OpenVPN
OpenVPN is a virtual private network (VPN) system to create secure point-to-point or site-to-site connections with support for client and server modes. It uses a custom security protocol and utilizes SSL/TLS extensively for its encryption and key exchange.
OpenVPN can run over UDP or TCP transports, which makes performance significantly lower than other VPN protocols such as IPSec, but allows it to work through most proxy servers, NATs, and firewalls.
OpenVPN supports authorization and accounting through RADIUS, TACACS+, and the local user database. To learn more about authentication in OSDx check out the AAA article.
Configuration
The OpenVPN configuration in OSDx has two parts: the interface and the VPN profile. The interface configuration refers to interface-specific options such as local address or remote peers and it represents an OpenVPN tunnel. VPN profiles are configurations for different categories of options such as TLS options, client/server options, or tunnel options, which can be shared between tunnel configurations. This scheme closely mirrors the structure of the OpenVPN Reference Manual.
Note that some profiles are only available in specific modes, for example the client profile is only available in client mode.
Administration
OSDx operational commands to monitor and control tunnels and perform operations such as disconnecting a client, reloading a tunnel, showing connected clients, etc.
Examples
OpenVPN examples are available in the Openvpn examples page.
Configuration commands
interfaces openvpn <ifc> dhcp client fallback <ipv4cidr|ipv6cidr>interfaces openvpn <ifc> dhcp client send dhcp-client-identifierinterfaces openvpn <ifc> dhcp client send dhcp-client-identifier base-macinterfaces openvpn <ifc> dhcp client send dhcp-client-identifier serial-numberinterfaces openvpn <ifc> dhcp client send dhcp-client-identifier string <id>interfaces openvpn <ifc> dhcp client send vendor-class-identifierinterfaces openvpn <ifc> dhcp client send vendor-class-identifier string <id>interfaces openvpn <ifc> ip igmp last-member-query-count <u32>interfaces openvpn <ifc> ip igmp last-member-query-interval <u32>interfaces openvpn <ifc> ip igmp query-max-response-time <u32>interfaces openvpn <ifc> ip ospf authentication encrypted-password <password>interfaces openvpn <ifc> ip ospf authentication message-digest <id>interfaces openvpn <ifc> ip ospf authentication message-digest <id> encrypted-password <password>interfaces openvpn <ifc> ip ospf authentication message-digest <id> password <txt>interfaces openvpn <ifc> ip ospf authentication password <txt>interfaces openvpn <ifc> ip rip authentication encrypted-password <password>interfaces openvpn <ifc> ip rip authentication message-digest <u32>interfaces openvpn <ifc> ip rip authentication message-digest <u32> encrypted-password <password>interfaces openvpn <ifc> ip rip authentication message-digest <u32> password <txt>interfaces openvpn <ifc> ip rip authentication password <txt>interfaces openvpn <ifc> ip rip split-horizon poison-reverseinterfaces openvpn <ifc> ipv6 address prefix-from-provider <id>interfaces openvpn <ifc> ipv6 address prefix-from-provider <id> ifc-ID <ipv6net>interfaces openvpn <ifc> ipv6 dup-addr-detect-transmits <u32>interfaces openvpn <ifc> ipv6 ospfv3 authentication hmac-sha-256 <u32>interfaces openvpn <ifc> ipv6 ospfv3 authentication hmac-sha-256 <u32> encrypted-password <password>interfaces openvpn <ifc> ipv6 ospfv3 authentication hmac-sha-256 <u32> password <txt>interfaces openvpn <ifc> ipv6 ospfv3 authentication md5 <u32>interfaces openvpn <ifc> ipv6 ospfv3 authentication md5 <u32> encrypted-password <password>interfaces openvpn <ifc> ipv6 ospfv3 authentication md5 <u32> password <txt>interfaces openvpn <ifc> ipv6 ospfv3 retransmit-interval <u32>interfaces openvpn <ifc> ipv6 ripng split-horizon poison-reverseinterfaces openvpn <ifc> ipv6 router-advert cur-hop-limit <u32>interfaces openvpn <ifc> ipv6 router-advert default-lifetime <u32>interfaces openvpn <ifc> ipv6 router-advert default-preference <txt>interfaces openvpn <ifc> ipv6 router-advert managed-flag <txt>interfaces openvpn <ifc> ipv6 router-advert max-interval <u32>interfaces openvpn <ifc> ipv6 router-advert min-interval <u32>interfaces openvpn <ifc> ipv6 router-advert name-server <ipv6>interfaces openvpn <ifc> ipv6 router-advert other-config-flag <txt>interfaces openvpn <ifc> ipv6 router-advert prefix <ipv6net>interfaces openvpn <ifc> ipv6 router-advert prefix <ipv6net> autonomous-flag <txt>interfaces openvpn <ifc> ipv6 router-advert prefix <ipv6net> on-link-flag <txt>interfaces openvpn <ifc> ipv6 router-advert prefix <ipv6net> preferred-lifetime <u32|id>interfaces openvpn <ifc> ipv6 router-advert prefix <ipv6net> valid-lifetime <u32|id>interfaces openvpn <ifc> ipv6 router-advert reachable-time <u32>interfaces openvpn <ifc> ipv6 router-advert retrans-timer <u32>interfaces openvpn <ifc> ipv6 router-advert send-advert <txt>interfaces openvpn <ifc> ipv6 router-advert used-prefixes autonomous-flag <txt>interfaces openvpn <ifc> ipv6 router-advert used-prefixes on-link-flag <txt>interfaces openvpn <ifc> ipv6 router-advert used-prefixes preferred-lifetime <u32|id>interfaces openvpn <ifc> ipv6 router-advert used-prefixes valid-lifetime <u32|id>interfaces openvpn <ifc> mode client encryption-profile <id>interfaces openvpn <ifc> mode server encryption-profile <id>interfaces openvpn <ifc> peer <u32> address <fqdn|ipv4|ipv6>interfaces openvpn <ifc> traffic nat destination rule <u32> address <ipv4|ipv4net|ipv4range|id>interfaces openvpn <ifc> traffic nat destination rule <u32> description <txt>interfaces openvpn <ifc> traffic nat destination rule <u32> loginterfaces openvpn <ifc> traffic nat destination rule <u32> log level <txt>interfaces openvpn <ifc> traffic nat destination rule <u32> log prefix <txt>interfaces openvpn <ifc> traffic nat destination rule <u32> network <ipv4net>interfaces openvpn <ifc> traffic nat destination rule <u32> port <u32|id>interfaces openvpn <ifc> traffic nat destination rule <u32> protocol <txt>interfaces openvpn <ifc> traffic nat destination rule <u32> selector <txt>interfaces openvpn <ifc> traffic nat source rule <u32> address <ipv4|ipv4net|ipv4range|id>interfaces openvpn <ifc> traffic nat source rule <u32> description <txt>interfaces openvpn <ifc> traffic nat source rule <u32> log level <txt>interfaces openvpn <ifc> traffic nat source rule <u32> log prefix <txt>interfaces openvpn <ifc> traffic nat source rule <u32> network <ipv4net>interfaces openvpn <ifc> traffic nat source rule <u32> port <u32|id>interfaces openvpn <ifc> traffic nat source rule <u32> protocol <txt>interfaces openvpn <ifc> traffic nat source rule <u32> selector <txt>interfaces openvpn <ifc> traffic policy in <txt> priority <txt>interfaces openvpn <ifc> traffic policy local-in <txt> priority <txt>interfaces openvpn <ifc> traffic policy local-out <txt> priority <txt>interfaces openvpn <ifc> traffic policy out <txt> priority <txt>vpn openvpn client-profile <id> authentication encrypted-password <password>vpn openvpn client-profile <id> authentication password <txt>vpn openvpn client-profile <id> authentication username <id>vpn openvpn client-profile <id> pull filter <u32> policy <id>vpn openvpn client-profile <id> pull filter <u32> text <txt>vpn openvpn encryption-profile <id> auth <u32> algorithm <id>vpn openvpn encryption-profile <id> cipher <u32> algorithm <id>vpn openvpn encryption-profile <id> ncp cipher <u32> algorithm <id>vpn openvpn encryption-profile <id> secret static-key <file>vpn openvpn server-profile <id> client <id> address <ipv4|fqdn>vpn openvpn server-profile <id> client <id> push route delay <u32>vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id>vpn openvpn server-profile <id> client <id> push route gateway <ipv4|id>vpn openvpn server-profile <id> push route destination <ipv4net|id>vpn openvpn server-profile <id> push route destination <ipv4net|id> gateway <ipv4|id>vpn openvpn server-profile <id> push route destination <ipv4net|id> metric <u32>vpn openvpn server-profile <id> push route gateway <ipv4|id>