Description

OpenVPN is free to install and provide secure access to your private business network on-premise. Milesight routers could work as OpenVPN client and connect to the OpenVPN server. This chapter will take openVPN cloud as example to describe how to configure the OpenVPN client on Milesight routers and CPEs. If you need to connect Milesight gateways/hotspots to openVPN cloud, please refer to How to Connect Milesight Gateways to OpenVPN Cloud


Requirement

-OpenVPN Cloud Account

-OpenVPN Connect Software

-Milesight routers/CPEs


Configuration

1. Create Network on OpenVPN Cloud

Log in your openVPN Cloud account, go to Networks page to click Create Network

Select the scenario according to your requirement. In this example, we select Remote Access, then click Continue.

 

Name your network and connector, select the connector region, click Next.


Add a private subnet, the subnet should the same as Milesight router LAN port subnet, then click Next.

 

Select the location as OpenWrt and download the ovpn profile, click Next and Finish to complete the creation. Please note that every client ovpn file should use in only one device.

 


 

2. OpenVPN Settings on Milesight Routers

1. Ensure router has accessed the network and is able to reach the openVPN cloud. You can use ping the openVPN cloud ID in router to check the connection.

2. Go to Network -> VPN -> OpenVPN Client page to configure basic OpenVPN client parameters according to ovpn file.


You can refer to below list to fill in router settings according to ovpn file. Necessary certs can be imported as Step 3 and Step 4. Click here to learn more about OpenVPN configurations.

Note: below parameters with “*” are optional, users can keep these settings by default.

ParametersOpenVPN Configuration
ProtocolTCP---proto tcp; UDP---proto udp
Remote IP Address & Portremote [Remote IP Address] [Port]
Interfacetun---dev tun; tap---dev tap
AuthenticationNone: ifconfig [Local Tunnel IP] [Remote Tunnel IP]
Pre-shared: secret [preshared.key]
Username/Password: auth-user-pass [Username&Password]
X.509 cert: ca [ca.crt];cert [client.crt]; key [client.key]
Enable TLS Authenticationtls-auth [ta.key] 1
Compression*LZO---comp-lzo; none
Link Detection Interval & Detection*keepalive [Interval] [Detection]
Ciphercipher [Cipher]
MTU*tun-mtu [MTU]
Max Frame Size*fragment [Frame Size]

Verbose Level*


ERROR-- verb 0

WARNING -- verb 4

NOTICE-- verb 5

DEBUG -- verb 6


Expert Option


Add extra necessary configuration and separate them by “;”, example: auth SHA256;key-direction 1

Note: For Milesight gateways and hotspots, it only supports adding one configuration and format is different, example: --auth SHA256



3. Generate necessary certificates via ovpn files according to authentication needs.

CA Cert: Copy the content between <ca> ...<ca> to another blank txt file and save the file as ca.crt.

Public client cert: Copy the content between <cert> ...<cert> to another blank txt file and save the file as client.crt.

Private client key: Copy the content between <key> ...<key> to another blank txt file and save the file as client.key.

TA key: Copy the content between <tls-auth> ...<tls-auth> to another blank txt file and save the file as ta.key. This file is optional and only need when selecting TLS authentication.


Note: All above file names can be customized but the file suffix must be fixed. During copy, do not add any extra characters in new cert files (especially blank character), or it will cause router fails to connect to openVPN server.


 


4. Go to Network -> VPN -> Certifications page to import the certs you generate in Step 3.


5. Check VPN connection status in Status -> VPN page. It shows the router has connected and receive a tunnel IP.


3. Access the Router Remotely

Open the OpenVPN Connect software, click “+” to fill in OpenVPN Cloud URL and account information log in the OpenVPN Cloud and add the Configuration Profile as software instructions.

Enable the connection, the PC will connect to the OpenVPN Cloud.

After connected, users can use the router LAN IP to access the router. If this not work, please go to Network->Firewall->Security to check if remote access services are enable. If access failed, check if your PC firewall has closed.