VPN(Virtual Private Networking): Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:
=== VPN Setups ===
=== VPN Setups ===
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept.
[[Pilt:vpn.png|629px|thumb|left|Figure 1: General Model for VPN Deploiments]]
[[Pilt:vpn.png|629px|thumb|center|Figure 1: General Model for VPN Deploiments]]
 
=== Site to Site With OpenVPN ===
 
In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used.
[[Pilt:OpenVPN-Default.png|342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog]]
Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured.
[[Pilt:OpenVPN-NonDefault.png|342px|thumb|center|Figure 3: Configuration for interface tun0]]

Revision as of 06:23, 27 May 2013

This page is not a tutorial on OpenVPN or on IPsec. It gives general overview of different setups and shows options found from configuration software gws.exe. It is assumed that reader is familiar with TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in Basic Security.

VPN Setups

We have two typical configuration possibilities: site to site and remote access. Site to site is more suited when persistent connectivity is needed. For instance from RTU to Network Control Center(NCC). Remote access is provided for cases when non persistent access is needed or when persistent tunnel is not needed. For example remote management(configuration changes or etc) from different locations with dynamic IP address. Figure 1 illustrates this general concept. 629px|thumb|center|Figure 1: General Model for VPN Deploiments

Site to Site With OpenVPN

In order to configure site to site VPN with OpenVPN open Common → OpenVPN. From opened dialog box click on Add. “Server address” and “Server port” are the WAN address and UDP port of the server. That means that we support OpenVPN's mode tls-client over UDP. Click on buttons “CA cert”, “Cert” and “Key” in order to select certificates for client. By default routes are pulled from server. This is needed in order the device knows what to send to VPN tunnels and what IP address to use for tunnel interface. “Fragment” 0 means that default setting for OpenVPN is used. 342px|thumb|center|Figure 2: Default OpenVPN Client Configuration Dialog Figure 2 shows default configuration dialog box. Note that pink fields are mandatory and that default “Server address”, “Local IP” and “Remote IP ” are probably not suitable for your needs. Figure 3 shows production configuration where WAN IP and port and certificates are selected and configured. 342px|thumb|center|Figure 3: Configuration for interface tun0