
x-router  Date: 2021-02-09
Whitepaper: Implement remote access to Dunkermotoren with VPN
Markus Weishaar | Product Manager IIoT, Dunkermotoren GmbH
Author: Markus Weishaar, Date: 11.05.2019

This whitepaper describes the configuration of a VPN connection for remote access to a Dunkermotoren dPro Ethernet engine via the Internet with the Dunkermotoren standard software Drive Assistant and the open-source software OpenVPN. A Linux-based edge gateway is configured as the VPN server for this purpose. The edge gateway communicates with the engine as well as with a router, which provides the Internet connection, over two bridged Ethernet ports. On the other side is a standard Windows PC on which Drive Assistant and OpenVPN are installed. OpenVPN is configured as a client on the PC, which sets up a VPN connection via the Internet to the VPN server on the gateway. Over this connection the engine can be selected and driven via Drive Assistant, or a firmware update can be installed.

If the engine has a known static IP address, the VPN connection can be configured as a tunnel, since linking the two subnets via routing is sufficient. If the engine has no IP address, or its IP address is not known, the VPN connection must be set up as a bridge, which pulls the client into the same subnet in which the server is located. This is necessary because Drive Assistant uses broadcasts for the drive search, and broadcasts only work within the same subnet.

Figure 1: VPN networks
Contents:

1 Requirements / Comparative Configuration
2 Configuration OpenVPN Server (Raspberry Pi / Linux)
  2.1 Installation OpenVPN
    Step 1: Update Raspberry and install OpenVPN
  2.2 Ethernet Settings
    2.2.1 VPN Tunnel (TUN)
    2.2.2 VPN Bridge (TAP)
  2.3 Create certificate and key
  2.4 Configuration OpenVPN Server
    2.4.1 VPN Tunnel (TUN)
    2.4.2 VPN Bridge (TAP)
  2.5 Configuration Linux Firewall
    2.5.1 VPN Tunnel (TUN)
    2.5.2 VPN Bridge (TAP)
    2.5.3 Activate Init File
    2.5.4 Statically Activate IP Forwarding
  2.6 Configuration OpenVPN Client
    2.6.1 VPN Tunnel (TUN)
    2.6.2 VPN Bridge (TAP)
  2.7 Generation and Export of Configuration Files for Clients
3 Configuration OpenVPN Client (Windows)
  3.1 Installation OpenVPN
  3.2 Configuration OpenVPN Client
  3.3 Configuration TAP-Windows Adapter V9
4 General Network Settings & Connection Establishment
  4.1 Activate Port Forwarding on Routers
  4.2 Establishment of Dynamic DNS Server
  4.3 Building and Testing VPN Connection
5 Drive Assistant
1 Requirements / Comparative Configuration:

- Dunkermotoren Drive Assistant 5, Version 8.0.0
- Dunkermotoren BG XX dPro PN (Ethernet)
- OpenVPN Version 2.4.7
- Hardware gateway: Kunbus Revolution Pi Connect (Raspberry Pi Compute Module 3)
- Operating system VPN server: Raspbian (Linux)
- Operating system VPN client: Windows 10
- Static public IP address or dynamic DNS server for the server-side router
- Permission to configure the server-side router (port forwarding)
- Permission to configure the OpenVPN server's firewall

2 Configuration OpenVPN Server (Raspberry Pi / Linux)

2.1 Installation OpenVPN

Step 1: Update Raspberry and install OpenVPN

Prior to the installation of OpenVPN, it is recommended to search for updates for the Raspberry Pi operating system and to install them:

    sudo apt-get update
    sudo apt-get upgrade

Now the OpenVPN software and OpenSSL for the encryption must be loaded and installed with the following command:

    sudo apt-get install openvpn openssl

2.2 Ethernet Settings

To avoid routing between the two Raspberry Pi Ethernet ports and still be able to reach the engine at eth1 from the VPN connection at eth0, both ports are bridged and given a common address in this example. Alternatively, it is also possible to work with only one port and give it a fixed IP address; the engine and the VPN connection are then connected to that port by means of a switch. This scenario is not detailed here.

To configure the Ethernet settings of the Raspberry Pi, the file "interfaces" must be opened as follows and adjusted according to the following chapters:

    sudo nano /etc/network/interfaces

The virtual loopback adapter is always registered by default and should always be retained in the configuration:

    auto lo
    iface lo inet loopback

Now the existing network interfaces are created. Since our gateway has two separate Ethernet ports, the two interfaces eth0 and eth1 are created. The attached command "allow-hotplug ethX" causes the interface to be activated and configured automatically on a kernel event. This entry is important because the interface would otherwise have to be started manually via the command "sudo ifup eth0".

The configuration file must not be closed yet, since the interfaces in their current state have no addresses and no configuration, and the Raspberry Pi would no longer be accessible. The configuration then continues on a case-specific basis:

2.2.1 VPN Tunnel (TUN)

First, both Ethernet adapters are set to "manual" mode. This is important because they are configured via the bridge. For both adapters the following line is added:

    iface ethX inet manual

Next, the bridge br0 is created as an adapter and configured statically:

    auto br0
    iface br0 inet static

Afterwards, the network settings for the adapter are set up. An example configuration could appear as follows:

    IP address:       192.168.0.200
    Subnet mask:      255.255.255.0
    Default gateway:  192.168.0.1
    Network:          192.168.0.0
    Broadcast:        192.168.0.255

In the configuration file, the entries appear as follows:

    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255

Finally, the two interfaces are added to the bridge via the following line:

    bridge_ports eth0 eth1

The complete network configuration entries to be made should then appear as follows:

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual

    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255
    bridge_ports eth0 eth1

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

2.2.2 VPN Bridge (TAP)

The fundamental settings of the ports and the bridge are identical to the previous configuration for this variant. Only the bridge is supplemented, so that the VPN adapter tap0 is likewise added to the bridge. "pre-up" commands given here are executed before the bridge is built, and "post-up" commands are executed immediately after the bridge is created. The same applies when taking the bridge down for the commands "pre-down" and "post-down".

First, the bridge is given a defined MAC address, which the bridge uses to report to the network. This facilitates diagnosis and allows the MAC address to be made known on the router if MAC filtering is active there. If the command is omitted, the bridge receives a MAC address in the best case, but no MAC address at all in the worst case.

    post-up ip link set br0 address 28:2B:1b:e1:55:2F

The next commands first ask OpenVPN to create a virtual network device tap0 before the bridge is built, and then add it to the bridge after the bridge is built.

    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0

Subsequently, a combined command is used to delete the IP addresses previously assigned to the bridge's interfaces and then to put the interfaces into "promiscuous mode", so that the bridge sees all data traffic arriving at these interfaces. Additionally, another command adds a fixed route to the default gateway for the bridge, via which the Internet is accessed.

    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0

Finally, two command lines follow which remove the virtual network adapter from the bridge when the bridge is taken down and ask OpenVPN to close the adapter.

    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The complete network configuration should then look as follows:

    auto lo
    iface lo inet loopback

    auto eth0
    allow-hotplug eth0
    iface eth0 inet manual

    auto eth1
    allow-hotplug eth1
    iface eth1 inet manual

    auto br0
    iface br0 inet static
    address xxx.xxx.xxx.xxx
    netmask xxx.xxx.xxx.xxx
    gateway xxx.xxx.xxx.xxx
    network xxx.xxx.xxx.xxx
    broadcast xxx.xxx.xxx.255
    bridge_ports eth0 eth1
    post-up ip link set br0 address 28:2B:1b:e1:55:2F
    pre-up openvpn --mktun --dev tap0
    post-up brctl addif br0 tap0
    post-up ifconfig tap0 0.0.0.0 promisc up
    post-up ifconfig eth0 0.0.0.0 promisc up
    post-up ifconfig eth1 0.0.0.0 promisc up
    post-up route add default gw xxx.xxx.xxx.xxx br0
    pre-down brctl delif br0 tap0
    post-down openvpn --rmtun --dev tap0

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

Alternatively, the construction and configuration of the bridge can also be realized via scripts that are executed directly by OpenVPN, so that the network configuration itself can be kept narrow and independent. This variant is not considered in detail here.
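As an added example that is not part of the whitepaper, the following POSIX sh script derives the "network" and "broadcast" entries of the br0 stanza from the address and netmask, checks that the default gateway actually lies in that subnet (a mismatch here is what leaves the Raspberry Pi unreachable after the interfaces file is reloaded), and prints the stanza for the TUN variant of 2.2.1 or the TAP variant of 2.2.2. The interface names and the MAC address are the whitepaper's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the whitepaper): compute network/broadcast for the
# br0 stanza, validate the gateway, and emit the stanza for "tun" or "tap".
# Pure POSIX sh arithmetic, no network access.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_calc ADDRESS NETMASK -> prints "NETWORK BROADCAST"
net_calc() {
    a=$(ip2int "$1"); m=$(ip2int "$2")
    n=$(( a & m ))
    b=$(( n | (~m & 4294967295) ))
    echo "$(int2ip "$n") $(int2ip "$b")"
}

# same_subnet ADDRESS GATEWAY NETMASK -> true when both share the subnet.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# br0_stanza MODE ADDRESS NETMASK GATEWAY -> prints the br0 block.
# MODE "tun": bridge of eth0 and eth1 only (2.2.1).
# MODE "tap": additionally attaches tap0 and sets the bridge up as in 2.2.2.
br0_stanza() {
    mode=$1; addr=$2; mask=$3; gw=$4
    same_subnet "$addr" "$gw" "$mask" || {
        echo "gateway $gw is not inside the subnet of $addr/$mask" >&2
        return 1
    }
    set -- $(net_calc "$addr" "$mask")
    cat <<EOF
auto br0
iface br0 inet static
address $addr
netmask $mask
gateway $gw
network $1
broadcast $2
bridge_ports eth0 eth1
EOF
    [ "$mode" = "tap" ] || return 0
    cat <<EOF
post-up ip link set br0 address 28:2B:1b:e1:55:2F
pre-up openvpn --mktun --dev tap0
post-up brctl addif br0 tap0
post-up ifconfig tap0 0.0.0.0 promisc up
post-up ifconfig eth0 0.0.0.0 promisc up
post-up ifconfig eth1 0.0.0.0 promisc up
post-up route add default gw $gw br0
pre-down brctl delif br0 tap0
post-down openvpn --rmtun --dev tap0
EOF
}

# Demo with the whitepaper's example values from 2.2.1.
br0_stanza tap 192.168.0.200 255.255.255.0 192.168.0.1
```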
2.3 Create certificate and key

The encryption used in this example is an example configuration for creating a functioning VPN connection quickly. Providing VPN clients with passwords is also avoided. For the concrete real use case, which goes beyond a connection test, it is recommended to select and configure a suitable encryption to achieve and guarantee the desired security levels.

First, the prefabricated "easy-rsa" scripts are copied into the OpenVPN configuration directory. These create the different certificates and keys.

    sudo cp -r /usr/share/easy-rsa /etc/openvpn/easy-rsa

Next, the file "vars" must be opened in the created directory and adjusted:

    sudo nano /etc/openvpn/easy-rsa/vars

In the file, the line export EASY_RSA="`pwd`" must be replaced by the line export EASY_RSA="/etc/openvpn/easy-rsa". You can also adjust the key length in the line export KEY_SIZE= by changing the value. The key length determines the security level. For the Raspberry Pi 3, a key length of 2048 presents no problem; for this reason it is used in this example.

Now you have to change back to the configuration directory "easy-rsa", obtain root privileges there, execute the script "vars" and make the resulting configuration file accessible via a symbolic link. These four steps are accomplished via the following four commands:

    cd /etc/openvpn/easy-rsa
    sudo su
    source vars
    ln -s openssl-1.0.0.cnf openssl.cnf

The certificate is created in the next step. The OpenVPN key files are reset and created anew:

    ./clean-all
    ./build-ca OpenVPN

A request to enter the two-letter "Country Name" follows (DE for Germany, AT for Austria, CH for Switzerland). All further queries can be skipped without entry by pressing Enter.

Finally, the key file for the server is created; here the "Country Name" must also be entered and all further queries skipped. At the end of the dialog, the question of whether the certificate should be created must be confirmed twice with "y".

    ./build-key-server server

Next, the key files for the clients are created. It is important to note here that a key file must be created for each client that wishes to establish a connection with the VPN server. In our example we restrict ourselves to one client, "remote-pc-1". The procedure for certificate creation is analogous to the server (country code, etc.).

    ./build-key remote-pc-1

If additional clients are required, the key files for these clients are created according to the same pattern:

    ./build-key client_name_xxx
    ./build-key client_name_yyy
    ./build-key client_name_zzz
    …

For clients equipped with a password, ./build-key-pass client_name must be used instead of the commands used above.

Key and certificate creation is now completed using the Diffie-Hellman key exchange command. (This process takes approx. 20 min.)

    ./build-dh

Finally, the root user is logged off after the end of key and certificate creation:

    exit
2.4 Configuration OpenVPN Server

To configure the OpenVPN server, the file "openvpn.conf" must be opened as follows and adjusted according to the following chapters:

    sudo nano /etc/openvpn/openvpn.conf

2.4.1 VPN Tunnel (TUN)

First, routing over a tunnel is activated via "dev tun", UDP is selected as the transport protocol via "proto udp", and with "port 1194" the port is selected via which the tunnel is established. Alternatively, TCP can also be used as the transport protocol. The port can be freely selected; the OpenVPN standard port 1194 is used in the example.

    dev tun
    proto udp
    port 1194

Next, the SSL/TLS root certificate (ca), the digital certificate (cert) and the digital key (key) created via the "easy-rsa" directory are entered. The Diffie-Hellman parameters are also entered; in this example, Diffie-Hellman with key length 2048.

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem

Now the VPN server is given an IP address and a subnet mask. For this variant, routing takes place from this virtual VPN server network into the physical Raspberry Pi network.

    server 10.8.0.0 255.255.255.0

Via the command push "redirect-gateway def1 bypass-dhcp", all IP traffic is routed through the VPN tunnel; whether this setting makes sense depends on the application. The following two commands name the DNS servers to be used for name resolution. In our example, this is the local DNS server of the router and the public DNS server from Google (8.8.8.8). However, these can be chosen at your discretion.

    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"

To save log information for the connection in the file "/var/log/openvpn", the following line is added:

    log-append /var/log/openvpn

The following is a standard set of commands. The command "persist-key" makes it so the key files are not read again, and "persist-tun" ensures that the TUN and TAP network drivers are not restarted. The commands "user nobody" and "group nogroup" reduce the rights of OpenVPN after program start and thereby increase security. The line "client-to-client" enables communication between the clients, and "status /var/log/openvpn-status.log" creates a status file which documents the current connections. The comprehensiveness of the logs is defined via "verb x": value 0 means no output other than error messages; a value between 1 and 4 is suitable for normal use, whereas a higher value is suitable for troubleshooting. To check the connection, "keepalive 10 120" is added: a ping is triggered every 10 seconds, and when no answer is received for 120 seconds, a connection interruption is diagnosed. To compress data in the VPN tunnel and increase throughput, LZO compression is activated via "comp-lzo". The last command "script-security x" defines which applications and scripts may be executed by OpenVPN. Value 0 indicates a strict ban on executing external applications. Value 1 allows exclusively built-in applications such as ifconfig, ip, route or netsh to be executed; these are necessary for the correct functionality of OpenVPN. Value 2 indicates that additional user-defined scripts are allowed, and value 4 indicates that it is additionally allowed to deliver user passwords.

    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The complete configuration file for the server as VPN tunnel should then appear as follows:

    dev tun
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS xxx.xxx.xxx.xxx"
    push "dhcp-option DNS 8.8.8.8"
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.
2.4.2 VPN Bridge (TAP)

Compared to the setting for a VPN tunnel, the bridged mode is activated first via "dev tapX". tapX is the tap device assigned in the Ethernet configuration, in our case tap0.

    dev tap0

Furthermore, no freely selectable VPN server network is assigned; instead, the server bridge that was configured in the network settings is specified (in the example, 192.168.0.200), together with an address range from which the VPN server can assign addresses to the clients, because with a bridge the client is "pulled" into the subnet of the server. Here it must be ensured that the address range does not overlap with the address range that the router assigns on the server side via DHCP; otherwise duplicate IP addresses can occur.

    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220

So that clients are always allocated the same addresses again, the command "ifconfig-pool-persist ipp.txt" is added. This ensures that a client that dials in again gets its previous address from the address pool. The clients are thus indirectly assigned fixed IP addresses.

    ifconfig-pool-persist ipp.txt

Otherwise, compared to the configuration of a VPN tunnel, only the "push" commands are dropped. These are not needed, because we are in the same subnet as the server. All other standard commands are used identically. The complete configuration file for the server as VPN bridge should then appear as follows:

    dev tap0
    proto udp
    port 1194
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    ifconfig-pool-persist ipp.txt
    server-bridge 192.168.0.200 255.255.255.0 192.168.0.201 192.168.0.220
    log-append /var/log/openvpn
    persist-key
    persist-tun
    user nobody
    group nogroup
    client-to-client
    status /var/log/openvpn-status.log
    verb 3
    keepalive 10 120
    comp-lzo
    script-security 2

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.
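The whitepaper states in 2.3 that these settings are meant for a quick connection test and that suitable encryption has to be chosen before real use. The following script is an added example, not part of the whitepaper or of OpenVPN: it audits a server configuration of the form shown in 2.4.1 and 2.4.2 for the directives a reviewer looks for before the port is exposed to the Internet, using the TUN file from 2.4.1 as a constructed sample beside a hardened variant. The directives in the hardened variant exist in OpenVPN 2.4; the ta.key path is an assumption.

```shell
#!/bin/sh
# Added example, not from the whitepaper: a read-only audit of an OpenVPN server
# configuration. It prints one finding per line and a final "findings: N".

# has_directive CONFIG_TEXT NAME -> true when a non-comment line starts with NAME
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|\$)"
}

# audit_openvpn_conf CONFIG_TEXT -> findings, then "findings: N"
audit_openvpn_conf() {
    c=$1; n=0
    if ! has_directive "$c" tls-auth && ! has_directive "$c" tls-crypt; then
        echo "missing tls-auth/tls-crypt: the port answers any unauthenticated TLS handshake"
        n=$((n + 1))
    fi
    if ! has_directive "$c" cipher; then
        echo "missing cipher: data channel left at the OpenVPN default instead of an explicit AEAD cipher"
        n=$((n + 1))
    fi
    if ! has_directive "$c" auth; then
        echo "missing auth: HMAC digest left at its default"
        n=$((n + 1))
    fi
    if ! has_directive "$c" tls-version-min; then
        echo "missing tls-version-min: older TLS versions are accepted"
        n=$((n + 1))
    fi
    if has_directive "$c" comp-lzo; then
        echo "comp-lzo: compressing encrypted traffic is discouraged by the OpenVPN project"
        n=$((n + 1))
    fi
    if has_directive "$c" client-to-client; then
        echo "client-to-client: clients can reach each other; unnecessary for a single remote PC"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Constructed sample: the whitepaper's TUN server configuration from 2.4.1.
SAMPLE_CONF='dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
log-append /var/log/openvpn
persist-key
persist-tun
user nobody
group nogroup
client-to-client
status /var/log/openvpn-status.log
verb 3
keepalive 10 120
comp-lzo
script-security 2'

# Hardened variant: same file without comp-lzo and client-to-client, plus an
# explicit TLS and data-channel policy. The ta.key path is assumed; the key
# would be created with: openvpn --genkey --secret ta.key
HARDENED_CONF="$(printf '%s\n' "$SAMPLE_CONF" | grep -v -e '^comp-lzo' -e '^client-to-client')
tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2"

echo "== whitepaper configuration =="
audit_openvpn_conf "$SAMPLE_CONF"
echo "== hardened configuration =="
audit_openvpn_conf "$HARDENED_CONF"
```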
2.5 Configuration Linux Firewall

Forwarding to the local network and to the Internet connection must be arranged in the firewall of the Raspberry Pi. The file "rpivpn" must be created as follows and adjusted according to the following chapters:

    sudo nano /etc/init.d/rpivpn

A header for a Linux init script is created by inserting the following comments:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO

2.5.1 VPN Tunnel (TUN)

In this variant, IP forwarding is first activated via the following command:

    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s

Next, forwarding for VPN packets is created with the packet filter "iptables":

    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT

Finally, the clients are granted access to the local network and to the Internet via the following commands. The VPN network 10.8.0.0/24 is given as the source (-s) of the masqueraded traffic and br0 as the outgoing interface (-o):

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The complete init file for the server as VPN tunnel should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o br0 -j MASQUERADE

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

2.5.2 VPN Bridge (TAP)

In this case, the configuration is somewhat simpler; here, apart from IP forwarding, only the configured bridge is granted access to the local network and the Internet via the following three lines.

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The complete init file for the server as VPN bridge should then appear as follows:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          rpivpn
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: VPN initialization script
    ### END INIT INFO
    echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s
    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

Alternatively, the configuration of the firewall can also be realized via scripts that are executed directly by OpenVPN, making an independent script unnecessary. This variant is not considered in detail here.

2.5.3 Activate Init File

Once the init file for the firewall configuration is complete, the required rights must be assigned to the file and the file must be installed as an init script. This is done with the following two commands:

    sudo chmod +x /etc/init.d/rpivpn
    sudo update-rc.d rpivpn defaults

Finally, the script must be executed and the OpenVPN server must be restarted:

    sudo /etc/init.d/rpivpn
    sudo /etc/init.d/openvpn restart

2.5.4 Statically Activate IP Forwarding

As an alternative to the command echo 'echo "1" > /proc/sys/net/ipv4/ip_forward' | sudo -s, which temporarily activates IP forwarding on each system start, IP forwarding can also be permanently activated statically. For this, the system file "sysctl.conf" must be opened:

    sudo nano /etc/sysctl.conf

The following line must then be activated by removing the comment character #:

    net.ipv4.ip_forward=1

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.
2.6 Configuration OpenVPN Client

After the server has been configured, the configurations for the client must be created or correctly adapted. Although the configuration file can also be created directly on the client, creation on the server offers the advantage that both configurations, for the server and for the client, are always maintained in one place. First, root rights must be obtained again. Then the corresponding client file is opened; in our case, "remote-pc-1".

    sudo su
    cd /etc/openvpn/easy-rsa/keys
    nano remote-pc-1.ovpn

The server address and the port through which the VPN server is accessible must be entered via the command "remote ...". This can be done either via a static public IP address or via a provider for a dynamic DNS, which updates the address when the Internet provider assigns a new one:

    remote xyz.dynDNSServer.com 1194
    # or, with a static IP address: remote xxx.xxx.xxx.xxx 1194

It is important that the client settings for "dev", "proto", "verb" and "script-security" correspond to those of the server. If "comp-lzo", "persist-key" and "persist-tun" are activated on the server, these must also be used on the client. The command "nobind" selects that no port binding is forced locally and that the local port can be arbitrary. The line "remote-cert-tls server" ensures that it is explicitly checked whether the opposite certificate has the type server. The line "resolv-retry infinite" is added so that DNS resolution is executed again after a server-side connection termination. In the client configuration, "dev tun" as opposed to "dev tap0" is the only difference between tunnel and bridge. The complete configuration files for the client are presented for both cases in the following chapters.

2.6.1 VPN Tunnel (TUN) Client

    dev tun
    proto udp
    remote xyz.dynDNSServer.com 1194
    # or, with a static IP address: remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert remote-pc-1.crt
    remote-cert-tls server
    key remote-pc-1.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

2.6.2 VPN Bridge (TAP) Client

    dev tap0
    proto udp
    remote xyz.dynDNSServer.com 1194
    # or, with a static IP address: remote xxx.xxx.xxx.xxx 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert desktop-pc.crt
    remote-cert-tls server
    key desktop-pc.key
    comp-lzo
    verb 3
    script-security 2

The change can be saved with Ctrl+O and the editor can be closed with Ctrl+X.

2.7 Generation and Export of Configuration Files for Clients

Finally, the configuration file for the client is collected together with the relevant keys and certificates in a ZIP file. If no ZIP package is installed on the Raspberry Pi yet, this can be done as follows:

    apt-get install zip

Next, the ZIP file is created per client as follows. Here it is important that the correct client name is used.

    zip /home/pi/remote-pc-1.zip ca.crt remote-pc-1.crt remote-pc-1.key remote-pc-1.ovpn

Finally, the file rights must be adjusted and the root session must be ended:

    chown pi:pi /home/pi/remote-pc-1.zip
    exit

The finished ZIP file can now be copied from the Raspberry Pi to the client via an FTP program such as FileZilla or via USB stick.
3 Configuration OpenVPN Client (Windows)

3.1 Installation OpenVPN

OpenVPN can be obtained directly from the homepage www.openvpn.net. For the test set-up serving as an example, Open Source version 2.4.7 was used here. For use in a commercial application, the appropriate licenses and software packages can also be acquired via the OpenVPN homepage. After downloading the correct software, it can be installed directly on the client PC and is accessible afterwards as "OpenVPN GUI" via the start menu.

3.2 Configuration OpenVPN Client

After starting "OpenVPN GUI", a symbol appears in the taskbar which indicates that "OpenVPN" has started.

Figure 2: Taskbar symbol OpenVPN

First, the contents of the ZIP file that was copied from the server must be unpacked and stored in the configuration directory of OpenVPN. The directory of OpenVPN that was created in the user folder must be used here, not the general directory in the program folder. The directory tree should look something like this:

    C:\Users\XYZ\OpenVPN\config\remote-pc-1

In the unpacked folder, the following four files for key, certificate and configuration should be available: ca.crt, remote-pc-1.crt, remote-pc-1.key and remote-pc-1.ovpn.

Figure 3: Files OpenVPN client

The desired configuration can now be selected from all registered configurations by right-clicking on the OpenVPN symbol in the taskbar. In the submenu that appears, the connection to the server can then be started, log information can be read, the password can be changed if necessary, or even the configuration file itself can be adjusted. If configuration changes are made on the server, either the new file from the server can be copied to the client, or the existing file on the client can be adapted directly in parallel.

3.3 Configuration TAP-Windows Adapter V9

The TAP-Windows Adapter V9 is a virtual network adapter which is already installed on many Windows computers and, if not, is installed with the installation of OpenVPN. OpenVPN builds the connection to the selected server via this adapter. In principle, the adapter can be configured the same as any other real network adapter. In the case of a VPN connection, however, the VPN server assigns the IP address configuration independently of the adapter's own settings. For the connection to a BG XX dPro PN and the use of Drive Assistant, however, it is important that the adapter is assigned a fixed IP address in its normal settings and is not set to DHCP; otherwise it will not be recognized by Drive Assistant. It does not matter which address is assigned, because it is overwritten as described.
4 General Network Settings & Connection Establishment

Before the connection can be established, a few general settings must be made on the server-side IT infrastructure, and the mapping into the public IP address space must be ensured.

4.1 Activate Port Forwarding on Routers

On the router, or on all higher-level routers via which the OpenVPN server communicates with the Internet, port forwarding of the VPN port (1194 in the example) must be activated so that VPN requests arriving at the router are forwarded to the server. Forwarding can be activated device-specifically for the individual gateway. The specific configuration depends on the router used, which is why the process is not described here in detail.

4.2 Establishment of Dynamic DNS Server

So that the OpenVPN server can always be addressed, it must always be accessible at the identical address, even in the public IP address range. One possibility here would be to use a static public IP address; another is the use of a dynamic DNS provider, which ensures that even if the Internet provider assigns new addresses to the router (and thus also to the end devices) after 24 hours or after a disconnection, the VPN server still remains accessible under the same name. For this purpose, an account must first be opened with an appropriate provider, e.g. SecurePoint (www.spdyn.de), and the route to the server-side router must be made known. Afterwards, the corresponding dynamic DNS provider must also be made known on the router, so that changed addresses can be transmitted and the route can be followed. The specific configuration here depends on the router used and the selected dynamic DNS provider, which is why the procedure is described here only in principle and not in detail.

Figure 4: Options OpenVPN client

4.3 Building and Testing VPN Connection

If all settings have been made as described, the connection to the VPN server can be established. On the client, right-click on the OpenVPN symbol, select the correct configuration and choose the menu item "Connect". The OpenVPN symbol in the taskbar now turns yellow, and a log window appears which displays the current status of the connection establishment. If no error occurs, the log window closes again automatically as soon as the connection has been successfully established, and the OpenVPN symbol in the taskbar turns green. The connection to the OpenVPN server has now been established.

As a first check, it makes sense to check which IP address has been assigned to the virtual network adapter. For a VPN tunnel, the address must be in the range of the VPN server (10.8.0.X). For a VPN bridge, it must be an address from the free address pool of the VPN bridge and correspond to the network there.

Finally, the connection can be tested using ping. Here it is recommended to ping the VPN server first. If it is reachable, the connection to the gateway is already established. If the ping does not go through, it is recommended first to check the router and firewall settings, and then to ping a registered device in the VPN server's network. If this ping goes through, the VPN connection is fully functional. If the second ping does not go through, the recommendation is first to check the routing and the firewall setting on the VPN server.
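The server-side counterpart of this check, as an added example that is not part of the whitepaper: the status file written by "status /var/log/openvpn-status.log" (2.4.1) lists each connected client with its virtual address. The script below parses that file, flags any common name for which no client certificate was issued in 2.3 (only remote-pc-1 in the whitepaper) and flags a tunnel address outside the server's 10.8.0.0/24 network. The status file text is constructed in the version-1 layout OpenVPN writes by default; the client names and addresses in it are invented.

```shell
#!/bin/sh
# Added example, not from the whitepaper: review the OpenVPN status file for
# clients that should not be there. Reads text only, no network access.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NETWORK NETMASK -> true when ADDR lies in NETWORK/NETMASK
in_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# check_status STATUS_TEXT "NAME NAME ..." -> one line per routing-table entry,
# "ok NAME ADDR", "unknown-client NAME ADDR" or "bad-address NAME ADDR",
# followed by "alerts: N" (entries that are not ok).
check_status() {
    status=$1; allowed=" $2 "; n=0
    # The routing table carries one line per client:
    # Virtual Address,Common Name,Real Address,Last Ref
    rows=$(printf '%s\n' "$status" | sed -n '/^ROUTING TABLE$/,/^GLOBAL STATS$/p' \
        | grep -v -e '^ROUTING TABLE$' -e '^GLOBAL STATS$' -e '^Virtual Address,' || true)
    while IFS=, read -r vaddr cname raddr lastref; do
        [ -n "$cname" ] || continue
        case "$allowed" in
            *" $cname "*) verdict=ok ;;
            *)            verdict=unknown-client ;;
        esac
        # Allowed client, but its tunnel address is not in the server network.
        if [ "$verdict" = ok ] && ! in_subnet "$vaddr" 10.8.0.0 255.255.255.0; then
            verdict=bad-address
        fi
        echo "$verdict $cname $vaddr"
        [ "$verdict" = ok ] || n=$((n + 1))
    done <<EOF
$rows
EOF
    echo "alerts: $n"
}

# Constructed status file (status-version 1): remote-pc-1 is the issued client,
# laptop-x is a name for which no certificate was ever created.
STATUS_SAMPLE='OpenVPN CLIENT LIST
Updated,Sat May 11 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
remote-pc-1,203.0.113.5:51234,18342,92011,Sat May 11 09:58:12 2019
laptop-x,198.51.100.7:40122,512,1024,Sat May 11 09:59:40 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,remote-pc-1,203.0.113.5:51234,Sat May 11 09:59:58 2019
10.8.0.10,laptop-x,198.51.100.7:40122,Sat May 11 09:59:59 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Demo: only remote-pc-1 was issued a certificate in 2.3.
check_status "$STATUS_SAMPLE" "remote-pc-1"
```

On the gateway the same function would be fed with the real file, e.g. check_status "$(cat /var/log/openvpn-status.log)" "remote-pc-1".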
5 Drive Assistant

No special settings need to be made in Drive Assistant 5. If everything has been configured as a VPN bridge according to the instructions and the VPN connection is established, the "TAP-Windows Adapter V9" can be selected under Available Adapters for the connection type "Industrial Ethernet", and after starting the drive search, drives located in the network are found.

Since Drive Assistant 5 recognizes unknown motors via broadcast commands, it is important that the connection is implemented as a VPN bridge. If the IP address of the drive is permanently assigned and known, a VPN tunnel can be used; however, in this case the drive search does not work, and the IP address of the motor must be set permanently in the corresponding field.

Figure 5: Drive Assistant 5: Network adapter selection

Your contact for public relations: Janina Dietsche | janina.dietsche@ametek.com | Tel: +49 (0)7703/930-546
