OpenVPN on an RV160 and RV260 Router

Article ID:5879

Objective

The objective of this article is to guide you through setting up OpenVPN on your RV160 or RV260 router, as well as setting up the OpenVPN client on a computer.

Applicable Devices

  • RV160
  • RV260

Software Version

  • 1.0.00.13

Table of Contents

Setting up a Demo OpenVPN on an RV160/RV260 Router

Setting up OpenVPN on an RV160/RV260 Router

Logging in With a Self-signed Certificate after Setting up Demo OpenVPN

OpenVPN Client Setup on Computer

Introduction

OpenVPN is a free, open-source application that can be set up and used for a Virtual Private Network (VPN). It uses a client-server connection to provide secure communications between a server and a remote client location over the internet.

OpenVPN uses OpenSSL for encryption and UDP or TCP for traffic transmission. A VPN provides a secure tunnel of protection, which is less vulnerable to hackers since it encrypts data sent from your computer through the VPN connection. For example, if you are using WiFi in a public place, such as in an airport, it keeps your data, transactions, and queries from being seen by other users. Much like HTTPS, it encrypts data sent between two end points.

One of the most important steps in setting up OpenVPN is obtaining a Certificate from a Certificate Authority (CA). This is used for authentication. Certificates are purchased from any number of third-party sites. It is an official way to prove that your site is secure. Essentially, the CA is a trusted source that verifies that you are a legitimate business and can be trusted. For OpenVPN you only need a lower level certificate at a minimal cost. You get checked out by the CA, and once they verify your information, they will issue the certificate to you. This certificate can be downloaded as a file on your computer. You can then go into your router (or VPN server) and upload it there. Please note, clients don't need a Certificate to use OpenVPN; it is just for verification through the router.

Prerequisites

Install the OpenVPN application onto your system. Click here to go to the OpenVPN page.

More information on OpenVPN can be found here. These websites contain a lot of detail about OpenVPN and answers to many questions you may have.

Note: This setup is specific to Windows 10.

Once you have OpenVPN installed, the application should appear on your desktop or as a small icon on the right side of the task bar. OpenVPN clients will also need this installed.

Ensure you have the proper system time set up on all devices. The proper system time must be completely synced at the router before the creation of a certificate. This is often done automatically, but if you run into issues, this is a good place to check.

Setting up a Demo OpenVPN on an RV160/RV260 Router

If you want to try out OpenVPN before you pay a CA for a certificate, you can create a self-signed certificate. This is a no-cost way to see if OpenVPN is something you would like to deploy for your business. If you already know you would like to purchase a certificate from a CA, you can skip this section of the article and go directly to Setting up OpenVPN on an RV160/RV260 Router.

Step 1. Log into the router using your credentials. The default user name and password are cisco.

Note: It is highly recommended that you change all passwords to something more complex. Otherwise, it is like leaving the key to your locked door on the doorstep.

Step 2. It is a requirement that you obtain a certificate on the router. Navigate to Administration > Certificate > Generate CSR/Certificate... This is how to create the request for a certificate.

Step 3. Make a request for a CA Certificate.

  • Select CA Certificate from the dropdown menu
  • Enter a Certificate Name
  • Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
  • Enter your Country
  • Enter your State
  • Enter your Locality Name, usually your city
  • Enter your Organization Name
  • Enter your Organization Unit Name
  • Enter your email address
  • Enter Key Encryption Length, 2048 is recommended

Click the top right Generate button.

Step 4. You also need a server certificate. This Certificate Signed by CA Certificate will be signed by the CA certificate you just created.

Step 5. Make a request for a Certificate Signed by CA Certificate.

  • Select Certificate Signing Request from the dropdown menu
  • Enter a Certificate Name
  • Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
  • Enter your Country
  • Enter your State
  • Enter your Locality Name, usually your city
  • Enter your Organization Name
  • Enter your Organization Unit Name
  • Enter your email address
  • Enter Key Encryption Length, 2048 is recommended
  • Choose the proper Certificate Authority from the dropdown menu
  • Click the top right Generate button

Step 6. Navigate to System Configuration > User Groups. Select the plus icon to add the new group.

Step 7. Enter the name of the Group, click On for the radio button to turn on OpenVPN. Click Apply.

Step 8. Navigate within the System Configuration menu and click on User Accounts. Under Local Users, Click on the plus icon.

Step 9. Fill out the information below. Make sure to select OpenVPN from the dropdown menu. Click Apply.

All of the dependencies are complete and the router can now be configured for OpenVPN.

Step 10. Navigate to VPN > OpenVPN. The OpenVPN page opens. Complete each box on the page, making sure to select the previously created certificates from the dropdown menu.

  • Check the Enable box. Select the Interface that is going to allow in traffic, in this case the Wide Area Network (WAN), and select a Certificate Authority (CA) Certificate.
  • Select the CA Certificate from the dropdown menu
  • Select the Server Certificate you downloaded from the dropdown menu
  • Select Client Authentication. If you select Password, clients need to authenticate with a password. If you select Password + Certificate, the client must also have a certificate. This is more secure but adds to the cost of the VPN as they would need to purchase a separate CA.
  • Enter the Client Address Pool. Choose a network subnet from the reserved ranges that isn't used anywhere else in the company.
  • Choose the form of Encryption. Make sure the encryption is the same as the client. DES and 3DES are not recommended and should only be used for backwards compatibility.
  • Choose Split tunnel if you want only specified traffic to go through the VPN. For a VPN, a split tunnel is necessary. Full Tunnel Mode is selected in other situations when you want all client traffic to go through the VPN.
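
The Client Address Pool rule above can be checked before the value is typed into the router. The following is an added example, not part of the original article or of any Cisco tool; it assumes "reserved ranges" means the RFC 1918 private ranges, and the inventory of in-use subnets is constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, taken here as the "reserved ranges" (assumption).
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_client_pool(pool, subnets_in_use):
    """Return a list of problems with a candidate client address pool.

    pool is the candidate in CIDR form; subnets_in_use lists every subnet
    already routed in the company. An empty list means both checks passed.
    """
    try:
        # strict=True rejects host bits, e.g. 10.8.0.1/24 instead of 10.8.0.0/24
        pool_net = ipaddress.IPv4Network(pool, strict=True)
    except ValueError as exc:
        return [f"invalid pool {pool!r}: {exc}"]

    problems = []
    if not any(pool_net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{pool_net} is outside the private address ranges")
    for used in subnets_in_use:
        used_net = ipaddress.IPv4Network(used, strict=False)
        if pool_net.overlaps(used_net):
            problems.append(f"{pool_net} overlaps {used_net}, already in use")
    return problems


# Constructed inventory of subnets in use (not from any real network).
IN_USE = ["192.168.1.0/24", "10.10.20.0/24", "172.16.10.0/23"]

if __name__ == "__main__":
    for candidate in ("10.8.0.0/24", "10.10.20.128/25", "172.16.11.0/24", "8.8.8.0/24"):
        print(candidate, "->", check_client_pool(candidate, IN_USE) or "OK")
```

The /23 entry shows why a plain string comparison is not enough: 172.16.11.0/24 looks unused but lies inside 172.16.10.0/23.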

Step 11. Scroll down the page and fill out the following:

  • The DNS1 IP address could be a dedicated internal DNS server, the same IP address of your default gateway provided by your Internet Service Provider (ISP), on a virtual machine, or a trusted DNS server out on the internet.

Step 12. Click Apply to save the configuration at the router.

Step 13. Stay on the same page and scroll further. Generate the configuration template that is to be installed on the OpenVPN client. This file has an .ovpn extension and will be used by the OpenVPN client. Check the box to Export client configuration template (.ovpn) and click Generate. This downloads the file onto your computer.
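
Before the exported .ovpn file is handed to users, it can be checked against the settings chosen in Step 10: the encryption must match the router, DES and 3DES should not be in use, and with Password authentication the profile must prompt for credentials. The script below is an added example, not Cisco's code; the sample profile is constructed and is not the router's actual export, and the router cipher name passed in is whatever the administrator selected.

```python
import re

def parse_ovpn(text):
    """Return ({directive: [argument lists]}, {inline block tag: body})."""
    directives, blocks, tag = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if tag:                                  # inside an inline block such as <ca>
            if line == f"</{tag}>":
                tag = None
            else:
                blocks[tag].append(line)
        elif re.fullmatch(r"<[\w-]+>", line):    # opening tag of an inline block
            tag = line[1:-1]
            blocks[tag] = []
        elif line and line[0] not in "#;":       # skip blank lines and comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives, {k: "\n".join(v) for k, v in blocks.items()}

def audit_profile(text, router_cipher):
    """List findings for a client profile; an empty list means none."""
    directives, blocks = parse_ovpn(text)
    findings = []
    ciphers = [args[0] for args in directives.get("cipher", []) if args]
    if not ciphers:
        findings.append("no cipher directive: cannot confirm it matches the router")
    for c in ciphers:
        if c.upper().startswith("DES"):          # DES-CBC, DES-EDE3-CBC (3DES)
            findings.append(f"cipher {c} is DES/3DES: backwards compatibility only")
        if c.upper() != router_cipher.upper():
            findings.append(f"cipher {c} differs from router setting {router_cipher}")
    has_ca = "-----BEGIN CERTIFICATE-----" in blocks.get("ca", "") or "ca" in directives
    if not has_ca:
        findings.append("no CA certificate: client cannot verify the router")
    if "auth-user-pass" not in directives:
        findings.append("auth-user-pass missing: no username/password prompt")
    return findings

# Constructed sample profile, not exported from a real router.
SAMPLE = """client
remote vpn.example.net 1194
cipher DES-EDE3-CBC
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(placeholder body, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
```

Calling audit_profile(SAMPLE, "AES-256-CBC") returns two findings for the constructed sample: the 3DES cipher and the mismatch with the router setting.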

Step 14. Navigate to Status and Statistics > VPN Status. You have the ability to scroll down for more detailed information.

The next section of this article is important to review, as it explains how to log in with a self-signed certificate.

Logging in With a Self-signed Certificate after setting up Demo OpenVPN

When you log in with a self-signed certificate, you may see a warning popup when you attempt to log in. You will need to click Advanced, Proceed, Trust, or another option depending on your web browser in order to proceed.

At this point you may receive a warning that it is unsafe. You can choose to proceed, add exception, or advanced. This will vary by web browser.

In this example, Chrome was used as the web browser. When this message appears, click Advanced.

A new screen will open and you need to click on Proceed to yourwebsite.net (unsafe).

Here is an example of accessing the device warning when using Firefox as a web browser. Click on Advanced.

Click Add Exception...

Finally, you will have to click on Confirm Security Exception.

The router is now configured with all the parameters necessary to support an OpenVPN Client connection. Since you have already downloaded the client configuration template to your device, the one that ends in .ovpn, you can move on to the section OpenVPN Client Setup on Computer. If you decide to deploy OpenVPN for your company, you can follow the steps in this next section.

Setting up OpenVPN on an RV160/RV260 Router

This is a more complicated process as it involves getting a certificate from a third-party CA, which costs money. You also need to send the VPN client configuration template, ending in .ovpn, to all clients so they can set it up on their devices. Several client settings must match the router's in order for them to communicate. The best part is that for minimal cost, you and your employees can use the internet and conduct business more securely.

Step 1. Log into the router using your credentials. The default user name and password are cisco.

Note: It is highly recommended that you change all passwords to something more complex. Otherwise, it is like leaving the key to your locked door on the doorstep.

Step 2. It is a requirement that you obtain a certificate. Navigate to Administration > Certificate > Generate CSR/Certificate... This is how to create the request for a certificate.

Step 3. Make a request for a Certificate Signed by CA Certificate. This can be found by navigating to Administration > Certificate.

  • Select Certificate Signing Request from the dropdown menu
  • Enter a Certificate Name
  • Enter the IP address, Fully Qualified Domain Name (FQDN), or Email. Entering the IP address is the most common choice.
  • Enter your Country
  • Enter your State
  • Enter your Locality Name, usually your city
  • Enter your Organization Name
  • Enter your Organization Unit Name
  • Enter your email address
  • Enter Key Encryption Length, 2048 is recommended
  • Click the top right Generate button

Step 4. Select to Export it by clicking the up arrow under Action.

Step 5. This screen will appear. Click Export.

Step 6. Select Open with and Notepad (default) from the dropdown menu. Click OK.

Step 7. An XML File will open.

Note: Make sure the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST are each on their own lines as shown above.

Step 8. At the top of the screen click Edit and select Copy from the dropdown menu.

Step 9. Choose a reputable third party site to make the certificate request. You will need to paste the copied XML file as part of the request.

Note: If you have an internal certificate server on your network you can use that instead, however this is not common.

Step 10. Once you have been verified, you can choose Download certificate.

Step 11. Click the radio button to Save File and Click OK.

Step 12. Once it has been saved, select the radio button for that certificate and click on the down arrow.

Step 13. This screen will open. Select Browse....

Step 14. Choose the file of the certificate and click Open.

Step 15. Enter the Certificate Name to import and click Upload.

Step 16. You will receive a notification that the certificate successfully imported. Click OK.

Step 17. Navigate to Administration > Certificate. The certificate has been loaded.

Note: In this example, a local certificate server was used.

Step 18. Navigate to VPN > OpenVPN. The OpenVPN page opens. Complete the following with your information.

  • Check the Enable box. Select the Interface that is going to allow in traffic, in this case the Wide Area Network (WAN), and select a Certificate Authority (CA) Certificate.
  • Select the CA Certificate from the dropdown menu
  • Select the Server Certificate you downloaded from the dropdown menu
  • Select Client Authentication. If you select Password, clients need to authenticate with a password. If you select Password + Certificate, the client must also have a certificate. This is more secure but adds to the cost of the VPN as they would need to purchase a separate CA.
  • Enter the Client Address Pool. Choose a network subnet from the reserved ranges that isn't used anywhere else in the company.
  • Choose the form of Encryption. Make sure the encryption is the same as the client. DES and 3DES are not recommended and should only be used for backwards compatibility.
  • Choose Full Tunnel Mode if you want all client traffic to go through the VPN, or Split tunnel if you want only specified traffic to go through the VPN.
  • The DNS1 IP address could be a dedicated internal DNS server, the same IP address of your default gateway provided by your Internet Service Provider (ISP), on a virtual machine, or a trusted DNS server out on the internet.

Click Apply to save the configuration.

Step 19 (Option 1). You can email this configuration to the client. Check the box Send Email. Enter an email address. Add a Subject title for the email. Click Generate.

Step 20 (Option 2). Select Export client configuration template (.ovpn) and click Generate.

Step 21. You will receive confirmation that it was successful. Click OK.

Step 22. Click Save.

Step 23. At the bottom right of your desktop, click the OpenVPN icon. Right click to open the dropdown menu. Click Import File.

Step 24. Select the OpenVPN file that ends in .ovpn.

Step 25. Click on the radio button Save File and click OK.

Step 26. Change the name of the file if you choose, but leave .ovpn at the end of the file name. Click Save.

Step 27. Navigate to Status and Statistics > VPN Status. You have the ability to scroll down for more detailed information.

The router is now configured with all the parameters necessary to support an OpenVPN Client connection for your personal trial.

OpenVPN Client Setup on Computer

Each OpenVPN client needs to perform the following tasks as a prerequisite:

  • Download the OpenVPN application on their device.
  • Open and save the configuration file that was sent in steps 19-22 in the previous section. The configuration file ends in .ovpn.

Note: This setup is specifically for Windows 10.

Step 1. Navigate to the arrow icon on the bottom right of the desktop and click to open the OpenVPN icon. Right click and select Import File.

Note: The icon is black and white, indicating that it is not currently running. Once it is running the icon will show in color.

Step 2. Click on the up arrow. Click on the OpenVPN icon. Right click and select Connect from the dropdown menu.

Step 3. Enter the Username and Password.

Step 4. The window will show the OpenVPN connecting along with some log data.

Step 5. A system log should alert that there is a connection.

Step 6. The VPN client should safely be able to tunnel incoming and outgoing information through OpenVPN. This can be set to automatically connect in the OpenVPN settings.

Step 7. The administrator can confirm the VPN Status by navigating to Status and Statistics > VPN Status on the router.

Conclusion

You should now have successfully installed OpenVPN on your RV160 or RV260 router and at the VPN client site.

For community discussions on OpenVPN, go to the Cisco Small Business Support Community page and do a search for OpenVPN.

Comments
Beginner

Hi all,

 

I'm having a problem configuring an RV260 VPN router. I have followed all the steps in the Cisco tutorial and my OpenVPN client is connected and working. My problem is I can just see the router IP, local and pool. I'm not able to get to any server on the remote network.

 

My client has IP 192.168.0.50/255.255.255.0. My remote router has IP 10.1.50.1/255.255.255.0

I'm posting an image so you can see my OpenVPN configuration. I'm not sure how to get this to work.

 

foto.png

Thank you

Beginner
Why are the pictures unavailable? BR, Michał