Configuration Guide
Version 1.5
This document details how to set up a secure VPN link between an AvediaStream g4415-vx TVgateway and
the Verimatrix VCAS VECMG server. It contains the following sections:
• OpenVPN Installation
• OpenVPN Key and Certificate Generation
• Set Key Generation Environment
• Build Your Own Root Certificate Authority (CA) Certificate/Key
• Build Diffie-Hellman Parameters
• Build and Sign a Certificate Signing Request Using a Locally Installed Root Certificate/Key
• Install OpenVPN Certificates and Keys on the TVgateway
• Set VCAS Parameters on TVgateway
OpenVPN Installation
1 Install OpenVPN on the Verimatrix VCAS Server hosting the VCAS.
2 You must also install Easy-RSA if it was not included with the OpenVPN package.
3 Open UDP port 1194 on the firewall for OpenVPN traffic.
4 The Verimatrix VCAS ECMG hosting the VPN should use a configuration file based on
this example (typically "/usr/share/openvpn/easy-rsa" or "/usr/share/easy-rsa"):
# Which local IP address should OpenVPN
# listen on? (optional)
# local a.b.c.d
# Port
port 1194
# Protocol TCP|UDP
proto udp
dev tun
# This won't play nicely with Windows clients, but is necessary for the P-t-P
# endpoint lookup done by the TVgateways
ifconfig-pool-linear
# Certificates
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-config-dir ccd
keepalive 10 120
comp-lzo
# and rewritten every minute.
status openvpn-status.log
# Client mode
client
# Interface
dev tun-vmx
nobind
# Compression
comp-lzo
# Certificates
ca /var/lib/verimatrix.d/ca.crt
cert /var/lib/verimatrix.d/gw.crt
key /var/lib/verimatrix.d/gw.key
# Security section
auth-nocache
remote-cert-tls server
script-security 2
ns-cert-type server
OpenVPN Key and Certificate Generation
Note: This document contains verbatim extracts from the Easy-RSA guide on the
OpenVPN website:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html.
Build and Sign a Certificate Signing Request Using a Locally Installed Root Certificate/Key
This script generates and signs a certificate in one step, but you must ensure that the
generated certificate and private key files are copied to the destination host over a secure
channel.
This needs to be done once for the VCAS server:
1 Enter ./build-key server-cert
The CA certificate (ca.crt), server key (server.key), server certificate (server.crt) and
Diffie-Hellman parameters (dh2048.pem) must be placed in the location specified by your
OpenVPN configuration file.
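The placement requirement above can be checked before OpenVPN is started. The shell function below is an added example and is not part of the original guide: it reads the ca, cert, key and dh directives from a configuration file, confirms each named file exists, and flags a private key that is readable by group or other users. It assumes relative paths resolve against the directory holding the configuration file unless a second argument is given, and the demo files are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the guide. Usage: check_vpn_files CONFIG [BASEDIR]
# Confirms the files named by ca/cert/key/dh exist and that the private key
# has no group/other permission bits. BASEDIR is where relative paths resolve
# (assumption: defaults to the directory containing CONFIG).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_vpn_files() {
    conf=$1
    base=${2:-$(dirname "$conf")}
    rc=0
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 1; }
    # "directive path" pairs; commented-out lines do not match.
    pairs=$(awk '$1 ~ /^(ca|cert|key|dh)$/ && NF >= 2 { print $1, $2 }' "$conf")
    for want in ca cert key; do
        echo "$pairs" | grep -q "^$want " || { echo "MISSING-DIRECTIVE $want"; rc=1; }
    done
    while read -r directive path; do
        [ -n "$directive" ] || continue
        case $path in
            /*) full=$path ;;
            *)  full=$base/$path ;;
        esac
        if [ ! -f "$full" ]; then
            echo "MISSING-FILE $directive $full"; rc=1
        elif [ "$directive" = key ] &&
             [ "$(ls -ld "$full" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of the ls mode string are the group and other bits.
            echo "LOOSE-PERMS key $full"; rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

# Constructed demo: a throwaway directory with empty placeholder files.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'client' '# key old.key' 'ca ca.crt' 'cert gw.crt' 'key gw.key' > "$d/gw.conf"
    : > "$d/ca.crt"; : > "$d/gw.crt"; : > "$d/gw.key"
    chmod 644 "$d/gw.key"
    check_vpn_files "$d/gw.conf" || echo "(findings listed above)"
    chmod 600 "$d/gw.key"
    check_vpn_files "$d/gw.conf" && echo "OK after chmod 600"
    rm -rf "$d"
}

demo
```

Run it after copying the files into place, for example against the server configuration and again against the TVgateway client configuration.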