pclanb [label="PC Site B\n192.168.8.20",shape="cisco.pc"];
}
}
--------------------------------
Preparations
--------------------------------
.....................
Trust
.....................
In order to set up a tunnel on both ends, we need to configure certificates that establish trust between both machines.
We have chosen to set up the server on "Site B", so we start with the Trust configuration there.

* First we need an **Authority**, which we are going to create in :menuselection:`System --> Trust --> Authorities`
* Select `Create an internal Certificate Authority`
* Choose cryptographic settings and a lifetime (you may want to increase the default, as after this time you need to redistribute certificates to both server and client).
* Add descriptive information for this CA (`Descriptive name`, `City`, `Email`, ...)
* Set the `Common Name` to something descriptive for this authority, like "Office-ovpn"
* Next generate a **Certificate** for the server using :menuselection:`System --> Trust --> Certificates`
* Select `Create an internal Certificate`
* Choose the just created authority in `Certificate authority`
* Add descriptive information for this certificate (`Descriptive name`; the whereabouts are copied from the CA)
* Choose cryptographic settings; the lifetime determines the validity of the server certificate (you do need to track this yourself). A longer period than the default is allowed here, but keep in mind that a certificate can no longer be validated once its issuing CA has expired.
* Set the `Common Name` to the FQDN of this machine.
* As the client (Site A) will also need a **Certificate**, we create one more certificate, again using :menuselection:`System --> Trust --> Certificates`
* Select `Create an internal Certificate`
* Choose the just created authority in `Certificate authority`
* Add descriptive information for this certificate (`Descriptive name`; the whereabouts are copied from the CA)
* Choose cryptographic settings; the lifetime determines the validity of the client certificate (you do need to track this yourself). A longer period than the default is allowed here, subject to the same CA expiry caveat as the server certificate.
* Set the `Common Name` to the username the other end will use for identification. For this example we use :code:`test-client`

.. note::

    It is a best practice to give each user its own certificate, using the same common name as the username, although
    it is also possible for clients to share a certificate (with the drawback that a shared certificate cannot be revoked for one user
    without cutting off the others). When adding a certificate from the user manager the CN is automatically
    set to the user's name. In this example we will only authenticate using the certificate; no additional username or password will be required.

.....................
Static keys
.....................
We create a static key and define its use in :menuselection:`VPN --> OpenVPN --> Instances --> Static Keys`. For this example
select `auth` as mode (OpenVPN's ``tls-auth``, which HMAC-signs control channel packets so that packets lacking a valid HMAC are dropped before the TLS handshake) and click the gear button to generate one. Provide a description for this key.

* Copy the public part of the certificate authority (the CA certificate only, never its private key) to the firewall at Site A (use the download button and paste the contents into a new CA on that host)
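To make the Trust and Static key steps above concrete, here is an added shell example (not part of the OPNsense documentation or its tooling) that builds the same objects with openssl: an internal authority, a server certificate with the FQDN as Common Name, a client certificate with the username as Common Name, and a static key in the layout OpenVPN's `auth` (``tls-auth``) mode uses. The organisation name, the host name ``vpn.siteb.example``, the lifetimes and all file names are assumptions made for the demo, and it needs openssl 1.1.1 or newer. It also shows two checks worth knowing: the client certificate is rejected when offered as a server (the extendedKeyUsage distinction that OpenVPN's ``remote-cert-tls server`` relies on), and a leaf certificate stops validating the moment its CA expires, however long its own lifetime.

```shell
#!/bin/sh
# Added example, not OPNsense's own tooling: the Trust and Static key steps
# reproduced with openssl so the artifacts can be inspected and checked.
# Organisation, host/user names, lifetimes and file names are demo assumptions.

# write_cnf FILE CN EXT_LINES: a minimal config so nothing depends on the
# system openssl.cnf; EXT_LINES end up in the [ext] section.
write_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Example Org\nCN = %s\n[ext]\n%s\n' \
        "$2" "$3" > "$1"
}

# issue_cert DIR NAME CN EKU DAYS [SAN]: key, CSR and certificate signed by DIR/ca.
issue_cert() {
    san=""
    if [ -n "$6" ]; then san="subjectAltName = $6"; fi
    write_cnf "$1/$2.cnf" "$3" "basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = $4
$san"
    openssl req -new -sha256 -nodes -config "$1/$2.cnf" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$5" -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions ext -out "$1/$2.crt" 2>/dev/null
}

# build_pki DIR SERVER_FQDN CLIENT_CN CA_DAYS CERT_DAYS: authority, server
# certificate (CN = FQDN), client certificate (CN = username) and a static key.
build_pki() {
    mkdir -p "$1"
    write_cnf "$1/ca.cnf" Office-ovpn "basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash"
    openssl req -x509 -new -sha256 -nodes -days "$4" -config "$1/ca.cnf" \
        -extensions ext -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    # serverAuth only on the server cert: a client verifying with
    # remote-cert-tls server will refuse a peer that shows a client cert.
    issue_cert "$1" server "$2" serverAuth "$5" "DNS:$2"
    issue_cert "$1" client "$3" clientAuth "$5"
    # tls-auth ("auth" mode) static key: 2048 random bits as 16 lines of
    # 32 hex digits, the layout openvpn --genkey writes. OPNsense's gear
    # button generates this for you; shown here only to see the format.
    {
        echo "-----BEGIN OpenVPN Static key V1-----"
        openssl rand -hex 256 | fold -w 32
        echo "-----END OpenVPN Static key V1-----"
    } > "$1/ta.key"
}

# verify_chain DIR CERT PURPOSE: succeeds only if CERT chains to DIR/ca.crt
# and carries the extendedKeyUsage that PURPOSE (sslserver|sslclient) demands.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$2" >/dev/null 2>&1
}

# verify_at DIR CERT EPOCH: succeeds only if the whole chain, CA included,
# is still within its validity period at the given UNIX time.
verify_at() {
    openssl verify -CAfile "$1/ca.crt" -attime "$3" "$2" >/dev/null 2>&1
}

# cert_cn CERT: prints the Common Name, the identity OpenVPN sees for the peer.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demo: a 30-day CA issuing 10-year leaves, a deliberately poor combination.
demo=$(mktemp -d)
build_pki "$demo" vpn.siteb.example test-client 30 3650
echo "server CN: $(cert_cn "$demo/server.crt"), client CN: $(cert_cn "$demo/client.crt")"
verify_chain "$demo" "$demo/server.crt" sslserver && echo "server cert accepted as server"
verify_chain "$demo" "$demo/client.crt" sslserver || echo "client cert rejected as server (expected)"
verify_at "$demo" "$demo/server.crt" $(( $(date +%s) + 60 * 86400 )) \
    || echo "server cert unusable in 60 days: its CA expired first (expected)"
rm -rf "$demo"
```

The files the script leaves behind map onto the GUI objects one to one: ``ca.crt`` is the public part you copy to Site A, ``server.crt``/``server.key`` and ``client.crt``/``client.key`` are the two internal certificates, and ``ta.key`` is the static key. The last two checks are the reason to track lifetimes: the CA's expiry, not the leaf's, is the effective end of the tunnel.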
Leave empty to bind to all addresses assigned to this machine or use a loopback address combined with a port forward when
the external address is not static.
.. admonition:: Note :sup:`2`

    The network(s) served by this OpenVPN instance; routes to them are created after startup. In order to bind
    a network to the correct client, a `Client Specific Override` is also needed: the instance setting sends the
    traffic into the tunnel, while the override tells the OpenVPN server which connected client owns that network.

Click Apply when the instance is configured and add a client specific override in :menuselection:`VPN --> OpenVPN --> Client Specific Overrides`
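As an added illustration (not OPNsense's generated configuration, which is not edited by hand), this is what the instance network setting and the client specific override amount to in plain OpenVPN server terms. It assumes the Site A LAN is 192.168.9.0/24 (the page does not state it) and that the client's certificate CN is ``test-client``:

```text
# Site B server config, from the instance: the network served by this
# instance becomes a kernel route that pushes Site A traffic into the tunnel
route 192.168.9.0 255.255.255.0
client-config-dir ccd

# ccd/test-client, from the Client Specific Override: iroute tells the OpenVPN
# process which connected client (matched by certificate CN) owns that network.
# With only the route, the kernel hands packets to OpenVPN but OpenVPN has no
# client to forward them to and drops them.
iroute 192.168.9.0 255.255.255.0
```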