Configuring a connection to a VPN client (V2 service/K5 client certificate)

This section explains the procedure for configuring a (V2 service) connection to a VPN client.

Note:

This procedure has been confirmed using the following SSL-VPN client PC environment.

  • OS: Windows 7 Professional 64-bit, Japanese Version
  • VPN Client: OpenVPN 2.3.12

Note: In this procedure, OpenSSL 1.1.0 is used to convert the format of the certificates.

  1. Download the intermediate certificate and the root certificate to be used to create the CA certificates.

    Download the intermediate certificate and the root certificate from http://rms-digicert.ne.jp/howto/basis/digicert-root-certificates.html.

    Intermediate certificate: [DigiCert SHA2 High Assurance Server CA]

    Root certificate: [DigiCert High Assurance EV Root CA]

  2. Execute the following commands to convert the format of the downloaded certificates.
    $ openssl x509 -in <Intermediate Certificate Name> -inform DER \
        -out <Intermediate Certificate Name (Optional)>
    $ openssl x509 -in <Root Certificate Name> -inform DER \
        -out <Root Certificate Name (Optional)>
  3. Execute the following command to confirm that the conversion was successful.
    $ ls -l

    Confirm that the certificates are displayed as follows.

    <Intermediate Certificate Name>
    <Root Certificate Name>
  4. Merge the intermediate certificate and the root certificate.

    Copy the content of the certificates to a text editor.

    Note:
    • Using a text editor, open the two PEM format certificate files that you created.

    • Copy the displayed information which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----" from each file, and paste the information from both files into a new text file.

    • Confirm that the content of the created text file is as follows.

    -----BEGIN CERTIFICATE-----
    Content of the Intermediate Certificate File (in PEM Format)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Content of the Root Certificate File (in PEM Format)
    -----END CERTIFICATE-----

    Save the text file under any file name, using the file extension ".crt".
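    The following is an added example, not part of the K5 documentation or the OpenVPN project, showing what steps 2 to 4 amount to in plain Python: "openssl x509 -inform DER" writes the same certificate as PEM (the DER bytes base64-encoded between BEGIN/END CERTIFICATE markers), and the merged CA file is the intermediate PEM followed by the root PEM. The two DER inputs below are constructed minimal DER SEQUENCEs standing in for the downloaded files, not real DigiCert certificates, and the code only checks the merge (block count, order, decodability); it does not validate the chain.

```python
# Added example (not from the K5 documentation): steps 2 to 4 in plain Python.
# A PEM certificate is the DER bytes base64-encoded between BEGIN/END markers,
# and the CA bundle of step 4 is the intermediate PEM followed by the root PEM.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.S,
)


def der_object_length(der: bytes) -> int:
    """Total length (tag + length bytes + content) of the outer DER SEQUENCE.

    A certificate is a DER SEQUENCE, so the first byte must be 0x30. Raises
    ValueError otherwise, which catches the common mistake of feeding a PEM
    file (starting with '-') to the DER conversion.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def is_complete_der(der: bytes) -> bool:
    """True when the data is exactly one DER SEQUENCE with no trailing bytes."""
    try:
        return der_object_length(der) == len(der)
    except ValueError:
        return False


def der_to_pem(der: bytes) -> str:
    """Equivalent of `openssl x509 -inform DER -in x.cer -out x.pem`."""
    if not is_complete_der(der):
        raise ValueError("input is not a complete DER certificate")
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # 64-column wrap like OpenSSL
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_certificates(pem: str) -> list:
    """Decode every CERTIFICATE block in a PEM string, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(pem)]


def build_ca_bundle(intermediate_pem: str, root_pem: str) -> str:
    """Step 4: intermediate certificate first, root certificate second."""
    for name, pem in (("intermediate", intermediate_pem), ("root", root_pem)):
        if len(pem_certificates(pem)) != 1:
            raise ValueError(f"{name} file must contain exactly one certificate")
    return intermediate_pem.rstrip("\n") + "\n" + root_pem.rstrip("\n") + "\n"


def bundle_matches(bundle: str, expected_ders: list) -> bool:
    """Round-trip check: the bundle decodes to exactly these DER blobs, in order."""
    return pem_certificates(bundle) == list(expected_ders)


# Constructed stand-ins for the two downloaded DER files: minimal valid DER
# SEQUENCEs (SEQUENCE { INTEGER n }), not real DigiCert certificates.
INTERMEDIATE_DER = bytes.fromhex("3003020101")
ROOT_DER = bytes.fromhex("3003020102")

if __name__ == "__main__":
    ca_bundle = build_ca_bundle(der_to_pem(INTERMEDIATE_DER), der_to_pem(ROOT_DER))
    print(ca_bundle, end="")
    print("bundle order ok:", bundle_matches(ca_bundle, [INTERMEDIATE_DER, ROOT_DER]))
```

    With real files, read each downloaded .cer as bytes, pass it to der_to_pem, and write the result of build_ca_bundle to ca.crt; bundle_matches then confirms that the file decodes to the two original certificates in the required order, which is the check the "Confirm that the content ... is as follows" step asks you to make by eye.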

  5. Issue the client certificate.

    For details on issuing a client certificate, refer to "3.3.5.1 Issue a Certificate for Authentication" in the "K5 Portal User Guide".

    Warning:

    Be sure to create a unique client certificate for SSL-VPN connection for each user.

    It is not possible for multiple users to use the same certificate for SSL-VPN connection at the same time.

    When there are multiple users, obtain as many certificates as there are users from the K5 portal.

  6. Convert the client certificate format.

    For details on converting client certificate formats, refer to "Converting certificate formats".

    The SSL-VPN client (OpenVPN) explained in this chapter can use the "Encrypted private keys" and the "Unencrypted private keys" described in "Converting certificate formats".

  7. Install OpenVPN.

    Download the installer from https://www.openvpn.jp/download/, and then perform installation.

    For details on the installation procedure, refer to the "Features Handbook" > "Appendix" > "Setup of an OpenVPN Client (Windows)".

  8. Edit the client configuration file.

    Copy the file client.ovpn from the sample-config folder in the installation directory to the config folder.

    The CA certificate file, the client certificate, and the private key created in this procedure must also be saved in the config folder.

    Open client.ovpn in the config folder using a text editor, and edit it as follows.

    • Lines beginning with "proto"

      proto tcp
    • Lines beginning with "remote"

      remote [Connection Target Server Address (Global IP Address of the SSL-VPN Connection Resource)] [Connection Target Port (443)]
    • Lines beginning with "ca"

      ca <CA Certificate Name>
    • Lines beginning with "cert"

      cert <Client Certificate Name>
    • Lines beginning with "key"

      key <Client_private_key_name>
    • Lines beginning with "comp-lzo"

      #comp-lzo
    • Lines beginning with "cipher"

      cipher AES-128-CBC
    • Lines beginning with "http-proxy" (Specified when connecting using an HTTP proxy server)

      http-proxy <HTTP Proxy Server Address> <HTTP Proxy Server Port Number> stdin basic

      stdin: You will be prompted for the proxy user name and password when connecting to the HTTP proxy server.

      basic: Basic authentication is used as the proxy authentication method.

    Note: Example of the edited lines:

    proto tcp
    remote xxx.xxx.xxx.xxx 443
    ca ca.crt
    cert client.crt
    key client.key
    #comp-lzo
    cipher AES-128-CBC
    http-proxy xxx.xxx.xxx.xxx 8080 stdin basic
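    The following is an added example, not part of the K5 documentation or the OpenVPN project, that applies the edits of this step to a client.ovpn programmatically and then checks the result. SAMPLE_CLIENT_OVPN is constructed to resemble the directives of OpenVPN's sample client.ovpn that this step touches (it is not a copy of that file), and 203.0.113.10 and proxy.example are placeholder addresses.

```python
# Added example (not from the K5 documentation or the OpenVPN project): applies
# the step-8 edits to client.ovpn and checks the result. SAMPLE_CLIENT_OVPN is
# a constructed stand-in for the sample file; 203.0.113.10 and proxy.example
# are placeholders.

SAMPLE_CLIENT_OVPN = """\
client
dev tun
;proto tcp
proto udp
remote my-server-1 1194
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
;cipher x
comp-lzo
verb 3
"""

REQUIRED = ("proto", "remote", "ca", "cert", "key", "cipher")


def directive(line: str) -> str:
    """Directive name on an active config line; '' for blank or comment lines."""
    s = line.strip()
    if not s or s[0] in "#;":
        return ""
    return s.split()[0]


def edit_client_ovpn(text: str, server_ip: str, ca: str = "ca.crt",
                     cert: str = "client.crt", key: str = "client.key",
                     port: int = 443, proxy=None) -> str:
    """Rewrite the directives listed in step 8; proxy is (host, port) or None."""
    wanted = {
        "proto": "proto tcp",
        "remote": f"remote {server_ip} {port}",
        "ca": f"ca {ca}",
        "cert": f"cert {cert}",
        "key": f"key {key}",
        "cipher": "cipher AES-128-CBC",
    }
    if proxy is not None:
        wanted["http-proxy"] = f"http-proxy {proxy[0]} {proxy[1]} stdin basic"
    out, seen = [], set()
    for line in text.splitlines():
        name = directive(line)
        if name == "comp-lzo":
            out.append("#comp-lzo")          # step 8: comment the line out
        elif name in wanted:
            if name not in seen:             # replace the first active line ...
                out.append(wanted[name])
                seen.add(name)
            # ... and drop any further active duplicates (e.g. a second 'remote')
        else:
            out.append(line)                 # comments and other directives untouched
    for name, value in wanted.items():
        if name not in seen:                 # only commented out in the sample: append
            out.append(value)
    return "\n".join(out) + "\n"


def active_directives(text: str) -> dict:
    """Map directive name -> first active line carrying it."""
    found = {}
    for line in text.splitlines():
        name = directive(line)
        if name and name not in found:
            found[name] = line.strip()
    return found


def check_client_ovpn(text: str) -> list:
    """Problems relative to step 8; an empty list means the config matches."""
    d = active_directives(text)
    problems = [f"missing {name}" for name in REQUIRED if name not in d]
    if d.get("proto", "") != "proto tcp":
        problems.append("proto must be tcp")
    remote = d.get("remote", "").split()
    if len(remote) != 3 or remote[2] != "443":
        problems.append("remote must name the SSL-VPN address and port 443")
    if d.get("cipher", "") != "cipher AES-128-CBC":
        problems.append("cipher must be AES-128-CBC")
    if "comp-lzo" in d:
        problems.append("comp-lzo must be commented out")
    return problems


if __name__ == "__main__":
    edited = edit_client_ovpn(SAMPLE_CLIENT_OVPN, "203.0.113.10",
                              proxy=("proxy.example", 8080))
    print(edited, end="")
    print("problems:", check_client_ovpn(edited))
```

    The checker treats lines starting with ";" or "#" as comments, the same way OpenVPN does, so a "comp-lzo" that is merely commented out passes while an active one is flagged; running check_client_ovpn on the file in the config folder before starting the client catches a missed edit without a failed connection attempt.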
  9. Start the OpenVPN client.

    Right-click the OpenVPN client icon, and select "Run as administrator" to start the OpenVPN client with administrator privileges.

  10. Connect over SSL-VPN.

    Note:

    To connect to a virtual server after establishing an SSL-VPN connection, the following must be configured to allow the VPN tunnel network addresses to reach that virtual server.

    • The firewall of a virtual router for which SSL-VPN functionality has been configured
    • The security group allocated to the virtual server

    Start the client PC terminal, right-click the OpenVPN icon in the system tray, and then select [Connect].

    If the OpenVPN icon in the system tray turns green, then the SSL-VPN connection has been established.

    It is possible to connect to the virtual server by specifying its private IP address on the SSL-VPN client PC.

    * If you wish to terminate the SSL-VPN connection

    To terminate the connection, right-click the OpenVPN icon in the system tray, and select [Disconnect].

    If the OpenVPN icon turns grey, then the SSL-VPN connection has been terminated.