Scribd
Upload
107 views

VPN Server Configruation Guide en

This document provides instructions for configuring a VPN server on a Yeastar S-Series PBX using OpenVPN. It outlines the main steps which are to: 1. Generate certificates and keys for the OpenVPN server and clients using the Easy-RSA tool on a Windows PC. 2. Configure the OpenVPN server on the S-Series PBX. 3. Access the VPN server from Windows and Android clients, and connect two S-Series PBXs via the VPN. It then provides detailed steps for installing OpenVPN, generating certificates and keys for the server and multiple clients, and configuring the server and client access.

Uploaded by

DC Fan
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
107 views

VPN Server Configruation Guide en

This document provides instructions for configuring a VPN server on a Yeastar S-Series PBX using OpenVPN. It outlines the main steps which are to: 1. Generate certificates and keys for the OpenVPN server and clients using the Easy-RSA tool on a Windows PC. 2. Configure the OpenVPN server on the S-Series PBX. 3. Access the VPN server from Windows and Android clients, and connect two S-Series PBXs via the VPN. It then provides detailed steps for installing OpenVPN, generating certificates and keys for the server and multiple clients, and configuring the server and client access.

Uploaded by

DC Fan
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

VPN Server Configuration Guide

Version 1.3

Date: November 14, 2016

Yeastar Information Technology Co. Ltd.


1
VPN Server Configuration Guide

Contents

Introduction................................................................................................................................................. 3

Main Steps to Configure VPN .................................................................................................................. 3

In This Guide ............................................................................................................................................ 3

Install OpenVPN ......................................................................................................................................... 4

Generate Certificates and Keys ................................................................................................................ 7

Key Files ................................................................................................................................................. 13

Setup OpenVPN Server on S-Series PBX .............................................................................................. 15

Access the OpenVPN Server via Windows PC ..................................................................................... 18

Access the OpenVPN Server via Android Phone ................................................................................. 21

Connect Two S-Series PBXs via VPN Network ..................................................................................... 25

Manage VPN Clients................................................................................................................................. 27

Clients List .............................................................................................................................................. 27

Username/Password Authentication ...................................................................................................... 27

2
VPN Server Configuration Guide

Introduction
A Virtual Private Network (VPN) allows you to traverse networks privately and securely as if you
were on a private network. The VPN server application on Yeastar S-Series PBX will help you
configure the PBX as a VPN server. You can setup multiple VPN clients to access Yeastar S-Series
VPN server safely and securely.

Note:
 Yeastar S-Series PBX supports OpenVPN.
 VPN Sever App is supported on S-Series PBX version 30.2.0.8 or later.

Main Steps to Configure VPN

STEP 1. Set up certificates and keys for OpenVPN server and multiple clients. (In this guide, we will
introduce how to make the certificates and keys on Windows PC.)
STEP 2. Make configurations for OpenVPN server and clients.

In This Guide

This guide gives instructions of how to setup OpenVPN server on S100 and how to access to the
S100 via multiple clients:
 Windows PC
 Android phone
 Another S-Series PBX – S20

3
VPN Server Configuration Guide

Install OpenVPN
To begin, we need to install OpenVPN onto our windows PC. We will get sample configuration files
and make OpenVPN keys and certificates after installing OpenVPN.

Check the OpenVPN installer download link below:


 Installer (32-bit), Windows XP
 Installer (64-bit), Windows XP
 Installer (32-bit), Windows Vista and later
 Installer (64-bit), Windows Vista and later

Note:
 Remember that OpenVPN will only run on Windows XP or later. Also note that OpenVPN
must be installed and run by a user who has administrative privileges.

STEP 1. Double click the OpenVPN installer to start installing.


STEP 2. Click Next.

4
VPN Server Configuration Guide

STEP 3. Click I Agree.

STEP 4. Check OpenSSL Utilities and OpenVPN RSA Certificate Management Scripts, click
Next.

5
VPN Server Configuration Guide

STEP 5. Choose the install location. Here we install OpenVPN in the destination folder D:\OpenVPN,
click Install to start installing.

STEP 6. Click Finish.

6
VPN Server Configuration Guide

Generate Certificates and Keys


After the OpenVPN installation, we will start making certificates and keys now.

STEP 1. Change vars.bat.sample file.

Use notepad tool to open the vars.bat.sample file under %OpenVPN installation directory%\easy-rsa
folder. In this guide, we installed OpenVPN in the destination folder D:\OpenVPN, we can find the file
via D:\OpenVPN \easy-rsa.

