OpenVPN server & client

The steps in this article require using the web interface of a 2N device. Please follow this manual in case this is your first time using the web interface.

 

This guide describes connecting 2N IP intercom, 2N LTE intercom or 2N Access Unit to the user’s remote LAN by OpenVPN server.

 

Disclaimer

 

Please note that this guide and its content are provided "as is" without warranty of any kind, express or implied. By using it you agree that you are aware of the content's functionality, limitations and consequences, and you acknowledge that the guide is provided for a limited purpose.

 

2N TELEKOMUNIKACE a.s. shall not be held liable for function limitations, security limitations or damage, if any, incurred as a result of using this guide.

 

Please also note that other Linux distributions or versions may not accept all commands shown in this guide; 2N TELEKOMUNIKACE a.s. does not provide support for Linux.


Prerequisites

  • 2N IP Intercom / 2N LTE Intercom / 2N Access Unit with the latest firmware
    no additional license is required

  • Linux PC with these applications installed:
    • openvpn (server)
    • stunnel4
    • bridge-utils
    • lshw

  • Network requirements:
    • A public IP address on the router of the local network where the OpenVPN server is located, reachable from the Internet, with the possibility of forwarding TCP port 443 to the LAN (placing the OpenVPN server in a DMZ is optional).

    • A DHCP server on the local network where the OpenVPN server is located; it hands out the addresses the VPN-connected 2N devices will use.
    • A network controller compatible with Intel PRO/1000T Server, with promiscuous mode enabled (the bridge needs the NIC to receive frames addressed to the VPN clients' MAC addresses, not only to its own).

  • IT knowledge requirements:

    • bash scripting,
    • certificates, 
    • Linux command line (bash),
    • networking,
    • SSL,
    • VPN

 

 

Technical network information

  • The solution is designed for OpenVPN installed on Linux.

  • The 2N OpenVPN server is designed to connect 2N devices exclusively;
    3rd-party devices or software may not be able to connect properly.

  • The connection creates a network bridge, so the 2N device is reachable exactly as if it were in the local network and can be used as usual (calls, video from its IP camera, connection to 2N Access Commander, etc.).

    A device that is already in the same local network as the OpenVPN server does not need to connect to the VPN, because all devices connected over the VPN receive local network IP addresses from the local DHCP server.

OpenVPN topology

  • The 2N device obtains an IP address from the DHCP server of the local network where the OpenVPN server is,
    uses link-layer protocols such as ARP, can send broadcasts, and so on.

  • The VPN connection is carried inside a stunnel TLS tunnel for an additional layer of security. In this design stunnel is the security boundary: it terminates TLS on port 443 and requires a client certificate, while the OpenVPN data channel inside it is configured with auth none and cipher none and is bound to 127.0.0.1 only, so it must never be reachable except through stunnel.

  • If you cannot put the OpenVPN server machine in a DMZ and have to use the standard LAN with a private address, set up port forwarding so that incoming connections from the Internet reach the OpenVPN server machine, and allow that traffic on the router's firewall.
    • Configure the local network on its router: set a DHCP reservation for the OpenVPN server (virtual) machine based on the MAC address of its Ethernet port, so that the DHCP server always assigns it the same IP address.

    • Configure port forwarding if needed: forward the public port to TCP port 443 on the IP address reserved for the OpenVPN server.

    • Choose a public TCP port number above 1024 to avoid using privileged ports.

OpenVPN - port forwarding



2N OpenVPN server installation

All examples shown in this article are for Debian 10 and must be run with root privileges: either log in as root or use sudo.

  • On the Linux machine, install stunnel4, openvpn, bridge-utils and lshw from the command line.

    apt-get install -y stunnel4 openvpn bridge-utils lshw >/dev/null


  • Create the certificates for OpenVPN. You need a server certificate and key, a CA certificate and an intercom (client) certificate with its key, and each of them must be placed in the correct folder for stunnel, OpenVPN and the intercoms.

    You can do this manually or use the script below. The script generates a new, unique set of certificates each time it is run and writes them to /tmp/certs, then copies the required files to the stunnel and OpenVPN folders. It also copies the CA certificate and the client certificate and key for IP Intercoms / Access Units to /root/certs, from where you can download them. Note that /tmp/certs is not deleted afterwards and still contains all private keys, readable by every local user under the default umask; remove it once you have verified the result.

    To make the script runnable, save it as a .sh file with UNIX line endings (LF) and UTF-8 encoding, upload it and run chmod a+x on it.

    In the example script the CA key (ca.key) is protected with the password Test1234 (the PASS variable); the server and intercom keys are written unencrypted (-nodes). For production, generate your own certificates with your own password and settings and treat this script as a reference only. 2N TELEKOMUNIKACE a.s. holds no responsibility if the example certificates are not secure enough.

    #!/bin/bash
    ################################################################################
    # Settings #
    ################################################################################
    # Certificates
    C_C="" # Country Name (2 letter code)
    C_ST="" # State or Province Name
    C_L="" # Locality Name
    C_O="" # Organization Name
    C_OU="" # Organizational Unit Name
    C_CN="" # Common Name
    ################################################################################
    VERSION=1.0
    ################################################################################
    print_step()
    {
        echo -n "${1} ... "
    }
    print_ok()
    {
        echo "[ OK ]"
    }
    check_error()
    {
        if [ $1 -ne 0 ]; then
            echo
            echo
            echo
            echo "Error: $2"
            echo
            exit $1
        fi
    }
    print_step "Generating certificates"
    TMP_CERTS=/tmp/certs
    EC=prime256v1
    EC_PARAMS=ec-${EC}-params.crt
    PASS=Test1234
    rm -rf ${TMP_CERTS}
    mkdir ${TMP_CERTS}
    check_error $? "can't generate certificates"
    touch ${TMP_CERTS}/index.txt ${TMP_CERTS}/index.txt.attr
    check_error $? "can't generate certificates"
    echo "01" > ${TMP_CERTS}/serial.txt
    check_error $? "can't generate certificates"
    cat <<EOF >${TMP_CERTS}/openssl.cnf
    [ ca ]
    default_ca = CA_default
    [ CA_default ]
    database = ${TMP_CERTS}/index.txt
    serial = ${TMP_CERTS}/serial.txt
    policy = policy_default
    [ policy_default ]
    commonName = supplied
    EOF
    check_error $? "can't generate certificates"
    openssl ecparam -name ${EC} -out ${TMP_CERTS}/${EC_PARAMS} &>/dev/null
    check_error $? "can't generate certificates"
    subj="/C=${C_C}/ST=${C_ST}/L=${C_L}/O=${C_O}/OU=${C_OU}/CN=${C_CN:-Certificate Authority}"
    openssl req -subj "${subj}" \
    -passout pass:${PASS} \
    -new -x509 -newkey ec:${TMP_CERTS}/${EC_PARAMS} \
    -days 3650 -sha256 \
    -keyout ${TMP_CERTS}/ca.key -out ${TMP_CERTS}/ca.crt \
    &>/dev/null
    check_error $? "can't generate certificates"
    subj="/C=${C_C}/ST=${C_ST}/L=${C_L}/O=${C_O}/OU=${C_OU}/CN=${C_CN:-Server Certificate}"
    openssl req -subj "${subj}" \
    -new -nodes -newkey ec:${TMP_CERTS}/${EC_PARAMS} \
    -keyout ${TMP_CERTS}/server.key -out ${TMP_CERTS}/server.csr \
    &>/dev/null
    check_error $? "can't generate certificates"
    subj="/C=${C_C}/ST=${C_ST}/L=${C_L}/O=${C_O}/OU=${C_OU}/CN=${C_CN:-Intercom Certificate}"
    openssl req -subj "${subj}" \
    -new -nodes -newkey ec:${TMP_CERTS}/${EC_PARAMS} \
    -keyout ${TMP_CERTS}/intercom.key -out ${TMP_CERTS}/intercom.csr \
    &>/dev/null
    check_error $? "can't generate certificates"
    openssl ca -config ${TMP_CERTS}/openssl.cnf \
    -passin pass:${PASS} \
    -cert ${TMP_CERTS}/ca.crt -keyfile ${TMP_CERTS}/ca.key \
    -outdir ${TMP_CERTS} -days 3650 -md sha256 -batch \
    -in ${TMP_CERTS}/server.csr -out ${TMP_CERTS}/server.crt \
    &>/dev/null
    check_error $? "can't generate certificates"
    openssl ca -config ${TMP_CERTS}/openssl.cnf \
    -passin pass:${PASS} \
    -cert ${TMP_CERTS}/ca.crt -keyfile ${TMP_CERTS}/ca.key \
    -outdir ${TMP_CERTS} -days 3650 -md sha256 -batch \
    -in ${TMP_CERTS}/intercom.csr -out ${TMP_CERTS}/intercom.crt \
    &>/dev/null
    check_error $? "can't generate certificates"
    print_ok
    ################################################################################
    rm -rf /etc/stunnel/keys
    mkdir /etc/stunnel/keys
    cp ${TMP_CERTS}/ca.crt /etc/stunnel/keys/ca.crt
    check_error $? "can't set stunnel service"
    cat ${TMP_CERTS}/server.crt >/etc/stunnel/keys/server.pem
    check_error $? "can't set stunnel service"
    cat ${TMP_CERTS}/server.key >>/etc/stunnel/keys/server.pem
    check_error $? "can't set stunnel service"
    rm -rf /etc/openvpn/server/keys
    mkdir /etc/openvpn/server/keys
    cp ${TMP_CERTS}/ca.crt /etc/openvpn/server/keys/ca.crt
    check_error $? "can't set openvpn service"
    cp ${TMP_CERTS}/server.crt /etc/openvpn/server/keys/server.crt
    check_error $? "can't set openvpn service"
    cp ${TMP_CERTS}/server.key /etc/openvpn/server/keys/server.key
    check_error $? "can't set openvpn service"
    rm -rf /root/certs
    mkdir /root/certs
    cp ${TMP_CERTS}/ca.crt /root/certs
    check_error $? "can't copy intercom certificates"
    cp ${TMP_CERTS}/intercom.key /root/certs
    check_error $? "can't copy intercom certificates"
    cp ${TMP_CERTS}/intercom.crt /root/certs
    check_error $? "can't copy intercom certificates"

 

  • Configure stunnel from the command line. stunnel terminates TLS on port 443 and forwards the decrypted stream to OpenVPN on 127.0.0.1:1194; verify = 2 makes it require a client certificate signed by ca.crt, so this is where the 2N devices are authenticated.

    cat <<EOF >/etc/stunnel/stunnel.conf

    [openvpn]
    ; listen on TCP 443 (all interfaces), forward to OpenVPN on localhost
    accept = 443
    connect = 1194
    ; verify = 2: the peer must present a certificate signed by CAfile
    CAfile = /etc/stunnel/keys/ca.crt
    cert = /etc/stunnel/keys/server.pem
    verify = 2
    EOF

 

  • Configure the OpenVPN service from the command line. Note that the data channel is configured with auth none and cipher none: OpenVPN itself adds no encryption or integrity protection, and any username/password the client sends is accepted (auth-user-pass-verify /bin/true). Confidentiality and client authentication come from the stunnel TLS layer, which is why OpenVPN binds to 127.0.0.1 only.

    cat <<EOF >/etc/openvpn/server/server.conf

    # reachable only from stunnel on this host
    local 127.0.0.1
    # bridge mode without an address pool: clients get addresses from the LAN DHCP server
    server-bridge
    dev tap
    proto tcp-server
    port 1194
    ca /etc/openvpn/server/keys/ca.crt
    cert /etc/openvpn/server/keys/server.crt
    key /etc/openvpn/server/keys/server.key
    # ECDH key exchange only, no DH parameters needed
    dh none
    tun-mtu 1500
    # script-security 2 is required to run the up/down scripts below
    script-security 2
    # accept any username/password; authentication is by client certificate
    auth-user-pass-verify /bin/true via-file
    client-to-client
    # all 2N devices share one client certificate, so the same CN connects many times
    duplicate-cn
    # no data-channel HMAC or cipher: encryption is provided by stunnel
    auth none
    cipher none
    up "/etc/openvpn/server/up.sh"
    down "/etc/openvpn/server/down.sh"
    verb 0
    EOF

  

  • Create the scripts for the OpenVPN service and give them the proper file rights from the command line. OpenVPN calls up.sh with the TAP device name as the first argument and the MTU as the second; the scripts bridge the LAN interface (ETH) and the TAP interface into br0 and move the host's DHCP lease onto the bridge.

    cat <<EOF >/etc/openvpn/server/up.sh

    #!/bin/bash
    # called by OpenVPN as: up.sh <tap-device> <tun-mtu> ...
    TAP="\${1}"
    MTU="\${2}"
    . /etc/openvpn/server/settings.sh
    # release the lease on the physical interface; the bridge will take it over
    dhclient -x \${ETH}
    ip link set \${ETH} promisc on mtu \${MTU}
    ip link set \${TAP} promisc on mtu \${MTU} up
    brctl addbr \${BR}
    # forwarding delay 0: bridge ports start forwarding immediately
    brctl setfd \${BR} 0
    brctl addif \${BR} \${ETH} \${TAP}
    dhclient \${BR}
    EOF

    chmod +x /etc/openvpn/server/up.sh

    cat <<EOF >/etc/openvpn/server/down.sh

    #!/bin/bash
    . /etc/openvpn/server/settings.sh
    # tear the bridge down and give the lease back to the physical interface
    dhclient -x \${BR}
    ip link set \${BR} down
    brctl delbr \${BR}
    ip link set \${ETH} promisc off
    dhclient \${ETH}
    EOF

    chmod +x /etc/openvpn/server/down.sh

    Detect the name of the LAN interface first (the first network device lshw lists) and verify it with echo ${ETH}. The assignment must run in your shell, outside the heredoc, so that the detected name, and not an empty string, ends up in settings.sh.

    ETH=$(lshw -quiet -class network -short | awk '/^\/0\//{print $2}')

    cat <<EOF >/etc/openvpn/server/settings.sh

    ETH=${ETH}
    BR=br0
    EOF

    chmod +x /etc/openvpn/server/settings.sh

 

  • Bridge the network traffic properly from the command line.
    Do not run the commands in this step over SSH: they bring the ETH interface down, which will drop your connection. ${ETH} below must hold the name of the LAN interface written into settings.sh (set it in your shell first if it is not). The interface is switched to inet manual because, once OpenVPN is up, the bridge br0 and not the interface itself holds the DHCP lease.

    sed -i 's/inet dhcp/inet manual/' /etc/network/interfaces

    sed -i '/br0/d' /etc/network/interfaces

    cat <<EOF >>/etc/network/interfaces

    # openvpn bridge br0
    allow-hotplug br0
    iface br0 inet manual
    EOF

    ifdown ${ETH} &>/dev/null

    ifup ${ETH} &>/dev/null

    systemctl enable stunnel4.service &>/dev/null

    systemctl enable openvpn-server@server.service &>/dev/null
  
  • Restart OpenVPN and the associated services from the command line.

    systemctl restart openvpn-server@server.service

    systemctl restart stunnel4.service

 

  • Check that the stunnel and openvpn services are listening from the command line; otherwise repeat the previous step.
    You should see stunnel4 listening on *:443 (lsof may show the port as https) and openvpn on localhost:1194 only (shown as openvpn).

    lsof -i 4
 
  • If a firewall is installed, allow TCP port 443 from the command line. (The example configuration uses the TCP protocol for OpenVPN.)
    OpenVPN's own port 1194 is bound to 127.0.0.1 and is reached only through stunnel, so it does not need to be opened towards the network; the 1194 rule below is harmless but not required.

    ufw allow 1194/tcp

    ufw allow 443/tcp

    systemctl restart ufw
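Once the services are up, the following script checks the three things that matter in this setup: that the certificates in /tmp/certs (left behind by the certificate script above) form a valid chain and that each key belongs to its certificate; that stunnel accepts 443 on all interfaces while OpenVPN, which runs with auth none and cipher none, listens on 127.0.0.1 only; and that the bridge br0 has both the LAN interface and the TAP interface enslaved in promiscuous mode. It is an added example written for this article, not part of the 2N guide or its scripts. It assumes the guide's names (br0, /tmp/certs, the ca/server/intercom file names) and that OpenVPN's TAP device is tap0; the sysfs root and the ss output are parameters so the same checks can be run against saved output.

```shell
#!/bin/bash
# Added example, not code from the 2N guide: post-install checks for the server
# configured above. Assumes the guide's layout (/tmp/certs left behind by the
# certificate script, bridge br0, OpenVPN TAP device tap0) and a GNU/Linux host
# with openssl, ss (iproute2) and sysfs on /sys.

# check_pair CA CERT KEY: CERT must chain to CA and KEY must be CERT's private key.
check_pair() {
    local ca="$1" cert="$2" key="$3" pk_cert pk_key
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert does not verify against $ca"; return 1; }
    pk_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    # -passin pass: stops openssl from prompting should the key be encrypted
    pk_key=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null </dev/null)
    [ -n "$pk_key" ] || { echo "key: cannot read $key (encrypted or malformed)"; return 1; }
    [ "$pk_cert" = "$pk_key" ] || { echo "mismatch: $key is not the key for $cert"; return 1; }
}

# check_bundle DIR: validate everything the certificate script wrote to DIR.
check_bundle() {
    local dir="$1" rc=0 c
    check_pair "$dir/ca.crt" "$dir/intercom.crt" "$dir/intercom.key" || rc=1
    check_pair "$dir/ca.crt" "$dir/server.crt" "$dir/server.key" || rc=1
    for c in ca server intercom; do
        # -checkend N fails when the certificate expires within N seconds (30 days here)
        openssl x509 -in "$dir/$c.crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 \
            || { echo "expiry: $c.crt expires within 30 days"; rc=1; }
    done
    # the guide's script encrypts ca.key (PASS) and writes the other keys with -nodes
    grep -q ENCRYPTED "$dir/ca.key" 2>/dev/null || echo "note: $dir/ca.key is not passphrase-protected"
    return $rc
}

# check_listeners  (reads "ss -ltnH" output on stdin)
# stunnel must accept 443 on all interfaces; OpenVPN runs with auth none /
# cipher none and must therefore be bound to 127.0.0.1 only, reachable solely
# through stunnel.
check_listeners() {
    local state rq sq addr rest host port ok443=0 seen1194=0 bad1194=0
    while read -r state rq sq addr rest; do
        port=${addr##*:}
        host=${addr%:*}
        case "$port" in
            443)  case "$host" in 0.0.0.0|'*'|'[::]') ok443=1 ;; esac ;;
            1194) seen1194=1
                  case "$host" in
                      127.0.0.1|'[::1]') ;;
                      *) echo "openvpn: port 1194 exposed on $host"; bad1194=1 ;;
                  esac ;;
        esac
    done
    [ "$ok443" -eq 1 ] || echo "stunnel: nothing listening on 443 for all interfaces"
    [ "$seen1194" -eq 1 ] || echo "openvpn: nothing listening on 1194"
    [ "$ok443" -eq 1 ] && [ "$seen1194" -eq 1 ] && [ "$bad1194" -eq 0 ]
}

# check_bridge SYSFS BR ETH TAP: both ports must be enslaved to BR and in
# promiscuous mode, otherwise the NIC drops frames addressed to the VPN clients'
# MAC addresses. SYSFS is a parameter so the check can run against a saved tree.
check_bridge() {
    local sysfs="$1" br="$2" eth="$3" tap="$4" rc=0 ifc flags
    [ -d "$sysfs/class/net/$br" ] || { echo "bridge $br does not exist"; return 1; }
    for ifc in "$eth" "$tap"; do
        [ -d "$sysfs/class/net/$br/brif/$ifc" ] || { echo "$ifc is not a port of $br"; rc=1; }
        flags=$(cat "$sysfs/class/net/$ifc/flags" 2>/dev/null || echo 0)
        # IFF_PROMISC is bit 0x100 of the interface flags
        [ $((flags & 0x100)) -ne 0 ] || { echo "$ifc: promiscuous mode is off"; rc=1; }
    done
    return $rc
}

# verify_server ETH [TAP]: run all three checks on the live system.
verify_server() {
    local eth="$1" tap="${2:-tap0}" rc=0
    check_bundle /tmp/certs || rc=1
    ss -ltnH | check_listeners || rc=1
    check_bridge /sys br0 "$eth" "$tap" || rc=1
    return $rc
}
```

Source the file and run verify_server with the LAN interface name (the ETH value from settings.sh); an exit status of 0 means all checks passed, and each failing check prints one line saying what is wrong. After the bundle check passes, delete /tmp/certs: it still holds the unencrypted server and intercom private keys.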

 

 

Connect 2N device to 2N OpenVPN server

Upload the certificates downloaded from the OpenVPN server to the 2N device and configure the OpenVPN connection on the device. The same client certificate and key are used for every 2N device connecting to this VPN (the server has duplicate-cn for this reason). Keep in mind that this gives all devices one shared identity: a key extracted from any one device grants access for all of them, and since neither stunnel nor OpenVPN is configured with a revocation list here, a leaked intercom key can only be invalidated by issuing a new CA and certificates and updating every device. After a successful connection the 2N device receives a DHCP address from the local network where the 2N OpenVPN server is and appears in that network as a local device.

  • Go to the web interface of the 2N device you want to connect to the 2N OpenVPN server over the Internet, section System - Certificates.
    Upload the ca.crt file to CA Certificates, and upload the intercom.crt and intercom.key files to User Certificates.

2N IP Intercom - System - Certificates - CA Certificates

2N IP Intercom - System - Certificates - CA Certificates - Certificate Upload

2N IP Intercom - System - Certificates - User Certificates

2N IP Intercom - System - Certificates - User Certificates - Certificate Upload

 

  • Go to section System - Network - OpenVPN,
    enable it, set the following and save.

    • Default Interface: No

      Set to Yes if the 2N device connected via the VPN is supposed to communicate with networks beyond the local network reached over the VPN (i.e. its default route should go through the VPN).
      Otherwise the 2N device routes such traffic via its own Internet connection and not through the VPN.

    • Server Address: the public IP address of the router behind which the 2N OpenVPN server is

    • Server Port: the public port forwarded on that router to the OpenVPN server (for example 1443)

    • Trusted Certificate: select the uploaded CA certificate (ca.crt)

    • Client Certificate: select the uploaded user certificate (intercom.crt)

2N IP Intercom - System - Network - OpenVPN

Press Start button to connect to 2N OpenVPN server.

2N IP Intercom - System - Network - OpenVPN - Start
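Before or after pressing Start, you can exercise the server from any Linux machine with openssl, using the same three files you upload to the intercom. The functions below are an added example written for this article, not 2N code: tls_probe does what the device does (a TLS handshake on the public port with the intercom certificate, verifying the server against ca.crt), stunnel_requires_client_cert confirms that a connection without a client certificate is rejected, which is the only authentication this design has, and tls_summary reduces the s_client output to the lines worth reading. HOST, PORT and the certificate directory are parameters; the 203.0.113.10:1443 in the usage comment is a placeholder.

```shell
#!/bin/bash
# Added example, not code from the 2N guide: probe the stunnel front end from any
# Linux machine with openssl, the way a 2N device does (TLS with a client
# certificate). DIR holds the three files the guide has you upload to the device:
# ca.crt, intercom.crt and intercom.key.

# tls_probe HOST PORT DIR
# 0 when a TLS session was established with the intercom certificate and the
# server certificate verified against ca.crt. Raw s_client output is left in
# PROBE_OUT for inspection (see tls_summary).
tls_probe() {
    local host="$1" port="$2" dir="$3"
    # -verify_return_error: a server certificate that does not chain to ca.crt
    # fails the connection instead of only printing a warning; stdin from
    # /dev/null closes the session as soon as the handshake is done.
    PROBE_OUT=$(timeout 10 openssl s_client -connect "$host:$port" \
        -CAfile "$dir/ca.crt" -verify_return_error \
        -cert "$dir/intercom.crt" -key "$dir/intercom.key" </dev/null 2>&1) \
    && printf '%s\n' "$PROBE_OUT" | grep -q 'Verify return code: 0 (ok)'
}

# stunnel_requires_client_cert HOST PORT DIR
# 0 when a connection WITHOUT a client certificate is rejected by the server with
# a TLS alert, which is what 'verify = 2' in stunnel.conf must produce. With TLS
# 1.3 the alert arrives after the client's side of the handshake has finished,
# so -ign_eof keeps s_client reading until the server closes the connection.
stunnel_requires_client_cert() {
    local host="$1" port="$2" dir="$3"
    PROBE_OUT=$(timeout 10 openssl s_client -connect "$host:$port" \
        -CAfile "$dir/ca.crt" -ign_eof </dev/null 2>&1) || true
    printf '%s\n' "$PROBE_OUT" | grep -q 'alert'
}

# tls_summary TEXT: reduce s_client output to "protocol|server subject|verify result"
tls_summary() {
    local text="$1" proto subj verify
    proto=$(printf '%s\n' "$text" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    subj=$(printf '%s\n' "$text" | sed -n 's/^subject=//p' | head -n 1)
    verify=$(printf '%s\n' "$text" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    printf '%s|%s|%s\n' "$proto" "$subj" "$verify"
}

# Example session against a server published on 203.0.113.10:1443 (placeholder
# address and port, substitute your own):
#   tls_probe 203.0.113.10 1443 /root/certs && tls_summary "$PROBE_OUT"
#   stunnel_requires_client_cert 203.0.113.10 1443 /root/certs && echo "client certificate enforced"
```

If tls_probe succeeds but stunnel_requires_client_cert fails, the server accepts anyone who can reach port 443 and hands them a plaintext OpenVPN session; re-check CAfile and verify = 2 in stunnel.conf before connecting any device.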

 

 
