Configure Remote User Access using OpenVPN

I am able to connect to a Balance 20 using the OpenVPN client. Is there a way to disconnect after a period of inactivity? The client seems to stay connected until I manually disconnect.

1 Like

Thank you for the tutorial. This is surprisingly simple, ON WINDOWS, ironically. I have successfully gotten this to work on windows using the exact instructions. However, when trying to connect from Mac OS using Tunnelblick, I am getting the following error:

I also have tried using the OpenVPN Connect agent on macOS and I am having similar problems. It seems like the client successfully connects; however, no data seems to transmit to and from the router. I’m thinking this is some sort of DNS error.

Has anyone else had any success connecting to openvpn server from Mac OS Mojave? If so, could you please let me know what settings you altered from your openvpn client profile, and what software you are using? Thanks so much for any help or any ideas in debugging this not-so-simple Mac OS issue.

Perhaps we could get a Mac Specific tutorial?

Dan

We’ve successfully employed Shimo v.5 on MacOS/Mojave, importing the profile provided by the router without any modifications.

Z.

2 Likes

Well, I figured it out thanks to opening a ticket with Pepwave. Turns out, all I had to do was enable DNS proxy in my Surf SOHO. Thank you for letting me know that you got this working with Shimo on Mojave! This helped me figure out the solution through the process of elimination! Thanks!

1 Like

You’ll want to add a dns entry on the tunnel too. If you need multiple route statements, just add another one like nsg shared below the route-nopull.

dhcp-option DNS 192.168.40.1

1 Like

Is there a way to set up the OpenVPN connection to limit a user to only one IP address on the network, or a group of IPs?

In short, are there VPN firewall rules that can be configured to limit access to devices on the network?

@mahanadm, you may create a VLAN for OpenVPN client. Ensure the OpenVPN client connects to this VLAN. Then you may apply “Internal Network Firewall Rules” to limit this VLAN to the IP addresses in the network.

1 Like

I don’t think this was ever fixed (split tunnel not working as intended unless you manually edit the config file generated by the router).

In addition to adding lines such as these to make the split tunnel work…

route-nopull
route 192.168.40.0 255.255.255.0 vpn_gateway

…you might also want to add lines similar to the following to allow name resolution to function over the VPN (so people connected to the VPN can access network resources by the names they have on the remote network):

dhcp-option DNS 192.168.40.10
dhcp-option DOMAIN mynetwork.local

The first line says “use this server for DNS when connected to the VPN” - typically this would be the IP address of the domain controller on the remote network. The second line says “here is the name of the network, so that people can connect to machines by their hostname (e.g. myfileserver) instead of having to use the fully qualified domain name (e.g. myfileserver.mynetwork.local)”.

One other quirk in the PEPLink implementation is that users will receive an AUTH FAILED error when connecting if the PEPLink is not the DHCP server for the remote network. That error message is misleading, as it is not an auth failure. Assuming that you don’t want your PEPLink to be the DHCP server (perhaps you have assigned that role to your Windows domain controller), the way to fix this is to configure the PEPLink with a new VLAN with a different IP subnet, enable the DHCP server on the PEPLink for that VLAN (clicking to allow routing between VLANS), and then when configuring OpenVPN on the PEPLink assign it to the newly created VLAN. Voila - now it works.

This is strange because of at least two reasons:
#1) The misleading error message about auth failed
#2) The fact that you can configure other types of VPN’s on the PEPLink (e.g. PPTP) and not encounter this issue (i.e. the VPN works fine even if the PEPLink isn’t the DHCP server on the remote network).

3 Likes
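The two posts above (the `dhcp-option DNS` line and the `route-nopull` / `route` / `dhcp-option DOMAIN` lines) are the same edit applied to the profile the router exports. The script below is an added example for this thread, not Peplink's own code: it builds those directives from a list of remote subnets, validates the subnet and DNS address values, drops a local `redirect-gateway` line if one is present, and appends the directives only once so it can be re-run safely. The sample profile, the 192.168.40.0/24 subnet, the DNS server and the domain are constructed placeholders.

```python
"""Patch a router-generated OpenVPN client profile for split tunnelling.

Added example for this thread, not Peplink's own code. Assumptions: the
profile is plain .ovpn text, and the subnet, DNS server and domain values
used below are constructed placeholders in the style of the lines quoted
above.
"""
import ipaddress

# Constructed stand-in for a profile exported by the router.
SAMPLE_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
redirect-gateway def1
"""


def split_tunnel_directives(lan_cidrs, dns_server, domain=None):
    """Build the lines that turn a full tunnel into a split tunnel.

    route-nopull makes the client ignore every route *and* every dhcp-option
    the server pushes, so the remote LAN routes and the DNS settings have to
    be stated locally, one `route` line per subnet.
    """
    # strict=True rejects a "subnet" with host bits set, e.g. 192.168.40.5/24
    nets = [ipaddress.ip_network(c, strict=True) for c in lan_cidrs]
    dns = ipaddress.ip_address(dns_server)  # rejects malformed addresses
    if not any(dns in n for n in nets):
        raise ValueError(f"DNS server {dns} is not inside any routed subnet")
    lines = ["route-nopull"]
    for net in nets:
        lines.append(f"route {net.network_address} {net.netmask} vpn_gateway")
    lines.append(f"dhcp-option DNS {dns}")
    if domain:
        lines.append(f"dhcp-option DOMAIN {domain}")
    return lines


def patch_profile(profile_text, lan_cidrs, dns_server, domain=None):
    """Return the profile with split-tunnel lines appended, idempotently.

    A local `redirect-gateway` line is removed: route-nopull only discards
    options pushed by the server, so a redirect written into the file itself
    would still send all traffic through the tunnel.
    """
    kept = [ln for ln in profile_text.splitlines()
            if not ln.strip().startswith("redirect-gateway")]
    present = {ln.strip() for ln in kept}
    for directive in split_tunnel_directives(lan_cidrs, dns_server, domain):
        if directive not in present:
            kept.append(directive)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(patch_profile(SAMPLE_PROFILE, ["192.168.40.0/24"],
                        "192.168.40.10", "mynetwork.local"))
```

Pass several subnets in `lan_cidrs` to get one `route` line each, as suggested above for multiple route statements; the DNS server must fall inside one of them, otherwise name resolution would be sent outside the tunnel.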

@nsg, I tested and it is working fine. Below is my testing environment:

Peplink device: Balance One, 8.0.2
Testing PC: Windows 10
OpenVPN client: OpenVPN v11.13.0.0

This is my testing result:

These are the settings of my split tunnel profile. I didn’t make any changes to it:

Do you have the same environment?

We have yet to support a 3rd-party DHCP server for OpenVPN. Please use the local DHCP server for the time being.

2 Likes

Dear all,

I’m currently having trouble as in the log below; can anyone please help? I keep getting the Wrong credentials message.

Tue Apr 28 23:13:44 2020 OpenVPN 2.4.9 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 16 2020
Tue Apr 28 23:13:44 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Apr 28 23:13:44 2020 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
Tue Apr 28 23:13:44 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 28 23:13:44 2020 Need hold release from management interface, waiting...
Tue Apr 28 23:13:45 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'state on'
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'log all on'
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'echo all on'
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'bytecount 5'
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'hold off'
Tue Apr 28 23:13:45 2020 MANAGEMENT: CMD 'hold release'
Tue Apr 28 23:13:48 2020 MANAGEMENT: CMD 'username "Auth" "anpham@123"'
Tue Apr 28 23:13:48 2020 MANAGEMENT: CMD 'password [...]'
Tue Apr 28 23:13:48 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 28 23:13:48 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 28 23:13:48 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Apr 28 23:13:48 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Apr 28 23:13:48 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]27.65.194.22:1194
Tue Apr 28 23:13:48 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Apr 28 23:13:48 2020 UDP link local: (not bound)
Tue Apr 28 23:13:48 2020 UDP link remote: [AF_INET]27.65.194.22:1194
Tue Apr 28 23:13:48 2020 MANAGEMENT: >STATE:1588090428,WAIT,
Tue Apr 28 23:13:48 2020 MANAGEMENT: >STATE:1588090428,AUTH,
Tue Apr 28 23:13:48 2020 TLS: Initial packet from [AF_INET]27.65.194.22:1194, sid=b0c158b1 6a70dded
Tue Apr 28 23:13:48 2020 VERIFY OK: depth=1, C=US, O=Peplink, CN=OpenVPN CA/[email protected]
Tue Apr 28 23:13:48 2020 VERIFY KU OK
Tue Apr 28 23:13:48 2020 Validating certificate extended key usage
Tue Apr 28 23:13:48 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Apr 28 23:13:48 2020 VERIFY EKU OK
Tue Apr 28 23:13:48 2020 VERIFY OK: depth=0, C=US, O=Peplink, CN=OpenVPN Server/[email protected]
Tue Apr 28 23:13:48 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Apr 28 23:13:48 2020 [OpenVPN Server/[email protected]] Peer Connection Initiated with [AF_INET]27.65.194.22:1194
Tue Apr 28 23:13:50 2020 MANAGEMENT: >STATE:1588090430,GET_CONFIG,
Tue Apr 28 23:13:50 2020 SENT CONTROL [OpenVPN Server/[email protected]]: 'PUSH_REQUEST' (status=1)
Tue Apr 28 23:13:50 2020 AUTH: Received control message: AUTH_FAILED
Tue Apr 28 23:13:50 2020 SIGUSR1[soft,auth-failure] received, process restarting
Tue Apr 28 23:13:50 2020 MANAGEMENT: >STATE:1588090430,RECONNECTING,auth-failure,
Tue Apr 28 23:13:50 2020 Restart pause, 5 second(s)
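Reading a log like the one above by hand means checking whether the failure came before or after the TLS handshake: here both certificates verify (`VERIFY OK` at depth 1 and 0), the control channel comes up, the peer connection is initiated, and only the reply to `PUSH_REQUEST` is `AUTH_FAILED`, so the server accepted the TLS session and then rejected it. The script below is an added example for this thread, not Peplink's or OpenVPN's tooling; it walks an OpenVPN client log in order, records which phases were reached and returns a verdict code. The excerpt it ships with is constructed after the log above, with placeholder names and addresses.

```python
"""Triage an OpenVPN client log to see where a connection attempt failed.

Added example for this thread, not Peplink's or OpenVPN's own tooling. The
sample below is a constructed excerpt modelled on the log posted above, with
placeholder certificate names and a documentation-range server address.
"""
import re

SAMPLE_LOG = """\
Tue Apr 28 23:13:48 2020 VERIFY OK: depth=1, C=US, O=Peplink, CN=OpenVPN CA
Tue Apr 28 23:13:48 2020 VERIFY OK: depth=0, C=US, O=Peplink, CN=OpenVPN Server
Tue Apr 28 23:13:48 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Apr 28 23:13:48 2020 [OpenVPN Server] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Tue Apr 28 23:13:50 2020 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Tue Apr 28 23:13:50 2020 AUTH: Received control message: AUTH_FAILED
Tue Apr 28 23:13:50 2020 SIGUSR1[soft,auth-failure] received, process restarting
"""

# The "Tue Apr 28 23:13:48 2020 " prefix OpenVPN writes on every log line.
_TIMESTAMP = re.compile(r"^[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")

# Phase markers in the order a successful connection reaches them.
_MARKERS = [
    ("server_cert_verified", lambda m: m.startswith("VERIFY OK: depth=0")),
    ("tls_established", lambda m: m.startswith("Control Channel: TLS")),
    ("peer_initiated", lambda m: "Peer Connection Initiated" in m),
    ("push_request_sent", lambda m: "PUSH_REQUEST" in m),
    ("options_pushed", lambda m: m.startswith("PUSH: Received control message")),
]

_VERDICTS = {
    "tls_failure": "certificate or TLS problem: check the CA, the tls-auth/tls-crypt "
                   "key and the client clock",
    "auth_failed_after_tls": "TLS handshake completed and the server then sent "
                             "AUTH_FAILED: credentials or a server-side condition, "
                             "not a certificate problem",
    "auth_failed_early": "AUTH_FAILED arrived before the TLS handshake completed",
    "no_failure_marker": "no AUTH_FAILED or TLS error seen in this excerpt",
}


def triage(log_text):
    """Return the phases reached, a verdict code and a one-line explanation."""
    phases = {name: False for name, _ in _MARKERS}
    auth_failed = tls_failure = False
    for raw in log_text.splitlines():
        msg = _TIMESTAMP.sub("", raw.strip())
        for name, matches in _MARKERS:
            if matches(msg):
                phases[name] = True
        if "AUTH_FAILED" in msg:
            auth_failed = True
        # OpenVPN reports handshake problems as "TLS Error: ...",
        # "VERIFY ERROR: ..." or a SIGUSR1[soft,tls-error] restart.
        if (msg.startswith("TLS Error") or msg.startswith("VERIFY ERROR")
                or "tls-error" in msg):
            tls_failure = True
    if tls_failure:
        code = "tls_failure"
    elif auth_failed:
        code = "auth_failed_after_tls" if phases["peer_initiated"] else "auth_failed_early"
    else:
        code = "no_failure_marker"
    return {"phases": phases, "verdict": code, "explanation": _VERDICTS[code]}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, reached in result["phases"].items():
        print(f"{name:22s} {'yes' if reached else 'no'}")
    print(result["verdict"], "-", result["explanation"])
```

On the log above the verdict is `auth_failed_after_tls`, which matches the thread's earlier observation that the Peplink reports AUTH FAILED for a server-side condition (no local DHCP server for the OpenVPN VLAN) as well as for genuinely wrong credentials; the log alone cannot tell the two apart, so the next check is the server side.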

Has this been updated since originally posted?

I need to run Peplink in client mode as well.

I’ve tested this out and it appears to work with split tunnel. Quite easy to install the OpenVPN client and import the file. Tried with the Windows built-in client but I think there are some setting issues so it didn’t work. Am wondering where I can find the capacity for remote access users. I have some clients who wish to work from home temporarily and want to connect to the office network. The datasheet only gives values for site-to-site VPNs. Where can I find this info?

This should help you Toy: Firmware Release for OpenVPN WAN - #2 by Cassy_Mak

1 Like

Thanks, I faced a similar issue; that’s why I started using the VeePN service, it works great. Now I have access to the blocked websites. It provides a high level of security and doesn’t cost much.

How exactly do I add that entry to the tunnel? Do I add it on the OpenVPN client config side or the Surf SOHO router server side?

Why do the Peplink community forums believe I have never logged in before? Now I cannot log in with my Norman ID? @Dan_Ran ? Could a Pepwave administrator please help me with this issue? @peplinkspecialist

I have no opinion about your experience - just reporting our own.

Good luck,

Z

1 Like

@Dan_Ran1, it looks like the account for Dan_Ran is fine. You may PM me a screenshot where you see the error message. By the way, are you trying to log in with Peplink ID - Extending Peplink ID to the forum?

1 Like

Hello Erik,
maybe this has been explained already but I can’t find it: what is the client limit and the concurrent session limit of this OpenVPN server?

1 Like

Hello,

Great discussion :)
Can anyone recommend a VPN client for Mac mini?

Tamir