TP-Link Omada TP-Link Vigi
Contact Us
Log In
United States / English
Get a Demo
Search

How to establish an SSL VPN Server by Omada Router in Standalone mode?

User Application Requirement
Updated 08-23-2022 02:02:10 AM Number of views for this article36614
This Article Applies to: 

User’s Application Scenario

SSL VPN can set the permissions that each user can access to resources and improve the management of the entire network. According to the following network topology, create three accounts with different permissions on the SSL VPN server to meet different requirements.

Account 1: VPN Client implements proxy Internet access through VPN Server;

Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30;

Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.

Configuration

Step 1. Create the VPN IP Pool.

When the VPN client is applying to connect, the VPN server will assign a virtual IP address, which is from the VPN IP Pool. Go to Preferences --> VPN IP Pool, Click Add.

On the popup page, here we name the IP Pool Name as SSL_VPN, configure Starting IP Address as 10.10.10.10, Ending IP Address as 10.10.10.100, then click OK to save the settings. You may set the values according to your network.

Step 2. Enable SSL VPN Server.

Go to SSL VPN -->SSL VPN Server, check Enable. On the popup page, choose Service port as WAN/LAN4, choose Virtual IP Pool as SSL_VPN that created on step 1. Set the Primary DNS as 8.8.8.8 (you can set it according to your demands), then click Save to save the settings.

Step 3. Create Tunnel Resources.

Go to SSL VPN -->Resource Management-->Tunnel Resources, click Add to create two tunnel resources. On the popup page, AllowVLAN20 uses IP addresses to limit resources; AllowICMP uses ICMP Protocol to limit resources.

Step 4. Create Resource Group.

Go to SSL VPN -->Resource Management-->Resource Group, click Add to apply the two tunnel resources created in step 3 to two different resource groups.

Note: There are two default resource groups Group_LAN and Group_ALL. Group_LAN refers to all devices behind the Server, and Group_ALL also includes resources for accessing the Internet.

Step 5. Create User Group.

Go to SSL VPN -->User Management-->User Group, click Add to create three user groups. Apply different resource groups to the three user groups according to the different permissions of the three accounts. Please note that if you want to implement the proxy Internet access of the client, please select Group_ALL for the resource group.

Step 6. Create User.

Go to SSL VPN -->User Management-->User, click Add to create three user accounts. Each account corresponds to a different user group and you can set the Username and Password according to your demands.

Here, we created the following three account information based on the resource permissions of the above three accounts:

Step 7. Export Certificate.

Go to SSL VPN -->SSL VPN Server, click Export Certificate to export the configuration file, and the client can connect to the server using this configuration file.

Verification process

Use the OpenVPN GUI on the client to import the configuration file, enter the corresponding username and password to connect.

Account 1: VPN Client implements proxy Internet access through VPN Server;

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.11. When the client accesses 8.8.8.8, the first hop is the VPN Tunnel. Because the data is encrypted, the corresponding IP address cannot be resolved. The second hop is the default gateway of the VPN Server, and all data of the client goes through the VPN Tunnel to realize proxy Internet access.

Go to SSL VPN -->Status, information about the Client connection will also be displayed here.

Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.12. The VPN client can ping the device in VLAN 20 (192.168.20.100), but cannot ping the device in VLAN 30 (192.168.30.100). At the same time, the management interface of the router can be accessed through 192.168.20.1.

Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.13. The VPN client can ping the device in VLAN 20 (192.168.20.100) and the device in VLAN 30 (192.168.30.100). But the management interface of the router cannot be accessed through 192.168.20.1.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Related FAQs

Is this faq useful?

Your feedback helps improve this site.

Recommend Products

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

We have updated our Policies. Read Privacy Policy and Terms of Use here.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .

We have updated our Policies. Read Privacy Policy and Terms of Use here.
This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy .

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_base, tp_privacy_marketing, tp_smb-select-product_scence, tp_smb-select-product_scenceSimple, tp_smb-select-product_userChoice, tp_smb-select-product_userChoiceSimple, tp_smb-select-product_userInfo, tp_smb-select-product_userInfoSimple, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Zendesk

OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au