CC10206-4 Instal Config OpenVPN Link ENG
REF: CC10206-4
For Agilia Connect Link+ product range
Table of Contents
1. Introduction ............................................................................................................. 4
Terminology and abbreviations ............................................................................................................. 4
Concurrent usage of certificates between OpenVPN server and Link+ client ...................................... 4
Generate the certificate and key for the OpenVPN server ..................................................................15
Generate certificates and keys for Link+ clients (5 steps per Link+ client) .........................................17
Prerequisites ........................................................................................................................................19
How to create server configuration file “server.oVPN” ........................................................................19
5. How to configure OpenVPN server 2.5.0............................................................. 25
Generate the authority certificate for OpenVPN server .......................................................................25
Generate the certificate and key for the OpenVPN server ..................................................................27
Generate the certificates and keys for Link+ OpenVPN clients ..........................................................29
How to generate the certificate and key for the OpenVPN server ......................................................36
How to generate certificates and keys for Link+ OpenVPN clients .....................................................37
How to configure Server and client files for concurrent use in server 2.3.6 ........................................39
1. Introduction
This document outlines the installation and configuration procedures for an OpenVPN server in a Microsoft
Windows environment and the configuration of Link+ clients. It also provides information about the concurrent
usage of OpenVPN certificates as required.
The OpenVPN installation ensures secure transmission of data between the Link+ and a third-party application
connected over TCP/IP.
Installation pre-requisites
The following two conditions are necessary for the successful installation of OpenVPN:
• The PC or server must run Microsoft Windows. Please refer to Table 2 and Table 3 in sections below
for supported versions.
* Note: OpenVPN server 2.3.6 is only used to generate the certificates and keys, and OpenVPN server 2.5.0 is
used to launch the VPN service. Do not keep OpenVPN server 2.3.6 and OpenVPN server 2.5.0 installed
at the same time on the target PC or server, as this leads to errors when launching the OpenVPN server.
2. How to install OpenVPN server version 2.3.6
Select the binary to be installed
For the OpenVPN installation, select the installation binary from https://build.openVPN.net/downloads/releases/
depending on the target OS (see table below).
➢ The license agreement (Figure 3) opens:
Read the terms of the License Agreement carefully, then click on « I Agree ».
2. Select the desired installation directory (Figure 5).
For example: C:\Program Files\OpenVPN. There are no restrictions on this location.
Note: This directory will be called <OpenVpnPath> in the rest of the document.
3. The installation starts. Windows may request confirmation to install the TAP-WIN32 driver: if so, please confirm
the installation (Figure 6).
When the installation is complete, the following window opens (Figure 7):
The message « Installation Complete » confirms that the installation succeeded.
Uncheck the box to start OpenVPN and click on “Finish”. You may read the OpenVPN Readme if desired.
3. How to install OpenVPN server 2.5.0
Select the binary to be installed
For the OpenVPN installation, select the installation binary from https://openVPN.net/community-downloads/
or https://build.openVPN.net/downloads/releases/ depending on the target OS (see table below).
➢ The Custom Installation (Figure 10) opens:
Click on OpenVPN Service and choose Entire feature will be installed on local hard drive.
Click on OpenSSL Utilities and choose Entire feature will be installed on local hard drive (needed to
configure the server and generate keys).
Select the desired installation directory.
• For example: C:\Program Files\OpenVPN.
• There are no restrictions on this location.
Note: This directory will be called <OpenVpnPath> in the rest of the document.
The installation starts. Windows may request confirmation to install the driver; if so, confirm the
installation. When the installation is finished, the OpenVPN Installing Completed dialog window opens (Figure 11):
Bring up the “System Properties” of the computer, click on “Environment Variables”, then select “Path” under
“System variables” and click “Edit”. In the “Edit environment variable” popup window, add a new entry with the value
“C:\Program Files\OpenVPN\bin”, then click “OK”. See Figure 12 below.
4. How to configure OpenVPN server 2.3.6
Generate the authority certificate for OpenVPN server
1. Open a DOS console (cmd.exe) as an administrator. To do so, bring up the Windows Run dialog window by
pressing Windows+R, enter cmd.exe, right-click on the resulting icon and select “Run
as administrator”.
2. In the DOS console, run the command cd <OpenVpnPath>\easy-rsa
➢ The configuration file vars.bat.sample is copied for initialization (see Figure 13)
5. With administrator rights, modify the variables in the vars.bat file by inserting your own configuration
settings. These settings are the defaults used when creating the certificate files (see Figure 15
below):
HOME=<OpenVpnPath>\easy-rsa.bat
KEY_SIZE=1024
KEY_COUNTRY=FR
KEY_PROVINCE=RA
KEY_CITY=BREZINS
KEY_EMAIL=admin@localhost.com
KEY_CN=Server
KEY_NAME=FK
KEY_OU=BUAD
Figure 15 : Example settings for Fresenius Kabi in Brézins, France with key size 1024 bit
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console.
Generate the certificate and key for the OpenVPN server
1- In the DOS console as administrator (see previous section), run the command build-key-server.bat server
(Figure 17).
2- Fill in the Common Name field with “server”. Confirm the other fields with their suggested default value.
3- Do not fill in the password (simply hit the Return key).
4- Sign the certificate answering “y” to the question and hit the Return key.
5- Publish (commit) answering “y” to the question and hit the Return key.
➔ The files server.crt and server.key are generated in the directory
<OpenVpnPath>\easy-rsa\keys
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
Generate certificates and keys for Link+ clients (5 steps per Link+ client)
1. In the DOS console and as an administrator, run the command build-key.bat <name_for_the_client1> (Figure
18).
Note: <name_for_the_client1> is a parameter value to be set depending on the topology in use. See
example below where the value is set to “client1”.
2. Fill in the field Common Name with <name_for_the_client1> and confirm the other fields with their suggested
default value.
3. Do not fill in the password (simply hit the Return key).
4. Sign the certificate answering “y” to the question and hit the Return key.
5. Publish (commit) answering “y” to the question and hit the Return key.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
Repeat these steps for a second Link client:
2. Fill in the field Common Name with <name_for_the_client2> and confirm the other fields with their suggested
default value.
3. Do not fill in the password (simply hit the Return key).
4. Sign the certificate answering “Y” to the question and hit the Return key.
5. Publish (commit) answering “Y” to the question and hit the Return key.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
To generate certificates and keys for other Link+ clients, repeat the 5 steps above.
Figure 19 : Build-dh.bat
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console.
How to update server and client configuration files
Prerequisites
Copy the following files of the OpenVPN server from <OpenVpnPath>\easy-rsa\keys to the destination folder
<OpenVpnPath>\config:
• ca.crt
• server.crt
• server.key
• dh1024.pem
1. Copy the file “server.oVPN” into <OpenVpnPath>\config, then edit it using your preferred text editor (notepad.exe
can be used).
2. Update the following configuration settings with your own configuration (see highlighted sections in Figure 20):
• IP address (the IP address of the server on which OpenVPN is installed)
• VPN server port (note that this port must be opened in the firewall)
• Authority file path (ca.crt)
• Server certificate file path (server.crt)
• Server key file path (server.key)
• Diffie-Hellman file path (dh1024.pem)
• Select AES as the cipher
##################################################
# Sample OpenVPN 2.0 config file for
# multi-client server.
#
# This file is for the server side
# of a many-clients <-> one-server
# OpenVPN configuration.
#
# OpenVPN also supports
# single-machine <-> single-machine
# configurations (See the Examples page
# on the web site for more info).
#
# This config should work on Windows
# or Linux/BSD systems. Remember on
# Windows to quote pathnames and use
# double backslashes, e.g.:
# "C:\\Program Files\\OpenVPN\\config\\foo.key"
#
# Comments are preceded with '#' or ';'
#################################################
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca "C:\\Program\ Files\ (x86)\\OpenVPN_64bits\\config\\ca.crt"
cert "C:\\Program\ Files\ (x86)\\OpenVPN_64bits\\config\\server.crt"
key "C:\\Program\ Files\ (x86)\\OpenVPN_64bits\\config\\server.key"
# This file should be kept secret
;push "route 192.168.20.0 255.255.255.0"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody
5. How to configure OpenVPN server 2.5.0
Generate the authority certificate for OpenVPN server
With administrator rights, copy the file vars.example in <OpenVpnPath>\easy-rsa, paste it in the same
directory and rename the copy to vars.
With administrator rights, modify the variables in the vars.bat file by inserting your own configuration settings.
These settings are the defaults used when creating the certificate files (see Figure 21 below):
1. In the DOS console, run the command ./easyrsa init-pki
➢ The PKI folder is created (see Figure 23)
➔ The ca.crt file is generated in the directory <OpenVpnPath>\easy-rsa\pki
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console.
In the DOS console, run the command ./easyrsa sign server server (Figure 26).
Fill in the Confirm request details field with “yes” and hit the Return key.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
Generate the certificates and keys for Link+ OpenVPN clients
In the DOS console, run the command ./easyrsa gen-req client1 nopass (Figure 27).
Fill in the Common Name field with “client1” and hit the Return key.
Figure 28 : Sign the client certificate
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
Repeat these steps for a second Link+ client:
In the DOS console, run the command ./easyrsa gen-req client2 nopass.
Fill in the Common Name field with “client2” and press Enter.
In the DOS console, run the command ./easyrsa sign client client2.
Fill in the Confirm request details field with “yes” and press Enter.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
To generate certificates and keys for other Link+ clients, repeat the 4 steps above.
Figure 29 : Build-dh.bat
➔ The file dh.pem is generated in the directory <OpenVpnPath>\easy-rsa\pki
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console. If the file is not empty, you can now close the DOS console.
Copy the following files of the OpenVPN server from their original directory to the folder <OpenVpnPath>\config:
• ca.crt (original directory: <OpenVpnPath>\easy-rsa\pki)
• server.crt (original directory: <OpenVpnPath>\easy-rsa\pki\issued)
• server.key (original directory: <OpenVpnPath>\easy-rsa\pki\private)
• dh.pem (original directory: <OpenVpnPath>\easy-rsa\pki)
1. Copy the file “server.oVPN” into <OpenVpnPath>\config, then edit it with administrator rights.
2. Update the following configuration settings with your own configuration (see highlighted text in Figure 30):
• IP address (the IP address of the server on which OpenVPN is installed)
• VPN server port (this port must be open in the firewall)
• Authority file path (ca.crt)
• Server certificate file path (server.crt)
• Server key file path (server.key)
• Diffie-Hellman file path (dh.pem)
• Disable tls-auth by commenting out the line tls-auth ta.key 0
• Select AES as the cipher
• Enable compression compatible with older clients (comp-lzo)
Line 25: local 192.168.0.2
Line 32: port 1194
Line 78: ca "C:\\Program\ Files\\OpenVPN\\config\\ca.crt"
Line 79: cert "C:\\Program\ Files\\OpenVPN\\config\\server.crt"
Line 80: key "C:\\Program\ Files\\OpenVPN\\config\\server.key"
Line 85: dh "C:\\Program\ Files\\OpenVPN\\config\\dh.pem"
Line 244: # tls-auth ta.key 0 # This file is secret
Line 252: data-ciphers AES-128-CBC
Line 263: comp-lzo
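The settings listed above (and the corresponding list for server 2.3.6 in section 4) are the ones that most often go wrong in practice: a path that does not resolve, a 0 kB key file, or the tls-auth line left active. The following Python script is an added example, not part of this guide or of OpenVPN: it re-implements OpenVPN's quoting rules for a config line (a line beginning with '#' or ';' is a comment, '#' or ';' between tokens starts a trailing comment, double quotes group a token, and inside quotes a backslash escapes the next character, which is why the guide writes paths as "C:\\Program\ Files\\OpenVPN\\config\\ca.crt"), then checks that every directive the guide edits is present, that every referenced PKI file exists and is not empty, that tls-auth is commented out, that an AES cipher is selected and that comp-lzo is enabled. The certificate contents and the temporary config directory it builds are constructed placeholders.

```python
"""Check the server.ovpn settings this guide asks you to edit (added example).

Assumptions: the parser is a small re-implementation of OpenVPN's config
line quoting; directive and file names are those used in the guide; the
certificate files written below are constructed placeholders, not real keys.
"""
import os
import tempfile

# Directives the guide has you set: local, port, ca, cert, key, dh.
REQUIRED = ("local", "port", "ca", "cert", "key", "dh")


def parse_ovpn_line(line):
    """Split one config line into tokens following OpenVPN's quoting rules."""
    tokens, cur, in_quote, escape = [], "", False, False
    for ch in line.strip():
        if escape:                      # character after a backslash is literal
            cur += ch
            escape = False
        elif in_quote and ch == "\\":
            escape = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append(cur)
                cur = ""
        elif ch in "#;" and not in_quote and not cur:
            break                       # comment: the rest of the line is ignored
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens


def check_server_config(config_text, config_dir, expect_comp_lzo=True):
    """Return a list of findings; an empty list means every guide setting is in place."""
    directives = {}
    for line in config_text.splitlines():
        tok = parse_ovpn_line(line)
        if tok:
            directives.setdefault(tok[0], []).append(tok[1:])
    findings = [f"missing directive: {n}" for n in REQUIRED if n not in directives]
    # The guide's repeated check: each referenced PKI file must exist and be larger than 0 kB.
    for name in ("ca", "cert", "key", "dh"):
        for args in directives.get(name, []):
            path = args[0] if args else ""
            if not os.path.isabs(path):
                path = os.path.join(config_dir, path)   # relative to the config folder
            if not os.path.isfile(path):
                findings.append(f"{name}: file not found: {path}")
            elif os.path.getsize(path) == 0:
                findings.append(f"{name}: file is empty: {path}")
    if "tls-auth" in directives:        # only an uncommented line ends up here
        findings.append("tls-auth is still enabled; the guide comments out 'tls-auth ta.key 0'")
    cipher_args = directives.get("data-ciphers") or directives.get("cipher") or [[]]
    first = cipher_args[0][0] if cipher_args[0] else ""
    if not any(c.upper().startswith("AES") for c in first.split(":")):
        findings.append("no AES cipher selected (cipher / data-ciphers)")
    if expect_comp_lzo and "comp-lzo" not in directives:
        findings.append("comp-lzo not enabled (compression compatible with older clients)")
    return findings


def quote_path(path):
    """Quote a path the way the guide does in server.ovpn (backslashes doubled)."""
    return '"' + path.replace("\\", "\\\\") + '"'


def demo():
    """Run the checks on a constructed config directory; returns (before, after) findings."""
    with tempfile.TemporaryDirectory() as d:
        pem = "-----BEGIN PLACEHOLDER-----\nconstructed, not a real key\n-----END PLACEHOLDER-----\n"
        files = {"ca.crt": pem, "server.crt": pem, "server.key": pem,
                 "dh.pem": ""}          # 0 kB: the error the guide tells you to look for
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        p = {n: quote_path(os.path.join(d, n)) for n in files}
        common = ["local 192.168.0.2", "port 1194", "ca " + p["ca.crt"],
                  "cert " + p["server.crt"],
                  "key " + p["server.key"] + "  # This file should be kept secret",
                  "dh " + p["dh.pem"], "data-ciphers AES-128-CBC"]
        before = "\n".join(common + ["tls-auth ta.key 0 # This file is secret", ";comp-lzo"])
        before_findings = check_server_config(before, d)
        with open(os.path.join(d, "dh.pem"), "w") as fh:   # dh.pem regenerated (placeholder)
            fh.write(pem)
        after = "\n".join(common + ["# tls-auth ta.key 0 # This file is secret", "comp-lzo"])
        after_findings = check_server_config(after, d)
    return before_findings, after_findings


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "OK")
```

Run it from the DOS console with the path of your real <OpenVpnPath>\config folder in place of the temporary directory to get the same three findings on a half-edited file (empty dh.pem, active tls-auth, missing comp-lzo) and an empty list once the file matches the list above. Pass expect_comp_lzo=False when checking a 2.3.6 configuration, which uses cipher AES-128-CBC and does not enable comp-lzo.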
6. How to configure the OpenVPN server for concurrent usage
How to generate the authority certificate for OpenVPN server
In OpenVPN 2.3.6, edit the file openssl-1.0.0.cnf under <OpenVpnPath>\easy-rsa with administrator rights, and
update line 57 as shown in Figure 31:
default_md = SHA256
HOME=<OpenVpnPath>\easy-rsa.bat
KEY_SIZE=2048
KEY_COUNTRY=FR
KEY_PROVINCE=RA
KEY_CITY=BREZINS
KEY_EMAIL=admin@localhost.com
KEY_CN=Server
KEY_NAME=FK
KEY_OU=BUAD
Figure 34 : Settings for Fresenius, Brézins, France with key size 2048 bit
In the DOS console, run the command vars.bat. It initializes the default variables.
In the DOS console, run the command clean-all.bat. This cleans up old generated keys in the
<OpenVpnPath>\easy-rsa\keys directory.
In the DOS console, run the command build-ca.bat (Figure 35). It starts the authority certificate generation.
Press the Enter key to confirm the suggested default variables.
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console.
How to generate the certificate and key for the OpenVPN server
In OpenVPN 2.3.6, in the DOS console, run the command build-key-server.bat server (Figure 36).
Fill in the Common Name field with “server”. Confirm the other fields with their suggested default value.
Do not fill in the password (press Enter).
Sign the certificate by answering “y” to the question and pressing Enter.
Publish (commit) by answering “y” to the question and pressing Enter.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
In OpenVPN 2.3.6, in the DOS console, run the command build-key.bat <name_for_the_client1> (Figure 37).
Note: <name_for_the_client1> is chosen by you, for example: client1
Fill in the field Common Name with <name_for_the_client1> and confirm the other fields with their suggested
default value.
Do not fill in the password (press Enter).
Sign the certificate by answering “y” to the question and pressing Enter.
Publish (commit) by answering “y” to the question and pressing Enter.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
Fill in the field Common Name with <name_for_the_client2> and confirm the other fields with their suggested
default value.
Do not fill in the password (press Enter).
Sign the certificate by answering “Y” to the question and pressing Enter.
Publish (commit) by answering “Y” to the question and pressing Enter.
Check that the generated files are not empty. If they are empty, repeat the procedure above and address
any errors reported in the DOS console.
To generate certificates and keys for other Link+ clients, repeat the steps above.
Figure 38 : Build-dh.bat
Check that the generated file is not empty. If it is empty, repeat the procedure above and address
any errors reported in the DOS console.
How to configure Server and client files for concurrent use in server 2.3.6
If OpenVPN server 2.5.0 is used simultaneously with D14/D15 Link+ and D16 Link+, go directly to section 6.6.
Otherwise, proceed as follows.
1. Copy the following files of the OpenVPN server from <OpenVpnPath>\easy-rsa\keys to the folder
<OpenVpnPath>\config:
• ca.crt
• server.crt
• server.key
• dh2048.pem
Copy the file “server.oVPN” into <OpenVpnPath>\config, then edit it with administrator rights.
Adapt the following configuration settings to your configuration (see highlighted text in Figure 39):
IP address (the IP address of the server on which OpenVPN is installed)
VPN server port (this port must be open in the firewall)
Authority file path (ca.crt)
Server certificate file path (server.crt)
Server key file path (server.key)
Diffie-Hellman file path (dh2048.pem)
Select AES as the cipher
Line 25: local 192.168.0.2
Line 32: port 1194
Line 78: ca "C:\\Program\ Files\ (x86)\\OpenVPN\\config\\ca.crt"
Line 79: cert "C:\\Program\ Files\ (x86)\\OpenVPN\\config\\server.crt"
Line 80: key "C:\\Program\ Files\ (x86)\\OpenVPN\\config\\server.key"
Line 85: dh "C:\\Program\ Files\ (x86)\\OpenVPN\\config\\dh2048.pem"
Line 250: cipher AES-128-CBC # AES
Figure 39 : Example of <OpenVpnPath>\sample-config for Windows 7, 64-bit
Server and client configuration files for concurrent use in server 2.5.0
Phase 1: Files copy
Copy the following OpenVPN server files, generated by server 2.3.6, to the OpenVPN server 2.5.0 installation
directory. The original directory of these files is the server 2.3.6 installation path <OpenVpnPath>\easy-rsa\keys;
the destination directory is the server 2.5.0 installation path <OpenVpnPath>\config.
• ca.crt
• server.crt
• server.key
• dh2048.pem
Copy the file “server.oVPN” into the server 2.5.0 installation path <OpenVpnPath>\config, then edit it with
administrator rights.
Adapt the following configuration settings to your configuration (see highlighted text in Figure 40):
IP address (the IP address of the server on which OpenVPN is installed)
VPN server port (this port must be open in the firewall)
Authority file path (ca.crt)
Server certificate file path (server.crt)
Server key file path (server.key)
Diffie-Hellman file path (dh2048.pem)
Disable tls-auth by commenting out the line tls-auth ta.key 0
Select AES as the cipher
Enable compression compatible with older clients (comp-lzo)
Line 252: data-ciphers AES-128-CBC
Line 263: comp-lzo
Figure 40 : Example of <OpenVpnPath>\sample-config for Windows 7, 64-bit
Note: check whether the OpenVPN GUI was already auto-started by a non-administrator user. If this is the
case, the OpenVPN GUI must be exited, then restarted as administrator. You can use the shortcut added to
the computer desktop during installation (see Figure 41 below):
A notification icon appears in the task bar (see Figure 42): click on “Connect”.
Figure 42 : Connect the OpenVPN server
How to launch OpenVPN server as a Windows service
For OpenVPN 2.3.6
The Services window opens. Select the OpenVPN Service and select “Properties” with a right click (see Figure 43).
Set the startup type of the service to “Automatic” (see Figure 44) and start the service.
Figure 44 : OpenVPN service properties window
In OpenVPN 2.5.0 it is not possible to auto-start the server with the graphical interface.
You must copy all the content of the C:\Program Files\OpenVPN\config\ folder to the C:\Program
Files\OpenVPN\config-auto\ folder.
With this method, the OpenVPN service (already set to Automatic with OpenVPN server 2.5.0) auto-starts
the server at computer logon, but without the graphical interface, only in service mode.
In the notification icon in Figure 45, the “Connect” option should be greyed out and the “Disconnect” option
should appear in black:
a. If this is not the case, please refer to section 7.1 and/or to section 10.
b. If this is the case, proceed with the step below.
Figure 45 : Show status of OpenVPN server
Check that the server is “Connected” in the Connection OpenVPN (server) window. See Figure 46 as an
example.
If this is not the case, please refer to section 7.1 and/or to section 11.
For OpenVPN 2.5.0 without graphical interface
After the computer restarts, check in a DOS console that the computer has taken the OpenVPN server IP address:
Verify that the OpenVPN TAP adapter takes the first IP address of the virtual IP range set in server.ovpn (see the example below).
If an IP address is set for the OpenVPN TAP adapter, the server is running.
Note: in this configuration the OpenVPN graphical interface will not show the OpenVPN server as started, and you
cannot start it from the GUI; it returns an error if you try to connect with the GUI.
How to check communication between the OpenVPN server and the Link+ client
Prerequisite: the Link+ and the OpenVPN server must be connected to the network.
Allow OpenVPN through the Windows firewall (at a minimum for the port defined in the server configuration).
Check that the OpenVPN server can ping the connected Link+, and vice versa.
➔ The Link+ client and the OpenVPN server are properly connected.
Link+ client configuration
Connect to the Link+ Web interface.
Select “Configuration” -> “Data Export” (see Figure 47).
Note: Check “Enabled” for “Serial export protocol for Agilia SP and VP” if you wish to activate export of data for
Agilia SP and VP pumps.
Click on “OK”.
Return to the “Configuration” menu in the Link Web interface (see Figure 50).
Select “Network”
The file <name_for_the_client1>.crt generated by OpenVPN server 2.3.6 is in directory
<OpenVpnPath>\easy-rsa\keys.
The file <name_for_the_client1>.crt generated by OpenVPN server 2.5.0 is in directory
<OpenVpnPath>\easy-rsa\pki\issued.
h) Click on “open” to download it.
Before applying the changes, check that the selected files are correct.
2. Press OK.
3. When the network configuration operation is complete, press on
9. Connection between OpenVPN and Link+ verification
Pre-requisite: Link+ boot is complete.
VPN connection configuration verification
Connect to the Link+ web interface.
Go to “Configuration”.
Go to “Network”.
In the field “VPN Client address”, check that there is a new IP address (see Figure 55): this is the virtual address
for the Link+ defined and used by OpenVPN:
a. If this is not the case, go back to section 8.1 and/or refer to section 10.
b. If this is the case, go on to the step below.
➔ The Link+ and the OpenVPN server are connected; your
data are protected.
If this is not the case, go back to section 9 and/or refer to section 10.
10. Troubleshooting
Sections 4 and 5
Make sure that any error encountered during the OpenVPN server configuration is resolved before continuing with
the configuration procedure. In addition, check the size of the files generated during these steps: they must be
larger than 0 kB. If this issue occurs, restart the procedure and address the errors appearing in the DOS
console.
If there is still an issue, perform the configuration of both the OpenVPN client and server again, including certificate
and VPN key generation.
The ipp.txt file shall mention the client common name and the wanted virtual IP network address.
ifconfig-pool-persist file [seconds]: Persist ifconfig-pool data to file, at seconds intervals (default=600), as
well as on program startup and shutdown.
The goal of this option is to provide a long-term association between clients (denoted by their common name)
and the virtual IP address assigned to them from the ifconfig-pool. Maintaining a long-term association is good
for clients because it allows them to effectively use the persist-tun option (the persist-tun option is used to
ensure that the connection comes back up automatically if the underlying network is disrupted.).
If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration
file.
server.oVPN configuration example:
Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations
between a common name and IP address. They do not guarantee that the given common name will always
receive the given IP address. Use ifconfig-push (For more details, please refer to the HowTo guide of the
OpenVPN server: https://openVPN.net/index.php/open-source/documentation/howto.html) to guarantee the
assignments.
If the OpenVPN server crashes or shuts down uncleanly, the latest associations may not have been saved to the
ipp.txt file. Therefore, the client can get a different virtual IP address than before.
Note: OpenVPN server is configured by default in net30 topology mode. The OpenVPN server assigns a /30
subnet for each client that connects. The first available /30 subnet (after the one the server is using) is:
• 10.10.0.4/30
• 10.10.0.4 -- Network address
• 10.10.0.5 -- Virtual IP address in the OpenVPN Server
• 10.10.0.6 -- Virtual IP address assigned to the client
• 10.10.0.7 -- Broadcast address.
Therefore, one client will use 4 IP addresses in the network for the net30 topology. This should be considered
when configuring the OpenVPN network.
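The /30 arithmetic above decides how many Link+ clients a pool can hold and which address you should expect to see in the Link+ "VPN Client address" field, on the server's TAP adapter, and in ipp.txt. The following Python code is an added example, not part of this guide or of OpenVPN: it computes the four addresses of each client's /30 from the pool, gives the server's own tun address and the maximum number of net30 clients, and parses a constructed ipp.txt to flag entries that are not the network address of a client /30 (in net30 mode the persisted value is the /30 network address, which is the "virtual IP network address" the troubleshooting text refers to). The 10.10.0.0/24 pool (the server line server 10.10.0.0 255.255.255.0) and the sample ipp.txt are assumptions.

```python
"""net30 address planning and ipp.txt check for an OpenVPN server (added example).

Assumptions: the pool is 10.10.0.0/24; each client owns one /30 whose four
addresses are network, server-side, client-side and broadcast, as described
in the guide; the ipp.txt content below is constructed.
"""
import ipaddress


def net30_block(server_network, client_index):
    """Return the four addresses of the /30 used by the client_index-th client (1-based).
    Block 0 belongs to the server itself, so client 1 gets the first /30 after it."""
    if client_index < 1:
        raise ValueError("client_index is 1-based")
    net = ipaddress.IPv4Network(server_network)
    block = ipaddress.IPv4Network((int(net.network_address) + 4 * client_index, 30))
    if not block.subnet_of(net):
        raise ValueError(f"client {client_index} does not fit in {net}")
    base = block.network_address
    return {"network": str(base), "server": str(base + 1),
            "client": str(base + 2), "broadcast": str(base + 3)}


def server_tun_address(server_network):
    """First usable address of the pool: what the server's TAP adapter should show."""
    net = ipaddress.IPv4Network(server_network)
    return str(net.network_address + 1)


def max_net30_clients(server_network):
    """One /30 per client, minus the /30 the server occupies."""
    return ipaddress.IPv4Network(server_network).num_addresses // 4 - 1


def parse_ipp(text):
    """Parse ipp.txt lines of the form 'common_name,address' into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cn, addr = line.split(",", 1)
        entries[cn.strip()] = addr.strip()
    return entries


def check_ipp_net30(text, server_network):
    """For each ipp.txt entry, report whether its address is the network address of a
    client /30 inside the pool, and if so which four addresses that /30 carries."""
    net = ipaddress.IPv4Network(server_network)
    result = {}
    for cn, addr in parse_ipp(text).items():
        ip = ipaddress.IPv4Address(addr)
        offset = int(ip) - int(net.network_address)
        ok = ip in net and offset % 4 == 0 and offset >= 4   # aligned, and not the server's block
        result[cn] = {"address": addr, "valid_net30": ok,
                      "block": net30_block(server_network, offset // 4) if ok else None}
    return result


# Constructed ipp.txt: client3 was edited by hand to a client-side address, not a /30 base.
SAMPLE_IPP = """# common_name,virtual IP network address (constructed sample)
client1,10.10.0.4
client2,10.10.0.8
client3,10.10.0.6
"""

if __name__ == "__main__":
    pool = "10.10.0.0/24"
    print("server tun address:", server_tun_address(pool))
    print("max net30 clients:", max_net30_clients(pool))
    print("client 1:", net30_block(pool, 1))
    for cn, info in check_ipp_net30(SAMPLE_IPP, pool).items():
        print(cn, info)
```

The flagged entry is the kind of hand edit that makes OpenVPN ignore the persisted association, so the client silently receives a different virtual address than the one written in ipp.txt. Use the "client" value of each block as the address to expect in the Link+ "VPN Client address" field of section 9.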
-End of Document-
Fresenius Kabi AG
Else-Kröner-Str. 1
61352 Bad Homburg - GERMANY
Tel.: +49 (0) 6172 / 686-
www.fresenius-kabi.com