
VPN Server Configuration Guide

Version 1.3

Date: November 14, 2016

Yeastar Information Technology Co. Ltd.



Contents

Introduction
  Main Steps to Configure VPN
  In This Guide
Install OpenVPN
Generate Certificates and Keys
  Key Files
Setup OpenVPN Server on S-Series PBX
Access the OpenVPN Server via Windows PC
Access the OpenVPN Server via Android Phone
Connect Two S-Series PBXs via VPN Network
Manage VPN Clients
  Clients List
  Username/Password Authentication


Introduction
A Virtual Private Network (VPN) allows you to traverse networks privately and securely as if you
were on a private network. The VPN Server application on Yeastar S-Series PBX helps you
configure the PBX as a VPN server. You can set up multiple VPN clients to access the Yeastar S-Series
VPN server securely.

Note:
• Yeastar S-Series PBX supports OpenVPN.
• VPN Server App is supported on S-Series PBX version 30.2.0.8 or later.

Main Steps to Configure VPN

STEP 1. Set up certificates and keys for OpenVPN server and multiple clients. (In this guide, we will
introduce how to make the certificates and keys on Windows PC.)
STEP 2. Make configurations for OpenVPN server and clients.

In This Guide

This guide explains how to set up an OpenVPN server on the S100 and how to access the
S100 from multiple clients:
• Windows PC
• Android phone
• Another S-Series PBX – S20


Install OpenVPN
To begin, we need to install OpenVPN on our Windows PC. After installing OpenVPN, we will get the
sample configuration files and make the OpenVPN keys and certificates.

Check the OpenVPN installer download links below:

• Installer (32-bit), Windows XP
• Installer (64-bit), Windows XP
• Installer (32-bit), Windows Vista and later
• Installer (64-bit), Windows Vista and later

Note:
• Remember that OpenVPN will only run on Windows XP or later. Also note that OpenVPN
must be installed and run by a user who has administrative privileges.

STEP 1. Double click the OpenVPN installer to start installing.


STEP 2. Click Next.


STEP 3. Click I Agree.

STEP 4. Check OpenSSL Utilities and OpenVPN RSA Certificate Management Scripts, click
Next.


STEP 5. Choose the install location. Here we install OpenVPN in the destination folder D:\OpenVPN.
Click Install to start installing.

STEP 6. Click Finish.


Generate Certificates and Keys


After the OpenVPN installation, we can start making certificates and keys.

STEP 1. Change vars.bat.sample file.

Use Notepad to open the vars.bat.sample file under the %OpenVPN installation directory%\easy-rsa
folder. In this guide, we installed OpenVPN in the destination folder D:\OpenVPN, so the file is in
D:\OpenVPN\easy-rsa.

1) Change the HOME and KEY_SIZE variables as the following figure shows.

• Variable HOME is the easy-rsa folder path.
• Variable KEY_SIZE is the generated key size. Usually, we set the key size to 1024 or
2048. The default value is 1024; change it according to your needs.

2) You can also change the variables shown in the figure below. Later, when we make
certificates and keys, we will be asked to enter the registration information. If we change the
default variable values, we don’t have to enter the registration information every time.


STEP 2. Initialize the PKI (Public Key Infrastructure).

1) Open the Start Menu on Windows PC, type cmd and press Enter key to open Command
Prompt window.

2) Enter the %OpenVPN installation directory%\easy-rsa folder. In this guide, we installed OpenVPN in
the destination folder D:\OpenVPN, so we need to enter D:\OpenVPN\easy-rsa.

3) Type the following commands:

• init-config //* Initialize the configurations: copy the vars.bat.sample configurations to the vars.bat file. *//
• vars //* Use the variables we set in vars.bat.sample. *//
• clean-all //* Make sure we are operating in a clean environment. *//

STEP 3. Build root Certificate Authority (CA) certificate/key.

1) Execute command build-ca.


2) Enter the registration information.

Note:
• In the following sequence, most queried parameters default to the values set in the
vars.bat file. The only parameter which must be explicitly entered is the Common Name. In the
example below, we used “OpenVPN-CA”.


STEP 4. Generate certificate & key for server: build-key-server server.

As in the previous step, most parameters can be defaulted. When the Common Name is queried,
enter "server". Two other queries require positive responses, "Sign the certificate? [y/n]" and "1
out of 1 certificate requests certified, commit? [y/n]".


STEP 5. Generate certificate & key for clients by the command build-key client.

Here we make certificates and keys for 3 clients:

• build-key windows
• build-key android
• build-key s20

Note:
• Remember that for each client, make sure to type the appropriate Common Name when
prompted, i.e. “windows”, “android”, or “s20”. Always use a unique common name for each
client.


STEP 6. Generate Diffie Hellman parameters: build-dh.

Diffie-Hellman parameters MUST be generated for the OpenVPN server.


STEP 7. Generate ta.key: openvpn --genkey --secret keys/ta.key. (OPTIONAL)

The parameter keys/ta.key in the command means the generated file name and file path.

IMPORTANT
All of the commands above are executed in one Command Prompt window. If you open a
new Command Prompt window to execute commands (e.g. to create certificates for a new client),
note the following:
• You don’t need to execute the init-config command unless you edit the vars.bat.sample file again.
• Each time you open a new Command Prompt window, you need to execute the vars command first,
then execute other commands.

Key Files

Now we will find our newly generated keys and certificates in the easy-rsa/keys folder. You need to
copy the relevant files to the machines (server and clients) which need them. For different machines,
you will need different files:

Machine              Needed Files
S100 PBX (Server)    ca.crt, ca.key, dh1024.pem, server.crt, server.key, ta.key
Windows PC           ca.crt, windows.crt, windows.key, ta.key
Android Phone        ca.crt, Android.crt, Android.key, ta.key
S20 PBX (Client)     ca.crt, s20.crt, s20.key, ta.key


Setup OpenVPN Server on S-Series PBX


STEP 1. Log in to the S-Series web user interface, click Main Menu and enter App Center.

STEP 2. Find VPN Server and click Install to install the application. Once finished, click Main Menu;
you can see VPN Server there.

STEP 3. Click the VPN Server application and check the option Enable VPN Server.

STEP 4. Make the VPN server configurations. Here we use the default settings as the figure shows
below.

Check the description of VPN server configuration parameters below.


Option                      Description
Server Port                 Specify which TCP/UDP port OpenVPN should listen on. The default port is 1194.
Enable Compression          Whether to enable compression on the VPN link. If you enable it here, you must also enable it in the VPN client.
Protocol                    Choose the protocol: UDP or TCP.
Address pool                Define the address pool.
Subnet mask                 Set the subnet mask.
Global Traffic Forwarding   If enabled, this directive will configure all clients to redirect their default network gateway through the VPN, causing all IP traffic such as web browsing and DNS lookups to go through the VPN. (The OpenVPN server machine may need to NAT or bridge the TUN/TAP interface to the internet in order for this to work properly.)
Device Mode                 Choose the device mode. TUN: a TUN device is a virtual point-to-point IP link. TAP: a TAP device is a virtual Ethernet adapter. Note: Android clients don’t support TAP mode; set the device mode to TUN if you use an Android VPN client.
Encryption                  Choose the encryption method: BlowFish, AES-128, AES-256 or Triple-DES.
Key Length                  Set the key length. The value must be the same as the KEY_SIZE set in the vars.bat.sample file.
Maximum Number of Clients   Set the maximum number of clients that can connect to the VPN server.
Verification Mode           Select the verification mode of clients: CA Cert + Client Cert (recommended); CA Cert + Client Cert + Account & Password; CA Cert + Account & Password.

STEP 5. Upload certificates and keys.

Option               Description
CA Cert              Upload ca.crt.
Public Server Cert   Upload the VPN server certificate server.crt.
Private Server Key   Upload the VPN server key server.key.
DH PEM               Upload the DH file dh1024.pem. If the KEY_SIZE is set to 2048, then you should upload dh2048.pem.
Enable SSL/TLS       If enabled, please upload the ta.key file. If you enable SSL/TLS on the VPN server, you must also enable SSL/TLS on the VPN client, and upload ta.key in the client.

STEP 6. Click Save, you can see the VPN server status shows running.

STEP 7. Go to Resource Monitor > Network, check the VPN server status and the private IP
address. As the figure shows below, the VPN server IP address is 10.8.0.1.

STEP 8. Forward the VPN server port on the router which is connected to S100 PBX.
The default VPN Server port is 1194. Here we forward the internal port 1194 to remote port 5087.
Please do the port forwarding according to your network environment.


Access the OpenVPN Server via Windows PC


Now, we will set up our Windows PC as an OpenVPN client and access the OpenVPN server from the
Windows PC. Here, the S100 PBX (OpenVPN server) is set up in the head office, and we will access
the S100 from a Windows PC in the branch office.

STEP 1. Install OpenVPN on the Windows PC.

Refer to Install OpenVPN for details.

Note:
• An OpenVPN GUI will appear on the Windows desktop after the installation. We will use the
OpenVPN GUI to connect to the VPN server later.

STEP 2. Copy certificates and keys to config folder.

Copy the certificates and keys for the Windows PC to the %OpenVPN installation directory%\config folder. In
this guide, we installed OpenVPN in the destination folder D:\OpenVPN, so we copy the following
files to D:\OpenVPN\config.
• ca.crt
• windows.crt
• windows.key
• ta.key

STEP 3. Edit OpenVPN client configuration file for the Windows PC.

Go to D:\OpenVPN\sample-config, where we can find a sample file client.ovpn. Double click the file to edit it.
We need to change the configurations according to the VPN server. Check the figures below to see
what to edit in the configuration file.

Note:
• Comments are preceded with “#” or “;” in the configuration file.


Edit the cryptographic cipher according to the server setting.
cipher BF-CBC # BlowFish
cipher AES-128-CBC # AES-128
cipher AES-256-CBC # AES-256
cipher DES-EDE3-CBC # Triple-DES


STEP 4. Copy the client.ovpn file to config folder.

Now we have client configuration file, certificates and keys in the config folder.

STEP 5. Connect to the OpenVPN server.

1) Right click the OpenVPN GUI on the desktop, run as administrator.


2) Find the OpenVPN GUI in the bottom right corner, right click the icon, and click Connect.

3) Once connected, you can see the status shows as below.

STEP 6. Access S100 using the VPN IP address.

Now, we can access the S100 using the VPN IP address. In this guide, the VPN server address is
10.8.0.1. Type the IP address in the address bar of your browser and press Enter; the S100 login
page appears.


Access the OpenVPN Server via Android Phone


Now, we will set up our Android phone as an OpenVPN client and access the OpenVPN server from the
phone.

STEP 1. Install OpenVPN Connect application on the Android phone.

STEP 2. Create a folder in the Android phone SD card.

1) Connect the Android phone to a PC using USB cable, and open device to view files.
2) Create a folder in the SD card. Here we name the folder as “OpenVPN”.

STEP 3. Copy the certificates and keys to the created folder.

Copy the certificates and keys for Android to the OpenVPN folder:

• ca.crt
• Android.crt
• Android.key
• ta.key

STEP 4. Edit OpenVPN client configuration file for the Android phone.

Edit the sample file client.ovpn.

Where to get the sample file?


We have uploaded the sample configuration file on our website, click here to get the file.

Note:
• Comments are preceded with “#” or “;” in the configuration file.
• Android clients don’t support TAP device mode.

We need to change the configurations according to the VPN server’s settings. Check the figures
below to see what to edit in the configuration file.


Edit the cryptographic cipher according to the server setting.
cipher BF-CBC # BlowFish
cipher AES-128-CBC # AES-128
cipher AES-256-CBC # AES-256
cipher DES-EDE3-CBC # Triple-DES


STEP 5. Copy the client.ovpn file to OpenVPN folder.

Now we have client configuration file, certificates and keys in the OpenVPN folder.

STEP 6. Connect to the OpenVPN server.

1) Run OpenVPN Connect application on the Android phone.

2) Click the icon on the top right corner. Click Import > Import Profile from SD card.

3) Select client.ovpn file from OpenVPN folder. Click client.ovpn, then click SELECT.


4) Click Connect. If connected to the VPN server, you can see the status shows connected.

STEP 7. Access S100 using the VPN IP address.

Now, we can access the S100 using the VPN IP address. In this guide, the VPN server address is
10.8.0.1. Type the IP address in the address bar of your browser and press Enter; the S100 login
page appears.
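
The client.ovpn edits in the Windows and Android sections above have to mirror the server's settings: forwarded port, protocol, device mode, cipher, compression and ta.key. The Python check below is an added example, not part of the original guide or of Yeastar's software; it parses a client profile and lists every mismatch, and also flags BlowFish and Triple-DES as 64-bit block ciphers. The SERVER values, the sample profile and the address 203.0.113.10 are constructed for illustration, and comp-lzo and tls-auth are the standard OpenVPN 2.x directives for compression and ta.key.

```python
# Added example (not Yeastar's code). SERVER and SAMPLE are constructed values;
# 203.0.113.10 is a documentation address standing in for the S100's public IP.
SERVER = {"port": "5087", "proto": "udp", "dev": "tun", "cipher": "AES-256-CBC",
          "compression": True, "tls_auth": True}
WEAK_64BIT = {"BF-CBC", "DES-EDE3-CBC"}  # Blowfish and Triple-DES use 64-bit blocks

SAMPLE = """\
client
dev tap
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert windows.crt
key windows.key
;tls-auth ta.key 1
cipher BF-CBC   # BlowFish
"""


def parse_profile(text):
    """Return {directive: [args]}; a token starting with '#' or ';' begins a comment."""
    opts = {}
    for line in text.splitlines():
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            opts[tokens[0]] = tokens[1:]
    return opts


def lint(text, server=SERVER, android=False):
    """Return a list of mismatches between a client profile and the server."""
    o, issues = parse_profile(text), []
    cipher = (o.get("cipher") or ["BF-CBC"])[0]  # OpenVPN 2.3 default when unset
    remote = o.get("remote") or []
    if len(remote) < 2 or remote[1] != server["port"]:
        issues.append("port: remote must use forwarded port " + server["port"])
    for key in ("dev", "proto"):  # e.g. "tcp-client" still matches a TCP server
        if not (o.get(key) or [""])[0].startswith(server[key]):
            issues.append(key + ": server uses " + server[key])
    if android and (o.get("dev") or [""])[0].startswith("tap"):
        issues.append("dev: Android clients do not support TAP")
    if cipher != server["cipher"]:
        issues.append("cipher: server uses " + server["cipher"])
    if cipher in WEAK_64BIT:
        issues.append("cipher: " + cipher + " is a 64-bit block cipher")
    if ("comp-lzo" in o) != server["compression"]:
        issues.append("comp-lzo: compression must match the server")
    if ("tls-auth" in o) != server["tls_auth"]:
        issues.append("tls-auth: ta.key must be enabled on both sides")
    return issues
```

Running lint(SAMPLE) on the constructed profile reports six mismatches; a profile that matches SERVER returns an empty list.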


Connect Two S-Series PBXs via VPN Network


We can configure another S-Series PBX as a VPN client, and connect the two PBXs using VoIP
trunk via VPN network.

STEP 1. Enable OpenVPN feature on S20.

Go to Settings > System > Network > OpenVPN, check the option Enable OpenVPN. The S20 will
act as an OpenVPN client.

STEP 2. Configure the OpenVPN client settings on S20.

1) Choose Type as “Manual Configuration”.

2) Configure the client settings according to server settings.

• Server address: enter the public IP address of the S100.
• Server port: enter the forwarded OpenVPN server port on the router.
• Protocol: choose the same protocol as the server.
• Device Mode: choose the same mode as the server.
• Encryption: choose the same encryption method as the server.
• Username: enter the username if the server's verification mode is set to “CA Cert + Client Cert
+ Account & Password”.
• Password: enter the password if the server's verification mode is set to “CA Cert + Client Cert +
Account & Password”.

3) Upload the certificates and keys to the PBX.

Option           Description
CA Cert          Upload ca.crt.
Cert             Upload the client certificate s20.crt.
Key              Upload the client key s20.key.
Enable SSL/TLS   If enabled, please upload the ta.key file. If you enable SSL/TLS on the VPN server, you must also enable SSL/TLS on the VPN client, and upload ta.key in the client.

4) Click Save.


STEP 3. Check the VPN network status and IP address.


Manage VPN Clients

Clients List

On the VPN Server, we can check all the connected clients in Client List.

Username/Password Authentication

Choosing Verification Mode as “CA Cert + Client Cert + Account & Password” or “CA Cert + Account
& Password” on the VPN server will enable two-factor authentication, requiring both client-certificate
and username/password authentication to succeed in order for the client to be authenticated.

STEP 1. Choose Verification Mode as “CA Cert + Client Cert + Account & Password” or “CA Cert +
Account & Password”.


STEP 2. Add accounts and specify usernames and passwords.

• For the S-Series PBX client

Enter the username and password directly on the OpenVPN edit page.

• For Android and Windows Clients


STEP 1. Add auth-user-pass passfile in the client configuration file client.ovpn.


STEP 2. Add passfile file into the client.


1) Create a new text document.
2) Enter the username and password according to the account settings on the VPN server.
• Line 1: enter username.
• Line 2: enter password.

3) Save the file.

4) Rename the file as “passfile”. Note: change the file name extension so that the file name
does not contain .txt.


5) Copy the file to clients.

• For Windows: copy the passfile file to the config folder.
• For Android phone: copy the passfile file to the OpenVPN folder.
6) When you try to connect to the VPN server, you will be required to enter username and
password.
