Client Server
These scenarios show how to configure an OpenVPN tunnel using a client/server topology.
Basic Tunnel
Description
A simple client/server tunnel is created between two devices
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.323 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.323/0.323/0.323/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.574 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.574/0.574/0.574/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2025-03-18 10:53:50 2025-03-18 10:53:50
Basic Tunnel With VRF
Description
A simple client/server tunnel with VRF
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 vrf JUPITER set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set interfaces openvpn ovpn1 vrf JUPITER set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set system vrf JUPITER set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 vrf JUPITER count 1 size 56 timeout 1Show output
ping: Warning: source address might be selected on device other than: JUPITER PING 192.168.100.2 (192.168.100.2) from 192.168.100.1 JUPITER: 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.372 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.639 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.639/0.639/0.639/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output contains the following tokens:
ClientShow output
----------------------------------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------------------------------- Client 192.168.100.2:1194 10.0.0.2 2025-03-18 10:54:01 2025-03-18 10:54:02
Client Static IP
Description
A client is given a static IP address based on its common name
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server server-profile SRV set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn server-profile SRV client Client address 10.0.0.3 set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.266 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.266/0.266/0.266/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.3:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.3 from DUT0:
admin@DUT0$ ping 10.0.0.3 count 1 size 56 timeout 1Show output
PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data. 64 bytes from 10.0.0.3: icmp_seq=1 ttl=64 time=0.661 ms --- 10.0.0.3 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.661/0.661/0.661/0.000 ms
Disconnect By Common Name
Description
A client is forcefully disconnected by the server by the client’s common name
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.453 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.453/0.453/0.453/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.506 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.506/0.506/0.506/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect common-name Client at DUT0 and expect this output:
Show output
common name 'Client' found, 1 client(s) killed
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
Disconnect By Address
Description
A client is forcefully disconnected by the server by the client’s address
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://server.crt' set vpn openvpn tls-profile TLS dhparam 'running://dh.pem' set vpn openvpn tls-profile TLS private-key 'running://server.priv.pem'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set vpn openvpn tls-profile TLS ca 'running://ca.crt' set vpn openvpn tls-profile TLS certificate 'running://client.crt' set vpn openvpn tls-profile TLS private-key 'running://client.priv.pem'
Step 3: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.347 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.347/0.347/0.347/0.000 ms
Step 4: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 5: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.716 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.716/0.716/0.716/0.000 ms
Step 6: Run command interfaces openvpn ovpn1 disconnect address 192.168.100.2 1194 at DUT0 and expect this output:
Show output
1 client(s) at address 192.168.100.2
Step 7: Expect a failure in the following command:
Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. --- 10.0.0.1 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms
Step 8: Run command interfaces openvpn ovpn1 clients at DUT0 and check if output does not match the following regular expressions:
ClientShow output
---------------------------------------------------------- Common Name Address Endpoint Connected since Last seen ----------------------------------------------------------
SCEP
Description
A simple client/server tunnel is created between two devices using SCEP to get the necessary keys and certificates
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth1 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth1 address 10.215.168.65/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.700 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.700/0.700/0.700/0.000 ms
Step 4: Ping IP address 192.168.213.25 from DUT1:
admin@DUT1$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.690 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.690/0.690/0.690/0.000 ms
Step 5: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces openvpn ovpn1 local-endpoint 10.0.0.0/29 set interfaces openvpn ovpn1 mode server tls-profile TLS set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Server set system certificate scep csr CSR encrypted-password U2FsdGVkX19Bn0k0EtgP/ZO5azTClVwr6Sj5bgwM1KgqftHzQ+FLlh/yvJEjcz7cpASz6RNukCnsKR9f7N2XVg== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR set vpn openvpn tls-profile TLS dhparam 'running://dh.pem'
Step 6: Modify the following configuration lines in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set interfaces openvpn ovpn1 mode client tls-profile TLS set interfaces openvpn ovpn1 peer 1 address 192.168.100.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=Client set system certificate scep csr CSR encrypted-password U2FsdGVkX1+HW3AH1zTcQYQBlVj/fDeXItntSt9MPqSmsqm/uK6sdiMhe3r4cZHe1/7JstN/OW6GDNHNcWLqrQ== set system certificate scep csr CSR url 'http://192.168.213.25/' set vpn openvpn tls-profile TLS csr CSR
Step 7: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
usercert\s+ValidShow output
------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------- ca Valid Signature Dec 14 10:00:35 2023 GMT Dec 14 10:10:34 2053 GMT ra Valid Encipherment Dec 21 09:33:45 2023 GMT Dec 20 09:33:45 2025 GMT ra-2 Valid Signature Dec 21 09:33:43 2023 GMT Dec 20 09:33:43 2025 GMT usercert Valid - Mar 18 10:36:11 2025 GMT Mar 18 14:36:11 2025 GMT
Step 8: Ping IP address 192.168.100.2 from DUT0:
admin@DUT0$ ping 192.168.100.2 count 1 size 56 timeout 1Show output
PING 192.168.100.2 (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=0.345 ms --- 192.168.100.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.345/0.345/0.345/0.000 ms
Step 9: Run command interfaces openvpn ovpn1 status at DUT1 and check if output contains the following tokens:
CONNECTEDShow output
OpenVPN interface ovpn1 State: CONNECTED (SUCCESS) Local endpoint: 10.0.0.2:1194 Remote: 192.168.100.1
Step 10: Ping IP address 10.0.0.1 from DUT1:
admin@DUT1$ ping 10.0.0.1 count 1 size 56 timeout 1Show output
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data. 64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.525 ms --- 10.0.0.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.525/0.525/0.525/0.000 ms