OpenVPN is one of the most popular VPN protocols. It can be used to create a virtual private network or to interconnect local networks. OpenVPN is open source and distributed free of charge under the GNU GPL license. It provides faster connection speeds than other VPN protocols. In addition, OpenVPN can be called one of the safest protocols: all transmitted data is protected by the OpenSSL encryption library and the SSLv3/TLSv1 protocols, which provides high security and anonymity.
Keenetic routers support TCP and UDP modes for OpenVPN connections, TLS authentication, and the use of certificates and encryption keys to increase the security of the VPN connection.
NOTE: Important! The Keenetic router that will host the OpenVPN server must be connected to the Internet with a global IP address, and when a KeenDNS domain name is used, it must be configured in Direct access mode. If either of these conditions is not met, it will not be possible to connect to such a server from the Internet.
Installing the system component 'OpenVPN client' is necessary to configure an OpenVPN connection. With this component, your Keenetic can act as both an OpenVPN client and an OpenVPN server. A detailed description of the client mode can be found in the article 'OpenVPN client'. You can install the system component on the 'General system settings' page in the 'Updates and components' section by clicking 'Component options'.
The OpenVPN mode (client or server) is mainly defined by its configuration file.
NOTE: Important! OpenVPN configuration requirements for use in Keenetic:
- The configuration must be in a single file.
- Certificates, keys, etc., should be included in this file.
- In the configuration, you should use only the options listed in the document: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage.
- Some of the options described above may not be supported. For example, our OpenVPN implementation does not support options related to IPv6.
- The order of the options and the certificates and keys enabled do not matter.
- The OpenVPN configuration file is not saved in the startup-config configuration file. To get a backup of the OpenVPN client interface settings, you must save it separately.
Let's consider an example of a 'site-to-site' OpenVPN connection.
We will connect the Keenetic#2 client (Home segment 192.168.2.0/24, tunnel address 10.1.0.2) to the server on Keenetic#1 (Home segment 192.168.1.0/24, tunnel address 10.1.0.1).
1. First, let's look at the simplest configuration using a shared secret key.
1.1 The minimum configuration of the OpenVPN server for Keenetic#1:
dev tun
ifconfig 10.1.0.1 10.1.0.2
cipher AES-128-CBC
<secret>
<--insert the secret key here
</secret>
verb 3
route 192.168.2.0 255.255.255.0
1.2 The minimum configuration of the OpenVPN client for Keenetic#2:
dev tun
remote KEENETIC-1.mykeenetic.net <-- server's domain name or IP address
ifconfig 10.1.0.2 10.1.0.1
cipher AES-128-CBC
<secret>
<--insert the secret key here
</secret>
verb 3
route 192.168.1.0 255.255.255.0
or
redirect-gateway def1
or
route 0.0.0.0 0.0.0.0 <-- if it's necessary to route all the traffic into the tunnel
1.3 Generate a shared secret key. To do this, download and install OpenVPN from here: https://openvpn.net/index.php/download/community-downloads.html
In this example, we will be using version 2.4.6-I602 for Windows.
After installing the software, restart the computer.
By default, the program will be installed in the C:\Program folder.
Run the Windows command line as an administrator. Go to C:\Program Files\OpenVPN\bin and run the command:
openvpn.exe --genkey --secret static.key
1.4 Open the generated static.key file containing the shared secret key in any text editor (e.g. Notepad), copy its contents to the clipboard (Ctrl-A, Ctrl-C) and paste it (Ctrl-V) into the appropriate places in the client and server configuration files.
Examples of the static-server.ovpn configuration file for Keenetic#1 and the static-client.ovpn configuration file for Keenetic#2 with a shared secret key are attached at the end of this article. These files also contain other OpenVPN settings that are commented out (lines starting with ';') and may be used later if necessary. You can use these configuration files for verification by replacing the domain name KEENETIC-1.mykeenetic.ru in static-client.ovpn with the domain name or public IP address of your Keenetic#1, and by replacing the shared secret key in both files with the one you generated.
1.5 Go to the 'Other connections' page in the web interface of the 1st Keenetic and click 'Create connection' in the 'VPN connections' section. In the 'VPN connection settings' window, select 'OpenVPN' in the 'Type (protocol)' field.
Then enter the name of the connection in the 'Connection name' field and insert the contents of the static-server.ovpn configuration file in the 'OpenVPN configuration' field. Save the settings.
NOTE: Important! From KeeneticOS 3.4.1 the server only works when 'Connect via' - 'Any Internet connection' is specified.
1.6 In the same way, add an OpenVPN connection in the web interface of the second Keenetic, but with the static-client.ovpn configuration.
1.7 Additionally, on the Keenetic#1 (server) side, the following commands will need to be executed via the command-line interface (CLI) of the router:
interface OpenVPN0 no ip global
interface OpenVPN0 security-level private
To allow traffic between the Home and OpenVPN0 interfaces, which have a private security level, run the command:
no isolate-private
If you plan to use this server to connect the client to the Internet as well, run the command:
ip nat 10.1.0.2 255.255.255.255
and save the settings with the command:
system configuration save
1.8 Finally, it is necessary to open a port for the OpenVPN connection. The default port is UDP/1194. To do this, on the 'Firewall' page create a rule for the 'Provider' interface or for whichever interface is used to access the Internet (besides 'Provider', this may be a PPPoE, L2TP or PPTP interface).
On the 'Firewall rule' window, select 'Allow' in the 'Action' field, 'UDP' in the 'Protocol' field, and 'Equals 1194' in the 'Destination port number' field.
This completes the configuration of the OpenVPN tunnel. Successful establishment of the tunnel can be confirmed by the messages in the System log (on the 'Diagnostics' page).
Try pinging both ends of the tunnel to check:
ping 10.1.0.1
ping 10.1.0.2
and then remote subnets:
ping 192.168.1.1
ping 192.168.2.1
2. Configuration using two-way TLS authentication.
The disadvantage of the authentication method described above, using a shared secret key, is that its theft from any one of the participating VPN hosts makes it necessary to change the key on all participants. This raises the question of how to safely transfer the new key over an insecure Internet channel. Therefore, if several clients need to connect to the server, TLS authentication should be chosen.
In this case, each party has its own private key, which is never transferred anywhere. Only the client's public key certificate, signed by the CA, is transmitted. Such certificates are issued for a fixed period of time by specialized commercial organizations. But for organizing a VPN inside your company, if there are no special security requirements, you can use your own certificate authority.
Now let's consider an example of creating keys and certificates in Windows to connect two clients: Keenetic-2 and Keenetic-3 to the Keenetic-1 server.
To create all necessary keys and certificates, we need a set of EasyRSA scripts from the OpenVPN package version 2.4.6-I602 for Windows, which also uses the openssl utility included in it.
To install EasyRSA, mark the component 'EasyRSA 2 Certificate Management Scripts' when installing OpenVPN:
In OpenVPN 2.5.x versions, to install the EasyRSA scripts, press the 'Customize' button on the first installer screen and scroll to the bottom of the component list.
2.1 Open the Windows command line as an administrator.
Go to C:\Program Files\OpenVPN\easy-rsa and run:
init-config.bat
As a result, we will get a vars.bat file that configures the environment for generating your keys and certificates.
Open this file in Windows Notepad and specify a folder to store them; by default, it's 'keys':
set KEY_DIR=keys
as well as the default values of your certificate owner's fields, for example:
set KEY_COUNTRY=GB
set KEY_PROVINCE=YourProvince
set KEY_CITY=YourCity
set KEY_ORG=YourOrganisation
set KEY_EMAIL=mail@example.com
set KEY_CN=CommonName
set KEY_NAME=KeyName
set KEY_OU=OrganisationUnit
Save the changed file.
2.2 Create new index.txt and serial auxiliary files by executing (once) in the Windows command line:
vars
clean-all
2.3 Create a private key and certificate for your certificate authority by doing the following:
vars
build-ca
The generated ca.key and ca.crt files of your certificate authority will appear in the C:\Program Files\OpenVPN\easy-rsa\keys folder.
2.4 Create a Diffie-Hellman parameters file to protect your traffic from decryption. The TLS server will use it. In some cases the procedure may take some time (for example, with a key size of 4096 bits it takes tens of minutes), but it has to be done only once:
vars
build-dh
The file dh2048.pem (or dh4096.pem when using a 4096-bit key size) will appear in the C:\Program Files\OpenVPN\easy-rsa\keys folder.
2.5 Create a private key and certificate for the OpenVPN TLS server (Keenetic-1) by executing:
vars
build-key-server Keenetic-1
When the script asks for the Common Name (CN), enter the server name, such as Keenetic-1. At the end, confirm twice (y) that you are signing the certificate.
2.6 Create the private key, PEM request and certificate for the first OpenVPN TLS client (Keenetic-2) by executing:
vars
build-key Keenetic-2
When the script asks for Common Name (CN), enter the name of the first client - Keenetic-2. Confirm twice (y) that you are signing the certificate.
2.7 Repeat the previous step for the second client (Keenetic-3):
vars
build-key Keenetic-3
When the script asks for the Common Name (CN), enter the name of the second client - Keenetic-3. Confirm twice (y) that you are signing the certificate.
Similarly, you can create keys, requests, and certificates for any number of clients.
2.8 Create an HMAC key for additional protection against DoS attacks and flooding by executing:
vars
openvpn.exe --genkey --secret keys\ta.key
At this point, all the necessary files are created:
The following files are required for use in OpenVPN server and clients configs:
ca.crt - certificate of the certification centre
dh2048.pem (or dh4096.pem) - Diffie-Hellman parameters file
Keenetic-1.crt - OpenVPN server certificate (Keenetic-1)
Keenetic-1.key - OpenVPN server private key (Keenetic-1)
Keenetic-2.crt - certificate of the 1st OpenVPN client (Keenetic-2)
Keenetic-2.key - private key of the 1st OpenVPN client (Keenetic-2)
Keenetic-3.crt - certificate of the 2nd OpenVPN client (Keenetic-3)
Keenetic-3.key - private key of the 2nd OpenVPN client (Keenetic-3)
ta.key - HMAC key for additional protection against DoS-attacks and flooding
The only thing left to do is to add their contents to the server and client configuration text files.
2.9 To create an OpenVPN server configuration file, use the example server.ovpn located in the C:\Program Files\OpenVPN\sample-config\. You will need to insert the keys and certificates into it as follows:
2.9.1 Replace the line:
ca ca.crt
with the section:
<ca>
-----BEGIN CERTIFICATE-----
<--Insert the body of the certificate of the certification centre from the file ca.crt here
-----END CERTIFICATE-----
</ca>
2.9.2 Replace:
cert server.crt
with the section:
<cert>
-----BEGIN CERTIFICATE-----
<--Insert the body of the OpenVPN server certificate from the Keenetic-1.crt file here
-----END CERTIFICATE-----
</cert>
2.9.3 Replace the line:
key server.key
with the section:
<key>
-----BEGIN PRIVATE KEY-----
<--Insert the body of the OpenVPN server private key from the Keenetic-1.key file here
-----END PRIVATE KEY-----
</key>
2.9.4 Replace the line:
dh dh2048.pem
with the section:
<dh>
-----BEGIN DH PARAMETERS-----
<--Insert the contents of the Diffie-Hellman file dh4096.pem here
-----END DH PARAMETERS-----
</dh>
2.9.5 Uncomment the line:
topology subnet
2.9.6 Replace the line:
server 10.8.0.0 255.255.255.0
with the line:
server 10.1.0.0 255.255.255.0
2.9.7 Comment out the line:
;ifconfig-pool-persist ipp.txt
2.9.8 Replace the line:
tls-auth ta.key 0
with the section:
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
<--Insert the contents of the ta.key file here
-----END OpenVPN Static key V1-----
</tls-auth>
and add the line:
key-direction 0
2.9.9 Comment out the line:
;status openvpn-status.log
2.10 To create the configuration file for the first OpenVPN client, use the example client.ovpn located in C:\Program Files\OpenVPN\sample-config\. You will need to insert the keys and certificates into it as follows:
2.10.1 In the line:
remote my-server-1 1194
replace my-server-1 with the domain name or public IP address of your OpenVPN server (Keenetic-1).
2.10.2 Replace the line:
ca ca.crt
with the section:
<ca>
-----BEGIN CERTIFICATE-----
<--Insert the body of the certificate of the certification authority from the file ca.crt here
-----END CERTIFICATE-----
</ca>
2.10.3 Replace the line:
cert client.crt
with the section:
<cert>
-----BEGIN CERTIFICATE-----
<--Insert the body of the certificate of the first OpenVPN client from the Keenetic-2.crt file here
-----END CERTIFICATE-----
</cert>
2.10.4 Replace the line:
key client.key
with the section:
<key>
-----BEGIN PRIVATE KEY-----
<--Insert the body of the private key of the first OpenVPN client from the Keenetic-2.key file here
-----END PRIVATE KEY-----
</key>
2.10.5 Replace the line:
tls-auth ta.key 1
with the section:
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
<--Insert the contents of the ta.key file here
-----END OpenVPN Static key V1-----
</tls-auth>
and add the line:
key-direction 1
2.10.6 Add a line with the route to the server's local network:
route 192.168.1.0 255.255.255.0
or:
route 0.0.0.0 0.0.0.0
if all traffic needs to be routed into the tunnel.
2.11 Repeat the same actions for the second client by taking the data from Keenetic-3.crt and Keenetic-3.key files, respectively.
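As a check after steps 2.9 and 2.10, and against the configuration requirements listed at the start of this article, here is an added example that is not part of Keenetic's documentation or tools: a small Python lint that parses .ovpn text and reports options that still reference external files, IPv6 options, unreplaced '<--insert ...' placeholders, and an inline <tls-auth> block without a key-direction line. The directive names are standard OpenVPN 2.4 options; the message texts and the sample are my own.

```python
import re

# Directives that take a file path; on Keenetic their contents must be inline as <tag>...</tag>.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "secret", "tls-auth", "tls-crypt", "pkcs12"}
# IPv6 options, which the page says the Keenetic OpenVPN implementation does not support.
IPV6_OPTIONS = {"ifconfig-ipv6", "ifconfig-ipv6-pool", "ifconfig-ipv6-push",
                "route-ipv6", "server-ipv6", "tun-ipv6"}

def parse_ovpn(text):
    """Return (options, blocks): options as [(name, [args])], blocks as {tag: [lines]}."""
    options, blocks, tag = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                                   # inside <tag> ... </tag>
            if line == f"</{tag}>":
                tag = None
            else:
                blocks[tag].append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:                                     # opening of an inline block
            tag = m.group(1)
            blocks[tag] = []
            continue
        if not line or line[0] in "#;":           # blank or commented-out option
            continue
        name, *args = line.split()
        options.append((name, args))
    return options, blocks

def lint_ovpn(text):
    """Return a list of problems; an empty list means the config passes these checks."""
    options, blocks = parse_ovpn(text)
    names = {n for n, _ in options}
    problems = []
    for name, args in options:
        if name in FILE_DIRECTIVES and args and name not in blocks:
            problems.append(f"'{name} {args[0]}' references an external file; inline it as <{name}>")
        if name in IPV6_OPTIONS or (name == "proto" and args and args[0].endswith("6")):
            problems.append(f"'{name}' is an IPv6 option, not supported on Keenetic")
    for tag, body in blocks.items():
        if any(ln.startswith("<--") for ln in body):
            problems.append(f"<{tag}> still contains the '<--insert ...' placeholder")
    if "tls-auth" in blocks and "key-direction" not in names:
        problems.append("inline <tls-auth> needs a 'key-direction 0' (server) or '1' (client) line")
    return problems

# Constructed sample: a few server lines as they look before steps 2.9.1 and 2.9.8 inline the files.
SAMPLE = "dev tun\nca ca.crt\ntls-auth ta.key 0\nserver 10.1.0.0 255.255.255.0\n"
```

Running lint_ovpn() on the text you are about to paste into the 'OpenVPN configuration' field shows whether any file reference or placeholder was left behind.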
Examples of such configuration files for three Keenetic clients are attached at the end of the article:
tls-server-keenetic-1.ovpn
tls-client-keenetic-2.ovpn
tls-client-keenetic-3.ovpn
You can use them by replacing the server name KEENETIC-1.mykeenetic.co.uk in the client files with the domain name or public IP address of your Keenetic-1 server, and by replacing the certificates and keys with the files you generated.
Now all you need to do is upload them to the Keenetic routers in the same way as in steps 1.5 and 1.6, and perform the actions described in steps 1.7 and 1.8 of this manual.
This is the end of the setup. Check that the tunnels are established.
To do this, ping the server's tunnel address from the client side:
ping 10.1.0.1
and the server's address on its home network:
ping 192.168.1.1
TIP: Tip: In the second part of the example, for simplicity, we performed all the operations in one folder. For security reasons, however, it is recommended to place the certificate authority on a separate computer isolated from the Internet, to store its private key only there, and to carry certificates out on removable media. Similarly, the private keys of the OpenVPN server and clients should only be placed on their respective sides of the tunnel. Only certificates may be exchanged.
TIP: Note
1. OpenVPN clients connected to the server will be displayed on the 'Device lists' page in the 'Unregistered devices' list. If you have selected the 'No Internet access' policy on the 'Home segment' page in the 'Connection policy for unregistered devices' section, don't forget to register OpenVPN clients if you need to provide them with Internet access as well.
2. The configuration of the OpenVPN interface is not saved in the startup-config file. For backup purposes, we recommend backing up the OpenVPN settings in a separate file.
TIP: Tip: We recommend that you read the following information:
- OpenVPN 2.4 documentation
- https://en.wikipedia.org/wiki/OpenVPN
- https://en.wikipedia.org/wiki/TUN/TAP