OpenVPN tunnels

OpenVPN net-to-net tunnels establish secure connections between two separate networks, such as the branch offices of a company, over the Internet. These connections use the SSL/TLS protocols for encryption and authentication, guaranteeing the confidentiality and integrity of the data.

The connection is managed by two NethSecurity firewalls, each with a specific role. When a net2net OpenVPN connection is created, one firewall takes the server role while the other connects to it as a client. A single NethSecurity can act as server and client at the same time, for different tunnels. All tunnels use routed mode.

The OpenVPN tunnels interface has been designed to make connecting two NethSecurity devices easy. For this reason it is deliberately limited and does not expose every parameter that OpenVPN can configure. To connect to a third-party device, using the IPsec protocol is recommended.

Configuration

To connect two firewalls through an OpenVPN tunnel, first configure the server firewall, then the client one. The server needs at least one public IP address so that the client can reach it, while the client does not need any public IP at all. Configuring the server firewall requires only a few parameters; wherever possible they are pre-filled automatically to avoid errors and speed up the process. Once the server firewall has been configured, the client configuration can be downloaded and imported onto the other firewall.

Proceed as follows:

Access the OpenVPN tunnels page, move to the Server tunnel tab and click on Add server tunnel.

Fill in all required fields; please note:

  • Public endpoints is a list of IP addresses or hostnames that clients can use to reach the OpenVPN tunnel server

  • Local networks is a list of local networks that will be accessible from the remote firewall. If the topology is set to p2p, the same list is copied into the client's Remote networks field

  • Remote networks is a list of networks behind the remote firewall that will be accessible from hosts in the local network

  • After the configuration is saved, click on the Download action and select Client configuration

  • Access the client firewall, open OpenVPN tunnel, move to the Client tunnel tab and click on Import configuration

Topology

Tunnels can have two kinds of topologies: subnet and p2p (Point to Point).

Subnet

Subnet is the default and recommended topology: in subnet topology the server accepts connections and acts as a DHCP server for every connected client.

In this scenario the server authenticates clients using TLS certificates and pushes the local routes to the remote client.

P2P

In a p2p topology the administrator must configure one server for each client; in this scenario the only supported authentication method is the PSK (Pre-Shared Key).

  • make sure to exchange the PSK over a secure channel (such as SSH or HTTPS)

  • the administrator must select an IP for both endpoints

  • routes to remote networks must be configured on each endpoint

Advanced features

The web interface allows the configuration of advanced features like:

  • Multiple remote hosts: multiple remote server addresses can be specified for redundancy; the OpenVPN client will try to connect to each host in the given order

  • Protocol: OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used

  • Compression: if enabled, data sent through the VPN tunnel is compressed. This option is disabled by default for security reasons. Compression is rarely essential nowadays, as Internet traffic is typically already highly compressed and optimized

  • Digest: the digest algorithm used to transform an arbitrarily large block of data into a fixed-size output. If not explicitly selected, the server and client will try to negotiate the best digest available on both sides

  • Cipher: the cryptographic algorithm used to encrypt all the traffic. If not explicitly selected, the server and client will try to negotiate the best cipher available on both sides

  • Enforce a minimum TLS version: lets you choose a minimum TLS version; connections are then accepted only from devices that use a version greater than or equal to the selected one
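Before importing a downloaded client configuration, a practitioner may want to check it against the settings discussed in the P2P and Advanced features sections above (compression, minimum TLS version, PSK authentication). The following audit script is an added example, not NethSecurity's own code; it parses plain OpenVPN directives, and the sample configuration embedded in it is constructed rather than exported from a real firewall.

```python
import shlex

def parse_ovpn(text):
    """Map each directive to its argument lists; inline <ca>..</ca> blocks are recorded by name, bodies skipped."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # inside <tag> ... </tag>
            block = None if line == f"</{block}>" else block
        elif not line or line[0] in "#;":
            continue
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            directives.setdefault(block, []).append([])
        else:
            words = shlex.split(line)
            directives.setdefault(words[0], []).append(words[1:])
    return directives

def audit(text):
    """Return findings as strings; an empty list means nothing to report."""
    d, findings = parse_ovpn(text), []
    # Compression is off by default for security reasons; 'comp-lzo no' and 'compress stub[-v2]' only add framing.
    for args in d.get("comp-lzo", []):
        if args != ["no"]:
            findings.append("compression enabled via comp-lzo")
    for args in d.get("compress", []):
        if args and args[0] not in ("stub", "stub-v2"):
            findings.append(f"compression enabled via compress {args[0]}")
    # 'secret' means a p2p tunnel authenticated by a static pre-shared key (no TLS handshake).
    if "secret" in d:
        findings.append("PSK authentication: confirm the key was exchanged over a secure channel")
    else:
        # Minimum TLS version: without the directive OpenVPN's built-in default applies.
        tls_min = d.get("tls-version-min")
        if tls_min is None:
            findings.append("no tls-version-min: minimum TLS version not enforced")
        elif float(tls_min[-1][0]) < 1.2:
            findings.append(f"tls-version-min {tls_min[-1][0]} is below 1.2")
    return findings

# Constructed sample, not a configuration exported from a real firewall.
SAMPLE_CLIENT_CONFIG = """\
client
remote vpn1.example.com 1194
comp-lzo
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
```

Running `audit(SAMPLE_CLIENT_CONFIG)` reports the enabled compression and the missing TLS floor; replacing `comp-lzo` with `tls-version-min 1.2` clears both findings.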