Openvpn
From Wiki of WFilter NG Firewall
				
								
				(Difference between revisions)
				
																
				
				
								
				|  (→Firewall Rules) |  (→OpenVPN Client) | ||
| Line 37: | Line 37: | ||
| OpenVPN client can connect to multiple OpenVPN servers. | OpenVPN client can connect to multiple OpenVPN servers. | ||
| * Server ID:unique server ID, alphabet and numeric charactors only. | * Server ID:unique server ID, alphabet and numeric charactors only. | ||
| − | * Remote server: remote openvpn server  | + | * Remote server: remote openvpn server domains or IP addresses. You can have multiple remote entries to load balance between the servers. One server per line. | 
| * Protocol and port. | * Protocol and port. | ||
| * Certificate: certificate file created in server. | * Certificate: certificate file created in server. | ||
Revision as of 15:48, 10 May 2018
| Contents | 
1 Introduction
-  OpenVPN is an open-source software application that implements VPN based on SSL. These two modules can setup OpenVPN tunnels in WFilter NG Firewall.
- OpenVPN Server: provide VPN service for client to access.
- OpenVPN Client: VPN client to connect other OpenVPN servers.
 
2 OpenVPN Server
2.1 Server Settings
-  Auth Type: "by certificate" or "by user&pass".
- Certificate: auth by certificate, client need to import the certificate created by the server.
- Users & Pass: auth by user&password, only "local users" with "VPN" priviledge have VPN access.
 
- Protocol and port: connection protocol and port, shall be consistent with the client settings.
- Client Subnet: WFilter's openVPN works in "subnet" mode. In this mode, OpenVPN will setup a new subnet, which can not same as existing LAN subnets.
- Push Route: The subnets will be pushed to clients routing table, so client can access server's subnets. For example: route 192.168.126.0 255.255.255.0
2.2 Client Settings
- You can only create clients in "by certificate" authenticate type.
- Certificate clients can be other WFilter NGF severs or windows clients.
- "Client Subnets" defines client subnets for server to access client networks. For example: 192.168.126.0 255.255.255.0
- You need to download the client definition and import it in client side.
2.3 CA Certificate
- CA certificate: the CA certificate which shall be imported into openVPN client directory, you can click "Replace" to generate a new certificate.
3 OpenVPN Client
OpenVPN client can connect to multiple OpenVPN servers.
- Server ID:unique server ID, alphabet and numeric charactors only.
- Remote server: remote openvpn server domains or IP addresses. You can have multiple remote entries to load balance between the servers. One server per line.
- Protocol and port.
- Certificate: certificate file created in server.
- Proxy: connect to remote proxy OpenVPN server via a HTTP proxy.
4 Windows Clients
4.1 User&Pass Clients
- Download and install the offical openvpn client: https://openvpn.net/index.php/open-source/downloads.html
- Download CA certificate in WFilter NG Firewall, copy it to openvpn's config directoy with name "ca.crt".
- In config directory of openvpn, create a new text file named "myvpn.ovpn", with below content:
client dev tun proto udp #Connection protocol, same as the server settings. remote 192.168.1.246 1194 #Server IP(domain) and port nobind persist-key persist-tun ca ca.crt #ca.crt filename, same directory with the myvpn.ovpn verb 3 auth-user-pass #auth by username
4.2 Certificate Clients
- configure file:
client dev tun proto udp #Connection protocol, same as the server settings. remote 192.168.1.246 1194 #Server IP(domain) and port nobind persist-key persist-tun ca ca.crt #ca.crt filename, same directory with the myvpn.ovpn verb 3 cert vpnuser.crt #Exported client certificate key vpnuser.key #Exported client certificate key
- Now you can launch "OpenVPN GUI" with administrator privilege, input correct username and password to access VPN.
5 Firewall Rules
VPN access to LAN is controlled by firewall rules. For example, if you want to allow vpn access to all LAN clients, you need to add a firewall rule(Interface:WAN, Type: FORWARD, Action: Allow):








