Prerequisites:
In order to configure your Milesight router to become an OpenVPN server, you will need:
- A Milesight brand UR router
- A PC running Windows with the following software installed:
Initializing the environment
Copy easy-rsa2 files
The files in the following subfolders of the easy-rsa2 Git archive:
“\easy-rsa-old-master\easy-rsa-old-master\easy-rsa\2.0”
and
“\easy-rsa-old-master\easy-rsa-old-master\easy-rsa\Windows”
must be copied to the location where OpenVPN is installed.
The folder “\program files\OpenVPN\easy-rsa” should look like
Initialization commands in the Windows shell
Run the following commands in the Windows shell (open it as administrator):
cd C:\Program Files\OpenVPN\easy-rsa
init-config
vars
clean-all
Then finally the command:
build-ca
You will be asked to enter information. Most fields can be left as default except the Common Name. It is recommended to fill in all fields correctly.
Generating the server certificate and key
You need to enter the following command:
build-key-server server
As before, most fields can be left as default except the Common Name, where you will need to fill in “server”.
Then, at the prompts "Sign the certificate?" and "1 out of 1 certificate requests certified, commit? [y/n]", you will have to answer yes (y).
Create client certificates
To create client certificates, enter the following command:
build-key client1
build-key client2
build-key client3
build-key clientxx, etc.
Remember, for each client, make sure to type the appropriate common name when prompted, i.e. “customer1”, “customer2”, or “customer3”. Always use a unique common name for each client.
Do not enter a password for client certificates unless you want authentication to be done by certificate AND by identification. In that case, you will need to use the build-key-pass script in place of build-key. More information is available on the OpenVPN site.
Finally, at the prompts "Sign the certificate?" and "1 out of 1 certificate requests certified, commit? [y/n]", you must answer yes (y).
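The Common Name rules above (“server” for the server certificate, a unique name for each client) can be checked before anything is imported into the router. The following Python script is an added example, not part of the original guide: it assumes the keys folder contains the index.txt database that OpenSSL maintains for the CA, and the sample entries in it are constructed.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in OpenSSL's index.txt layout (tab-separated):
# status, expiry, revocation date, serial, file name, subject DN
SAMPLE_INDEX = (
    "V\t340101120000Z\t\t01\tunknown\t/C=FR/O=Example/CN=server\n"
    "V\t340101120500Z\t\t02\tunknown\t/C=FR/O=Example/CN=client1\n"
    "R\t340101121000Z\t240301090000Z\t03\tunknown\t/C=FR/O=Example/CN=client2\n"
    "V\t340101121500Z\t\t04\tunknown\t/C=FR/O=Example/CN=client1\n"
)

def parse_index(text):
    """Return one dict per certificate recorded in index.txt."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        status, expiry, _revoked, serial, _file, subject = fields
        # The subject DN is written as /KEY=value/KEY=value/...
        dn = dict(p.split("=", 1) for p in subject.split("/") if "=" in p)
        # Expiry is YYMMDDHHMMSSZ, or YYYYMMDDHHMMSSZ for far-future dates
        fmt = "%Y%m%d%H%M%SZ" if len(expiry) == 15 else "%y%m%d%H%M%SZ"
        expires = datetime.strptime(expiry, fmt).replace(tzinfo=timezone.utc)
        entries.append({"status": status, "serial": serial,
                        "cn": dn.get("CN", ""), "expires": expires})
    return entries

def audit(entries, now=None, server_cn="server"):
    """List problems among the valid (status V) certificates."""
    now = now or datetime.now(timezone.utc)
    valid = [e for e in entries if e["status"] == "V"]
    problems = []
    for cn, count in sorted(Counter(e["cn"] for e in valid).items()):
        if not cn:
            problems.append("certificate without a Common Name")
        elif count > 1:
            problems.append(f"Common Name {cn!r} used by {count} valid certificates")
    if server_cn not in {e["cn"] for e in valid}:
        problems.append(f"no valid certificate with Common Name {server_cn!r}")
    for e in valid:
        if e["expires"] <= now:
            problems.append(f"serial {e['serial']} ({e['cn']}) has expired")
    return problems

if __name__ == "__main__":
    for problem in audit(parse_index(SAMPLE_INDEX)):
        print(problem)
```

To check a real CA, pass the text of keys\index.txt to parse_index() instead of SAMPLE_INDEX.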
Generate Diffie Hellman Parameters
Diffie Hellman parameters must be generated for the OpenVPN server with the command:
build-dh
Retrieve certificate and key files
The /easy-rsa/keys subfolder contains the files that we will import into the Milesight router.
Setting up OpenVPN server on Milesight router
In Network → VPN → OpenVPN Server, you need to enter the information related to the OpenVPN server configuration.
There is no need to have a .ovpn file.
ATTENTION: in Listening IP you must enter the public address of the router. If you are using an M2M SIM card with a public IP, you can enter the IP of the SIM card. Otherwise, with a standard SIM card, you must use a DynDNS address.
This is an example configuration. You can find more information about the different settings at this address: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-4/
Importing certification files
In Network → VPN → Certification you can import the files as follows:
Click on “Browse” to select the corresponding file and then on “Import”.
- CA → “ca.crt”
- Public Certificate → “server.crt”
- Private Key → “server.key”
- DH → “dh2048.pem”
- TA → “ca.key”
Don't forget to press “Save” and “Apply”.
Checking server operation
In the Status → VPN menu you will see if the VPN server is active.
Connect another router as a client
In order to connect another router as a client, go to the following menu on that router:
Network → VPN → OpenVPN Client
And fill in the information according to the server settings.
Please note that the REMOTE IP ADDRESS field must match the value of the LISTENING IP ADDRESS field of the server, and the Remote Tunnel IP field must match the server's Client Subnet field.
It is also necessary to import the certificates on the client router in Network → VPN → Certification, such as:
Checking Client Connectivity
In the Status → VPN menu in the “Connected list” section you will see if the client(s) are connected: