OpenVPN: Configuring client using X.509 Certificates

.

The ACM5000, ACM5500, IM7200 and IM4200 products with Firmware V3.2 and later each have OpenVPN clients and server software embedded. 

OpenVPN allows secure VPN tunneling of data through a single TCP/UDP port over an unsecured network. So an OpenVPN tunnel could be established between a roaming Windows client and an Opengear console server within a data centre. Or OpenVPN tunnels could be set up between distributed ACM5004-2-G edge devices (which may not have any publicly accessible IP addresses allocated from their carrier) and some third party OpenVPN server at the enterprise central management site. 

Configuring OpenVPN can be complex so Opengear provides a simple GUI interface for basic set up. However a lot more detailed information on the OpenVPN Access server and client can be found in the many HOW TO and FAQ documents on the www.openvpn.net site. 

 (Note: Make sure that the console server system time is correct when working with OpenVPN. Otherwise authentication issues may arise)

Adding OpenVPN Client Tunnel

• Select OpenVPN on the Serial & Networks menu
• Click Add and complete the Add OpenVPN Tunnel screen
  
  
  
  
  
  
• Enter a descriptive name you wish to identify the OpenVPN Tunnel, for example client1-VPN
• Leave the  Enabled box unchecked to prevent OpenVPN from starting before certificates have been uploaded. We will come back to this page and Enable the tunnel once the certificates have been loaded.
  
  
• Check Control by Auto-Response if the tunnel is to be controlled by "Network Interface" Auto-Response action. If selected, the default state for the tunnel will be Down
• Select PKI (X.509 Certificates)
• Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel.
• Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.

• Check or uncheck the Compression button to enable or disable compression, respectively 
• Select Client Mode
• Set Primary Server Address to the OpenVPN server FQDN or IP address
• Set the Primary Server Port to a different port or leave it as the default port 1194
• The Secondary Server Address and Port is optional
• Set Remote Network and Remote Subnet Mask is optional. The OpenVPN server should provide this info during connection.
  
  eg
  IP Pool Network: 172.16.100.0
  IP Pool Netmask: 255.255.255.0
  
  
• Click Apply to save the changes

Manage OpenVPN Certificate Files

• Once the initial tunnel has been created, it's time to load the certificates files.
• Select OpenVPN on the Serial & Networks menu, find the tunnel name that was created earlier and click on the Edit link
• Select the Manage OpenVPN Files tab
• Click on the Root CA Certificate Browse button and select the ca.crt file that was created earlier
• Click on the Certificate File Browse button and select the client1.crt file that was created earlier
• Click on the Private Key FileBrowse button and select the client1.key file that was created earlier
• Diffie-Hellman File is not required on the client configuration
• Click the Apply button to save
• Saved files will be displayed in red on the right-hand side of the Upload button.
• To enable OpenVPN, find the tunnel name that was created earlier and click on the Edit link
• Check the Enabled button and click Apply to save changes.
• Select Statistics on the Status menu to verify that the tunnel is operational.