Description
OpenVPN is free to install and provides secure access to your on-premise private business network. Milesight routers can work as OpenVPN clients and connect to an OpenVPN server. This chapter takes OpenVPN Cloud as an example to describe how to configure the OpenVPN client on Milesight routers and CPEs. If you need to connect Milesight gateways/hotspots to OpenVPN Cloud, please refer to How to Connect Milesight Gateways to OpenVPN Cloud.
Requirement
- OpenVPN Cloud account
- OpenVPN Connect software
- Milesight routers/CPEs
Configuration
1. Create Network on OpenVPN Cloud
Log in to your OpenVPN Cloud account, go to the Networks page and click Create Network.
Select the scenario according to your requirement. In this example, we select Remote Access, then click Continue.
Name your network and connector, select the connector region, and click Next.
Add a private subnet. The subnet must be the same as the Milesight router's LAN port subnet. Then click Next.
Select OpenWrt as the location and download the ovpn profile, then click Next and Finish to complete the creation. Please note that each client ovpn file should be used on only one device.
2. OpenVPN Settings on Milesight Routers
1. Ensure the router has network access and is able to reach OpenVPN Cloud. You can ping the OpenVPN Cloud ID from the router to check the connection.
2. Go to the Network -> VPN -> OpenVPN Client page and configure the basic OpenVPN client parameters according to the ovpn file.
You can refer to the list below to fill in the router settings according to the ovpn file. The necessary certs can be imported as described in Step 3 and Step 4. Click here to learn more about OpenVPN configurations.
Note: parameters marked with “*” below are optional; users can keep their default settings.
Parameters | OpenVPN Configuration
--- | ---
Protocol | TCP: proto tcp; UDP: proto udp
Remote IP Address & Port | remote [Remote IP Address] [Port]
Interface | tun: dev tun; tap: dev tap
Authentication | None: ifconfig [Local Tunnel IP] [Remote Tunnel IP]; Pre-shared: secret [preshared.key]; Username/Password: auth-user-pass [Username&Password]; X.509 cert: ca [ca.crt]; cert [client.crt]; key [client.key]
Enable TLS Authentication | tls-auth [ta.key] 1
Compression* | LZO: comp-lzo; none: no compression directive
Link Detection Interval & Detection* | keepalive [Interval] [Detection]
Cipher | cipher [Cipher]
MTU* | tun-mtu [MTU]
Max Frame Size* | fragment [Frame Size]
Verbose Level* | ERROR: verb 0; WARNING: verb 4; NOTICE: verb 5; DEBUG: verb 6
Expert Option | Add any extra configuration needed, separated by “;”, for example: auth SHA256;key-direction 1. Note: Milesight gateways and hotspots support adding only one configuration, and the format is different, for example: --auth SHA256
3. Generate the necessary certificates from the ovpn file according to the authentication method.
CA cert: copy the content between <ca> ... </ca> into a new blank txt file and save it as ca.crt.
Public client cert: copy the content between <cert> ... </cert> into a new blank txt file and save it as client.crt.
Private client key: copy the content between <key> ... </key> into a new blank txt file and save it as client.key.
TA key: copy the content between <tls-auth> ... </tls-auth> into a new blank txt file and save it as ta.key. This file is optional and only needed when TLS authentication is selected.
Note: All of the above file names can be customized, but the file suffix must stay fixed. While copying, do not add any extra characters (especially whitespace) to the new cert files, or the router will fail to connect to the OpenVPN server.
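The mapping in the table above and the certificate extraction in Step 3 are mechanical enough to script. The following is an added example, not Milesight's own tooling or anything from the OpenVPN project: it parses a constructed sample client profile (the PEM bodies are placeholders, not real key material, and vpn.example.invalid is a made-up server), splits the inline <ca>/<cert>/<key>/<tls-auth> blocks into the four files of Step 3 with every line stripped so no stray whitespace ends up in the cert files, translates each directive to the router field named in the table, and collects anything the router has no field for into the Expert Option string separated by ";". The router field names used as dictionary keys are taken from the table; the function and constant names are the example's own.

```python
# Added example (not Milesight's own tooling): map a client .ovpn onto the router's OpenVPN
# Client fields from the table above and split the inline certs into Step 3's files.
import re
from pathlib import Path
# Constructed sample profile; the PEM bodies are placeholders, not real key material.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
auth SHA256
keepalive 10 60
tun-mtu 1500
verb 4
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER_CA_BODY
-----END CERTIFICATE-----
</ca>
<cert>
  -----BEGIN CERTIFICATE-----
  PLACEHOLDER_CLIENT_CERT_BODY
  -----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER_CLIENT_KEY_BODY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER_TA_KEY_BODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

INLINE_TAGS = r"<(ca|cert|key|tls-auth)>\s*(.*?)\s*</\1>"
CERT_FILES = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key", "tls-auth": "ta.key"}
VERB_LEVELS = {"0": "ERROR", "4": "WARNING", "5": "NOTICE", "6": "DEBUG"}
# Directives with a single-value router field: directive -> (field name, value type)
SIMPLE_FIELDS = {"dev": ("Interface", str), "cipher": ("Cipher", str),
                 "tun-mtu": ("MTU", int), "fragment": ("Max Frame Size", int)}

def extract_inline_blocks(text):
    """Return {tag: PEM body}; each line is stripped so no stray blanks reach the cert file."""
    blocks = {}
    for m in re.finditer(INLINE_TAGS, text, re.S):
        lines = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        blocks[m.group(1)] = "\n".join(lines) + "\n"
    return blocks

def parse_directives(text):
    """Return [(name, args)] for plain directive lines, ignoring inline blocks and comments."""
    body = re.sub(INLINE_TAGS, "", text, flags=re.S)
    directives = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives

def router_settings(directives, blocks):
    """Map directives onto the router UI fields; anything unmapped goes to Expert Option."""
    names = {n for n, _ in directives}
    s = {"Compression": "none", "Enable TLS Authentication": "tls-auth" in blocks or "tls-auth" in names}
    expert = []
    for name, args in directives:
        if name == "proto":
            s["Protocol"] = args[0].upper()
        elif name == "remote":
            s["Remote IP Address"], s["Port"] = args[0], int(args[1])
        elif name == "keepalive":
            s["Link Detection Interval"], s["Link Detection"] = int(args[0]), int(args[1])
        elif name in SIMPLE_FIELDS:
            field, cast = SIMPLE_FIELDS[name]
            s[field] = cast(args[0])
        elif name == "verb":
            s["Verbose Level"] = VERB_LEVELS.get(args[0], "verb " + args[0])
        elif name == "comp-lzo":
            s["Compression"] = "LZO"
        elif name in ("client", "ca", "cert", "key", "tls-auth", "secret", "auth-user-pass", "ifconfig"):
            pass  # expressed through the Authentication/TLS fields and the imported cert files
        else:
            expert.append(" ".join([name, *args]))
    s["Authentication"] = ("X.509 cert" if "cert" in blocks or "cert" in names
                           else "Username/Password" if "auth-user-pass" in names
                           else "Pre-shared" if "secret" in names else "None")
    s["Expert Option"] = ";".join(expert)
    return s

if __name__ == "__main__":
    blocks = extract_inline_blocks(SAMPLE_OVPN)
    print(router_settings(parse_directives(SAMPLE_OVPN), blocks))
    out = Path("router-certs"); out.mkdir(exist_ok=True)
    for tag, body in blocks.items():  # one file per block, named as in Step 3
        (out / CERT_FILES[tag]).write_text(body)
```

Run against a real profile by replacing SAMPLE_OVPN with the downloaded file's content; the printed dictionary is what goes into the OpenVPN Client page, and the files in router-certs are what Step 4 imports. Keep the generated client.key and ta.key as protected as the profile itself, since the profile is bound to a single device.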
4. Go to the Network -> VPN -> Certifications page and import the certs you generated in Step 3.
5. Check the VPN connection status on the Status -> VPN page. It shows that the router has connected and received a tunnel IP.
3. Access the Router Remotely
Open the OpenVPN Connect software, click “+” to fill in the OpenVPN Cloud URL and account information, log in to OpenVPN Cloud and add the Configuration Profile as the software instructs.
Enable the connection, and the PC will connect to OpenVPN Cloud.
After the connection is established, users can use the router's LAN IP to access the router. If this does not work, go to Network -> Firewall -> Security and check whether the remote access services are enabled. If access still fails, check whether your PC firewall has been turned off.