CLI command: Openvpn

notempty Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!
notempty Der Artikel für die neueste Version steht hier

notempty Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht

Syntax of the CLI command openvpn

Last adaptation to the version: 12.0

notemptyThis article refers to a Beta version

v11

If multiple values are passed for a parameter, the values must be enclosed in square brackets with a space(!) between [ . Example: openvpn push_subnet new openvpn_id 4711 push_subnet [ 192.168.176.0/24 192.168.176.1/24 ]

If no values are to be passed for a parameter, two square brackets must be used. Example openvpn set id "4711" remote [ ]

Command	Parameter	Description	Example
openvpn openvpn delete openvpn delete	id	Remove an SSL-VPN connection. The id parameter is required	openvpn delete id "6"
openvpn get openvpn get	-	List the SSL-VPN connections	openvpn get
openvpn new openvpn new		Creates a new SSL-VPN connection	openvpn new name "RW-Verbindung" mode "SERVER" proto "UDP" auth "LOCAL" cert "Server_cert" pool "192.168.250.0/24" mtu "1500" interface "tun0" local_port "1194" reneg "3600" push_subnet "192.168.175.0/24" dh_size "2048"
	id	Identification number of the connection
	name	Name of the connection
	mode	Mode Server or Client
	proto	Protocol used for the connection UDP or' TCP
	auth	Authentication method. None, local or' radius
	cert	Server certificate that is used for this connection
	dh_size	Size of the Diffie Hellman key
	mtu	Size of the data packets
	pool	Transfer network that is used for this TUN connection e.g. 192-168.250.0/24
	flags	DISABLED if this connection is not to be used, MULTIHOME if several WAN connections are available, LZO compression, PUSH_DNS for the IP of the DNS server, PUSH_WINS for the IP of the Wins server
	local_addr	IP of the interface to be used for the connection
	local_port	Port used for this connection e.g. 1194
	remote	Remote address via which the site-to-site client should establish the connection to the server
	max_clients	Maximum number of clients in this connection
	interface	The TUN interface to be used
	push_subnet_id	Identification number of the internal subnet of the server side to be transferred
	push_subnet	IP address of the subnet
openvpn set openvpn set	id	Modifies an SSL-VPN connection. The id parameter is required. The other parameters and their syntax are identical when using the command openvpn new	openvpn set id "1" cert "Neues-Server_cert"
openvpn export openvpn export	user	Exports the user data of a user.	openvpn export user "Benutzername" type "config"
openvpn status openvpn status	-	Lists the connection status of the individual SSL-VPN instances	openvpn status
openvpn disconnect openvpn disconnect		Terminates an SSL-VPN connection to a client	openvpn disconnect name "RW_Test" c_name "vpnuser"
	name	Name of the relevant connection
	c_came	Name of the relevant client
openvpn update openvpn update	-	Updates all SSL-VPN instances	openvpn update
openvpn cipher openvpn cipher get_available openvpn cipher get_available
openvpn digest_algorithm openvpn digest_algorithm get_available openvpn digest_algorithm get_available
openvpn push_subnet openvpn push_subnet new openvpn push_subnet new		Creates a new subnet	openvpn push_subnet new openvpn_id "3" push_subnet 192.168.176.0/24
	openvpn_id	Identification number of the connection
	push_subnet	IP address of the subnet
openvpn push_subnet delete openvpn push_subnet delete		Deletes an existing subnet entry	openvpn push_subnet delete openvpn_id "3" push_subnet_id 15
	openvpn_id	Identification number of the connection
	push_subnet_id	Identification number of the internal subnet of the server side to be transferred
openvpn remote openvpn remote get openvpn remote get	-	Lists the SSL-VPN remote profiles	openvpn remote get
openvpn remote new openvpn remote new		Creating a new SSL-VPN remote profile	openvpn remote new name "Client1" common_name "Client_cert" tunnel_addr "192.168.250.10/24" subnets "192.168.176.0/24"
	id	Identification number of the site to site client connection
	openvpn_id
	name	Name of the site to site connection
	common_name	Client certificate used for this connection
	tunnel_addr	IP address of the TUN interface on the client side
	hosts	Public address at which the SSL-VPN server can be reached
	subnets	Internal network on the client side
	push_subnets	Internal network on the server side
openvpn remote set openvpn remote set	id	Change SSL-VPN remote profiles. The id parameter is required. The other parameters and their syntax are identical when using the command openvpn remote new	openvpn remote set id "3" tunnel_addr "192.168.250.2/24"
openvpn remote delete openvpn remote delete	id	Deletes an existing SSL-VPN remote profile. The id parameter is required.	openvpn remote delete id "3"
openvpn option openvpn option get openvpn option get		option get
	id
	name
	value
	description

