INSYS icom routers can act as an OpenVPN server and/or connect to an OpenVPN server as an OpenVPN client.
This Configuration Guide shows how to configure an INSYS icom router as an OpenVPN client.
Situation
The router shall be included into an existing OpenVPN network as client.
Solution
There are several options for configuring an OpenVPN connection:
The Startup wizard of the router allows you to set up an optional OpenVPN connection alongside the configuration of the Internet access.
An (additional) OpenVPN connection can be added manually to an already configured router.
Our converter tool can be used to convert an OpenVPN configuration file into an ASCII configuration file for configuring the OpenVPN client in the router.
Prerequisites: the required certificates and keys (or an OpenVPN configuration file) are available, and the configuration of the server is known.
Keep your router up to date!
Update your router to icom OS 7.3 or later first! Starting with this version, all encryption algorithms that are no longer considered sufficiently secure have been removed, so they can no longer be used inadvertently.
Configuration using Startup wizard
The following procedure assumes that the router is in its default settings.
Open the user interface of the router: https://insys.icom
Click on To Startup wizard under Startup wizard on the splash screen.
Click on START in the Wizards → Startup wizard menu.
If necessary, change the settings for System time and click on NEXT.
Enter a User name and Password for Authentication, or configure Authentication through certificates, and click on NEXT.
Configure the Internet connection and click on NEXT.
Select OpenVPN under Type of VPN connection and Client as Mode.
If you have an OpenVPN configuration file, select Import Client Configuration (.ovpn) and upload the configuration file in the field below.
Please note!
Various OpenVPN servers, such as the icom Connectivity Suite, provide ready-made configuration files for clients that contain the complete OpenVPN configuration together with the associated certificates and keys.
If you configure the OpenVPN client manually, select Manual client configuration and configure the connection to the OpenVPN server:
Enter the address of the OpenVPN server as VPN server address.
Enter the local and remote ports used for the tunnel under Tunneling via port, as configured on the OpenVPN server.
Upload the necessary certificates and keys.
Click on NEXT.
If necessary, modify the LAN settings and click on NEXT.
Click on SUBMIT to save the settings of the Startup wizard.
Click on FINALIZE to complete the Startup wizard.
Manual Configuration
The following procedure assumes that the router is already configured with the WAN (Internet) and LAN (local network) interfaces and any other required functions; the OpenVPN client is only added to this working configuration. If OpenVPN connections are already configured, this connection is added alongside them.
Open the user interface of the router: https://insys.icom
In the Network → Interfaces menu, click on the add button in the OpenVPN section to add an OpenVPN network.
Click on to extended view at the top right to show the detailed settings.
Enter a meaningful Description and select the Mode Client.
Enter the address of the OpenVPN server under IP address or domain name of remote site.
Enter under Tunneling via port the port used for the entire data traffic of the tunnel. The local and remote ports may differ, but all VPN participants must then be configured accordingly.
Select the Protocol used by the server.
Check the checkbox Upload and apply certificates and upload the CA certificate, the Certificate and the Private key.
Configure the remaining parameters according to the requirements of your OpenVPN server.
Notes regarding these other parameters
As an alternative or in addition to a client certificate and private key, a user name/password combination can be used to authenticate at the OpenVPN server. The CA certificate, which all participants of this VPN require, is needed in any case.
In addition, a static key can be used for authentication and encryption of the control channel (tls-crypt) or for authentication only (tls-auth):
If a key for tls-crypt is selected, the remote terminal must also use tls-crypt with the same key.
If a key for tls-auth is selected, the key can be restricted to a single direction. This setting must match the remote VPN terminal: either no direction is configured on either side, or the settings are complementary (0/1 or 1/0). The remote terminal must also use the same key.
Make sure that selecting a key activates only one of the two directives: tls-auth and tls-crypt must never be active at the same time.
If the automatic cipher negotiation fails, the cipher algorithm configured here is used to encrypt the data traffic through the tunnel.
AES-GCM and AES-CBC are recommended for this as per TR-02102-2; DES, RC2, CAST, Blowfish and IDEA are not recommended. The hash algorithm configured here is used regardless of the automatic negotiation. SHA-256, SHA-384 and SHA-512 are recommended as per TR-02102-2; SHA-1 and SHA-224 are not. The checkbox Check remote certificate type verifies that the certificate presented by the remote terminal is a server certificate and not a client certificate. Without this check, any holder of a valid client certificate issued by the same CA could pose as the server; enabling it prevents this kind of man-in-the-middle attack.
The checkbox Set default route (redirect-gateway) sets the default route such that all data traffic is routed through the tunnel.
The checkbox Do not bind local address and port (nobind) stops the OpenVPN client from binding to a fixed local IP address and port.
The checkbox Remote terminal is allowed to change its IP address (float) keeps the tunnel usable if the remote terminal changes its IP address after successful authentication.
The checkbox Activate LZO compression compresses the data traffic using LZO (Lempel-Ziv-Oberhumer). This setting must be identical on client and server.
The verbosity of the messages written to the log is set under Log level. 0 disables logging completely, 9 results in a very detailed log. Level 3 is recommended as the standard.
The keys for the data channel are renegotiated at regular intervals. The Interval for renegotiation of data channel key configures the time that must elapse before new keys are created.
The Ping interval configures the interval (in seconds) at which control data is sent through the tunnel if there is no other traffic. The communication partners use it to tear down the tunnel in an orderly fashion if it collapses. It also prevents stateful firewalls at the remote terminal from dropping the tunnel state after a prolonged pause in communication. The value 0 disables the regular ping.
The Ping restart interval configures the time in seconds after which the tunnel is re-established if no ping has arrived from the remote terminal during that entire time. The value 0 prevents the tunnel from being terminated even if pings are no longer received.
If errors occur during data transmission due to the packet size, the packets can be adjusted with the parameters Fragment packets, Adjust maximum segment size (mssfix), Link layer MTU (link-mtu) and Tunnel interface MTU (tun-mtu). Modify these parameters only if you are aware of their effects and have consulted the OpenVPN reference manual.
The Maximum wait time to establish connection is the time granted for establishing the OpenVPN tunnel within the WAN chain. If the tunnel cannot be established within this time, it is considered unavailable in the WAN chain.
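The following script is an added example and not part of the INSYS documentation or tooling. It parses an OpenVPN client profile (.ovpn), including inline <ca>, <cert>, <key>, <tls-auth> and <tls-crypt> blocks, and reports the mistakes discussed in the notes above before the profile is imported or configured by hand: tls-auth and tls-crypt both active, a key direction that is not complementary to the server, ciphers and hashes that TR-02102-2 does not recommend, a missing remote certificate type check, and an LZO setting that differs from the server. The sample profile, the server host name and the server-side settings (passed in as a small dict, since the server configuration is assumed to be known) are constructed for the example.

```python
"""Sanity check of an OpenVPN client profile against the notes above.

Added example, not INSYS code. Sample profile and server settings are
constructed; the PEM bodies are placeholders, not real key material.
"""
import re

# Families named as "not recommended" in the notes above (TR-02102-2).
WEAK_CIPHER_PREFIXES = ("DES", "RC2", "CAST", "BF", "IDEA")
WEAK_HASHES = {"SHA1", "SHA224"}

INLINE_BLOCK = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Return (directives, inline): {name: [args, ...]} and {tag: body}."""
    inline = {}

    def grab(match):
        inline[match.group("tag")] = match.group("body")
        return ""

    directives = {}
    for line in INLINE_BLOCK.sub(grab, text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def key_direction(directives):
    """tls-auth direction: trailing argument of 'tls-auth' or 'key-direction'."""
    for args in directives.get("tls-auth", []):
        if len(args) > 1:
            return args[1]
    for args in directives.get("key-direction", []):
        return args[0]
    return None


def check_client(directives, inline, server):
    """Return a list of findings; an empty list means nothing was flagged."""
    def has(name):
        return name in directives or name in inline

    findings = []
    if not has("ca"):
        findings.append("ERROR: no CA certificate; it is required in every case")
    if not ((has("cert") and has("key")) or has("auth-user-pass")):
        findings.append("ERROR: neither certificate/key nor user name/password configured")
    if has("tls-auth") and has("tls-crypt"):
        findings.append("ERROR: tls-auth and tls-crypt must not be active at the same time")
    if has("tls-crypt") and server.get("tls") != "tls-crypt":
        findings.append("ERROR: tls-crypt requires tls-crypt with the same key on the server")
    if has("tls-auth"):
        if server.get("tls") != "tls-auth":
            findings.append("ERROR: tls-auth requires tls-auth with the same key on the server")
        mine, theirs = key_direction(directives), server.get("key_direction")
        if not ((mine is None and theirs is None) or {mine, theirs} == {"0", "1"}):
            findings.append(f"ERROR: key-direction client={mine} server={theirs}; "
                            "use none/none, 0/1 or 1/0")
    # 'cipher' / 'data-ciphers-fallback' apply when negotiation fails;
    # 'data-ciphers' is the negotiated list. Flag weak entries in all of them.
    for name in ("cipher", "data-ciphers-fallback", "data-ciphers"):
        for args in directives.get(name, []):
            for alg in args[0].split(":"):
                if alg.upper().startswith(WEAK_CIPHER_PREFIXES):
                    findings.append(f"WARN: {name} {alg} is not recommended (TR-02102-2)")
    for args in directives.get("auth", []):
        if args[0].upper() in WEAK_HASHES:
            findings.append(f"WARN: auth {args[0]} is not recommended (TR-02102-2)")
    if not any(args[:1] == ["server"] for args in directives.get("remote-cert-tls", [])):
        findings.append("WARN: remote-cert-tls server missing; another client certificate "
                        "of the same CA could impersonate the server")
    if has("comp-lzo") != bool(server.get("comp_lzo")):
        findings.append("ERROR: LZO compression setting differs from the server")
    return findings


# Constructed sample profile (vpn.example.net is a placeholder host name).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
CONSTRUCTED-PLACEHOLDER
</cert>
<key>
CONSTRUCTED-PLACEHOLDER
</key>
<tls-auth>
CONSTRUCTED-PLACEHOLDER
</tls-auth>
"""

# Assumed server side: tls-auth with key-direction 0, no LZO compression.
SERVER = {"tls": "tls-auth", "key_direction": "0", "comp_lzo": False}


def findings_for(text, server=SERVER):
    return check_client(*parse_ovpn(text), server)


if __name__ == "__main__":
    for line in findings_for(SAMPLE_OVPN) or ["OK: no findings"]:
        print(line)
```

Run it against a profile before importing it through the Startup wizard or feeding it to the converter tool; a server that uses tls-crypt instead of tls-auth is described by changing the SERVER dict, and any ERROR line corresponds to a setting that must be harmonised with the remote terminal.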
Click on SUBMIT.
In the Network → Firewall / NAT menu, click on the add button in the IP filter section to add an IP filter exception (firewall rule) for the tunnel establishment.
Enter a meaningful Description (e.g. Tunnel establishment …) and select the Packet direction OUTPUT.
Select the IP version used for the tunnel and the Protocol used (All permits any IP version or protocol).
Select the Output interfaces used for the tunnel (All permits any interface).
Enter as Destination port the port or ports entered above for the tunnel.
Click on SUBMIT.
In the Network → Firewall / NAT menu, click on the add button in the IP filter section to add an IP filter exception (firewall rule) for the traffic sent by the router into the tunnel.
Enter a meaningful Description (e.g. Traffic from router into tunnel …) and select the Packet direction OUTPUT.
Select the IP version used for the tunnel and the Protocol used (All permits any IP version or protocol).
Select as Output interface the OpenVPN interface added above (e.g. openvpn2).
Click on SUBMIT.
In the Network → Firewall / NAT menu, click on the add button in the IP filter section to add an IP filter exception (firewall rule) for the traffic received by the router from the tunnel.
Enter a meaningful Description (e.g. Traffic from tunnel into router …) and select the Packet direction INPUT.
Select the IP version used for the tunnel and the Protocol used (All permits any IP version or protocol).
Select as Input interface the OpenVPN interface added above (e.g. openvpn2).
Click on SUBMIT.
In the Network → Firewall / NAT menu, click on the add button in the IP filter section to add an IP filter exception (firewall rule) for the traffic from the local network into the tunnel.
Enter a meaningful Description (e.g. Traffic from local network into tunnel …) and select the Packet direction FORWARD.
Select the IP version used for the tunnel and the Protocol used (All permits any IP version or protocol).
Select as Input interface the IP net of the router connected to the local network (e.g. net1).
Select as Output interface the OpenVPN interface added above (e.g. openvpn2).
Click on SUBMIT.
In the Network → Firewall / NAT menu, click on the add button in the IP filter section to add an IP filter exception (firewall rule) for the traffic from the tunnel into the local network.
Enter a meaningful Description (e.g. Traffic from tunnel into local network …) and select the Packet direction FORWARD.
Select the IP version used for the tunnel and the Protocol used (All permits any IP version or protocol).
Select as Input interface the OpenVPN interface added above (e.g. openvpn2).
Select as Output interface the IP net of the router connected to the local network (e.g. net1).
Click on SUBMIT.
Activate the profile with a click on ACTIVATE PROFILE.
Configuration via OpenVPN configuration file
The following procedure assumes that the router is already configured with the WAN (Internet) and LAN (local network) interfaces and any other required functions; the OpenVPN client is only added to this working configuration. If OpenVPN connections are already configured, this connection is added alongside them.
Please note!
As the converter tool is only available for Windows, you need a PC with the Windows operating system for configuration.
The converter tool enables the conversion of an existing OpenVPN configuration file into an ASCII configuration file, which can then be imported into the router to add the configuration of the OpenVPN client to the existing configuration.
Download the converter tool, unzip the file to your configuration PC and execute the tool.
Click in the File selection section on Load and select the OpenVPN configuration file.
[Optional] In case CA certificate, client certificate and private key are not contained in the OpenVPN configuration file or the certificates contained therein shall not be used, proceed as follows:
Check the checkbox Additional files and choose between Use individual certificates (if you have individual certificate files) and Use PKCS#12 (if the certificates are contained in a PKCS#12 container).
Upload the individual certificates or the container using the associated Load buttons.
[Optional] If the OpenVPN server uses a static key for authentication and encryption (tls-crypt) or for authentication only (tls-auth), check the checkbox Use TLS-auth/crypt and upload the key using the associated Load button.
Enter in the Interface Settings section under OpenVPN interface name a descriptive name to be given to this OpenVPN interface when it is added to the router configuration.
Select the IP network interface of the router that is connected to the local network to which you want to connect via the OpenVPN connection.
Click on Convert.
Open the user interface of the router: https://insys.icom
In the Administration → Profiles menu, click on the upload button in the ASCII configurations section and upload the ASCII configuration file created with the converter tool (the file is located in the unzipped directory of the tool).
In the list in the ASCII configurations section, click on the line of the ASCII configuration file uploaded above and select Apply ASCII configuration.
Click on APPLY ASCII CONFIGURATION.
Activate the profile with a click on ACTIVATE PROFILE.
Functional test
Open the Status → Dashboard page in the menu and observe the establishment of the WAN chain with the OpenVPN tunnel in the WAN chain section.
Troubleshooting
The status of the WAN chain and its interfaces is displayed on the Status → Dashboard page. If an interface does not reach the online state, its state can also be examined on this page.
When configuring the OpenVPN connection with the Startup wizard, only the most important settings are made; in most cases these are sufficient to establish a connection. If the connection cannot be established, check the detailed settings of the OpenVPN connection: click on the edit button in the line of the created OpenVPN interface in the OpenVPN section of the Network → Interfaces menu to check or edit the settings, and click on to extended view at the top right to show the detailed settings.
If the OpenVPN server additionally requires a static key for authentication and encryption (tls-crypt) or for authentication only (tls-auth), or a user name/password combination for authentication, these must be configured as well.
If no network traffic passes through the tunnel, the tools integrated in the router can be used for debugging.
Check the messages in the OpenVPN log in the Status → Log-View menu.
Disable the IP filters for IPv4 in the Network → Firewall / NAT menu under Settings IP filter to check whether incorrect filter settings are the reason for the connection problems. Re-enable the IP filters as soon as the test is finished; do not leave the router operating without filters.