OpenVPN client

Description

With OpenVPN, you can:

  • tunnel any IP subnetwork or virtual ethernet adapter over a single UDP or TCP port,

  • configure a scalable, load-balanced VPN server farm using one or more machines that can handle thousands of dynamic connections from incoming VPN clients,

  • use all of the encryption, authentication, and certification features of the OpenSSL library to protect your private network traffic as it transits the internet,

  • use any cipher, key size, or HMAC digest (for datagram integrity checking) supported by the OpenSSL library,

  • choose between static-key-based conventional encryption or certificate-based public-key encryption,

  • use static, pre-shared keys or TLS-based dynamic key exchange,

  • use real-time adaptive link compression and traffic-shaping to manage link bandwidth utilization,

  • tunnel networks whose public endpoints are dynamic such as DHCP or dial-in clients,

  • tunnel networks through connection-oriented stateful firewalls without having to use explicit firewall rules,

  • tunnel networks over NAT,

  • create secure ethernet bridges using virtual tap devices, and

  • control OpenVPN using a GUI on Windows or Mac OS X.

Read more about OpenVPN at: https://openvpn.net

Site-to-site VPN routing using both LAN and LTE

By default, all Vutlan monitoring systems use LAN as the primary network connection. If LAN becomes unavailable, the monitoring system switches to a secondary LTE connection through the "VT760 / LTE modem", if one is installed. LAN availability is determined by pinging the configured addresses; see "LTE modem mode" for details.

Problem:

If OpenVPN is not enabled and the system switches between LAN and LTE, the SNMP software may lose contact with the monitoring system, because the LAN and LTE connections normally have different IP addresses.

Solution:

By enabling OpenVPN we can create a secure site-to-site setup in which two (or more) networks are connected over a single OpenVPN tunnel; see the picture below. In this model, devices in one network can reach devices in the other network, and vice versa. The OpenVPN Access Server routes the SNMP software or the operator directly to the Vutlan monitoring system, so the SNMP software stays connected to the monitoring device through its VPN address, whichever uplink (LAN or LTE) is currently active.

Configuration

Since version 2.7.4, you can access a private network using the OpenVPN client. Client settings are in the "Preferences" menu, in the "VPN client" tab.

The following items are available for configuration:

  • Status - shows the current connection status and client actions; the Refresh button forces the status information to be updated;

  • IP address - the IP address obtained inside the VPN network;

  • Connection Time - the time of the last successful connection to the VPN server;

  • Enable VPN Client - enables or disables the VPN client; when enabled, the device connects automatically;

  • VPN server address - the IP address of the VPN server;

  • VPN Server Port - the VPN server port, typically 1194;

  • LZO compression - whether to use LZO compression on the tunnel; leave it off unless the server requires it, because compressing traffic inside an encrypted tunnel can leak information about the plaintext;

  • Authorization Type - the method by which the client authenticates to the server: by password, by certificate, or by both password and certificate at the same time;

  • Username - the user name, when authenticating with a password;

  • Password - the user password, when authenticating with a password;

  • CA certificate - the certificate of the Certificate Authority that issued the server certificate; the client uses it to verify that it is talking to the real server. The Upload button allows you to upload a file;

  • User certificate - the client certificate; the Upload button allows you to upload the file;

  • Private key - the client's private key; the Upload button allows you to upload a file;

  • Enable TLS static key - use additional TLS authentication (OpenVPN's tls-auth, an HMAC key shared by client and server that rejects control-channel packets from anyone who does not hold it). It should always be enabled, regardless of the user authentication mode;

  • TLS static key - the static TLS key file; the Upload button allows you to upload a file;

  • Enable Watchdog - use a watchdog ping to verify the connection status;

  • Watchdog period - how often the watchdog ping is sent, in seconds;

  • Watchdog timeout - if no ping succeeds within this time, the connection is considered broken, in seconds;

  • IP Address or hostname of ping destination - the address used to verify the VPN connection.

After clicking the Save button, the parameters are saved and the OpenVPN client starts connecting, or closes the connection if the client has been disabled.

The OpenVPN client does not by itself verify that the remote network is actually reachable through the tunnel, which is why a Watchdog Ping is provided to check the connection. For the ping destination, use the address of a resource inside the VPN, usually the VPN address of the server. Set the timeout to at least three times the ping period, so that a single lost ping does not trigger a reconnect. If no ping to the specified address succeeds during the timeout period, the connection is considered broken and the client attempts to establish a new connection to the VPN server.
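The following script is an added example and is not code from the Vutlan firmware or from the OpenVPN project. It renders the "VPN client" tab settings above as an ordinary OpenVPN client configuration (one variant per Authorization Type, always with the CA certificate and the TLS static key), and implements the watchdog semantics from the previous paragraph: a ping inside the VPN every period, a reconnect only when nothing succeeds for the whole timeout, and a check that the timeout is at least three times the period. The server name vpn.example.net, the file names, the tunnel address 10.8.0.1 and the reconnect action are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Vutlan firmware or the OpenVPN project.
# Part 1 renders the "VPN client" tab settings as an OpenVPN client config.
# Part 2 is a watchdog with the same semantics as the Watchdog fields:
# ping a host inside the VPN every PERIOD seconds and treat the tunnel as
# broken if no ping succeeds within TIMEOUT seconds.
# The server name, file names and the reconnect command are assumptions.

VPN_SERVER="${VPN_SERVER:-vpn.example.net}"   # assumed VPN server address
VPN_PORT="${VPN_PORT:-1194}"                  # "VPN Server Port"
LZO="${LZO:-no}"                              # "LZO compression" toggle
SLEEP="${SLEEP:-sleep}"                       # overridable so tests need not wait

# make_client_config MODE   MODE = password | cert | password+cert
# (the three "Authorization Type" choices). Prints the config to stdout.
make_client_config() {
    mode="$1"
    cat <<EOF
client
dev tun
proto udp
remote $VPN_SERVER $VPN_PORT
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
ca ca.crt
tls-auth ta.key 1
EOF
    # "CA certificate" is always needed to verify the server, even in password
    # mode; "tls-auth ta.key 1" is the "TLS static key" (direction 1 on the
    # client, 0 on the server). Compression stays off unless asked for: it can
    # leak plaintext structure through the encrypted tunnel.
    [ "$LZO" = "yes" ] && echo "comp-lzo"
    case "$mode" in
        password)      echo "auth-user-pass credentials.txt" ;;
        cert)          printf 'cert client.crt\nkey client.key\n' ;;
        password+cert) echo "auth-user-pass credentials.txt"
                       printf 'cert client.crt\nkey client.key\n' ;;
        *)             echo "unknown authorization type: $mode" >&2; return 1 ;;
    esac
}

# validate_watchdog PERIOD TIMEOUT: period >= 1 s and timeout >= 3 * period,
# the page's recommendation, so one lost ping never triggers a reconnect.
validate_watchdog() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$2" -ge $(( $1 * 3 )) ]
}

# watchdog_check PERIOD TIMEOUT PROBE: run PROBE every PERIOD seconds.
# Returns 0 on the first success, 1 if nothing succeeds within TIMEOUT,
# 2 if the parameters are invalid.
watchdog_check() {
    period="$1"; timeout="$2"; probe="$3"
    validate_watchdog "$period" "$timeout" || return 2
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if $probe; then return 0; fi
        $SLEEP "$period"
        elapsed=$(( elapsed + period ))
    done
    return 1
}

# Reconnect action; on a real appliance this would restart the OpenVPN
# client (assumed, e.g. an init script). Here it only logs.
restart_vpn() { echo "watchdog: no ping within timeout, restarting OpenVPN client" >&2; }

# watchdog_loop PERIOD TIMEOUT TARGET: TARGET is the "ping destination",
# a host inside the VPN such as the server's tunnel address.
watchdog_loop() {
    while :; do
        if watchdog_check "$1" "$2" "ping -c 1 -W 2 $3"; then
            $SLEEP "$1"
        else
            restart_vpn
        fi
    done
}

# Usage: ./vpn-watchdog.sh run 10 30 10.8.0.1   (assumed tunnel address)
case "${1:-}" in
    run) watchdog_loop "$2" "$3" "$4" ;;
esac
```

The probe command is passed as a string so the watchdog logic can be exercised with `true`/`false` in place of `ping`; `watchdog_check` refuses a period of 0 or a timeout shorter than three periods rather than spinning or reconnecting on the first lost packet.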

How to configure a server

Please read the official OpenVPN documentation.
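As an added example (not from the OpenVPN documentation or from Vutlan), the script below shows the server-side options that have to agree with the client settings described above: the same TLS static key with direction 0, the server-side counterpart of each Authorization Type, and the `route`/`iroute` pair that turns a plain client connection into the site-to-site routing from the Solution section. The subnets 10.8.0.0/24, 192.168.1.0/24 and 192.168.2.0/24, the file names, the verification script /etc/openvpn/check-user.sh and the device's certificate name are assumptions.

```shell
#!/bin/sh
# Added example of the matching server side (not from the OpenVPN project's
# documentation or from Vutlan): the options that must agree with the client
# settings, plus the routing that makes the setup site-to-site.
# Subnets, file names and the client's certificate name are assumptions.

VPN_SUBNET="10.8.0.0 255.255.255.0"       # assumed tunnel address pool
SITE_A_LAN="192.168.1.0 255.255.255.0"    # assumed LAN behind the server (SNMP software)
SITE_B_LAN="192.168.2.0 255.255.255.0"    # assumed LAN behind the Vutlan device
DEVICE_CN="vutlan-monitor"                # assumed CN in the device's certificate

# make_server_config MODE   MODE = password | cert | password+cert
make_server_config() {
    cat <<EOF
port 1194
proto udp
dev tun
server $VPN_SUBNET
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun
# site-to-site: the kernel sends SITE_B_LAN into the tunnel, and
# client-config-dir/iroute tells OpenVPN which client is behind it
route $SITE_B_LAN
client-config-dir ccd
# give the device a route back to the server's LAN
push "route $SITE_A_LAN"
EOF
    case "$1" in
        cert)
            echo "remote-cert-tls client" ;;
        password)
            # no client certificate: the user/password check is the only
            # client authentication, so the TLS static key matters even more
            echo "verify-client-cert none"
            echo "script-security 2"
            echo "auth-user-pass-verify /etc/openvpn/check-user.sh via-file" ;;
        password+cert)
            echo "remote-cert-tls client"
            echo "script-security 2"
            echo "auth-user-pass-verify /etc/openvpn/check-user.sh via-file" ;;
        *)
            echo "unknown authorization type: $1" >&2; return 1 ;;
    esac
}

# make_ccd_entry: contents of ccd/$DEVICE_CN, binding SITE_B_LAN to that client.
# Without the iroute, packets for SITE_B_LAN enter the tunnel but OpenVPN
# does not know which client should receive them.
make_ccd_entry() {
    echo "iroute $SITE_B_LAN"
}

# Usage: make_server_config password+cert > server.conf
#        mkdir -p ccd && make_ccd_entry > "ccd/$DEVICE_CN"
```

`route` and `iroute` must both be present for site-to-site traffic: the first puts the remote LAN into the server's kernel routing table, the second tells OpenVPN's internal routing which connected client owns that LAN. The `auth-user-pass-verify` script is an assumed placeholder for whatever user database the server uses.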