OpenVPN Setup

Setup and Configure the 1NCE VPN Service.

This section will guide you through the setup process of the 1NCE VPN Service. First, a basic overview of the required configuration and credential files is given. In the second part, the default installation and setup of the service is listed in detail. Tips for testing the VPN Service can be found in the Testing VPN Connectivity section. For custom OpenVPN installs, advanced routing or specific application setups, refer to the OpenVPN Documentation.

Traffic Routing

Each 1NCE SIM has a fixed IP address allocated from the private IP space (RFC 1597). The connected VPN client is also assigned a static address from the private IP space. Please note that these addresses are not necessarily from the same subnet; this has no impact on functionality. The routes for all assigned SIM IP subnets are pushed during the initialization of the connection. The customer-specific traffic routing from the VPN terminating client to the specific application/server interfaces needs to be set up and configured by the customer and depends on the application case. An example of the IP routes pushed from the VPN server to the client is listed below. Please note that the IP addresses in the following examples are illustrative only and may differ from those in your configuration.

Linux Systems

TUN/TAP device tun0 opened 
net_iface_mtu_set: mtu 1390 for tun0 
net_iface_up: set tun0 up 
net_addr_ptp_v4_add: 10.64.80.2 peer 10.64.80.3 dev tun0 
net_route_v4_add: 10.64.0.1/32 via 10.64.80.3 dev [NULL] table 0 metric -1 
net_route_v4_add: 100.119.x.x/24 via 10.64.80.3 dev [NULL] table 0 metric -1
# ifconfig tun0 

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1390 
      inet 10.64.80.2  netmask 255.255.255.255  destination 10.64.80.3 
      inet6 fe80::175f:440:7635:a1d1  prefixlen 64  scopeid 0x20<link> 
      unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC) 
      RX packets 73  bytes 3504 (3.5 KB) 
      RX errors 0  dropped 0  overruns 0  frame 0 
      TX packets 97  bytes 4656 (4.6 KB) 
      TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
# route 

Kernel IP routing table 
Destination    Gateway         Genmask         Flags Metric Ref    Use Iface 
10.64.0.2      10.64.80.3    255.255.255.255 UGH   0      0        0 tun0 
10.64.80.3        0.0.0.0    255.255.255.255 UH    0      0        0 tun0 
100.119.x.x    10.64.80.3    255.255.255.0   UG    0      0        0 tun0
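To check that a given SIM address will actually be carried through the tunnel, the pushed routes can be read back from the client log and matched against the SIM IP. The following script is an added example (not part of the 1NCE documentation or the OpenVPN project); it parses log lines of the form shown above, does a longest-prefix match for a SIM address, and flags any pushed route whose gateway is not the tunnel peer. The sample log is constructed, and the masked 100.119.x.x subnet is assumed to be 100.119.10.0/24.

```python
import ipaddress
import re

# Constructed sample log, modelled on the Linux excerpt above; the addresses
# are illustrative (the page masks the SIM subnet as 100.119.x.x, here
# 100.119.10.0/24 is assumed).
SAMPLE_LOG = """\
TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1390 for tun0
net_iface_up: set tun0 up
net_addr_ptp_v4_add: 10.64.80.2 peer 10.64.80.3 dev tun0
net_route_v4_add: 10.64.0.1/32 via 10.64.80.3 dev [NULL] table 0 metric -1
net_route_v4_add: 100.119.10.0/24 via 10.64.80.3 dev [NULL] table 0 metric -1
"""

PTP_RE = re.compile(r"net_addr_ptp_v4_add: (\S+) peer (\S+) dev (\S+)")
ROUTE_RE = re.compile(r"net_route_v4_add: (\S+) via (\S+)")


def parse_pushed_routes(log_text):
    """Extract the tunnel point-to-point addresses and the pushed routes.

    Returns (tunnel, routes): tunnel is a dict with 'local', 'peer' and 'dev',
    routes is a list of (ip_network, gateway ip_address) tuples.
    """
    tunnel = None
    routes = []
    for line in log_text.splitlines():
        m = PTP_RE.search(line)
        if m:
            tunnel = {"local": m.group(1), "peer": m.group(2), "dev": m.group(3)}
            continue
        m = ROUTE_RE.search(line)
        if m:
            routes.append((ipaddress.ip_network(m.group(1), strict=False),
                           ipaddress.ip_address(m.group(2))))
    return tunnel, routes


def route_for(sim_ip, routes):
    """Longest-prefix match: the (network, gateway) that carries traffic to
    sim_ip through the tunnel, or None if no pushed route covers it."""
    addr = ipaddress.ip_address(sim_ip)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def check_tunnel_consistency(tunnel, routes):
    """Every pushed route should point at the tunnel peer; anything else means
    traffic for that subnet would not leave through the VPN interface."""
    if tunnel is None:
        return ["no tunnel address assigned (net_addr_ptp_v4_add line missing)"]
    peer = ipaddress.ip_address(tunnel["peer"])
    findings = []
    for net, gw in routes:
        if gw != peer:
            findings.append(f"route {net} via {gw}, expected tunnel peer {peer}")
    return findings


if __name__ == "__main__":
    tun, pushed = parse_pushed_routes(SAMPLE_LOG)
    print("tunnel:", tun)
    for sim in ("100.119.10.42", "10.64.0.1", "192.168.1.5"):
        print(sim, "->", route_for(sim, pushed))
    print("findings:", check_tunnel_consistency(tun, pushed))
```

Run it against a real client log by reading the file into `parse_pushed_routes` instead of `SAMPLE_LOG`; a SIM address that returns `None` will be routed by the host's default route rather than through tun0, which is the usual cause of "ping works from the VPN side but not the other way".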

Windows Systems

Notified TAP-Windows driver to set a DHCP IP/netmask of 10.64.80.2/255.255.255.252 on interface {ACF7A788-1EF1-43D2-9CE4-240945672EF6} [DHCP-serv: 10.64.80.2, lease-time: 31536000] 
Successful ARP Flush on interface [14] {ACF7A788-1EF1-43D2-9CE4-240945672EF6} 
MANAGEMENT: >STATE:1621401048,ASSIGN_IP,,10.64.80.2,,,, 
ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up 
MANAGEMENT: >STATE:1621401053,ADD_ROUTES,,,,,, 
C:\WINDOWS\system32\route.exe ADD 10.64.0.1 MASK 255.255.255.255 10.64.80.2 
Route addition via service succeeded 
C:\WINDOWS\system32\route.exe ADD 10.119.x.x MASK 255.255.252.0 10.64.80.2
Ethernet adapter Ethernet 2:  

   Connection-specific DNS suffix: 
   Link-local IPv6 Address          . : fe80::xxxx:xxxx:xxxx:xxxx 
   IPv4 Address  . . . . . . . . . . : 10.64.80.2 
   Subnet Mask   . . . . . . . . . . : 255.255.255.252 
   Default Gateway . . . . . . . . . :
IPv4 Routen Table 
=========================================================================== 
Active Routes: 
Network Destination        Netmask          Gateway        Interface Metric 
        10.64.0.1  255.255.255.255          10.64.80.3    10.64.80.1   4506 
       10.64.80.1  255.255.255.252          On-Link       10.64.80.1   4506 
       10.64.80.2  255.255.255.255          On-Link       10.64.80.1   4506 
       10.64.80.4  255.255.255.255          On-Link       10.64.80.1   4506 
       10.119.x.x    255.255.252.0          10.64.80.3    10.64.80.1   4506 
        224.0.0.0        240.0.0.0          On-Link       10.64.80.1   4506 
  255.255.255.255  255.255.255.255          On-Link       10.64.80.1   4506

Tunnel Interface

Connecting the VPN client on a PC or server creates a separate tunnel network interface. All mobile originated and mobile terminated data traffic is sent through this tunnel interface and routed according to the destination IP address. When using the 1NCE VPN Service, the device with the 1NCE SIM can reach the customer VPN endpoint by addressing the static IP of the client application. Conversely, the application server can reach each individual device by addressing the static IP of the SIM. For opening or pinging a server-to-SIM device connection, it is important that the SIM is attached to the network and the device modem has an active PDP data session open.

OpenVPN Configuration Files

Both the configuration and credential file can be downloaded from the configuration page of the 1NCE Connectivity Management Platform (CMP).

VPN Client File

When downloading the VPN configuration file (see extract below), two different file formats for Windows and Linux are available. The content of both files is almost identical; the only difference is the auth-user-pass entry. This line points the VPN client to the credentials.txt file used to authenticate the user on the VPN server. The default path differs between the two operating systems and can be changed to suit the operating system or VPN client. The remote address and port of the VPN server should not be changed. Ensure that both the domain name and the given port are allowed in any firewall or access system so that a connection to the 1NCE VPN server is possible. The table below shows the default configuration provided by 1NCE. Some parameters can be adapted while others should not be changed. 1NCE does not recommend changing or altering the default configuration and does not guarantee that changes to the configuration will provide the expected connectivity.

Config Parameter (Default Value)

client
    Indicates that the client.ovpn file is a client configuration.

dev (default: tun)
    Virtual network device set to Tunnel (TUN), which simulates a network layer device and operates with layer 3 IPv4 and IPv6 packets. The tunnel interface name can be changed to tun<x>, where <x> is an integer.

proto (default: udp)
    Protocol setting for communicating with the remote host.

remote (default: <url> <port>)
    Remote host name or IP address, followed by the port.

resolv-retry (default: infinite)
    If hostname resolution fails for --remote, retry resolution for n seconds before failing.

nobind
    Do not bind to a local address and port. The IP stack will allocate a dynamic port for returning packets.

explicit-exit-notify (default: 3)
    Send the server an exit notification if the tunnel is restarted or the OpenVPN process exits. The value is the number of attempts the client will make to resend the exit notification.

keepalive (default: 5 30)
    Simplification of --ping and --ping-restart. Checks the current connection state by ICMP PING. Settings are <interval> <timeout>.

(user) (default: root)
    Change the user ID of the OpenVPN process after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. This option is only included in the client.conf file for Linux operating systems.

(group) (default: nogroup)
    Optional group to be the owner of this tunnel. This option is only included in the client.conf file for Linux operating systems.

persist-key
    Don't re-read key files across SIGUSR1 or --ping-restart.

persist-tun
    Don't close and reopen the TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts.

remote-cert-tls (default: server)
    Require that the peer certificate was signed with an explicit key usage and extended key usage based on RFC 3280 TLS rules.

verb (default: 3)
    Set output verbosity. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.

auth-nocache
    The VPN client will not cache the username and password needed for authentication in virtual memory. This prevents the log entry "WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this" upon connection establishment.

auth-user-pass (default: /etc/openvpn/credentials.txt)
    Authenticate with the server using the username/password from a file containing the username and password on 2 lines.

auth-retry (default: nointeract)
    Controls how OpenVPN responds to username/password verification errors, such as the client-side response to an AUTH_FAILED message from the server or verification failure of the private key password.

tun-mtu (default: 1500)
    Optional parameter for the Maximum Transmission Unit. In most cases, leave this parameter at its default value. In case of issues with HTTPS or SSH connections, try lowering this value.

certificates
    Certificates included in the config file.

More information about the configuration options can be found in the OpenVPN Reference Manual.

Password Cache Warning

If detailed logging is set up for the OpenVPN client, the following warning might appear when the OpenVPN client is started:

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this.

This warning can be avoided by adding the auth-nocache parameter to the OpenVPN client configuration file. This should usually have no side effects; nevertheless, the official documentation states:
"If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session."

VPN Credential File

The credentials.txt file downloaded from the CMP (see extract below) contains a user id as username and an access token as password for the 1NCE VPN server. The content of this file does not need to be modified. The location of this file needs to be set in the VPN Config File client.ovpn.

<customer_id>
<vpn_access_token>
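Before the first connection attempt it is worth checking that a client.ovpn still matches the defaults from the table above, that auth-nocache is present (see Password Cache Warning), and that the credentials.txt it points to has exactly two lines and is not readable by other local users. The following audit script is an added example, not code from 1NCE or the OpenVPN project; the sample config is constructed from the table, the remote host and port are placeholders, and the set of directives treated as fixed (proto, remote-cert-tls, auth-retry) is an assumption based on the page's advice not to alter the defaults.

```python
import os
import stat
import tempfile

# Values taken from the 1NCE default configuration table above; treating these
# three as fixed is an assumption based on the page's advice not to change them.
FIXED = {"proto": "udp", "remote-cert-tls": "server", "auth-retry": "nointeract"}
# Flag directives (no arguments) that must be present.
REQUIRED_FLAGS = ("client", "nobind", "persist-key", "persist-tun", "auth-nocache")


def parse_ovpn(text):
    """Map each directive to its argument list; inline <ca>..</ca> style
    blocks are recorded by name and their body skipped."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
            directives[line.strip("<>")] = ["<inline>"]
        elif not in_block:
            parts = line.split()
            directives[parts[0]] = parts[1:]
    return directives


def audit_credentials(path):
    """The credentials file must exist, hold exactly two lines (user id,
    access token) and not be readable by group or others."""
    if not os.path.isfile(path):
        return [f"credentials file not found: {path}"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"credentials file is readable by group/others (mode {oct(mode)})")
    with open(path) as fh:
        lines = [l.strip() for l in fh if l.strip()]
    if len(lines) != 2:
        findings.append("credentials file must contain exactly two lines: user id and access token")
    return findings


def audit_config(directives, base_dir):
    """Compare a parsed client.ovpn against the defaults; a relative
    auth-user-pass path is resolved against base_dir."""
    findings = [f"missing directive: {f}" for f in REQUIRED_FLAGS if f not in directives]
    for key, expected in FIXED.items():
        got = directives.get(key)
        if not got:
            findings.append(f"missing directive: {key}")
        elif got[0] != expected:
            findings.append(f"{key} is '{got[0]}', expected '{expected}'")
    if len(directives.get("remote", [])) < 2:
        findings.append("remote must give the 1NCE VPN host and port")
    cred = directives.get("auth-user-pass")
    if not cred:
        findings.append("auth-user-pass must point to the credentials file")
    else:
        findings.extend(audit_credentials(os.path.join(base_dir, cred[0])))
    return findings


# Constructed sample config following the table; host, port and CA are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote <1nce-vpn-host> <port>
resolv-retry infinite
nobind
explicit-exit-notify 3
keepalive 5 30
persist-key
persist-tun
remote-cert-tls server
verb 3
auth-nocache
auth-user-pass credentials.txt
auth-retry nointeract
tun-mtu 1500
<ca>
placeholder certificate body
</ca>
"""


def audit_text(ovpn_text, credentials_text, cred_mode=0o600):
    """Write config and credentials into a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        cred_path = os.path.join(d, "credentials.txt")
        with open(cred_path, "w") as fh:
            fh.write(credentials_text)
        os.chmod(cred_path, cred_mode)
        return audit_config(parse_ovpn(ovpn_text), d)
```

For a real installation, call `audit_config(parse_ovpn(open("/etc/openvpn/client.ovpn").read()), "/etc/openvpn")`; an empty result means the file matches the defaults and the credentials file is in place with owner-only permissions.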

Windows

The Windows platform is often used for testing on personal computers or in a Windows Server environment. In this section, the configuration of the 1NCE VPN Service for the Windows Operating System is shown.

Requirements

Besides the client.ovpn and the credentials.txt file downloaded from the 1NCE Connectivity Management Platform, a current version of the OpenVPN client for Windows needs to be installed. For this please download the latest version from the OpenVPN Download Portal.

Setup

For installing the OpenVPN Client, please follow the instructions of the Windows installer. The default settings configured by the installer should be fine. The client.ovpn and credentials.txt files need to be placed in the folder where the OpenVPN client expects to find configurations. For the Windows Operating System with a default OpenVPN install, this location is typically C:\Program Files\OpenVPN\config. For custom installations, please refer to the settings and information of the OpenVPN client.

After loading the configuration and starting OpenVPN, the 1NCE configuration will be loaded. If multiple configurations are present in OpenVPN, renaming client.ovpn to a custom filename will make differentiating the connections easier. The connection can be established by clicking on the System Tray icon of OpenVPN and clicking "Connect". Once a connection is established, the computer should be ready to ping and establish connections towards an active/connected 1NCE SIM with an open PDP data session. The VPN connection can be terminated by clicking "Disconnect" in the OpenVPN menu.

The logs of the VPN connection are typically located in C:\Program Files\OpenVPN\log\client.txt. Please refer to the log for debugging purposes.

Linux/Mac OS

The basic setup of the VPN client is comparable to the Windows environment, but the OpenVPN client software is dependent on the OS.

Requirements

As Mac OS and especially Linux come in many flavors, we suggest installing a recommended OpenVPN client for the system in use. For Mac OS users we can recommend Tunnelblick. On a Linux system the OpenVPN client can usually be installed using the package manager of the distribution (e.g. apt-get on Ubuntu or Debian). For further information, refer to an OpenVPN guide for the relevant OS. The client.ovpn and credentials.txt files are identical for the Linux/Mac OS setup and can be downloaded from the 1NCE CMP.

Setup

After installing an OpenVPN client, the client configuration and credential file need to be imported into that client. In client.ovpn, the location of the credentials.txt file needs to be set. An often used default location for client.ovpn and credentials.txt on Linux systems is /etc/openvpn. Please copy both files to this location and set the auth-user-pass path accordingly. For Mac OS, follow the instructions of Tunnelblick to import both configuration files.
Tunnelblick can be started via the user interface in the system tray. The connection status and log can be observed in the application window.
For Linux, please refer to the documentation of the specific distribution to see how to start, use and monitor the OpenVPN client.
