Client-Server Mode - Brocade Communications Systems 5600 Reference Manual

Client-server mode

TABLE 6 V2 OpenVPN configuration: site-to-site with TLS (Continued)

Step: Show the OpenVPN configuration.
Command:
vyatta@V2# show interfaces openvpn vtun0
    local-address 192.168.200.2
    mode site-to-site
    remote-address 192.168.200.1
    remote-host 12.34.56.78
    tls {
        role active
        ca-cert-file /config/auth/ca.crt
        cert-file /config/auth/V2.crt
        key-file /config/auth/V2.key
    }

The configuration is the same as in the previous example except that the tls option is specified; the crl-file option is not specified; and, because the V2 endpoint takes the active role, the dh-file option is not needed.

Client-server mode

The following figure illustrates a typical remote access VPN setup in which one OpenVPN endpoint acts as the server. Remote users run OpenVPN as clients to connect to the server and establish VPN tunnels.

FIGURE 5 Client-server mode

Note that OpenVPN requires TLS in client-server mode, and the server takes the passive role while the clients are active. Therefore, it is not necessary to specify the tls role option when operating in this mode. In the preceding figure, assuming that V1 is the server and V2 is a client, the configuration for V1 is shown below.

To configure V1 for client-server with TLS, perform the following steps in configuration mode. The example has the following characteristics.
• The mode option specifies that this endpoint operates in server mode.
• The server subnet option indicates that the tunnel IP address of the client is allocated from the 192.168.200.0/24 subnet and that the tunnel IP address of the server (that is, the address of vtun0 on the server) is 192.168.200.1.
• The remote-host option is not set because the clients are actively contacting the server.
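The following Python audit is an added example, not part of the Brocade manual: it parses `show interfaces openvpn vtunN` output and checks it against the rules stated for client-server mode (TLS required, no remote-host on the server, server tunnel address is the first host of the server subnet). The dh-file check on the passive side is inferred from the remark that the active endpoint does not need it; the function names, the sample V1 configuration and its file paths are constructed for illustration.

```python
import ipaddress

def parse_vtun(text):
    """Parse brace-nested 'show interfaces openvpn vtunN' output (balanced braces assumed)."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("vyatta@"):
            continue  # skip blank lines and the prompt/command line
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def audit(cfg):
    """Return a list of findings for one endpoint; an empty list means no rule is violated."""
    findings = []
    tls = cfg.get("tls") or {}
    server = cfg.get("mode") == "server"
    if server and not tls:
        findings.append("server mode requires a tls block")
    if server and "remote-host" in cfg:
        findings.append("remote-host is set on a server")
    if server and "subnet" not in (cfg.get("server") or {}):
        findings.append("server subnet is not set")
    # The server is always passive; otherwise the role comes from 'tls role'.
    passive = server or tls.get("role") == "passive"
    for opt in ("ca-cert-file", "cert-file", "key-file"):
        if tls and opt not in tls:
            findings.append("tls " + opt + " is missing")
    if tls and passive and "dh-file" not in tls:
        findings.append("passive endpoint has no tls dh-file")
    return findings

def server_tunnel_address(cfg):
    """First host of the server subnet, which is the server's own vtun address."""
    return str(next(iter(ipaddress.ip_network(cfg["server"]["subnet"]).hosts())))

# Constructed sample: a V1 server config with two mistakes (paths are placeholders).
BAD_V1 = ("mode server\nremote-host 12.34.56.78\nserver {\n  subnet 192.168.200.0/24\n}\n"
          "tls {\n  ca-cert-file /config/auth/ca.crt\n  cert-file /config/auth/V1.crt\n"
          "  key-file /config/auth/V1.key\n}")

if __name__ == "__main__":
    cfg = parse_vtun(BAD_V1)
    print(audit(cfg), server_tunnel_address(cfg))
```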
Brocade 5600 vRouter OpenVPN Reference Guide
53-1003719-03
