate by user & password, only "local users" with "VPN" privilege have VPN access.
- Certificate: authenticate by certificate, client need to import the certificate created by the server.
- Protocol and port: connection protocol and port, shall be consistent with the client settings.
- Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets.
- Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: route 192.168.126.0 255.255.255.0
- Auth Type:
- "Local Auth": authenticate with username and password of local accounts. Only "local users" with "VPN" priviledge have VPN access.
- "Email Auth": send credentials to a pop/imap email server for authentication.
- "Ldap Auth": send credentials to a ldap server for authentication.
- "Radius Auth": send credentials to a remote radius server for authentication.
[edit] 2.2 Client Subnets
- "Client Subnets" defines client subnets for site-to-site VPN.
- "Client Subnets" defines client subnets for server to access client networks. For example: 192.168.126.0 255.255.255.0
- For "Client IP", DHCP is enough for most cases. You also can setup a static ip address for a client, so you can configure firewall ACL rules to limit the accessible resources for this ip address.
- For user & pass authentication clients, the client id shall be client username.
- For certificate authentication clients, you need to download and import the client certificate in client side.
[edit] 2.3 CA Certificate
- CA certificate: the CA certificate which shall be imported into openVPN client directory, you can click "Replace" to generate a new certificate.
[edit] 3 OpenVPN Client
OpenVPN client can connect to multiple OpenVPN servers.
- Server ID:unique server ID, alphabet and numeric charactors only.
- Remote server: remote openvpn server domains or IP addresses. You can have multiple remote entries for load balance between servers. One server per line.
- Protocol and port.
- Proxy: connect to remote proxy OpenVPN server via a HTTP proxy.
- Auth Type:
- User & Pass: Authenticate by username and password.
- Certificate: Authenticate by certificate files created in server.
- CA Certificate
You can check and import CA certificate. A client shall have the server's CA to establish a SSL connection.
[edit] 4 Windows Clients
- Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html
- Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt".
- Download client configuration.
[edit] 4.1 User&Pass Clients
- Download the config file into the config directory of openvpn, with file content format:
client dev tun proto udp #Connection protocol, same as the server settings. remote 192.168.1.246 1194 #Server IP(domain) and port nobind persist-key persist-tun ca ca.crt #ca.crt filename, same directory with the myvpn.ovpn verb 3 auth-user-pass #auth by username <ca> #embeded CA certificate, you can post CA content here. If your client supports embeded CA, "ca ca.crt" is not needed. -----BEGIN CERTIFICATE----- ...... -----END CERTIFICATE----- </ca>
[edit] 4.2 Certificate Clients
- configure file:
client dev tun proto udp #Connection protocol, same as the server settings. remote 192.168.1.246 1194 #Server IP(domain) and port nobind persist-key persist-tun ca ca.crt #ca.crt filename, same directory with the myvpn.ovpn verb 3 cert vpnuser.crt #Exported client certificate key vpnuser.key #Exported client certificate key
- Now you can launch "OpenVPN GUI" with administrator privilege, input correct username and password to access VPN.
[edit] 5 Firewall Rules
VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow):
- Example 1, allow VPN users to access all LAN resources:
- Example 2, allow access to target subnet only: