How to set up an SSL VPN Server on an Omada Router in Standalone mode?

ER8411
Recent updates may have expanded access to the features discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region and certain models may not be available in your region.
User’s Application Scenario
SSL VPN lets you define which resources each user is permitted to access, which improves management of the entire network. Based on the following network topology, create three accounts with different permissions on the SSL VPN server to meet different requirements.
Account 1: VPN Client implements proxy Internet access through VPN Server;
Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30;
Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.
Configuration
Step 1. Create the VPN IP Pool.
When a VPN client requests a connection, the VPN server assigns it a virtual IP address from the VPN IP Pool. Go to Preferences --> VPN IP Pool and click Add.
On the popup page, set IP Pool Name to SSL_VPN, Starting IP Address to 10.10.10.10 and Ending IP Address to 10.10.10.100, then click OK to save the settings. You may set the values according to your network.
Step 2. Enable SSL VPN Server.
Go to SSL VPN --> SSL VPN Server and check Enable. On the popup page, set Service port to WAN/LAN4 and set Virtual IP Pool to SSL_VPN, the pool created in Step 1. Set the Primary DNS to 8.8.8.8 (you can set it according to your needs), then click Save to save the settings.
Step 3. Create Tunnel Resources.
Go to SSL VPN --> Resource Management --> Tunnel Resources and click Add to create two tunnel resources. On the popup page, AllowVLAN20 uses IP addresses to limit resources; AllowICMP uses the ICMP protocol to limit resources.
Step 4. Create Resource Group.
Go to SSL VPN --> Resource Management --> Resource Group and click Add to apply the two tunnel resources created in Step 3 to two different resource groups.
Note: There are two default resource groups, Group_LAN and Group_ALL. Group_LAN refers to all devices behind the Server, and Group_ALL also includes resources for accessing the Internet.
Step 5. Create User Group.
Go to SSL VPN --> User Management --> User Group and click Add to create three user groups. Apply different resource groups to the three user groups according to the different permissions of the three accounts. Note that if you want the client to have proxy Internet access, select Group_ALL as the resource group.
Step 6. Create User.
Go to SSL VPN --> User Management --> User and click Add to create three user accounts. Each account corresponds to a different user group, and you can set the Username and Password according to your needs.
Here, we created the following three accounts based on the resource permissions of the three accounts described above:
Step 7. Export Certificate.
Go to SSL VPN --> SSL VPN Server and click Export Certificate to export the configuration file. The client can connect to the server using this configuration file.
Verification process
Use the OpenVPN GUI on the client to import the configuration file, then enter the corresponding username and password to connect.
Account 1: VPN Client implements proxy Internet access through VPN Server;
After a successful connection, the server assigns the VPN client the IP address 10.10.10.11. When the client accesses 8.8.8.8, the first hop is the VPN tunnel. Because the data is encrypted, the corresponding IP address cannot be resolved. The second hop is the default gateway of the VPN Server, and all of the client's traffic goes through the VPN tunnel to achieve proxy Internet access.
Go to SSL VPN --> Status, where information about the client connection is also displayed.
Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30
After a successful connection, the server assigns the VPN client the IP address 10.10.10.12. The VPN client can ping the device in VLAN 20 (192.168.20.100), but cannot ping the device in VLAN 30 (192.168.30.100). The management interface of the router can also be accessed through 192.168.20.1.
Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.
After a successful connection, the server assigns the VPN client the IP address 10.10.10.13. The VPN client can ping the device in VLAN 20 (192.168.20.100) and the device in VLAN 30 (192.168.30.100), but the management interface of the router cannot be accessed through 192.168.20.1.
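The checks in this verification section can be repeated after every policy change with a small script run on the connected client. The following is an added example, not TP-Link code: the account labels, the target string format and the use of TCP port 443 for the router's management interface are assumptions, and only the results this page states are encoded.

```python
import platform
import socket
import subprocess
import sys

# Expected reachability per account, taken from the verification section.
# Probes the page does not state for an account are left out, not guessed.
# Assumption: the management interface answers on TCP 443 at 192.168.20.1.
EXPECTED = {
    "account1": {"icmp:8.8.8.8": True},
    "account2": {"icmp:192.168.20.100": True, "icmp:192.168.30.100": False,
                 "tcp:192.168.20.1:443": True},
    "account3": {"icmp:192.168.20.100": True, "icmp:192.168.30.100": True,
                 "tcp:192.168.20.1:443": False},
}

def probe(target, timeout=3):
    """Run one live probe: 'icmp:<host>' or 'tcp:<host>:<port>'."""
    kind, _, rest = target.partition(":")
    if kind == "icmp":
        windows = platform.system() == "Windows"
        try:
            r = subprocess.run(["ping", "-n" if windows else "-c", "2", rest],
                               capture_output=True, timeout=15)
        except (subprocess.TimeoutExpired, OSError):
            return False
        # Windows ping can exit 0 on "unreachable" replies; require a TTL.
        return r.returncode == 0 and (not windows or b"TTL=" in r.stdout)
    host, _, port = rest.rpartition(":")
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

def audit(account, observed=None):
    """Compare reachability with the policy; return a list of deviations."""
    findings = []
    for target, allowed in EXPECTED[account].items():
        seen = observed[target] if observed is not None else probe(target)
        if seen and not allowed:
            findings.append(f"OVER-PERMISSIVE: {account} reached {target}")
        elif allowed and not seen:
            findings.append(f"BROKEN: {account} could not reach {target}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2 or sys.argv[1] not in EXPECTED:
        sys.exit("usage: vpn_audit.py account1|account2|account3")
    problems = audit(sys.argv[1])
    print("\n".join(problems) or "policy enforced as configured")
    sys.exit(1 if problems else 0)
```

An OVER-PERMISSIVE finding means a resource group grants more than intended and is the result to treat as a security defect; a BROKEN finding points to a connectivity or configuration problem.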
For more details on each function and its configuration, go to the Download Center to download the manual for your product.
Related FAQs
- How to configure IPSec LAN to LAN VPN for multiple subnets using the new GUI
- How to access the internet by using VPN Server as a proxy gateway
- What to do if you cannot access the remote network through Client-to-LAN/Site VPN tunnel
- How to set up PPTP & L2TP VPN Server with Omada Gateway in Controller Mode