Tripp Lite 0 Idades Manual

							61
Chapter 4: Serial Port, Device and User Configuration
4.10.1 Enable the OpenVPN 
• Select OpenVPN on the Serial & Networks menu
• Click Add and complete the Add OpenVPN Tunnel screen
• Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN
 
• Select the Device Driver to be used, either Tun-IP or Tap-Ethernet.  The TUN (network tunnel) and TAP (network tap) 
drivers are virtual network drivers that support IP tunneling and Ethern\
et tunneling, respectively.  TUN and TAP are part of 
the Linux kernel.
• Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.\
• In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel.  When running as a server, the Console 
Server supports multiple clients connecting to the VPN server over the s\
ame port.
• In Configuration Method, select the authentication method to be used. \
 To authenticate using certificates select PKI 
(X.509 Certificates) or select Custom Configuration to upload cust\
om configuration files. Custom configurations must be 
stored in /etc/config.
Note: If you select PKI (public key infrastructure) you will need to estab\
lish:
• Separate certificate (also known as a public key). This Certificate File will be a *.crt file type
• Private Key for the server and each client. This Private Key File will be a *.key file type
• Master Certificate Authority (CA) certificate and key which is use\
d to sign each of the server and client certificates. This 
Root CA Certificate will be a *.crt file type
For a server you may also need dh1024.pem (Diffie Hellman parameters). 
Refer http://openvpn.net/easyrsa.html for a guide to basic RSA key management. 
For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth. 
For more information also see http://openvpn.net/howto.html 
• Check or uncheck the Compression button to enable or disable compression, respectively
   
						

							62
Chapter 4: Serial Port, Device and User Configuration
4.10.2 Configure as Server or Client  
• Complete the Client Details or Server Details depending on the Tunnel Mode selected.  
  o If Client has been selected, the Primary Server Address will be the address of the OpenVPN Server.
 o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The  
    network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients.
• Click Apply to save changes
 
• To enter authentication certificates and files Edit the OpenVPN tunnel.
• Select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and fi\
les. 
 
• Apply to save changes. Saved files will be displayed in red on the right-ha\
nd side of the Upload button.  
						

							63
Chapter 4: Serial Port, Device and User Configuration
 
• To enable OpenVPN,  Edit the OpenVPN tunnel
 
• Check the Enabled button.
• Apply to save changes
Note: Please make sure that the console server system time is correct when w\
orking with OpenVPN. Otherwise authentication 
issues may arise
 
• Select Statistics on the Status menu to verify that the tunnel is operational.
   
						

							64
Chapter 4: Serial Port, Device and User Configuration
4.10.3 Windows OpenVPN Client and Server set up
Windows does not come with an OpenVPN server or client. This section outl\
ines the installation and configuration of a 
Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console serve\
r.  
The OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be 
downloaded from http://openvpn.se/download.html.
•  Once installed on the Windows machine, an OpenVPN icon will have been created in the Notifica\
tion Area located in the right 
side of the taskbar. Right click on this icon to start (and stop) VPN connections, and to\
 edit configurations and view logs 
 
When the OpenVPN software is started, the C:\Program Files\OpenVPN\co\
nfig folder will be scanned for “.opvn” files.   This 
folder will be rechecked for new configuration files whenever the Op\
enVPN GUI icon is right-clicked. So once OpenVPN is 
installed, a configuration file will need to be created:
•  Using a text editor, create an xxxx.ovpn file and save in C:\Program Files\OpenVPN\config.  For example, C:\Program Files\
OpenVPN\config\client.ovpn
An example of an OpenVPN Windows client configuration 
file is shown below:
# description: BL_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
An example of an OpenVPN Windows Server configuration file 
is shown below:
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog BL_OpenVPN_Server  
						

							65
Chapter 4: Serial Port, Device and User Configuration
The Windows client/server configuration file options are:
OptionsDescription
#description:This is a comment describing the configuration.
Comment lines start with a ‘#’ and are ignored by OpenVPN.
Client
server
Specify whether this will be a client or server configuration file. \
In the server configuration file, 
define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0
proto udp
proto tcp
Set the protocol to UDP or TCP.  The client and server must use the same settings.
mssfix Mssfix sets the maximum size of the packet.  This is only useful for U\
DP if problems occur.
verb Set log file verbosity level.  Log verbosity level can be set from 0 (\
minimum) to 15 (maximum). 
For example,
0 = silent except for fatal errors
3 = medium output, good for general usage
5 = helps with debugging connection problems
9 = extremely verbose, excellent for troubleshooting
dev tun
dev tap
Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ t\
o create an Ethernet tunnel. The 
client and server must use the same settings.
remote The hostname/IP of OpenVPN server when operating as a client.  Enter eit\
her the DNS 
hostname or the static IP address of the server. 
PortThe UDP/TCP port of the server.  
KeepaliveKeepalive uses ping to keep the OpenVPN session alive.  'Keepalive 10 120' pings every 10 
seconds and assumes the remote peer is down if no ping has been received\
 over a 120 
second time period.
http-proxy  

