Virtual Private Networks (VPN) OpenVPN
IX20 User Guide
OpenVPN
OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security protocol that relies on Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses standard encryption and authentication algorithms for data privacy and authentication over TCP or UDP.
The OpenVPN server can push the network configuration, such as the topology and IP routes, to OpenVPN clients. This makes OpenVPN simpler to configure, because it reduces the chance of a configuration mismatch between the client and server. OpenVPN also supports cipher negotiation between the client and server. This means you can configure the OpenVPN server and clients with a range of different cipher options, and the server will negotiate with each client which cipher to use for the connection.
For more information on OpenVPN, see www.openvpn.net.
OpenVPN modes:
There are two modes for running OpenVPN:
- Routing mode, also known as TUN.
- Bridging mode, also known as TAP.
Routing (TUN) mode
In routing mode, each OpenVPN client is assigned a different IP subnet from the OpenVPN server and from the other OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on their LAN interfaces to the OpenVPN server.
The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX20 device supports two types of OpenVPN topology:
OpenVPN Topology | Subnet definition method
net30 | Each OpenVPN client is assigned a /30 subnet within the IP subnet specified in the OpenVPN server configuration. With net30 topology, pushed routes are used, with the exception of the default route. Automatic route pushing (exec) is not allowed, because this would not inform the firewall and would be blocked.
subnet | Each OpenVPN client connected to the OpenVPN server is assigned an IP address within the IP subnet specified in the OpenVPN server configuration. For the IX20 device, pushed routes are not allowed; you will need to manually configure routes on the device.
For more information on OpenVPN topologies, see OpenVPN topology.
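To make the two subnet definition methods in the table concrete, the following added example (not part of the IX20 User Guide, and not Digi's own code) works out, from a given server subnet, which addresses each topology hands to clients and how many clients fit, following OpenVPN's documented allocation rules: in net30 topology the server's own endpoint pair occupies the first /30 and each client receives the second usable address of its /30 (the first being its server-side peer); in subnet topology the server takes the first host address and each client receives one further host address. It also encodes the guide's rule on pushed routes for the IX20 (accepted under net30 except for the default route, never accepted under subnet topology). The function names, the sample subnet 10.8.0.0/24 and the route strings are constructed for the example.

```python
# Added example (not from the IX20 User Guide): how the net30 and subnet
# OpenVPN topologies carve client addresses out of the server's IP subnet,
# plus the guide's pushed-route rule for the IX20. Uses only the standard
# library; the sample subnet and route strings below are constructed.
import ipaddress


def net30_allocation(server_subnet, max_clients=None):
    """net30 topology: one /30 per client.

    The first /30 of the server subnet is reserved for the server's own
    endpoint pair, so clients start in the second /30. Within each client
    block the first usable address is the server-side peer and the second
    is the client's address. Returns [(client_ip, peer_ip, client_block)].
    """
    net = ipaddress.ip_network(server_subnet, strict=True)
    blocks = list(net.subnets(new_prefix=30))
    clients = []
    for blk in blocks[1:]:  # blocks[0] belongs to the server
        peer, client = list(blk.hosts())  # a /30 has exactly two usable hosts
        clients.append((str(client), str(peer), str(blk)))
        if max_clients is not None and len(clients) >= max_clients:
            break
    return clients


def subnet_allocation(server_subnet, max_clients=None):
    """subnet topology: server takes the first host, clients get one host each.

    Returns (server_ip, [client_ip, ...]).
    """
    net = ipaddress.ip_network(server_subnet, strict=True)
    hosts = list(net.hosts())
    server_ip = str(hosts[0])
    clients = [str(h) for h in hosts[1:]]
    if max_clients is not None:
        clients = clients[:max_clients]
    return server_ip, clients


def capacity(server_subnet):
    """Maximum number of clients each topology supports on the given subnet.

    net30 spends a whole /30 per client (and one for the server), so it
    fits roughly a quarter as many clients as subnet topology does.
    """
    net = ipaddress.ip_network(server_subnet, strict=True)
    return {
        "net30": len(list(net.subnets(new_prefix=30))) - 1,
        "subnet": len(list(net.hosts())) - 1,
    }


def pushed_route_accepted(topology, route):
    """Model of the guide's rule for routes pushed by the server to an IX20.

    net30: pushed routes are used, except the default route.
    subnet: pushed routes are not allowed; routes are configured manually.
    The default route is recognised here as 0.0.0.0/0 or the
    'redirect-gateway' directive (an assumption for this example).
    """
    if topology == "subnet":
        return False
    if topology == "net30":
        is_default = route.strip() == "redirect-gateway" or (
            ipaddress.ip_network(route, strict=False).prefixlen == 0
        )
        return not is_default
    raise ValueError(f"unknown topology: {topology!r}")


if __name__ == "__main__":
    sample = "10.8.0.0/24"  # constructed server subnet for the demonstration
    print("capacity:", capacity(sample))
    print("net30 first clients:", net30_allocation(sample, max_clients=3))
    server, clients = subnet_allocation(sample, max_clients=3)
    print("subnet server:", server, "first clients:", clients)
    for topo, route in [("net30", "192.168.1.0/24"), ("net30", "0.0.0.0/0"),
                        ("subnet", "192.168.1.0/24")]:
        print(f"{topo:6} push {route:16} accepted: {pushed_route_accepted(topo, route)}")
```

Running the script with the sample /24 shows the practical consequence of the table: net30 leaves room for 63 clients where subnet topology leaves room for 253, and a route pushed from the server only takes effect on the IX20 under net30 and only when it is not the default route; everything else has to be configured on the device by hand.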
Bridging (TAP) mode
In bridging mode, a LAN interface on the OpenVPN server is assigned to OpenVPN. The LAN interfaces of the OpenVPN clients are on the same IP subnet as the OpenVPN server's LAN interface. This means that devices connected to the OpenVPN client's LAN interface are on the same IP subnet as devices.
The IX20 device supports two mechanisms for configuring an OpenVPN server in TAP mode: