VPN Configuration Options

Print version

2. VPN Configuration Options

M!DGE/MG102i units support several VPN types. Based on your application, number of clients, topology and other factors, the most suitable option should be selected.

RACOM recommends using either OpenVPN or IPsec. Both are very secure and robust solutions. IPsec is very common for point-to-point tunneling or it’s typically used with some bigger VPN concentrator such as CISCO. OpenVPN is very common for interconnecting large environments and M!DGE/MG102i can serve as the VPN server for up to 25 clients. If higher number of clients is required, a special VPN concentrator needs to be installed.

[Note]Note

A special software feature key (Server extension) must be ordered to provide the support for 25 OpenVPN clients. Our routers support up to 10 OpenVPN clients without this key.

PPTP is a very common solution, usually for connecting Windows PC to the M!DGE/MG102i, but should be used only if other options are not possible. The PPTP security algorithms have already been broken and it’s not as secure as IPsec or OpenVPN. GRE tunnel is useful for routing subnets among the units, because it also creates a special “greX” interface and it’s possible to define as many routes as needed. Keep in mind that GRE is not encrypted, the packets are just wrapped into the GRE header and they can be easily eavesdropped. These notes are not issues of RACOM, but they come from general implementation of those protocols.

See the following examples for details.

2.1. OpenVPN

The OpenVPN tunnel can be operated in two modes – either in the Routed mode or in the Bridged mode. If the VPN network consists of one subnet only, the bridged mode should be used. The whole network seems to be just bridged within the local switches. If you need to interconnect several networks/subnets, you need to utilize the Routed mode. See the detailed examples below.

2.1.1. OpenVPN – Routed mode

Static IP addresses are required for all SIM cards.

OpenVPN Server Configuration

The first step is configuring the Server. Make sure you are connected to the GSM network and so you have the WAN interface active.

[Note]Note

You can also use the Ethernet interface as a WAN interface.

Server WAN status

Fig. 2.1: Server WAN status

With OpenVPN, it is required to have a correct time. One possibility is to set the NTP server synchronization. Go to the SYSTEM – Time & Region menu and configure the unit with a reachable NTP server.

NTP synchronization

Fig. 2.2: NTP synchronization

When you are successfully connected and the time is correct, start configuring the OpenVPN server. The default values can be used or read the manual for parameter descriptions.

OpenVPN Server Configuration

Fig. 2.3: OpenVPN Server Configuration

After applying the configuration, the certificates need to be created. Click on the given link or go to the SYSTEM – Keys & Certificates menu.

Missing certificates

Fig. 2.4: Missing certificates

In this menu, create the certificates. By default, the Action is set to “generate locally”, but you can also upload the certificates or enroll them via SCEP.

Creating certificates

Fig. 2.5: Creating certificates

[Note]Note

If needed, the Certificates can be configured to contain specific Organization, Country, e-mail, etc. in the SYSTEM – Keys & Certificates – Configuration menu.

See the following example where the certificates are created.

Created OpenVPN certificates

Fig. 2.6: Created OpenVPN certificates

In the same menu, you can generate or upload certificates for individual clients or go back to the OpenVPN – Client Management menu, configure required hosts and the certificates will be locally created automatically after downloading the Expert mode file.

OpenVPN Clients

Fig. 2.7: OpenVPN Clients

In the Networking menu, you can define the clients’ networks or leave it empty. Each client can have its own network/mask. In our example, configure the network 192.168.20.0/24 for midge1 and 192.168.30.0/24 for midge2. The tunnel address can be dynamic.

OpenVPN Networking (Client1 example)

Fig. 2.8: OpenVPN Networking (Client1 example)

In the Routes menu, you can add networks which will be pushed into all clients’ Routing menu so that matching packets will be routed back to the server. Routing between the clients can be enabled too. Fill in the Server’s IP subnet 192.168.1.0/24.

OpenVPN Routes (Server's subnet)

Fig. 2.9: OpenVPN Routes (Server’s subnet)

Another step is to download the Expert file for all the configured clients. Fill in the server’s IP address which can be different in your case (the IP address depends on your APN configuration).

OpenVPN downloading Expert file

Fig. 2.10: OpenVPN downloading Expert file

The last step is Enabling the OpenVPN server.

Enabling OpenVPN server

Fig. 2.11: Enabling OpenVPN server

The OpenVPN server configuration is now complete. The server is running and listening for all VPN clients.

OpenVPN server is running

Fig. 2.12: OpenVPN server is running

OpenVPN Client Configuration

The easiest way how to configure the client is to upload the Expert file downloaded from the server. Unzip the file to obtain Expert files for individual clients.

