myvpn server elastix


Upload: lahyouh

Post on 26-Dec-2015


Page 1: MyVPN Server Elastix

MyVPN Server

1. Generate Server Certificates
2. Configure Main Parameters
3. Add User
4. Edit User
5. User Configuration files
6. Connecting to MyVPN Server
7. FAQ

Official Documentation of OpenVPN®

Video Manual of MyVPN Server

Video Manual of MyVPN Client

The MyVPN Server module is an addon that will allow you to create a Virtual Private Network using open source OpenVPN®.

OpenVPN® is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user or group-specific access control policies using firewall rules applied to the VPN virtual interface.

Unregistered Version

Unregistered Version has some limitations:

VPN Network (Only 192.168.10.0/255.255.255.0)
Port (Only 1195)
You can add only 1 User

Please open Elastix Addon Market to buy it and upload license file to MyVPN Server Addon.

Quick Start Guide

1. Generate Server Certificates

First you should generate a new server certificate. Press the button Server Certificate and complete all fields marked with a red asterisk (*). Then press the button Generate New Server Certificate. A short while later, OpenVPN® will have generated the new server certificates.

Field | Description | Example
Country | The two-letter ISO abbreviation for your country | US
Province | The state or province where your organization is located. Can not be abbreviated. | Georgia
City | The city where your organization is located. | Atlanta
Organization | The exact legal name of your organization. Do not abbreviate | VOIP Laboratory Inc.
Email | The email address for the CA (who to contact) | support@voip-lab.ru
Canonical Name | Since this is your root certificate | voip-lab.ru

Note: This may take several minutes; do not disrupt the process.

Warning: Generating new certificates will remove all user configurations! Don't do it if you are not sure!

2. Configure Main Parameters

Once all the necessary certificates have been added, you should configure the main parameters of MyVPN Server.

Field | Description | Recommended Value
Status | The field Status shows the state of the service | Active / Inactive
Interface | Local IP address for bind. If specified, OpenVPN® will bind to this address only. If unspecified, OpenVPN® will bind to all interfaces. | 192.168.1.1
Port | TCP/UDP port number for both local and remote. The current default of 1194 represents the official IANA port number assignment for OpenVPN® and has been used since version 2.0-beta17. Previous versions used port 5000 as the default. | 1194
VPN Network | A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN® server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface. | 192.173.0.0/255.255.255.0
Primary DNS | Primary DNS Server | 8.8.8.8
Secondary DNS | Secondary DNS Server | 4.4.4.4
Maximum Clients | Limit server to a maximum of n concurrent clients. | 100
Log Level | Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output. 0 -- No output except fatal errors. 1 to 4 -- Normal usage range. 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels). | 1
Protocol | Use protocol TCP/UDP for communicating with remote host | udp
Static Routes | Push routes to the client to allow it to reach other private subnets behind the server. | 192.168.5.0/255.255.255.0, 192.172.15.0/255.255.255.252, 192.168.16.1/255.255.255.255

Additional Options:

Field | Description | Recommended Value
Use Hostname for Connect | Use this option to specify a Remote Field like hostname. | Checked
Enable set Default Gateway | Automatically execute routing commands to cause all outgoing IP traffic to be redirected over the VPN. | Checked
Disable Inter-Client Communication | Because the OpenVPN® server mode handles multiple clients through a single tun or tap interface, it is effectively a router. The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface. When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. | Unchecked
Enable Compression | Use fast LZO compression -- may add up to 1 byte per packet for incompressible data. | Checked
Enable NAT | Use this option to automatically generate NAT rules for iptables. | Checked

Keep Alive Options:

Field | Description | Recommended Value
Ping every | Ping remote over the TCP/UDP control channel if no packets have been sent for at least n seconds (specify --ping on both peers to cause ping packets to be sent in both directions since OpenVPN ping packets are not echoed like IP ping packets). When used in one of OpenVPN's secure modes (where --secret, --tls-server, or --tls-client is specified), the ping packet will be cryptographically secure. | 10
Restart after | Similar to --ping-exit, but trigger a SIGUSR1 restart after n seconds pass without reception of a ping or other packet from remote. | 60

Notice: the second parameter (Ping Restart) must be at least twice the value of the first parameter (Ping Every). A ratio of 1:5 or 1:6 would be even better. Recommended setting is 10 60.
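The following check is an added example, not part of the MyVPN Server addon or its manual. It audits an OpenVPN server configuration for three points from the tables above: the VPN pool should sit in RFC 1918 private space (the manual's sample pool 192.173.0.0/24 does not), the restart timeout must be at least twice the ping interval, and client-to-client should be off when per-client firewall rules are wanted. The function name, its per_client_firewall parameter, the sample configs, and the assumption that the GUI fields end up as the standard server, keepalive and client-to-client directives are all illustrative.

```python
import ipaddress

# RFC 1918 private ranges; a VPN pool outside them shadows real Internet hosts.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_server_conf(text, per_client_firewall=True):
    """Return a list of findings for an OpenVPN server config given as text."""
    findings, directives = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop '#' comments
        if line and not line.startswith(";"):        # skip blanks and ';' comments
            name, *args = line.split()
            directives.setdefault(name, []).append(args)

    for args in directives.get("server", []):
        try:
            # strict parsing: host bits must be zero for the given netmask
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
        except (ValueError, IndexError):
            findings.append("server: invalid network/netmask")
            continue
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append(f"server: {net} is outside RFC 1918 private space")

    for args in directives.get("keepalive", []):
        ping, restart = int(args[0]), int(args[1])
        if restart < 2 * ping:                       # rule from the Notice above
            findings.append(f"keepalive: restart {restart}s is under twice ping {ping}s")

    if per_client_firewall and "client-to-client" in directives:
        findings.append("client-to-client: inter-client traffic bypasses tun/tap firewall rules")
    return findings

# Constructed sample configs (not taken from a MyVPN installation).
GOOD_CONF = """\
port 1194
proto udp
server 192.168.10.0 255.255.255.0
keepalive 10 60
"""
RISKY_CONF = """\
server 192.173.0.0 255.255.255.0   # the manual's example pool
keepalive 10 15
client-to-client
"""

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("risky", RISKY_CONF)):
        print(label, audit_server_conf(conf))
```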

3. Add User

Once all the necessary settings have been saved and MyVPN Server has started successfully, you should add new Users. Press the button Add User and complete all fields marked with a red asterisk (*). Then press the Save user button.

Field | Description | Example
Common name | Unique identifier of user | SlaveServer
Email | Contact Email address | support@voip-lab.ru
Static IP | Static IP address for user. | 192.173.0.13
Country | The two-letter ISO abbreviation for your country | US
Province | The state or province where your organization is located. Can not be abbreviated. | Georgia
City | The city where your organization is located. | Atlanta
Organization | The exact legal name of your organization. Do not abbreviate | VOIP Laboratory Inc.
Canonical Name | Since this is your root certificate | voip-lab.ru
Expiration Date | Expiration Date of certificate | 10.06.2015


4. Edit User

You can change the Static IP address of created Users. Open the user settings and complete Static IP. Leave Static IP blank to assign the IP address dynamically.

5. User Configuration files

You can send complete *.ovpn configuration file to contact mail via pressing the button . Or save it to local drive via pressing the button .

You can also edit the Email Template. Press the button 'Email Template' and configure it.

6. Connecting to MyVPN Server

6.1 Elastix (Linux)

For better compatibility for Elastix we created the module MyVPN Client Manager. You should download it using Addons Market.

6.2 Windows

Download the latest version and install it. After that you should copy EXAMPLE.ovpn to the folder c:\program files\OpenVPN\config. After that you can connect Windows to Elastix MyVPN Server. Right click on the OpenVPN system tray icon and connect.

6.3 Mac OS

Tunnelblick is a free, open source graphic user interface for OpenVPN on OS X. It provides easy control of OpenVPN client and/or server connections. It comes as a ready-to-use application with all necessary binaries and drivers (including OpenVPN, easy-rsa, and tun/tap drivers). No additional installation is necessary -- just add your configuration and encryption information.

7. FAQ

7.1 I configured MyVPN Server but can't connect to it. My client returns 'Waiting server...'

You must add an allow firewall rule. Open the page Security->Define ports. Press the button Define Port and define the same port that your MyVPN Server uses. Then press the Save button.


Open the page Security->Firewall Rules and add new rule like this:

For the rule to take effect, you must place the new rule above the REJECT ALL rule and save the changes.

Please return to the MyVPN Server page and press the Update button to fix the iptables NAT rule.

7.2 I configured MyVPN Server and option 'Disable Inter-Client Communication' is on. But clients still see each other.

This is because you turned on the option 'Enable NAT'. You should disable inter-client communication manually. Open the page Security->Firewall Rules (activate it if necessary) and add a new rule as shown below. (192.168.10.0/255.255.255.0 is my MyVPN Server Network.)


Then deactivate the selected FORWARD rule as shown below.

Please return to the index page of MyVPN Server and press the Update button to fix the iptables NAT rule.

Developer: Nikita Rukavkov

Site: VOIP Laboratory

Support: support@voip-lab.ru