Asentria SiteBoss 530 User Manual
The "server 10.8.0.0 255.255.255.0" item specifies the VPN subnet and the addressing mode; again, this is configured only on the server,
but it affects the unit because the unit is normally assigned its VPN address by the server from this range.
The "client-config-dir /etc/openvpn/ccd" item specifies the directory for client-specific configuration. Each client
(including units) is identified in the client config directory by the common name of its certificate (loaded onto the
unit by the SSLC command).
The "tls-auth /etc/openvpn/tlsauth.key" item specifies the key used for the additional HMAC layer on the control channel. If the server
uses this, then the unit must use the same key too, otherwise the server drops the unit's packets before the TLS handshake. Load this key with the SSLC command.
The "cipher AES-256-CBC" item specifies the cipher to use on the VPN; it must match the unit VPN configuration.
Specify this item with a generic key, for example:
sec.vpn[x].ssl.conf[7]="cipher AES-256-CBC"
The "comp-lzo" item specifies LZO compression to be used on the VPN; it must match the unit VPN configuration.
Specify this item with a generic key, for example:
sec.vpn[x].ssl.conf[7]="comp-lzo"
The "max-clients" item specifies the maximum number of clients that can connect. This is used only by the server, so
nothing needs to be configured on the unit.
The "ping 15" and "ping-restart 60" items specify that the server sends a keepalive to the client if it has sent nothing for
15 seconds, and restarts the VPN connection if it has received nothing from the client for 60 seconds. The unit is not required to have a similar configuration,
although it is recommended that the unit is configured with its own "ping" and "ping-restart" items so that the unit does
not believe the VPN is still up when the physical connection is broken.
The "verb 3" item specifies the verbosity level of the OpenVPN syslog output. This configuration on the server is
independent of the client. If you want to configure it on the unit then use a generic key to specify it.
The "client-connect", "client-disconnect", "learn-address", and "up" items specify scripts to invoke on the server
upon certain events, such as a client connecting or disconnecting. These cannot be configured on the unit.
The "tmp-dir" item specifies a temporary directory; again, this is not configurable on the unit.
The "daemon" item specifies that OpenVPN is to run as a daemon on the server. Daemon mode is mandated on
the unit, so this is automatically configured and not user-configurable.
The "management 127.0.0.1 7385" item specifies that OpenVPN is to run a management interface accessible on
the server's loopback interface via TCP port 7385. This is not configurable on the unit.
The "writepid" item specifies that OpenVPN is to record its process ID to a file; again, this is not configurable on
the unit.
In sum, the server configuration file in this example is by no means exhaustive, but it does cover what a typical
OpenVPN configuration may look like and how to make the unit work with it in SSL CLIENT VPN mode.
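The classification above (items the unit must mirror, items it should mirror, and items that are server-only) can be applied mechanically. The following script is an added example, not Asentria's code or part of this manual: it parses an OpenVPN server configuration, reports which directives the unit must match, emits the corresponding generic-key lines in the sec.vpn[x].ssl.conf[n] form shown above, and compares a proposed unit configuration against the server. The sample server configuration is constructed from the items discussed on this page; the sequential numbering of conf[n] indices starting at 7 is an assumption, since the manual only shows conf[7] as an example.

```python
"""Derive the unit-side (OpenVPN client) settings from an OpenVPN server config.

Added example, not Asentria's code. Assumptions: the server config is standard
OpenVPN syntax (one directive per line, '#' or ';' comment lines), and the
unit's generic-key indices are allocated consecutively from a caller-chosen
base; the real unit's numbering may differ.
"""
import shlex

# Constructed sample server configuration, built from the items this page
# discusses; not copied from any real deployment.
SAMPLE_SERVER_CONF = """\
# constructed example server.conf
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
tls-auth /etc/openvpn/tlsauth.key 0
cipher AES-256-CBC
comp-lzo
max-clients 50
ping 15
ping-restart 60
verb 3
daemon
management 127.0.0.1 7385
writepid /var/run/openvpn.pid
push "route 192.168.1.0 255.255.255.0"
"""

# Directives whose value the unit must mirror exactly (set via generic keys).
MUST_MATCH = {"cipher", "comp-lzo"}
# tls-auth needs the same key on the unit, loaded with SSLC rather than a generic key.
KEY_MATERIAL = {"tls-auth"}
# Recommended on the unit so it notices a dead link; the unit picks its own values.
RECOMMENDED = {"ping", "ping-restart"}
# Server-only: meaningless on the client, or not user-configurable on the unit.
SERVER_ONLY = {"server", "client-config-dir", "max-clients", "verb", "client-connect",
               "client-disconnect", "learn-address", "up", "tmp-dir", "daemon",
               "management", "writepid"}


def parse_conf(text):
    """Return [(directive, [args]), ...] from OpenVPN-style config text."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = shlex.split(line)  # honours quoted arguments such as push "..."
        items.append((parts[0], parts[1:]))
    return items


def classify(items):
    """Bucket parsed server directives by what they mean for the unit."""
    buckets = {"must_match": [], "key_material": [], "recommended": [],
               "server_only": [], "unknown": []}
    for name, args in items:
        if name in MUST_MATCH:
            buckets["must_match"].append((name, args))
        elif name in KEY_MATERIAL:
            buckets["key_material"].append((name, args))
        elif name in RECOMMENDED:
            buckets["recommended"].append((name, args))
        elif name in SERVER_ONLY:
            buckets["server_only"].append((name, args))
        else:
            buckets["unknown"].append((name, args))  # review by hand
    return buckets


def generic_keys(items, vpn_index, first_conf_index=7):
    """Render generic-key lines for the must-match directives.

    ASSUMPTION: conf[n] indices are allocated consecutively from first_conf_index.
    """
    lines, n = [], first_conf_index
    for name, args in items:
        if name in MUST_MATCH:
            value = " ".join([name] + args)
            lines.append(f'sec.vpn[{vpn_index}].ssl.conf[{n}]="{value}"')
            n += 1
    return lines


def check_client(server_items, client_items):
    """Compare the server config with the unit's directives.

    Returns (errors, warnings): errors are must-match or key-material items the
    unit lacks or sets differently; warnings are recommended items it omits.
    """
    server, client = dict(server_items), dict(client_items)
    errors, warnings = [], []
    for name in sorted(MUST_MATCH & server.keys()):
        if name not in client:
            errors.append(f"missing on unit: {name}")
        elif client[name] != server[name]:
            errors.append(f"mismatch on {name}: server {server[name]} vs unit {client[name]}")
    if "tls-auth" in server and "tls-auth" not in client:
        errors.append("server uses tls-auth; load the same key on the unit with SSLC")
    for name in sorted(RECOMMENDED & server.keys()):
        if name not in client:
            warnings.append(f"consider setting '{name}' on the unit so it detects a dead link")
    return errors, warnings


if __name__ == "__main__":
    items = parse_conf(SAMPLE_SERVER_CONF)
    for bucket, entries in classify(items).items():
        print(bucket, [n for n, _ in entries])
    print("\n".join(generic_keys(items, 1)))
    errs, warns = check_client(items, parse_conf("cipher AES-128-CBC\n"))
    print(errs, warns)
```

Run against a real server.conf, the "unknown" bucket lists directives this page does not cover and which still need a manual decision; anything in "must_match" that is absent or different on the unit will prevent the tunnel from coming up, while the "recommended" items only affect how quickly the unit notices a broken link.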