This section covers the setup of the OpenVPN client and server. Generally, the process begins by creating an OpenVPN Server Certificate, which will contain all the client keys used by remote users to connect to the server.
Step 1: Generate the Server Certificate
Navigate to the Virtual Private Networks section.
Under OpenVPN, click on Server Certificates.
Select the option to Generate Server Key.
You will be prompted to enter a Server Certificate Name. In this example, the name is "cgunit." After entering the name, click Generate Certificate.
Step 2: Generate Client Certificates
Once the server certificate is created, you can generate client certificates:
Enter a Client Certificate Name (e.g., "tom").
Click Generate Certificate after specifying the name.
Step 3: Configure OpenVPN
Now that your server and client certificates are set up, it's time to configure the OpenVPN settings:
Click on Configurations.
Next, click on Add OpenVPN Config.
Step 4: Enter Configuration Details
Enter a Config Name (e.g., "cgmain").
For Config Mode, select Server to configure the server.
Set Network Parameters
Ensure that the Network Mask (the VPN tunnel network) is a private IP range that does not conflict with the WAN or LAN IP ranges.
Under Push Routes, include all LAN ranges or IPs that should be accessible within the OpenVPN network.
Once you've completed these steps, click Create Config to finalize the setup.
Note: For the OpenVPN configuration to work properly, ensure that:
Port 1194 is allowed by your ISP.
The DMZ host on your router is set to the iShield’s WAN IP.
You’re now ready to reload the unit. To apply the configuration, go to System Commands, click on Reload Unit, and then select Soft Reload for the changes to take effect.
Client Setup on the User’s Machine
To set up the client on the user’s machine, follow these steps:
Step 1: Download the Client's Certificate from iShield
Navigate to the Virtual Private Networks section.
Under OpenVPN, click on Server Certificates.
Click on the tool icon next to the user’s certificate (e.g., "tom’s certificate").
Download the certificate, then click Close after the download is complete.
Step 2: Install the OpenVPN Client
Go to https://openvpn.net/client/ and download the appropriate OpenVPN client based on the user’s operating system.
Install the downloaded client.
Step 3: Upload the Certificate (.ovpn File)
Open the OpenVPN application and click UPLOAD FILE.
Navigate to the directory where the certificate file (.ovpn file) was downloaded and click BROWSE to select it.
Once the certificate is uploaded, you should be able to connect to the server.
WireVPN makes use of WireGuard, which is a modern, lightweight VPN protocol designed to be simple, fast, and highly secure. Unlike traditional VPN protocols like OpenVPN, WireGuard uses state-of-the-art cryptography, resulting in faster performance. When configured on iShield, WireGuard provides a streamlined approach to secure remote access and is the preferred solution for site-to-site deployments.
The steps outlined below assume the following:
The main office network range is 192.168.20.0/24.
A domain controller providing DNS Server services has the IP address 192.168.20.250.
The branch office network range is 192.168.50.0/24.
WireVPN Server (Main Office)
Select the WireVPN tab in the VPN Configuration screen.
Select the Add WireVPN Config button.
Config Name: Enter a name for your WireVPN configuration (e.g. mainoffice).
Listen Port: Set the port for incoming connections (e.g. 51821).
Private Key: Generate your private key. This key should be kept secure and not shared.
Public Key: This is automatically generated based on your private key.
Interface: Choose any available network interface (e.g. wg0).
IP Address: Specify the IP address for the WireGuard interface (e.g. 172.16.16.1) and subnet mask (255.255.255.0, i.e. /24).
Remote Peers: Select the Add Peer button.
Peer Name: Enter a descriptive name for the peer (e.g. branch1).
Peer Public Key: This key should be obtained from the peer device that will connect to the WireGuard server.
Peer Endpoint: Input the IP address or hostname of the remote peer (e.g. branch1.is5.co.za).
Peer Endpoint Port: Specify the port that the peer will use to connect (e.g. 51822). This would usually be unique to each peer.
Keep Alive: Set the keep-alive interval in seconds (e.g. 25). A value of 0 disables keep-alive.
Select the Add Networks button.
Enter the required network ranges located on the remote site (e.g. 192.168.50.0/24). Ensure the remote peer IP is added here as well (e.g. 172.16.16.2/32 for the branch1 peer).
Select the Update Peer button to save changes.
If you're adding another branch peer, click on Add Networks and enter the necessary details.
After entering all the necessary details, click the Update WireVPN Config button to save the changes.
WireVPN Server (Branch Office)
Select the WireVPN tab in the VPN Configuration screen.
Select the Add WireVPN Config button.
Config Name: Enter a name for your WireVPN configuration (e.g. branchoffice).
Listen Port: Set the port for incoming connections (e.g. 51822).
Private Key: Generate your private key. This key should be kept secure and not shared.
Public Key: This is automatically generated based on your private key.
Interface: Choose any available network interface (e.g. wg0).
IP Address: Specify the IP address for the WireGuard interface (e.g. 172.16.16.2) and subnet mask (255.255.255.0, i.e. /24).
Remote Peers: Select the Add Peer button.
Peer Name: Enter a descriptive name for the peer (e.g. main).
Peer Public Key: This key should be obtained from the peer device that will connect to the WireGuard server.
Peer Endpoint: Input the IP address or hostname of the remote peer (e.g. main.is5.co.za).
Peer Endpoint Port: Specify the port that the peer will use to connect (e.g. 51821). This would usually be unique to each peer.
Keep Alive: Set the keep-alive interval in seconds (e.g. 25). A value of 0 disables keep-alive.
Select the Add Networks button.
Enter the required network ranges located on the remote site (e.g. 192.168.20.0/24). Ensure the remote peer IP is added here as well (e.g. 172.16.16.1/32 for the main peer).
Select the Update Peer button to save changes.
If you're adding another branch peer, click on Add Networks and enter the necessary details.
After entering all the necessary details, click the Update WireVPN Config button to save the changes.
WireVPN Client
Navigate to the WireGuard Installation Page to download and install the appropriate client for your device.
Launch the WireGuard app on your device. Select the down arrow next to the Add Tunnel button.
Choose the Create Empty Tunnel option to start with a blank configuration.
Copy the following template and paste it into the Edit tunnel window, below the last line:
ListenPort = 51825
Address = 172.16.16.5/32
DNS = 192.168.20.250
[Peer]
PublicKey = paste-the-Public-Key-from-mainserver-here
AllowedIPs = 192.168.20.0/24, 172.16.16.1/32
Endpoint = main.is5.co.za:51821
PersistentKeepalive = 25
[Peer]
PublicKey = paste-the-Public-Key-from-branch1server-here
AllowedIPs = 192.168.50.0/24, 172.16.16.2/32
Endpoint = branch1.is5.co.za:51822
PersistentKeepalive = 25
Select Save to save the tunnel configuration.
Click on the Activate button to initiate the VPN connection.
Important Note: The client peer must be added to the peer configuration of each WireVPN server to ensure access to their respective networks as required.
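The client template above only works if every destination prefix in AllowedIPs belongs to exactly one peer: WireGuard's cryptokey routing hands overlapping prefixes to whichever peer was added last, so a typo such as 172.16.16.0/24 on one peer silently captures the other peer's tunnel address. The following added example (not part of the iShield product or this page) parses the client tunnel file and reports such overlaps before the tunnel is activated; the key values are placeholders and the file contents are constructed from the template above.

```python
import ipaddress

# Constructed sample: the client template from the page, with placeholder keys.
CLIENT_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER-client-private-key
ListenPort = 51825
Address = 172.16.16.5/32
DNS = 192.168.20.250

[Peer]
PublicKey = PLACEHOLDER-main-public-key
AllowedIPs = 192.168.20.0/24, 172.16.16.1/32
Endpoint = main.is5.co.za:51821
PersistentKeepalive = 25

[Peer]
PublicKey = PLACEHOLDER-branch1-public-key
AllowedIPs = 192.168.50.0/24, 172.16.16.2/32
Endpoint = branch1.is5.co.za:51822
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Return (interface_settings, [peer_settings, ...]) from WireGuard INI text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return interface, peers


def allowed_ip_conflicts(peers):
    """Cryptokey routing gives each prefix to exactly one peer, so an AllowedIPs
    entry that overlaps another peer's entry is a misconfiguration. Returns
    (prefix_a, peer_index_a, prefix_b, peer_index_b) for every overlapping pair."""
    nets = [(ipaddress.ip_network(c.strip(), strict=False), i)
            for i, p in enumerate(peers)
            for c in p.get("AllowedIPs", "").split(",") if c.strip()]
    return [(str(a), i, str(b), j) for a, i in nets for b, j in nets
            if i < j and a.overlaps(b)]
```

An empty result from allowed_ip_conflicts means each prefix in the file routes to one peer only; the same check applies to the peer lists entered on the main and branch servers.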
WireGuard’s simplicity, speed, and modern encryption make it an ideal solution for secure network communications. By setting up proper peer configurations, you can ensure seamless, secure access to remote networks.
As you continue using WireGuard, remember to maintain your configurations by regularly updating keys and managing peer access for optimal security. WireGuard’s low overhead and robust performance will provide reliable VPN connections for a variety of network environments.