
OpenVPN Server Advanced Options on DAL routers

When setting up a DAL router as an OpenVPN server, it can be useful to add extra OpenVPN parameters that differ from the defaults used by DAL.
This is done in the "Advanced Options" section, following these rules:

- Every OpenVPN parameter must start with '--'
- Multiple commands must be separated by a space

A new line is created in the OpenVPN config file for every occurrence of '--'. For example, inserting --auth SHA256 --push "route 192.168.2.0 255.255.255.0" in the Advanced Options field adds the following lines to the server config file:

auth SHA256
push "route 192.168.2.0 255.255.255.0"

If an illegal option is given or the format is wrong (for example, the "--" is missing), the OpenVPN server will fail to start and an error describing the rejected option is shown in the System > Logs section.

Override Option:

If the override box is selected, the config file consists only of the commands from the Advanced Options section (almost the same as supplying a server config file). This is not usually recommended, because OpenVPN, and not the device, would then manage the network.
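The two rules above (one config line per '--', quoted arguments kept intact) and the effect of the override box can be shown in a few lines. This is an added illustration written for this article, not code from the DAL firmware; the sample "DAL-generated" lines and the way it merges them are constructed assumptions, and its error cases correspond to the malformed inputs that stop the server from starting.

```python
import shlex


def advanced_options_to_config(advanced):
    """Expand a DAL 'Advanced Options' string into OpenVPN server config lines.

    Rules from the article: every parameter starts with '--', parameters are
    separated by spaces, and each '--' starts a new config line. Double-quoted
    arguments (push "route ...") are kept intact, quotes included, because
    OpenVPN expects them that way in the config file.
    Raises ValueError for the malformed input that makes the server fail to
    start (a parameter without the leading '--', or an unclosed quote).
    """
    try:
        # posix=False keeps the double quotes as part of the token
        tokens = shlex.split(advanced, posix=False)
    except ValueError as exc:
        raise ValueError(f"unbalanced quotes in advanced options: {exc}") from exc

    lines = []
    for tok in tokens:
        if tok.startswith("--"):
            if len(tok) == 2:
                raise ValueError("empty option: '--' must be followed by a name")
            lines.append([tok[2:]])   # '--' starts a new config line
        elif lines:
            lines[-1].append(tok)     # argument of the current option
        else:
            raise ValueError(f"parameter {tok!r} does not start with '--'")
    return [" ".join(parts) for parts in lines]


def render_server_config(dal_generated, advanced, override=False):
    """Combine the lines DAL generates itself with the advanced options.

    With the override box ticked the config consists only of the advanced
    options, as the article describes; otherwise they are appended to the
    DAL-generated lines (the merge order is an assumption of this example).
    """
    extra = advanced_options_to_config(advanced)
    return extra if override else list(dal_generated) + extra


if __name__ == "__main__":
    # Constructed stand-in for the lines DAL generates on its own
    sample_defaults = ["dev tun", "proto udp", "port 1194"]
    adv = '--auth SHA256 --push "route 192.168.2.0 255.255.255.0"'
    print("\n".join(render_server_config(sample_defaults, adv)))
```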

Examples of the most commonly used commands:

TLS AUTHENTICATION

Usage: The tls-auth option adds "extra protection" to the TLS channel by requiring that incoming packets carry a valid signature generated with a pre-shared key (PSK), which must be shared between the peers.
This helps mitigate denial-of-service attempts from unauthenticated clients, since junk traffic can be dropped much sooner.
Example of command to add on DAL: --tls-auth /etc/config/ta.key 0
Here ta.key is the secret file that must be copied into the /etc/config/ path of the DAL router file system (see how to upload files here: Upload and download files).
The second parameter must be '0' on the server and '1' on the clients.

PUSH OPTIONS

Usage: Push commands send configuration options to the client for remote execution. (Note: the option must be enclosed in double quotes ("") and the client must specify --pull in its config file.)
Some of the most commonly used:
Push routes: this allows the client to reach other private subnets behind the server.
Example of command to add on DAL: --push "route 192.168.2.0 255.255.255.0"
Push default gateway: this configures all clients to redirect their default network gateway through the VPN, so that all IP traffic, such as web browsing and DNS lookups, goes through the VPN.
Example of command to add on DAL: --push "redirect-gateway def1 bypass-dhcp"
Push DNS: sets the DNS server address on the client.
Example of command to add on DAL: --push "dhcp-option DNS 8.8.8.8"

AUTHENTICATION
Usage: Specify the message digest algorithm used to authenticate data channel packets (the default is SHA1).

Example of command to add on DAL: --auth SHA256

ENCRYPTION
Usage: Define the cipher algorithm used to encrypt data channel packets.
The default is BF-CBC, but when cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM.

Example of command to add on DAL: --cipher AES-128-GCM

CLIENT COMMUNICATION VIA THE TUNNEL

Usage: This allows different clients to "see" each other (by default, clients can only see the server).
Command to add on DAL: --client-to-client

Last updated: Sep 20, 2020
