Client Server
These scenarios show how to configure an OpenVPN tunnel using a client/server topology.
Basic Tunnel
Description
A simple client/server tunnel is created between two devices
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.230 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.413 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.413/0.413/0.413/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2024-10-30 14:41:21 2024-10-30 14:41:21
Client Static IP
Description
A client is given a static IP address based on its common name
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV client Client address 10.0.0.3 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.211 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.211/0.211/0.211/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.3:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.3 from DUT0:
admin@DUT0$ ping 10.0.0.3 count 1 size 56 timeout 1Show output
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.483 ms --- 10.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.483/0.483/0.483/0.000 ms
Disconnect By Common Name
Description
A client is forcefully disconnected by the server by the client’s common name
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.241 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.241/0.241/0.241/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.524 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.524/0.524/0.524/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect common-name Client at DUT0 and expect this output:
Show output
common name 'Client' found, 1 client(s) killed
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
Disconnect By Address
Description
A client is forcefully disconnected by the server by the client’s address
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.205 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.490 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.490/0.490/0.490/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect address 192.168.100.2 1194 at DUT0 and expect this output:
Show output
1 client(s) at address 192.168.100.2
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
SCEP
Description
A simple client/server tunnel is created between two devices using SCEP to get the necessary keys and certificates
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth1 address 10.215.168.65/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.626 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.626/0.626/0.626/0.000 ms
Step 4: Ping IP address 192.168.213.25 from DUT1:
admin@DUT1$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.482 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.482/0.482/0.482/0.000 ms
Step 5: Modify the following configuration lines in DUT0:
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Server set system certificate scep csr CSR encrypted-password U2FsdGVkX1+Qf9erf+LcooJ9/uwaUzEzd6CIV709m4SieV4o1W4WMzShO0t5NfWxzIOgSiCnJTePx2nc4KoBzg== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR set vpn openvpn tls-profile TLS dhparam 'running://dh.pem'
Step 6: Modify the following configuration lines in DUT1:
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Client set system certificate scep csr CSR encrypted-password U2FsdGVkX197l104KHIk24wgF94LaX3duREdGpfg2LMXPs2O/hjkP4ftE2XFbd3UTZY8tnWiA5CjPeHjyOBQ5Q== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
USER_CERT\s+ValidShow output
----------------------------------------------------------------------- Certificate Status NotBefore NotAfter ----------------------------------------------------------------------- CA_CERT Valid Dec 14 10:00:35 2023 GMT Dec 14 10:10:34 2053 GMT USER_CERT Valid Oct 30 14:26:57 2024 GMT Oct 30 14:26:57 2026 GMT
Step 8: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.379 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
Step 9: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 10: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.423 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.423/0.423/0.423/0.000 ms