OpenVPN: Configuring server using X.509 Certificates

The ACM5000, ACM5500, IM7200 and IM4200 products with Firmware V3.2 and later each have OpenVPN clients and server software embedded. 

OpenVPN allows secure VPN tunneling of data through a single TCP/UDP port over an unsecured network. So an OpenVPN tunnel could be established between a roaming Windows client and an Opengear console server within a data centre. Or OpenVPN tunnels could be set up between distributed ACM5004-2-G edge devices (which may not have any publicly accessible IP addresses allocated from their carrier) and some third party OpenVPN server at the enterprise central management site. 

Configuring OpenVPN can be complex so Opengear provides a simple GUI interface for basic set up. However a lot more detailed information on the OpenVPN Access server and client can be found in the many HOW TO and FAQ documents on the www.openvpn.net site. 

 (Note: Make sure that the console server system time is correct when working with OpenVPN. Otherwise authentication issues may arise)

Adding OpenVPN Server Tunnel

• Select OpenVPN on the Serial & Networks menu
• Click Add and complete the Add OpenVPN Tunnel screen
  
  
  
  
  
  
• Enter a descriptive name you wish to identify the OpenVPN Tunnel, for example server1-VPN
• Leave the  Enabled box unchecked to prevent OpenVPN from starting before certificates have been uploaded. We will come back to this page and Enable the tunnel once the certificates have been loaded.
  
  
• Check Control by Auto-Response if the tunnel is to be controlled by "Network Interface" Auto-Response action. If selected, the default state for the tunnel will be Down
• Select PKI (X.509 Certificates)
• Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel.
• Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.

• Check or uncheck the Compression button to enable or disable compression, respectively 
• Select Server Mode
• Set the Local Port to a different port or leave it as the default port 1194
• Set IP Pool Networking and Netmask which will be allocated to clients. If you are not using the standard /24 /16 private IP then I suggest using a Subnet Calculator http://www.subnet-calculator.com/ to workout the Netmask
  
  eg
  IP Pool Network: 172.16.100.0
  IP Pool Netmask: 255.255.255.0
  
  
• Click Apply to save the changes

Manage OpenVPN Certificate Files

• Once the initial tunnel has been created, it's time to load the certificates files.
• Select OpenVPN on the Serial & Networks menu, find the tunnel name that was created earlier and click on the Edit link
• Select the Manage OpenVPN Files tab
• Click on the Root CA Certificate Browse button and select the ca.crt file that was created earlier
• Click on the Certificate File Browse button and select the server1.crt file that was created earlier
• Click on the Private Key FileBrowse button and select the server1.key file that was created earlier
• Click on the Diffie-Hellman File Browse button and select the dh1024.pem file that was created earler
• Click the Apply button to save
• Saved files will be displayed in red on the right-hand side of the Upload button.
• To enable OpenVPN, find the server1-VPN tunnel name that was created earlier and click on the Edit link
• Check the Enabled button and click Apply to save changes.
• Select Statistics on the Status menu to verify that the tunnel is operational. 
  
  

Windows OpenVPN Server or an OpenVPN Client

For details on installing an OpenVPN Windows client (or server) and connecting to your console server OpenVPN server (or client) refer Configuring a Windows OpenVPN client or server