| 
Connecting an SSL VPN between an ImageStream Router and a Windows PC Using OpenVPN
ImageStream's version 4.2 releases include support for the highly secure SSL VPN tunnels. A detailed explanation of basic SSL VPN configurations using the OpenVPN software on ImageStream routers is available in the ImageStream Router Installation Manual. The SSL tunnel interface mode for Inetics devices uses the OpenVPN suite and allows IP packet tunneling inside encrypted UDP or TCP packets. The protocol is designed to be lightweight and simple, and to work seamlessly with dynamic addresses, NAT and SOCKS proxies. An OpenVPN tunnel device is a standard network device and may be configured in the same manner as all physical devices and subinterfaces. If your configuration requires dynamic routing (BGP, OSPF, RIP) or metric-based static routing failover configurations, you should use the OpenVPN SSL tunnels. Unlike CIPE tunnels or other tunnels supported by the ImageStream router, OpenVPN tunnels use the standard hardware and protocol status functions and may be used with configurations that rely on interface status. ImageStream Linux 4.2 or later releases provide support for OpenVPN tunnels. An ImageStream router's OpenVPN implementation can interoperate with any OpenVPN client on any operating system. OpenVPN tunnels are controlled by a virtual Tunnel interface configured in the interface configuration file. The interface is configured similarly to a Serial WAN interface. For this example, we will use this configuration showing a point-to-point between an ImageStream router and a Windows PC running the OpenVPN client. In the example below, we will use a network configuration that has a single local Ethernet segment and a single Serial device. All Quality of Service rules are applied in the transmit direction. Once traffic has arrived at the router, bandwidth usage has already happened and quality of service in the receive direction would have little effect.
====ETHERNET===================== 172.16.0.0/16 ===
|
| LAN IP: 172.16.0.1
+-------+--------+
| Ethernet0 |
| |
| Router A |
| |
| Serial0 |
+-------+--------+
| WAN IP: 210.145.243.1 (255.255.255.252)
|
====INTERNET/WAN=================
|
| IP: Dynamically assigned
+-------+--------+
| Windows PC |
+-------+--------+
Before You Start
The configurations listed in this section may not match ones suitable for use on your network. Any device names, IP addresses, tunnel keys or bandwidth values are provided as examples. You will need to change the commands in the examples below to match the settings suitable for your network.
Configuring the ImageStream Router for an OpenVPN tunnel
For detailed information on the meaning of OpenVPN tunnel commands, please see the ImageStream Router Installation manual. The configuration below assumes that the Windows PC uses a dynamic IP address. For staticly addressed Windows clients, enter that address instead of "0.0.0.0" below.
In the example diagram above, the ImageStream Router will use the following configuration:
!
interface Tunnel0
description Tunnel to Windows Laptop
bandwidth 384000
tunnel mode openvpn
tunnel source 210.145.243.1 5000
tunnel destination 0.0.0.0 5000
tunnel options --secret /etc/openvpn/test.key --dev-type tap --float --disable-occ
ip address 192.168.45.1 255.255.255.252
pointopoint address 192.168.45.2
!
Please note the use of a separate key file ("/etc/openvpn/test.key"). For ease of configuration, ImageStream recommends using a separate key file instead of specifying a key for replication in the main configuration file (wan.conf). To generate an OpenVPN key from the router's Bash shell, run the command:
openvpn --genkey --secret /etc/openvpn/test.key
Make sure to copy the identical key file to both the ImageStream Router and the Windows PC. The configuration above also includes three other options required for interoperation between the ImageStream Router and Windows PC.
The configuration on the ImageStream router also includes three other special options:
The --dev-type tap option configures the OpenVPN tunnel for TAP mode. In TAP mode, the OpenVPN tunnel will use Ethernet frames. TAP mode operation is recommended for full interoperability with the Windows OpenVPN client.
The --float command enables the ImageStream Router to accept connections from a client whose IP address and port may change, due to DHCP or NAT configurations. The router will still use the key to authenticate the connection and ensure that only properly configured and authorized clients can create a VPN tunnel.
The --disable-occ option enables the ImageStream Router to accept connections from different client versions, or from client versions that have different options enabled. The options consistency check can be enabled for stricter security checks, but may create problems if the Windows client configuration does not match the router's configuration exactly. The router will still use the key to authenticate the connection and ensure that only properly configured and authorized clients can create a VPN tunnel.
To install and operate the OpenVPN client for Windows, please follow the instructions listed at the OpenVPN Web site: http://openvpn.sourceforge.net. In the example above, the Windows PC will use the following configuration file:
***** Begin Windows config file *****
# Network type (tun for routed, tap for ethernet bridging).
dev tap
# enable LZO compression
comp-lzo
# Moderate logging
verb 4
mute 10
#
# Detect a dead peer.
#
ping-restart 15
ping-timer-rem
persist-tun
persist-key
# keep-alive ping
ping 5
float
disable-occ
############################
# Non-X.509 configurations #
############################
#Specify the secret here, or point to a file
secret test.key
#####################################
# SITE-SPECIFIC SETTINGS #
# (usually different for each user) #
#####################################
#Tunnel's UDP port
port 5000
#Remote peer
remote 210.145.243.1
# Set the IP address and netmask of the OpenVPN interface.
ifconfig 192.168.45.2 255.255.255.252
# Protocol [tcp-server | tcp-client | udp] Default is udp, usually best.
# proto udp
***** End Windows Config File *****
|
