Open VPN Configuration Guide

Summary

This document is intended to assist the user in establishing a VPN tunnel using the Open VPN client.

Only TUN support (no TAP)
Do not support Open VPN Server pushed Routes.
Exclusive to IPV4 (will not work with IPV6 or PPPoE).
Limited amount of Testing with different Open VPN configurations; highly recommend to adhere to provided Open VPN default config files for initial evaluation.
The filename of the VPN client config and certificates must be the same as the provided reference example.
Application of the VPN TAR and enable/disable the feature via the web will force a reboot. (This restriction will be removed and is currently undergoing testing).

** Above restrictions may be addressed as we further develop the feature and/or in response to customer feedback.

Web status page will show state of VPN connection as well as VPN IP and Gateway IP.
Deskset MMI will show state of VPN connection as well as VPN IP and Gateway IP under Network Status.
It is important that that NTP or manual time is configured correctly so that the unit will have the correct date/time before VPN set-up. If the dates are mismatched this could invalidate the initial TLS handshake.
If VPN is enabled, but not connected, all traffic will continue to route via the LAN IP.
If VPN is enabled and connected, then all traffic will route via the VPN tunnel. ** The exception is the web server which will still be accessible via the LAN IP.

Open VPN can be enabled via the Network_Advanced web page.
The TAR file can be uploaded as shown below.
The unit will reboot whenever the Enable setting is modified and saved, or when a new TAR is uploaded.

<settings>
<network>
<vpn>
<enable>1</enable>
</vpn>
</network>
<file>
<vpn>
<advanced_config>file_url</advanced_config>
</vpn>
</file>
</settings>

Parameters	Possible values	Defaults	WebUI	WebUI page/section	Access Right	Exportable
<settings><network><vpn><enable>value</enable></vpn></network></settings>	0, 1	0	VPN Enable	New Section on NETWORK->Advanced->VPN	admin, superadmin	yes
<settings><file><vpn><advanced_config>value</advanced_config></vpn></file></settings>	file url (eg. http://myserver/openvpn_client.tar)					no

The exact file and directory names above must be used for the device to function correctly.

The ca.crt, client.cert and client.key are all generated via the Open VPN server.
client.conf File:
- A reference client.conf file has been attached "client.conf"
  Download: client.conf
- The only parameter that you will need to modify is the remote server IP and port.
- The product operation has been validated using the attached client.conf and server.conf files.
- There are too many variations of parameters within the config files that have not been validated within the timeframe. Deviation from the supplied reference config files may result in unexpected behavior.
server.conf File:
- A reference Open VPN server.conf file has been attached "server.conf"
  Download: server.conf
- It should not be necessary to modify any parameters within this file.
- The product operation has been validated using the attached client.conf and server.conf files.
- There are too many variations of parameters within the config files that have not been validated within the timeframe. Deviation from the supplied reference config files may result in unexpected behavior.

The M200 does not support a high verbosity level in client.conf, such as:
```
verb 9
```
Recommended is to use "verb 3"

Further Information

Related articles