Whitepaper: Implement remote access to Dunkermotoren with VPN

Markus Weishaar | Product Manager IIoT, Dunkermotoren GmbH
Author: Markus Weishaar
Date: 11.05.2019

This whitepaper describes the configuration of a VPN connection for the remote access of a Dunkermotoren dPro Ethernet engine via the Internet with the Dunkermotoren standard software "Drive Assistant" and the open source software OpenVPN. A Linux-based Edge-Gateway is configured as a VPN server for this purpose. The Edge-Gateway communicates with the engine as well as with a router, which accepts the Internet connection, over 2 bridged ports via Ethernet. On the other side is a standard Windows PC on which "Drive Assistant" and OpenVPN are installed. OpenVPN is configured as a client on the PC which sets up a VPN connection to the VPN server on the Gateway via the Internet. By means of this connection, the engine can be selected and driven via "Drive Assistant", or a firmware update can be installed.

If the engine has a known static IP address, the VPN connection can be configured as a tunnel, since the linking of two subnets via routing is sufficient. If the engine has no IP address or no known IP address, the VPN connection must be set up as a bridge, which draws the client into the same subnet in which the server is also located. This is necessary because "Drive Assistant" uses broadcasts for drive search, and broadcasts only function in the same subnet.
Figure 1: VPN networks

Contents:
1 Requirements / Comparative Configuration
2 Configuration OpenVPN Server (Raspberry Pi / Linux)
2.1 Installation OpenVPN
    Step 1: Update Raspberry and install OpenVPN
2.2 Ethernet Settings
2.2.1 VPN Tunnel (TUN)
2.2.2 VPN Bridge (TAP)
2.3 Create certificate and key
2.4 Configuration OpenVPN Server
2.4.1 VPN Tunnel (TUN)
2.4.2 VPN Bridge (TAP)
2.5 Configuration Linux Firewall
2.5.1 VPN Tunnel (TUN)
2.5.2 VPN Bridge (TAP)
2.5.3 Activate Init File
2.5.4 Statically Activate IP Forwarding
2.6 Configuration OpenVPN Client
2.6.1 VPN Tunnel (TUN)
2.6.2 VPN Bridge (TAP)
2.7 Generation and Export of Configuration Files for Clients
3 Configuration OpenVPN Client (Windows)
3.1 Installation OpenVPN
3.2 Configuration OpenVPN Client
3.3 Configuration TAP-Windows Adapter V9
4 General Network Settings & Connection Establishment
4.1 Activate Port Forwarding on Routers
4.2 Establishment of Dynamic DNS Server
4.3 Building and Testing VPN Connection
5 Drive Assistant
1 Requirements / Comparative Configuration

- Dunkermotoren "Drive Assistant 5" Version 8.0.0
- Dunkermotoren BG XX dPro PN (Ethernet)
- OpenVPN Version 2.4.7
- Hardware Gateway: Kunbus Revolution Pi Connect (Raspberry Pi Compute Module 3)
- Operating system VPN server: Raspbian (Linux)
- Operating system VPN client: Windows 10
- Static public IP address or dynamic DNS server for the server-side router
- Permission for configuration of the server-side router (port forwarding)
- Permission for configuration of the OpenVPN server's firewall

2 Configuration OpenVPN Server (Raspberry Pi / Linux)

2.1 Installation OpenVPN

Step 1: Update Raspberry and install OpenVPN

Prior to the installation of OpenVPN, it is recommended to search for updates for the Raspberry Pi operating system and to install them:

    sudo apt-get update
    sudo apt-get upgrade

Now the OpenVPN software and OpenSSL for the encryption must be loaded and installed with the following command:

    sudo apt-get install openvpn openssl

2.2 Ethernet Settings

To forgo routing between both Raspberry Pi Ethernet ports and still be able to reach the engine at eth1 from the VPN connection at eth0, both ports are bridged and provided with a common address in this example. Alternatively, it is also possible to work with only one port and provide it with a fixed IP address. The engine and the VPN connection can then be connected to that port by means of a switch. This scenario is not detailed here.

To configure the Ethernet settings of the Raspberry Pi, the file "interfaces" must be opened as follows and adjusted according to the following chapters:

    sudo nano /etc/network/interfaces

The virtual loopback adapter is always registered by default and should always be retained in the configuration:

    auto lo
    iface lo inet loopback

Now the existing network interfaces are created. Since our Gateway has two separate Ethernet ports, the two interfaces eth0 and eth1 are created. The attached command "allow-hotplug ethX" causes the interface to be automatically activated and configured on a kernel event. This entry is important because the interface must otherwise be started manually via the command "sudo ifup eth0".

    auto eth0
    allow-hotplug eth0
    auto eth1
    allow-hotplug eth1

The configuration file must not be closed yet, since the interfaces in the current state have no addresses and no configuration, and the Raspberry Pi would not be accessible anymore. The configuration is then carried out on a case-specific basis:

2.2.1 VPN Tunnel (TUN)

First, both Ethernet adapters are set to "manual" mode. This is important as they are configured via the bridge. For both adapters the following line is added:

    iface ethX inet manual

Next, the bridge br0 is created as adapter and statically configured:

    auto br0
    iface br0 inet static

Afterwards, the network settings for the adapter are set up. An example configuration could appear as follows:

    IP address:       192.168.0.200
    Subnet mask:      255.255.255.0
    Standard gateway: 192.168.0.1
    Network:          192.168.0.0
    Broadcast:        192.168.0.255

In the configuration file, the entries appear as follows:

    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255

Finally, the two interfaces are added to the bridge via the following line:

    bridge_ports eth0 eth1

The complete network configuration entries to be made should then appear as follows:

    auto lo
    iface lo inet loopback
    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual
    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual
    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255
    bridge_ports eth0 eth1

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.2.2 VPN Bridge (TAP)

The fundamental settings of the ports and the bridge are identical to the previous configuration for this variant. Only the bridge is supplemented so that the VPN adapter tap0 is likewise added to the bridge. "pre-up" commands given here are executed before the bridge is built, and "post-up" commands are executed immediately after the bridge is created. The same applies when taking the bridge down for the commands "pre-down" and "post-down".

First, the bridge is given a defined MAC address that the bridge uses to report to the network. This facilitates diagnosis and enables the MAC address to be made known on the router if MAC filtering is active on it. If the command is omitted, the bridge is assigned a MAC address automatically in the best case scenario but will not receive any MAC address in the worst case scenario.

    post-up ip link set br0 address 28:2B:1b:e1:55:2F

The next commands first ask OpenVPN to create a virtual network device tap0 before building the bridge and then add it to the bridge after the bridge is built.

    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0

Subsequently, a combined command is used to delete the IP addresses first assigned to the interfaces of the bridge and then to put the interfaces into "promiscuous mode" so that the bridge sees all data traffic arriving at these interfaces. Additionally, another command adds a fixed route to the standard gateway for the bridge via which the Internet is accessed.

    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0

Finally, two command lines follow which remove the virtual network adapter from the bridge when the bridge is taken down and ask OpenVPN to close the adapter.

    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The complete network configuration should then look as follows:

    auto lo
    iface lo inet loopback
    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual
    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual
    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.xxx
    bridge_ports eth0 eth1
    post-up ip link set br0 address 28:2B:1b:e1:55:2F
    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0
    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0
    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

Alternatively, the construction and configuration of the bridge can also be realized via scripts which are executed directly by OpenVPN, so that the network configuration itself can be kept narrow and independent. This variant is not considered in detail here.
2.3 Create certificate and key

The encryption used in this example is an example configuration for creating a functioning VPN connection quickly. Providing VPN clients with passwords is also avoided. For the concrete real use case, which goes beyond a connection test, it is recommended to select and configure a suitable encryption to achieve and guarantee the desired security levels.

First, the prefabricated "easy-rsa" scripts are copied into the OpenVPN configuration directory. These create the different certificates and keys.

    sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, the file "vars" must be opened in the created directory and adjusted:

    sudo nano /etc/openvpn/easy-rsa/vars

In the file, the line export EASY_RSA="`pwd`" must be replaced by the line export EASY_RSA="/etc/openvpn/easy-rsa". You can also adjust the key length in the file in the line export KEY_SIZE= by changing the value. The key length determines the security level. For the Raspberry Pi 3, a key length of 2048 presents no problem. For this reason, it is used in this example.

Now you have to change back to the configuration directory "easy-rsa", assign root privileges there, execute the script "vars" and make the resulting configuration file accessible via a symbolic link. These four steps are accomplished via the following four commands:

    cd /etc/openvpn/easy-rsa
    sudo su
    source vars
    ln -s openssl-1.0.0.cnf openssl.cnf

The certificate is created in the next step. The OpenVPN key files are reset and created anew:

    ./clean-all
    ./build-ca OpenVPN

A request to enter the two-letter "Country Name" follows (DE for Germany, AT for Austria, and CH for Switzerland). All further queries can be skipped without entry by pressing Enter.

Finally, the key file for the server is created; here the "Country Name" must also be entered and all further queries must be skipped. At the end of the dialog, the question on whether the certificate should be created should be confirmed twice with "Y".

    ./build-key-server server

Next, the key files for the clients are created. It is important to note here that a key file must be created for each client who wishes to establish a connection with the VPN server. In our example we restrict ourselves to one client, "remote-pc-1". The procedure for certificate creation is analogous to the server (Country Code, etc.).

    ./build-key remote-pc-1

If additional clients are required, the key files for these clients are created according to the same pattern:

    ./build-key client_name_xxx
    ./build-key client_name_yyy
    ./build-key client_name_zzz
    …

For clients equipped with a password, "./build-key-pass client_name" must be used instead of the commands used above.

Key and certificate creation is now completed using the Diffie-Hellman key exchange command. (This process takes approx. 20 min.)

    ./build-dh

Finally, the root user is logged off after the end of key and certificate creation:

    exit
2.4 Configuration OpenVPN Server

To configure the OpenVPN server, the file "openvpn.conf" must be opened as follows and adjusted according to the following chapters:

    sudo nano /etc/openvpn/openvpn.conf

2.4.1 VPN Tunnel (TUN)

First the routing over a tunnel is activated via "dev tun", UDP is selected as transport protocol via "proto udp", and with "port 1194" the port is selected via which the tunnel is established. Alternatively, TCP can also be used as transport protocol. The port can be freely selected. The OpenVPN standard port 1194 is used in the example.

    dev tun
    proto udp
    port 1194

Next, the SSL/TLS root certificate (ca), the digital certificate (cert), and the digital key (key) created via the directory "easy-rsa" are entered. The Diffie-Hellman parameters (dh) with the chosen key length are also entered; in this example, Diffie-Hellman with key length 2048.

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Now the VPN server is given an IP address and a subnet mask. For this variant, routing from this virtual VPN server network into the physical Raspberry Pi network occurs.

    server 10.8.0.0 255.255.255.0

Via the command push "redirect-gateway def1 bypass-dhcp", all IP traffic is routed through the VPN tunnel; whether this setting makes sense depends on the application. The following two commands name the DNS servers to be used for name resolution. In our example, this is the local DNS server of the router and the public DNS server from Google (8.8.8.8). However, these can be chosen at your discretion.

    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"

To save log information for the connection in the file "/var/log/openvpn", the following line is added:

    log-append /var/log/openvpn

The following is a standard set of commands. The command "persist-key" makes it so the key files are not read again, and "persist-tun" ensures that the TUN and TAP network drivers are not restarted. The commands "user nobody" and "group nogroup" set the rights of OpenVPN after program start and thereby increase security. The line "client-to-client" enables communication between the clients, and "status /var/log/openvpn-status.log" creates a status file which documents the current connections. The comprehensiveness of the logs is defined via "verb x". Value "0" means no outputs other than error messages. A value between 1 and 4 is suitable for normal use, whereas a higher value is suitable for troubleshooting. To check the connection, "keepalive 10 120" is added. A ping is triggered every 10 seconds, and when an answer is not received after 120 seconds, a connection interruption is diagnosed. To compress data in the VPN tunnel and to increase throughput, LZO compression is activated via "comp-lzo". The last command "script-security x" defines which applications and scripts may be executed by OpenVPN. Value "0" indicates a strict ban on executing external applications. Value "1" allows exclusively "built-in" applications such as ifconfig, ip, route, or netsh to be executed. These are necessary for the correct functionality of OpenVPN. Value "2" indicates that additional user-defined scripts are allowed, and value "4" indicates that it is additionally allowed to deliver user passwords.

    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The complete configuration file for the server as VPN tunnel should then appear as follows:

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
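The status file written by "status /var/log/openvpn-status.log" is the quickest place to see which clients the gateway currently has. The parser below is an added example, not part of the whitepaper: it reads the default (version 1) status layout that this directive produces and, as a simple check on the server, lists connected common names for which no client key was ever generated with ./build-key. The status content, client names, addresses and byte counts are constructed for the demonstration.

```python
import csv
import io

# Constructed sample of the version-1 status file that
# "status /var/log/openvpn-status.log" writes. Every value is made up.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sat May 11 10:15:02 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
remote-pc-1,198.51.100.23:54321,12345,67890,Sat May 11 10:01:10 2019
laptop-x,203.0.113.7:40000,800,900,Sat May 11 10:12:44 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,remote-pc-1,198.51.100.23:54321,Sat May 11 10:15:00 2019
10.8.0.10,laptop-x,203.0.113.7:40000,Sat May 11 10:14:59 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTION_MARKERS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")
HEADER_ROWS = ("Updated", "Common Name", "Virtual Address", "Max bcast/mcast queue length")


def parse_status(text):
    """Return {common_name: {real, rx, tx, since, virtual}} from a version-1 status file.

    The file is comma separated; section titles occupy a line of their own and
    the client list and routing table each start with a column-header row.
    """
    clients, section = {}, None
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        head = row[0]
        if head in SECTION_MARKERS:
            section = head
            continue
        if head in HEADER_ROWS:
            continue  # metadata or column-header row, carries no client
        if section == "OpenVPN CLIENT LIST":
            cn, real, rx, tx, since = row
            clients[cn] = {"real": real, "rx": int(rx), "tx": int(tx),
                           "since": since, "virtual": None}
        elif section == "ROUTING TABLE":
            # Virtual address is the tunnel/bridge address the server handed out.
            vaddr, cn = row[0], row[1]
            clients.setdefault(cn, {})["virtual"] = vaddr
    return clients


def unexpected_clients(clients, issued_names):
    """Common names currently connected that are not in the set of keys issued with ./build-key."""
    return sorted(cn for cn in clients if cn not in issued_names)


if __name__ == "__main__":
    connected = parse_status(STATUS_LOG)
    for cn, info in connected.items():
        print(f"{cn:14} {info['virtual']:12} from {info['real']} since {info['since']}")
    # The set of issued names would normally be read from /etc/openvpn/easy-rsa/keys.
    print("not issued by this CA:", unexpected_clients(connected, {"remote-pc-1"}))
```

On the gateway, the function would be fed the real file (open("/var/log/openvpn-status.log").read()) and the issued names taken from the .crt files in the easy-rsa keys directory; a common name that is connected but was never issued is worth investigating, since with this configuration only certificates signed by the local CA should be able to connect.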
2.4.2 VPN Bridge (TAP)

Compared to the setting for a VPN tunnel, the bridged mode is activated first via "dev tapX". tapX is the tap device assigned in the Ethernet configuration, in our case tap0.

    dev tap0

Furthermore, a freely selectable VPN server network is not assigned; instead, the server bridge that was configured in the network settings is specified (in the example, 192.168.0.200), together with an address range from which the VPN server can assign addresses to the clients, because with a bridge the client is "pulled" into the subnet of the server. Here it must be ensured that the address range does not overlap with the address range that the router assigns on the server side via DHCP. Otherwise it can happen that there are duplicate IP addresses.

    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220

So that clients are always allocated the same addresses again, the command "ifconfig-pool-persist ipp.txt" is added. This ensures that a client that dials in again gets its previous address from the address pool. The clients are thus indirectly assigned fixed IP addresses.

    ifconfig-pool-persist ipp.txt

Otherwise, compared to the configuration of a VPN tunnel, only the "push" commands are dropped. These are not needed, because we are on the same subnet as the server. All other standard commands are used identically. The complete configuration file for the server as VPN bridge should then appear as follows:

    dev tap0
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    ifconfig-pool-persist ipp.txt
    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
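The warning above, that the server-bridge pool must not overlap the router's DHCP range, is easy to get wrong when the router is administered by someone else. The following check is an added example and not part of the whitepaper: it parses a server-bridge directive, confirms the pool lies inside the bridge subnet and does not include the bridge address itself, and tests it against a DHCP range. The server-bridge line is the one from the configuration above; the DHCP ranges used for the demonstration are constructed assumptions.

```python
import ipaddress

# The server-bridge directive from the bridge configuration above.
SERVER_BRIDGE_LINE = "server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220"


def parse_server_bridge(line):
    """Return (gateway, netmask, pool_start, pool_end) from a server-bridge directive."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "server-bridge":
        raise ValueError("expected: server-bridge <gateway> <netmask> <pool-start> <pool-end>")
    return tuple(parts[1:])


def check_bridge_pool(server_bridge_line, dhcp_start, dhcp_end):
    """Check a server-bridge pool against the bridge subnet and the router's DHCP range.

    dhcp_start/dhcp_end are the first and last address the router hands out
    (assumed values, read them from the router's DHCP settings in practice).
    Returns a list of problem descriptions; an empty list means the pool is usable.
    """
    gateway, netmask, pool_start, pool_end = parse_server_bridge(server_bridge_line)
    net = ipaddress.IPv4Network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.IPv4Address(gateway)
    p_start, p_end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    d_start, d_end = ipaddress.IPv4Address(dhcp_start), ipaddress.IPv4Address(dhcp_end)

    problems = []
    if p_start > p_end:
        problems.append("pool start is after pool end")
    for name, addr in (("pool start", p_start), ("pool end", p_end)):
        if addr not in net:
            problems.append(f"{name} {addr} is outside the bridge subnet {net}")
    if p_start <= gw <= p_end:
        problems.append(f"pool contains the bridge address {gw} itself")
    # Two closed ranges overlap unless one ends before the other starts.
    if not (p_end < d_start or d_end < p_start):
        problems.append(f"pool {p_start}-{p_end} overlaps router DHCP range {d_start}-{d_end}")
    return problems


if __name__ == "__main__":
    # Constructed router DHCP ranges: the first leaves the pool free, the second collides.
    for dhcp in (("192.168.0.100", "192.168.0.199"), ("192.168.0.100", "192.168.0.210")):
        print(dhcp, check_bridge_pool(SERVER_BRIDGE_LINE, *dhcp) or ["ok"])
```

Running the check once when the router's DHCP scope changes is cheaper than diagnosing the duplicate-address symptoms the text describes, which typically show up as a drive that is found by the broadcast search but then cannot be driven reliably.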
2.5 Configuration Linux Firewall

A forwarding to the local network and the Internet connection must be arranged for the firewall of the Raspberry Pi. The file "rpivpn" must be created as follows and adjusted according to the following chapters:

    sudo nano /etc/init.d/rpivpn

A header for a Linux init script is created by inserting the following comments:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO

2.5.1 VPN Tunnel (TUN)

In this variant, IP forwarding is initially activated via the following command:

    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

Next, a forwarding for VPN packets is created with the packet filter "iptables":

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT

Finally, the clients are guaranteed access to the local network and to the Internet via the following commands (the masquerading rule matches the VPN source network 10.8.0.0/24 and sends it out via br0):

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The complete init file for the server as VPN tunnel should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.5.2 VPN Bridge (TAP)

In this case, the configuration is somewhat simpler; here, apart from IP forwarding, only the configured bridge is granted access to the local network and the Internet via the following three lines.

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The complete init file for the server as VPN bridge should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

Alternatively, the configuration of the firewall can also be realized via scripts which are directly executed by OpenVPN, which makes an independent script unnecessary. This variant is not considered in detail here.

2.5.3 Activate Init File

Once the init file for the firewall configuration is completed, the required rights must be assigned to the file and the file must be installed as an init script. This is done with the following two commands:

    sudo chmod +x /etc/init.d/rpivpn
    sudo update-rc.d rpivpn defaults

Finally, the script must be executed and the OpenVPN server must be restarted:

    sudo /etc/init.d/rpivpn
    sudo /etc/init.d/openvpn restart

2.5.4 Statically Activate IP Forwarding

As an alternative to the command echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s, which temporarily activates IP forwarding upon each system start, IP forwarding can also be permanently activated statically. For this, the system file "sysctl.conf" must be opened:

    sudo nano /etc/sysctl.conf

The following line must then be activated by removing the comment character #.

    net.ipv4.ip_forward=1

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
2.6 Configuration OpenVPN Client

After the server has been configured, the configurations for the client must be created or correctly adapted. Although the configuration file can also be created directly on the client, creation on the server offers the advantage that both configurations, for the server and for the client, are always maintained in one place.

First, root rights must be given again. Then the corresponding client file is opened. In our case, "remote-pc-1".

    sudo su
    cd /etc/openvpn/easy-rsa/keys
    nano remote-pc-1.ovpn

The server address and the port through which the VPN server is accessible must be entered via the command "remote ...". This can be done either via a static public IP address or via a provider for a dynamic DNS which updates the address if a new one is assigned by the Internet provider:

    remote xyz.dynDNSServer.com 1194   # or static IP 1194

It is important that the client settings for "dev", "proto", "verb" and "script-security" correspond to those of the server. If "comp-lzo", "persist-key" and "persist-tun" are activated on the server, these must also be used on the client. The command "nobind" is used to select that no port binding is forced locally and that the port can be arbitrary. The line "remote-cert-tls server" ensures that it is explicitly checked whether the opposite certificate has the type server. The line "resolv-retry infinite" is added so that a DNS resolution is executed again after a server-side connection termination. In the client configuration, "dev tun" as opposed to "dev tap0" is the only difference between tunnel and bridge. The complete configuration files for the client are presented for both cases in the following chapters.

2.6.1 VPN Tunnel (TUN) Client

    dev tun
    proto udp
    remote xyz.dynDNSServer.com 1194   # or static IP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert remote-pc-1.crt
    remote-cert-tls server
    key remote-pc-1.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".

2.6.2 VPN Bridge (TAP) Client

    dev tap0
    proto udp
    remote xyz.dynDNSServer.com 1194   # or static IP 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert desktop-pc.crt
    remote-cert-tls server
    key desktop-pc.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with "Ctrl+O" and the editor can be closed with "Ctrl+X".
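Section 2.6 lists the client directives that must correspond to the server's. The following check is an added example, not part of the whitepaper: it parses a server configuration and a client .ovpn with a small OpenVPN-syntax reader and reports the directives that would stop the connection from coming up (dev type, proto, port) or weaken it (a missing "remote-cert-tls server"). Both configuration texts are constructed for the demonstration, modelled on the files above, with the client deliberately set to tap0/tcp and missing two lines so that the findings are visible; the directive names are OpenVPN's own.

```python
import re

# Constructed server configuration, modelled on the TUN server file in 2.4.1.
SERVER_CONF = """\
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
log-append /var/log/openvpn
persist-key
persist-tun
user nobody
group nogroup
client-to-client
status /var/log/openvpn-status.log
verb 3
keepalive 10 120
comp-lzo
script-security 2
"""

# Constructed client file with deliberate mismatches: tap instead of tun,
# tcp instead of udp, no persist-tun and no remote-cert-tls.
CLIENT_CONF = """\
dev tap0
proto tcp
remote xyz.dynDNSServer.com 1194   # or static IP 1194
resolv-retry infinite
nobind
persist-key
ca ca.crt
cert remote-pc-1.crt
key remote-pc-1.key
comp-lzo
verb 3
script-security 2
"""

MUST_MATCH = ["proto", "verb", "script-security"]          # must correspond on both sides
MUST_MIRROR = ["comp-lzo", "persist-key", "persist-tun"]   # if set on the server, also on the client


def parse_openvpn(text):
    """Map each directive to its argument list. '#' and ';' begin comments.

    A directive that appears more than once (e.g. several push lines) keeps
    its last occurrence, which is enough for the directives checked here.
    """
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        opts[key] = args
    return opts


def dev_type(args):
    """'tun' or 'tap' regardless of a trailing unit number (tun, tun0, tap0 ...)."""
    return re.sub(r"\d+$", "", args[0]) if args else None


def check_client_against_server(server_text, client_text):
    """Return a list of human-readable findings; empty means the files agree."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    findings = []
    if dev_type(s.get("dev")) != dev_type(c.get("dev")):
        findings.append(f"dev: server {s.get('dev')} vs client {c.get('dev')}")
    for k in MUST_MATCH:
        if s.get(k) != c.get(k):
            findings.append(f"{k}: server {s.get(k)} vs client {c.get(k)}")
    for k in MUST_MIRROR:
        if k in s and k not in c:
            findings.append(f"{k}: set on server but missing on client")
    # The port in the client's remote line must be the server's listening port.
    if "remote" in c and "port" in s and c["remote"][1:2] != s["port"]:
        findings.append(f"remote port {c['remote'][1:2]} differs from server port {s['port']}")
    if "remote-cert-tls" not in c:
        findings.append("remote-cert-tls server missing: client would not check the peer certificate type")
    return findings


if __name__ == "__main__":
    for f in check_client_against_server(SERVER_CONF, CLIENT_CONF):
        print("-", f)
```

Run against the real files, the function takes the text of /etc/openvpn/openvpn.conf and of the client's .ovpn; since the whitepaper keeps both files on the gateway, the check can be run there before the ZIP file of 2.7 is exported.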
2.7 Generation and Export of Configuration Files for Clients

Finally, the configuration file for the client is collected together with the relevant keys and certificates in a ZIP file. So long as no ZIP package is installed on the Raspberry Pi, this can be done as follows.

    apt-get install zip

Next, the ZIP file is created per client as follows. Here it is important that the correct client name is used.

    zip /home/pi/remote-pc-1.zip ca.crt remote-pc-1.crt remote-pc-1.key remote-pc-1.ovpn

Finally, the file rights must be adjusted and the root user must be logged off.

    chown pi:pi /home/pi/remote-pc-1.zip
    exit

The finished ZIP file can now be copied from the Raspberry Pi to the client via an FTP program such as FileZilla or via USB stick.
3 Configuration OpenVPN Client (Windows)

3.1 Installation OpenVPN

OpenVPN can be obtained directly from the homepage www.openvpn.net. For the test set-up serving as an example, open source version 2.4.7 was used here. For use in a commercial application, the appropriate licenses and software packages can also be acquired via the OpenVPN homepage. After downloading the correct software, this can be installed directly on the client PC and is accessible afterwards as "OpenVPN GUI" via the start menu.

3.2 Configuration OpenVPN Client

After starting "OpenVPN GUI", the following symbol appears in the taskbar, which indicates that "OpenVPN" has started.

Figure 2: Taskbar symbol OpenVPN

First, the contents of the ZIP file which was copied from the server must be unpacked and stored in the configuration directory of OpenVPN. The directory of OpenVPN that was created in the user folder must be used here, not the general directory in the program folder. The directory tree should look something like this:

    C:\Users\XYZ\OpenVPN\config\remote-pc-1

In the unpacked folder, the following four files for key, certificate, and configuration should be available:

Figure 3: Files OpenVPN Client

The desired configuration can now be selected from all registered configurations via right-clicking on the OpenVPN symbol in the taskbar. In the appearing submenu, the connection to the server can then be started, log information can be read, the password may be changed if necessary, or even the configuration file itself can be adjusted. If configuration changes are made to the server, either the new file from the server can be copied to the client or the existing file on the client can be adapted directly in parallel.

3.3 Configuration TAP-Windows Adapter V9

The TAP-Windows Adapter V9 is a virtual network adapter which is already installed on many Windows computers and, if not, it is installed with the installation of OpenVPN. OpenVPN builds the connection to the selected server via this adapter. The adapter can in principle be configured the same as any other real network adapter. In the case of a VPN connection, however, the VPN server assigns the configuration with regard to the IP address independently of the adapter's own settings. For the connection to a BG XX dPro PN and the use of the "Drive Assistant", however, it is important that the adapter is assigned a fixed IP address in the normal setting and is not set to DHCP, otherwise it will not be recognized by the "Drive Assistant". It does not matter which address is assigned, because it is overwritten as described.
4 General Network Settings & Connection Establishment

Before the connection can be established, a few general settings must be made on the server-side IT infrastructure and the mapping in the public IP address space must be ensured.

4.1 Activate Port Forwarding on Routers

On the router or all higher-level routers via which the OpenVPN server communicates with the Internet, the port forwarding of the VPN port (1194 in the example) must be activated so that VPN requests arriving at the router are forwarded to the server. Forwarding can be activated device-specifically for the individual gateway. The specific configuration depends here on the router used, which is why the process is not described here in detail on principle.

4.2 Establishment of Dynamic DNS Server

So that the OpenVPN server can always be addressed, it must always be accessible at the identical address even in the public IP address range. One possibility here would be to use a static public IP address, or the use of a dynamic DNS provider, which ensures that even if the Internet provider assigns new addresses to the router, and thus also to the end devices, after 24 hours or after a disconnection, the VPN server still remains identically accessible. For this purpose, an account must first be opened with an appropriate provider, e.g. SecurePoint (www.spdyn.de), and the route to the server-side router must be made known. Afterwards, the corresponding dynamic DNS provider must also be made known on the router, so that it can be informed if the addresses have changed and can follow the route. The specific configuration here depends on the router used and the selected dynamic DNS provider, which is why the procedure is described here only in principle and not in detail.

Figure 4: Options OpenVPN Client

4.3 Building and Testing VPN Connection

If all settings have been executed as described, the connection to the VPN server can be established. On the client, right-click on the OpenVPN symbol and select the correct configuration under the menu item "Connect". The OpenVPN symbol in the taskbar now turns yellow and a log window appears which displays the current status of the connection establishment. If no error occurs, the log window closes again automatically as soon as the connection has been successfully established, and the OpenVPN symbol in the taskbar turns green. The connection to the OpenVPN server has now been established.

As a first check, it makes sense to check which IP address has been assigned to the virtual network adapter. For a VPN tunnel, the address must be in the range of the VPN server (10.8.8.X). For a VPN bridge, it must be an address from the free address pool of the VPN bridge and correspond to the network there.

Finally, the connection can still be tested using ping. Here it is recommended to ping the VPN server first. If this is accessible, the connection to the Gateway is already established. If the ping does not go through, it is recommended to firstly check the router and firewall settings and secondly to ping a registered device in the VPN server's network. If this ping goes through, the VPN connection is fully functional. If the second ping does not go through, the recommendation is to firstly check the routing and the firewall setting on the VPN server.

5 Drive Assistant

No special settings need to be carried out in "Drive Assistant 5". If everything has been configured as a VPN bridge according to the instructions and the VPN connection is established, the "TAP-Windows Adapter V9" can be selected under "Available Adapters" for Connection Type "Industrial Ethernet", and after starting the Drive Search, drives located in the network are found. Since "Drive Assistant 5" recognizes unknown motors via broadcast commands, it is important that the connection is implemented as a VPN bridge. If the IP address of the drive is permanently assigned and known, a VPN tunnel can be used. However, in this case the drive search does not work and the IP address of the motor must be set permanently in the corresponding field.
Figure 5: Drive Assistant 5: Network Adapter Selection

Your Contact For Public Relations: Janina Dietsche | janina.dietsche@ametek.com | Tel: +49 (0)7703/930-546