Configure the APN on both clients and set the correct NTP server for time synchronization. Afterwards, go to the OpenVPN menu and upload the expert file.

OpenVPN client configuration (midge1)

Fig. 2.13: OpenVPN client configuration (midge1)

The Expert mode file should be installed. Now, enable the OpenVPN client and check the VPN status.

OpenVPN client – connected successfully

Fig. 2.14: OpenVPN client – connected successfully

Testing OpenVPN tunnel

On both the client and the server, you should see the updated Routing menu. There is a new TUN interface. See the Server’s Routing menu.

OpenVPN Routing

Fig. 2.15: OpenVPN Routing

You can define new routes in the Routing menu manually, just choose the correct TUN interface. Note that adding routes this way is not possible with the Bridged tunnel type or with IPsec.

Check the reachability of remote network by issuing the PING command from the SYSTEM – Troubleshooting – Network Debugging menu. Ping the remote M!DGE Ethernet IP address or you can even try to ping a device behind the remote M!DGE. In the example below, a ping from the server to the client is displayed.

Checking OpenVPN tunnel via ping

Fig. 2.16: Checking OpenVPN tunnel via ping

2.1.2. OpenVPN – Bridged mode

OpenVPN Bridged mode

Fig. 2.17: OpenVPN Bridged mode

The Bridge type of the OpenVPN tunnel used when you need to interconnect the devices within one IP subnet so we create “transparent” network. In our example, we will use the 192.168.1.0/24 subnet. The center has the IP address 192.168.1.1. The clients have 192.168.1.2 and .1.3. You can attach any device (e.g. notebook) to any M!DGE so you can test the reachability of not just M!DGE units, but even the connected devices.

[Note]Note

Make sure you have the correct IP addresses on all M!DGE units (INTERFACES – Ethernet – IP settings).

OpenVPN Server Configuration

The configuration is very similar to the previous example. In the Tunnel configuration, set the Type to “TAP”, Network mode to “bridged” and select the correct LAN interface.

OpenVPN Server – bridged mode

Fig. 2.18: OpenVPN Server – bridged mode

Create the required certificates and enable two clients in the Management menu. See the details in Section 2.1.1, “OpenVPN – Routed mode”.

The Networking and Routes menus do not require anything to change. We are NOT defining any routes in this mode.

OpenVPN Networking – bridged mode

Fig. 2.19: OpenVPN Networking – bridged mode

OpenVPN Routes – bridged mode

Fig. 2.20: OpenVPN Routes – bridged mode

Download the Expert file and Enable the tunnel.

Enabling OpenVPN server

Fig. 2.21: Enabling OpenVPN server

Finally, you check the OpenVPN status in the HOME menu.

OpenVPN Client Configuration

The client’s configuration is very simple, just upload the Expert file.

[Note]Note

You could, of course, use the Standard Operation mode, but using Expert file is simpler.

OpenVPN client configuration – bridged mode

Fig. 2.22: OpenVPN client configuration – bridged mode

Enable the tunnel and check the VPN status.

OpenVPN client HOME menu

Fig. 2.23: OpenVPN client HOME menu

Testing OpenVPN tunnel

Test the tunnel using the Ping functionality.

Testing OpenVPN (ping from the client to the server)

Fig. 2.24: Testing OpenVPN (ping from the client to the server)

Remember that there is no route in the Routing menu, because we are using TAP interface instead of TUN.

Routing menu – bridged mode

Fig. 2.25: Routing menu – bridged mode

[Note]Note

You can ping among the devices connected via M!DGE units. The link should be transparent and no extra routes are needed on the devices.

$ ping -c 5 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=1636 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=1327 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=1477 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=1207 ms
64 bytes from 192.168.1.1: icmp_seq=5 ttl=64 time=1097 ms

--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 1097.632/1349.279/1636.959/191.392 ms, pipe 2

OpenVPN is a very powerful tool. If you need to know more about the possible options, use the M!DGE/MG102i manual for more details.

2.2. IPsec

IPsec can be used in a network of any size. A dedicated router (or several routers) serve(s) as the VPN concentrator. The choice of vendor and type depends on the SLA requirements and the size of the network – RACOM has positive experience with Cisco routers (IOS or ASA based), however routers from other vendors (e.g. Juniper, Netgear, WatchGuard or others) can certainly be used.

