Skip to end of metadata
Go to start of metadata

This guide describes connecting the 2N IP intercom, 2N® Access Unit, 2N® Access Unit 2.0 or 2N® LTE Verso (2N device), that is already connected to the Internet, to the user’s remote LAN.

This connection creates network bridge and thus enables connection to 2N device in the same way as it would be in the local network (2N device obtains IP address from local network DHCP where OpenVPN server is, uses network protocols like ARP, can perform broadcast and so on).

Connected 2N device can then be used as usual (for calls, video surveillance of its IP camera, 2N® Access Commander connection , etc..) as it was in same local network.

Device which is in same local network as 2N OpenVPN server does not need to connect to VPN, since all devices connected over VPN will have local network IP addresses from local DHCP. Solution is designed for OpenVPN to be installed on Linux.

VPN connection is pushed through stunnel for additional level of security.

Disclaimer

Icon

Please note that this guide and its content is provided "as is" without warranty of any kind, express or implied.

Therefore by using it you hereby agree with the use of the guide content and are aware of all and any functionality

limitations and consequences associated with the nature of this content, and by using it you also agree that this guide

has been provided without any guarantee and that 2N TELEKOMUNIKACE a.s. shall not be held liable for function limitations, security limitations or damage, if any, incurred as a result of using this guide.

You acknowledge that 2N TELEKOMUNIKACE a.s. provides the guide content for limited purpouse.

Please also note that various Linux distributions or versions may not accept all commands shown in this guide and 2N TELEKOMUNIKACE a.s. does not provide support for Linux.

Icon

OpenVPN server is designed to connect 2N devices exclusively, 3rd party devices or software may not be able to connect properly

 

 


Requirements:

 

Icon
  1. Public IP address at the router on local network side where OpenVPN server is, accessible from the Internet with a possibility of redirecting TCP port 443 to LAN (DMZ for OpenVPN server optional).
  2. DHCP at the local network side where OpenVPN server is.
  3. Linux PC running OpenVPN server (virtualization optional).
  4. OpenVPN server
  5. Stunnel4
  6. bridge-utils
  7. lshw
  8. openssl
  9. Firmware 2.31 or never in 2N device
  10. Intel PRO/1000T Server compatible network controller
  11. Promiscuous Mode enabled on network controller
  12. Required IT knowledge: Linux command line (bash), bash scripting, certificates, SSL, networking, VPN

Network topology

In case you cannot put OpenVPN server machine to DMZ and you need to use standard LAN and private address, you need to setup port forwarding so incoming connections from internet to OpenVPN server reach target machine. You will also need to allow such communication on router's firewall

1) Configure the local network on its router –  set DHCP IP reservation for OpenVPN server virtual machine (based on MAC address of virtual machine's ethernet port). DHCP server will always assign this machine same IP address.

2) Configure port forwarding if needed - forward public port to port 443 TCP on IP address assigned by DHCP for OpenVPN server.

Choose public port number above 1024 TCP to avoid using privileged ports.

See picture below:

 

2N OpenVPN server installation:

All examples shown in this article require to be run with elevated rights, either login as root or use proper command to gain required rights.

1) .On Linux machine, deploy following applications: stunnel4, openvpn, bridge-utils, lshw.

Example for Debian 10

Icon

apt-get install -y stunnel4 openvpn bridge-utils lshw >/dev/null

 

2) Create certificates for OpenVPN. You need server certificate, server key, ca and intercom certificate with intercom key. Then you need to put those certificates to correct folders for stunnel,openvpn and intercoms.

To make script run , you need to save it in EOL conversion to UNIX and encoding UTF-8 format, then upload it and apply chmod a+x to make script executable.

Example script for Debian 10

Icon

This script will generate unique certificates each time it is run and put them in /tmp/certs folder. Then it moves all required certificates to appropriate folders.

It also generates client certificates for IP Intercoms / Access Units and place them to folder /root/certs from where you can download them.

In order to run the script, please place it to .sh file and add neccessary privileges so you can execute the file.

Alternatively you can avoid using the script and create certificates and folders manually.

Password to intercom.key in this example is set to Test1234

Due to security we recommend to create your own certificates with own password and settings, use this example as a reference only. 2N TELEKOMUNIKACE a.s. does not hold any responsibility if example certificates will not be secure enough.

 

3) Now you need to setup stunnel configuration.

Example for Debian 10

Icon

Commands to run from command line

 

4) Next step is to configure OpenVPN service

Example for Debian 10

Icon

Commands to run from command line

 

5) OpenVPN service requires also to configure up.sh and down.sh scripts and give then proper file rights.

Example for Debian 10

Icon

Commands to run from command line

6) Then it is needed to bridge network traffic properly (do not run commands in this step over SSH as they include bringing ETH interface down which will result in connection loss)

Example for Debian 10

Icon

Commands to run from command line



7) Restart OpenVPN and asociated services

Example for Debian 10

Icon

Commands to run from command line

8) Check if stunnel and openvpn service are running with command run from command line, otherwise repeat step 7

lsof -i 4


9) If firewall is installed, enable ports 1149 and 443 to be accepted(example configuration uses TCP protocol for OpenVPN)

Example for UFW

Icon

ufw allow 1149/tcp

ufw allow 443/tcp

systemctl restart ufw

 

 

2N IP Intercoms, 2N® LTE Verso, 2N® Access Unit

In order to connect 2N IP device to 2N OpenVPN server, you need to upload certificates downloaded from OpenVPN server to 2N IP device and configure OpenVPN connection in 2N device. After successful connection, 2N device will receive DHCP address from local network where 2N OpenVPN server is and will appear to local network as local device.

1) Login to 2N device you want to connect to 2N OpenVPN server over internet

2) Go to System – Certificates

3) Upload ca.crt file to Trusted certificates:

4) Upload intercom.crt and intercom.key files to User Certificates:

 

So finally it looks like that:

 

Icon

You will use same client certificates for every 2N device connecting to this VPN.

 

5) Go to  System – Network – OpenVPN and set following:

    • Enabled: Yes
    • Default Interface: No
    • Server Address:  Public IP (which belongs to router where 2N OpenVPN server is)
    • Server Port: Public Port (port used for forwarding on router where 2N OpenVPN server is - for example 1443)
    • Trusted Certificate: 1
    • Client Certificate: 1
Icon

Set Default interface parameter to Yes if 2N device connected via VPN is supposed to communicate outside local network connected over VPN.

Otherwise, 2N device will route such traffic via its own connection and will not route it to VPN. 

 

6) Save your settings

7) Press START button to connect to 2N OpenVPN server

2N Device now should be able to initiate connection to 2N OpenVPN server and will receive new IP address from DHCP in local network where 2N OpenVPN server is.