1) Change the HOME and KEY_SIZE variables as the following figure shows.

 Variable HOME means the easy-rsa folder path.


 Variable KEY_SIZE means the generated key size. Usually, we set the key size to 1024 or
2048. The default value is 1024, change it according to your needs.

2) You can also change some variables shows as the figure below. Later, when we are making
certificates and keys, we will be asked to enter the registration information. If we change the
default variable values, we don’t have to enter the registration information every time.

7
VPN Server Configuration Guide

STEP 2. Initialize the PKI (Public Key Infrastructure).

1) Open the Start Menu on Windows PC, type cmd and press Enter key to open Command
Prompt window.

2) Enter %OpenVPN installation directory%\easy-rsa folder. In this guide, we installed OpenVPN in


the destination folder D:\OpenVPN, so we need to enter D:\OpenVPN \easy-rsa.

3) Type the following commands:


init-config //* Initialize the configurations, copy the vars.bat.sample configurations to
vars.bat file. *//
 vars //* Use the variables we set in vars.bat.sample. *//
 clean-all //* Make sure we are operating in a clean environment. *//

STEP 3. Build root Certificate Authority (CA) certificate/key.

1) Execute command build-ca.


2) Enter the registration information.

Note:
 In the following sequence, most queried parameters are defaulted to the values set in the
vars.bat file. The only parameter which must explicitly entered is the Common Name. In the
example below, we used “OpenVPN-CA”.

8
VPN Server Configuration Guide

STEP 4. Generate certificate & key for server: build-key-server server.

As in the previous step, most parameters can be defaulted. When the Common Name is queried,
enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1
out of 1 certificate requests certified, commit? [y/n]".

9
VPN Server Configuration Guide

10
VPN Server Configuration Guide

STEP 5. Generate certificate & key for clients by the command build-key client.

Here we make certificates and keys for 3 clients:

 build-key windows
build-key android
 build-key s20

Note:
 Remember that for each client, make sure to type the appropriate Common Name when
prompted, i.e. “windows”, “android”, or “s20”. Always use a unique common name for each
client.

11
VPN Server Configuration Guide

STEP 6. Generate Diffie Hellman parameters: build-dh.

Build Diffie-Hellman parameters MUST be generated for the OpenVPN server.

12
VPN Server Configuration Guide

STEP 7. Generate ta.key: openvpn --genkey --secret keys/ta.key. (OPTIONAL)

The parameter keys/ta.key in the command means the generated file name and file path.

IMPORTANT
All of the commands above are executed in one Command Prompt window. If you want to open a
new Command Prompt window to execute commands (i.e. create certificates for new client), please
pay attention:
 You don’t need to execute init-config command unless you edit vars.bat.sample file again.
 Each time you open a new Command Prompt window, you need to execute vars command first,
then execute other commands.

Key Files

Now we will find our newly generated keys and certificates in the easy-rsa/keys folder. You need to
copy the relevant files to the machines (server and clients) which need them. For different machines,
you will need different files:

Machine Needed Files


 ca.crt
 ca.key
 dh1024.pem
S100 PBX (Sever)
 server.crt
 server.key
 ta.key
 ca.crt
 windows.crt
Windows PC  windows.key
 ta.key

13
VPN Server Configuration Guide

 ca.crt
 Android.crt
Android Phone  Android.key
 ta.key

 ca.crt
 s20.crt
S20 PBX (Client)  s20.key
 ta.key

14
VPN Server Configuration Guide

Setup OpenVPN Server on S-Series PBX


STEP 1. Log in S-Series web user interface, click Main Menu and enter App Center.

STEP 2. Find VPN Sever, click Install to install the application. Once finished, click Main Menu, you
can see VPN Sever there.

STEP 3. Click VPN Server application, check the option Enable VPN Sever.

STEP 4. Make the VPN server configurations. Here we use the default settings as the figure shows
below.

Check the description of VPN server configuration parameters below.


Option Description
Server Port Specify which TCP/UDP port should OpenVPN listen on. The
default port is 1194.
Enable Compression Whether to compression on the VPN link.
If you enable it here, you must also enable it in the VPN client.
Protocol Choose the protocol:
 UDP
 TCP
Address pool Define the address pool.
Subnet mask Set the subnet mask.
Global Traffic Forwarding If enabled, this directive will configure all clients to redirect their
default network gateway through the VPN, causing all IP traffic
such as web browsing and DNS lookups to go through the VPN.
(The OpenVPN server machine may need to NAT or bridge the

15
VPN Server Configuration Guide

TUN/TAP interface to the internet in order for this to work properly).


Device Mode Choose the device mode:
 TUN: a TUN device is a virtual point-point IP link.
 TAP: a TAP device is a virtual Ethernet adapter.
Note: Android clients don’t support TAP mode, please set the
device mode to TUN if you uses Android VPN client.
Encryption Choose encryption method:
 BlowFish
 AES-128
 AES-256
 Triple-DES
Key Length Set the key length.
The value must be the same with KEY_SIZE which were set in the
vars.bat.sample file
Maximum Number of Clients Set the maximum number of clients that could connect to the VPN
server.
Verification Mode Select the verification mode of clients.
 CA Cert + Client Cert (recommended)
 CA Cert + Client Cert + Account & Password
 CA Cert + Account & Password

STEP 5. Upload certificates and keys.

Option Description
CA Cert Upload ca.crt.
Public Server Cert Upload the VPN server certificate server.crt.
Private Server Key Upload the VPN server key server.key.
DH PEM Upload the DH file dh1024.pem.
If the KEY_SIZE is set to 2048, then you should upload
dh2048.pem.
Enable SSL/TLS If enabled, please upload ta.key file.
If you enable SSL/TLS on the VPN server, you must also enable

16
VPN Server Configuration Guide

SSL/TLS on VPN client, and upload ta.key in the client.

STEP 6. Click Save, you can see the VPN server status shows running.

STEP 7. Go to Resource Monitor > Network, check the VPN server status and the private IP
address. As the figure shows below, the VPN server IP address is 10.8.0.1.

STEP 8. Forward the VPN server port on the router which is connected to S100 PBX.
The default VPN Server port is 1194. Here we forward the internal port 1194 to remote port 5087.
Please do the port forwarding according to your network environment.

17
VPN Server Configuration Guide

Access the OpenVPN Server via Windows PC


Now, we will setup our windows PC as an OpenVPN client, and access the OpenVPN via windows
PC. Here, the S100 PBX (OpenVPN server) is setup in the head office, and we will access the S100
via windows PC in the branch office.

STEP 1. Install OpenVPN on the windows PC.

Refer to Install OpenVPN for details.

Note:
 An OpenVPN GUI will appear on the windows desktop after the installation, we will use the
OpenVPN GUI to connect to VPN server later.

STEP 2. Copy certificates and keys to config folder.

Copy the certificates and keys for windows PC to %OpenVPN installation directory%\config folder. In
this guide, we installed OpenVPN in the destination folder D:\OpenVPN, so we copy the following
files to D:\OpenVPN \config.
 ca.crt
 windows.crt
 windows.key
 ta.key

STEP3. Edit OpenVPN client configuration file for the windows PC.

Go to D:\OpenVPN\sample-config, we can find a sample file client.ovpn. Double click the file to edit it.
We need to change the configurations according to the VPN server. Check the figures below to see
what to edit in the configuration file.

Note:
 Comments are preceded with “#” or “,” in the configuration file.

18
VPN Server Configuration Guide

Edit the cryptographic cipher according to


the server setting.
cipher BF-CBC #BlowFish
cipher AES-128-CBC # AES-128
cipher AES-256-CBC #AES-256
cipher DES-EDE3-CBC # Triple-DES

19
VPN Server Configuration Guide

STEP 4. Copy the client.ovpn file to config folder.

Now we have client configuration file, certificates and keys in the config folder.

STEP 5. Connect to the OpenVPN server.

1) Right click the OpenVPN GUI on the desktop, run as administrator.


2) Find the OpenVPN GUI in the bottom right corner, right click the icon, and click Connect.

3) Once connected, you can see the status shows as below.

STEP 6. Access S100 using the VPN IP address.

Now, we can access S100 using the VPN IP address. In this guide, the VPN server address is
10.8.0.1. Type the IP in the address bar in your browser, and click enter, we can see the S100 login
page.

20
VPN Server Configuration Guide

Access the OpenVPN Server via Android Phone


Now, we will set up our Android phone as an OpenVPN client, and access the OpenVPN via the
phone.

STEP 1. Install OpenVPN Connect application on the Android phone.

STEP 2. Create a folder in the Android phone SD card.

1) Connect the Android phone to a PC using USB cable, and open device to view files.
2) Create a folder in the SD card. Here we name the folder as “OpenVPN”.

STEP 3. Copy the certificates and keys to the created folder.

Copy the certificates and keys for Android to OpenVPN folder:


 ca.crt
 Android.crt
 Android.key
 ta.key

STEP 4. Edit OpenVPN client configuration file for the Android phone

Edit the sample file client.ovpn.

Where to get the sample file?


We have uploaded the sample configuration file on our website, click here to get the file.

Note:
 Comments are preceded with “#” or “,” in the configuration file.
 Android clients don’t support TAP device mode.

We need to change the configurations according to the VPN server ’s settings. Check the figures
below to see what to edit in the configuration file.

21
VPN Server Configuration Guide

Edit the cryptographic cipher according to


the server setting.
cipher BF-CBC #BlowFish
cipher AES-128-CBC # AES-128
cipher AES-256-CBC #AES-256
cipher DES-EDE3-CBC # Triple-DES

22
VPN Server Configuration Guide

STEP 5. Copy the client.ovpn file to OpenVPN folder.

Now we have client configuration file, certificates and keys in the OpenVPN folder.

STEP 6. Connect to the OpenVPN server.

1) Run OpenVPN Connect application on the Android phone.

2) Click the icon on the top right corner. Click Import > Import Profile from SD card.

3) Select client.ovpn file from OpenVPN folder. Click client.ovpn, then click SELECT.

23
VPN Server Configuration Guide

4) Click Connect. If connected to the VPN server, you can see the status shows connected.

STEP 7. Access S100 using the VPN IP address.

Now, we can access S100 using the VPN IP address. In this guide, the VPN server address is
10.8.0.1. Type the IP in the address bar in your browser, and click enter, we can see the S100 login
page.

24
VPN Server Configuration Guide

Connect Two S-Series PBXs via VPN Network


We can configure another S-Series PBX as a VPN client, and connect the two PBXs using VoIP
trunk via VPN network.

STEP 1. Enable OpenVPN feature on S20.

Go to Settings > System > Network > OpenVPN, check the option Enable OpenVPN. The S20 will
act as an OpenVPN client.

STEP 2. Configure the OpenVPN client settings on S20.

1) Choose Type as “Manual Configuration”.

2) Configure the client settings according to server settings.


 Server address: enter the public IP address of the S100.
 Server port: enter the forwarded OpenVPN server port on the router.
 Protocol: choose the same protocol with that of the server.
 Device Mode: choose the same mode with that of the server.
 Encryption: choose the same mode with that of the server.
 Username: enter the username if the sever set verification mode as “CA Cert + Client Cert
+ Account & Password”.
 Password: enter the password if the sever set verification mode as “CA Cert + Client Cert +
Account & Password”.
3) Upload the certificates and keys to the PBX.
Option Description
CA Cert Upload ca.crt.
Cert Upload the client certificate s20.crt.
Key Upload the VPN server key s20.key.
Enable SSL/TLS If enabled, please upload ta.key file.
If you enable SSL/TLS on the VPN server, you must also enable
SSL/TLS on VPN client, and upload ta.key in the client.

4) Click Save.

25
VPN Server Configuration Guide

STEP 3. Check the VPN network status and IP address.

26
VPN Server Configuration Guide

Manage VPN Clients

Clients List

On the VPN Sever, we can check all the connected clients in Client List.

Username/Password Authentication

Choosing Verification Mode as “CA Cert + Client Cert + Account & Password” or “CA Cert + Account
& Password” on the VPN server will enable two-factor authentication, requiring both client-certificate
and username/password authentication to succeed in order for the client to be authenticated.

STEP 1. Choose Verification Mode as “CA Cert + Client Cert + Account & Password” or “CA Cert +
Account & Password”.

27
VPN Server Configuration Guide

STEP 2. Add accounts and specify usernames and passwords.

 For the S-Series PBX client

Enter the username and password directly on the OpenVPN edit page.

 For Android and Windows Clients


STEP 1. Add auth-user-pass passfile in the client configuration file client.ovpn.

28
VPN Server Configuration Guide

STEP 2. Add passfile file into the client.


1) Create a new text document.
2) Enter the username and password according to the account settings on VPN server.
 Line 1: enter username.
 Line 2: enter password.

3) Save the file.


4) Rename the file as “passfile”. Note: change the file name extension, do not contain .txt in
the file name.

29
VPN Server Configuration Guide

5) Copy the file to clients.


 For windows: copy the passfile file to config folder.
 For Android phone: copy the passfile file to OpenVPN folder.
6) When you try to connect to the VPN server, you will be required to enter username and
password.

30

You might also like