The following routers were used as IPsec VPN concentrators:

  • M!DGE/MG102i – up to 4 tunnels

  • Cisco 1700 – up to 100

  • Cisco ASA 5510 – up to 250

  • Cisco 871-K9 – up to 10 tunnels

  • Cisco 1841-HSEC/ K9 – up to 800 tunnels

Please follow the instruction in the user manual of the specific router for IPsec tunnel settings. RACOM support team can assist you with basic settings for Cisco routers. A short description of the IPsec tunnel configuration in M!DGE/MG102i follows.

IPsec

Fig. 2.26: IPsec

The topology is the same as with the routed OpenVPN example. Remember that it is not possible to have a bridged mode of IPsec as it was possible with OpenVPN.

Both remote M!DGE/MG102i units in the example have dynamic mobile IP addresses. We will set the center’s peer IP to 0.0.0.0 so it will accept the connections from any IP address.

With IPsec, the most common way to authenticate each other is via a pre-shared key. Due to this, it is not essential to have a correct time using the NTP server.

2.2.1. IPsec Configuration

Server’s configuration

Go to the VPN – IPsec – Tunnel Configuration menu and create a new tunnel by pressing the “+” sign.

Creating IPsec tunnel

Fig. 2.27: Creating IPsec tunnel

In the General tab, fill in 0.0.0.0 into the IP address field. Due to this address, any remote unit can establish the connection with the central unit if the credentials are correct. The remote unit’s IP address is not an issue.

[Note]Note

From our experience, change the Action to “restart”.

IPsec server's General configuration

Fig. 2.28: IPsec server’s General configuration

Apply the changes and go to the next tab, IKE Proposal. Define any pre-shared key, which must be the same on the center and the remote sites. Fill in the Local and Peer IDs. In our example, FQDNs are used. The central ID is “midge-central” and the ID for the first client is “midge-client1”.

[Note]Note

You need to add a second tunnel if you need to connect M!DGE “client2”.

Other parameters can stay in defaults or you can enable PFS for higher security.

IPsec central's IKE Proposal tab

Fig. 2.29: IPsec central’s IKE Proposal tab

After applying the changes, you can leave everything in defaults within the IPsec Proposal tab.

IPsec central's IPsec Proposal tab

Fig. 2.30: IPsec central’s IPsec Proposal tab

In the last tab, define the required routable networks. In our example, we interconnect server’s 192.168.1.0/24 subnet with client’s 192.168.20.0/24 subnet. Leave the “NAT address” blank.

IPsec central's Networks tab

Fig. 2.31: IPsec central’s Networks tab

Return back to the Administration menu and enable the tunnel. Check both parameters – Propose NAT traversal and Restart on link change.

Enabling IPsec tunnel

Fig. 2.32: Enabling IPsec tunnel

The pop-up window will appear asking you to confirm the MSS to be decreased due to IPsec overhead. Confirm this change.

MSS Adjustment

Fig. 2.33: MSS Adjustment

If you now check the tunnel status, it will be “down”, because the client’s configuration is not yet finished.

Client’s configuration

The client’s configuration must follow the server’s one. The Peer IP address must be the server’s IP address.

Client's IPsec General tab

Fig. 2.34: Client’s IPsec General tab

In the IKE Proposal tab, the PSK must be the same as on the server’s side and switch the IDs. Do not forget to enable PFS if checked on the server.

Client's IPsec IKE Proposal

Fig. 2.35: Client’s IPsec IKE Proposal

Leave IPsec proposal in defaults and configure the Networks. Just switch the subnets (compared to the central’s configuration).

Client's IPsec Networks tab

Fig. 2.36: Client’s IPsec Networks tab

We can now Enable the tunnel and confirm the MSS adjustment.

After the algorithmcompletes the tunnel establishment, the tunnel should be marked “up” on both units. Check the HOME menu.

IPsec is established successfully

Fig. 2.37: IPsec is established successfully

Once the tunnel is UP, you can check the functionality via the ping, e.g. from the command shell:

~ $ ping -I 192.168.1.1 192.168.20.1
PING 192.168.20.1 (192.168.20.1) from 192.168.1.1: 56 data bytes
64 bytes from 192.168.20.1: seq=0 ttl=64 time=849.734 ms
64 bytes from 192.168.20.1: seq=1 ttl=64 time=1058.866 ms
64 bytes from 192.168.20.1: seq=2 ttl=64 time=918.134 ms

You need to set the source IP address so the IPsec routing would work. Otherwise, there could be no route back from the remote M!DGE.

Use M!DGE/MG102i manual for more details.

2.3. GRE

The description is being prepared.

2.4. PPTP

The description is being prepared.