OpenVPN Configuration

Table of Contents
OpenVPN Configuration
Requirements
General OpenVPN Setup
Authentication
Logging Options
Manage VPN Certificates
FAQs and Error Messages
Additional Information

Open the OpenVPN dialog to configure the camera's OpenVPN client settings.

For more information about OpenVPN, visit the OpenVPN Community website.

Requirements

Creating an OpenVPN connection requires a corresponding server, which provides secure access to the camera. To do so, you could run your own OpenVPN server or use the service from an OpenVPN provider.

General OpenVPN Setup

Parameter

Description

OpenVPN

Enables or disables the OpenVPN client.

Server Address

Enter the address to which the OpenVPN client will connect.

Server Port

Enter the port on which the OpenVPN server listens for incoming connections.

(OpenVPN option --rport port)

Encryption

Select the encryption cipher to use.

The available ciphers are those provided by the OpenSSL library.

For additional information on this topic, see the following websites:

Communication Protocol

Depending on the OpenVPN server settings, you can choose UDP or TCP.

LZO Compression

Use this option to enable LZO data compression. For more information about LZO, see www.oberhumer.com.

Maximum Fragment Size

UDP only! Limits the size of the data fragments sent through the tunnel to n bytes. This can help prevent the fragmentation of UDP packets.

(OpenVPN option --fragment max)

mssfix Size

UDP only! Improves TCP connections running through the UDP tunnel by limiting the size of the TCP segments (maximum segment size).

(OpenVPN option --mssfix max)

TUN Device MTU

Set the MTU of the TUN device in use. The appropriate value depends on the type of connection.

(OpenVPN option --tun-mtu n)

MTU Test

UDP only! This test helps to find suitable MTU parameters. Do not leave it enabled in normal operation.

Ping Interval

Sends a ping to the remote server over the tunnel if no packets have been sent for at least n seconds. This option keeps the tunnel open if the connection between the camera and the server passes through a stateful inspection firewall.

(OpenVPN option --ping n)

Ping Restart

If the remote server has not sent a ping or any other packet for more than n seconds, the OpenVPN client on the camera restarts the connection. (OpenVPN option --ping-restart n)

Renegotiation

Renegotiates the data channel key after n seconds (default is 3600s). Once the timeout is reached on either the server or the client side, the camera starts the renegotiation process. Setting this value to 0 disables client-side renegotiation.

(OpenVPN option --reneg-sec n)

Authentication

Parameter

Description

VPN Certificates

If the private key is protected by a passphrase, enter the corresponding passphrase in this field. The key files can be managed in the Manage VPN Certificates dialog.

VPN User Name

Enter the OpenVPN user name in this field.

(OpenVPN option --auth-user-name)

VPN Password

Enter the OpenVPN password in this field.

(OpenVPN option --auth-user-pass)
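The fields of the General OpenVPN Setup and Authentication tables correspond to directives of a standard OpenVPN 2.x client configuration file. As an added illustration (not MOBOTIX code; the camera builds its configuration internally from the dialog), this is how the same settings would read in such a file, with constructed placeholder values. It is useful as a reference when checking that the server side accepts what the camera sends.

```conf
# Added example with constructed values; not generated by or taken from the camera.
client
dev tun                    # point-to-point (routing) mode, see FAQ 1
proto udp                  # Communication Protocol (UDP or TCP, as the server expects)
remote vpn.example.com     # Server Address (placeholder)
rport 1194                 # Server Port (--rport)
cipher AES-256-CBC         # Encryption; must be one the server accepts
comp-lzo                   # LZO Compression; must match the server (see error 6)
fragment 1300              # Maximum Fragment Size, UDP only (--fragment)
mssfix 1300                # mssfix Size, UDP only (--mssfix)
tun-mtu 1500               # TUN Device MTU (--tun-mtu)
ping 10                    # Ping Interval (--ping)
ping-restart 60            # Ping Restart (--ping-restart)
reneg-sec 3600             # Renegotiation, default 3600 s (--reneg-sec)
ca ca.pem                  # Manage VPN Certificates: Certificate Authority (CA) Certificate
cert client.pem            # Manage VPN Certificates: Client Certificate
key client.key             # Manage VPN Certificates: Client Key (passphrase set in the dialog)
auth-user-pass             # VPN User Name / VPN Password (--auth-user-pass)
verb 4                     # VPN Logging Level 4: full status information
```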

Logging Options

Parameter

Description

VPN Logging Level

  • 0: No output except fatal errors

  • 1: Small amount of status information

  • 2: More status information, e.g., certificate and encryption status

  • 3: Even more status information

  • 4: Full status information

Manage VPN Certificates

The Manage VPN Certificates dialog manages the certificates that are used to establish OpenVPN connections.

To authenticate the server against the camera, a certificate from a Certificate Authority (CA) is required. In addition, it is possible to use an RSA-based public/private key pair to authenticate the camera against the server.

Parameter

Description

Certificate Authority (CA) Certificate

Use this section to store a new certificate from a CA in the camera.

Upload: Uploads a certificate in .PEM format to the camera.

Delete: Removes the certificate.

Client Certificate

Use this section to store a new public key in the camera for authenticating the camera against the server.

Upload: Uploads a certificate in .PEM format to the camera.

Delete: Removes the certificate.

Client Key

The private key contains the secret part of the public/private key authentication scheme. Use this section to store a new private key in the camera.

Upload: Uploads a private key in .PEM format to the camera.

Delete: Removes the private key.

To enter the Passphrase, go back to the OpenVPN dialog.

FAQs and Error Messages

Frequently Asked Questions

1. Which types of VPN are supported?

This implementation currently supports the OpenVPN protocol in point-to-point mode (routing).

2. Which type of encryption is used?

You can select different encryption ciphers depending on the requirements of the server.

3. How can I recognize whether a connection is valid?

The VPN log file should contain the message "Initialization Sequence Completed".

4. Why aren't the certificates accepted by the server?

  • Make sure that the client and the server are using the same time (e.g., by using a common time server, see Time & Date).

  • Make sure that the Certificate Authority (CA) matches the values of the client certificate.

  • Make sure that the modulus of the client certificate and that of the client key are identical.

Error Messages

1. The camera cannot establish a connection to the OpenVPN server.

  • Set the VPN Logging Level to 4 and check the output.

  • Make sure that the client and the server are using the same time (e.g., by using a common time server, see Time & Date).

  • Make sure that the client and the server are in the same subnet.

2. TLS ERROR

  • Did you upload all certificates?

  • Are the certificates the proper ones for the server?

  • Make sure that the Certificate Authority (CA) matches the values on the server.
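The certificate checks behind FAQ 4 and the TLS ERROR entry above can be run on a workstation with the openssl command line before the files are uploaded to the camera. The following pre-flight script is an added example, not MOBOTIX code; it assumes the openssl CLI is installed and that the default openssl.cnf marks a self-signed certificate as a CA, and the demo PKI it creates is constructed test material.

```sh
#!/bin/sh
# Pre-flight checks for an OpenVPN client certificate set (added example, not
# MOBOTIX code). Covers the points of FAQ 4 / TLS ERROR: the validity window
# (which a wrong camera clock breaks), the CA signature on the client
# certificate, and the certificate/key modulus match. Requires the openssl CLI.

# check_vpn_certs CA_PEM CLIENT_CERT_PEM CLIENT_KEY_PEM [VERIFY_EPOCH]
# Exit status: 0 all good; 1 certificate is outside its validity window at the
# given time or was not issued by this CA; 2 certificate and key do not match.
check_vpn_certs() {
    ca=$1; cert=$2; key=$3; at=${4:-}
    # openssl verify checks both the CA signature and the notBefore/notAfter
    # window. -attime replays the check as seen by a clock that is off.
    if [ -n "$at" ]; then
        openssl verify -CAfile "$ca" -attime "$at" "$cert" >/dev/null 2>&1 || return 1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    fi
    # The RSA modulus printed for the certificate and for the key must be
    # identical; hashing keeps the comparison short. A passphrase-protected
    # key needs an additional -passin argument here.
    cmod=$(openssl x509 -in "$cert" -noout -modulus | openssl md5)
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl md5)
    [ "$cmod" = "$kmod" ] || return 2
}

# make_demo_pki DIR: constructed test material, not a real deployment. Creates
# a throwaway CA (the default openssl.cnf marks the self-signed certificate as
# CA:TRUE), a client certificate issued by it, and an unrelated RSA key.
make_demo_pki() {
    dir=$1; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=camera01" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/client.pem" 2>/dev/null
    openssl genrsa -out "$dir/wrong.key" 2048 2>/dev/null
}

# Usage: make_demo_pki /tmp/vpnpki && check_vpn_certs /tmp/vpnpki/ca.pem \
#        /tmp/vpnpki/client.pem /tmp/vpnpki/client.key; echo "status $?"
```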

3. No client-side authentication method is specified.

  • Did you upload the client key and the client certificate?

  • Did you enter both the VPN user name and the corresponding password?

  • After uploading the client certificate, make sure that you click again on the Set button in the OpenVPN Configuration dialog.

4. Network is unreachable, Check your network connectivity.

  • Make sure that you can reach the specified IP address of the server.

  • Can you establish a connection to the server (ping)?

  • Did you set the correct communication protocol (UDP/TCP)?

5. HOST_NOT_FOUND, Cannot resolve host address, The specified host is unknown

  • Make sure that the server name resolves properly (e.g., using nslookup).

  • Did you enter the server name properly?

  • Has the server name been properly entered at the DNS service?

6. Write to TUN/TAP: Invalid argument (code=22)

Make sure that you are using the same settings for LZO Compression on the server and the client.

Additional Information

Storing the Configuration

Click on the Set button to activate your settings and to save them until the next reboot of the camera.

Click on the Factory button to load the factory defaults for this dialog (this button may not be present in all dialogs).

Click on the Restore button to undo your most recent changes that have not yet been stored permanently in the camera.

Click on the Close button to close the dialog. While closing the dialog, the system checks the entire configuration for changes. If changes are detected, you will be asked if you would like to store the entire configuration permanently.


© 2001-2024 MOBOTIX · https://www.mobotix.com