TechNote-RemoteAccess via Router as OpenVPN ... - Weidmüller



Technical note „Remote access using a Router as OpenVPN-Server“
Version 1.00, November 20, 2012 / HJH
Copyright © 2012 Weidmüller Interface GmbH & Co. KG
All rights reserved. Reproduction without permission is prohibited.
Page 1 of 47

Remote access scenario using Weidmüller Routers running as OpenVPN-Server

This application scenario is described and tested using the Weidmüller Routers IE-SR-2GT-LAN and IE-SR-2GT-UMTS/3G.



Contents

1. General description of application requirements ... 2
1.1 Technical requirements and solution approach ... 2
1.2 Summary of technical aspects to implement the scenario „Remote access using Weidmüller-Router as OpenVPN-Server“ ... 4
1.3 Implementing a simple test scenario ... 4
1.4 General notes on implementing the remote access scenario ... 6
2. Creating certificates (Step 1) ... 7
3. Configuring the Routers of remote networks 1 and 2 running as OpenVPN-Server (Step 2) ... 7
4. Configuration of the Service-PC's running as OpenVPN-Clients (Step 3) ... 17
4.1 Preparing the installation of OpenVPN software ... 17
4.2 Creating the configuration files for Service-PC 1 ... 19
4.3 Creating the configuration files for Service-PC 2 ... 21
4.4 Creating the configuration file for Service-PC 3 ... 23
5. Take the test scenario into operation (Step 4) ... 24
5.1 Status of the OpenVPN-Servers (Router) ... 24
5.2 Activating OpenVPN-Client connections on Service-PC's ... 24
5.3 Testing the remote accessibility from Service-PC 1 to a device from remote network 1 ... 27
Appendix ... 28
A. Guidance for creating and administrating certificates (X.509) by using the program XCA (Release 0.93) ... 28
A1. Download and installation of XCA ... 28
A2. Create a new database for certificate management ... 29
A3. Creating a template for the CA certificate (Root) ... 30
A4. Creating the template to be used for productive Server certificates ... 32
A5. Creating the template to be used for productive Client certificates ... 33
A6. Creating the productive CA certificate (Root) ... 35
A7. Creating the productive Server certificate ... 38
A8. Creating the productive Client certificate for PC1 ... 41
A9. Exporting the certificates for OpenVPN-Server and OpenVPN-Clients ... 45







1. General description of application requirements

Remote Ethernet devices need to be accessed by secured VPN connections for maintenance reasons. To generally allow a connection to a remote Ethernet network, it can be equipped either with a DSL-based Internet connection or alternatively be accessible by a mobile Internet connection.

The Service-PC's should be able to access the remote network by Internet from any location and at any time.

For cost reasons, easy installation/configuration and flexible use of the remote access scenario, the Open Source software "OpenVPN" should be used.


1.1 Technical requirements and solution approach

In this scenario 2 remote machine networks should be able to be maintained by 3 Service-PC's. The Router at remote network 1 will be connected to the Internet by a DSL connection. You need an external DSL modem which has to be connected to the WAN-Port (configured as PPPoE) of the Router. The Router at remote network 2 will be connected to the Internet by a mobile (3G) connection. Both Routers at the remote networks will be configured to run as OpenVPN-Servers.

Ensure for both cases that the Routers (OpenVPN-Server) can be accessed by a public IP address from the Internet. Ideally use static IP addresses.

Currently the Weidmüller-Routers only support the dynamic DNS service "dyndns.org" if you decide to use dynamic Internet IP addresses.

The Service-PC's will be configured as OpenVPN-Clients using the free Open Source software "OpenVPN". PC 1 and PC 2 should be able to access both remote networks while PC 3 should only have the right to access remote network 1.


Figure 1: Overview remote access scenario running Weidmüller-Routers as OpenVPN-Server

Labels recoverable from the figure:
- Task: Remote Ethernet devices have to be accessed by Service-PC's using OpenVPN-based Internet connections.
- Solution: Use a Weidmüller Router with a publicly accessible IP address configured as OpenVPN-Server to allow a secured communication between the Service-PC's and the Ethernet devices behind the LAN-Port of the Router.
- Note: Both Routers at customer side must be accessible via Internet using public IP addresses.
- Service-PC 1 (located in the network of the maintenance company, behind the corporate firewall) and Service-PC 2 (mobile notebook with 3G stick, dynamic IP address provided by the 3G provider) each have 2 configured VPN-Client sessions to connect to the OpenVPN-Servers at remote networks 1 and 2. Service-PC 3 (home PC/notebook located at a home office with DSL Internet behind a home-office DSL router/firewall) has 1 configured VPN-Client session to connect to the OpenVPN-Server at remote network 1.
- Remote network 1 (192.168.10.0/24): Weidmüller-Router configured as firewall and OpenVPN-Server; WAN-Port with public IP address assigned by the Internet provider, connected to a DSL modem by PPPoE (DSL connection with public, static IP address); LAN-Port 192.168.10.254 / 255.255.255.0.
- Remote network 2 (192.168.10.0/24): Weidmüller-Router configured as firewall and OpenVPN-Server; UMTS/3G-Port with public IP address assigned by the 3G provider; WAN-Port not connected; LAN-Port 192.168.10.254 / 255.255.255.0.
- Machines behind each Router (switched network): Machine 1 192.168.10.11, Machine 2 192.168.10.12, Machine n 192.168.10.??, each with net mask 255.255.255.0 and GW 192.168.10.254.
- Example LAN IP addresses of the Service-PC's: 192.168.1.15 / 255.255.255.0 and 10.94.1.15 / 255.255.255.0.
- OpenVPN network 10.8.1.0 / 255.255.255.0 for the VPN tunnels to both remote networks (physical connection and VPN tunnel are drawn separately).






















































Figure 2: Detailed drawing of remote access application scenario





1.2 Summary of technical aspects to implement the scenario „Remote access using Weidmüller-Router as OpenVPN-Server“

1.2.1 The OpenVPN implementation is based on the same free Open Source software „OpenVPN“ and will be used for the Windows-based OpenVPN-Clients and the Router-OpenVPN-Server.

1.2.2 The OpenVPN technology (Client and Server) is already implemented in the firmware of the Weidmüller-Routers.

1.2.3 Any standard Windows computer (XP or Windows 7) can be used as OpenVPN-Client.

1.2.4 Only the OpenVPN-Servers (Routers) have to be accessible by a public IP address to ensure that all OpenVPN-Clients (Service-PC's) can connect to the OpenVPN-Servers.

1.2.5 For security reasons OpenVPN connections will always be configured using X.509-based certificates (encoded files) for authentication. The needed certificates (CA = Root certificate, Server and Client certificates) can be created and maintained by using the Windows-based freeware XCA. A detailed explanation about using certificates can be found in appendix A at the end of this document.

1.2.6 Each Router (OpenVPN-Server) has to be set up with the same server certificate.

1.2.7 For Service-PC 1 and Service-PC 2 we have to configure 2 OpenVPN configuration files to access both remote networks 1 and 2. On each of these PC's only one client certificate will be used to access both remote networks. On Service-PC 3 only 1 OpenVPN configuration file has to be configured because we only want to access remote network 1 with this PC. Also only one client certificate is needed. Generally only 1 OpenVPN session can be active on a Service-PC at a time.

1.2.8 A Layer-3-Tunnel (IP-Routing) is used for OpenVPN connections.

1.2.9 The IP address of the physical Ethernet interface of a Service-PC may not be in the same IP address range as a target machine network at customer side (behind the Router). In this case a Service-PC would not route to the machine network over the VPN tunnel because this network is already known as its local network.

1.2.10 By default the Service-PC's and the Routers communicate over their Ethernet interfaces using their configured IP addresses. If these devices establish a VPN tunnel they additionally use a new virtual Ethernet interface with their own VPN-based IP addresses and net mask. The IP address and net mask of the virtual VPN-Ethernet-Interface of an OpenVPN-Client (Service-PC) will be assigned by the OpenVPN-Server (Router). In our example the VPN IP address range 10.8.1.0 with net mask 255.255.255.0 will be used for communication between remote networks 1 and 2 and the Service-PC's. The IP address of each OpenVPN client will be assigned dynamically by the OpenVPN-Server using the range 10.8.1.10 to 10.8.1.20. The OpenVPN-Server itself will always have the first IP address of a defined OpenVPN network; in this example the IP address 10.8.1.1 will be assigned for both Routers of remote networks 1 and 2.

1.2.11 IP addresses provided by 3G Internet providers typically are dynamic and not visible. They are NATted (masqueraded) and for this reason they cannot be accessed from the Internet by other Ethernet devices. Please check if your provider is able to provide a SIM card with a static and public IP address. If the remote networks are located in Germany, e.g. the service provider mdex is able to provide publicly accessible IP addresses for mobile connections.
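The addressing rules of 1.2.9 and 1.2.10 can be checked before a Service-PC is connected. The following Python script is an added example and not part of the technical note; the networks, the server address 10.8.1.1 and the client pool 10.8.1.10 to 10.8.1.20 are the values used here, the Service-PC LAN addresses passed in are constructed samples, and the check rules are the example's own reading of the two paragraphs.

```python
"""Addressing-plan checks for the OpenVPN remote-access scenario.

Added example, not part of the Weidmüller technical note. It encodes the
rules of sections 1.2.9 and 1.2.10: a Service-PC must not sit in the same
IP range as the remote machine network behind the Router, the OpenVPN
network must not overlap either side, the OpenVPN-Server takes the first
address of the VPN network and the clients get addresses from a pool
inside it that must not contain the server address.
"""
from ipaddress import IPv4Address, IPv4Network

# Values from the technical note (figure 1 / section 1.2.10).
REMOTE_NETWORK = "192.168.10.0/24"      # machine network behind the Router
VPN_NETWORK = "10.8.1.0/24"             # virtual OpenVPN network
VPN_SERVER = "10.8.1.1"                 # Router's virtual OpenVPN-Server address
CLIENT_POOL = ("10.8.1.10", "10.8.1.20")  # dynamic range for OpenVPN-Clients


def check_addressing(pc_lan, remote_net=REMOTE_NETWORK, vpn_net=VPN_NETWORK,
                     vpn_server=VPN_SERVER, pool=CLIENT_POOL):
    """Return a list of findings; an empty list means the plan is consistent.

    pc_lan is the Service-PC's physical interface in CIDR notation, for
    example '192.168.1.15/24' (strict=False keeps the host bits).
    """
    findings = []
    local = IPv4Network(pc_lan, strict=False)
    remote_net = IPv4Network(remote_net)
    vpn_net = IPv4Network(vpn_net)
    vpn_server = IPv4Address(vpn_server)
    first, last = IPv4Address(pool[0]), IPv4Address(pool[1])

    # 1.2.9: if the local LAN overlaps the machine network, the PC treats
    # 192.168.10.x as directly connected and never sends it into the tunnel.
    if local.overlaps(remote_net):
        findings.append(f"local LAN {local} overlaps remote network {remote_net}; "
                        "traffic to the machines would not use the VPN tunnel")

    # The virtual VPN network must be distinct from both physical networks.
    if vpn_net.overlaps(local):
        findings.append(f"VPN network {vpn_net} overlaps local LAN {local}")
    if vpn_net.overlaps(remote_net):
        findings.append(f"VPN network {vpn_net} overlaps remote network {remote_net}")

    # 1.2.10: the server always has the first IP address of the VPN network.
    if vpn_server != next(vpn_net.hosts()):
        findings.append(f"server address {vpn_server} is not the first address of {vpn_net}")

    # The client pool must lie inside the VPN network and exclude the server.
    if first not in vpn_net or last not in vpn_net or first > last:
        findings.append(f"client pool {first}-{last} is not inside {vpn_net}")
    elif first <= vpn_server <= last:
        findings.append(f"client pool {first}-{last} contains the server address {vpn_server}")
    return findings


def pool_size(pool=CLIENT_POOL):
    """Number of client addresses the Router can hand out from the pool."""
    return int(IPv4Address(pool[1])) - int(IPv4Address(pool[0])) + 1


if __name__ == "__main__":
    # Constructed sample Service-PC addresses: the second one violates 1.2.9.
    for lan in ("192.168.1.15/24", "192.168.10.15/24"):
        print(lan, "->", check_addressing(lan) or "OK")
```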


1.3 Implementing a simple test scenario

To easily build up a simplified test application based on the scenario illustrated above, the following pages describe an application where the Internet connections (DSL and 3G) between the OpenVPN-Servers (Routers) and OpenVPN-Clients (Service-PC's) are replaced by a simple switched network. In this test case all involved OpenVPN participants are connected directly to the same network range 172.16.1.0/24.

The configuration of the Routers and Service-PC's is basically the same as for the real application.

The illustration in figure 3 will be used as a basis for implementing the test scenario.






Figure 3: Illustration of the test scenario for doing an inhouse test




1.4 General notes on implementing the remote access scenario

These are the main steps to be done to implement the scenario:

Step 1: Create the needed certificates (CA certificate, Server certificate and Client certificates) using the freeware tool XCA.

Step 2: Configuration of the Routers at remote networks 1 and 2 running as OpenVPN-Server.

Step 3: Configuration of the Service-PC's (Windows XP or 7) running as OpenVPN-Clients.

Step 4: Take the test scenario into operation.

To simulate a remote machine/PLC to be accessed by a Service-PC you can use an additional computer which should be connected to the LAN-Port of "Router at network 1" or "Router at network 2" alternatively. Configure this device with the IP settings of "Machine 1" as illustrated in figure 3. The aim of the scenario is that a remote maintenance computer can reach the IP address of this computer (e.g. 192.168.10.11). This can be verified by sending a ping request.

If only 1 Weidmüller-Router is available for testing the scenario described below, you can omit the configuration of the Router of remote network 2 and the corresponding OpenVPN-Client configuration files which refer to OpenVPN access to remote network 2.


























Step-by-Step-Guidance

2. Creating certificates (Step 1)

For security reasons the OpenVPN connections always have to be used with certificate authentication. This has to be done first.

The needed certificates (Certificate Authority/CA, Server certificate and Client certificate) can easily be created by using the freeware tool XCA.

Please refer to the detailed explanation in appendix A at the end of this document.

Use the names listed below for the certificates of this test application.

Certificate Authority (CA = root certificate)
  Internal name = myCompany_OpenVPN_CA
  commonName = myCompany_OpenVPN_CA

OpenVPN Server certificate (only 1 is needed for both Routers)
  Internal name = Router_Server_RNetworks
  commonName = Router_Server_RNetworks

OpenVPN Client certificates used for…        <Internal Name>      <commonName>
  PC 1 to access remote network 1            PC1_VPN_RNetworks    PC1_VPN_RNetworks
  PC 1 to access remote network 2            PC1_VPN_RNetworks    PC1_VPN_RNetworks
  PC 2 to access remote network 1            PC2_VPN_RNetworks    PC2_VPN_RNetworks
  PC 2 to access remote network 2            PC2_VPN_RNetworks    PC2_VPN_RNetworks
  PC 3 to access remote network 1            PC3_VPN_RNetworks    PC3_VPN_RNetworks

Now create the needed certificates with XCA and do a file export of the server certificate and all client certificates according to the guidance in appendix A.



3. Configuring the Routers of remote networks 1 and 2 running as OpenVPN-Server (Step 2)

The configurations of the Routers (at remote networks 1 and 2) are mostly identical. The specific differences will be shown explicitly in the following description.

Starting situation

The routers are set to factory default values and can be accessed either using the LAN port by IP address 192.168.1.110 or using the WAN port by IP address 192.168.2.110.

3.1 Connect the configuration PC to the router using the LAN Port (this port will be used in the example).







Use autonegotiation on the Ethernet interface of the PC.

3.2 Change the IP address of the PC to one of the range 192.168.1.0/24
  e.g. IP address: 192.168.1.99
  Subnet mask: 255.255.255.0
  Default gateway: can be left blank due to the direct cable connection

3.3 Start a Web browser and login into the Web Interface of the router (http://192.168.1.110)
  User: admin
  Password: Detmold

Figure 4: Login page of the router (equivalent with menu Diagnostics → System State)

3.4 Set the basic IP configuration (according to the illustration for inhouse testing in figure 3)

Select menu Configuration → IP configuration





Figure 5: Screenshot of menu IP configuration with factory default parameters

Configure the fields of the menu IP configuration as shown below.

Values for Router 1 (OpenVPN-Server at remote network 1)
  Operational mode: IP router
  IP address parameters WAN Port: static, 172.16.1.20, 255.255.255.0 (Class C), NAT (masquerading) not set (leave checkbox empty)
  IP address parameters LAN Port: static, 192.168.10.254, 255.255.255.0 (Class C), NAT (masquerading) not set (leave checkbox empty)
  Default gateway: can be left blank

Values for Router 2 (OpenVPN-Server at remote network 2)
  Operational mode: IP router
  IP address parameters WAN Port: static, 172.16.1.21, 255.255.255.0 (Class C), NAT (masquerading) not set (leave checkbox empty)
  IP address parameters LAN Port: static, 192.168.10.254, 255.255.255.0 (Class C), NAT (masquerading) not set (leave checkbox empty)
  Default gateway: can be left blank





Figure 6: Screenshot of menu IP configuration with parameters of Router 1

Click button "Apply settings" to activate the new settings.

Now the configured parameters will be activated (but not saved). Please keep in mind that you have now lost the router connection due to changing the IP address range of your connected LAN port.

3.5 Change the IP address of the PC according to the configured LAN network 192.168.10.0/24

To reconnect to the router now set the IP address of the PC to the new values
  IP address: 192.168.10.99
  Subnet mask: 255.255.255.0
  Default gateway: 192.168.10.254 (Router's LAN IP address)

3.6 Again login to the Web Interface of the router using a Web browser

Use IP address 192.168.10.254 (http://192.168.10.254) on the LAN port
  User: admin
  Password: Detmold

3.7 Set date and time of router clock

Now we have to update date and time of the router. This is necessary because the validity of certificates is based on date and time.

Select menu Configuration → General settings → Date & time
Select current date and time
Click button <Apply settings>

(Screenshot callout: menu IP configuration of the router according to the test scenario)




Figure 7: Screenshot of menu "Date & time"

3.8 Uploading certificate for OpenVPN-Client authentication into Router

Goto menu Configuration → General settings → Certificates

Figure 8: Screenshot of menu Certificates with factory default demo certificates

For the Router of remote network 1 upload certificate <Router_VPN_Server_RNetworks.p12> created by program XCA.

For the Router of remote network 2 upload the same certificate <Router_VPN_Server_RNetworks.p12> created by program XCA.







Click button "Browse" and select the certificate from the upload media (local file directly or USB stick).

The input field "Certificate password for validation" can be left blank unless you have set a password for the selected certificate. A password can be set when you export the certificate as a file from the program XCA.

Click button <Upload certificate>

Figure 9: Screenshot after loading the Server certificate <Router_VPN_Server_RNetworks.p12>

Note: The loaded certificate file <Router_VPN_Server_RNetworks.p12> will be displayed with the new extension ".pem".

It is important that the value of the validity status is <valid>. If the current date and time of the router do not match the validity time of the certificate then the certificate will be marked as <not valid>.

3.9 Configuring the OpenVPN-Server connection

Goto menu Configuration → VPN → OpenVPN

(Screenshot callouts: "This entry shows the part of the Root-CA (certificate authority) from which the server certificate is derived. Only for information." and "This is the real server certificate which will be used for the VPN connections.")




Figure 10: Screenshot of factory default setting of menu OpenVPN

Now we are going to add a new OpenVPN-Server connection.

Goto section "Add a new OpenVPN entry" and enter the following data:

Values for both Routers 1 and 2 (OpenVPN-Server at remote network 1)
  Server/Client: Server
  Protocol: UDP
  Layer: L3 IP standalone Interface
  Certificate: Router_VPN_Server_RNetworks_cl.pem

This scenario is based on firmware version 2.2.7 / Build 62350. In this firmware the OpenVPN port 1194 will be set automatically because this is the standard port number for OpenVPN connections. The upcoming firmware update will allow any port number to be used for OpenVPN connections.







Figure 11: Screenshot showing where to add a new OpenVPN connection

Click button <Add entry>

Figure 12: Screenshot of added OpenVPN-Server connection








Click entry <Not yet configured> to set the VPN IP address of the OpenVPN-Server.

The menu <IP configuration> will be displayed to enter the VPN-IP-address of the VPN-Server.

Figure 13: Screenshot of menu <IP configuration> showing the new VPN network interface L3-VPN1

Add VPN-IP-address 10.8.1.1 and network mask 255.255.255.0 of the virtual OpenVPN-Server interface (L3-VPN1) as shown above.

Click button <Apply settings>

Go back to the menu "OpenVPN" (<IP configuration> → <VPN> → <OpenVPN>)




Figure 14: Screenshot showing additional OpenVPN parameters

Open the 2 sections <IP address pool settings for OpenVPN-Server> and <Additional settings>.

Fill the entries as marked in the screenshot above.

Click button <Apply settings> to activate the OpenVPN-Server session.

Now the Router is ready to accept an incoming OpenVPN-Client connection.

Change to tab <State> to verify that the OpenVPN-Server (Master) is active now.

Figure 15: Tab <State> of menu <OpenVPN> showing an active Master but without client connections




3.10 Saving the router configuration

Goto menu System → Save

Click button <Save settings> to store the current configuration into the flash memory of the router.

Figure 16: Screenshot of menu <System> → <Save> showing a currently saved configuration

If you have changed and activated a configuration parameter then a blinking disc-icon will be displayed in the upper left corner of the menu tree. By clicking this icon the Web interface directly jumps into the menu "Save". The blinking of the disc-icon will be turned off as soon as the configuration is saved.

The configuration of the Router is now completed!

4. Configuration of the Service-PC's running as OpenVPN-Clients (Step 3)

This chapter describes the configuration of all Service-PC's running as OpenVPN-Clients. In this example the use of a notebook with operating system Windows 7 will be explained. The differences between the Service-PC's will be indicated explicitly.

4.1 Preparing the installation of OpenVPN software

4.1.1 Download the software OpenVPN 2.2.2 from the internet (or a newer released version).

Before installation please consider the following aspects:

You need administration rights for installation.







The configuration of an OpenVPN client generally will not be done by a graphical user interface. OpenVPN connections have to be configured by creating and editing text files using the extension ".ovpn". A created configuration file (e.g. OpenVPN_Client.ovpn) has to be stored into a subdirectory named "config" of the installed OpenVPN software. By default the software will be installed in C:\Program Files\OpenVPN with subdirectory config.

If you are using a Windows 7 PC then first you have to grant the rights for saving files into the config directory. If you do not want to change the access rights of the "config" directory, the OpenVPN software can alternatively be installed in a separate directory (e.g. c:\OpenVPN instead of c:\program files\OpenVPN).

4.1.2 Install the software "OpenVPN" with default parameters. If required, only change the target directory for program installation as described above. Afterwards you will find a new menu entry "OpenVPN" (with several submenus) under programs. Additionally a new virtual Ethernet interface named "Tap-Win32 Adapter V9" will be installed during installation of the OpenVPN-Software (see Control Panel → Network and Sharing Center → Change adapter settings).

Now configure the OpenVPN-Client sessions according to the following description.

4.1.3 Click button Start → All Programs → OpenVPN → Shortcuts → OpenVPN configuration file directory

Figure 17: OpenVPN in the Start-Menu after the installation

The <config> directory will be shown, which only contains the file Readme.txt after the installation. This file can be deleted.

Figure 18: Empty config-directory after installation of the OpenVPN-Software







4.2 Creating the configuration files for Service-PC 1

First we create the file <PC1_VPN_RN1.ovpn> which will be used to access remote network 1.

4.2.1 Start a text editor to create a new text-based file

4.2.2 Copy the grey marked lines below into the open file

Content of file <PC1_VPN_RN1.ovpn>

##################################################################
# Configuration of OpenVPN-Client PC 1 to access remote network 1
##################################################################

# This session will run as OpenVPN-Client
client

# Use TAP-device for VPN-Interface (will always be used for Point-to-Multipoint connections)
dev tap

# We will use protocol UDP for VPN traffic
proto udp

# Physical IP address of remote OpenVPN-Server (Router of network 1) is 172.16.1.20
# We will use the standard OpenVPN port 1194
remote 172.16.1.20 1194

# Use this certificate (must be located in the config directory)
pkcs12 PC1_VPN_RNetworks.p12

# General parameters for OpenVPN connections
resolv-retry infinite
nobind

# If a temporarily interrupted connection between OpenVPN-Client and OpenVPN-Server can
# be reactivated then the previously negotiated key and session parameters will be used again.
persist-key
persist-tun

# Use adaptive data compression (default)
comp-lzo

# Parameter how detailed status messages will be displayed and stored into the logging
# file (between 1 to 6)
verb 3
##################################################################

4.2.3 Save the edited file as <PC1_VPN_RN1.ovpn> into the subdirectory <config>

4.2.4 Copy the client certificate <PC1_VPN_RN1.p12>, created by program XCA, into subdirectory <config>







Now we create the file <PC1_VPN_RN2.ovpn> which will be used to access remote network 2.

4.2.5 Start a text editor to create a new text-based file.

4.2.6 Copy the below grey marked lines into the open file.

Content of file <PC1_VPN_RN2.ovpn>:

##################################################################
# Configuration of OpenVPN-Client PC 1 to access remote network 2
##################################################################

# This session will run as OpenVPN-Client
client

# Use TAP-device for VPN-Interface (will always be used for Point-to-Multipoint connections)
dev tap

# We will use protocol UDP for VPN traffic
proto udp

# Physical IP address of remote OpenVPN-Server (Router of network 2) is 172.16.1.21
# We will use the standard Open VPN port 1194
remote 172.16.1.21 1194

# Use this certificate (must be located in the config directory)
pkcs12 PC1_VPN_RNetworks.p12

# General parameters for OpenVPN connections
resolv-retry infinite
nobind

# If a temporarily interrupted connection between OpenVPN-Client and OpenVPN-Server can
# be reactivated then the previously negotiated key and session parameters will be used again.
persist-key
persist-tun

# Use adaptive data compression (default)
comp-lzo

# Parameter how detailed status messages will be displayed and stored into the logging
# file (between 1 to 6)
verb 3
##################################################################

4.2.7 Save the edited file as <PC1_VPN_RN2.ovpn> into the subdirectory <config>.

4.2.8 Copy the client certificate <PC1_VPN_RN2.p12>, created by program XCA, into subdirectory <config>.







Figure 19: Screenshot of finished <config> directory of Service-PC 1

4.3 Creating the configuration files for Service-PC 2

First we create the file <PC2_VPN_RN1.ovpn> which will be used to access remote network 1.

4.3.1 Start a text editor to create a new text-based file.

4.3.2 Copy the below grey marked lines into the open file.

Content of file <PC2_VPN_RN1.ovpn>:

##################################################################
# Configuration of OpenVPN-Client PC 2 to access remote network 1
##################################################################

# This session will run as OpenVPN-Client
client

# Use TAP-device for VPN-Interface (will always be used for Point-to-Multipoint connections)
dev tap

# We will use protocol UDP for VPN traffic
proto udp

# Physical IP address of remote OpenVPN-Server (Router of network 1) is 172.16.1.20
# We will use the standard Open VPN port 1194
remote 172.16.1.20 1194

# Use this certificate (must be located in the config directory)
pkcs12 PC2_VPN_RNetworks.p12

# General parameters for OpenVPN connections
resolv-retry infinite
nobind

# If a temporarily interrupted connection between OpenVPN-Client and OpenVPN-Server can
# be reactivated then the previously negotiated key and session parameters will be used again.
persist-key
persist-tun

# Use adaptive data compression (default)



comp-lzo

# Parameter how detailed status messages will be displayed and stored into the logging
# file (between 1 to 6)
verb 3
##################################################################

4.3.3 Save the edited file as <PC2_VPN_RN1.ovpn> into the subdirectory <config>.

4.3.4 Copy the client certificate <PC2_VPN_RN1.p12>, created by program XCA, into subdirectory <config>.


Now we create the file <PC2_VPN_RN2.ovpn> which will be used to access remote network 2.

4.3.5 Start a text editor to create a new text-based file.

4.3.6 Copy the below grey marked lines into the open file.

Content of file <PC2_VPN_RN2.ovpn>:

##################################################################
# Configuration of OpenVPN-Client PC 2 to access remote network 2
##################################################################

# This session will run as OpenVPN-Client
client

# Use TAP-device for VPN-Interface (will always be used for Point-to-Multipoint connections)
dev tap

# We will use protocol UDP for VPN traffic
proto udp

# Physical IP address of remote OpenVPN-Server (Router of network 2) is 172.16.1.21
# We will use the standard Open VPN port 1194
remote 172.16.1.21 1194

# Use this certificate (must be located in the config directory)
pkcs12 PC2_VPN_RNetworks.p12

# General parameters for OpenVPN connections
resolv-retry infinite
nobind

# If a temporarily interrupted connection between OpenVPN-Client and OpenVPN-Server can
# be reactivated then the previously negotiated key and session parameters will be used again.
persist-key
persist-tun

# Use adaptive data compression (default)
comp-lzo

# Parameter how detailed status messages will be displayed and stored into the logging
# file (between 1 to 6)
verb 3
##################################################################



4.3.7 Save the edited file as <PC2_VPN_RN2.ovpn> into the subdirectory <config>.

4.3.8 Copy the client certificate <PC2_VPN_RN2.p12>, created by program XCA, into subdirectory <config>.

4.4 Creating the configuration file for Service-PC 3

Now we create the file <PC3_VPN_RN1.ovpn> which will be used to access remote network 1.

4.4.1 Start a text editor to create a new text-based file.

4.4.2 Copy the below grey marked lines into the open file.

Content of file <PC3_VPN_RN1.ovpn>:

##################################################################
# Configuration of OpenVPN-Client PC 3 to access remote network 1
##################################################################

# This session will run as OpenVPN-Client
client

# Use TAP-device for VPN-Interface (will always be used for Point-to-Multipoint connections)
dev tap

# We will use protocol UDP for VPN traffic
proto udp

# Physical IP address of remote OpenVPN-Server (Router of network 1) is 172.16.1.20
# We will use the standard Open VPN port 1194
remote 172.16.1.20 1194

# Use this certificate (must be located in the config directory)
pkcs12 PC3_VPN_RNetworks.p12

# General parameters for OpenVPN connections
resolv-retry infinite
nobind

# If a temporarily interrupted connection between OpenVPN-Client and OpenVPN-Server can
# be reactivated then the previously negotiated key and session parameters will be used again.
persist-key
persist-tun

# Use adaptive data compression (default)
comp-lzo

# Parameter how detailed status messages will be displayed and stored into the logging
# file (between 1 to 6)
verb 3
##################################################################

4.4.3 Save the edited file as <PC3_VPN_RN1.ovpn> into the subdirectory <config>.



4.4.4 Copy the client certificate <PC3_VPN_RN1.p12>, created by program XCA, into subdirectory <config>.

Now the configuration of the 3 Service-PC's running as OpenVPN-Clients is completed!
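The six files in sections 4.2 to 4.4 differ only in the PC number, the router address and the certificate name, and a client cannot start if the file named by its pkcs12 directive is not in the config directory (step 4.2.4 copies <PC1_VPN_RN1.p12> while the file content references PC1_VPN_RNetworks.p12, so the two names have to be brought into line). The following Python script is an added example, not part of the technical note or of Weidmüller's software: it writes the files from the note's addressing table, parses them back and reports certificate files that are missing as well as the absence of remote-cert-tls server, an optional hardening directive that is not in the note's files (it assumes the router's server certificate was issued from XCA's HTTPS_server template, which sets the serverAuth extended key usage). The demo() run uses a temporary directory and an empty placeholder file in place of the XCA export.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Addressing taken from the technical note: WAN address of the router of remote network 1 / 2
SERVERS = {1: "172.16.1.20", 2: "172.16.1.21"}
OPENVPN_PORT = 1194


def client_config(pc: int, network: int, harden: bool = False) -> str:
    """Directives of the note's PCn_VPN_RNm.ovpn files; harden=True appends remote-cert-tls."""
    lines = [
        f"# Configuration of OpenVPN-Client PC {pc} to access remote network {network}",
        "client",
        "dev tap",
        "proto udp",
        f"remote {SERVERS[network]} {OPENVPN_PORT}",
        f"pkcs12 PC{pc}_VPN_RNetworks.p12",
        "resolv-retry infinite",
        "nobind",
        "persist-key",
        "persist-tun",
        "comp-lzo",
        "verb 3",
    ]
    if harden:
        # Not in the note's files: accept only a peer whose certificate carries the serverAuth
        # EKU as the server, so another client certificate from the same CA cannot pose as the
        # router (assumption: the router certificate came from XCA's HTTPS_server template).
        lines.append("remote-cert-tls server")
    return "\n".join(lines) + "\n"


def write_client_configs(config_dir, pcs=(1, 2, 3), networks=(1, 2), harden=False) -> List[str]:
    config_dir = Path(config_dir)
    config_dir.mkdir(parents=True, exist_ok=True)
    names = []
    for pc in pcs:
        for net in networks:
            name = f"PC{pc}_VPN_RN{net}.ovpn"
            (config_dir / name).write_text(client_config(pc, net, harden), encoding="ascii")
            names.append(name)
    return names


_DIRECTIVE = re.compile(r"^([A-Za-z][\w-]*)(?:\s+(.*))?$")


def parse_ovpn(text: str) -> Dict[str, str]:
    """Map directive -> argument string; '#' and ';' comment lines and blank lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _DIRECTIVE.match(line)
        if m:
            directives[m.group(1)] = (m.group(2) or "").strip()
    return directives


def check_config_dir(config_dir) -> Dict[str, List[str]]:
    """Return {ovpn file name: list of problems found} for every .ovpn in the directory."""
    config_dir = Path(config_dir)
    report = {}
    for ovpn in sorted(config_dir.glob("*.ovpn")):
        d = parse_ovpn(ovpn.read_text(encoding="ascii"))
        problems = []
        p12 = d.get("pkcs12")
        if not p12:
            problems.append("no pkcs12 directive")
        elif not (config_dir / p12).is_file():
            problems.append(f"certificate file {p12} not in config directory")
        remote = d.get("remote", "").split()
        if not remote or remote[0] not in SERVERS.values():
            problems.append(f"remote {d.get('remote', '')!r} is not one of the two routers")
        if d.get("remote-cert-tls") != "server":
            problems.append("remote-cert-tls server not set (hardening hint)")
        report[ovpn.name] = problems
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed run: write the six files into a temporary directory, provide a certificate
    file for PC 1 only (empty placeholder standing in for the XCA export) and check."""
    d = Path(tempfile.mkdtemp(prefix="openvpn_config_"))
    write_client_configs(d)
    (d / "PC1_VPN_RNetworks.p12").write_bytes(b"")
    return check_config_dir(d)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

Point check_config_dir() at the real config directory (c:\Program Files\OpenVPN\config or the alternative location from 4.1.1) after step 4.4.4; a file for which only the hardening hint is reported is ready to be started in section 5.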



5. Take the test scenario into operation (Step 4)

Ensure that you have considered the following technical aspects:

- All involved components (OpenVPN-Server, Service-PC's and the Routers) are wired as illustrated in figure 3.

- Make sure that all OpenVPN devices have the following IP address settings:

  Device                 LAN IP address / net mask         WAN IP address / net mask      Gateway
  Service-PC 1           172.16.1.11 / 255.255.255.0                                      no entry
  Service-PC 2           172.16.1.12 / 255.255.255.0                                      no entry
  Service-PC 3           172.16.1.13 / 255.255.255.0                                      no entry
  Router (RNetwork 1)    192.168.10.254 / 255.255.255.0    172.16.1.20 / 255.255.255.0    no entry
  Router (RNetwork 2)    192.168.10.254 / 255.255.255.0    172.16.1.21 / 255.255.255.0    no entry

- Verify by ping request that the OpenVPN-Servers (Routers) are accessible by all OpenVPN-Clients to initiate a VPN connection.


5.1 Status of the OpenVPN-Servers (Router)

The Routers (OpenVPN-Server) should already be able to accept incoming OpenVPN-Client connections, because this has been done when you configured the devices (see chapter 3).


5.2 Activating OpenVPN-Client connections on Service-PC's

If the OpenVPN software is running on a Windows 7 computer then you have to start the program with the option "Run as administrator". A Windows 7 PC will be used here to run as OpenVPN-Client.

In this example the procedure to establish an OpenVPN-Client connection of Service-PC 1 to access an Ethernet device of remote network 1 will be described. The procedure explained below can be applied to all Service-PC's.

- Click button Start -> All Programs -> OpenVPN (a submenu will be displayed)

- Click with the right mouse button on "OpenVPN GUI" and select menu point <Run as Administrator>




Figure 20:

Figure 21:

The OpenVPN software is now running and a new icon will be displayed in the task bar. At this time no OpenVPN connection is started.

Now we will start the OpenVPN-Client connection to get access to remote network 1 by using the configuration file PC1_VPN_RN1.ovpn.

- Click with the right mouse button on the icon "OpenVPN" in the task bar and select menu point <PC1_VPN_RN1>.

Figure 22:

Figure 23:

The OpenVPN-Client connection will be started now. The start activities will be shown in a status window.

Figure 24: Screenshot showing messages during initialization of an OpenVPN tunnel




After about 10 seconds the status window will be closed and the assigned OpenVPN IP address will be shown if the OpenVPN-Client succeeded in connecting to the OpenVPN-Server. The color of the OpenVPN task icon changes from "red" over "yellow" to "green". The name which will be displayed is the name of the OpenVPN configuration file without the extension ".ovpn".

Figure 25: Screenshot showing a successful connection to the OpenVPN-Server

Only one OpenVPN-Client connection can be started at a time (either PC1_VPN_RN1 or PC1_VPN_RN2). Before starting a second VPN tunnel the current connection must be disconnected.

The OpenVPN-Client is now connected to the OpenVPN-Server!

Based on the VPN IP address settings of the OpenVPN-Server (Router), the IP address of the OpenVPN-Client will be set to 10.8.1.10 (first address of the client address pool). Please verify this by running the command ipconfig in a DOS box.

Additionally the Service-PC (OpenVPN-Client) has received a new entry in the routing table which allows the Service-PC to access any device of the machine network 192.168.10.0 by using the Router (OpenVPN-Server) with IP address 10.8.1.1 as gateway. This can be verified by running the command route print in a DOS box.

Figure 26: Screenshot of the routing table of connected Service-PC 1

If the VPN tunnel is disconnected then the routing table will be reset to its original status. The entry of the red marked line (192.168.10.0 …..) will be deleted again after disconnecting.
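As an added check for the ipconfig / route print verification described above (example code, not from the technical note): the Python script below parses the IPv4 rows of a Windows route print listing and reports whether the TAP adapter holds an address from the 10.8.1.0/24 client pool, whether the pushed route to 192.168.10.0/24 via 10.8.1.1 is present, and whether a default route points into the tunnel, which this scenario does not push and which would send all of the Service-PC's traffic through the router. The two listings are constructed samples in the layout of a Windows 7 route print, not the content of Figure 26.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values from the technical note: the router hands the client 10.8.1.10 out of the
# 10.8.1.0/24 pool and pushes a route to the machine network 192.168.10.0/24 via 10.8.1.1.
VPN_GATEWAY = "10.8.1.1"
VPN_POOL = ipaddress.IPv4Network("10.8.1.0/24")
MACHINE_NET = ipaddress.IPv4Network("192.168.10.0/24")


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    gateway: str            # dotted address or the literal "On-link"
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Pick the IPv4 rows (five columns) out of 'route print' output; header, separator and
    IPv6 lines do not parse as four addresses plus a metric and are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            routes.append(Route(ipaddress.IPv4Address(dest), ipaddress.IPv4Address(mask),
                                gw if gw == "On-link" else str(ipaddress.IPv4Address(gw)),
                                ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue
    return routes


def machine_net_route(routes: List[Route]) -> Optional[Route]:
    """The pushed route to the machine network via the VPN gateway, or None."""
    for r in routes:
        if (r.destination == MACHINE_NET.network_address and r.netmask == MACHINE_NET.netmask
                and r.gateway == VPN_GATEWAY):
            return r
    return None


def vpn_client_address(routes: List[Route]) -> Optional[str]:
    """Address the TAP adapter received: interface of the on-link route for the pool subnet."""
    for r in routes:
        if (r.destination == VPN_POOL.network_address and r.gateway == "On-link"
                and r.interface in VPN_POOL):
            return str(r.interface)
    return None


def default_route_via_tunnel(routes: List[Route]) -> bool:
    """True if 0.0.0.0/0 points at the VPN gateway, i.e. all traffic would leave via the router."""
    return any(r.destination == ipaddress.IPv4Address("0.0.0.0") and r.gateway == VPN_GATEWAY
               for r in routes)


def tunnel_state(route_print_output: str) -> dict:
    routes = parse_route_print(route_print_output)
    return {
        "client_address": vpn_client_address(routes),
        "machine_net_reachable": machine_net_route(routes) is not None,
        "default_route_via_tunnel": default_route_via_tunnel(routes),
    }


# Constructed samples (Service-PC 1 has no default gateway, as in the note's address table).
ROUTE_PRINT_CONNECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
         10.8.1.0    255.255.255.0         On-link        10.8.1.10    286
        10.8.1.10  255.255.255.255         On-link        10.8.1.10    286
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link      172.16.1.11    276
      172.16.1.11  255.255.255.255         On-link      172.16.1.11    276
     192.168.10.0    255.255.255.0         10.8.1.1       10.8.1.10     30
===========================================================================
"""
ROUTE_PRINT_DISCONNECTED = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
       172.16.1.0    255.255.255.0         On-link      172.16.1.11    276
      172.16.1.11  255.255.255.255         On-link      172.16.1.11    276
===========================================================================
"""

if __name__ == "__main__":
    print("connected:   ", tunnel_state(ROUTE_PRINT_CONNECTED))
    print("disconnected:", tunnel_state(ROUTE_PRINT_DISCONNECTED))
```

On the Service-PC, feed the real listing in with route print > routes.txt and pass the file content to tunnel_state(); the machine network is reachable only while client_address is set and machine_net_reachable is true.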








In the web interface of the Router a connected OpenVPN-Client will be displayed as shown below.

Figure 27: Screenshot of tab "State" showing a connected OpenVPN-Client

5.3 Testing the remote accessibility from Service-PC 1 to a device from remote network 1

- Connect a test device (which is able to reply to a ping request) to the LAN port of the Router of remote network 1.

- Configure the IP parameters as shown below:
  IP address:        192.168.10.11
  Network mask:      255.255.255.0
  Standard-Gateway:  192.168.10.254

- Open the DOS box on Service-PC 1 and start a Ping request to the IP address 192.168.10.11.

- As a result the Service-PC should receive a ping echo from the test device.







Appendix A. Guidance for creating and administrating certificates (X.509) by using the program XCA (Release 0.93)

The certificates will be used for certificate based OpenVPN connections.

A1. Download and Installation of XCA

A1.1 Please download the freeware XCA from the Internet (latest version 0.93)

A1.2 Start the program setup_xca-0.9.3.exe

A1.3 Choose the language for the installation.

Important: To install the English version you must deactivate the checkbox "Translations" as shown in the screenshot below. If you want to install the German version, you have to select the language "German" and activate the checkbox "Translations" (this is the default value).

A1.4 Click button "Next" and finish the installation.

A1.5 Start the program XCA.

Screenshot of software XCA after installation






A2. Create a new Database for certificate management

Important: You can protect the database access against unauthorized users by setting a password before saving. Please ensure that you never forget the password, otherwise you cannot create further certificates based on the CA (Root certificate) inside of the database. Be aware that you always have a safety copy of the database, because these certificates (especially the CA certificate) are the basis for all used VPN scenarios.

A2.1 Click menu File -> New Database

A2.2 Select the directory and enter the database name (e.g. Database_XCA_Certificates)

A2.3 Click button "Save"

A2.4 Optionally you can enter a password to protect the database access

A2.5 Click button "Okay" to finish the creation of the database (with or without password)

The database is now created and the window as shown in the screenshot should be displayed.

The currently opened database is shown here.



A3. Creating a template for the CA certificate (Root)

A3.1 Click on the tab "Templates"

We are going to create 3 templates for the certificate types "CA certificate", "Server certificate" and "Client certificate". The productive certificates will then be created based on these templates.

A3.2 Click on the button "New Template"

A3.3 Select the entry "CA" and click "OK".

Now the input mask for creating a new CA will be displayed.

3.3 Fill the fields e.g. as shown in the screenshot.

[Screenshot: input mask for the CA template, fields numbered 1 to 8]



Comments to the input fields 1 to 8:

1. Internal name: has to be filled, is used for identification of this template
2. Country name: The field is optional for the Country code (can be empty)
3. State or Province name: The field is optional for the region identification (can be empty)
4. Locality Name: The field is optional for the company location (can be empty)
5. Organization Name: The field is optional for the company name (can be empty)
6. Organizational Unit Name: The field is optional for the department (can be empty)
7. Common Name: This field must be blank in this template but has to be filled for a production CA certificate based on this template. The commonName is the unique identification of a certificate
8. Email Address: The field is optional for the email address (can be empty)

A3.4 Click on tab "Extensions" and ensure that "Type" is "Certification authority" and that the time range is set to at least 10 years from today's date.

There is no need to edit anything else here and you can just apply the default settings.

The entries in the other tabs (Key usage, Netscape, …) do not need to be edited and can be applied without changing anything.

A3.5 Now click button "OK" to create the CA template.

The following window will be displayed:

Now the created CA template is displayed: OpenVPN_CA_template.







A4. Creating the template to be used for productive Server certificates

A4.1 Click on button "New template", select the entry "HTTPS_server" and click "OK".

The same input mask as shown during the creation of the CA template will be displayed now.

A4.2 Fill the fields e.g. as shown in the screenshot.

[Screenshot: input mask for the Server template, fields numbered 1 to 8]

Comments to the input fields 1 to 8:

1. Internal name: has to be filled, is used for identification of this template
2. Country name: The field is optional for the Country code (can be empty)
3. State or Province name: The field is optional for the region identification (can be empty)
4. Locality Name: The field is optional for the company location (can be empty)
5. Organization Name: The field is optional for the company name (can be empty)
6. Organizational Unit Name: The field is optional for the department (can be empty)
7. Common Name: This field must be blank in this template but has to be filled for a production Server certificate based on this template. The commonName is the unique identification of a certificate
8. Email Address: The field is optional for the email address (can be empty)

A4.3 Click on tab "Extensions" and ensure that "Type" is "End Entity".

A4.4 Change the time range, similar to the CA template, from 365 days to 10 years so that all certificate templates have the same time range.

The entries in the other tabs (Key usage, Netscape, …) do not have to be edited and can be applied without changing anything.




A4.5 Click button "OK" to create the Server template.

Now the created Server template will be shown as OpenVPN_Server_template.

A5. Creating the template to be used for productive Client certificates

A5.1 Click button "New template", select the entry "HTTPS_client" and click "OK".

The same input mask as shown during the creation of the CA and Server templates will be displayed now.

A5.2 Fill the fields as shown in the screenshot.

[Screenshot: input mask for the Client template, fields numbered 1 to 8]

Comments to the input fields 1 to 8:

1. Internal name: has to be filled, is used for identification of this template
2. Country name: The field is optional for the Country code (can be empty)
3. State or Province name: The field is optional for the region identification (can be empty)
4. Locality Name: The field is optional for the company location (can be empty)
5. Organization Name: The field is optional for the company name (can be empty)
6. Organizational Unit Name: The field is optional for the department (can be empty)
7. Common Name: This field must be blank in this template but has to be filled for a production Client certificate based on this template. The commonName is the unique identification of a certificate
8. Email Address: The field is optional for the email address (can be empty)



A5.3 Click on tab "Extensions" and ensure that "Type" is "End Entity".

A5.4 Change the time range, similar to the Server template, from 365 days to 10 years so that all certificate templates have the same time range.

A5.5 Change the time range, analogous to the CA template, to a value of 10 years so that all certificates have the same time range.

The entries in the other tabs (Key usage, Netscape, Advanced) do not have to be edited and can be applied without changing anything.

A5.6 Click button "OK" to create the Client template.

Now the created Client template will be shown as OpenVPN_Client_template.

The XCA window should look as shown below.

All certificate templates are created now. Based on these templates we next create the productive certificates.







A6. Creating the productive CA certificate (Root)

First of all we are going to create the root certificate (CA). All server and client certificates which will be created later are based on this CA certificate.

A6.1 Click tab "Certificates".

A6.2 Click button "New Certificate". A new window appears as shown.

A6.3 Select in section "Template for the new certificate" the entry "OpenVPN_CA_template" which we have just created.

No other entries have to be edited.

A6.4 Click button "Apply all".

By clicking "Apply all" the data from the tab "Subject" of the CA template will be copied to the tab "Subject" of this CA certificate.

A6.5 Change to the tab "Subject" (now filled with data from the CA template)






A6.6 Enter in both fields <Internal Name> and <commonName> the same entry "OpenVPN_CA_RNetworks" (= name of your productive CA certificate).

A6.7 Next press button "Generate a new key" and the window "New key" will be displayed.

The default values can be used.

A6.8 Click button "Create" and the following window will be displayed:

After creation of the RSA key you should see a new entry in the field "Private key".





A6.9 Change to the tab "Extensions"

A6.10 Change the Validity date/time to 2000-01-01

A6.11 Verify that checkbox "No well-defined expiration" is set

The other tabs (Key usage, Netscape, Advanced) do not have to be edited and can be used as they are.

A6.12 Click button "OK" to create the productive CA certificate.




Now the created root certificate (CA) will be displayed in tab "Certificates".

Note on column <Revocation> with the red colored entry <CRL expires….>: CRL means Certificate Revocation List. With this list you can declare a certificate invalid even if its time range has not expired yet. In this example we are not using a "black" list for invalid certificates (typically Client certificates), so we do not need to care about this entry right now.

A7. Creating the productive Server certificate

A7.1 Click on button "New Certificate" and the shown input mask will be displayed.

A7.2 Activate in section "Signing" the checkbox "Use this certificate for signing" and select the entry OpenVPN_CA_RNetworks.

A7.3 Select in section "Template for the new certificate" the entry OpenVPN_Server_template which we have just created.

A7.4 Now click on the button <Apply all>





Do not forget this, otherwise the template data will not be filled into the fields of tab <Subject>.

A7.5 Now change to the tab "Subject" and the following screen will be displayed.

A7.6 Enter in both fields <Internal Name> and <commonName> the value "Router_VPN_Server_RNetworks" (= name of your productive Server certificate).

A7.7 Now press button "Generate a new key" and a window as shown will be displayed.

All default values can be adopted. The name Router_VPN_Server_RNetworks is automatically set if the entries "Internal name" and "commonName" are filled.

A7.8 Click button "Create" to generate a new key.







A7.9 Change to the tab "Extensions"

A7.10 Change the Validity date/time to 2000-01-01

A7.11 Verify that checkbox "No well-defined expiration" is set








The other tabs (Key Usage, Netscape, Advanced) do not have to be edited and can be adopted as they are.

A7.12 Click button "OK" to finish the creation of the Server certificate.

Now the created server certificate "Router_VPN_Server_RNetworks" will be displayed in tab "Certificates".

A8. Creating the productive Client certificate for PC1

A8.1 Click on button "New Certificate" and the shown input mask will be displayed.

A8.2 Activate in section "Signing" the checkbox "Use this certificate for signing" and select the entry OpenVPN_CA_RNetworks.




A8.3 Select in section "Template for the new certificate" the entry OpenVPN_Client_template which we have just created.

A8.4 Now click on the button <Apply all>

Do not forget this, otherwise the template data will not be filled into the fields of tab <Subject>.

A8.5 Now change to the tab "Subject" and the following screen will be displayed.

A8.6 Enter in both fields <Internal Name> and <commonName> the value "PC1_VPN_RNetworks" (= name of your productive Client certificate).

A8.7 Now press button "Generate a new key" and a window as shown will be displayed.

All default values can be adopted. The name PC1_VPN_RNetworks is automatically set if the entries "Internal name" and "commonName" are filled.

A8.8 Click button "Create" to generate a new key.







A8.9 Change to the tab "Extensions"

A8.10 Change the Validity date/time to 2000-01-01

A8.11 Verify that checkbox "No well-defined expiration" is set








The other tabs (Key Usage, Netscape, Advanced) do not have to be edited and can be adopted as they are.

A8.12 Click button "OK" to finish the creation of the Client certificate.

Now the created client certificate "PC1_VPN_RNetworks" will be displayed in tab "Certificates".








Please create the productive client certificates for PC2 and PC3 according to the method described above.

For PC 2 use as <commonName> and <Internal Name>: PC2_VPN_RNetworks

For PC 3 use as <commonName> and <Internal Name>: PC3_VPN_RNetworks

If you have finished creating all needed certificates the tab "Certificates" should look like this:






A9. Exporting the certificates for OpenVPN-Server and OpenVPN-Clients

To export a certificate as a file you have to mark the certificate you want to export and after that click on the button <Export>.

In this example the export of the "Router_VPN_Server_RNetworks" certificate will be explained.

A9.1 Mark the line with entry "Router_VPN_Server_RNetworks" as shown below.

A9.2 Click button "Export".

The following message will pop up.








First of all you have to select the export format of the certificate file. If you are using OpenVPN scenarios with Weidmüller Routers and Windows-based OpenVPN clients/server you have to use one of the export formats

<PKCS #12 with Certificate Chain>

or

<PEM Cert + Key>

In this example we export the certificate as type PKCS#12 with file extension .p12.

A9.3 Select the export format <PKCS #12 with Certificate Chain> as shown below.

After selection of format PKCS#12 the file extension will change from .crt into .p12.

Please do not change the name of the file. If necessary only select the target directory of the export file.

A9.4 Click button "OK".

A window will be displayed to enter a password for this certificate. If you set a password then the behaviour is as described below.

1. If you are using the password-protected certificate with a Windows based PC then the OpenVPN software will ask for this password when you start an OpenVPN connection (Client or Server).




2. If you are using the password-protected certificate with a Weidmüller Router then this password will be requested by the Router if you try to import the certificate into the Router.




A9.5 Click button "OK" (do not enter a password).

Now the Server certificate is saved into the selected directory and can be used for VPN authentication.

Use the described method to also export the client certificates for the 3 Service-PCs. You do not need to export the CA certificate for authentication of VPN connections.
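The same work that steps A8 (creating a CA-signed client certificate) and A9 (exporting it as "PKCS #12 with Certificate Chain") do in the XCA GUI, done with the OpenSSL command line so the result can be checked without clicking through the dialogs. This is an added example and not part of the Weidmüller note or of XCA. It assumes the openssl binary is on PATH, uses a scratch directory WORK, stands in for the XCA template "OpenVPN_Client_template" with a small extension file, and expresses validity as a number of days instead of XCA's "No well-defined expiration" checkbox; the names OpenVPN_CA_RNetworks and PC1_VPN_RNetworks are taken from the note.

```shell
#!/bin/sh
# Added example (not from the Weidmüller note): steps A8/A9 with the OpenSSL CLI.
# Assumptions: openssl on PATH; WORK is a scratch directory; the names below
# are the ones used in the note.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the XCA template "OpenVPN_Client_template": X.509 v3 extensions
# that mark the certificate as an end-entity client certificate (not a CA).
write_client_extensions() {
    cat > "$WORK/client_ext.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Steps A8.1-A8.12: create the CA once, then a client certificate signed by it.
# $1 = internal name / commonName of the client, e.g. PC1_VPN_RNetworks
build_client_cert() {
    name="$1"
    # CA key and self-signed CA certificate (the XCA entry OpenVPN_CA_RNetworks)
    if [ ! -f "$WORK/ca.crt" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
            -subj "/CN=OpenVPN_CA_RNetworks" 2>/dev/null
    fi
    write_client_extensions
    # A8.7/A8.8: generate a new key; the request carries the commonName (A8.6)
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    # A8.2: sign with the CA; validity given in days here (assumption)
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 3650 -extfile "$WORK/client_ext.cnf" \
        -out "$WORK/$name.crt" 2>/dev/null
}

# The check the OpenVPN peer performs: the client certificate must chain to the CA.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# A9.3/A9.4: export as "PKCS #12 with Certificate Chain" (.p12).
# $2 = password; an empty string reproduces step A9.5 (no password).
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.crt" -name "$1" \
        -passout "pass:$2" -out "$WORK/$1.p12"
}

# Number of certificates inside the .p12 (2 = client certificate + CA chain).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/$1.p12" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only when the .p12 opens with the given password (its MAC verifies);
# this is the check that OpenVPN on Windows or the Router performs on import.
p12_opens_with() {
    openssl pkcs12 -in "$WORK/$1.p12" -nokeys -passin "pass:$2" >/dev/null 2>&1
}

demo() {
    build_client_cert PC1_VPN_RNetworks
    verify_chain PC1_VPN_RNetworks && echo "PC1_VPN_RNetworks chains to the CA"
    export_p12 PC1_VPN_RNetworks "example-password"
    echo "certificates in .p12: $(p12_cert_count PC1_VPN_RNetworks example-password)"
    echo "files are in $WORK"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh export_client_cert.sh demo` (file name assumed). Exporting with the chain is what makes the .p12 carry both the client certificate and the CA certificate, which is why the note says the CA certificate itself does not need to be exported separately; p12_opens_with shows what a password on the .p12 buys you: the file is unusable on the PC or Router without it.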