Scribd
Upload
178 views3 pages

Basic Openvpn Client-Server Configuration

This document provides a basic configuration example for an OpenVPN client-server VPN setup. It describes configuring one central router as the OpenVPN server and two branch office routers as clients. The server is configured to authenticate clients using certificates and push a route to its private LAN subnet. Each client is configured with its certificate and key to connect to the server and given its own subnet on the VPN.

Uploaded by

masterlinh2008
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
178 views3 pages

Basic Openvpn Client-Server Configuration

This document provides a basic configuration example for an OpenVPN client-server VPN setup. It describes configuring one central router as the OpenVPN server and two branch office routers as clients. The server is configured to authenticate clients using certificates and push a route to its private LAN subnet. Each client is configured with its certificate and key to connect to the server and given its own subnet on the VPN.

Uploaded by

masterlinh2008
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Portal > Knowledgebase > VPN > OpenVPN > Basic OpenVPN Client-Server Configuration

Basic OpenVPN Client-Server Configuration


Yuriy Andamasov - 2020-08-21 - 0 Comments - in OpenVPN

Introduction
In addition to site-to-site configuration, OpenVPN also supports a client-server model for
VPNs. This mode is more popular than using it in site-to-site mode, and allows for multiple
remote client connections to a single centralized server.

In this mode, you might have multiple configured sites connecting to a single centralized
router. For instance, you may have several branch offices, as well as a central headquarter
office with your central router. The central router can serve as the OpenVPN server, with the
branch office routers acting as OpenVPN clients.

The use of server-client VPNs in OpenVPN requires X.509 certificates to be setup. If you do
not have an existing PKI (Public Key Infrastructure), you may set up a simple one using this
guide.

Configuration Example
Network Specifications
In our example configuration, we will be using the following layout and goals for our
network:

Routers:

Three VyOS routers; one OpenVPN server, and two OpenVPN clients.
Server router: central-rtr, located at the central office.
First client router: branch1-rtr, located at the first branch.
Second client router: branch2-rtr, located at the second branch.

Networks and Addresses:

central-rtr has a public IP address of [Link].


central-rtr has a private physical LAN that needs to be accessible through the
client VPNs. The LAN's subnet is [Link]/24.
Both branch routers have dynamic public IP addresses.
The address range for the tunnel endpoints for clients will be in [Link]/24.
Each client will have a /24-size subnet assigned to it in the [Link]/16 range.
branch1-rtr will have the tunnel endpoint address of [Link] and the subnet
of [Link]/24 assigned to it.
branch2-rtr will have the endpoint address of [Link] and the subnet of
[Link]/24.

X.509 Certificate Information:

Root CN (Common Name): my-root-ca.


Server CN: central.
Server key name: [Link].
Branch 1 CN: branch1.
Branch 1 client key name: [Link].
Branch 2 CN: branch2.
Branch 2 client key name: [Link].

All above certs are signed against our root cert. The file locations for the relevant files will
be in each of the routers at the path /config/auth/ovpn/

Configuring the Server


Firstly, we need to configure our central-rtr to act as our OpenVPN server.

In configuration mode, issue the following commands:

set interface openvpn vtun0 mode 'server'


set interface openvpn vtun0 server subnet [Link]/24
set interface openvpn vtun0 persistent-tunnel
set interface openvpn vtun0 protocol udp
set interface openvpn vtun0 tls ca-cert-file
'/config/auth/ovpn/[Link]'
set interface openvpn vtun0 tls cert-file
'/config/auth/ovpn/[Link]'
set interface openvpn vtun0 tls dh-file
'/config/auth/ovpn/[Link]'
set interface openvpn vtun0 tls key-file
'/config/auth/ovpn/[Link]'

We also need to install a push-route to push the route of the server's LAN of
[Link]/24 to the clients:

set interfaces openvpn vtun0 server push-route [Link]/24

Now we need to set each of the client's configuration options. Client names are identified by
the CN field in their certs:

set interface openvpn vtun0 server client branch1 ip [Link]


set interface openvpn vtun0 server client branch1 subnet
[Link]/24
set interface openvpn vtun0 server client branch2 ip [Link]
set interface openvpn vtun0 server client branch2 subnet
[Link]/24

Configure the Clients


Now we need to configure the client routers. We'll again assume the proper certificate and
key files have been moved to the /config/auth/ovpn/ directory on each client.

Branch 1's Router:

set interfaces openvpn vtun0 mode client


set interfaces openvpn vtun0 remote-host [Link]
set interfaces openvpn vtun0 tls ca-cert-file
/config/auth/ovpn/[Link]
set interfaces openvpn vtun0 tls cert-file
/config/auth/ovpn/[Link]
set interfaces openvpn vtun0 tls key-file
/config/auth/ovpn/[Link]

We also need to set up a static route to our [Link]/16 subnet on each router, as
OpenVPN does not install this route automatically:

set protocols static interface-route [Link]/16 next-hop-interface


vtun0

Branch 2's Router:

set interfaces openvpn vtun0 mode client


set interfaces openvpn vtun0 remote-host [Link]
set interfaces openvpn vtun0 tls ca-cert-file
/config/auth/ovpn/[Link]
set interfaces openvpn vtun0 tls cert-file
/config/auth/ovpn/[Link]
set interfaces openvpn vtun0 tls key-file
/config/auth/ovpn/[Link]
set protocols static interface-route [Link]/16 next-hop-interface
vtun0

You might also like