Configuration Difficulty: Expert
- Log into the Administrative GUI of the CradlePoint. For instructions on doing this, please refer to the article Series 3: Accessing the Setup Pages of a CradlePoint router.
- You will need to generate the following certificates for use by OpenVPN: a CA, a Server Certificate, and a Client Certificate (you will need a Client Certificate for each client you wish to connect to the CradlePoint). This can be done in the Certificate Manager in the CradlePoint. The Certificate Manager is accessed by clicking SYSTEM SETTINGS > CERTIFICATE MANAGEMENT.
- To Create a CA Certificate: Click on CREATE CERTIFICATE on the left-hand tabs. Fill out the information in the text boxes; it is recommended not to use spaces or special characters in any of the text fields for certificates. In the ISSUER section, be sure to check the box for “Set as CA certificate.” Click APPLY. NOTE: The Common Name field for each certificate needs to be unique among all the certificates used for OpenVPN.
- To Create a Server Certificate: Click on CREATE CERTIFICATE on the left-hand tabs. Fill out the information in the text boxes; it is recommended not to use spaces or special characters in any of the text fields for certificates. In the ISSUER section, be sure to check the box for “Sign with a CA certificate” and select your CA from the drop down. NOTE: The Common Name field for each certificate needs to be unique among all the certificates used for OpenVPN.
- To Create a Client Certificate: Click on CREATE CERTIFICATE on the left-hand tabs. Fill out the information in the text boxes; it is recommended not to use spaces or special characters in any of the text fields for certificates. In the ISSUER section, be sure to check the box for “Sign with a CA certificate” and select your CA from the drop down. NOTE: The Common Name field for each certificate needs to be unique among all the certificates used for OpenVPN.
- You will need to export the CA and Client certificates in order to use them in the configuration for the client. Select EXPORT PEM from the tabs on the left hand screen.
- Export the CA and Client certificates by selecting each certificate in turn from the drop-down and clicking the EXPORT button.
- You will also need to retrieve the Private Key for the Client certificate. As of firmware version 5.2, this is only possible via the CLI. For instructions on how to access the CLI, please refer to the article Series 3: Command Line Interface (CLI) Overview.
- Once you are logged in to the CLI, navigate to the Certificate Manager directory by issuing the following command: cd config/certmgmt/certs
- To view the certificates, issue the get command from the current directory.
- Locate the Private Key for your Client certificate and copy the text and paste it to a text document. The private key will be above the name of the certificate in the output of the get command as indicated in the screen shot.
- You will need to reformat the key document. In the key text document, locate every carriage return (the two-character sequence \n, as defined under Carriage Return below). Just before each one, press the Enter key and then delete the \n sequence. You will also need to remove all unnecessary spaces. Take great care not to delete any other characters, as this will invalidate the key. Save the document with a .key extension.
- To configure OpenVPN on the CradlePoint, go to INTERNET > OPENVPN TUNNELS.
- Click ADD.
- Give the Tunnel a familiar name.
- Select SERVER from the Tunnel Mode drop down.
- Select your server certificate from the Certificate Name drop down.
- Check the TLS-Authentication box if you would like the tunnel to use TLS. In this example, we will leave it unchecked.
- Assign an IP address and subnet mask to your tunnel network.
- Check the Support IPv6 Tunnels if you will be using IPv6 addresses. In this example, we will leave it unchecked.
- Choose the protocol you wish your tunnel to use from the Tunnel Protocol drop down. In this example, we will use UDP.
- Enter the port number you wish your tunnel to connect on. The default is 1194.
- Enter the amount of time you wish to wait to send a ping if no traffic has been sent through the tunnel in the Ping field. The value is in seconds, and 10 is the default.
- Enter the amount of time to wait if no pings have been received before the tunnel restarts into the Ping Restart field. This value is in seconds, and the default is 60.
- Ensure the Tunnel Enabled box is checked.
- Click NEXT.
- The Remote Server field is unavailable in this configuration because you are the server.
- Click NEXT.
- Enter any networks you would like to advertise via the tunnel by clicking ADD ROUTE, entering the Network IP Address and subnet mask, and clicking SAVE.
- Click NEXT.
- If you checked TLS-Authentication when creating the tunnel, you will need to generate a TLS-Authentication Key by clicking the GENERATE button. In this example, we are not using TLS, so we will skip this step.
- Click FINISH.
- On your Windows 7 client, you will need to download the OpenVPN GUI.
- You will need to create a configuration file for your client in a text editor. Below is an example configuration file that corresponds to the settings we have set on our server. Where the CA certificate, Client certificate and Client key are indicated, open each of those files in a text editor and copy and paste the text directly into the configuration file between the matching tags. The client directive tells OpenVPN to act as a TLS client; without it, the certificate and key directives are rejected.

```
client
dev tun
proto udp
port 1194
keepalive 10 60
verb 3
remote x.x.x.x 1194 udp    # x.x.x.x is the IP address of the server
<ca>
(Insert CA cert here)
</ca>
<cert>
(Insert Client cert here)
</cert>
<key>
(Insert Client key here)
</key>
```
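The key reformatting step and the client configuration file above can also be produced by a script rather than by hand. The following is an added example, not code from the article or from CradlePoint: it converts the CLI's escaped one-line key into a proper PEM block, rejects a key that has lost or gained characters, and writes the CA, certificate and key into the .ovpn inline. The exact CLI output format shown and the placeholder certificates are constructed assumptions.

```python
import re

# Constructed sample of how a client private key can appear in the CradlePoint
# CLI "get" output: one line, literal backslash-n sequences instead of line
# breaks, and a stray space. The base64 body is a placeholder, not a real key.
RAW_CLI_KEY = (
    '"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC BKcwggSj\\n'
    'AgEAAoIBAQC7PLACEHOLDERBODY\\n-----END PRIVATE KEY-----\\n"'
)

def unescape_pem(raw: str) -> str:
    """Turn the CLI's escaped one-line PEM text into a multi-line PEM block: each
    literal \\n becomes a line break and stray spaces in the body are removed."""
    text = raw.strip().strip('"').replace("\\r", "").replace("\\n", "\n")
    lines = []
    for line in text.split("\n"):
        line = line.strip()
        if not line.startswith("-----"):          # keep BEGIN/END labels intact
            line = "".join(line.split())          # base64 never contains spaces
        if line:
            lines.append(line)
    return "\n".join(lines) + "\n"

def check_pem(pem: str) -> bool:
    """Matching BEGIN/END labels and a base64-only body; a lost or extra character fails."""
    lines = pem.strip().split("\n")
    head = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0])
    if not head or lines[-1] != f"-----END {head.group(1)}-----":
        return False
    return re.fullmatch(r"[A-Za-z0-9+/]+=*", "".join(lines[1:-1])) is not None

def build_ovpn(server_ip: str, ca_pem: str, cert_pem: str, key_pem: str,
               port: int = 1194) -> str:
    """Assemble the client .ovpn matching this article's server settings, with
    the CA, client certificate and key inlined in <ca>/<cert>/<key> tags."""
    for pem in (ca_pem, cert_pem, key_pem):
        if not check_pem(pem):
            raise ValueError("malformed PEM block, refusing to write the config")
    return (
        "client\n"                          # TLS client; accepts pushed options
        "dev tun\n"
        "proto udp\n"                       # Tunnel Protocol chosen on the router
        f"remote {server_ip} {port} udp\n"  # router WAN address and tunnel port
        "keepalive 10 60\n"                 # Ping 10 / Ping Restart 60 from the GUI
        "verb 3\n"
        f"<ca>\n{ca_pem}</ca>\n<cert>\n{cert_pem}</cert>\n<key>\n{key_pem}</key>\n"
    )
# Constructed placeholder certificates so the example runs offline.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIICPLACEHOLDERCA==\n-----END CERTIFICATE-----\n"
CLIENT_PEM = "-----BEGIN CERTIFICATE-----\nMIICPLACEHOLDERCLIENT\n-----END CERTIFICATE-----\n"
```

Write the result of build_ovpn("x.x.x.x", CA_PEM, CLIENT_PEM, unescape_pem(RAW_CLI_KEY)) to a .ovpn file in the OpenVPN config directory, substituting the router's address for x.x.x.x.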
- Save the configuration file with a .ovpn extension in to the config directory of OpenVPN.
- You will need to set OpenVPN GUI to “Run as Administrator”. This can be done by right-clicking on OpenVPN GUI and selecting Properties. Under the Compatibility tab, check the box next to “Run this program as an administrator”. Then click OK.
- Launch OpenVPN GUI.
- Right click the OpenVPN GUI icon in the System tray.
- Click Connect.
You will get a message stating you are connected to the OpenVPN server in the CradlePoint. This can be verified by opening a Command Prompt and pinging the OpenVPN IP address of the CradlePoint as well as viewing the routing table on your computer.
- Carriage Return: a control character or mechanism used to reset a device’s position to the beginning of a line of text, for the purpose of this document the control character is \n.
- Certificate Authority (CA): an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate.
- Command Line Interface (CLI): is a type of human-computer interface (i.e., a way for humans to interact with computers) that relies solely on textual input and output. This is accessed via SSH in the CradlePoint.
- OpenVPN: an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
- Secure Sockets Layer/Transport Layer Security (SSL/TLS): cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty with whom they are communicating and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This provides data/message confidentiality, message authentication codes for message integrity, and, as a by-product, message authentication.
- This feature is found only on the following CradlePoint Products: AER 2100 and MBR1400v2
- OpenVPN requires an Extended Enterprise License (EEL) and Enterprise Cloud Manager (ECM) to use this feature.
To view the status of the OpenVPN tunnels, access the CLI of the CradlePoint and issue the following command: get status/openvpn
To view log messages, you will need to enable Debug level logging. Enabling this level of logging will impact router performance and over time can cause unexpected reboots or loss of functionality and should only be enabled at the request of an authorized CradlePoint representative. This enables debug level logging for most of the Router Services. This is enabled by navigating to SYSTEM SETTINGS > ADMINISTRATION > SYSTEM LOGGING and next to the LOGGING LEVEL select DEBUG from the drop down.