Connect the VPN with the president PC who is working at home and the net gear "BR200 router"!

(*This story is fictional. It has nothing to do with real people or organizations other than NETGEAR.)

Let's enable the president who is working from home to access the internal file server!

The other day, thanks to the remote introduction of Netgear's Wi-Fi 6 access point "WAX610", the home of Gochiso Bento president Gochi, whose internet environment has improved for telecommuting. Web conferencing has become smoother, and the president is delighted, saying, "Thanks to Kentaro-kun. Thank you!"

"Also, I want to access the company's file server. You can do it!" Eh, I've never heard of such a thing, but... Taking that into account, Kentaro called his best friend, Ryosuke, who works as an SIer and is knowledgeable about IT, to ask for help.

Ryosuke said, "The company's router is a NETGEAR BR200 model, isn't it? If you look on the web, it seems to support OpenVPN, so you should be able to set up a VPN between the president's PC and the company's router. No?" he answers casually. Well, what is "VIPN"? ――From there, Kentaro was given a detailed explanation about VPNs for an hour. I see, I understand (I think). I also checked the BR200's OpenVPN settings on the Netgear site.

The president is the most active person in the company. And so on. It would be convenient to be able to access the company's file server not only when working from home, but also when using a PC on a business trip or on the go. The next day, when I proposed the use of OpenVPN to the president, he said, "That's good!"

I thought I had a rough understanding of VPN, but I wonder if the president's VPN connection really works...

This time, I'm talking about setting up a VPN that allows access to the internal network from outside the company. VPN is an abbreviation for "Virtual Private Network", and is a technology that uses encrypted communication technology to build a "virtual" dedicated network on top of an existing network.

VPN is roughly divided into "client VPN" and "base-to-base VPN". A client VPN is connected from a client terminal such as a PC or smartphone outside the company to a VPN server installed in an office, and a VPN device installed at the head office and a branch office is connected to each other, and the entire VPN connection is made at each location. It is a site-to-site VPN.

Difference between "client VPN" and "base-to-base VPN"

This case is client VPN. Using the open source software "OpenVPN", the president's client PC and the router in the Gochiso Bento office are connected via VPN. By doing so, the president's PC can be connected to the company network from home or outside. By connecting to a VPN, it is possible to access internal resources such as file servers and business application servers.

Preparation for using OpenVPN: Settings on the BR200 router side

The NETGEAR BR200 router comes standard with the OpenVPN server function, so enable it (start it up) and set it to the PC side. If you install the OpenVPN client software, you will be able to connect to the company LAN via the Internet.

1: Enable dynamic DNS and OpenVPN service on BR200 router setting page 2: Download OpenVPN configuration file for client 3: Install OpenVPN client on PC and apply 2 configuration file 4: Perform connection operation with OpenVPN client

BR200 User Manual (English version) https://www.downloads.netgear.com/files/GDC/BR200/BR200_UM_EN.pdf

According to the manual, when using OpenVPN, use a fixed IP address for the WAN port (Internet side port) of the router, or use a dynamic DNS service (DDNS, so that the dynamic IP address can be accessed with a fixed host name). service).

*Note: The above manual also explains that it is not necessary if you are managing with NETGEAR Insight, but in reality, if you do not use either one, the OpenVPN server function will not work. cannot be enabled. If you have an Internet line contract that does not have a fixed global IP address, please use the dynamic DNS service as introduced below.

Let's actually configure the BR200 router. First, open a browser on a PC connected to the router's LAN port and access "https://www.routerlogin.net". Depending on the browser, a privacy error will be displayed, but for now ignore it and allow the connection. Since the login screen opens, enter the administrator ID and password of the NETGEAR Insight account.

Once logged in, you'll see the router's home screen. The language is set to English by default, but you can change it to Japanese from the "Language" pull-down menu at the top right of the screen.

Top page of management screen of BR200 router

First, let's set up a dynamic DNS service so that we can access this router with a fixed hostname.

Click the "Advanced" tab on the management screen and click "Dynamic DNS" displayed on the left menu. After checking the "Use dynamic DNS" checkbox, select a service provider. There are three options: NETGEAR, No-IP, and DynDNS. If you already have an account for any DDNS service, select "Yes" for "Do you have a NETGEAR DDNS account?" Enter your password and click "Register".

If you don't have those accounts, you can register one free account from this screen. You can choose any service provider, but each has a different domain name. If you select "NETGEAR", you can use the host name "○○○.mynetgear.com".

Dynamic DNS configuration screen. Here, the host name is newly registered

Enter the desired host name ("gochibento.mynetgear.com" here), email address, and password to register. This mynetgear.com domain is managed by No-IP, which provides a dynamic DNS service, so you will receive a confirmation email from No-IP. Click "Confirm Account" and the registration is complete when the No-IP activation completion page is displayed.

When you click "Confirm Account" in the confirmation email from No-IP, the No-IP account registration completion screen opens.

Go back to your BR200 router's settings screen and click "Apply" on the Dynamic DNS service settings page. The dynamic DNS service is now set up.

Next, click OpenVPN on the left to go to the OpenVPN settings page. After checking the "Open VPN service" check box, click "Apply" at the bottom right of the screen to reflect the settings. This will start the OpenVPN server built into the router, allowing you to connect from the outside.

By the way, it's a good idea to make a note of what the "TUN mode service type" and "TAP mode service type" at the bottom of the screen are set to (the default is UDP and the port number is 12973). and 12974).

OpenVPN Settings Page

After clicking "Apply", download "OpenVPN configuration package download" corresponding to the OS of the client terminal to be connected. This is a Zip file that includes the OpenVPN client configuration file (client.ovpn) and client certificate (client.key). Since the connection destination information (host name, port number, etc.) is written in advance, the connection setting is completed simply by reading this into the OpenVPN client. Since the client terminal this time is a Windows PC, I clicked "For Windows" and downloaded the Zip file.

When multiple PCs connect to VPN, the same client configuration file will be used. The configuration file should be shared only by users who need it, and should not be placed on a file server that can be accessed by an unspecified number of people. You should download it again).