User Documentation

Version 1.2 / August 2020 Page 52 / 102
Layer
The OpenVPN interface may operate on two different layers:
Ethernet Layer (Layer 2), i.e. it will be bridged with >LAN (interface)<
IP Layer (Layer 3) with its own IP address, which must be configured on the IP configuration page.
OpenVPN device type
L3 interfaces can be run either as TUN or TAP devices. The latter is the default on this device type. TUN connections will always use the OpenVPN topology subnet. If subnets behind clients are to be reachable in TUN mode, route entries are required in the OpenVPN server configuration. These entries will be available only if the routes to the subnets are configured in the client configuration table on the server.
Note: Each VPN endpoint must use the same setting for this option.
Server address
The remote server address can either be a DNS name or an IP address.
Server Port
TCP/UDP port number, e.g. 1194. If a server instance is enabled on TCP port 443, the HTTPS web server must be disabled manually on the page Configuration -> Services -> Web server. Any access restriction configured for the web server will limit access to the OpenVPN server in this case! Each OpenVPN server instance must use a unique TCP/UDP port!
Protocol
Transport protocol of this VPN connection. UDP has slightly better performance and stability, but it cannot be handled by HTTP proxies and some 4G providers block UDP tunnels. TCP is the default on this device type.
Certificate
Select the certificate for authentication at the remote peer.
Note: New certificates can be uploaded in Configuration -> General settings -> Certificates. Please note that certificates which have extended key usage (EKU) fields can only be used as server certificate (EKU TLS Web Server Authentication) or as client certificate (EKU Web Client Authentication). Each client connected to one server and the server itself must use a certificate from the same Certification Authority (CA).
Authentication with username and password
Enable additional authentication with username and password.
Pull routes from server
The OpenVPN option “pull” will pull the routes from the server if it pushes them.
Use HTTP proxy
OpenVPN TCP clients can use an HTTP proxy for tunneling the VPN connection. To the proxy, the traffic will look like HTTPS web traffic. The system-wide HTTP proxy must be configured under Configuration -> Network -> HTTP proxy.
Log level
None: Will log no messages through the Event Log
Info: Log only some information and critical errors
Debug: Log state information too
Verbose: Log all possible messages
LZO compression
Sets the OpenVPN LZO option for all connections.
No: Is the default on this device type. Do not use compression.
Yes: Always enable LZO compression
Adaptive: Use an adaptive algorithm to dynamically detect if compression is useful or not
Note: Each OpenVPN endpoint must use the same setting for this option.
Cipher
Select the OpenVPN cipher to use. BF-CBC is the default cipher. Each OpenVPN endpoint must use the same cipher! You can use none for performance-critical layer 2 tunnels or intranets.
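
The device type, LZO compression and cipher entries above each require the same setting on both endpoints. The following added example (not part of this manual or of the product) checks a server/client pair for such mismatches and flags the BF-CBC and none ciphers. It assumes the settings are available as standard OpenVPN directives (dev, proto, comp-lzo, cipher); the sample configurations and the host name are constructed.

```python
# Added example, not vendor code. Assumes standard OpenVPN directive names.
MUST_MATCH = ("dev", "proto", "comp-lzo", "cipher")
WEAK = {"BF-CBC": "64-bit block cipher", "NONE": "tunnel is not encrypted"}

def parse(text):
    """Return the normalised first argument of each directive in MUST_MATCH."""
    opts = {"cipher": "BF-CBC"}  # the page gives BF-CBC as the default cipher
    for raw in text.splitlines():
        words = raw.split("#")[0].split(";")[0].split()  # drop comments
        if not words or words[0] not in MUST_MATCH:
            continue
        key, arg = words[0], (words[1] if len(words) > 1 else "")
        if key in ("dev", "proto"):
            arg = arg[:3].lower()              # tap0 -> tap, tcp-client -> tcp
        elif key == "comp-lzo":
            arg = (arg or "adaptive").lower()  # bare "comp-lzo" means adaptive
        else:
            arg = arg.upper()                  # normalise case for comparison
        opts[key] = arg
    return opts

def audit(server_text, client_text):
    """List settings that differ between the endpoints, plus weak ciphers."""
    srv, cli = parse(server_text), parse(client_text)
    findings = [f"mismatch {k}: server={srv.get(k)} client={cli.get(k)}"
                for k in MUST_MATCH if srv.get(k) != cli.get(k)]
    for name, opts in (("server", srv), ("client", cli)):
        if opts["cipher"] in WEAK:
            findings.append(f"weak cipher on {name}: {opts['cipher']} "
                            f"({WEAK[opts['cipher']]})")
    return findings

# Constructed sample configurations (host name is a placeholder).
SERVER_CONF = """
dev tap0
proto tcp-server
port 1194
comp-lzo no
cipher AES-256-CBC
"""
CLIENT_CONF = """
dev tap
proto tcp-client
remote vpn.example.com 1194
comp-lzo adaptive
; no cipher line, so the default applies
"""

if __name__ == "__main__":
    print("\n".join(audit(SERVER_CONF, CLIENT_CONF)))
```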