Client Server
These scenarios show how to configure an OpenVPN tunnel using a client/server topology.
Basic Tunnel
Description
A simple client/server tunnel is created between two devices
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.610 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.610/0.610/0.610/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.707 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.707/0.707/0.707/0.000 ms
Step 6: Run the command interfaces openvpn ovpn1 clients on DUT0 and check whether the output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2026-06-03 18:49:09 2026-06-03 18:49:10
Basic Tunnel With VRF
Description
A simple client/server tunnel with VRF
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces ethernet eth1 vrf JUPITER set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set interfaces openvpn ovpn1 vrf JUPITER set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf JUPITER set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 vrf JUPITER count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: JUPITER PING 192.168.100.2 (192.168.100.2) from 192.168.100.1 JUPITER: 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.240 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.240/0.240/0.240/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.695 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.695/0.695/0.695/0.000 ms
Step 6: Run the command interfaces openvpn ovpn1 clients on DUT0 and check whether the output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2026-06-03 18:49:18 2026-06-03 18:49:19
Client Static IP
Description
A client is given a static IP address based on its common name
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV client Client address 10.0.0.3 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.270 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.270/0.270/0.270/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.3:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.3 from DUT0:
admin@DUT0$ ping 10.0.0.3 count 1 size 56 timeout 1Show output
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.858 ms --- 10.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.858/0.858/0.858/0.000 ms
Disconnect By Common Name
Description
A client is forcefully disconnected by the server by the client’s common name
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.205 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.205/0.205/0.205/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.912 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.912/0.912/0.912/0.000 ms
Step 6: Run the command interfaces openvpn ovpn1 disconnect common-name Client on DUT0 and expect the following output:
Show output
common name 'Client' found, 1 client(s) killed
Step 7: Expect a failure in the following command:
Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run the command interfaces openvpn ovpn1 clients on DUT0 and check whether the output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
Disconnect By Address
Description
A client is forcefully disconnected by the server by the client’s address
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.372 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms
Step 4: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.762 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.762/0.762/0.762/0.000 ms
Step 6: Run the command interfaces openvpn ovpn1 disconnect address 192.168.100.2 1194 on DUT0 and expect the following output:
Show output
1 client(s) at address 192.168.100.2
Step 7: Expect a failure in the following command:
Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run the command interfaces openvpn ovpn1 clients on DUT0 and check whether the output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
SCEP
Description
A simple client/server tunnel is created between two devices using SCEP to get the necessary keys and certificates
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 10.215.168.65/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping the IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=1.10 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.096/1.096/1.096/0.000 ms
Step 4: Ping the IP address 192.168.213.25 from DUT1:
admin@DUT1$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=9.28 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 9.276/9.276/9.276/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Server set system certificate scep csr CSR encrypted-password U2FsdGVkX19lCB41+Ul4W+fVPmnm0OchC1ZJ/u6Jep1ulAWbMx7jyQh9O15yzpR0AHBjlOZ0iS5sZgqcKo8YWQ== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR set vpn openvpn tls-profile TLS dhparam 'running://dh.pem'
Step 6: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth1 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Client set system certificate scep csr CSR encrypted-password U2FsdGVkX1+iGNCmOHJCRUjq/4grrfXunU9dtd+OXLJI+wqMsCxG4Z8P1+ja3ZhQCdP7SG4Ip9mtnsDw1qnGJQ== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR
Step 7: Run the command pki scep show CSR on DUT0 and check whether the output matches the following regular expressions:
usercert\s+ValidShow output
------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------- ca Valid Signature Jan 9 09:34:41 2026 GMT Jan 9 09:44:41 2056 GMT ra Valid Encipherment Jan 9 09:37:26 2026 GMT Jan 9 09:37:26 2028 GMT ra-2 Valid Signature Jan 9 09:37:25 2026 GMT Jan 9 09:37:25 2028 GMT usercert Valid - Jun 3 18:20:16 2026 GMT Jun 3 18:30:16 2028 GMT
Step 8: Ping the IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=5.76 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 5.755/5.755/5.755/0.000 ms
Step 9: Run the command interfaces openvpn ovpn1 status on DUT1 and check whether the output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 10: Ping the IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.709 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.709/0.709/0.709/0.000 ms