Configuring a TAP-styled OpenVPN Server and Client

Goal

Difficulty: Medium

Configure a simple OpenVPN server and client (username/password authentication only) on OpenVPN-enabled Accelerated devices.  The two instances are created on separate 6350-SR devices connected over a simple WiFi network (172.16.0.0/24); the WiFi network stands in for the cellular ISP.

This article focuses on configuring a TAP-style tunnel.  For configuring and connecting to a TUN-style OpenVPN client using an .ovpn file, see the article Configuring an OpenVPN Client on an Accelerated Device.

Relevant Files

The files used to create this article are attached below.

Setup

This article assumes a basic understanding of server authentication, certificates, keys, and the fundamentals of OpenVPN.  It also assumes that the CA and server certificates (*.crt), the server private key (*.key), the Diffie-Hellman parameters (dh2048.pem) and, where one is used, the OpenVPN configuration file (*.ovpn) have already been generated correctly.  The CA certificate is what clients use to authenticate the server, so it must be the CA that issued server.crt, not a general-purpose bundle.  For more details on generating these files, visit https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
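Before pasting the generated files into the device UI it is worth confirming that they belong together: a server certificate that does not chain to the CA, or a key that does not match the certificate, only shows up later as clients failing to connect.  The following shell check is an added example and not part of the article or the device firmware; it assumes the openssl command-line tool is installed and uses the file names the article uses.

```shell
#!/bin/sh
# Added example, not part of the article: check that the four files are
# mutually consistent before pasting them into the device UI.  It confirms
# that server.crt chains to ca.crt, that server.key is the private key for
# server.crt, and that the DH file parses as DH parameters, and it warns
# when the server certificate lacks the serverAuth EKU (a client configured
# with "remote-cert-tls server" would refuse such a server).
# Requires the openssl command-line tool; file names follow the article.

verify_openvpn_materials() {
  ca=$1; crt=$2; key=$3; dh=$4; rc=0

  # 1. Chain: the server certificate must be issued by the CA the clients trust.
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: $crt does not verify against $ca"; rc=1
  fi

  # 2. Key match: the public key inside the certificate must equal the one
  #    derived from the private key (works for RSA and EC keys alike).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
    || { echo "FAIL: cannot read certificate $crt"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "FAIL: cannot read private key $key"; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key is not the private key for $crt"; rc=1
  fi

  # 3. DH parameters: must be a DH PARAMETERS PEM block that OpenSSL can parse.
  if ! grep -q 'DH PARAMETERS' "$dh" 2>/dev/null \
     || ! openssl pkeyparam -in "$dh" -noout -text >/dev/null 2>&1; then
    echo "FAIL: $dh is not a usable DH parameter file"; rc=1
  fi

  # 4. Advisory checks: the CA should be marked as a CA, and the server
  #    certificate should carry the serverAuth extended key usage.
  openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || echo "WARN: $ca is not marked CA:TRUE"
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication' \
    || echo "WARN: $crt lacks the serverAuth EKU; 'remote-cert-tls server' clients will reject it"

  if [ "$rc" -eq 0 ]; then
    echo "OK: $crt, $key and $dh are consistent with $ca"
  fi
  return "$rc"
}

# Usage (from the directory holding the generated files):
#   verify_openvpn_materials ca.crt server.crt server.key dh2048.pem
```

A non-zero exit means at least one FAIL line was printed and the files should not be imported; the WARN lines do not block import but explain the most common follow-on failures.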

Sample

The sample configuration below shows an example network with an OpenVPN-enabled Accelerated device connected via the TAP-style tunnel.

Sample Configuration

Open the configuration page and set the following configurations.

OpenVPN Section Configuration

  1. In the VPN > OpenVPN > Servers section, specify a name for the new "OpenVPN" server (e.g. TapServer) and click Add.
  2. Ensure Enable is selected.
  3. Ensure the Device type pull-down menu is set to TAP.  A TAP-style device carries whole Ethernet frames, so it behaves like a physical network interface and can be bridged; a TUN device carries only IP packets and cannot.
  4. Ensure the Device pull-down menu is set to Bridged, since the TAP interface is treated as just another port on the bridge.
  5. Set Address to 192.168.2.1/24.  This must be a valid gateway address inside the network from which client addresses are assigned.
  6. Specify the First IP address and Last IP address of the client address range if they differ from the default values.
  7. From the Authentication pull-down menu, select Username/password only.  With this option clients present no certificate, so the username and password are the only credentials that identify a client; choose long, unique passwords.  The client still authenticates the server through the CA certificate.
  8. Insert the contents of the generated CA certificate (usually ca.crt), Public key (the server certificate, e.g. server.crt), Private key (e.g. server.key), and Diffie Hellman parameters (usually dh2048.pem) into their respective fields.  The contents are hidden once the configuration is saved.

Full files used in this example are attached in the Relevant Files section above.

Network Section Configuration

  1. In the Network > Bridges > LAN > Devices section, click Add to add a new device to the bridge.
  2. From the pull-down menu, select Server: TapServer.

Note that a bridge can only contain one TAP server.  If multiple TAP servers are required, a separate bridge interface must be created for each server.  Because the TAP server is bridged into the LAN, every connected client becomes a Layer 2 peer of all hosts on that bridge and sees its broadcast traffic; if clients should not reach the whole LAN, restrict them with firewall rules rather than relying on the tunnel itself.

Authentication Section Configuration

The following steps add a new group and user that are allowed OpenVPN access:

  1. In the Authentication > Groups section, specify a name for the OpenVPN group (e.g. tapGroup).
  2. Select OpenVPN access.
  3. Expand the OpenVPN tab and, from the pull-down menu next to Tunnel, select the appropriate OpenVPN instance, e.g. Server: TapServer.
  4. In the Authentication > Users section, specify a name for a new OpenVPN user (e.g. tapUser).
  5. In the new tapUser user section, ensure Enable is checked, and specify a password for this user (e.g. tapPassword).
  6. In the tapUser > Groups section, click Add and from the pull-down, select the OpenVPN group you wish to affiliate with this user (e.g. tapGroup).
  7. Press Save at the bottom of the configuration page to save changes.

The OpenVPN server should now be operational.  When a client is connected, the OpenVPN section of the Status > Tunnels page should display the server status:

Example TAP-style Client Set Up

This example sets up the client connection manually, without an .ovpn file.  The same principle applies when an .ovpn file is used.

OpenVPN Section Configuration

  1. In the VPN > OpenVPN > Client section, specify a name for the new OpenVPN client (e.g. ClientSR) and click Add.
  2. Ensure Enable is selected.
  3. Ensure Use .ovpn file is deselected.
  4. Ensure the Device type pull-down menu is selected to be TAP.
  5. Ensure the Zone pull-down menu is selected to be Internal.
  6. Set the Username and Password fields to the credentials created on the server (e.g. tapUser and tapPassword).  The password is sent to the server inside the TLS session, so the CA check in step 8 is what keeps it from being captured by a host impersonating the server.
  7. In the VPN server IP field, specify the IP address of the server (in this example, the server's address on the 172.16.0.0/24 WiFi network).
  8. In the CA certificate field, insert the contents of the generated CA certificate (usually the attached ca.crt file).  This is the only thing the client uses to authenticate the server, so it must be exactly the CA that issued the server certificate.
  9. Press Save at the bottom of the configuration page to save changes.

If the configuration is set up correctly and a connection is established, connection-specific information will display on the Tunnels > OpenVPN section of the Status page.

The relevant information about the status of the server and the connected clients is shown on the server's Status page:

The relevant information about the status of the client connection is shown on the client's Status page: