Configuring SSL/TLS Server Side

Before the VPN can be configured, a certificate structure for this VPN is required. Create a CA unique to this VPN and from that CA create a server certificate, and then a user certificate for each remote site. For the client sites, use a CN that identifies them uniquely in some way, such as their fully qualified domain name or a shortened site or hostname. For the specifics of creating a CA and Certificates. For this example, the CA will be called S2SCA, the Server CN will be serverA, the clients will be clientB and clientC.

  • Navigate to VPN > OpenVPN, Servers tab
  • Click Add to create a new server
  • Fill in the fields as described below, with everything else left at defaults. These options are discussed in detail earlier in the chapter. Use values appropriate for this network, or the defaults if unsure.

Server Mode Select Peer to Peer (SSL/TLS)

Protocol Select UDP

Device Mode Select tun

Interface Select WAN

Local Port Enter 1194 unless there is another active OpenVPN server, in which case use a different port

Description Enter text here to describe the connection

TLS Authentication Check this box to also do TLS authentication as well as SSL

Peer Certificate Authority Select the CA created at the beginning of this process

Peer Certificate Revocation List If a CRL was created, select it here

Server Certificate Select the server certificate created at the beginning of this process

IPv4 Tunnel Network Enter the chosen tunnel network, 10.3.101.0/24

IPv4 Local Network Enter the LAN networks for all sites including the server: 10.3.0.0/24,10.5.0.0/24, 10.7.0.0/24

Note: If there are more networks on the server side that need to be reached by the clients, such as networks reachable via static routes, other VPNs, and so on, add them as additional entries in the IPv4 Local Network box.

IPv4 Remote Network Enter only the client LAN networks: 10.5.0.0/24, 10.7.0.0/24

  • Click Save.
  • Click to edit the new server instance
  • Find the TLS Authentication box
  • Select all of the text inside
  • Copy the text to the clipboard
  • Save this to a file or paste it into a text editor such as Notepad temporarily

Next, add a firewall rule on WAN allowing access to the OpenVPN server.

  • Navigate to Firewall > Rules, WAN tab
  • Click Add to create a new rule at the top of the list
  • Set Protocol to UDP
  • Leave the Source set to any since multiple sites will need to connect. Alternately, an alias can be made which contains the IP addresses of each remote site if they have static addresses.
  • Set the Destination to WAN Address
  • Set the Destination port to 1194 in this instance
  • Enter a Description, such as OpenVPN Multi-Site VPN
  • Click Save
  • Click Apply Changes

A rule must also be added to the OpenVPN interface to pass traffic over the VPN from the Client-side LAN to the Server-side LAN. An “Allow all” style rule may be used, or a set of stricter rules. In this example allowing all traffic is OK so the following rule is made:

  • Navigate to Firewall > Rules, OpenVPN tab
  • Click Add to create a new rule at the top of the list
  • Set Protocol to any
  • Enter a Description such as Allow all on OpenVPN
  • Click Save
  • Click Apply Changes

The last piece of the puzzle is to add Client Specific Overrides for each client site. These are needed to tie a client subnet to a particular certificate for a site so that it may be properly routed.

  • Navigate to VPN > OpenVPN, Client Specific Overrides tab
  • Click + to add a new override
  • Fill in the fields on this screen as follows:

Common Name Enter the CN of the first client site. In this example, that is clientB.

IPv4 Remote Network This field sets up the required iroute so enter the clientB LAN subnet, 10.5.0.0/24

  • Click Save

Add an override for the second site, adjusting the Common Name and IPv4 Remote Network as needed. In the example for site C, these values would be clientC and 10.7.0.0/24 respectively.
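To make the routing pieces of this procedure concrete, the following is a hand-written OpenVPN server configuration plus two client-config-dir files expressing the same settings as the GUI steps above (Tunnel Network, Local Network, Remote Network and the two Client Specific Overrides). It is an added example, not the configuration pfSense generates; the file paths and the `ccd` directory name are assumptions.

```conf
# --- server side (hypothetical path /etc/openvpn/serverA.conf) ---
dev tun
proto udp
port 1194
topology subnet
ca   /etc/openvpn/S2SCA.crt          # the CA created for this VPN
cert /etc/openvpn/serverA.crt        # server certificate, CN=serverA
key  /etc/openvpn/serverA.key        # server key: stays on the server only
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0       # "TLS Authentication"; clients use direction 1
crl-verify /etc/openvpn/S2SCA.crl    # "Peer Certificate Revocation List", if one was created

# IPv4 Tunnel Network
server 10.3.101.0 255.255.255.0

# IPv4 Local Network: every site's LAN, pushed to each client so that
# clients can reach the server LAN and each other
push "route 10.3.0.0 255.255.255.0"
push "route 10.5.0.0 255.255.255.0"
push "route 10.7.0.0 255.255.255.0"

# IPv4 Remote Network: tells the server's kernel to send these
# networks into the tunnel interface
route 10.5.0.0 255.255.255.0
route 10.7.0.0 255.255.255.0

# Client Specific Overrides live here; one file per client, named after
# the certificate CN, so a subnet is only routed to the client that
# authenticated with that certificate
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/clientB (override for CN=clientB) ---
iroute 10.5.0.0 255.255.255.0

# --- /etc/openvpn/ccd/clientC (override for CN=clientC) ---
iroute 10.7.0.0 255.255.255.0
```

The `route` lines alone only get packets into the tunnel; without the matching `iroute` in the CN-named file, OpenVPN does not know which connected client owns that subnet and drops the traffic, which is why each site needs its own override.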

The next task is to export the certificates and keys needed for clients.

  • Navigate to System > Cert Manager
  • Click the links to export the following items:
    • CA Certificate
    • Client site certificate (.crt) for each client location.
    • Client site key (.key) for each client location.

Warning: Do not export the CA key, server certificate, or server key. They are not needed on the clients, and copying them unnecessarily significantly weakens the security of the VPN.

That completes the server setup. Next, move on to configure the clients.