VPN Tunnel

This manual describes how to configure a VPN tunnel to access an external OpenVPN server from the IACBOX.

Creating the OpenVPN Server

You can obtain OpenVPN from the official project website.

This website also provides detailed information on how to install OpenVPN on different operating systems such as Linux, Windows and Mac OS X.

Generate Certificates & Keys

In order to use OpenVPN you need to generate certificates and keys for both the OpenVPN server and the corresponding client (IACBOX). This manual describes how to generate self-signed TLS/SSL certificates.

There are many different tools for generating the certificates and keys. We recommend Easy-RSA, a simple OpenSSL front-end that generates certificates and keys on both Windows and Linux.

Easy-RSA can be obtained here: https://github.com/OpenVPN/easy-rsa

After extracting Easy-RSA, switch to the directory easy-rsa/2.0/, where you can find the different build scripts, and edit the vars file. The certificates and keys are generated from the parameters in the vars file, so edit/enter the following important parameters there (values in angle brackets are placeholders you have to replace with your own data):

# The KEY_SIZE should be at least 2048. For enhanced security
# you can also increase the KEY_SIZE to 4096.
export KEY_SIZE=2048

# The CA_EXPIRE defines in how many days the root CA key will
# expire. For some Easy-RSA installations this is set to 1 year
# as default so make sure to check this value.
export CA_EXPIRE=3650

# The KEY_EXPIRE defines in how many days the created
# certificates will expire. For some Easy-RSA installations this
# is set to 1 year as default so make sure to check this value.
export KEY_EXPIRE=3650

# The **two letter ISO code** for the country where your
# organization is located. For example **us** or **gb**.
export KEY_COUNTRY="<two letter country code>"

# The state/region where your organization is located.
# This should not be abbreviated.
export KEY_PROVINCE="<state or region>"

# The city where your organization is located.
export KEY_CITY="<city>"

# The legal name of your organization. This should not be
# abbreviated and should include suffixes such as *Inc*, *Corp* or *LLC*.
export KEY_ORG="<legal organization name>"

# An email address used to contact your organization.
export KEY_EMAIL="<contact email address>"

# The division of your organization handling the certificate.
export KEY_OU="<organizational unit>"

# The name of the generated key. For example hotspot.
export KEY_NAME="hotspot"

Save the changes you made to the vars file. Note that the commands below refer to a Linux system. First run the following commands to initialize the public key infrastructure (PKI). clean-all creates an empty keys directory together with the index and serial files that the build scripts need; it also deletes any keys already stored there, so run it only once, on a fresh setup:

. ./vars
./clean-all
./build-ca

In order to generate the certificate and key for the OpenVPN server, run the following command. You can choose your own name for server-name, for example vpnserver.

./build-key-server server-name

Continue with Enter and confirm the following question with y:

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y

The next step is to generate the certificate and key for the client. To do so, run the following command. You can choose your own name for client-name, for example hotspot01.

./build-key client-name

Again continue with Enter and confirm the following question with y:

Sign the certificate? [y/n]: y
1 out of 1 certificate requests certified, commit? [y/n]: y

The last step is to generate the Diffie-Hellman parameters (a large prime and generator) used for the key exchange.

./build-dh

By now the following files should have been created in the keys directory:

  • ca.crt - Needed by the server and all clients, serves as Root CA certificate.
  • ca.key - Needed by the key signing machine only, serves as Root CA key.
  • dh{n}.pem (n is the KEY_SIZE, e.g. dh2048.pem) - Needed by the server only, serves as Diffie-Hellman parameters.
  • vpnserver.crt - Needed by the server only, serves as server certificate.
  • vpnserver.key - Needed by the server only, serves as server key.
  • client1.crt - Needed by the IACBOX client 1 only, serves as client certificate for just this client.
  • client1.key - Needed by the IACBOX client 1 only, serves as client key for just this client.

For a more secure setup you can optionally use a TLS-auth key. Generate it with:

openvpn --genkey --secret ta.key

All the generated certificates and keys are stored in the keys directory. In order to use them with OpenVPN, copy the keys directory to the OpenVPN directory where the OpenVPN server daemon runs. On Linux this is usually /etc/openvpn and on Windows it is usually C:\Program Files\OpenVPN\config.
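Before copying the keys directory to the server and uploading the client files to the IACBOX, it pays to verify what Easy-RSA produced. The script below is an added example and is not part of the IACBOX manual or of Easy-RSA: it checks that each certificate is signed by ca.crt, that the public key honours the configured KEY_SIZE, that each .crt really belongs to its .key, and that the certificates are not about to expire (the one-year KEY_EXPIRE default mentioned above is a common surprise). It assumes the openssl command-line tool is installed; the function names, the keys directory and the vpnserver/hotspot01 names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IACBOX manual or of Easy-RSA: verify the
# certificates and keys generated with build-ca / build-key-server /
# build-key before using them. Assumes the openssl CLI is available.

# Print the RSA key size (in bits) of a certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o -m1 '[0-9][0-9]* bit' | cut -d' ' -f1
}

# Return 0 when certificate $2 chains to CA certificate $1.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 when certificate $1 and private key $2 share the same RSA
# modulus, i.e. the .crt and .key really belong together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Return 0 when certificate $1 is still valid $2 days from now; catches a
# vars file whose KEY_EXPIRE was left at a short default.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks for the server and one client. $1 = keys directory,
# $2 = server name, $3 = client name, $4 = minimum key size in bits,
# $5 = minimum remaining validity in days. Prints each problem and
# returns the number of failed checks (0 = everything is consistent).
check_pki() {
    dir=$1; fails=0
    for name in "$2" "$3"; do
        crt="$dir/$name.crt"; key="$dir/$name.key"
        [ "$(cert_key_bits "$crt")" -ge "$4" ] 2>/dev/null \
            || { echo "$crt: public key smaller than $4 bit"; fails=$((fails + 1)); }
        cert_signed_by "$dir/ca.crt" "$crt" \
            || { echo "$crt: not signed by $dir/ca.crt"; fails=$((fails + 1)); }
        cert_matches_key "$crt" "$key" \
            || { echo "$crt: does not belong to $key"; fails=$((fails + 1)); }
        cert_valid_for_days "$crt" "$5" \
            || { echo "$crt: expires within $5 days"; fails=$((fails + 1)); }
    done
    return $fails
}

# Usage with the names from this manual, run inside easy-rsa/2.0/:
#   check_pki keys vpnserver hotspot01 2048 30
```

A non-zero return value means at least one check failed and the offending file was printed; fix the vars file or regenerate the affected certificate before distributing anything.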

OpenVPN Server Configuration

Open the OpenVPN configuration file and edit/check the following parameters:

# The OpenVPN default port is set to 1194. If there is a
# firewall in between the OpenVPN server and the clients, be
# sure to allow the configured port for input, forward and output.
port 1194

# If the mode is not set to server per default, change it.
mode server

# Enter the path of the CA certificate file.
ca keys/ca.crt

# Enter the path of the server key file.
key keys/vpnserver.key

# Enter the path of the server certificate file.
cert keys/vpnserver.crt

# Enter the path of the Diffie-Hellman parameter file created by build-dh.
dh keys/dh2048.pem

# In this example, the 172.17.130.254 is the IP-address for the
# tun1 interface of the OpenVPN server and the 172.17.130.253
# IP-address is used for point-to-point connections.
ifconfig 172.17.130.254 172.17.130.253

# This parameter defines the address pool from which OpenVPN
# clients receive their IP-address. Please note that the
# IP-address range 172.17.0.0/17 must not be used for the
# ifconfig-pool: this range is already used for other functions
# of the IACBOX.
ifconfig-pool 172.17.130.1 172.17.130.250

# This parameter sets a route to the tunnel network
# 172.17.130.0/24. This route is necessary and needs to be set.
route 172.17.130.0 255.255.255.0

# This parameter pushes the defined route to the client
# (IACBOX). Due to this, the client (IACBOX) knows that the
# network 10.5.5.0/24 can be reached via the tunnel default
# gateway 172.17.130.254. The argument of push must be quoted.
push "route 10.5.5.0 255.255.255.0"

# This directory should have been pre-created in the default
# directory where the OpenVPN server daemon runs. When a new
# client connects to the OpenVPN server, the daemon will check
# this directory for a file which matches the common name of the
# connecting client. If a matching file is found, it will be
# read and processed for additional configuration file
# directives to be applied to the named client.
client-config-dir ccd

# This **optional** parameter can be set if a TLS-auth key is
# used. **Attention:** the key-direction field [0/1] is a
# three-state field! If it is set, it has to be set on both the
# server and the IACBOX, or it has to be left out on both sides.
# Using the key direction is the more secure choice. On the
# server side it has to be **0**, on the client **1**.
tls-auth keys/ta.key 0

The client-config-dir directive means that if a client (IACBOX) connects with the common name hotspot1 (or any other common name, for example hotspot1.vpn), you need to create a file named hotspot1 (or hotspot1.vpn) in the ccd directory. In this file you can define parameters that are applied only to that client (IACBOX).

For example:

ifconfig-push 172.17.130.98 172.17.130.254

This parameter assigns the fixed IP-address 172.17.130.98 to the client (IACBOX) and sets the client's tunnel default gateway to 172.17.130.254.

iroute 172.29.0.0 255.255.0.0

This parameter sets a client-specific route on the OpenVPN server. In this example, a route to the Surf-LAN network of the corresponding client (IACBOX) is set. It is highly recommended to create a separate file in the ccd directory for each client (IACBOX) connected to the OpenVPN server.

System configuration

Activate the VPN tunnel in the WebAdmin menu Network / VPN tunnel. First of all, you need to upload the certificate and key files to the IACBOX: ca.crt, hotspot1.crt and hotspot1.key.


If the optional TLS-Auth is active on the server side (see the description of the server configuration above), the ta.key file has to be uploaded too. If the key direction is used on the server side, the Key Direction checkbox has to be activated.

Enter a name for the VPN tunnel, the remote host or IP-address, and the protocol and port according to your OpenVPN configuration (default = 1194/udp). If the connection was successful, the VPN local IP and VPN remote IP are displayed on the right.


Routing Protection

  • Protect from Surf-LAN: If this is activated, all connections to the VPN tunnel from the Surf-LAN will be blocked.
  • Protect from Management-LAN: If this is activated, all connections to the VPN tunnel from the Management-LAN will be blocked.
  • Protect routing from tunnel: If this is activated, all connections from the VPN tunnel to the IACBOX Surf-LAN, Management-LAN and/or Office-LAN will be blocked.

However, there are certain configurations where you need to disable the protection. For example, you want to allow connections from the VPN tunnel to the Surf-LAN. To do so, you need to define a route to the Surf-LAN on the OpenVPN server: edit the file for the client (IACBOX) in the ccd directory of the OpenVPN server and add the route with the parameter iroute 172.29.0.0 255.255.0.0. In addition, you need to disable Protect routing from tunnel in the VPN tunnel configuration on the IACBOX.
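The server configuration section, the ccd description and the paragraph above all carry rules that are easy to get wrong by hand: the ifconfig-pool must stay out of 172.17.0.0/17, push arguments must be quoted, and an iroute in a ccd file only works when the server configuration also carries a matching route directive (route hands the packet from the kernel to the OpenVPN process, iroute then selects the client that owns the network). The lint below is an added example, not part of the IACBOX manual or of OpenVPN; it reads a server configuration file and a ccd directory and reports violations of these three rules. It needs only POSIX sh and awk; the function names and the file locations passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IACBOX manual or of OpenVPN: sanity-check
# an OpenVPN server configuration and its ccd directory against the rules
# stated in the manual. Assumes only POSIX sh and awk.

RESERVED_NET=172.17.0.0    # range the manual reserves for IACBOX functions
RESERVED_PREFIX=17

# Convert a dotted IPv4 address to an integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when address $1 lies inside RESERVED_NET/RESERVED_PREFIX.
in_reserved_range() {
    [ $(( $(ip2int "$1") >> (32 - RESERVED_PREFIX) )) -eq \
      $(( $(ip2int "$RESERVED_NET") >> (32 - RESERVED_PREFIX) )) ]
}

# Return 0 when the ifconfig-pool in server config $1 starts before it
# ends and keeps both endpoints out of the reserved range.
pool_ok() {
    set -- $(awk '$1 == "ifconfig-pool" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || { echo "no ifconfig-pool directive found"; return 1; }
    for ip in "$1" "$2"; do
        if in_reserved_range "$ip"; then
            echo "pool address $ip lies inside $RESERVED_NET/$RESERVED_PREFIX"; return 1
        fi
    done
    [ "$(ip2int "$1")" -le "$(ip2int "$2")" ] \
        || { echo "pool start $1 is after end $2"; return 1; }
}

# Print push directives whose argument is not enclosed in double quotes
# (OpenVPN expects push "route ..."); returns the number found.
unquoted_push() {
    awk '$1 == "push" && $2 !~ /^"/ { print FILENAME ": " $0; n++ } END { exit n + 0 }' "$1"
}

# Print every ccd iroute that lacks the matching "route NET MASK" line in
# server config $1 (ccd directory $2); returns the number of missing routes.
missing_routes() {
    conf=$1; ccd=$2; missing=0
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        for pair in $(awk '$1 == "iroute" { print $2 "/" $3 }' "$f"); do
            net=${pair%/*}; mask=${pair#*/}
            awk -v n="$net" -v m="$mask" \
                '$1 == "route" && $2 == n && $3 == m { found = 1 } END { exit !found }' "$conf" \
                || { echo "$(basename "$f"): iroute $net $mask has no matching route in $conf"
                     missing=$((missing + 1)); }
        done
    done
    return $missing
}

# Run all checks on server config $1 and ccd directory $2; returns the
# total number of problems found (0 = consistent).
lint_openvpn() {
    problems=0
    pool_ok "$1"             || problems=$((problems + 1))
    unquoted_push "$1"       || problems=$((problems + $?))
    missing_routes "$1" "$2" || problems=$((problems + $?))
    return $problems
}

# Usage on the server, e.g.: lint_openvpn /etc/openvpn/server.conf /etc/openvpn/ccd
```

The iroute check is the one most often missed: the connection comes up, the client gets its fixed address, yet packets for the Surf-LAN never enter the tunnel because the kernel has no route for them.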

Access to Services

If the client (IACBOX) is connected, you can access the different IACBOX services from the tunnel. If WebAdmin Access is enabled, it is possible to connect from the VPN tunnel to the WebAdmin of the IACBOX by using its tunnel IP-address (e.g. https://172.17.130.98).

In addition to the default access services, it is also possible to grant access to custom ports. For example:

  • udp:53 → to see if the DNS works
  • tcp:8080 → check if the proxy server is running

If you want to add multiple ports, separate them with spaces (e.g. udp:53 tcp:8080).