VPN example:
Remote Access VPN, Bridge, Multihoming (gateway), MOBIKE, Mobile VPN clients (Windows 7/8/10 and Rockhopper), One-armed, Behind a NAT/NAPT and EAP (MSCHAPv2, VPN clients)/certificate (PKCS#12/X.509, Rockhopper (gateway)).


The following image shows an example network for this scenario.

Ubuntu is installed on VPN Gateway (Bridge/Remote Access Server), Internal host/Internal DNS server, Router1 (Destination NAPT or Port Forwarding) and VPN Client1.

Rockhopper VPN software is installed on VPN Gateway and VPN Client1. VPNs are connected between this gateway and VPN clients (VPN Client1 (Rockhopper) and VPN Client2 - Windows 7/8/10). VPN Gateway works as a bridge between the VPN clients and protected network (LAN, 192.168.0.0/24). The gateway is deployed as a one-armed gateway.

EAP-MSCHAPv2 is used as an authentication method for the VPN clients and RSA-Signature (certificate) is used for VPN Gateway.

Router1 is multihomed (10.0.0.1/24 and 10.0.1.1/24). It forwards IKEv2 and ESP packets destined for these addresses to VPN Gateway.

The VPN clients and VPN Gateway are located behind a NAT (NAPT). Router1 provides the NAT/NAPT (Network Address Port Translation) or port forwarding service for them. Similarly, NAT/NAPT or VPN passthrough is enabled on Router2.

MOBIKE is enabled on both Windows 7/8/10 and Rockhopper (by default).




rhpvif10 on VPN Gateway or VPN Client1: A virtual interface (a Tunnel/TAP interface) used to access the internal network. "10" is the VPN realm ID. This interface is created automatically by the Rockhopper VPN service and is configured through the Rockhopper Web console, not with system tools such as the ifconfig command.

br0 on VPN Gateway: A bridge interface linking eth0 and rhpvif10 as its ports. This interface is managed with the brctl command from the bridge-utils package. You need to link eth0 to br0 manually with brctl, while rhpvif10 is linked to br0 automatically by the Rockhopper VPN service.

eth0, eth1 and/or eth2 on each node: Real interfaces that access the physical network.


A VPN realm is a security domain whose members share the same security policy and VPN configuration. For instance, you can define VPN realm "10" for a sales team and another VPN realm "20" for a development team.


Advance preparation:


- VPN Gateway(gateway1.example.com):
# sudo brctl addbr br0
# sudo brctl addif br0 eth0
# sudo ifconfig br0 192.168.0.100 netmask 255.255.255.0

# sudo route add default gw 192.168.0.10
See also "man 8 brctl" for more details on setting up a bridge interface.
If you set up a bridge interface manually after configuring Rockhopper, restart Rockhopper like this:
# sudo /etc/init.d/rockhopper restart


- Router1(Port Forwarding):
# sudo ifconfig eth0 10.0.0.1 netmask 255.255.255.0
# sudo ifconfig eth1 10.0.1.1 netmask 255.255.255.0
# sudo ifconfig eth2 192.168.0.10 netmask 255.255.255.0

Enable IPv4 routing.
# sudo sysctl net.ipv4.ip_forward=1

Forward packets destined for 10.0.0.1:500 (Router1) to 192.168.0.100:500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500

Forward packets destined for 10.0.1.1:500 (Router1) to 192.168.0.100:500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.1.1 --dport 500 -j DNAT --to-destination 192.168.0.100:500

Forward packets destined for 10.0.0.1:4500 (Router1) to 192.168.0.100:4500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.0.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500

Forward packets destined for 10.0.1.1:4500 (Router1) to 192.168.0.100:4500 (VPN Gateway).
# sudo iptables -t nat -A PREROUTING -p udp --dst 10.0.1.1 --dport 4500 -j DNAT --to-destination 192.168.0.100:4500
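As an added example (not part of the Rockhopper documentation), the following POSIX shell script generates the four Router1 DNAT rules above from the two multihomed addresses and the two IKEv2 ports, and applies them idempotently by running iptables -C before -A so that re-running it never duplicates a rule. The addresses and ports are the ones from this page; the script name router1-dnat.sh is assumed.

```shell
#!/bin/sh
# Added example, not part of the Rockhopper documentation: generate and apply
# Router1's DNAT (port-forwarding) rules for IKEv2 (UDP 500) and NAT-T
# (UDP 4500) on a multihomed router. Addresses are the ones from this page.

ROUTER_ADDRS="10.0.0.1 10.0.1.1"   # Router1's two public addresses
VPN_GW="192.168.0.100"             # VPN Gateway (bridge br0) behind Router1
IKE_PORTS="500 4500"               # IKEv2 and NAT-T (UDP-encapsulated ESP)

# Print one iptables command per (router address, port) pair.
# $1 is the iptables action: -A (append, default), -C (check) or -D (delete).
dnat_rules() {
    action="${1:--A}"
    for addr in $ROUTER_ADDRS; do
        for port in $IKE_PORTS; do
            printf 'iptables -t nat %s PREROUTING -p udp --dst %s --dport %s -j DNAT --to-destination %s:%s\n' \
                "$action" "$addr" "$port" "$VPN_GW" "$port"
        done
    done
}

# Number of rules the lists above expand to (2 addresses x 2 ports = 4).
dnat_rule_count() {
    dnat_rules | wc -l | tr -d ' '
}

# Apply the rules idempotently: a rule is appended (-A) only when the
# check (-C) reports it absent, so re-running never duplicates rules.
# Needs root (or sudo) and a live netfilter; not exercised by the checks below.
apply_dnat_rules() {
    dnat_rules -C | while read -r check_cmd; do
        if ! sh -c "$check_cmd" >/dev/null 2>&1; then
            sh -c "$(printf '%s\n' "$check_cmd" | sed 's/ -C / -A /')"
        fi
    done
    sysctl -w net.ipv4.ip_forward=1   # routing between eth0/eth1 and eth2
}

# Usage: ./router1-dnat.sh            -> print the rules
#        sudo ./router1-dnat.sh apply -> apply them on Router1
if [ "${1:-}" = "apply" ]; then
    apply_dnat_rules
else
    dnat_rules
fi
```

Adding a third public address to ROUTER_ADDRS is all that is needed when Router1 gains another uplink; the MOBIKE "Dest NAT IPv4 Address" list on the gateway must then be extended to match.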


- Internal host/Internal DNS server:
# sudo ifconfig eth0 192.168.0.101 netmask 255.255.255.0

The above configuration will be lost when you restart the computer. For a permanent configuration, edit /etc/network/interfaces like this. This is an example for VPN Gateway (gateway1.example.com) on Ubuntu.

- /etc/network/interfaces (Ubuntu):
auto eth0
iface eth0 inet manual
up /sbin/ifconfig eth0 promisc

auto br0
iface br0 inet static
address 192.168.0.100
network 192.168.0.0
netmask 255.255.255.0
gateway 192.168.0.10
broadcast 192.168.0.255
bridge_ports eth0
bridge_stp off
bridge_maxwait 10


- PKCS#12 and PEM files:

   - VPN Gateway(Bridge): gateway1.example.com.p12 (PKCS#12)
   - CA: TestCa-cacert.pem (X.509, PEM/Base64-encoding)

   The certificate (X.509) for VPN Gateway includes a subjectAltName (host name/FQDN):
   - gateway1.example.com (Host name/FQDN)

See "Tips: Creating a Rockhopper's certificate compatible with a Windows 7/8/10 VPN client by XCA." and "Documents/Tips: Managing certificates by XCA" to create the PKCS#12 file, including a private key and a certificate(X.509) for VPN Gateway and the CA certificate(X.509), and the PEM file for the CA certificate(X.509).



Configuring VPN:


VPN Gateway(gateway1.example.com):


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: Example VPN
    Description: Config for Example VPN.
    Mode: Bridge


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > VPN Interface[Left-Tree]:
    Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter or select the following.

    Internal Address Type: Unnumbered(for bridging)
    Linked Bridge Name: br0

    - If the VPN clients communicate with hosts on other subnets such as 192.168.1.0/24, enter the following router address. VPN Gateway forwards decrypted packets destined for other subnets to this router (192.168.0.1).

    Internal Gateway's IPv4 Address (optional): 192.168.0.1


  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Network Interface[Left-Tree]:
    Click this tree node to show the Network Interface pane.

    - Uncheck Use default route and enter the following.

        Primary interface:

          - Name: Select br0 to establish VPN.

          - Dest NAT IPv4 Address (MOBIKE Responder): 10.0.0.1, 10.0.1.1

    These are the mapped (reflexive) addresses on Router1. VPN clients (MOBIKE initiators) will be notified of either address as an additional address of the VPN gateway.


  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree]:
    Click this tree node to show the Service pane.

    - Network Deployment: Select Hub(Concentrator) Node.

    - Remote Configuration(IKEv2): Select Remote Configuration Server.

    - Authentication Method for remote peers: Check EAP (Extensible Authentication Protocol) Clients. (Version 0.2.b1-021 or later)

    - EAP Server: Select EAP-MSCHAPv2.

    - Default EAP Server: Check Enable.


  8. Setup Remote Config Server.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Service[Left-Tree] > Remote Config Server[Left-Tree]:
    Click this tree node to show the Remote Config Server (IKEv2) pane.


  9. Setup Remote Config Server - Internal Address Pool.

    - Remote Config Server(IKEv2)[Pane] > Internal Address Pool[Tab]:
    Click Add Address Pool button.

    - Add a New Address Pool[Dialog]: Enter the following, then click OK button.
    Address Type: Address Range
    IPv4 Address Range: 192.168.0.20 - 192.168.0.30


  10. Setup Remote Config Server - Internal DNS.

    - Remote Config Server(IKEv2)[Pane] > Internal DNS[Tab]:
    Enter the following as an Internal DNS server's address.

    DNS Server's IPv4 Address: 192.168.0.101


  11. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > My Key Store[Left-Tree]:
    Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: RSA Signature(RSA-Sig)
    My ID Type: auto
    Imported Key Format: PKCS#12 - File
    PKCS#12 file(*.p12): gateway1.example.com.p12
    RSA Private Key's Password: himitsu


  12. Setup Peers' Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Bridge)[Left-Tree] > Peers' Key Store[Left-Tree]:
    Click this tree node to show the Peers' Key Store pane.

    - Click Add Peer's Key/Password button.

    - Add a New Peer's Key[Dialog]: Enter the following key for VPN Client1, then click the OK button.

    Peer ID Type: EAP-MSCHAPv2: User Name
    Peer ID: alice
    Pre-Shared Key(PSK)/Password: 1234567890


    Similarly, add the following key for VPN Client2:

    Peer ID Type: EAP-MSCHAPv2: User Name
    Peer ID: bob
    Pre-Shared Key(PSK)/Password: abcdefghij


  13. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]: Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.



VPN Client1:


- Version: 0.2.b1-021 or later


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Remote Client

  5. Setup Destination.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Destination[Left-Tree]: Click this tree node to show the Destination (Concentrator / Gateway) pane.

    - Enter the following.

    Destination Address: IPv4 and 10.0.0.1

  6. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]: Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: EAP-MSCHAPv2

  7. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List (CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  8. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


- Advanced Settings


  1. Open the Rockhopper Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. If the VPN Configuration tab is not shown, uncheck the Hide configuration tabs checkbox.
  4. Add a new VPN realm.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Add VPN Realm button.

    - Add a VPN Realm[Dialog]: Enter the following, then click OK button.

    Realm ID: 10
    Realm Name: "Example VPN"
    Description: "Config for Example VPN."
    Mode: Remote Client


    - Check Advanced Settings. (Version: 0.2.b1-021 or later)


  5. Setup VPN Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > VPN Interface[Left-Tree]: Click this tree node to show the VPN Tunnel/TAP Interface pane.

    - Enter the following.

    Internal Address Type: Auto(IKEv2 Configuration)

  6. Setup Network Interface.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Network Interface[Left-Tree]: Click this tree node to show the Network Interface pane.

    - Check Use default route.

  7. Setup Service.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Service[Left-Tree]: Click this tree node to show the Service pane.

    - Network Deployment: Select Spoke Node/Other.

    - Remote Configuration(IKEv2): Select VPN client.

  8. Setup My Key Store.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > My Key Store[Left-Tree]: Click this tree node to show the My Key Store pane.

    - Enter the following.

    Authentication Method: EAP-MSCHAPv2

  9. Setup Peers.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Peers[Left-Tree]: Click this tree node to show the Peers pane.

    - Click Add Peer button.

    - Add a New Peer[Dialog]: Enter the following, then click OK button.

    Peer ID Type: Host Name(FQDN)
    Peer ID: gateway1.example.com

  10. Setup the Peer's information.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > Peers[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the Peer: gateway1.example.com(FQDN) pane.

    - Enter the following.

    Peer's IP Address: IPv4 and 10.0.0.1 (Router1's global address)
    This peer's Network Deployment: Hub(Concentrator) Node

  11. Setup CA Certificate/CRL.

    - VPN Configuration[Tab] > VPN Realms[Left-Tree] > 10:Example VPN(Remote Client)[Left-Tree] > CA Certificate/CRL[Left-Tree]:
    Click this tree node to show the CA Certificate/Certificate Revocation List (CRL) pane.

    - Enter the following.

    Imported Certificate/CRL Format: PEM(Base64-encoding) - File
    CA Certificates(X.509, *.pem): TestCA-cacert.pem

  12. Save this realm's configuration.

    - VPN Configuration[Tab] > Edit VPN Realm(Save, Add, etc.)[Left-Tree]:
    Click this tree node to show the Edit VPN Realm (Save, Add, Remove, or Load) pane.

    - Click Save Configuration button.


Connect VPN:


  1. Open VPN Client1's Web console at http://127.0.0.1:32501 (by default) in Firefox.
  2. Log in with the administrator's name and password (by default, admin and secret).
  3. Top[Tab] > 10:Example VPN[Left-Tree] > gateway1.example.com(FQDN)[Left-Tree]:
    Click this tree node to show the 10: gateway1.example.com(FQDN) pane.
  4. Click the Connect button to open the EAP Authentication dialog.
  5. Enter the user name (alice) and the password, then click the OK button.



VPN Client2 (Windows 7):


- Import a CA certificate into the Computer account with the Microsoft Management Console (MMC).


  1. Open the Microsoft Management Console (MMC): click the Start button, enter "mmc" into the search box, and press Enter.
  2. On the File menu, point to Add/Remove Snap-in to open the Add or Remove Snap-ins dialog.
  3. Click Certificates under Available snap-ins and click Add.
  4. Select Computer account and click Next.
  5. Select Local computer and click Finish.
  6. Click OK on the Add or Remove Snap-ins dialog to close it.
  7. Click the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder, click the Action menu, point to All Tasks, and then click Import.
  8. Click Next and follow the instructions.
    - CA certificate file to import: TestCa-cacert.pem

- Set up a VPN connection.


  1. Open Network and Sharing Center from Control Panel and select Set up a new connection or network.
  2. Click Connect to a workplace and click Next.
  3. Click Use my Internet connection (VPN).
  4. Enter gateway1.example.com into Internet address and Example VPN into Destination name, check Don't connect now; just set it up so I can connect later, and click Next.
  5. Enter "bob" into User name and "abcdefghij" into Password. Click Create and close the wizard dialog.
  6. Open Network and Sharing Center from Control Panel again and select Change adapter settings.
  7. Open the properties dialog of the Example VPN adapter and show the Security tab.
  8. Enter the following:
    - Type of VPN: IKEv2
    - Data encryption: Require encryption (disconnect if server declines)
    - Authentication: Use Extensible Authentication Protocol (EAP) and EAP-MSCHAPv2
  9. Click OK.

- Edit the hosts file if DNS service is not available for gateway1.example.com.


  1. Open C:\Windows\System32\drivers\etc\hosts with Notepad as an administrator. If you can't find these folders, see Show hidden files.
  2. Add the following line to the hosts file.

    10.0.0.1   gateway1.example.com   # (Example VPN)

  3. Save and close the file.

- Connect VPN


  1. Open Network and Sharing Center from Control Panel again and select Connect to a network.
  2. Click the Example VPN connection and click the Connect button to open the VPN dialog.
  3. Enter the user name (bob) and the password, then click the Connect button.



VPN Client2 (Windows 8):


See also Windows 8 VPN Get Connected by Microsoft.

- Import a CA certificate into the Computer account with the Microsoft Management Console (MMC).


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open the Microsoft Management Console (MMC) by clicking the Search icon and entering "mmc" into the search box.
  3. On the File menu, point to Add/Remove Snap-in to open the Add or Remove Snap-ins dialog.
  4. Click Certificates under Available snap-ins and click Add.
  5. Select Computer account and click Next.
  6. Select Local computer and click Finish.
  7. Click OK on the Add or Remove Snap-ins dialog to close it.
  8. Click the Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates folder, click the Action menu, point to All Tasks, and then click Import.
  9. Click Next and follow the instructions.
    - CA certificate file to import: TestCa-cacert.pem

- Set up a VPN connection.


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Open Control Panel by clicking the Search icon and entering "Control Panel" into the search box.
  3. Open Network and Sharing Center under Control Panel's Network and Internet, then click Set up a new connection or network.
  4. Click Connect to a workplace and click Next.
  5. Click Use my Internet connection (VPN).
  6. Enter gateway1.example.com into Internet address and Example VPN into Destination name, then click Create.
  7. Open Network and Sharing Center from Control Panel again and click Change adapter settings.
  8. Open the properties dialog of the Example VPN adapter and show the Security tab.
  9. Enter the following:
    - Type of VPN: IKEv2
    - Data encryption: Require encryption (disconnect if server declines)
    - Authentication: Use Extensible Authentication Protocol (EAP) and EAP-MSCHAPv2
  10. Click OK.

- Edit the hosts file if DNS service is not available for gateway1.example.com, as described above.



- Connect VPN


  1. Move the cursor to the right corner of your screen and open Charms.
  2. Click Settings and then click the Network icon.
  3. Under Networks, click the VPN connection Example VPN and then click Connect.
  4. Enter the user name ("bob") and the password ("abcdefghij"), then click the Connect button.


Windows 10 VPN Client:


See Connect a Windows 10 VPN client with Rockhopper - Use Extensible Authentication Protocol - EAP-MSCHAPv2 and X.509.

