Step by Step Configure Router Vyata 6.5.20

The document discusses OpenVPN configuration for site-to-site and client-server modes using TLS. It provides example configurations for setting up OpenVPN interfaces on Vyatta routers for these two modes, including specifying TLS parameters and certificates.


Chapter 5: OpenVPN OpenVPN Configuration 361

Example 5-5 V1 OpenVPN configuration - site-to-site with TLS

Set the local IP address of the VPN tunnel.
    vyatta@V1# set interfaces openvpn vtun0 local-address 192.168.200.1

Set the OpenVPN mode.
    vyatta@V1# set interfaces openvpn vtun0 mode site-to-site

Set the remote IP address of the VPN tunnel.
    vyatta@V1# set interfaces openvpn vtun0 remote-address 192.168.200.2

Specify the physical IP address of the remote host.
    vyatta@V1# set interfaces openvpn vtun0 remote-host 87.65.43.21

Set the role of this endpoint.
    vyatta@V1# set interfaces openvpn vtun0 tls role passive

Specify the location of the CA certificate file.
    vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.
    vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt

Specify the location of the CRL parameters file.
    vyatta@V1# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem

Specify the location of the DH file.
    vyatta@V1# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

Specify the location of the host key file.
    vyatta@V1# set interfaces openvpn vtun0 tls key-file /config/auth/V1.key

Commit the change.
    vyatta@V1# commit

Show the OpenVPN configuration.
    vyatta@V1# show interfaces openvpn vtun0
    local-address 192.168.200.1
    mode site-to-site
    remote-address 192.168.200.2
    remote-host 87.65.43.21
    tls {
        role passive
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/V1.crt
        crl-file /config/auth/crl.pem
        dh-file /config/auth/dh1024.pem
        key-file /config/auth/V1.key
    }

Note that the configuration is the same as in the previous section except that the
shared-secret-key-file option has been replaced by tls options. Because endpoint V1
takes the passive role, the dh-file option is required. The optional crl-file is also
specified in this example.

VPN 6.5R1 v01 Vyatta



To configure V2 for a site-to-site VPN with TLS, perform the following steps in
configuration mode.

Example 5-6 V2 OpenVPN configuration - site-to-site with TLS

Step / Command

Create the vtun0 configuration node.
    vyatta@V2# set interfaces openvpn vtun0

Set the local IP address of the VPN tunnel.
    vyatta@V2# set interfaces openvpn vtun0 local-address 192.168.200.2

Set the OpenVPN mode.
    vyatta@V2# set interfaces openvpn vtun0 mode site-to-site

Set the remote IP address of the VPN tunnel.
    vyatta@V2# set interfaces openvpn vtun0 remote-address 192.168.200.1

Specify the physical IP address of the remote host.
    vyatta@V2# set interfaces openvpn vtun0 remote-host 12.34.56.78

Set the role of this endpoint.
    vyatta@V2# set interfaces openvpn vtun0 tls role active

Specify the location of the CA certificate file.
    vyatta@V2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.
    vyatta@V2# set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt

Specify the location of the host key file.
    vyatta@V2# set interfaces openvpn vtun0 tls key-file /config/auth/V2.key

Commit the change.
    vyatta@V2# commit

Show the OpenVPN configuration.
    vyatta@V2# show interfaces openvpn vtun0
    local-address 192.168.200.2
    mode site-to-site
    remote-address 192.168.200.1
    remote-host 12.34.56.78
    tls {
        role active
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/V2.crt
        key-file /config/auth/V2.key
    }

The configuration is the same as in the previous example, except that the tls option
is specified, the optional crl-file option is not specified, and, because endpoint V2
takes the active role, dh-file is not needed.




Client‐Server Mode
In a typical remote access VPN setup there is one OpenVPN endpoint that acts as the
server. Remote users will run OpenVPN as clients to connect to the server and establish
VPN tunnels. This is illustrated in Figure 5-5.


Figure 5-5 Client-server mode

[Figure: the OpenVPN server (V1), with physical interface 12.34.56.78 and OpenVPN interface 192.168.200.1, connected by an OpenVPN tunnel to the OpenVPN client (V2), whose OpenVPN interface is 192.168.200.x (assigned by server).]

One thing to note is that OpenVPN requires TLS in client-server mode, and the server
takes the passive role while the clients are active. Therefore, it is not necessary to specify
the tls role option when operating in this mode. In the above example, assuming that V1
is the server and V2 is a client, the configuration for V1 is shown below.

To configure V1 for client-server with TLS, perform the following steps in
configuration mode. In this example:
• The mode option specifies that this endpoint will operate in server mode.
• The server subnet option indicates that the client’s tunnel IP address is allocated
from the 192.168.200.0/24 subnet and that the server’s tunnel IP address (that is, the
address of vtun0 on the server) is 192.168.200.1.
• The remote-host option is not set since the clients will be actively contacting the
server.

Example 5-7 V1 OpenVPN configuration - client-server with TLS (server)

Step / Command

Create the vtun0 configuration node.
    vyatta@V1# set interfaces openvpn vtun0

Set the OpenVPN mode.
    vyatta@V1# set interfaces openvpn vtun0 mode server

Set the subnet for the OpenVPN tunnel.
    vyatta@V1# set interfaces openvpn vtun0 server subnet 192.168.200.0/24

Specify the location of the CA certificate file.
    vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.
    vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt

Specify the location of the CRL parameters file.
    vyatta@V1# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem

Specify the location of the DH file.
    vyatta@V1# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem

Specify the location of the host key file.
    vyatta@V1# set interfaces openvpn vtun0 tls key-file /config/auth/V1.key

Commit the change.
    vyatta@V1# commit

Show the OpenVPN configuration.
    vyatta@V1# show interfaces openvpn vtun0
    mode server
    server {
        subnet 192.168.200.0/24
    }
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/V1.crt
        crl-file /config/auth/crl.pem
        dh-file /config/auth/dh1024.pem
        key-file /config/auth/V1.key
    }

To configure V2 for client-server with TLS, perform the following steps in
configuration mode. In this example:
• V2 is in client mode and so it needs to actively contact the server; therefore the
remote-host option is needed to indicate where the server is.
• When the tunnel is established, V2’s tunnel IP address (that is, the address of
vtun0 on V2) will be assigned by V1 from the 192.168.200.0/24 subnet.

Example 5-8 V2 OpenVPN configuration - client-server with TLS (client)

Step / Command

Create the vtun0 configuration node.
    vyatta@V2# set interfaces openvpn vtun0

Set the OpenVPN mode.
    vyatta@V2# set interfaces openvpn vtun0 mode client

Specify the physical IP address of the remote host.
    vyatta@V2# set interfaces openvpn vtun0 remote-host 12.34.56.78

Specify the location of the CA certificate file.
    vyatta@V2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt

Specify the location of the host certificate file.
    vyatta@V2# set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt

Specify the location of the host key file.
    vyatta@V2# set interfaces openvpn vtun0 tls key-file /config/auth/V2.key

Commit the change.
    vyatta@V2# commit

Show the OpenVPN configuration.
    vyatta@V2# show interfaces openvpn vtun0
    mode client
    remote-host 12.34.56.78
    tls {
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/V2.crt
        key-file /config/auth/V2.key
    }
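The site-to-site and client-server examples above each come with a rule the text states in prose: a site-to-site endpoint needs both tunnel addresses, the peer's physical address and either a shared secret or tls; the passive TLS endpoint (tls role passive, or the server in client-server mode) needs dh-file; a server needs a server subnet and no remote-host; a client needs remote-host. The following Python script is an added example, not code from the Vyatta guide: it parses the brace-delimited output of "show interfaces openvpn vtun0" and reports which of those rules a configuration breaks before it is committed. The function names are mine, and the sample outputs are constructed copies of Examples 5-5 and 5-8.

```python
"""Parse Vyatta 'show interfaces openvpn vtunX' output and check it against the
rules this guide states. Added example, not code from the Vyatta guide; the
sample outputs below are constructed from Examples 5-5 and 5-8."""
from __future__ import annotations


def parse_show_output(text: str) -> dict:
    """'name {' opens a nested node, '}' closes it, 'key value' is a leaf."""
    root: dict = {}
    stack: list[dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in show output")
            stack.pop()
        elif line.endswith("{"):
            node: dict = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unterminated '{' in show output")
    return root


def check_openvpn_config(cfg: dict) -> list[str]:
    """Return findings for one vtun interface; an empty list means consistent.

    Rules from the guide: site-to-site needs both tunnel addresses, the peer's
    physical address and shared-secret-key-file or tls; tls needs the CA, host
    certificate and key files; the passive endpoint needs dh-file; the server
    needs 'server subnet' and no remote-host; a client needs remote-host.
    """
    findings: list[str] = []
    mode, tls = cfg.get("mode"), cfg.get("tls")
    if mode == "site-to-site":
        for key in ("local-address", "remote-address", "remote-host"):
            if key not in cfg:
                findings.append(f"site-to-site mode requires {key}")
        if tls is None and "shared-secret-key-file" not in cfg:
            findings.append("site-to-site needs shared-secret-key-file or tls")
        elif tls is not None and tls.get("role") not in ("active", "passive"):
            findings.append("site-to-site with tls requires tls role active|passive")
    elif mode in ("server", "client"):
        if tls is None:
            findings.append("client-server mode requires tls")
        elif "role" in tls:
            findings.append("tls role is not needed in client-server mode")
        if mode == "server" and "subnet" not in cfg.get("server", {}):
            findings.append("server mode requires server subnet")
        if mode == "server" and "remote-host" in cfg:
            findings.append("server mode should not set remote-host")
        if mode == "client" and "remote-host" not in cfg:
            findings.append("client mode requires remote-host")
    else:
        findings.append(f"unknown or missing mode: {mode!r}")
    if tls is not None:
        for key in ("ca-cert-file", "cert-file", "key-file"):
            if key not in tls:
                findings.append(f"tls requires {key}")
        # The passive side of the TLS handshake is the explicit passive role
        # in site-to-site mode, or the server in client-server mode.
        if (tls.get("role") == "passive" or mode == "server") and "dh-file" not in tls:
            findings.append("passive TLS endpoint requires dh-file")
    return findings


# Constructed sample outputs, copied from the examples on this page.
V1_SITE_TO_SITE = """
local-address 192.168.200.1
mode site-to-site
remote-address 192.168.200.2
remote-host 87.65.43.21
tls {
    role passive
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V1.crt
    crl-file /config/auth/crl.pem
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/V1.key
}
"""

V2_CLIENT = """
mode client
remote-host 12.34.56.78
tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/V2.crt
    key-file /config/auth/V2.key
}
"""

if __name__ == "__main__":
    for name, text in (("V1", V1_SITE_TO_SITE), ("V2", V2_CLIENT)):
        print(name, check_openvpn_config(parse_show_output(text)) or "ok")
```

Paste the output of the show command for each endpoint into the script; both samples above pass, while dropping the dh-file line from the V1 sample produces a "passive TLS endpoint requires dh-file" finding.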

Setting Up OpenVPN Clients on Windows Hosts
As mentioned earlier, OpenVPN is different from and cannot interoperate with the
“SSL VPN” solutions on the market, and therefore OpenVPN must be installed on
all VPN hosts. In a remote access VPN setup, many remote users will need to connect
to the OpenVPN server from hosts that run Windows. To set up the OpenVPN client
on a Windows machine, download and install the OpenVPN Windows Installer
package from the OpenVPN Web site
(http://openvpn.net/index.php/downloads.html).
After installation, the OpenVPN client can be either run from the Windows command
line or controlled by the OpenVPN GUI. Using the setup from the previous section as
example, if the client V2 is a Windows host, the OpenVPN client can be run from the
command line by issuing the command shown in Example 5-9, using the addressing,
certificate, and key information for your site.
Example 5-9 Running OpenVPN from the command line

openvpn --dev tun --client --remote ip-address --ca ca-cert-filename --cert endpoint-cert-filename --key endpoint-key-filename


This command establishes a VPN tunnel with the OpenVPN server V1 in Example 5-8.
Note that the referenced files must be in the directory from which this command is
issued; otherwise, full paths must be used for the files.
Alternatively, to control the OpenVPN client using the OpenVPN GUI, you must create
a control file. The file must be named with the extension .ovpn; for example, vyatta.ovpn.
A configuration file that corresponds to the preceding command line would look as
shown in Example 5-10 (with corresponding changes for your site information).

Example 5‐10 OpenVPN configuration file

dev tun
client
remote 12.34.56.78
ca ca.crt
cert V2.crt
key V2.key

Put the configuration file and the referenced files (certificates, etc.) into the
OpenVPN configuration directory. This is usually C:\Program files\OpenVPN\config.
Start the OpenVPN GUI, which will show an icon in the notification area of the
Windows taskbar. To establish the OpenVPN tunnel, right-click the icon and select
Connect from the drop-down menu. If there are multiple ovpn configuration files, the
actions for each configuration appear in each file’s own drop-down menu.
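Examples 5-9 and 5-10 are the same client settings in two forms, and the text's one caveat is that the certificate and key files must sit in the directory the client runs from unless full paths are given. The Python below is an added example, not code from the Vyatta guide or from OpenVPN: it writes the .ovpn text for V2, converts it to the command-line form, and checks the ca/cert/key references against a directory listing so a missing file is caught before the GUI reports a failed connection. The function names are mine, and the directory listings are constructed.

```python
"""Build the Windows OpenVPN client's .ovpn file and command line for the
client V2 of Examples 5-9 and 5-10, and check that the files it references
can be found. Added example, not code from the Vyatta guide or OpenVPN."""
from __future__ import annotations
from pathlib import PurePosixPath, PureWindowsPath

# Client-side directives in the guide's examples that name a file OpenVPN must open.
FILE_DIRECTIVES = ("ca", "cert", "key")


def build_ovpn(remote: str, ca: str, cert: str, key: str) -> str:
    """Return the text of an .ovpn file with the same settings as Example 5-10."""
    lines = ["dev tun", "client", f"remote {remote}", f"ca {ca}", f"cert {cert}", f"key {key}"]
    return "\n".join(lines) + "\n"


def ovpn_to_command_line(ovpn_text: str) -> list[str]:
    """Translate 'directive args' lines into the '--directive args' form of
    Example 5-9; '#' comments and blank lines are skipped."""
    argv = ["openvpn"]
    for raw in ovpn_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            argv.append("--" + parts[0])
            argv.extend(parts[1:])
    return argv


def _is_absolute(path: str) -> bool:
    # Accept either a Windows (C:\...) or a POSIX (/...) absolute path.
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def missing_files(ovpn_text: str, present: set[str]) -> list[str]:
    """Return the ca/cert/key files given as relative paths that are not in
    `present`, the listing of the directory OpenVPN runs from (the guide's
    rule: same directory, or full paths). Paths containing spaces would need
    quoting, which this whitespace splitter does not handle."""
    missing = []
    for raw in ovpn_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            if not _is_absolute(parts[1]) and parts[1] not in present:
                missing.append(parts[1])
    return missing


if __name__ == "__main__":
    config = build_ovpn("12.34.56.78", "ca.crt", "V2.crt", "V2.key")
    print(config)
    print(" ".join(ovpn_to_command_line(config)))
    # Constructed listing of the config directory with the key file left out.
    print("missing:", missing_files(config, {"vyatta.ovpn", "ca.crt", "V2.crt"}))
```

Running the script prints the Example 5-10 file, the equivalent Example 5-9 command line, and reports V2.key as missing from the constructed listing.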

Firewall Configuration
The firewall configuration for an OpenVPN tunnel interface is the same as the
configuration for other types of interfaces. Here is an example.
To configure a firewall on V1, perform the following steps in configuration mode.

Example 5-11 V1 OpenVPN firewall configuration

Step / Command

Create the vtun0 configuration node.
    vyatta@V1# set interfaces openvpn vtun0

Additional configuration commands.
    ...

Set the firewall rule for inbound traffic on the vtun0 interface.
    vyatta@V1# set interfaces openvpn vtun0 firewall in name rules-in

Additional configuration commands.
    ...

Commit the change.
    vyatta@V1# commit

Show the OpenVPN configuration.
    vyatta@V1# show interfaces openvpn vtun0
    ...
    firewall {
        in {
            name rules-in
        }
    }
    ...

For more information on configuring firewall for interfaces, see the firewall chapter in
the Vyatta Firewall Reference Guide.

Using an OpenVPN Access Server

This feature is available only in the Vyatta Subscription Edition.

Another OpenVPN scenario involves connecting to an OpenVPN Access Server and
using the configuration information it provides to establish an OpenVPN tunnel to an
OpenVPN server. The configuration for this is very simple, as the OpenVPN Access
Server provides all the necessary VPN configuration information to the connecting host
(the Vyatta system in this case). A configuration scenario using an OpenVPN Access
Server is shown in Figure 5-6.


Figure 5-6 Using an OpenVPN Access Server to establish an OpenVPN tunnel

[Figure: elements shown are an Authentication Server, an OpenVPN Access Server (12.34.56.78), the OpenVPN Server with OpenVPN interface 192.168.200.1, the Vyatta device (V2) with OpenVPN interface 192.168.200.x, the OpenVPN tunnel between the OpenVPN Server and V2, a 192.168.100.0/24 network, and Private Network 1 and Private Network 2.]

To configure V2 to establish an OpenVPN tunnel to an OpenVPN server using an
OpenVPN Access Server as shown in Figure 5-6, perform the following steps in
configuration mode.

Example 5-12 V2 - Client-Side Connection to OpenVPN Access Server (Autologin enabled)

Step / Command

Create the vtun0 configuration node.
    vyatta@V2# set interfaces openvpn vtun0

Specify the OpenVPN Access Server IP address.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration server 12.34.56.78

Specify the user name to be authenticated at the OpenVPN Access Server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration username abcd

Specify the password to be authenticated at the OpenVPN Access Server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration password efgh

Commit the change.
    vyatta@V2# commit

Show the configuration.
    vyatta@V2# show interfaces openvpn vtun0
    remote-configuration {
        password efgh
        server 12.34.56.78
        username abcd
    }

This example is valid for a scenario where Autologin is enabled on the OpenVPN server
for tunnel establishment. If Autologin is disabled, the interfaces openvpn <vtunx>
remote-configuration tunnel-username <username> and interfaces openvpn
<vtunx> remote-configuration tunnel-password <password> commands must also be
used to establish the tunnel.
To configure V2 to establish an OpenVPN tunnel to an OpenVPN server (with
Autologin disabled) using an OpenVPN Access Server as shown in Figure 5-6,
perform the following steps in configuration mode.

Example 5-13 V2 - Client-Side Connection to OpenVPN Access Server (Autologin disabled)

Step / Command

Create the vtun0 configuration node.
    vyatta@V2# set interfaces openvpn vtun0

Specify the OpenVPN Access Server IP address.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration server 12.34.56.78

Specify the user name to be authenticated at the OpenVPN Access Server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration username abcd

Specify the password to be authenticated at the OpenVPN Access Server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration password efgh

Specify the user name required to establish the tunnel with the OpenVPN server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration tunnel-username tun-un3

Specify the password required to establish the tunnel with the OpenVPN server.
    vyatta@V2# set interfaces openvpn vtun0 remote-configuration tunnel-password tun-pwdxyz

Commit the change.
    vyatta@V2# commit