If a proxy is required to access the server, enter the proxy server DNS name or IP and port 
number. 
ca Enter the CA certificate file name and location. The same CA certifi\
cate file can be used by the 
server and all clients.
Note: Ensure each ‘\’ in the directory path is replaced with ‘\
 \\’.  For example, c:\openvpnkeys\
ca.crt will become c:\\openvpnkeys\\ca.crt
cert Enter the client’s or servers’s certificate file name and loca\
tion. Each client should have its 
own certificate and key files.Note: Ensure each ‘\’ in the di\
rectory path is replaced with ‘ \\’.  
key Enter the file name and location of the client’s or server’s key\
. Each client should have its own 
certificate and key files.
Note: Ensure each ‘\’ in the directory path is replaced with ‘\
 \\’.  
dh This is used by the server only.
Enter the path to the key with the Diffie-Hellman parameters.
Nobind‘Nobind’ is used when clients do not need to bind to a local addre\
ss or specific local port 
number. This is the case in most client configurations.
persist-keyThis option prevents the reloading of keys across restarts.
persist-tunThis option prevents the close and reopen of TUN/TAP devices across restarts.
cipher BF-CBC Blowfish 
(default)
cipher AES-128-CBC  AES
cipher DES-EDE3-CBC 
Triple-DES
Select a cryptographic cipher. The client and server must use the same settings.
comp-lzoEnable compression on the OpenVPN link. This must be enabled on both the\
 client and the 
server.
syslogBy default, logs are located in syslog or, if running as a service on Window, in \Program Files\
OpenVPN\log directory.   
						

							66
Chapter 4: Serial Port, Device and User Configuration
To initiate the OpenVPN tunnel following the creation of the client/serve\
r configuration files:
• Right click on the OpenVPN icon in the Notification Area
• Select the newly created client or server configuration.  For example, BL_client
• Click ‘Connect’ as shown below
 
• The log file will be displayed as the connection is established
• Once established, the OpenVPN icon will display a message notifying of t\
he successful connection and assigned IP. This 
information, as well as the time the connection was established, is avai\
lable anytime by scrolling over the OpenVPN icon.
 
Note: An alternate OpenVPN Windows client can be downloaded from http://www.openvpn.net/index.php/openvpn-client/
downloads.html. Refer to http://www.openvpn.net/index.php/openvpn-client/howto-openvpn-client.html for help  
						

							67
Chapter 4: Serial Port, Device and User Configuration
4.11 PPTP VPN
Console Servers with Firmware V3.5.2 and later, include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is typically 
used for communications over a physical or virtual serial link. The PPP \
endpoints define a virtual IP address to themselves. 
Routes to networks can then be defined with these IP addresses as the \
gateway, which results in traffic being sent across the 
tunnel. PPTP establishes a tunnel between the physical PPP endpoints and\
 securely transports data across the tunnel. 
The strength of PPTP is its ease of configuration and integration into\
 existing Microsoft infrastructure. It is generally used for 
connecting single remote Windows clients. If you take your portable computer on a business trip, y\
ou can dial a local number 
to connect to your Internet service provider (ISP) and then create a s\
econd connection (tunnel) into your office network across 
the Internet and have the same access to your corporate network as if yo\
u were connected directly from your office. Similarly, 
telecommuters can also set up a VPN tunnel over their cable modem or DSL\
 links to their local ISP. 
To set up a PPTP connection from a remote Windows client to your appliance and local network:
1. Enable and configure the PPTP VPN server on your appliance 
2. Set up VPN user accounts on your appliance and enable the appropriate au\
thentication
3. Configure the VPN clients at the remote sites. The client does not req\
uire special software as the PPTP Server supports 
the standard PPTP client software included with Windows XP/ NT/ 2000/ 7 and Vista
4. Connect to the remote VPN   
						

							68
Chapter 4: Serial Port, Device and User Configuration
4.11.1 Enable the PPTP VPN server 
• Select PPTP VPN on the Serial & Networks menu
• Select the Enable check box to enable the PPTP Server
• Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an 
authentication scheme weaker than the selected scheme. The schemes are d\
escribed below, from strongest to weakest.
 o Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended o\
ption
 o Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. \
 
 It is not recommended that clients connect using this as it provides ver\
y little password protection. Also note that  
 clients connecting using CHAP are unable to encrypt traffic
 o Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of  
 authentication, the client password is transmitted unencrypted.
 o None
• Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this \
encryption 
level. Strong 40 bit or 128 bit encryption is recommended
• In Local Address, enter IP address to assign to the server's end of the VPN connection
• In Remote Addresses, enter the pool of IP addresses to assign to the incoming client's VPN \
connections (e.g. 
192.168.1.10-20). This must be a free IP address (or a range of free I\
P addresses), from the network (typically the LAN) 
that remote users are assigned while connected to the appliance
• Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400) 
• In the DNS Server field, enter the IP address of the DNS server that assigns IP address\
es to connecting PPTP clients
• In the WINS Server field, enter the IP address of the WINS server that assigns IP addres\
ses to connecting PPTP client
• Enable Verbose Logging to assist in debugging connection problems 
• Click Apply Settings  
						

							69
Chapter 4: Serial Port, Device and User Configuration
4.11.2 Add a PPTP user  
• Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2.
• Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note - users in this group will have 
their password stored in clear text.
• Keep note of the username and password for when you need to connect to th\
e VPN connection
• Click Apply  
						

							70
Chapter 4: Serial Port, Device and User Configuration
4.11.3 Set up a remote PPTP client  
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up 
two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the appliance. 
Note: This procedure sets up a PPTP client in the Windows 7 Professional operating system. The steps may vary slightly 
depending on your network access or if you are using an alternate versio\
n of Windows. More detailed instructions are available 
from the Microsoft web site.
• Login to your Windows client with administrator privileges
• From the Network & Sharing Center on the Control Panel select Network Connections and create a new connection 
• Select Use My Internet Connection (VPN) and enter the IP Address of the appliance
Note: To connect remote VPN clients to the local network, you need to know the \
user name and password for the PPTP 
account you added, as well as the Internet IP address of the appliance. \
If your ISP has not allocated you a static IP address, 
consider using a dynamic DNS service. Otherwise you must modify the PPTP\
 client configuration each time your Internet IP 
address changes.