GWN7000 - OpenVPN® Site-to-Site VPN Guide

  • Updated on March 25, 2024

A Virtual Private Network (VPN) is used to create an encrypted connection tunnel, enabling users to exchange data across shared or public networks while acting as clients connected to a private network. The benefit of using a VPN is to ensure the appropriate level of security for connected systems when the underlying network infrastructure alone cannot provide it. The most common types of VPNs are remote-access VPNs and site-to-site VPNs.

VPN Architecture Overview

The VPN security model provides:

  • Client authentication, to prevent any unauthorized user from accessing the VPN network.
  • Encryption, to prevent man-in-the-middle attacks and eavesdropping on the network traffic.
  • Data integrity, to maintain the consistency and trustworthiness of the messages exchanged.

The purpose of this guide is to describe the VPN client/server feature on the Grandstream GWN7000 router and use it to implement a Site-To-Site VPN connecting multiple locations.

SCENARIO OVERVIEW

Company ABC has several locations/offices connected to the Internet using Grandstream GWN7000 routers. For security reasons, the admin has decided to establish a Site-to-Site VPN tunnel between the main office in LA and one of the branch offices in NY, so that sensitive data exchanged between the two networks is forwarded through the encrypted tunnel. This also allows phone calls between the two offices to be encrypted and protected against possible rogue eavesdropping.

  • The main office has a LAN subnet with a range of: 192.168.1.0/24
  • The branch office has a LAN Subnet with a range of: 192.168.3.0/24
  • The VPN tunnel will have the following IP range: 10.1.1.0 (Start address is 10.1.1.100 and End Address is 10.1.1.200).

The figure below shows the actual diagram of the network:

Network Diagram

The design uses a client/server architecture to implement the VPN tunnel. The GWN currently supports client/server for both OpenVPN and PPTP; this guide covers the configuration needed to establish the connection using the PPTP protocol and provides some verification procedures at the end.

CONFIGURATION STEPS

In this guide, we are providing the necessary steps and configuration needed to achieve the described scenario in the first section. For more detailed descriptions for each configuration field/parameter, please refer to GWN7000 User Manual or GWN7000 VPN Guide.

Core Site Configuration

First, we start by setting up the core site, where we need to implement a PPTP server that will accept connections from the PPTP clients enabled on the remote branch offices/sites.

Creating PPTP Users

The administrator needs to create PPTP users under the User Manager menu to be authenticated by the PPTP server at the core site GWN7000.

To add/create PPTP-enabled users, follow the below steps:

  1. Go to “System Settings→User Manager”.
  2. Click on the add button. A popup window will appear.

Refer to the below figure showing an example of configuration and the below table showing all available options with their respective description.

  3. Click on the button after completing all the fields for the server certificate.

Notes:

  • Make sure to enable the PPTP client Subnet option.
  • Under the Client Subnet field, the administrator needs to enter the IP range of the branch site LAN, and the GWN7000 server will build a route to that destination, thus allowing site-to-site communication.

Creating PPTP Server

After creating a user for each site that will connect to the core site via the PPTP tunnel, the administrator needs to create and enable the PPTP server instance on the GWN7000 located at the core site.

To create a new PPTP server, follow the below steps:

  1. Go under “VPN→PPTP→Server”.
  2. Click on the add button and fill in the required information as shown in the figure below.

The table below gives the description for each option/parameter.

Field
  Description

Enable
  Click on the checkbox to enable the PPTP VPN Server.

VPN Name
  Enter a name for the PPTP Server.

PPTP Server Address
  Configure the PPTP server’s local address (ex: 10.1.1.1). Note: this is not the public IP of the GWN; it is the IP address of the interface that will be used to build the PPTP tunnel between the server and the client.

Client Start Address
  Configure the remote client IP start address.
  Notes:
    • This address should be in the same subnet as the end address and the PPTP server address.
    • This is the address that will be used on the client side when connecting to the server in order to build the PPTP tunnel.

Client End Address
  Configure the remote client IP end address.
  Notes:
    • This address should be in the same subnet as the start address and the PPTP server address.
    • This is the address that will be used on the client side when connecting to the server in order to build the PPTP tunnel.

Allow Forwarding between Site-To-Site VPNs
  This option allows forwarding between multiple site-to-site VPNs, i.e. if there are multiple PPTP users configured with client subnet enabled, this option allows one PPTP client subnet to access another PPTP client subnet through the server.
  Note: for this option to work, more than one PPTP user with client subnet enabled is required.

MPPE
  Enable/disable Microsoft Point-to-Point Encryption.

Auto Forward group traffic
  Configures whether group traffic forwarding is automatic. If enabled, users choose which groups they want to forward; if disabled, users can still do it manually via forwarding rules under firewall settings.
  Note: when disabled, the previous group settings are cleared and the administrator needs to re-configure the groups.

Network Group
  Configure the network group(s) allowed to access the VPN connection. You can choose more than one network group at the same time.

  3. Click on the save button after completing all the fields.
  4. Click on the apply button on top of the web GUI to apply the changes.

Notes:

  • Users could enable MPPE encryption for more security under both the PPTP server and the client as we will see later on.
  • Make sure to enable the option “Auto Forward Group Traffic” in order to allow the traffic coming from the PPTP tunnel into the network group(s) at the core site location.

Server status can be checked after this under “VPN→PPTP→Server” as shown in the following figure.

Branch Site Configuration

Now that the GWN7000 router at the core site is UP and running, we move on to configure a PPTP client instance under the GWN7000 router on the branch site. Please follow the below steps in order to set it up.

  1. Go to “VPN→PPTP→Client” and follow the steps below:
  2. Click on the add button; the following window will pop up.
  3. Under the Remote PPTP Server field, enter the public IP of the core site router to which the client will initiate the tunnel connection (example: 192.168.6.71).
  4. Add the list of networks that are reachable through the GWN7000 running the PPTP server. Here we set the IP range of the core site LAN (i.e. 192.168.1.0/24). This allows the GWN7000 at the branch site to build a route to the core network and enables full site-to-site communication.
  5. The final step is to enable MPPE encryption, since it is used on both client and server for more security of the data.

Once this is done, press save and apply, then check the PPTP client status to verify its connection status.

We can see as well that the PPTP client did take the IP 10.1.1.100 from the pool configured under the PPTP server.
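Before entering the addresses from the core and branch sections above into the GUI, the plan can be sanity-checked offline. The following Python script is an added example, not Grandstream's code; it assumes a /24 tunnel subnet (the guide only gives the start/end addresses) and uses the guide's own addresses as constructed input.

```python
# Added example (not Grandstream's code): sanity-check a GWN7000 PPTP
# site-to-site addressing plan before entering it in the web GUI.
import ipaddress


def check_pptp_plan(server_addr, client_start, client_end, core_lan,
                    client_subnets, prefix=24):
    """Return a list of problems found in the plan (empty list = OK).

    server_addr    PPTP Server Address, e.g. "10.1.1.1"
    client_start   Client Start Address, e.g. "10.1.1.100"
    client_end     Client End Address, e.g. "10.1.1.200"
    core_lan       core site LAN, e.g. "192.168.1.0/24"
    client_subnets {pptp_user: Client Subnet entered for that user}
    prefix         assumed tunnel subnet size (guide states none)
    """
    problems = []
    server = ipaddress.ip_address(server_addr)
    start = ipaddress.ip_address(client_start)
    end = ipaddress.ip_address(client_end)
    tunnel_net = ipaddress.ip_network(f"{server}/{prefix}", strict=False)

    # The GUI requires start, end and server address in one subnet.
    for name, addr in (("Client Start Address", start),
                       ("Client End Address", end)):
        if addr not in tunnel_net:
            problems.append(f"{name} {addr} is outside {tunnel_net}")
    if start > end:
        problems.append(f"Client Start Address {start} is after "
                        f"Client End Address {end}")
    if start <= server <= end:
        problems.append(f"PPTP server address {server} lies in the pool")

    # Routes built from Client Subnet only work if all networks are disjoint.
    nets = {"core LAN": ipaddress.ip_network(core_lan), "PPTP pool": tunnel_net}
    for user, subnet in client_subnets.items():
        nets[f"client subnet of user {user}"] = ipaddress.ip_network(subnet)
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    # Constructed input: the values used in this guide (LA core, NY branch).
    print(check_pptp_plan("10.1.1.1", "10.1.1.100", "10.1.1.200",
                          "192.168.1.0/24", {"ny": "192.168.3.0/24"}))
```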

VERIFICATION

For verification purposes, we can do the following:

  1. On the branch office site, log onto the router and check the routing table to verify that the core office LAN is listed as reachable through the PPTP tunnel.

  2. Ping from the branch site to the core site using devices connected to each LAN. Below is a screenshot showing a UCM6102 (IP=192.168.1.115) on the core site initiating successful ping requests to a GXP2140 phone (IP=192.168.3.61) on the branch site.

  3. Finally, users could successfully register phones in the branch office to the UCM located on the core site and make phone calls with phones located on the core site as well.
