Client Server
These scenarios show how to configure an OpenVPN tunnel using a client/server topology.
Basic Tunnel
Description
A simple client/server tunnel is created between two devices
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.351 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.652 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.652/0.652/0.652/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2025-05-11 20:39:09 2025-05-11 20:39:09
Client Static IP
Description
A client is given a static IP address based on its common name
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV client Client address 10.0.0.3 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.355 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.355/0.355/0.355/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.3:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.3 from DUT0:
admin@DUT0$ ping 10.0.0.3 count 1 size 56 timeout 1Show output
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.618 ms --- 10.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.618/0.618/0.618/0.000 ms
Disconnect By Common Name
Description
A client is forcefully disconnected by the server by the client’s common name
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.381 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.381/0.381/0.381/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.750 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.750/0.750/0.750/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect common-name Client at DUT0 and expect this output:
Show output
common name 'Client' found, 1 client(s) killed
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
Disconnect By Address
Description
A client is forcefully disconnected by the server by the client’s address
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.313 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.313/0.313/0.313/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.547 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.547/0.547/0.547/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect address 192.168.100.2 1194 at DUT0 and expect this output:
Show output
1 client(s) at address 192.168.100.2
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
SCEP
Description
A simple client/server tunnel is created between two devices using SCEP to get the necessary keys and certificates
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24 set interfaces ethernet eth1 tcp-mss 1200 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 10.215.168.65/24 set interfaces ethernet eth1 tcp-mss 1200 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=3.70 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.700/3.700/3.700/0.000 ms
Step 4: Ping IP address 192.168.213.25 from DUT1:
admin@DUT1$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.644 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.644/0.644/0.644/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Server set system certificate scep csr CSR encrypted-password U2FsdGVkX18ECekqU43s06trbZ7RtlXPz9vKRu8OTb0rstsIeGlhup6bUNiHJJWmFLmbQDAF9LI5XNCVe+6CaA== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR set vpn openvpn tls-profile TLS dhparam 'running://dh.pem'
Step 6: Modify the following configuration lines in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Client set system certificate scep csr CSR encrypted-password U2FsdGVkX18iQf9uofDN8vCjWwsaaEwXl0qBfJ8KTRjZa93z9JJG6IcU7egxdTo4CJmxF7pGnR/QNYpD3TJX8A== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
USER_CERT\s+ValidShow output
----------------------------------------------------------------------- Certificate Status NotBefore NotAfter ----------------------------------------------------------------------- CA_CERT Valid Dec 14 10:00:35 2023 GMT Dec 14 10:10:34 2053 GMT USER_CERT Valid May 11 20:21:03 2025 GMT May 12 00:21:03 2025 GMT
Step 8: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.453 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.453/0.453/0.453/0.000 ms
Step 9: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 10: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.780 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.780/0.780/0.780/0.000 ms