Topology Diagram

Alotcer OpenVPN Topology Diagram

1. OpenVPN Software Download and Installation

Software Download
You can consult Alotcer 5G Industrial Gateway/Router technical personnel (seo@alotcer.com) for the installation package of the OPENVPN server. There is a strong demand for IoT network security. The VPN networking solution based on 5G Industrial VPN Gateway/Router is more flexible and convenient. However, traditional VPN solutions are costly and technically challenging. Therefore, the low-cost self-built OPENVPN solution based on Windows is favored by users, addressing the network security needs of many small and medium-sized projects. The stable and reliable 5G Industrial Gateway/Router plays a crucial role in the solution.

Software Installation

The OpenVPN software server and client both use the same installation package. For this demonstration, we will install the server on Windows and include the certificate generation tool, EasyRSA3. We will be using OpenVPN version 2.5.7 for the installation.

During the installation, choose ‘Customize’ and select ‘OpenVPN service’ and ‘EasyRSA3’ for server configuration and certificate generation purposes.

OpenVPN setup

Change the default installation location to a drive other than C, as installing on the C drive may affect the subsequent certificate generation. For this installation, we will be using the D drive.

OpenVPN setup, steps 2 to 6

After installation, the software will be located in the D:\OpenVPN directory.

 

OpenVPN directory

2. Certificate and Key Generation

(This example is for the version without a password. For the version with a password, please contact Alotcer technical support)

Prepare the CA (Certificate Authority) issuing environment.
In the directory “D:\OpenVPN\easy-rsa”, copy the file named “vars.example” to a file named “vars”. The “vars” file contains built-in Easy-RSA configuration settings. Subsequent certificate generation will follow the configuration specified in that file.
The main parameters to be modified are as follows:

main parameters

After making the changes, save the file. Double-click the “EasyRSA-Start.bat” file to open the EasyRSA shell environment in a DOS window. In that window, type “./easyrsa init-pki” to initialize the certificate generation program. Once the initialization is successful, a new folder named “pki” will be created in the “D:\OpenVPN\easy-rsa” directory, as shown in the following illustration:

easy-rsa directory

Generate the public CA certificate

In the DOS window, type “./easyrsa build-ca nopass” to generate a CA certificate whose private key is not protected by a password. During the generation process, you will be prompted to enter a certificate name (the Common Name). You can enter any name you like; for this instance, we’ll use “CA” as the name. After the generation is complete, the certificate will be located at “D:\OpenVPN\easy-rsa\pki\ca.crt”.

public CA certificate

To generate the server certificate and key:

Enter ‘./easyrsa build-server-full server nopass’ to generate a passwordless server certificate named ‘server’. After generation, the certificate file will be located in the ‘D:\OpenVPN\easy-rsa\pki\issued’ folder.

server certificate

Generate Client Certificate Key

Enter ‘./easyrsa build-client-full client nopass’ to generate a passwordless client certificate named ‘client’. After generation, the certificate will be located in the ‘D:\OpenVPN\easy-rsa\pki\issued’ folder.


To add another client in the future, double-click the EasyRSA-Start.bat file and enter ‘./easyrsa build-client-full client2 nopass’. No further action is required. The highlighted portion is the certificate name, which distinguishes the clients; use one certificate per machine. As shown in the image below:

another client

Generate Diffie-Hellman Parameters

Enter ‘./easyrsa gen-dh’ to generate the Diffie-Hellman parameters file used for key exchange. The generated file will be located in the ‘D:\OpenVPN\easy-rsa\pki’ directory.

Diffie-Hellman parameters file

The certificate key files are located under the directory ‘D:\OpenVPN\easy-rsa\pki\private’.

certificate key

3. Configuration of the Windows Server

To set up an OpenVPN server, you need a public IP address or a fixed IP address in a private network environment. You can set it up on a router with OpenVPN server functionality or on a Windows computer with port forwarding enabled. This demonstration is for setting up on a computer.

(The example is for UDP mode. If you need TCP mode, refer to the appendix for detailed instructions on configuring the OpenVPN server-side file, or consult our technical support.)

Modify Server Configuration File

The server configuration file template is ‘server.ovpn’, located in the ‘D:\OpenVPN\sample-config’ directory. Copy the ‘server.ovpn’ file to the ‘D:\OpenVPN\config’ directory, and open it using Notepad, a built-in Windows application, to modify it with the following configuration:

Server Configuration File

The image below serves as a caption. For detailed comments on other configurations, please refer to the appendix for a comprehensive explanation of the OpenVPN server-side configuration file.

other configurations

Create a ‘ccd’ folder in the ‘D:\OpenVPN\config’ directory. Within this folder, create files without extensions, with each file name corresponding to a client certificate name. Inside the files, input the subnet range and specify the tunnel IP as shown in the image below:

other configurations

Copy the certificates into the configuration

Copy the server certificate, server key, CA certificate, and DH file into the ‘D:\OpenVPN\config’ folder.

Copy the certificates
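The ccd files and the copied certificate files can be cross-checked against the server configuration before the server is started. The following is an added example, not code from the original page or from Alotcer: it parses a server config and its ccd files and reports mismatches. It assumes the ccd files use OpenVPN's `iroute` and `ifconfig-push` directives for the subnet range and tunnel IP, handles IPv4 only, and all addresses and file names in the sample data are constructed.

```python
import ipaddress

def directives(text):
    """Parse OpenVPN config text into (keyword, args) pairs, dropping comments."""
    out = []
    for line in text.splitlines():
        words = line.split("#")[0].split(";")[0].replace('"', "").split()
        if words:
            out.append((words[0], words[1:]))
    return out

def net(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def lint(server_text, ccd, issued, config_files):
    """Return findings for a server config, its ccd files and the config folder."""
    conf, findings = directives(server_text), []
    used = {w for w, _ in conf}
    for w, a in conf:  # every credential file the config names must have been copied
        if w in ("ca", "cert", "key", "dh") and a and a[0] not in config_files:
            findings.append(f"{w}: {a[0]} is not in the config folder")
    if "duplicate-cn" in used:
        findings.append("duplicate-cn defeats one certificate per machine")
    if "client-config-dir" not in used:
        findings.append("client-config-dir missing: ccd files are never read")
    vpn = next((net(*a[:2]) for w, a in conf if w == "server"), None)
    routes = {net(*a[:2]) for w, a in conf if w == "route"}
    for name, text in sorted(ccd.items()):
        if name not in issued:  # ccd file names must equal a certificate name
            findings.append(f"ccd/{name}: no client certificate has this name")
        for w, a in directives(text):
            if w == "iroute" and net(*a[:2]) not in routes:
                findings.append(f"ccd/{name}: iroute {a[0]} has no route in server config")
            if w == "ifconfig-push" and vpn is not None and ipaddress.ip_address(a[0]) not in vpn:
                findings.append(f"ccd/{name}: tunnel IP {a[0]} is outside {vpn}")
    return findings
# Constructed sample data: addresses and the dh file names are assumptions.
SERVER = """proto udp
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 192.168.10.0 255.255.255.0
"""
CCD = {"client": "iroute 192.168.10.0 255.255.255.0\nifconfig-push 10.8.0.5 10.8.0.6\n",
       "client2": "iroute 192.168.20.0 255.255.255.0\nifconfig-push 10.9.0.9 10.9.0.10\n"}
FILES = {"server.ovpn", "ca.crt", "server.crt", "server.key", "dh.pem"}
```

Calling `lint(SERVER, CCD, {"client", "client2"}, FILES)` on the sample reports the `dh` file name that does not match the copied file and the two `client2` entries that the server would not route.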

Share network to the VPN virtual adapter.


Connect


Right-click on the small computer icon with a lock in the taskbar, then click ‘Connect’. Once the connection is successful, it will turn green, and the system will prompt for IP assignment.

4. 5G OPENVPN Industrial Gateway/Industrial Router Client Configuration

Import client key, client certificate, and CA certificate


Configure as shown in the image below


Local time synchronization on the 5G Industrial OPENVPN gateway/router is crucial. Mismatched time between client and server can result in communication issues, because certificate validity periods are checked against the local clock.

Local time synchronization

Verification

Alotcer 5G Industrial OPENVPN Gateway/Router Connected Successfully Status

Router Connected Successfully Status

Server pings client subnet


Client pings server subnet


Achieve seamless and secure connectivity as well as subnet interaction between multiple Alotcer 5G Industrial OPENVPN gateways/routers and a self-hosted Windows OPENVPN server.