Remote access mode

The following figure illustrates a typical remote access VPN setup in which one OpenVPN endpoint acts as the server. Remote users run OpenVPN as clients to connect to the server and establish VPN tunnels.

Note that OpenVPN requires TLS in remote access mode, and the server takes the passive role while the clients are active. Therefore, it is not necessary to specify the tls role option when operating in this mode. In the preceding figure, assuming that V1 is the server and V2 is a client, the configuration for V1 is shown below.

To configure V1 for remote access with TLS, perform the following steps in configuration mode. The example has the following characteristics.

The mode option specifies that this endpoint operates in server mode.
The server subnet option indicates that the tunnel IP address of the client is allocated from the 192.168.200.0/24 subnet and that the tunnel IP address of the server (that is, the address of vtun0 on the server) is 192.168.200.1.
The remote-host option is not set because the clients are actively contacting the server.

Table 1. V1 OpenVPN configuration: remote access with TLS (server)
Step	Command
Create the vtun0 configuration node.	`vyatta@V1# set interfaces openvpn vtun0`
Set the OpenVPN mode.	`vyatta@V1# set interfaces openvpn vtun0 mode server`
Set the subnet for the OpenVPN tunnel.	`vyatta@V1# set interfaces openvpn vtun0 server subnet 192.168.200.0/24`
Specify the location of the CA certificate file.	`vyatta@V1# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt`
Specify the location of the host certificate file.	`vyatta@V1# set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt`
Specify the location of the CRL parameters file.	`vyatta@V1# set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem`
Specify the location of the DH file.	`vyatta@V1# set interfaces openvpn vtun0 tls dh-file /config/auth/dh1024.pem`
Specify the location of the host key file.	`vyatta@V1# set interfaces openvpn vtun0 tls key-file /config/auth/V1.key`
Commit the change.	`vyatta@V1# commit`
Show the OpenVPN configuration.	`vyatta@V1# show interfaces openvpn vtun0 mode server server { subnet 192.168.200.0/24 } tls { ca-cert-file /config/auth/ca.crt cert-file /config/auth/V1.crt crl-file /config/auth/cr1.pem dh-file /config/auth/dh1024.pem key-file /config/auth/V1.key }`

To configure V2 for remote access with TLS, perform the following steps in configuration mode. This example has the following characteristics.

V2 is in client mode and so it needs to actively contact the server; therefore, the remote-host option is needed to indicate the location of the server.
When the tunnel is established, the tunnel IP address of V2 (that is, the address of vtun0 on V2) is assigned by V1 from the 192.168.200.0/24 subnet.

Table 2. V2 OpenVPN configuration: remote access with TLS (client)
Step	Command
Create the vtun0 configuration node.	`vyatta@V2# set interfaces openvpn vtun0`
Set the OpenVPN mode.	`vyatta@V2# set interfaces openvpn vtun0 mode client`
Specify the physical IP address of the remote host.	`vyatta@V2# set interfaces openvpn vtun0 remote-host 12.34.56.78`
Specify the location of the CA certificate file.	`vyatta@V2# set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt`
Specify the location of the host certificate file.	`vyatta@V2# set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt`
Specify the location of the host key file.	`vyatta@V2# set interfaces openvpn vtun0 tls key-file /config/auth/V2.key`
Commit the change.	`vyatta@V2# commit`
Show the OpenVPN configuration.	`vyatta@V2# show interfaces openvpn vtun0 mode client remote-host 12.34.56.78 tls { ca-cert-file /config/auth/ca.crt cert-file /config/auth/V2.crt key-file /config/auth/V2.key }`

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Remote access mode

Helpful Links

Key Resources