Last adaptation to the version: 12.0
- If multiple values are passed for a parameter, the values must be enclosed in square brackets, with a space (!) after the opening bracket and before the closing bracket. Example: openvpn push_subnet new openvpn_id 4711 push_subnet [ 192.168.176.0/24 192.168.176.1/24 ]
- If no values are to be passed for a parameter, two square brackets with a space between them must be used. Example: openvpn set id "4711" remote [ ]
Command | Parameter | Description | Example |
---|---|---|---|
openvpn delete | id | Removes an SSL-VPN connection. The id parameter is required. | openvpn delete id "6" |
openvpn get | - | Lists the SSL-VPN connections | openvpn get |
openvpn new | | Creates a new SSL-VPN connection | openvpn new name "RW-Verbindung" mode "SERVER" proto "UDP" auth "LOCAL" cert "Server_cert" pool "192.168.250.0/24" mtu "1500" interface "tun0" local_port "1194" reneg "3600" push_subnet "192.168.175.0/24" dh_size "2048" |
openvpn new | id | Identification number of the connection | |
openvpn new | name | Name of the connection | |
openvpn new | mode | Mode: Server or Client | |
openvpn new | proto | Protocol used for the connection: UDP or TCP | |
openvpn new | auth | Authentication method: None, local or radius | |
openvpn new | cert | Server certificate used for this connection | |
openvpn new | dh_size | Size of the Diffie-Hellman key | |
openvpn new | mtu | Size of the data packets | |
openvpn new | pool | Transfer network used for this TUN connection, e.g. 192.168.250.0/24 | |
openvpn new | flags | DISABLED if this connection is not to be used, MULTIHOME if several WAN connections are available, LZO for compression, PUSH_DNS to push the IP of the DNS server, PUSH_WINS to push the IP of the WINS server | |
openvpn new | local_addr | IP of the interface to be used for the connection | |
openvpn new | local_port | Port used for this connection, e.g. 1194 | |
openvpn new | remote | Remote address via which the site-to-site client establishes the connection to the server | |
openvpn new | max_clients | Maximum number of clients for this connection | |
openvpn new | interface | The TUN interface to be used | |
openvpn new | push_subnet_id | Identification number of the internal subnet on the server side to be transferred | |
openvpn new | push_subnet | IP address of the subnet | |
openvpn set | id | Modifies an SSL-VPN connection. The id parameter is required. The other parameters and their syntax are identical to those of the command openvpn new. | openvpn set id "1" cert "Neues-Server_cert" |
openvpn export | user | Exports the user data of a user. | openvpn export user "Benutzername" type "config" |
openvpn status | - | Lists the connection status of the individual SSL-VPN instances | openvpn status |
openvpn disconnect | | Terminates an SSL-VPN connection to a client | openvpn disconnect name "RW_Test" c_name "vpnuser" |
openvpn disconnect | name | Name of the relevant connection | |
openvpn disconnect | c_name | Name of the relevant client | |
openvpn update | - | Updates all SSL-VPN instances | openvpn update |
openvpn cipher get_available | | | |
openvpn digest_algorithm get_available | | | |
openvpn push_subnet new | | Creates a new subnet | openvpn push_subnet new openvpn_id "3" push_subnet 192.168.176.0/24 |
openvpn push_subnet new | openvpn_id | Identification number of the connection | |
openvpn push_subnet new | push_subnet | IP address of the subnet | |
openvpn push_subnet delete | | Deletes an existing subnet entry | openvpn push_subnet delete openvpn_id "3" push_subnet_id 15 |
openvpn push_subnet delete | openvpn_id | Identification number of the connection | |
openvpn push_subnet delete | push_subnet_id | Identification number of the internal subnet on the server side to be transferred | |
openvpn remote get | - | Lists the SSL-VPN remote profiles | openvpn remote get |
openvpn remote new | | Creates a new SSL-VPN remote profile | openvpn remote new name "Client1" common_name "Client_cert" tunnel_addr "192.168.250.10/24" subnets "192.168.176.0/24" |
openvpn remote new | id | Identification number of the site-to-site client connection | |
openvpn remote new | openvpn_id | | |
openvpn remote new | name | Name of the site-to-site connection | |
openvpn remote new | common_name | Client certificate used for this connection | |
openvpn remote new | tunnel_addr | IP address of the TUN interface on the client side | |
openvpn remote new | hosts | Public address at which the SSL-VPN server can be reached | |
openvpn remote new | subnets | Internal network on the client side | |
openvpn remote new | push_subnets | Internal network on the server side | |
openvpn remote set | id | Changes an SSL-VPN remote profile. The id parameter is required. The other parameters and their syntax are identical to those of the command openvpn remote new. | openvpn remote set id "3" tunnel_addr "192.168.250.2/24" |
openvpn remote delete | id | Deletes an existing SSL-VPN remote profile. The id parameter is required. | openvpn remote delete id "3" |
openvpn option get | | | |
openvpn option get | id | | |
openvpn option get | name | | |
openvpn option get | value | | |
openvpn option get | description | | |
Create new connection
Create TUN interface + zone
interface new name "tun0" type "TUN"
interface zone new name "vpn-openvpn-server_conn" interface tun0
Create certificates
cert new common_name "myCA"
cert new common_name "Server_cert" issuer_id 130
cert new common_name "Client_cert" issuer_id 130
id |common_name|bits|valid_since        |valid_till         |issuer|flags |status
---+-----------+----+-------------------+-------------------+------+------+------
130|myCA       |1024|2011-08-25-10-41-16|2012-08-24-10-41-16|myCA  |KEY,CA|OK
131|Server_cert|1024|2011-08-25-10-41-43|2012-08-24-10-41-43|myCA  |KEY   |OK
132|Client_cert|1024|2011-08-25-10-42-04|2012-08-24-10-42-04|myCA  |KEY   |OK
For a site-to-site connection, the CA and the client_cert must then be exported.
cert export x509 id 130
cert export x509 id 132
Define OpenVPN remote profiles
- Server site
openvpn remote new name "Client1" common_name "Client_cert" tunnel_addr "192.168.250.10" subnets 192.168.176.0/24
- Client site
openvpn remote new name "s2s-Server" hosts 192.168.4.143
Create OpenVPN connection
Roadwarrior
openvpn new name "RW-Verbindung" mode "SERVER" proto "UDP" auth "LOCAL" cert "Server_cert" pool "192.168.250.0/24" mtu "1500" interface "tun0" local_port "1194" reneg "3600" push_subnet "192.168.175.0/24" dh_size "2048"
Site to Site
- Import certificates
- Server site
openvpn new name "s2s-conn" mode "SERVER" proto "UDP" auth "NONE" cert "Server_cert" dh_size "2048" mtu "1400" pool "192.168.250.0/24" interface tun0
- Client site
openvpn new name "s2s-client" mode "CLIENT" proto "UDP" auth "NONE" cert "Client_cert" dh_size "2048" mtu "1400" interface "tun0" remote s2s-Server
- Pools may not be assigned more than once
- The local_port must not be used more than once (per interface)
- A TUN interface may not be used more than once
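Added example (not from the Securepoint documentation): a Python parser for the key/value syntax described in the notes at the top of this page, used to check a set of planned openvpn new commands against the three rules above before they are typed into the firewall. The verb list that ends a command prefix and the sample commands are constructed for this example.

```python
import shlex

# Verbs that end the command prefix (assumption: taken from the command table on this page).
VERBS = {"new", "get", "set", "delete", "export", "status",
         "disconnect", "update", "get_available"}

def parse_cli(line):
    """Split one CLI line into (command words, {parameter: value}).
    Quoted values lose their quotes, '[ a b ]' becomes a list and '[ ]' an empty list."""
    tokens = shlex.split(line)
    verb_at = next(k for k, t in enumerate(tokens) if t in VERBS)  # StopIteration: no command
    cmd, params, i = tokens[:verb_at + 1], {}, verb_at + 1
    while i < len(tokens):                      # remaining tokens are key / value pairs
        key, i = tokens[i], i + 1
        if i < len(tokens) and tokens[i] == "[":
            end = tokens.index("]", i)          # ValueError if the list is never closed
            params[key] = tokens[i + 1:end]
            i = end + 1
        elif i < len(tokens):
            params[key], i = tokens[i], i + 1
        else:
            raise ValueError(f"parameter {key!r} has no value")
    return cmd, params

def check_openvpn_new(lines):
    """Apply the three uniqueness rules to a set of planned 'openvpn new' lines.
    Returns human-readable conflicts; an empty list means the set is consistent."""
    owner, problems = {}, []                    # (rule, value) -> connection that claimed it first
    for line in lines:
        cmd, p = parse_cli(line)
        if cmd != ["openvpn", "new"]:
            continue
        name = p.get("name", "<unnamed>")
        claims = [(rule, p[key]) for rule, key in (("pool", "pool"), ("TUN interface", "interface"))
                  if key in p]
        if "local_port" in p:                   # the same port is allowed on a different interface
            claims.append((f"local_port on {p.get('interface', '<no interface>')}", p["local_port"]))
        for rule, value in claims:
            if (rule, value) in owner:
                problems.append(f"{rule} {value} is used by both {owner[rule, value]} and {name}")
            else:
                owner[rule, value] = name
    return problems

# Constructed sample: two connections that obey the rules and a third that breaks all three.
SAMPLE = [
    'openvpn new name "RW-Verbindung" mode "SERVER" proto "UDP" auth "LOCAL" cert "Server_cert" pool "192.168.250.0/24" mtu "1500" interface "tun0" local_port "1194" push_subnet "192.168.175.0/24"',
    'openvpn new name "s2s-conn" mode "SERVER" proto "UDP" auth "NONE" cert "Server_cert" mtu "1400" pool "192.168.251.0/24" interface tun1 local_port "1194"',
    'openvpn new name "dup" mode "SERVER" pool "192.168.250.0/24" interface "tun0" local_port "1194"',
]
```

Running check_openvpn_new(SAMPLE) reports the three conflicts of the "dup" line with "RW-Verbindung"; the first two lines alone pass because port 1194 sits on different TUN interfaces.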
Multiple OpenVPN servers
Several OpenVPN servers can be passed via the remote profiles, e.g.:
openvpn remote set id 2 hosts 192.168.4.143,192.168.176.1
firewall.foo.local> openvpn remote get
id|name            |hosts
--+----------------+---------------------------
2 |remote_sslserver|192.168.4.143,192.168.176.1
If no ports are specified, the default port 1194 is used.
If other ports are to be used, these can be specified after the IP with a preceding colon.
firewall.foo.local> openvpn remote set id 2 hosts 192.168.4.143:1195,192.168.176.1:1196
id|name            |hosts
--+----------------+----------------------------------
2 |remote_sslserver|192.168.4.143:1195,192.168.176.1:1196
An attempt is first made to establish a connection to 192.168.4.143 (28 connection attempts with UDP / 3 attempts with TCP).
If no connection can be established to 192.168.4.143, an attempt is made to establish a connection to 192.168.176.1 (27 connection attempts for UDP / 1 attempt for TCP).
If it is also not possible to establish a connection to 192.168.176.1, an attempt is made to establish a connection to 192.168.4.143 again.
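Added example, not part of the Securepoint documentation: parse a remote profile's hosts value using the default-port rule above and list which server each connection attempt targets, so a failover order can be checked before the profile is applied. The names parse_hosts and attempt_order are mine, and the assumption that the documented attempt counts start over after the last server is marked in the code.

```python
DEFAULT_PORT = 1194                       # used when no :port follows the IP

def parse_hosts(value):
    """Turn the hosts value 'ip[:port],ip[:port]' into [(ip, port), ...] in the order tried."""
    targets = []
    for entry in value.split(","):
        host, _, port = entry.strip().partition(":")
        if not host or (port and not port.isdigit()):
            raise ValueError(f"bad hosts entry {entry!r}")
        targets.append((host, int(port) if port else DEFAULT_PORT))
    return targets

# Attempts per server as documented above: (first server, each further server).
ATTEMPTS = {"UDP": (28, 27), "TCP": (3, 1)}

def attempt_order(targets, proto, total):
    """Return the (ip, port) targeted by each of the first `total` attempts.
    Assumption: after the last server the documented counts start over at the first one."""
    if not targets:
        raise ValueError("hosts list is empty")
    first, rest = ATTEMPTS[proto]
    order = []
    while len(order) < total:
        for idx, target in enumerate(targets):
            order.extend([target] * (first if idx == 0 else rest))
    return order[:total]
```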