This article describes the settings you can use to connect your Ewon Flexy/Cosy to third party OpenVPN Servers.
The Ewon Cosy does not feature all the configuration menus you have in an Ewon Flexy but these settings can also be configured through the advanced COM parameters list.
APPLICABLE PRODUCTS
Ewon : Flexy
Ewon : Cosy
OpenVPN version compatibility
The first thing you have to check is the version of the OpenVPN Server that you use.
- The Ewon Flexy and Cosy131 use OpenVPN version 2.0.9 with firmware versions < 14.8 (TLS 1.1 max).
- The Ewon Flexy and Cosy131 use OpenVPN version 2.4.9 with firmware versions >= 14.8 (TLS 1.2 max).
- The Ewon Cosy+ uses OpenVPN version 2.4.9 (TLS 1.3 max).
Make sure you use OpenVPN parameters that are compatible with the OpenVPN version of the Ewon. Do not use settings on your OpenVPN server that were introduced in later OpenVPN versions.
Also, newer OpenVPN releases may have changed some default values so that they are no longer compatible with the Ewon version. Two settings are known to cause problems with the Cosy131 and Flexy when using firmware < 14.8, and hence OpenVPN 2.0.9:
- "Topology subnet" which is not supported by the Ewon version. Only the old "net30" setting is supported.
- "tls-version-min" must be set to 1.0.
Ewon Standard OpenVPN settings
To configure a VPN connection to a third party server, you can use the Flexy VPN configuration menu. For the Cosy, you will have to go through the Advanced
In Setup > System > Communication > VPN connection > Global, you can configure the main VPN connection settings :
In Setup > System > Communication > VPN Connection > Outgoing, you can set the server IP/URL and the client certificate/key and CA certificate.
If you select "eFive VPN Server", you can then authenticate with a username and password instead of using a client certificate and key.
As mentioned in the introduction, the Ewon Cosy does not feature these menus. The settings can however be made in the advanced parameters menu (Setup > System > Storage > tabular Edition). Another trick is to use a Flexy to set up the connection and then copy the comcfg.txt file from the Flexy to the Cosy.
Ewon Custom OpenVPN Settings
If you want to set extra OpenVPN parameters, you can do so with a .ovpn file that you copy to the usr/ directory of your Ewon via FTP. You must declare the file path in the COM parameter VPNCfgFile :
Using this parameter, you have two options. You can add some parameters to the existing Ewon config that you have set in the menus. In this case, use the "+" in front of the file path.
Example
cipher AES-256-CBC
auth MD5
comp-lzo
route-delay 4
verb 3
reneg-sec 0
Or fully configure the OpenVPN connection using the ovpn file and skip the config of the Ewon. In this case, simply set the file path to the config file without the "+".
Example
client
dev tun
proto udp
remote 192.168.120.96
port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 60
comp-lzo
verb 1
ca /ca.crt
cert /client.crt
key /client.key
#The ca.crt, client.crt and client.key must be located in the same directory
#as the ovpn file.
The only built-in menu that will remain active in the Ewon is "VPN use conditions" in "Setup > System > Communication > VPN Connection > Main Setup". This one is used to trigger the VPN connection.
(COM parameter "VPNCnxType": 0 = No VPN connection, 2 = Outgoing VPN connection)
For security reasons, not all OpenVPN parameters can be set in the ovpn file. Here is the list of the forbidden parameters : "ask-pass", "auth-user-pass-verify", "cd", "chroot", "client-config-dir", "client-connect", "client-disconnect", "down", "group", "ifconfig-noexec", "ipchange", "learn-address", "plugin", "setenv", "tls-verify", "tmp-dir", "up", "up-restart", "user".
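As an added example (not Ewon's code and not part of the original article), the Python script below checks a custom .ovpn file against the forbidden-parameter list above, and a server config against the two firmware < 14.8 limits from the compatibility section. The function names and sample configs are constructed for illustration, and exact-name matching of directives is an assumption, since the article does not say how the firmware matches them.

```python
# Added example: lint OpenVPN configs against the limits stated in this article.
FORBIDDEN = frozenset({  # parameters the article lists as forbidden in the .ovpn file
    "ask-pass", "auth-user-pass-verify", "cd", "chroot", "client-config-dir",
    "client-connect", "client-disconnect", "down", "group", "ifconfig-noexec",
    "ipchange", "learn-address", "plugin", "setenv", "tls-verify", "tmp-dir",
    "up", "up-restart", "user",
})

def directives(text):
    """Yield (line_no, name, args), skipping comments and inline <tag> blocks."""
    inline = None  # name of the inline block currently being skipped
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        parts = line.split()
        # OpenVPN accepts an optional leading "--" on directives in a config file
        name = parts[0][2:] if parts[0].startswith("--") else parts[0]
        yield no, name, parts[1:]

def check_client(text):
    """Return (line_no, directive) for each forbidden parameter in a custom .ovpn file."""
    return [(no, name) for no, name, _ in directives(text) if name in FORBIDDEN]

def check_legacy_server(text):
    """Return findings for a server config that must accept firmware < 14.8 clients."""
    out, tls_min = [], None
    for no, name, args in directives(text):
        if name == "topology" and args[:1] != ["net30"]:
            out.append((no, "topology must be net30"))
        if name == "tls-version-min":
            tls_min = args[0] if args else ""
            if tls_min != "1.0":
                out.append((no, "tls-version-min must be 1.0"))
    if tls_min is None:  # line 0 marks a finding about a missing directive
        out.append((0, "tls-version-min is not set; the article requires 1.0"))
    return out

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_CLIENT = "client\ndev tun\n# constructed sample\nuser nobody\nsetenv FOO bar\nverb 3\n"
SAMPLE_SERVER = "port 1194\ntopology subnet\ntls-version-min 1.2\n"

if __name__ == "__main__":
    for finding in check_client(SAMPLE_CLIENT) + check_legacy_server(SAMPLE_SERVER):
        print(finding)
```

Run it against the .ovpn file before copying it to the usr/ directory, so a forbidden parameter is caught before the Ewon tries to use the file.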