Technical Guide
FEATURE OVERVIEW AND CONFIGURATION GUIDE
OpenVPN
Introduction
This guide describes AlliedWare Plus™ OpenVPN and its configuration.
AlliedWare Plus OpenVPN provides a seamless, secure and easy means for employees to have access to the same resources whether they are inside or outside their company premises. Staff members have the ability to work securely from remote locations such as from home or when on business trips.
Products and software version that apply to this guide
This guide applies to AlliedWare Plus products that support Web Control, running version 5.4.5 or later.
To see whether a product supports OpenVPN, see the following documents:
The product’s Datasheet
The AlliedWare Plus Datasheet
The product’s Command Reference
These documents are available from the above links on our website at alliedtelesis.com.
Feature support may change in later software versions. For the latest information, see the above documents.
alliedtelesis.com | C613-22017-00 REV C
Contents
Introduction (page 1)
  Products and software version that apply to this guide (page 1)
What Is OpenVPN? (page 3)
  About OpenVPN TAP mode (page 4)
  About OpenVPN TUN mode (page 4)
  RADIUS attributes supported by OpenVPN (page 5)
Configuration Example (page 7)
  Configuring OpenVPN TAP service (page 7)
  Configuring OpenVPN TAP service and client (page 9)
    Configuring the router for OpenVPN TAP service (page 9)
    Configuring OpenVPN client for TAP service (page 10)
  Configuring OpenVPN TUN service (page 11)
    Configuring the router for OpenVPN TUN service (page 11)
    Configuring OpenVPN client for TUN service (page 13)
Page 2 | OpenVPN
What Is OpenVPN?
AlliedWare Plus OpenVPN is an SSL/TLS-based application used for creating a secure connection from a remote client to a head office. It establishes an encrypted and authenticated tunnel between the client and server and uses that tunnel for transporting traffic from one end to the other.
AlliedWare Plus OpenVPN provides the following benefits:
Full Data Link Layer access
Proven standards-based SSL/TLS authentication and encryption
Implicit firewall/NAT traversal
AlliedWare Plus OpenVPN is built on a solid and industry-tested security foundation with tremendous ease of use. It offers you the flexibility to work in a variety of modes that are easy to understand and hard to make insecure.
AlliedWare Plus OpenVPN provides the following key features:
Protection of IPv4 and IPv6 traffic over a TLS tunnel
Configurable listening UDP port
Concurrent clients, with a max number of 10 by default
Client frame 802.1Q tagging with VID
Server authentication using certificates
Client authentication via RADIUS Server over IPv4 and IPv6
Group network access control based on 802.1Q tagged interfaces
Virtual Tunnel Interface for OpenVPN tunnels
Single OpenVPN tunnel interface
IPv4 and IPv6 as a delivery protocol
Support for TAP mode and TUN mode
Figure 1: AlliedWare Plus OpenVPN
About OpenVPN TAP mode
TAP is a virtual network device. TAP creates a Virtual Tunnel Interface (VTI) that carries Layer 2 frames. You may want to use TAP to transport:
Ethernet frames over a Bridge
Network protocols, such as IPv4, IPv6, IPX
Note that TAP will cause broadcast overhead on the VPN tunnel and add the overhead of Ethernet headers on all packets transported over the VPN tunnel. The distribution of client IP addresses through DHCP is only supported in TAP mode.
About OpenVPN TUN mode
TUN is also a virtual network device. TUN creates a Virtual Tunnel Interface (VTI) that carries Layer 3 packets. You may want to use TUN to:
Transport traffic that is destined for the VPN client
Transport only Layer 3 packets
Support VPN on mobile devices.
Note: TUN cannot be used in bridges and broadcast traffic is not transported in TUN mode.
[Figure 1 labels: SSL VPN; Internet; Head office; Remote worker (three remote workers shown)]
RADIUS attributes supported by OpenVPN
When RADIUS is used for client authentication, there are several attributes that can be configured on the RADIUS server for each user. These attributes provide a mechanism for configuring the user’s network configuration when accessing the network via VPN using the same mechanisms used when connecting directly or by WiFi.
The following attributes are supported by OpenVPN:
ID | Attribute | Type | Specification | Example | Usage
1 | User-Name | string | RFC 2865 | "foo" | Client username
2 | Password | string | RFC 2865 | "bar" | Client password
6 | Service-Type | integer | RFC 2865 | 8 = Authenticate Only | OpenVPN requests login only to the RADIUS server
8 | Framed-IP-Address | ipaddr | RFC 2865 | 10.10.10.50 | IP address to be pushed to the client
9 | Framed-IP-Netmask | ipaddr | RFC 2865 | 255.255.255.0 | IP netmask to be pushed to the client
22 | Framed-Route | string | RFC 2865 | "10.10.11.0/8 10.10.10.1 1" | Route to be pushed to the client
MS-28 | Microsoft-Primary-DNS-Server | ipaddr | RFC 2548 | 10.10.10.1 | Primary DNS to push to the client (if multiple primary DNS servers are provided, only the first one will be used)
MS-29 | Microsoft-Secondary-DNS-Server | ipaddr | RFC 2548 | 10.10.10.2 | Secondary DNS to push to the client (if no primary address is provided, this will be ignored)
97 | Framed-IPv6-Prefix | ipv6prefix | RFC 3162 | "fc00:2::2/64" | IPv6 prefix to be pushed to the client
169 | DNS-Server-IPv6-Address | ipv6addr | RFC 6911 | "fc00:2::1" | IPv6 DNS address to be pushed to the client (without NH)
170 | Route-IPv6-Information | ipv6prefix | RFC 6911 | "fc00:3::/64" | IPv6 route to be pushed to the client
64 | Tunnel-Type | integer | RFC 3580 | 13 = VLAN | Client VLAN assignment. Tag the client traffic if 802.1Q tagging is configured (TAP mode only).
65 | Tunnel-Medium-Type | integer | RFC 3580 | 6 = 802 | Client VLAN assignment. Tag the client traffic if 802.1Q tagging is configured (TAP mode only).
81 | Tunnel-Private-Group-Id | string | RFC 3580 | "20" = VLAN ID 20 | Client VLAN assignment. Tag the client traffic if 802.1Q tagging is configured (TAP mode only).
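The rules in the table above (first primary DNS only, secondary ignored without a primary, the RFC 3580 triple needed for a VLAN assignment and honoured in TAP mode only, Framed-Route as "prefix gateway metric") are easy to get wrong when writing RADIUS user entries. The following script is an added example, not Allied Telesis code: it takes a constructed Access-Accept as a list of (attribute, value) pairs and works out what the client would be pushed, so a RADIUS profile can be checked before a user connects. The reply contents and the sample route prefix are constructed here from the table's example values.

```python
"""Derive the per-client push settings from RADIUS reply attributes.

Added example (not Allied Telesis code). Attribute names follow the table in
the guide; the Access-Accept below is constructed, not captured from a server.
"""
import ipaddress

VLAN_TUNNEL_TYPE = 13       # Tunnel-Type = VLAN (RFC 3580)
IEEE802_MEDIUM_TYPE = 6     # Tunnel-Medium-Type = 802 (RFC 3580)


def parse_framed_route(value):
    """Framed-Route is "prefix gateway [metric]" (RFC 2865); metric defaults to 1."""
    parts = value.split()
    if len(parts) < 2:
        raise ValueError("Framed-Route needs a prefix and a gateway: %r" % value)
    prefix = ipaddress.ip_network(parts[0], strict=False)
    gateway = ipaddress.ip_address(parts[1])
    metric = int(parts[2]) if len(parts) > 2 else 1
    return {"prefix": str(prefix), "gateway": str(gateway), "metric": metric}


def client_push(attributes, mode):
    """Return the settings pushed to a client for a reply given in server order.

    mode is "tap" or "tun"; a VLAN assignment is applied in TAP mode only.
    """
    if mode not in ("tap", "tun"):
        raise ValueError("mode must be 'tap' or 'tun'")
    push = {"routes": [], "routes6": []}
    primary_dns, secondary_dns, vlan = [], [], {}
    for name, value in attributes:
        if name == "Framed-IP-Address":
            push["ip"] = str(ipaddress.IPv4Address(value))
        elif name == "Framed-IP-Netmask":
            push["netmask"] = str(ipaddress.IPv4Address(value))
        elif name == "Framed-Route":
            push["routes"].append(parse_framed_route(value))
        elif name == "Microsoft-Primary-DNS-Server":
            primary_dns.append(str(ipaddress.IPv4Address(value)))
        elif name == "Microsoft-Secondary-DNS-Server":
            secondary_dns.append(str(ipaddress.IPv4Address(value)))
        elif name == "Framed-IPv6-Prefix":
            push["ipv6_prefix"] = str(ipaddress.IPv6Interface(value))
        elif name == "DNS-Server-IPv6-Address":
            push["dns6"] = str(ipaddress.IPv6Address(value))
        elif name == "Route-IPv6-Information":
            push["routes6"].append(str(ipaddress.IPv6Network(value, strict=False)))
        elif name in ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"):
            vlan[name] = value
    # Only the first primary DNS server is used; a secondary is ignored when no
    # primary was sent. Taking only the first secondary mirrors that rule (assumption).
    if primary_dns:
        push["dns"] = [primary_dns[0]]
        if secondary_dns:
            push["dns"].append(secondary_dns[0])
    # A VLAN is assigned only with the full RFC 3580 triple, and only in TAP mode.
    if (mode == "tap"
            and vlan.get("Tunnel-Type") == VLAN_TUNNEL_TYPE
            and vlan.get("Tunnel-Medium-Type") == IEEE802_MEDIUM_TYPE
            and "Tunnel-Private-Group-Id" in vlan):
        push["vlan"] = int(vlan["Tunnel-Private-Group-Id"])
    return push


# Constructed Access-Accept for user "foo" using the table's example values
# (the /24 route prefix is constructed for this example).
SAMPLE_REPLY = [
    ("Framed-IP-Address", "10.10.10.50"),
    ("Framed-IP-Netmask", "255.255.255.0"),
    ("Framed-Route", "10.10.11.0/24 10.10.10.1 1"),
    ("Microsoft-Primary-DNS-Server", "10.10.10.1"),
    ("Microsoft-Primary-DNS-Server", "10.10.10.9"),   # second primary: ignored
    ("Microsoft-Secondary-DNS-Server", "10.10.10.2"),
    ("Framed-IPv6-Prefix", "fc00:2::2/64"),
    ("DNS-Server-IPv6-Address", "fc00:2::1"),
    ("Route-IPv6-Information", "fc00:3::/64"),
    ("Tunnel-Type", 13),
    ("Tunnel-Medium-Type", 6),
    ("Tunnel-Private-Group-Id", "20"),
]

if __name__ == "__main__":
    for mode in ("tap", "tun"):
        print(mode, client_push(SAMPLE_REPLY, mode))
```

Running it shows the same reply yielding a VLAN 20 assignment in TAP mode and none in TUN mode, which is the behaviour the table's "TAP mode only" note describes.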
Configuration Example
OpenVPN supports remote access from multiple operating systems and mobile devices, which means you can have remote access to the company Intranet. For more information about how to configure OpenVPN on the client device, visit https://openvpn.net.
The following examples show you how to configure both OpenVPN TAP service and TUN service.
Configuring OpenVPN TAP service
Step 1: Configure local RADIUS server for OpenVPN TAP mode.
awplus#configure terminal
Specify a local RADIUS server host and set parameters for the server.
awplus(config)#radius-server host 127.0.0.1 key awplus-local-radius-server
Declare local CA (Certificate Authority) as the trustpoint that the system uses.
awplus(config)#crypto pki trustpoint local
Obtain a system certificate from local CA.
awplus(config)#crypto pki enroll local
Enter the local RADIUS server configuration mode.
awplus(config)#radius-server local
Configure client user group and configure client IP address. Note that this step is optional for configuring OpenVPN TAP mode.
awplus(config-radsrv)#group foo
Configure client user IP address. If you want to support more client users, you need to create a group for each client user. Note that if you want to configure the client IP address with the RADIUS server, then this step is required. If you don’t want to configure the client IP address with the RADIUS server, then this step is not required and you can configure the client IP address via DHCP.
awplus(config-radsrv-group)#attribute Framed-IP-Address 192.168.1.11
Configure IP subnet mask of the tunnel interface. Note that if you want to configure the client IP address with the RADIUS server, then this step is required. If you don’t want to configure the client IP address with the RADIUS server, then this step is not required and you can configure the client IP address via DHCP.
awplus(config-radsrv-group)#attribute Framed-IP-Netmask 255.255.255.0
Configure the route for packets routing from network 192.168.0.0/16 to the remote network through the tunnel with 192.168.1.1 being the IP address of the remote tunnel interface. Note that this step is optional for configuring OpenVPN TAP mode.
awplus(config-radsrv-group)#attribute Framed-Route "192.168.0.0/16 192.168.1.1"
Return to the local RADIUS server configuration mode.
awplus(config-radsrv-group)#exit
Add the NAS with an IP address to the list of clients that may send authentication requests to the local RADIUS server.
awplus(config-radsrv)#nas 127.0.0.1 key awplus-local-radius-server
Add a user to the RADIUS server database and specify the user name and password.
awplus(config-radsrv)#user foo password bar group foo
Enable local RADIUS server.
awplus(config-radsrv)#server enable
Step 2: Configure device interface.
awplus(config-radsrv)#exit
Create a tunnel interface.
awplus(config)#interface tunnel20
Configure an IP address for the tunnel interface.
awplus(config-if)#ip address 192.168.1.1/24
Step 3: Set OpenVPN tunnel mode.
awplus(config-if)#tunnel mode openvpn tap
Configuring OpenVPN TAP service and client
Configuring the router for OpenVPN TAP service
Step 1: Configure user authentication.
A local RADIUS server is used for username and password authentication. The following configuration enables the RADIUS server, allows access from the local host (127.0.0.1) using the shared secret ‘awplus-local-radius-server’, and creates a user ‘foo’ with password ‘bar’.
awplus#configure terminal
awplus(config)#radius-server local
awplus(config-radsrv)#server enable
awplus(config-radsrv)#nas 127.0.0.1 key awplus-local-radius-server
awplus(config-radsrv)#user foo password bar
Configure the router to use the local RADIUS server for OpenVPN user authentication.
awplus(config-radsrv)#exit
awplus(config)#radius-server host 127.0.0.1 key awplus-local-radius-server
awplus(config)#aaa authentication openvpn default group radius
Step 2: Configure server authentication.
Declare local CA (Certificate Authority) as the trust point that the system uses.
awplus(config)#crypto pki trustpoint local
Obtain a system certificate from local CA.
awplus(config)#crypto pki enroll local
Export this CA public certificate, so the VPN client can use it to verify the Computer Certificate of the VPN router. This generates a file named cacert.pem on the flash file system. The file will be used in this example.
awplus(config)#crypto pki export local pem url cacert.pem
Step 3: Configure device interface.
awplus(config)#interface eth1
awplus(config-if)#ip address 172.31.1.1/24
Step 4: Enable OpenVPN TAP service.
Create an interface for the OpenVPN router to be accessed by the client.
awplus(config-if)#interface tunnel1
awplus(config-if)#tunnel mode openvpn tap
Step 5: Connect OpenVPN clients to the LAN.
Create a virtual Ethernet bridge to connect the VPN clients to the LAN.
awplus(config-if)#exit
awplus(config)#bridge 1
This newly created bridge will have two ports. One is the physical port ETH2 that is connected to the LAN network. The other is the tunnel interface where the virtual OpenVPN TAP NIC will connect to.
Assign ETH2 and tunnel1 to the bridge.
awplus(config)#interface eth2
awplus(config-if)#bridge-group 1
awplus(config-if)#interface tunnel1
awplus(config-if)#bridge-group 1
Configuring OpenVPN client for TAP service
Several OpenVPN clients are available for many platforms. Most have in common that they rely on a .ovpn file. Once the .ovpn file is created, client configuration is typically a matter of loading the file. This file was tested with OpenVPN 2.3 but should work with OpenVPN 2.1 or newer clients.
# Configure for client mode
client
# The server requires the client to provide a username/password for authentication.
auth-user-pass
# Require encryption
cipher AES-128-CBC
# Configure for TAP mode
dev tap
proto udp
# The address of the OpenVPN router to connect to
remote 172.31.1.1
<ca>
-----BEGIN CERTIFICATE-----
(contents of cacert.pem; the certificate text is not reproduced here)
-----END CERTIFICATE-----
</ca>
The certificate blob inside the <ca> block is copied from the cacert.pem file generated by the crypto pki export command above. This .ovpn file can be used by all clients. The individual client uses the username and password to authenticate themselves.
Configuring OpenVPN TUN service
Configuring the router for OpenVPN TUN service
Step 1: Configure local RADIUS server for OpenVPN TUN mode.
awplus#configure terminal
Specify a local RADIUS server host and set parameters for the server.
awplus(config)#radius-server host 127.0.0.1 key awplus-local-radius-server
awplus(config)#aaa authentication openvpn default group radius
Declare local CA (Certificate Authority) as the trust point that the system uses.
awplus(config)#crypto pki trustpoint local
Obtain a system certificate from local CA.
awplus(config)#crypto pki enroll local
Enter the local RADIUS server configuration mode.
awplus(config)#radius-server local
Configure client user group and configure client IP address.
awplus(config-radsrv)#group foo
Configure client user IP address. If you want to support more client users, you need to create a group for each client user.
awplus(config-radsrv-group)#attribute Framed-IP-Address 192.168.1.11
Configure IP subnet mask of the tunnel interface.
awplus(config-radsrv-group)#attribute Framed-IP-Netmask 255.255.255.0
Configure the route for packets routing from network 192.168.0.0/16 to the remote network through the tunnel with 192.168.1.1 being the IP address of the remote tunnel interface. Note that this step is optional for configuring OpenVPN TUN mode.
awplus(config-radsrv-group)#attribute Framed-Route "192.168.0.0/16 192.168.1.1"
Return to the local RADIUS server configuration mode.
awplus(config-radsrv-group)#exit
Add the NAS with an IP address to the list of clients that may send authentication requests to the local RADIUS server.
awplus(config-radsrv)#nas 127.0.0.1 key awplus-local-radius-server
Add a user to the RADIUS server database and specify the user name and password.
awplus(config-radsrv)#user foo password bar group foo
Enable local RADIUS server.
awplus(config-radsrv)#server enable
Step 2: Configure device interface.
awplus(config-radsrv)#exit
Create a tunnel interface.
awplus(config)#interface tunnel20
Configure an IP address for the tunnel interface.
awplus(config-if)#ip address 192.168.1.1/24
Step 3: Set OpenVPN tunnel mode.
awplus(config-if)#tunnel mode openvpn tun
Configuring OpenVPN client for TUN service
Several OpenVPN clients are available for many platforms. Most have in common that they rely on a .ovpn file. Once the .ovpn file is created, client configuration is typically a matter of loading the file. This file was tested with OpenVPN 2.3 but should work with OpenVPN 2.1 or newer clients.
Below is an example OpenVPN TUN mode client .ovpn config file.
remote 10.0.0.1 1194 udp
pull
tls-client
cipher AES-128-CBC
auth SHA1
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
explicit-exit-notify
auth-user-pass
ca cacert.pem
keepalive 10 120
dev-type tun
float
tun-ipv6
topology subnet
passtos
port 1194
verb 7
setenv CLIENT_CERT 0
setenv ALLOW_PASSWORD_SAVE 0
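Both client profiles in this guide depend on the same few things being present: client mode (client, or tls-client with pull), auth-user-pass so the router's RADIUS check is satisfied, remote, a tunnel device, and above all the router's exported CA certificate (inline in a <ca> block for the TAP profile, referenced as ca cacert.pem in the TUN profile) so the client verifies the router's certificate instead of accepting any server. The script below is an added example, not Allied Telesis or OpenVPN project code: it renders the TAP profile with the CA certificate inlined from PEM text, parses any .ovpn profile into directives and inline blocks, and reports which of those settings are missing. The PEM text used is a constructed placeholder, not a real certificate; the TUN profile text is the one printed above.

```python
"""Build and sanity-check OpenVPN client profiles (.ovpn) as used in this guide.

Added example, not vendor code. It assumes the router's CA certificate is
available as PEM text (the exported cacert.pem) and that clients authenticate
with a username and password, as the guide describes.
"""
import re

# One PEM certificate: header, base64 body, footer, optional trailing newline.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?"
)

# Constructed placeholder, not a real certificate; stands in for cacert.pem.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAV2gAwIBAgIJPLACEHOLDERCONSTRUCTEDFORTHISEXAMPLE00==\n"
    "-----END CERTIFICATE-----\n"
)

# The TUN profile from the guide (CA referenced by file name, not inlined).
TUN_PROFILE = """remote 10.0.0.1 1194 udp
pull
tls-client
cipher AES-128-CBC
auth SHA1
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
explicit-exit-notify
auth-user-pass
ca cacert.pem
keepalive 10 120
dev-type tun
float
tun-ipv6
topology subnet
passtos
port 1194
verb 7
setenv CLIENT_CERT 0
setenv ALLOW_PASSWORD_SAVE 0
"""


def build_tap_profile(remote, ca_pem):
    """Render the guide's TAP client profile with the CA certificate inlined."""
    if not PEM_RE.fullmatch(ca_pem):
        raise ValueError("ca_pem is not a single PEM-encoded certificate")
    ca_pem = ca_pem.rstrip("\n") + "\n"   # keep </ca> on its own line
    return (
        "client\n"
        "auth-user-pass\n"
        "cipher AES-128-CBC\n"
        "dev tap\n"
        "proto udp\n"
        "remote %s\n"
        "<ca>\n%s</ca>\n" % (remote, ca_pem)
    )


def parse_profile(text):
    """Split .ovpn text into (directives, inline_blocks).

    directives: list of (name, [args]) in file order, comments skipped.
    inline_blocks: dict mapping a tag such as "ca" to the text between its tags.
    """
    directives, blocks = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            name, body = tag.group(1), []
            while i < len(lines) and lines[i].strip() != "</%s>" % name:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError("unterminated <%s> block" % name)
            i += 1                      # skip the closing tag
            blocks[name] = "\n".join(body) + "\n"
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def check_profile(text):
    """Return findings for settings the guide's setup relies on; [] means none."""
    directives, blocks = parse_profile(text)
    names = {n for n, _ in directives}
    findings = []
    if "client" not in names and not {"tls-client", "pull"} <= names:
        findings.append("missing 'client' (or 'tls-client' plus 'pull')")
    if "auth-user-pass" not in names:
        findings.append("missing 'auth-user-pass': the router expects a username/password")
    if "remote" not in names:
        findings.append("missing 'remote'")
    if "ca" not in names and "ca" not in blocks:
        findings.append("no CA certificate: the router's certificate cannot be verified")
    elif "ca" in blocks and not PEM_RE.fullmatch(blocks["ca"]):
        findings.append("inline <ca> block is not a PEM certificate")
    if "dev" not in names and "dev-type" not in names:
        findings.append("no 'dev' or 'dev-type': tunnel mode undefined")
    return findings


if __name__ == "__main__":
    tap = build_tap_profile("172.31.1.1", SAMPLE_CA_PEM)
    print(tap)
    print("TAP findings:", check_profile(tap))
    print("TUN findings:", check_profile(TUN_PROFILE))
```

In use, replace SAMPLE_CA_PEM with the contents of the cacert.pem exported from the router; check_profile is the piece worth keeping around, since a profile that loses its ca line or <ca> block still connects but no longer verifies which server it is talking to.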
North America Headquarters | 19800 North Creek Parkway | Suite 100 | Bothell | WA 98011 | USA | T: +1 800 424 4284 | F: +1 425 481 3895
Asia-Pacific Headquarters | 11 Tai Seng Link | Singapore | 534182 | T: +65 6383 3832 | F: +65 6383 3830
EMEA & CSA Operations | Incheonweg 7 | 1437 EK Rozenburg | The Netherlands | T: +31 20 7950020 | F: +31 20 7950021
alliedtelesis.com
© 2015 Allied Telesis Inc. All rights reserved. Information in this document is subject to change without notice. All company names, logos, and product designs that are trademarks or registered trademarks are the property of their respective owners.