Remote access mode
The following figure illustrates a typical remote access VPN setup in which one OpenVPN endpoint acts as the server. Remote users run OpenVPN as clients to connect to the server and establish VPN tunnels.
Note that OpenVPN requires TLS in remote access mode, and the server takes the passive role while the clients are active. Therefore, it is not necessary to specify the tls role option when operating in this mode. In the preceding figure, assuming that V1 is the server and V2 is a client, the configuration for V1 is shown below.
To configure V1 for remote access with TLS, perform the following steps in configuration mode. The example has the following characteristics.
- The mode option specifies that this endpoint operates in server mode.
- The server subnet option indicates that the tunnel IP address of the client is allocated from the 192.168.200.0/24 subnet and that the tunnel IP address of the server (that is, the address of vtun0 on the server) is 192.168.200.1.
- The remote-host option is not set because the clients are actively contacting the server.
Step | Command |
---|---|
Create the vtun0 configuration node. | |
Set the OpenVPN mode. | |
Set the subnet for the OpenVPN tunnel. | |
Specify the location of the CA certificate file. | |
Specify the location of the host certificate file. | |
Specify the location of the CRL parameters file. | |
Specify the location of the DH file. | |
Specify the location of the host key file. | |
Commit the change. | |
Show the OpenVPN configuration. | |
To configure V2 for remote access with TLS, perform the following steps in configuration mode. This example has the following characteristics.
- V2 is in client mode and so it needs to actively contact the server; therefore, the remote-host option is needed to indicate the location of the server.
- When the tunnel is established, the tunnel IP address of V2 (that is, the address of vtun0 on V2) is assigned by V1 from the 192.168.200.0/24 subnet.
Step | Command |
---|---|
Create the vtun0 configuration node. | |
Set the OpenVPN mode. | |
Specify the physical IP address of the remote host. | |
Specify the location of the CA certificate file. | |
Specify the location of the host certificate file. | |
Specify the location of the host key file. | |
Commit the change. | |
Show the OpenVPN configuration. | |
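The V1 and V2 procedures above, written out as one configuration-mode session per endpoint. This is an added example, not text from the original page: it assumes the Vyatta-style `set interfaces openvpn` command syntax, and every file path and the server address 192.0.2.1 are placeholders.

```vyatta
# ---- V1: server (run in configuration mode) ----
# Create the vtun0 node and put the endpoint in server mode.
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode server

# Clients get tunnel addresses from this subnet; vtun0 on V1 takes 192.168.200.1.
set interfaces openvpn vtun0 server subnet 192.168.200.0/24

# TLS material (placeholder paths). No "tls role" is set: in remote access
# mode the server is passive and the clients are active.
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/V1.crt
set interfaces openvpn vtun0 tls crl-file /config/auth/crl.pem
set interfaces openvpn vtun0 tls dh-file /config/auth/dh.pem
set interfaces openvpn vtun0 tls key-file /config/auth/V1.key

# No remote-host on the server: the clients initiate the connection.
commit
show interfaces openvpn vtun0

# ---- V2: client (run in configuration mode) ----
set interfaces openvpn vtun0
set interfaces openvpn vtun0 mode client

# Physical address of V1 (placeholder from the documentation range).
set interfaces openvpn vtun0 remote-host 192.0.2.1

# The client needs only the CA certificate and its own certificate and key;
# its tunnel address is assigned by V1 from 192.168.200.0/24.
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/ca.crt
set interfaces openvpn vtun0 tls cert-file /config/auth/V2.crt
set interfaces openvpn vtun0 tls key-file /config/auth/V2.key

commit
show interfaces openvpn vtun0
```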