openvpn

vpn openvpn
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

OpenVPN profiles

vpn openvpn client-profile <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – Client options

Instances:

Multiple

vpn openvpn client-profile <id> allow-pull-fqdn
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Allow client to pull DNS names from server

vpn openvpn client-profile <id> authentication
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Client authentication

Required:

vpn openvpn client-profile <id> authentication encrypted-password <password>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • password – VPN encrypted password

vpn openvpn client-profile <id> authentication password <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • txt – VPN password

vpn openvpn client-profile <id> authentication username <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – VPN username

vpn openvpn client-profile <id> pull
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Option pulling parameters

vpn openvpn client-profile <id> pull filter <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Option filter parameters

Values:
  • u32 – Filter index

Instances:

Multiple

Required:

vpn openvpn client-profile <id> pull filter <u32> policy <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Filter policy

Values:
  • accept – Allow option

  • ignore – Remove option

  • reject – Flag option as error and restart tunnel

vpn openvpn client-profile <id> pull filter <u32> text <txt>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • txt – Filter rules that start with this text

vpn openvpn encryption-profile <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – Data channel encryption options

Instances:

Multiple

vpn openvpn encryption-profile <id> auth <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Digest algorithms to authenticate data channel packets with

Values:
  • u32 – Digest index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> auth <u32> algorithm <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Digest algorithm

Values:
  • none – Disable data channel authentication

vpn openvpn encryption-profile <id> cipher <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Cipher algorithms to encrypt data channel packets with

Values:
  • u32 – Cipher index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> cipher <u32> algorithm <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Cipher algorithm

Values:
  • none – Disable data channel encryption

vpn openvpn encryption-profile <id> ncp
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Negotiable Crypto Parameters (client/server mode)

vpn openvpn encryption-profile <id> ncp cipher <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Cipher negotiation proposals

Values:
  • u32 – Cipher index

Instances:

Multiple

Required:

vpn openvpn encryption-profile <id> ncp cipher <u32> algorithm <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – Cipher algorithm

vpn openvpn encryption-profile <id> ncp disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Disable cipher negotiation

vpn openvpn encryption-profile <id> secret
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Static key encryption mode (p2p mode)

Required:

vpn openvpn encryption-profile <id> secret direction <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Data flow direction

vpn openvpn encryption-profile <id> secret static-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Static key file

vpn openvpn server-profile <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – Server options

Instances:

Multiple

vpn openvpn server-profile <id> authentication <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Authentication list

Reference:

system aaa list <id>

vpn openvpn server-profile <id> client <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Client parameters

Values:
  • id – Client Common Name

Instances:

Multiple

vpn openvpn server-profile <id> client <id> address <ipv4|fqdn>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • ipv4 – Static IP address

  • fqdn – Static IP address

vpn openvpn server-profile <id> client <id> disable
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Disable client

vpn openvpn server-profile <id> client <id> push
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Option pushing parameters

vpn openvpn server-profile <id> client <id> push reset
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Ignore global push list for client

vpn openvpn server-profile <id> client <id> push route
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Routing parameters

vpn openvpn server-profile <id> client <id> push route delay <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Delay after connection establishment before adding routes

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Route destination

Values:
  • ipv4cidr – IPv4 address

  • ipv4net – IPv4 network

  • vpn_gateway – Remote VPN endpoint address

  • net_gateway – Pre-existing IP default gateway

  • remote_host – Remote host

Instances:

Multiple

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id> gateway <ipv4|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Route gateway

Values:
  • vpn_gateway – Remote VPN endpoint address

  • net_gateway – Pre-existing IP default gateway

  • remote_host – Remote host

vpn openvpn server-profile <id> client <id> push route destination <ipv4cidr|ipv4net|id> metric <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Route metric

vpn openvpn server-profile <id> client <id> push route gateway <ipv4|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Default gateway to use with pushed routes

Values:
  • ipv4 – IPv4 address

  • dhcp – Extract the gateway address from a DHCP negotiation

vpn openvpn server-profile <id> client-to-client
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Allow connected clients to reach each other

vpn openvpn server-profile <id> duplicate-cn
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Allow multiple clients with the same common name to concurrently connect

vpn openvpn server-profile <id> push
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Push configuration options to the clients

vpn openvpn server-profile <id> push route
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Routing parameters

vpn openvpn server-profile <id> push route delay <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Delay after connection establishment before adding routes

vpn openvpn server-profile <id> push route destination <ipv4net|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Route destination

Values:
  • ipv4net – IPv4 network

  • vpn_gateway – Remote VPN endpoint address

  • net_gateway – Pre-existing IP default gateway

  • remote_host – Remote host

Instances:

Multiple

vpn openvpn server-profile <id> push route destination <ipv4net|id> gateway <ipv4|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Route gateway

Values:
  • vpn_gateway – Remote VPN endpoint address

  • net_gateway – Pre-existing IP default gateway

  • remote_host – Remote host

vpn openvpn server-profile <id> push route destination <ipv4net|id> metric <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Route metric

vpn openvpn server-profile <id> push route gateway <ipv4|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Default gateway to use with pushed routes

Values:
  • ipv4 – IPv4 address

  • dhcp – Extract the gateway address from a DHCP negotiation

vpn openvpn tls-profile <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – TLS options

Instances:

Multiple

vpn openvpn tls-profile <id> auth
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Additional layer of HMAC authentication on top of the TLS control channel

Required:

vpn openvpn tls-profile <id> auth direction <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Data flow direction

vpn openvpn tls-profile <id> auth static-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Static key to use for HMAC authentication

vpn openvpn tls-profile <id> ca <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Certificate Authority certificate in PEM format

vpn openvpn tls-profile <id> certificate <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Local certificate in PEM format

vpn openvpn tls-profile <id> crl <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Certificate Revocation List in PEM format

vpn openvpn tls-profile <id> crypt
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Encrypt and authenticate all control channel packets

Required:

vpn openvpn tls-profile <id> crypt static-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Static key to use for HMAC authentication

vpn openvpn tls-profile <id> csr <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Certificate Signing Request instance (SCEP)

Reference:

system certificate scep csr <id>

vpn openvpn tls-profile <id> dhparam <file|id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Diffie-Hellman parameters in PEM format (server mode)

Values:
  • none – Do not use dhparam file

vpn openvpn tls-profile <id> private-key <file>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • file – Local certificate’s private key in PEM format

vpn openvpn tunnel-profile <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • id – Tunnel options

Instances:

Multiple

vpn openvpn tunnel-profile <id> compression <id>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Compression algorithm to use

Values:
  • lzo – Better compatibility

  • lz4 – Better performance

vpn openvpn tunnel-profile <id> float
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Allow remote peer to change its IP address and/or port number

vpn openvpn tunnel-profile <id> keepalive
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

Keepalive parameters

Required:

vpn openvpn tunnel-profile <id> keepalive interval <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Ping interval

vpn openvpn tunnel-profile <id> keepalive timeout <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE
Values:
  • u32 – Ping timeout to restart

vpn openvpn tunnel-profile <id> log-level <u32>
AresC640 Atlas840 H5-Rail M10-Smart M2 M20 RS420 RXL15000 SDE

OpenVPN log level

Values:
  • u32 – Disable all logging except fatal errors (0)

  • u32 – Normal usage range (1-4)

  • u32 – Output R and W for each packet read and write (5)

  • u32 – Debug info range (6-11)