Create new connection

Create TUN interface + zone

interface new name "tun0" type "TUN"
interface zone new name "vpn-openvpn-server_conn" interface tun0}}

Create certificates

cert new common_name "myCA" 
cert new common_name "Server_cert" issuer_id 130
cert new common_name "Client_cert" issuer_id 130

id |common_name|bits|valid_since        |valid_till         |issuer|flags |status
---+-----------+----+-------------------+-------------------+------+------+------
130|myCA       |1024|2011-08-25-10-41-16|2012-08-24-10-41-16|myCA  |KEY,CA|OK    
131|Server_cert|1024|2011-08-25-10-41-43|2012-08-24-10-41-43|myCA  |KEY   |OK    
132|Client_cert|1024|2011-08-25-10-42-04|2012-08-24-10-42-04|myCA  |KEY   |OK

For a site-to-site connection, the CA and the client_cert must then be exported.

cert export x509 id 130
cert export x509 id 132

Define Openvpn remote profiles

Define Openvpn remote profiles (only for site-to-site connections)

Server site

openvpn remote new name "Client1" common_name "Client_cert" tunnel_addr "192.168.250.10" subnets 192.168.176.0/24

Server site

openvpn remote new name "s2s-Server" hosts 192.168.4.143

Create Openvpn connection

Roadwarrior

openvpn new name "RW-Verbindung" mode "SERVER" proto "UDP" auth "LOCAL" cert "Server_cert" pool "192.168.250.0/24" mtu "1500" interface "tun0" local_port "1194" reneg "3600" push_subnet "192.168.175.0/24" dh_size "2048"

Site to Site

Import certificates
Server site

openvpn new name "s2s-conn" mode "SERVER" proto "UDP" auth "NONE" cert "Server_cert" dh_size "2048" mtu "1400" pool "192.168.250.0/24" interface tun0

Client site

openvpn new name "s2s-client" mode "CLIENT" proto "UDP" auth "NONE" cert "Client_cert" dh_size "2048" mtu "1400" interface "tun0" remote s2s-Server

notempty

Pools may not be assigned more than once
The local_port must not be used more than once (per interface)
A Tun interface may not be used more than once

Multiple OpenvpnServer

Several Openvpn servers can be transferred via the remote profiles, e.g:

openvpn remote set id 2 hosts 192.168.4.143,192.168.176.1

firewall.foo.local> openvpn remote get 
id|name            |hosts                      
--+----------------+---------------------------
2 |remote_sslserver|192.168.4.143,192.168.176.1

If no ports are specified, the default port 1194 is used.
If other ports are to be used, these can be specified after the IP with a preceding colon.

firewall.foo.local> openvpn remote set id 2 hosts 192.168.4.143:1195,192.168.176.1:1196

id|name            |hosts                             
--+----------------+----------------------------------
2 |remote_sslserver|192.168.4.143:1195,192.168.176.1:1196

An attempt is first made to establish a connection to 192.168.4.143 (28 connection attempts with UDP / 3 attempts with TCP).
If no connection can be established to 192.168.4.143, an attempt is made to establish a connection to 192.168.176.1 (27 connection attempts for UDP / 1 attempt for TCP).
If it is also not possible to establish a connection to 192.168.176.1, an attempt is made to establish a connection to 192.168.4.143 again.

openvpn

openvpn delete

openvpn get

openvpn new

openvpn set

openvpn export

openvpn status

openvpn disconnect

openvpn update

openvpn cipher

openvpn cipher get_available

openvpn digest_algorithm

openvpn digest_algorithm get_available

openvpn push_subnet

openvpn push_subnet new

openvpn push_subnet delete

openvpn remote

openvpn remote get

openvpn remote new

openvpn remote set

openvpn remote delete

openvpn option

openvpn option get