OpenVPN Tunnel 20181121

This document provides instructions for configuring OpenVPN tunnels between Advantech routers and other devices such as Windows and Linux clients and servers. It covers tunnels with no authentication, pre-shared secret authentication, username/password authentication and X.509 certificate authentication, multi-client server tunnels, and tunnels between Advantech routers acting as both clients and servers.

APPLICATION NOTE

OpenVPN Tunnel

Used symbols
Danger – Information regarding user safety or potential damage to the router.

Attention – Problems that can arise in specific situations.

Information, notice – Useful tips or information of special interest.

Example – Example of function, command or script.

Open Source Software License


The software in this device uses various pieces of open source software governed by the
following licenses: GPL versions 2 and 3, LGPL version 2, BSD-style licenses, MIT-style
licenses. The list of components together with the complete license texts can be found on the
device itself: see the Licenses link at the bottom of the router's main Web page (General Status)
or point your browser to the address DEVICE_IP/licenses.cgi. If you are interested in obtaining
the source, please contact us at:

[email protected]

Modifications and debugging of LGPL-linked executables:

The manufacturer of the device hereby grants the right to use debugging techniques (e.g.
decompilation) and to make customer modifications of any executable linked with an LGPL
library for the customer's own purposes. Note that these rights are limited to the customer's own
usage. No further distribution of such modified executables and no transmission of the
information obtained during these actions may be done.

Advantech B+B SmartWorx s.r.o., Sokolska 71, 562 04 Usti nad Orlici, Czech Republic.
Document No. APP-0007-EN, revision from November 21, 2018. Released in the Czech Republic.


Contents

1 OpenVPN protocol
  1.1 Restrictions in Advantech routers
2 Configuration of OpenVPN tunnel
3 Router on both sides of tunnel
  3.1 OpenVPN tunnel without authentication
  3.2 OpenVPN tunnel with pre-shared secret authentication
  3.3 OpenVPN tunnel with username/password authentication
  3.4 OpenVPN tunnel with X.509 certificate authentication
4 Tunnel against WIN/Linux CLIENT
  4.1 OpenVPN tunnel configuration on the router
  4.2 OpenVPN tunnel configuration on Computer 1 with Windows
5 Tunnel against WIN/Linux SERVER
  5.1 OpenVPN tunnel configuration on the router
  5.2 Tunnel configuration on Computer 1 – Server
6 Multiclient-Server – Advantech router (CLIENT)
  6.1 OpenVPN tunnel configuration on Advantech routers
  6.2 OpenVPN server configuration
7 Multiclient-Server – Advantech router (CLIENT to CLIENT)
  7.1 OpenVPN server configuration
  7.2 OpenVPN tunnel configuration on Advantech routers
8 Creation of pre-shared key in Windows
9 Creation of certificates in Windows
  9.1 Introduction
  9.2 Generating of certificates
  9.3 Overview of the generated files
10 Recommended Literature
Appendix A: Installation of OpenVPN on Windows
Appendix B: Installation of Easy-RSA on Windows

List of Figures

1 Basic scheme
2 Configuration form for OpenVPN tunnel
3 Router on both sides of tunnel
4 Configuration of the first router – SERVER (no authentication)
5 Network Status
6 System log
7 Configuration of the first router – SERVER (pre-shared secret)
8 Network Status
9 System log
10 Configuration of the first router – SERVER (username/password)
11 Network Status
12 System log
13 Configuration of the first router – SERVER (X.509 certificate)
14 Network Status
15 System log
16 OpenVPN tunnel against Windows/Linux CLIENT
17 Router configuration
18 Network Status
19 System log
20 OpenVPN tunnel against Windows/Linux SERVER
21 Router configuration
22 Network Status
23 System log
24 OpenVPN Multiserver – Advantech router (CLIENT)
25 Configuration of Advantech router
26 OpenVPN client to client
27 Advantech router configuration
28 Network Status
29 System log
30 Generating a pre-shared key
31 Installation of OpenVPN – basic information
32 Installation of OpenVPN – license agreement
33 Installation of OpenVPN – components
34 Installation of OpenVPN – location

List of Tables

1 Configuration of OpenVPN tunnel
2 Configuration of the first router (no authentication)
3 Configuration of the second router (no authentication)
4 Configuration of the first router (pre-shared secret)
5 Configuration of the second router (pre-shared secret)
6 Configuration of the first router (username/password)
7 Configuration of the second router (username/password)
8 Configuration of the first router (X.509 certificate)
9 Configuration of the second router (X.509 certificate)
10 Router configuration
11 Router configuration
12 Overview of the generated files


1. OpenVPN protocol
OpenVPN (Open Virtual Private Network) is a means of interconnecting several computers
through an untrusted public network. The connected computers can then communicate with
each other as if they were connected to a single closed private network, which is consequently
treated as trusted. Using a client-server architecture, OpenVPN can establish a direct
connection between computers behind NAT without any NAT configuration. Clients can be
authenticated in several ways: with a pre-shared key, with a certificate, or with a username
and password.
OpenVPN uses the IANA-assigned port 1194, which is the default in newer versions. It offers
two types of virtual network interface (the universal TUN/TAP driver): a TUN interface carries
an IP tunnel on layer 3 of the ISO/OSI model, while a TAP interface is a layer-2 Ethernet tunnel
that can carry any type of frame. OpenVPN runs over the common transport protocols TCP and
UDP and is thus an alternative to IPsec.

Figure 1: Basic scheme

1.1 Restrictions in Advantech routers

• Routers can run at most four OpenVPN tunnels simultaneously.
• Routers support only the TUN adapter (no TAP, i.e. no layer-2 tunnels).
• Routers cannot be used as a multiclient server.


2. Configuration of OpenVPN tunnel

An OpenVPN tunnel provides a protected connection of up to four LAN networks to one
network. To open the OpenVPN tunnel configuration page, click OpenVPN in the Configuration
section of the main menu. The menu item expands into four separate configuration pages:
1st Tunnel, 2nd Tunnel, 3rd Tunnel and 4th Tunnel. All items are described in the following
table.

v3 routers support both IPv4 and IPv6 tunnels. v2 routers support only IPv4 tunnels.

Item                            Description

Create 1st|2nd|3rd|4th          If enabled, the tunnel is activated.
OpenVPN tunnel
Description                     Description (or name) of the tunnel.
Protocol                        Communication protocol:
                                • UDP – OpenVPN communicates using UDP
                                • TCP server – OpenVPN communicates using TCP in server mode
                                • TCP client – OpenVPN communicates using TCP in client mode
                                • UDPv6 – OpenVPN communicates using UDP over IPv6
                                • TCPv6 server – OpenVPN communicates using TCP over IPv6 in
                                  server mode
                                • TCPv6 client – OpenVPN communicates using TCP over IPv6 in
                                  client mode
UDP/TCP port                    Port of the relevant protocol (UDP or TCP).
Remote IP Address               IP address of the opposite tunnel side (a domain name can be used).
Remote Subnet                   Address of the network behind the opposite tunnel side.
Remote Subnet Mask              Subnet mask of the network behind the opposite tunnel side.
Redirect Gateway                If enabled, all traffic from the Ethernet (LAN) side is routed
                                through the tunnel.
Local Interface IP Address      IP address of the local tunnel interface.
Remote Interface IP Address     IP address of the tunnel interface on the opposite side.
Remote IPv6 Subnet              IPv6 address of the network behind the opposite tunnel side.
Remote IPv6 Subnet Mask         IPv6 subnet mask of the network behind the opposite tunnel side.
Local Interface IPv6 Address    IPv6 address of the local tunnel interface.
Remote Interface IPv6 Address   IPv6 address of the tunnel interface on the opposite side.
Ping Interval                   Interval after which the router sends a ping to the opposite side
                                of the tunnel to check that the tunnel still exists.
Ping Timeout                    Time the router waits for a message from the opposite side before
                                the tunnel is considered dead. For a meaningful check, Ping Timeout
                                must be greater than Ping Interval.
Renegotiate Interval            Renegotiation (re-keying) period of the OpenVPN tunnel. It can be
                                set only when Authenticate Mode is username/password or X.509
                                certificate. After this period the router renegotiates the session
                                keys so that a long-lived tunnel stays secure.
Max Fragment Size               Maximum size of a sent packet.
Compression                     Sent data can be compressed:
                                • none – no compression is used
                                • LZO – lossless LZO compression is used (must be set on both
                                  sides of the tunnel!)
                                Compressing encrypted traffic is known to leak information about
                                its content; leave it at none unless the opposite side requires it.
NAT Rules                       Applies NAT rules to the OpenVPN tunnel:
                                • applied – NAT rules are applied to the OpenVPN tunnel
                                • not applied – NAT rules are not applied to the OpenVPN tunnel
Authenticate Mode               Sets the authentication mode:
                                • none – no authentication; OpenVPN then runs without any key
                                  material, so the tunnel is not encrypted either
                                • Pre-shared secret – the same shared key on both sides of the
                                  tunnel
                                • Username/password – authentication using a CA certificate,
                                  username and password
                                • X.509 Certificate (multiclient) – X.509 authentication in
                                  multiclient mode
                                • X.509 Certificate (client) – X.509 authentication in client mode
                                • X.509 Certificate (server) – X.509 authentication in server mode
Pre-shared Secret               The pre-shared secret can be used with all of the offered
                                authentication modes.
CA Certificate                  The CA certificate is used in the username/password and X.509
                                certificate modes.
DH Parameters                   Diffie-Hellman parameters for the key exchange; used for X.509
                                certificate authentication in server mode.
Local Certificate               The router's own certificate; used in the X.509 certificate modes.
Local Private Key               The private key belonging to the local certificate; used in the
                                X.509 certificate modes.
Username                        Login name; used in username/password mode.
Password                        Password; used in username/password mode.
Extra Options                   Additional OpenVPN parameters, such as DHCP options.

Table 1: Configuration of OpenVPN tunnel

The changes in settings are applied after pressing the Apply button.

Tips for working with the configuration form:

• CLIENT routers must have the Remote IP Address item filled in (the server's IP address).
• For SERVER routers we recommend leaving the Remote IP Address item empty!
• When two routers face each other, one of them is the CLIENT and the other is the
  SERVER.
• It is always recommended to set the Ping Interval and Ping Timeout items.

Figure 2: Configuration form for OpenVPN tunnel

3. Router on both sides of tunnel


The figure below shows a situation where an Advantech router is on both sides of the
OpenVPN tunnel. The IP address of the SIM card in the router can be static or dynamic.

Figure 3: Router on both sides of tunnel

3.1 OpenVPN tunnel without authentication


Configuration of the first router – SERVER:

Item                           Value
Remote Subnet                  192.168.3.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.101
Remote Interface IP Address    172.16.0.102

Table 2: Configuration of the first router (no authentication)

Configuration of the second router – CLIENT:

Item                           Value
Remote IP Address              10.0.2.36
Remote Subnet                  192.168.1.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.102
Remote Interface IP Address    172.16.0.101

Table 3: Configuration of the second router (no authentication)


Figure 4: Configuration of the first router – SERVER (no authentication)

Note: The configuration of the second router is similar; the only differences are the items listed
in Table 3 Configuration of the second router (no authentication). If the NAT Rules parameter is
enabled, the rules specified in the NAT configuration form are applied to the OpenVPN tunnel.
Remember that with Authenticate Mode set to none the tunnel carries plain text; use this
setting only for testing.


After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 5: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 6: System log


3.2 OpenVPN tunnel with pre-shared secret authentication


Configuration of the first router – SERVER:

Item                           Value
Remote Subnet                  192.168.3.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.101
Remote Interface IP Address    172.16.0.102
Authenticate Mode              pre-shared secret
Pre-shared Secret              shared key, identical on both routers

Table 4: Configuration of the first router (pre-shared secret)

Configuration of the second router – CLIENT:

Item                           Value
Remote IP Address              10.0.2.36
Remote Subnet                  192.168.1.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.102
Remote Interface IP Address    172.16.0.101
Authenticate Mode              pre-shared secret
Pre-shared Secret              shared key, identical on both routers

Table 5: Configuration of the second router (pre-shared secret)

The procedure for creating the pre-shared key is described in chapter 8 Creation of pre-shared
key in Windows.


Figure 7: Configuration of the first router – SERVER (pre-shared secret)

Note: The configuration of the second router is similar; the only differences are the items listed
in Table 5 Configuration of the second router (pre-shared secret). If the NAT Rules parameter is
enabled, the rules specified in the NAT configuration form are applied to the OpenVPN tunnel.


After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 8: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 9: System log


3.3 OpenVPN tunnel with username/password authentication


Configuration of the first router – SERVER:

Item                           Value
Remote Subnet                  192.168.3.0
Remote Subnet Mask             255.255.255.0
Authenticate Mode              username/password
CA Certificate                 certificate generated by the VPN server
Username                       username assigned by the VPN server
Password                       password assigned by the VPN server

Table 6: Configuration of the first router (username/password)

Configuration of the second router – CLIENT:

Item                           Value
Remote IP Address              10.0.2.36
Remote Subnet                  192.168.1.0
Remote Subnet Mask             255.255.255.0
Authenticate Mode              username/password
CA Certificate                 certificate generated by the VPN server
Username                       username assigned by the VPN server
Password                       password assigned by the VPN server

Table 7: Configuration of the second router (username/password)

The procedure for creating certificates is described in chapter 9 Creation of certificates in
Windows.


Figure 10: Configuration of the first router – SERVER (username/password)

Note: The configuration of the second router is similar; the only differences are the items listed
in Table 7 Configuration of the second router (username/password). If the NAT Rules parameter
is enabled, the rules specified in the NAT configuration form are applied to the OpenVPN tunnel.

After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 11: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 12: System log


3.4 OpenVPN tunnel with X.509 certificate authentication


Configuration of the first router – SERVER:

Item                           Value
Remote Subnet                  192.168.3.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.101
Remote Interface IP Address    172.16.0.102
Authenticate Mode              X.509 certificate (server)
CA Certificate                 CA certificate of the VPN server
DH Parameters                  Diffie-Hellman parameters for the key exchange
Local Certificate              local certificate issued by the VPN server's CA
Local Private Key              private key belonging to the local certificate

Table 8: Configuration of the first router (X.509 certificate)

Configuration of the second router – CLIENT:

Item                           Value
Remote IP Address              10.0.2.36
Remote Subnet                  192.168.1.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.102
Remote Interface IP Address    172.16.0.101
Authenticate Mode              X.509 certificate (client)
CA Certificate                 CA certificate of the VPN server
Local Certificate              local certificate issued by the VPN server's CA
Local Private Key              private key belonging to the local certificate

Table 9: Configuration of the second router (X.509 certificate)

The procedure for creating certificates is described in chapter 9 Creation of certificates in
Windows.


Figure 13: Configuration of the first router – SERVER (X.509 certificate)


Note: The configuration of the second router is similar; the only differences are the items listed
in Table 9 Configuration of the second router (X.509 certificate). If the NAT Rules parameter is
enabled, the rules specified in the NAT configuration form are applied to the OpenVPN tunnel.
After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 14: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 15: System log


4. Tunnel against WIN/Linux CLIENT

The figure below shows a situation where an Advantech router is on one side of the OpenVPN
tunnel and a device running Windows or Linux in CLIENT mode is on the other side. The IP
address of the SIM card in the router can be static or dynamic.

Figure 16: OpenVPN tunnel against Windows/Linux CLIENT

4.1 OpenVPN tunnel configuration on the router

Item                           Value
Remote Subnet                  192.168.3.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.101
Remote Interface IP Address    172.16.0.102
Authenticate Mode              X.509 certificate (server)
CA Certificate                 CA certificate generated for the router (SERVER)
DH Parameters                  Diffie-Hellman parameters for the key exchange
Local Certificate              local certificate issued for the router (SERVER)
Local Private Key              private key belonging to the router's certificate

Table 10: Router configuration


Figure 17: Router configuration


Note: If the NAT Rules parameter is enabled, the rules specified in the NAT configuration form
are applied to the OpenVPN tunnel.
After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 18: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 19: System log


4.2 OpenVPN tunnel configuration on Computer 1 with Windows


It is necessary to perform the following configuration on the computer, which is referred to
as Computer 1 in the diagram from the beginning of this chapter.

# Computer 1: OpenVPN client (Windows), counterpart of the router configured in Table 10
remote 10.0.2.36                       # public address of the router (SERVER)
tls-client                             # X.509 authentication, client role
dev tun                                # routed (layer-3) tunnel; the router supports TUN only
pull                                   # client-side option; only matters against a multi-client server
ifconfig 172.16.0.102 172.16.0.101     # local tunnel address, remote (router) tunnel address
route 192.168.2.0 255.255.255.0 172.16.0.102   # LAN behind the router, reached through the tunnel
mute 10                                # log at most 10 consecutive messages of the same category
ca cacert.pem                          # CA that issued both the router's and this client's certificate
cert client-cert.pem                   # this client's certificate
key client-key2.pem                    # this client's private key; keep it readable by this user only
comp-lzo                               # LZO compression; must match the Compression setting on the router
verb 3


5. Tunnel against WIN/Linux SERVER

The figure below shows a situation where an Advantech router is on one side of the OpenVPN
tunnel and a device running Windows or Linux in SERVER mode is on the other side. The IP
address of the SIM card in the router can be static or dynamic.

Figure 20: OpenVPN tunnel against Windows/Linux SERVER

5.1 OpenVPN tunnel configuration on the router

Item                           Value
Remote IP Address              server.dynalias.com
Remote Subnet                  192.168.10.0
Remote Subnet Mask             255.255.255.0
Local Interface IP Address     172.16.0.102
Remote Interface IP Address    172.16.0.101
Authenticate Mode              X.509 certificate (client)
CA Certificate                 CA certificate of the VPN server
DH Parameters                  Diffie-Hellman parameters for the key exchange
Local Certificate              local certificate issued for the router
Local Private Key              private key belonging to the router's certificate

Table 11: Router configuration


Figure 21: Router configuration


Note: If the NAT Rules parameter is enabled, the rules specified in the NAT configuration form
are applied to the OpenVPN tunnel.
After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 22: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 23: System log


5.2 Tunnel configuration on Computer 1 – Server


It is necessary to perform the following configuration on the computer, which is referred to
as Computer 1 – Server in the diagram from the beginning of this chapter.

# Computer 1 – Server: OpenVPN in point-to-point TLS server mode, counterpart of the router in Table 11
local 192.168.10.2                     # address the server listens on
tls-server                             # X.509 authentication, server role
dev tun
ifconfig 172.16.0.101 172.16.0.102     # local tunnel address, remote (router) tunnel address
route 192.168.1.0 255.255.255.0 172.16.0.102   # LAN behind the router, via the router's tunnel address
mute 10                                # log at most 10 consecutive messages of the same category
ca cacert.pem                          # CA that issued both certificates
cert server.crt                        # the server's own certificate (chapter 9.3), not the client's
key server.key                         # the server's private key; readable by the OpenVPN user only
dh dh.pem                              # DH parameters from ./easyrsa gen-dh (file name assumed as Easy-RSA 3 writes it)
comp-lzo                               # must match the Compression setting on the router
verb 3
# The "pull" line of the original listing is left out: it is a client-side option and does nothing on a server.
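The caveats raised so far (Table 1: Ping Timeout greater than Ping Interval and the LZO compression option; chapter 3.1: Authenticate Mode none; the client and server listings of chapters 4.2 and 5.2) can be checked mechanically before a file is deployed. The following Python script is an added example, not part of the application note or of OpenVPN: it parses an .ovpn file into directives and reports those points, and it carries the chapter 4.2 client configuration as printed next to a hardened variant. The directive names are real OpenVPN 2.x options; the two embedded configurations are constructed samples that reuse the addresses and file names of the page.

```python
"""Static checks for an OpenVPN 2.x configuration (added example; not from the
application note).  Reports the caveats discussed in chapters 2 to 5."""
import re


def parse_ovpn(text):
    """Split config text into (directive, [args]) pairs; '#' and ';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def _int_at(args, index):
    try:
        return int(args[index])
    except (IndexError, ValueError):
        return None


def lint_ovpn(text):
    """Return a list of findings; an empty list means nothing to report."""
    entries = parse_ovpn(text)
    names = {d for d, _ in entries}

    def args_of(directive):
        return [a for d, a in entries if d == directive]

    is_server = bool(names & {"tls-server", "server"})
    is_client = bool(names & {"tls-client", "client"})
    findings = []

    # Authenticate Mode "none": with neither --secret nor TLS, OpenVPN carries
    # plaintext and logs "All encryption and authentication features disabled".
    if not names & {"secret", "tls-server", "tls-client", "server", "client"}:
        findings.append("no key material (secret/TLS): tunnel is unauthenticated and unencrypted")
    # Compressing encrypted traffic exposes its content to compression-oracle attacks.
    if names & {"comp-lzo", "compress"}:
        findings.append("compression enabled: leave it off unless the peer insists on it")
    # Diffie-Hellman group size, read from the file name (dh1024.pem in chapter 6).
    for args in args_of("dh"):
        m = re.search(r"(\d{3,4})", args[0]) if args else None
        if m and int(m.group(1)) < 2048:
            findings.append(f"dh file '{args[0]}' names a {m.group(1)}-bit group; use 2048 bits or more")
    # 'pull' is a client-side option; the chapter 5.2 listing copied it onto the server.
    if "pull" in names and is_server:
        findings.append("'pull' on the server side has no effect; the server uses 'push'")
    # Ping Timeout must exceed Ping Interval (Table 1); keepalive sets both at once.
    interval = timeout = None
    for args in args_of("keepalive"):
        interval, timeout = _int_at(args, 0), _int_at(args, 1)
    for args in args_of("ping"):
        interval = _int_at(args, 0)
    for directive in ("ping-restart", "ping-exit"):
        for args in args_of(directive):
            timeout = _int_at(args, 0)
    if interval is None and timeout is None:
        findings.append("no keepalive/ping: a dead tunnel is never noticed")
    elif interval is not None and timeout is not None and timeout <= interval:
        findings.append(f"ping timeout {timeout}s must be greater than ping interval {interval}s")
    # A TLS client must check the server certificate's role; otherwise any client
    # certificate issued by the same CA can impersonate the server.
    if is_client and not names & {"remote-cert-tls", "remote-cert-eku", "verify-x509-name", "ns-cert-type"}:
        findings.append("client does not verify the server certificate role: add 'remote-cert-tls server'")
    return findings


# Constructed sample: the chapter 4.2 client configuration as printed.
CLIENT_AS_PRINTED = """\
remote 10.0.2.36
tls-client
dev tun
pull
ifconfig 172.16.0.102 172.16.0.101
route 192.168.2.0 255.255.255.0 172.16.0.102
mute 10
ca cacert.pem
cert client-cert.pem
key client-key2.pem
comp-lzo
verb 3
"""

# Constructed sample: the same tunnel with the caveats applied.
CLIENT_HARDENED = """\
remote 10.0.2.36 1194 udp
tls-client
remote-cert-tls server   # accept only a certificate issued for the server role
dev tun
ifconfig 172.16.0.102 172.16.0.101
route 192.168.2.0 255.255.255.0
ping 10
ping-restart 60          # timeout greater than interval, as Table 1 requires
ca cacert.pem
cert client-cert.pem
key client-key2.pem
verb 3
"""
```

Running lint_ovpn(CLIENT_AS_PRINTED) reports the compression, the missing keepalive and the missing server-role check; the hardened variant reports nothing. The same function applied to the chapter 6 server listing flags dh1024.pem, and applied to the chapter 5.2 listing as originally printed flags the stray pull.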


6. Multiclient-Server – Advantech router (CLIENT)
The figure below shows a situation where an OpenVPN multi-client server is on one side of the
OpenVPN tunnel and several Advantech routers (three in this case) in CLIENT mode are on the
other side. The IP address of the SIM card in the routers can be static or dynamic.

Figure 24: OpenVPN Multiserver – Advantech router (CLIENT)


6.1 OpenVPN tunnel configuration on Advantech routers

Figure 25: Configuration of Advantech router

Note: The configuration of the other routers is similar; only the Description item differs. Each
router must nevertheless use its own certificate and private key, because the server selects a
client's configuration file by the common name of the certificate it presents (see 6.2).

6.2 OpenVPN server configuration


The configuration file (*.ovpn) stored on the server contains:
server 10.8.0.0 255.255.255.0     # multi-client mode; clients get tunnel addresses from this pool
port 1194
proto udp
dev tun
comp-lzo                          # must match the Compression setting on the routers
keepalive 10 60                   # ping every 10 s, restart after 60 s without a reply
dh dh1024.pem                     # a 1024-bit group is weak by today's standards; prefer the 2048-bit file from ./easyrsa gen-dh
ca ca.crt
key server.key
cert server.crt
ifconfig-pool-persist ipp.txt     # remember which client received which tunnel address
status openvpn-status.log
client-config-dir ccd             # per-client files, named after the certificate common name
persist-key
persist-tun
verb 3
route 192.168.1.0 255.255.255.0   # LANs behind the three routers; iroute in the ccd files maps each to its client
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

The configuration above names a client configuration directory called ccd. It is located in the
root directory of the OpenVPN installation on the server. The names of the client configuration
files stored in this directory must match the common names of the certificates generated for the
individual clients: the server looks the file up by the common name the client authenticated
with, and a client without a matching file gets no iroute, so the server cannot route its LAN. In
our case there are three configuration files with the following content:
file ccd\Client001
iroute 192.168.1.0 255.255.255.0

file ccd\Client002
iroute 192.168.2.0 255.255.255.0

file ccd\Client003
iroute 192.168.3.0 255.255.255.0


7. Multiclient-Server – Advantech router (CLIENT to CLIENT)
The figure below shows a situation where an OpenVPN server is on one side of the OpenVPN
tunnel and several Advantech routers (three in this case) in CLIENT mode are on the other
side. The IP address of the SIM card in the routers can be static or dynamic.

Figure 26: OpenVPN client to client


7.1 OpenVPN server configuration


The configuration file (*.ovpn) stored on the server contains:
server 10.8.0.0 255.255.255.0
port 1194
proto udp
dev tun
comp-lzo                          # must match the Compression setting on the routers
keepalive 10 60
dh dh1024.pem                     # a 1024-bit group is weak by today's standards; prefer the 2048-bit file from ./easyrsa gen-dh
ca ca.crt
key server.key
cert server.crt
ifconfig-pool-persist ipp.txt
status openvpn-status.log
client-config-dir ccd
client-to-client                  # forwards traffic between clients inside the server process
persist-key
persist-tun
verb 3
route 192.168.1.0 255.255.255.0
route 192.168.2.0 255.255.255.0
route 192.168.3.0 255.255.255.0

The configuration above names a client configuration directory called ccd. It is located in the
root directory of the OpenVPN installation on the server. The names of the client configuration
files stored in this directory must match the common names of the certificates generated for the
individual clients. In our case there are three configuration files with the following content
(the routes between the clients can be defined as needed; only the LANs pushed here are
reachable from a given client):
file ccd\Client1
iroute 192.168.1.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
file ccd\Client2
iroute 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
file ccd\Client3
iroute 192.168.3.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.10.0 255.255.255.0"
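Chapters 6.2 and 7.1 write the ccd files by hand, and a typo in a file name or a network address silently leaves one router unreachable. The following Python script is an added example, not part of the application note or of OpenVPN: it generates the ccd file of every client from a single table of client names and LANs, rejects names that are not safe as file names and networks with host bits set, and in the client-to-client case pushes each client the routes to the other LANs, reproducing the three files above. The client names and networks are those of chapter 7, and the server-side LAN 192.168.10.0/24 is the one pushed in the files above; the ccd directory path is whatever the server's client-config-dir points at. Whether the server should also refuse clients that have no ccd file (OpenVPN's ccd-exclusive option) is a separate decision the note does not cover.

```python
"""Generate OpenVPN client-config-dir (ccd) files for the multi-client server of
chapters 6 and 7 (added example; not from the application note)."""
import ipaddress
import re
from pathlib import Path

# A ccd file name must equal the certificate common name; restrict it to
# characters that are safe as a file name on both Windows and Linux.
SAFE_CN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def check_network(net, mask):
    """Return the network; strict=True rejects a host address such as 192.168.1.1/24."""
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)


def render_ccd(clients, shared_networks=(), client_to_client=False):
    """clients: {common_name: (network, netmask)} of the LAN behind each router.
    Returns {common_name: file_text}.  'iroute' tells the server which client
    owns a LAN (it is what stops another client from claiming that subnet); with
    client_to_client each file also pushes routes to the other clients' LANs."""
    out = {}
    for cn, (net, mask) in clients.items():
        if not SAFE_CN.match(cn):
            raise ValueError(f"common name {cn!r} is not usable as a ccd file name")
        check_network(net, mask)
        lines = [f"iroute {net} {mask}"]
        if client_to_client:
            lines += [f'push "route {n} {m}"' for other, (n, m) in clients.items() if other != cn]
        lines += [f'push "route {n} {m}"' for n, m in shared_networks]
        out[cn] = "\n".join(lines) + "\n"
    return out


def server_route_lines(clients):
    """'route' lines for the server config: the kernel must hand each client LAN
    to the tun device before 'iroute' selects the client inside OpenVPN."""
    return [f"route {n} {m}" for n, m in clients.values()]


def write_ccd(files, ccd_dir):
    """Write one file per client into ccd_dir (created if missing); returns the names written."""
    path = Path(ccd_dir)
    path.mkdir(parents=True, exist_ok=True)
    for cn, text in files.items():
        (path / cn).write_text(text)
    return sorted(files)


# Constructed sample matching the three routers of chapter 7.
CLIENTS = {
    "Client1": ("192.168.1.0", "255.255.255.0"),
    "Client2": ("192.168.2.0", "255.255.255.0"),
    "Client3": ("192.168.3.0", "255.255.255.0"),
}
SERVER_LAN = [("192.168.10.0", "255.255.255.0")]

if __name__ == "__main__":
    for name, text in render_ccd(CLIENTS, SERVER_LAN, client_to_client=True).items():
        print(f"file ccd/{name}\n{text}")
    print("\n".join(server_route_lines(CLIENTS)))
```

Calling render_ccd(CLIENTS) without client_to_client yields the iroute-only files of chapter 6.2; with client_to_client=True and SERVER_LAN it yields exactly the three files listed above.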

30
OpenVPN Tunnel

7.2 OpenVPN tunnel configuration on Advantech routers

Figure 27: Advantech router configuration


After establishing an OpenVPN tunnel, an interface tun0 and a route in the routing table of
the router are displayed on the Network Status page.

Figure 28: Network Status

Successful establishment of the OpenVPN tunnel can also be checked in the system log
(System Log item in the menu). The listing should end with the line Initialization Sequence Completed.

Figure 29: System log


8. Creation of pre-shared key in Windows

To create a pre-shared key, the OpenVPN program must be installed. The installation is
described in appendix A: Installation of OpenVPN on Windows.

The figure below shows an easy way to generate a pre-shared key; on the command line the
same is done with openvpn --genkey --secret static.key (OpenVPN 2.4 syntax). The key is
stored in a file called static.key and its content should be pasted into the Pre-shared Secret
box of the OpenVPN tunnel configuration form in the router. The file is a long-term symmetric
secret: anyone who obtains it can decrypt and inject tunnel traffic, so transfer it to the second
router over a secure channel and do not reuse one key for several tunnels.

Figure 30: Generating a pre-shared key

Example of pre-shared key:

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
52dbd2b3380dabd210e8665cf0304de8
ac53ce6bf3ac2605bd3653fd66a113a4
373d57375763de58a38992f580efb97b
817e1b6d61ffbbf559ed9d2c927cef13
39baa06de34c7b4b05df6d4971aa97d0
ec72e4465af647a89e82b335db3dcbb8
a7dd9d190960215ac137e8e2456d2deb
4446b74b3360fe5bf0ac565d4a253a78
9823fd9891db70e190926dbf557c5ad9
cbdb7c0a649a1948b3e5dccce838fc4c
fd6e12b69b7d6bea95c87ee670e85fb1
8ac594f8a9a56921bb2e423dbcd3cbad
650d1543e486ffb956e7a9780925adfe
369e32c5913674bb655b414bde5eb6a0
184c6f2a51f648285f0ab91ea2fe8a20
a9bc715fe96301af90f41f17432e79e3
-----END OpenVPN Static key V1-----
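The key pasted into the Pre-shared Secret box must be the complete block between the BEGIN and END markers, and it must be identical on both routers. The following Python code is an added example, not part of the application note or of OpenVPN: it writes a key in the same V1 format, validates a pasted key (markers, hex content, 2048-bit length, and that it is not an all-zero placeholder) before it is entered into the second router, and compares two routers' keys in constant time. The sample key it embeds is the one printed above, used only as test input; a published key must of course never be deployed.

```python
"""Generate and validate an OpenVPN static key in the "OpenVPN Static key V1"
format of chapter 8, the format 'openvpn --genkey --secret static.key' writes
(added example; not from the application note)."""
import hmac
import os
import re

KEY_BYTES = 256          # 2048-bit key: 16 lines of 32 hex digits
HEX_PER_LINE = 32
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def generate_static_key(rand=os.urandom):
    """Return the text of a fresh key file (rand is injectable for tests only)."""
    body = rand(KEY_BYTES).hex()
    lines = ["#", f"# {KEY_BYTES * 8} bit OpenVPN static key", "#", BEGIN]
    lines += [body[i:i + HEX_PER_LINE] for i in range(0, len(body), HEX_PER_LINE)]
    return "\n".join(lines + [END]) + "\n"


def parse_static_key(text):
    """Return the 256 key bytes, or raise ValueError for anything the router's
    Pre-shared Secret box should reject: missing markers, non-hex characters,
    wrong length, or an obvious placeholder instead of random material."""
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END markers missing")
    start, end = lines.index(BEGIN), lines.index(END)
    if end <= start:
        raise ValueError("END marker precedes BEGIN marker")
    hexbody = "".join(lines[start + 1:end])
    if not re.fullmatch(r"[0-9a-fA-F]*", hexbody):
        raise ValueError("non-hex characters inside the key block")
    key = bytes.fromhex(hexbody)
    if len(key) != KEY_BYTES:
        raise ValueError(f"key has {len(key) * 8} bits, expected {KEY_BYTES * 8}")
    if len(set(key)) < 32:          # 256 random bytes have ~160 distinct values
        raise ValueError("key material does not look random")
    return key


def same_key(text_a, text_b):
    """Both routers must hold the identical key; compare in constant time."""
    return hmac.compare_digest(parse_static_key(text_a), parse_static_key(text_b))


# The example key printed in chapter 8; it is public, so it is test input only.
SAMPLE_KEY = """\
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
52dbd2b3380dabd210e8665cf0304de8
ac53ce6bf3ac2605bd3653fd66a113a4
373d57375763de58a38992f580efb97b
817e1b6d61ffbbf559ed9d2c927cef13
39baa06de34c7b4b05df6d4971aa97d0
ec72e4465af647a89e82b335db3dcbb8
a7dd9d190960215ac137e8e2456d2deb
4446b74b3360fe5bf0ac565d4a253a78
9823fd9891db70e190926dbf557c5ad9
cbdb7c0a649a1948b3e5dccce838fc4c
fd6e12b69b7d6bea95c87ee670e85fb1
8ac594f8a9a56921bb2e423dbcd3cbad
650d1543e486ffb956e7a9780925adfe
369e32c5913674bb655b414bde5eb6a0
184c6f2a51f648285f0ab91ea2fe8a20
a9bc715fe96301af90f41f17432e79e3
-----END OpenVPN Static key V1-----
"""

if __name__ == "__main__":
    print(generate_static_key(), end="")
    print("sample key parses to", len(parse_static_key(SAMPLE_KEY)), "bytes")
```

A key that fails parse_static_key is rejected before it reaches the router; a key that parses on both routers but fails same_key means one side was pasted incompletely, which is the usual cause of a pre-shared-secret tunnel that never reaches Initialization Sequence Completed.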

9. Creation of certificates in Windows

To create certificates, the OpenVPN program and the Easy-RSA utility must be installed.
The installation is described in appendix A: Installation of OpenVPN on Windows and in
appendix B: Installation of Easy-RSA on Windows.

9.1 Introduction
Digital certificates are digitally signed public keys. They are issued by a certification
authority (CA). Certificates are kept in the X.509 format, which contains information such as
the owner of the public key, the certificate issuer and the digital signature. Certificates are
used to identify the counterparty when a secure connection (HTTPS, VPN, etc.) is created. On
the basis of trust transfer it is possible to trust unknown certificates signed by a trusted
certification authority; a hierarchical model is typically used. For the tunnels in this note the
trust anchor is the CA certificate uploaded to every router, so every certificate that CA has ever
signed is accepted as a peer; keep the CA key off the VPN endpoints and issue one certificate
per device.

9.2 Generating certificates

Easy-RSA first needs to initialize a directory for the Public Key Infrastructure (PKI). Multiple
PKIs can be managed with a single installation of Easy-RSA, but the default directory is called
simply "pki" unless otherwise specified.

First, open an Easy-RSA console by executing the EasyRSA-Start.bat file located in the
Easy-RSA root folder. To create a new PKI, or to clear out (re-initialize) an existing one, use the
command ./easyrsa init-pki, which creates a new, blank PKI structure ready to be used.
Once created, this PKI can be used to make a new CA or to generate keypairs.

The next step is to create a certificate authority (CA) using the command ./easyrsa
build-ca. Now it is possible to generate certificates and keys for the elements in the network
(server, client01, client02, . . . ). For the server, use the ./easyrsa build-server-full
server command. For clients, use the ./easyrsa build-client-full clientXY command, where
the clientXY term stands for a particular client (client01, client02, . . . ). It follows that the
certificates and keys must be generated for each element in the network separately.

Finally, the Diffie-Hellman parameters (DH key) need to be generated. Use the ./easyrsa
gen-dh command to generate the key file. Please note that this process may take a long time.
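The command sequence above and the file layout of table 12, as an added example that is not part of this application note or of the Easy-RSA project: the same PKI built with plain openssl (runnable from the Easy-RSA console or any POSIX shell), followed by a check worth running before the files are uploaded to the routers. The directory name pki and the commonName values Example-CA, server and client01 are assumptions.

```shell
# Added example, not Advantech's or Easy-RSA's own code: the section 9.2 sequence
# (init-pki, build-ca, build-server-full, build-client-full, gen-dh) redone with
# plain openssl, producing the pki/ layout of table 12. Names are illustrative.
set -e

# init-pki + build-ca: blank PKI tree and a self-signed CA (ca.crt, private/ca.key)
init_pki_and_ca() {
    pki=$1
    rm -rf "$pki" && mkdir -p "$pki/private" "$pki/reqs" "$pki/issued"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example-CA" \
        -keyout "$pki/private/ca.key" -out "$pki/reqs/ca.req" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$pki/ca.ext"
    openssl x509 -req -in "$pki/reqs/ca.req" -signkey "$pki/private/ca.key" \
        -days 3650 -sha256 -extfile "$pki/ca.ext" -out "$pki/ca.crt" 2>/dev/null
}

# build-server-full / build-client-full: key, request and CA-signed certificate for
# $2 = commonName, $3 = server|client (extensions mirror Easy-RSA's x509-types files)
build_full() {
    pki=$1; name=$2; kind=$3
    if [ "$kind" = server ]; then eku=serverAuth; else eku=clientAuth; fi
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$pki/private/$name.key" -out "$pki/reqs/$name.req" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nnsCertType=%s\n' \
        "$eku" "$kind" > "$pki/$name.ext"
    printf 'keyUsage=digitalSignature,keyEncipherment\n' >> "$pki/$name.ext"
    openssl x509 -req -in "$pki/reqs/$name.req" -CA "$pki/ca.crt" \
        -CAkey "$pki/private/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$pki/$name.ext" -out "$pki/issued/$name.crt" 2>/dev/null
    rm -f "$pki/$name.ext"
}

# gen-dh: Diffie-Hellman parameters for the server (slow, as section 9.2 warns)
gen_dh() { openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null; }
# Pre-upload check: the certificate must chain to ca.crt and carry the extended key
# usage of its role, so a client certificate is never installed as the server's.
check_cert() {
    pki=$1; name=$2; kind=$3
    openssl verify -CAfile "$pki/ca.crt" "$pki/issued/$name.crt" >/dev/null
    if [ "$kind" = server ]; then eku="TLS Web Server Authentication"
    else eku="TLS Web Client Authentication"; fi
    openssl x509 -in "$pki/issued/$name.crt" -noout -text | grep -q "$eku"
}
# Run as:  sh pki.sh run   (builds ./pki with server, client01 and dh.pem)
if [ "${1:-}" = run ]; then
    init_pki_and_ca pki && build_full pki server server && build_full pki client01 client
    check_cert pki server server && check_cert pki client01 client && gen_dh pki
fi
```

The files land in the same places as in table 12 (issued\, private\, reqs\, ca.crt, dh.pem), so the same upload rules apply.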

9.3 Overview of the generated files


The following table describes the meaning of the generated files, their location and where
each of them is to be uploaded (to the server or to the client).

File location         Description                         To be uploaded to

issued\server.crt     Signed certificate of VPN server    server
private\server.key    Private RSA key of VPN server       server
reqs\server.req       Request for signing                 server (not required)
issued\client01.crt   Signed certificate of VPN client    client
private\client01.key  Private RSA key of VPN client       client
reqs\client01.req     Request for signing                 server (not required)
private\ca.key        Private key of the CA               keep in a secret and secure repository
ca.crt                CA certificate                      clients and server
dh.pem                Diffie-Hellman parameters (DH key)  server only
Table 12: Overview of the generated files

10. Recommended Literature


[1] Advantech B+B SmartWorx: v2 Routers Configuration Manual (MAN-0021-EN)
[2] Advantech B+B SmartWorx: SmartFlex Configuration Manual (MAN-0023-EN)
[3] Advantech B+B SmartWorx: SmartMotion Configuration Manual (MAN-0024-EN)
[4] Advantech B+B SmartWorx: SmartStart Configuration Manual (MAN-0022-EN)
[5] Advantech B+B SmartWorx: ICR-3200 Configuration Manual (MAN-0042-EN)

Product related documents can be obtained on the Engineering Portal at the
https://ep.advantech-bb.cz/ address.

Appendix A: Installation of OpenVPN on Windows

The OpenVPN installation file can be downloaded from the following address:
https://openvpn.net/index.php/download/community-downloads.html.

Open the downloaded installation file; the following window will be displayed.

Figure 31: Installation of OpenVPN – basic information

Press the Next button, read the license agreement (see figure 32) and then press the Next button
again. A window is now displayed in which it is possible to select the components that
will be included in the installation of the OpenVPN program (see figure 33).

Figure 32: Installation of OpenVPN – license agreement

Figure 33: Installation of OpenVPN – components

Before starting the installation, it is necessary to select the directory in which the OpenVPN
program will be installed. To start the installation press the Install button and wait for the
process to complete. Finally, press the Next button and then the Finish button.

Figure 34: Installation of OpenVPN – location

Appendix B: Installation of Easy-RSA on Windows
Easy-RSA is a utility for managing an X.509 Public Key Infrastructure (PKI). The official
Windows release also comes bundled with the programs necessary to use Easy-RSA. The
shell code attempts to limit the number of external programs it depends on. Crypto-related
tasks use openssl as the functional backend.
The Easy-RSA utility was installed along with OpenVPN in version 2.2.x and earlier. Since
OpenVPN version 2.3.x the Easy-RSA utility has to be installed separately. It can be
downloaded from the https://github.com/OpenVPN/easy-rsa address.
Easy-RSA's main program is a script, supported by a couple of config files. As such, there
is no formal "installation" required. Preparing to use Easy-RSA is as simple as downloading
the compressed package and extracting it to a location of your choosing. There is no compiling
or OS-dependent setup required.
You should install and run Easy-RSA under a non-root (non-Administrator) account, as root
access is not required. The installation package also includes the doc folder containing the
documentation for the Easy-RSA utility.
A Public Key Infrastructure (PKI) describes the collection of files and associations between
the CA, keypairs, requests, and certificates. An Easy-RSA PKI contains the following directory
structure:

• private\ – Dir with private keys generated on this host.

• reqs\ – Dir with locally generated certificate requests (for a CA, imported requests are
stored here).

In a clean PKI no files exist yet, just the bare directories. Commands called later will
create the necessary files depending on the operation. When building a CA, a number of new
files are created by a combination of Easy-RSA and (indirectly) openssl. The important CA
files are:

• ca.crt – This is the CA certificate.

• index.txt – This is the "master database" of all issued certs.

• serial – Stores the next serial number (serial numbers increment).

• private\ca.key – This is the CA private key (security-critical).

• certs_by_serial\ – Dir with all CA–signed certs by serial number.

• issued\ – Dir with issued certs by commonName.

Easy-RSA 3 no longer needs any configuration file prior to operation, unlike earlier versions.
However, the vars.example file contains many commented options that can be used
to control non-default behavior as required. Reading this file will provide an idea of the basic
configuration available. Note that a vars file must be named just vars (without an extension) to
be actively used. It is not necessary to use this config file unless you wish to change operational
defaults. These defaults should be fine for many uses without the need to copy and edit the
vars file.
Invoking Easy-RSA is done through your preferred shell. Under Windows, you will use the
EasyRSA-Start.bat program to provide a POSIX-shell environment suitable for using Easy-RSA.
The basic format for running commands is ./easyrsa command [cmd-opts], where command
is the name of a command to run, and cmd-opts are any options to supply to the command.
Some commands have mandatory or optional cmd-opts. Note the leading ./ component of the
command. This is required in Unix-like environments and may be a new concept to some
Windows users.
General usage and command help can be shown with ./easyrsa help [command]. When
run without any command, general usage and a list of available commands are shown; when
a command is supplied, detailed help output for that command is shown.
