Scribd Logo
Upload

Welcome to Scribd!

  • ConnectingToVerimatrixServerVPNV PDF

    Uploaded by

    blesson123
    59 views5 pages

    Original Title

    ConnectingToVerimatrixServerVPNV.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    59 views5 pages

    ConnectingToVerimatrixServerVPNV PDF

    Uploaded by

    blesson123

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 5

    AvediaStream TVgateways

    Connecting AvediaStream g4415-vx TVgateways


    to a Verimatix Server

    Configuration Guide
    Version 1.5

    This document details how to set up a secure VPN link between an AvediaStream g4415-vx TVgateway and
    the Verimatrix VCAS VECMG server. It contains the following sections:
    • OpenVPN Installation
    • OpenVPN Key and Certificate Generation
    • Set Key Generation Environment
    • Build Your Own Root Certificate Authority (CA) Certificate/Key
    • Build Diffie-Hellman Parameters
    • Build and Sign a Certificate Signing Request Using a Locally Installed Root Certificate/Key
    • Install OpenVPN Certificates and Keys on the TVgateway
    • Set VCAS Parameters on TVGateway
    OpenVPN Installation
    1 Install OpenVPN on the Verimatrix VCAS Server hosting the VCAS.
    2 You must also install Easy-RSA if it was not included with the OpenVPN package.
    3 Open UDP port 1194 on firewall for OpenVPN traffic.
    4 The Verimatrix VCAS ECMG hosting the VPN should use a configuration file based on
    this example (typically "/usr/share/openvpn/easy-rsa" or "/usr/share/easy-rsa"):
    # Which local IP address should OpenVPN
    # listen on? (optional)
    # local a.b.c.d

    # Port
    port 1194

    # Protocol TCP|UDP
    proto udp

    dev tun

    # This won't play nicely with Windows clients, but is necessary for the P-t-P
    # endpoint lookup done by the TVgateways
    ifconfig-pool-linear

    # Certificates

    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem

    # Configure server mode and supply a VPN subnet


    server 192.168.222.0 255.255.255.0

    # Maintain a record of client <-> virtual IP address


    # associations in this file.
    ifconfig-pool-persist ipp.txt

    # Push routes to the client to allow it


    # to reach other private subnets behind
    # the server.
    #push "route 192.168.2.0 255.255.255.0"

    # To assign specific IP addresses to specific


    # clients

    client-config-dir ccd

    #push "dhcp-option DNS 8.8.8.8"

    # The keepalive directive causes ping-like


    # messages to be sent back and forth over
    # the link so that each side knows when
    # the other side has gone down.
    # Ping every 10 seconds, assume that remote
    # peer is down if no ping received during
    # a 120 second time period.

    keepalive 10 120

    comp-lzo

    # The persist options will try to avoid


    # accessing certain resources on restart

    # that may no longer be accessible because


    # of the privilege downgrade.
    persist-key
    persist-tun

    # Output a short status file showing


    # current connections, truncated

    2
    # and rewritten every minute.
    status openvpn-status.log

    # Set the appropriate level of log


    # file verbosity.
    #
    # 0 is silent, except for fatal errors
    # 4 is reasonable for general usage
    # 5 and 6 can help to debug connection problems
    # 9 is extremely verbose
    verb 6

    For reference, the g4415-vx uses this OpenVPN config file:


    # OpenVPN configfile

    # Client-modus
    client

    # Interface
    dev tun-vmx
    nobind

    # Server - this gets set from the TVgateway config


    ;remote verimatrix-vcas 1194
    proto udp
    resolv-retry 15

    # Compression
    comp-lzo

    # Try to preserve some state across restarts.


    persist-key
    persist-tun

    # Certificates
    ca /var/lib/verimatrix.d/ca.crt
    cert /var/lib/verimatrix.d/gw.crt
    key /var/lib/verimatrix.d/gw.key

    # Security section
    auth-nocache
    remote-cert-tls server
    script-security 2
    ns-cert-type server

    # Set log file verbosity, this may be overridden by a hidden TVgateway


    # config option
    verb 4

    3
    OpenVPN Key and Certificate Generation
    Note: This document contains verbatim extracts from the Easy-RSA guide on the
    OpenVPN website:
    https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rs
    a-key-management.html.

    On Verimatrix VCAS Server


    1 Locate the easy-rsa directory, typically /usr/share/openvpn/easy-rsa or
    /usr/share/easy-rsa.

    Set Key Generation Environment


    2 Edit the vars script. (You may wish to make a copy first.)
    3 Set KEY_CONFIG to point to the openssl.cnf file, included in the OpenVPN/Easy-RSA
    distribution.
    4 Set KEY_DIR to point to a directory which will contain all keys, certificates, etc.
    Note: This directory need not exist, and if it does, it will be deleted with rm -rf, so
    caution is required when setting KEY_DIR.
    5 (Optional) Edit other fields in vars per your site data. KEY_SIZE must be compatible
    across both peers participating in a secure SSL/TLS connection.
    6 "Source" the vars script (note space after the '.') . vars
    7 Enter ./clean-all

    Build Your Own Root Certificate Authority (CA) Certificate/Key


    This is stored locally on the VCAS server.
    1 Enter ./build-ca
    2 ca.crt and ca.key will be built in your KEY_DIR directory

    Build Diffie-Hellman Parameters


    This is required for the server end of a SSL/TLS connection.
    1 Enter ./build-dh

    Build and Sign a Certificate Signing Request Using a Locally Installed Root
    Certificate/Key
    This script generates and signs a certificate in one step, but you must ensure that the
    generated certificate and private key files are copied to the destination host over a secure
    channel.
    This needs to be done once for the VCAS server:
    1 Enter ./build-key server-cert

    And once per TVgateway using this VCAS server:


    1 Enter ./build-key gw-xxx
    2 Enter ./build-key gw-xxy
    3 Enter ./build-key gw-xyz
    where "xxx" etc. are unique identifiers such as the last 3 octets of the gateway MAC
    address e.g. 1234AB

    4
    The CA certificate (ca.crt), server key (server.key), server certificate (server.crt),
    Diffie-Hellman (dh2048.pem) parameters must be placed in the location specified by your
    OpenVPN configuration file.

    Install OpenVPN Certificates and Keys on the TVgateway


    To install the ca.crt, gw-1234AB.crt, gw-1234AB.key onto TVgateway, use the web
    interface to paste file contents on Verimatrix page:
    • "VCAS tunnel CA certificate" — use contents of ca.crt
    • "VCAS tunnel local certificate" — use contents of gw-1234AB.crt
    • "VCAS tunnel local key" — use contents of gw-1234AB.key
    This should be done on a secure network to prevent the TVgateway’s key files from being
    cloned.

    Set VCAS Parameters on TVGateway


    On the TVgateway Verimatrix page, set:
    • The Verimatrix VCAS server IP address (the VPN will tunnel to this)
    • The Verimatrix VCAS server ECMG TCP port number
    • The VECMG channel number in use (part of the VCAS configuration, see VCAS
    Administrative Interface -> Streams)

    You might also like