Asentria SiteBoss 530 User Manual
65
Example
Here is an example OpenVPN server configuration. Each item is discussed below in terms of what it means for the server and what it means
for the unit. To get a better understanding of OpenVPN configuration, consult the documentation at
tls-server
local 10.0.5.171
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/myserver.crt
key /etc/openvpn/myserver.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
tls-auth /etc/openvpn/tlsauth.key
cipher AES-256-CBC
comp-lzo
max-clients 8190
ping 15
ping-restart 60
verb 3
client-connect /etc/openvpn/openvpn.connect.sh
client-disconnect /etc/openvpn/openvpn.disconnect.sh
learn-address /etc/openvpn/openvpn.updown.sh
up /etc/openvpn/openvpn.up.sh
tmp-dir /etc/openvpn/tmp
daemon
management 127.0.0.1 1195
writepid /var/run/openvpn.pid
The "tls-server" item specifies that the server operates in the mode secured by SSL/TLS. This is the only mode
the unit supports, so if the server does not use tls-server mode, the unit is incompatible with it.
The "local 10.0.5.171" item specifies the address the server listens on. Its only impact on the unit is that
the unit must connect to the server such that its connection ultimately arrives at 10.0.5.171 on the server. Use the
net.vpn[x].remote.host key to specify this address. Also, if firewalls separate the unit and the server, be aware of
the firewall configuration, so that the firewall routes the unit's traffic to the address on which the server is
listening.
The "port" and "proto" items specify which port is used and whether the transport is UDP or TCP. The values for these items should match the
values of the net.vpn[x].ssl.port and net.vpn.ssl[x].proto keys on the unit.
The "dev" item specifies whether the server uses bridging or routing. The unit supports routing only (dev tun). If
the server says "dev tap" then the unit is incompatible with the server.
The "ca" item specifies the CA certificate. Use the SSLC command to load the CA certificate on the unit.
The "cert" and "key" items specify the server certificate and key. These apply only to the server, so nothing
has to be changed on the unit to support them. Note, however, that the unit must be configured with its own certificate
and key (dedicated to the unit, not the same certificate and key used by the server) using the SSLC command. Note
also that if the server certificate is generated with the "nsCertType" value of "server", then you can add the
"ns-cert-type server" config item to the unit (using the generic net.vpn[x].ssl.conf[y] key).
The "dh" item specifies the Diffie-Hellman parameters. These are used only on the server, so nothing has to be
configured on the unit. (The SSLC command allows for adding DH parameters, but that is used when the
unit is in mode, not SSL VPN client mode as discussed here.)
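As an added example (not from the manual or from Asentria), the following Python script applies the checks above to an OpenVPN server configuration: it flags the two incompatibilities the text names (no tls-server mode, "dev tap") and derives the values for the unit's net.vpn keys from the "local", "port" and "proto" items, using OpenVPN's defaults where a directive is absent. The key spellings are copied from the manual text; the sample config and the placeholder host string are the script's own.

```python
"""Check an OpenVPN server config for unit compatibility and derive the
unit-side net.vpn key values. Added example; the unit does not read this file."""
import shlex

# Constructed sample: the manual's example server config, abbreviated.
SAMPLE_CONF = """\
tls-server
local 10.0.5.171
port 1194
proto udp
dev tun
"""

def parse_openvpn(text):
    """Return {directive: args} (first occurrence wins), skipping blank
    lines and '#' / ';' comment lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            conf.setdefault(parts[0], parts[1:])
    return conf

def check_compat(conf, x=1):
    """Return (problems, keys): problems lists why the unit cannot be a
    client of this server; keys maps the unit's net.vpn keys (spelled as
    the manual prints them) to the values the server config implies."""
    problems = []
    # 'server' is an OpenVPN macro that expands to include tls-server.
    if "tls-server" not in conf and "server" not in conf:
        problems.append("server is not in tls-server mode")
    dev = conf.get("dev", [""])[0]
    if not dev.startswith("tun"):  # 'tap' (bridging) is unsupported
        problems.append(f"dev {dev!r}: unit supports routing (tun) only")
    # OpenVPN defaults when the directive is absent: port 1194, proto udp.
    # A server's 'proto tcp-server' pairs with the client's plain 'tcp'.
    port = conf.get("port", ["1194"])[0]
    proto = conf.get("proto", ["udp"])[0].replace("-server", "")
    # Without 'local' the server listens on every address; the unit needs
    # one that is reachable from its side of any firewall.
    host = conf.get("local", ["<address reachable from the unit>"])[0]
    keys = {f"net.vpn[{x}].remote.host": host,
            f"net.vpn[{x}].ssl.port": port,
            f"net.vpn.ssl[{x}].proto": proto}
    return problems, keys

if __name__ == "__main__":
    problems, keys = check_compat(parse_openvpn(SAMPLE_CONF))
    print(problems or "compatible", keys)
```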