How to connect your Ewon to Third Party OpenVPN Servers

25 Dec 2022

This article describes the settings you can use to connect your Ewon Flexy/Cosy to third party OpenVPN Servers (for example, Anybus Defender can be set up as an OpenVPN Server).

The Ewon Cosy does not feature all the configuration menus of the Ewon Flexy, but the same settings can be configured through the advanced COM parameters list.

APPLICABLE PRODUCTS

Ewon : Flexy
Ewon : Cosy


IN THIS ARTICLE

OpenVPN version compatibility

Ewon Standard OpenVPN settings

Ewon Custom OpenVPN settings


OpenVPN version compatibility

The first thing you have to check is the version of the OpenVPN Server that you use.

  • The Ewon Flexy and Cosy131 with firmware versions < 14.8 use OpenVPN version 2.0.9 (TLS 1.1 max).
  • The Ewon Flexy and Cosy131 with firmware versions >= 14.8 use OpenVPN version 2.4.9 (TLS 1.2 max).
  • The Ewon Cosy+ uses OpenVPN version 2.4.9 (TLS 1.3 max).

Make sure you use only OpenVPN parameters that are compatible with the OpenVPN version running on the Ewon. Do not enable settings introduced in newer OpenVPN versions on your OpenVPN Server.

Also, OpenVPN has changed some default settings over time, and the new defaults are no longer compatible with the Ewon version. Two settings are known to cause problems with the Cosy131 and Flexy when using firmware < 14.8, and hence OpenVPN 2.0.9:

  • "topology subnet", which is not supported by this OpenVPN version. Only the old "net30" topology is supported.
  • "tls-version-min" must be set to 1.0.


Ewon Standard OpenVPN settings

To configure a VPN connection to a third party server, you can use the Flexy VPN configuration menu. For the Cosy, you will have to go through the Advanced  

In Setup > System > Communication > VPN connection > Global, you can configure the main VPN connection settings:


In Setup > System > Communication > VPN Connection > Outgoing, you can set the server IP/URL and the client certificate/key and CA certificate.


If you select "eFive VPN Server", you can then authenticate with a username and password instead of using a client certificate and key.


As mentioned in the introduction, the Ewon Cosy does not feature these menus. The same settings can however be entered in the advanced parameters menu (Setup > System > Storage > Tabular edition). Another trick is to use a Flexy to set up the connection and then copy the comcfg.txt file from the Flexy to the Cosy.


Ewon Custom OpenVPN Settings

If you want to set extra OpenVPN parameters, you can do so with a .ovpn file that you copy to the usr/ directory of your Ewon via FTP. You must declare the file path in the COM parameter VPNCfgFile:


Using this parameter, you have two options. The first is to add parameters to the existing Ewon configuration that you have set in the menus. In this case, put a "+" in front of the file path.

Example:

# These lines are appended to the configuration generated from the Ewon menus.
cipher AES-256-CBC
auth MD5
comp-lzo
route-delay 4
verb 3
reneg-sec 0

The second option is to fully configure the OpenVPN connection in the ovpn file and skip the Ewon configuration. In this case, simply set the file path to the config file without the "+".

Example:

client
dev tun
proto udp
remote 192.168.120.96
port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
keepalive 10 60
comp-lzo
verb 1
ca /ca.crt
cert /client.crt
key /client.key
# The ca.crt, client.crt and client.key must be located in the same directory
# as the ovpn file.

The only built-in menu that will remain active in the Ewon is "VPN use conditions" in "Setup > System > Communication > VPN Connection > Main Setup". This one is used to trigger the VPN connection.


(COM parameter "VPNCnxType": 0 = No VPN connection, 2 = Outgoing VPN connection)


For security reasons, not all OpenVPN parameters can be set in the ovpn file. Here is the list of the forbidden parameters: "ask-pass", "auth-user-pass-verify", "cd", "chroot", "client-config-dir", "client-connect", "client-disconnect", "down", "group", "ifconfig-noexec", "ipchange", "learn-address", "plugin", "setenv", "tls-verify", "tmp-dir", "up", "up-restart", "user".
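A pre-flight check that applies the constraints from this article (the version compatibility list and the forbidden parameter list) to an .ovpn file before it is uploaded to the Ewon, as an added example that is not Ewon code. The product names, the firmware tuple and the sample file are constructed inputs; the TLS-version comparison assumes "1.x" values as written on the page.

```python
# Directives the Ewon refuses inside a VPNCfgFile (list taken from this article).
FORBIDDEN = {
    "ask-pass", "auth-user-pass-verify", "cd", "chroot", "client-config-dir",
    "client-connect", "client-disconnect", "down", "group", "ifconfig-noexec",
    "ipchange", "learn-address", "plugin", "setenv", "tls-verify", "tmp-dir",
    "up", "up-restart", "user",
}

def ewon_profile(product: str, firmware: tuple) -> tuple:
    """(OpenVPN version, highest TLS version) from the compatibility list above."""
    if product == "cosy+":
        return ("2.4.9", "1.3")
    if firmware < (14, 8):            # Flexy / Cosy131 on firmware below 14.8
        return ("2.0.9", "1.1")
    return ("2.4.9", "1.2")

def parse_ovpn(text: str) -> list:
    """(directive, args) pairs; blank lines and full-line '#'/';' comments skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def check_ovpn(text: str, product: str, firmware: tuple) -> list:
    """Return human-readable problems; an empty list means the file is deployable."""
    openvpn, max_tls = ewon_profile(product, firmware)
    problems = []
    for directive, args in parse_ovpn(text):
        if directive in FORBIDDEN:
            problems.append(f"{directive}: forbidden in VPNCfgFile")
        elif openvpn == "2.0.9" and directive == "topology" and args[:1] == ["subnet"]:
            problems.append("topology subnet: unsupported by OpenVPN 2.0.9, use net30")
        elif directive == "tls-version-min" and args:
            if openvpn == "2.0.9" and args[0] != "1.0":
                problems.append("tls-version-min: must be 1.0 on OpenVPN 2.0.9")
            elif args[0] > max_tls:   # "1.x" strings compare correctly here
                problems.append(f"tls-version-min {args[0]}: device supports TLS {max_tls} max")
    return problems

# Constructed sample (not from the article): a server export a legacy Flexy rejects.
SAMPLE = """client
dev tun
topology subnet
tls-version-min 1.2
up /etc/openvpn/up.sh
# ca.crt, client.crt and client.key sit next to this file
"""
```

Running check_ovpn(SAMPLE, "flexy", (14, 7)) reports three problems, while the same file on a Cosy+ is rejected only for the "up" directive.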