44.2. Preparing the configuration on the Intra2net system

44.2.1. Create certificate

The Intra2net system requires its own private key with a X.509 certificate to accept VPN connections from clients. This single key can easily be used for all VPN connections. Technically it would be possible to use this key also for SSL/TLS connections. However, certificates used for this purpose typically have a short validity period, which is why a dedicated key is usually the better choice for VPN connections.

Some VPN clients require a CA signed certificate, so we recommend setting up a CA signed certificate as described below from the very beginning.

  1. The Intra2net system should be addressable for the VPN clients via a DNS name on the Internet.

    If the Intra2net system has a static IP, set up a DNS entry for it in your own official domain. The system can then be reached under a name such as intra.company.com or mail.example.com. This can normally be set up free of charge and promptly by the web space provider that hosts the domain.

    If the Intra2net system is assigned a different IP for each Internet dial-up, a DynDNS service must be set up for addressing. See Section 11.13, „DynDNS“.

    A static IP cannot be used directly with some VPN clients without a DNS name. In addition, changing the IP when changing providers is costly. We therefore recommend to use only DNS names and no IPs for addressing.

  2. Go to the menu Network > DNS > Settings and enter this externally accessible DNS name in the field Full hostname for connections from the Internet.

  3. Go to the menu System > Keys > Own keys and create a new, self-signed certificate.

  4. Name the key VPN-CA or similar and also enter this as computer name. Enter NOT the DNS hostname of the Intra2net system as host name. We recommend a validity period of 5 years. Let the key be generated.

  5. Create another new self-signed certificate. Give the key the name "VPN" and then append the external DNS host name of your Intra2net system, e.g. VPN myintra.dyndns.org. Enter the external DNS host name under Computer name (CN). To prevent ID conflicts with certificates used for TLS, enter for example VPN under Department (OU). Create the key.

  6. Change to the tab CA for the just created key. Sign this key with the previously generated VPN-CA key.

  7. Go to the menu Services > VPN > Settings and configure the just created and signed server certificate as default.

44.2.2. Default settings for new connections

In the menu Services > VPN > Settings you can define the default settings for newly created VPN connections.

Server certificate and server address must be configured as described in Section 44.2.1, „Create certificate“.

Select a firewall ruleset that allows the needed access to the local network that is desired for VPN clients.

Each VPN client is assigned an individual, virtual IP for the VPN connection. This IP must lie outside of all local networks, routings and other VPN connections. Enter the IP for the first VPN client under Base IP address for single devices. All other VPN clients will receive consecutive IPs.