Series 3: How do I set up site to site OpenVPN configuration between two CradlePoint routers?

Configuration Difficulty: Intermediate



Summary

Firmware Version

Network Topology

Configuration

Technical

Troubleshooting


Summary


This article is intended to assist the CradlePoint Administrator in configuring two CradlePoints in a site to site OpenVPN configuration.


Firmware Version


This Article was written utilizing firmware version 5.2.0.


Network Topology

[Network topology diagram]


Configuration

CradlePoint #1 (Local) Configuration

  1. Log in to the Administrative GUI of the Local CradlePoint. For instructions on doing this, please refer to the article Series 3: Accessing the Setup Pages of a CradlePoint router.
  2. Go to INTERNET > OPENVPN TUNNELS.
  3. Click ADD.
  4. Give the Tunnel a familiar name.
  5. Select SITE-TO-SITE from the Tunnel Mode drop down.
  6. Check TLS-Authentication if you want the tunnel to use OpenVPN's tls-auth feature. This adds an HMAC signature, computed with a shared static key, to every control-channel packet, so packets that were not produced with that key are dropped before the TLS handshake is even attempted. It must be set the same way on both routers. In this example we will leave it unchecked; for a production tunnel it is worth enabling, because it keeps port scanners and unauthenticated hosts from reaching the TLS handshake at all.
  7. Assign a Local and Remote Endpoint IP address to your tunnel. These addresses should be in the same subnet, typically a /30, and that subnet must not overlap any LAN on either side of the tunnel.
  8. Check Support IPv6 Tunnels if you will be using IPv6 addresses. In this example we will leave it unchecked.
  9. Choose the protocol you wish your tunnel to use from the Tunnel Protocol drop down. In this example we will use UDP.
  10. Enter the port number you wish your tunnel to connect on. The default is 1194.
  11. In the Ping field, enter how long to wait with no traffic through the tunnel before sending a keepalive ping. The value is in seconds, and 10 is the default.
  12. In the Ping Restart field, enter how long to wait without receiving a ping before the tunnel restarts. This value is in seconds and the default is 60. Keep it well above the Ping value so that a single lost ping does not tear the tunnel down.
  13. Ensure the Tunnel Enabled box is checked.
  14. Click NEXT.
  15. Click ADD.
  16. In the REMOTE SERVERS screen, add the WAN IP address of the CradlePoint you are creating the tunnel with. This IP address must be reachable across the WAN link by this CradlePoint; cellular WAN addresses are often carrier-assigned private addresses that are not reachable from the Internet, so confirm the address is publicly routable before continuing. You will also enter the port and protocol of the Remote CradlePoint. These must match the settings you entered previously on that CradlePoint.
  17. Click SAVE.
  18. Click NEXT.
  19. For this configuration, we will leave the ROUTE section at default. Click NEXT.
  20. If in Step 6 you chose to use TLS-Authentication, click GENERATE to create the TLS-Authentication Key, and keep a copy of it: the identical key must be installed on the Remote CradlePoint, and a key generated separately on the other router will not match. In this example we are not using TLS-Authentication, so we will skip this step.
  21. Click FINISH.
  22. In order to route to any LANs or devices attached to the Remote CradlePoint, we will need to add routes to the CradlePoint. This can be done either statically or with a routing protocol. In this example we will use a Static Route. To enter a Static Route, go to NETWORK SETTINGS > ROUTING.
  23. Click ADD.
  24. Enter the IP Version.
  25. Enter the IP address or Network Address of the device or LAN you are attempting to route to on the remote side of the tunnel.
  26. Enter the Netmask.
  27. Enter the Gateway. This is the next hop for the route, which is the far end of the tunnel: the Remote Endpoint address you configured in Step 7 (the Remote CradlePoint's Local Endpoint address).
  28. The Device is the interface that traffic for this route is sent out of. On the CradlePoint you can specify either the Gateway or the Device, but not both. In this example we will leave it blank because we are using the Gateway address to route our traffic.
  29. Configure the Metric. By default it is 1; we will leave it at 1 for this example.
  30. Check the box for Allow Network Access.
  31. Check the box for Distribute if you would like this route distributed by a routing protocol configured on the CradlePoint. In this example we will leave it unchecked.
  32. Click SUBMIT.

CradlePoint #2 (Remote) Configuration

  1. Log in to the Administrative GUI of the Remote CradlePoint.
  2. Go to INTERNET > OPENVPN TUNNELS.
  3. Click ADD.
  4. Give the Tunnel a familiar name.
  5. Select the SITE-TO-SITE option from the Tunnel Mode drop-down.
  6. Check TLS-Authentication if you want the tunnel to use OpenVPN's tls-auth feature. In this example we will leave it unchecked. This setting must match the setting in the Local CradlePoint.
  7. Assign a Local and Remote Endpoint IP address to your tunnel. These addresses should be in the same subnet, typically a /30. On this CradlePoint the addresses are the opposite of how they were configured in Step 7 of the Router #1 configuration: Router #1's Remote Endpoint is this router's Local Endpoint, and vice versa.
  8. Check Support IPv6 Tunnels if you will be using IPv6 addresses. In this example we will leave it unchecked.
  9. Choose the protocol you wish your tunnel to use from the Tunnel Protocol drop down. In this example we will use UDP. This setting must match the setting in the Local CradlePoint.
  10. Enter the port number you wish your tunnel to connect on. The default is 1194. This setting must match the setting in the Local CradlePoint.
  11. In the Ping field, enter how long to wait with no traffic through the tunnel before sending a keepalive ping. The value is in seconds, and 10 is the default.
  12. In the Ping Restart field, enter how long to wait without receiving a ping before the tunnel restarts. This value is in seconds and the default is 60.
  13. Ensure the Tunnel Enabled box is checked.
  14. Click NEXT.
  15. Click ADD.
  16. In the REMOTE SERVERS screen, add the WAN IP address of the CradlePoint you are creating the tunnel with. This IP address must be reachable across the WAN link by this CradlePoint. You will also enter the port and protocol of the Local CradlePoint. These must match the settings you entered previously on that CradlePoint.
  17. Click SAVE.
  18. Click NEXT.
  19. For this configuration, we will leave the ROUTE section at default. Click NEXT.
  20. If in Step 6 of the Router #1 configuration you chose to use TLS-Authentication, enter the same TLS-Authentication Key here that was generated on Router #1 in its Step 20; do not generate a second key, because the two ends must hold an identical key. In this example we are not using TLS-Authentication, so we will skip this step. This setting must match the setting in the Local CradlePoint.
  21. Click FINISH.
  22. In order to route to any LANs or devices attached to the Local CradlePoint, we will need to add routes to the CradlePoint. This can be done either statically or with a routing protocol. In this example we will use a Static Route. To enter a Static Route, go to NETWORK SETTINGS > ROUTING.
  23. Click ADD.
  24. Enter the IP Version.
  25. Enter the IP address or Network Address of the device or LAN you are attempting to route to on the remote side of the tunnel.
  26. Enter the Netmask.
  27. Enter the Gateway. This is the far end of the tunnel from this router's point of view: the Remote Endpoint address you configured in Step 7 of this router's configuration, which is the Local Endpoint address of Router #1.
  28. The Device is the interface that traffic for this route is sent out of. On the CradlePoint you can specify either the Gateway or the Device, but not both. In this example we will leave it blank because we are using the Gateway address to route our traffic.
  29. Configure the Metric. By default it is 1; we will leave it at 1 for this example.
  30. Check the box for Allow Network Access.
  31. Check the box for Distribute if you would like this route distributed by a routing protocol configured on the CradlePoint. In this example we will leave it unchecked.
  32. Click SUBMIT.
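The two procedures above only work if the fields on the two routers agree with each other in specific ways: mode, protocol, port and TLS-Authentication identical; the endpoint pair mirrored inside one /30; each router's REMOTE SERVERS entry equal to the other router's WAN address; and every static route pointed at the far end of the tunnel. The script below is an added consistency check written for this article, not a CradlePoint tool: it records both routers' settings using the GUI field names from the steps above, reports every mismatch, and derives the NETWORK SETTINGS > ROUTING entries each side needs for the LANs behind its peer. The WAN addresses, tunnel endpoints and LAN ranges are constructed for illustration, and the script does not talk to the routers; you fill it in from what you typed into each GUI.

```python
"""Consistency check for a two-router site-to-site OpenVPN configuration.

Added example for this article (not CradlePoint code). Each TunnelSpec holds
the GUI fields from the procedure above; check_pair() applies the matching
rules the procedure states, and static_routes() derives the ROUTING entries.
All addresses below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class TunnelSpec:
    name: str
    wan_ip: str                          # this router's WAN address
    local_endpoint: str                  # Local Endpoint IP (Step 7)
    remote_endpoint: str                 # Remote Endpoint IP (Step 7)
    peer_wan_ip: str                     # REMOTE SERVERS entry (Step 16)
    lans: List[str] = field(default_factory=list)  # LANs behind this router
    protocol: str = "UDP"                # Tunnel Protocol (Step 9)
    port: int = 1194                     # Step 10
    tls_auth: bool = False               # TLS-Authentication (Step 6)
    tls_auth_key: Optional[str] = None   # key generated in Step 20
    ping: int = 10                       # Step 11, seconds
    ping_restart: int = 60               # Step 12, seconds


def _same_p2p_subnet(a: str, b: str, prefix: int = 30) -> bool:
    """True if two distinct endpoint addresses fall inside one /30 (Step 7)."""
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return a != b and ipaddress.ip_address(b) in net


def check_pair(r1: TunnelSpec, r2: TunnelSpec) -> List[str]:
    """Return every mismatch between the two tunnel definitions; empty means OK."""
    problems: List[str] = []
    # Protocol, port and TLS-Authentication must be identical (Steps 6, 9, 10).
    for fld in ("protocol", "port", "tls_auth"):
        if getattr(r1, fld) != getattr(r2, fld):
            problems.append(f"{fld} differs: {getattr(r1, fld)!r} vs {getattr(r2, fld)!r}")
    # Endpoints are mirrored: one router's Local is the other's Remote (Step 7).
    if r1.local_endpoint != r2.remote_endpoint or r1.remote_endpoint != r2.local_endpoint:
        problems.append("tunnel endpoints are not mirrored between the two routers")
    if not _same_p2p_subnet(r1.local_endpoint, r1.remote_endpoint):
        problems.append("local and remote endpoints are not in the same /30")
    # Each REMOTE SERVERS entry must be the peer's WAN address (Step 16).
    if r1.peer_wan_ip != r2.wan_ip or r2.peer_wan_ip != r1.wan_ip:
        problems.append("REMOTE SERVERS entry does not match the peer's WAN IP")
    # With tls-auth enabled, both ends must hold the identical key (Step 20).
    if r1.tls_auth and (not r1.tls_auth_key or r1.tls_auth_key != r2.tls_auth_key):
        problems.append("TLS-Authentication is on but the key is missing or differs")
    for r in (r1, r2):
        if r.ping_restart <= r.ping:
            problems.append(f"{r.name}: Ping Restart must exceed Ping")
        tunnel_net = ipaddress.ip_network(f"{r.local_endpoint}/30", strict=False)
        for lan in r.lans:   # the tunnel /30 must not collide with any LAN
            if ipaddress.ip_network(lan).overlaps(tunnel_net):
                problems.append(f"{r.name}: LAN {lan} overlaps the tunnel /30")
    return problems


def static_routes(local: TunnelSpec, peer: TunnelSpec) -> List[Dict[str, object]]:
    """ROUTING entries to add on `local` (Steps 22-32): one per LAN behind `peer`,
    with the far end of the tunnel as the next hop (Step 27)."""
    routes: List[Dict[str, object]] = []
    for lan in peer.lans:
        net = ipaddress.ip_network(lan)
        routes.append({
            "ip_version": f"IPv{net.version}",      # Step 24
            "network": str(net.network_address),    # Step 25
            "netmask": str(net.netmask),            # Step 26
            "gateway": local.remote_endpoint,       # Step 27
            "device": "",                           # Step 28: gateway, not device
            "metric": 1,                            # Step 29
            "allow_network_access": True,           # Step 30
            "distribute": False,                    # Step 31
        })
    return routes


# Constructed sample mirroring the two procedures above (documentation addresses).
ROUTER1 = TunnelSpec(name="cp1-local", wan_ip="198.51.100.10",
                     local_endpoint="10.255.255.1", remote_endpoint="10.255.255.2",
                     peer_wan_ip="203.0.113.20", lans=["192.168.1.0/24"])
ROUTER2 = TunnelSpec(name="cp2-remote", wan_ip="203.0.113.20",
                     local_endpoint="10.255.255.2", remote_endpoint="10.255.255.1",
                     peer_wan_ip="198.51.100.10", lans=["192.168.2.0/24"])

if __name__ == "__main__":
    for line in check_pair(ROUTER1, ROUTER2) or ["tunnel definitions are consistent"]:
        print(line)
    for me, other in ((ROUTER1, ROUTER2), (ROUTER2, ROUTER1)):
        for route in static_routes(me, other):
            print(f"{me.name}: route {route['network']}/{route['netmask']} via {route['gateway']}")
```

Run it once with the values from both GUIs before enabling the tunnels; a port or protocol mismatch is reported immediately instead of showing up only as a tunnel that never leaves the connecting state.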

Technical

Terms

  • OpenVPN: an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS): cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty and to agree on a symmetric session key. This session key is then used to encrypt the data flowing between the parties, giving data confidentiality, while message authentication codes give message integrity and, as a by-product, message authentication.
  • TLS-Authentication (tls-auth): an OpenVPN option that adds an HMAC signature, computed with a pre-shared static key, to every control-channel packet. Packets that fail the HMAC check are dropped before any TLS processing, so both routers must hold the same key.

System Requirements

  • This feature is available only on the following CradlePoint products: AER 2100 and MBR1400v2.
  • Using OpenVPN requires an Extended Enterprise License (EEL) and Enterprise Cloud Manager (ECM).

Troubleshooting


To view the status of the OpenVPN tunnels, access the CLI of the CradlePoint and issue the following command: get status/openvpn. Check the output on both routers; a tunnel that never establishes is usually a port, protocol or TLS-Authentication setting that does not match between the two ends, or a REMOTE SERVERS address that is not reachable from the other router.

To view log messages, you will need to enable Debug level logging. Enabling this level of logging will impact router performance and over time can cause unexpected reboots or loss of functionality, and should only be enabled at the request of an authorized CradlePoint representative. It enables debug level logging for most of the Router Services. To enable it, navigate to SYSTEM SETTINGS > ADMINISTRATION > SYSTEM LOGGING and, next to LOGGING LEVEL, select DEBUG from the drop down. Return the logging level to its previous setting once troubleshooting is complete.


CradlePoint Knowledgebase

CradlePoint Manual: Network Settings → Routing Protocol

OpenVPN

OpenVPN How To


Published Date:
7/1/2014


Category: Cradlepoint Series 3
