Using OpenVPN
OpenVPN provides encrypted VPN (Virtual Private Network) connectivity that allows you to securely access the MangoGT from a remote location as if it were on your local network. This is extremely useful when the MangoGT is deployed at a customer site or remote facility where direct network access is not available.
Once configured, the MangoGT automatically establishes an encrypted VPN tunnel to your OpenVPN server on each boot. You can then access the Mango web interface, SSH, and all other services through the VPN connection without needing to configure port forwarding or firewall rules on the customer's network.
Prerequisites
Before configuring OpenVPN on the MangoGT, you need:
- An OpenVPN server set up and running (on your own infrastructure or a hosted service)
- A client configuration package exported from your OpenVPN server (typically a .zip or .ovpn file containing certificates, keys, and configuration)
- SSH access to the MangoGT (see SSH Access)
In most cases, the VPN connection will tunnel through firewalls and NAT routers without issues. However, some tightly restricted customer networks may block VPN traffic. Always check with the site's IT department about their policy regarding VPN connections before deploying.
Setup Instructions
Step 1: Upload the Client Configuration
Upload the client configuration package (.zip file) to the MangoGT using SFTP. Place the file in the /etc/openvpn/ directory.
Alternatively, you can use SCP from your local machine:
scp -P 2222 client-config.zip mango@mangogtXXXX.local:/tmp/
Step 2: Extract the Configuration Files
Connect to the MangoGT via SSH and extract the configuration:
ssh mango@mangogtXXXX.local -p 2222
# Move the zip file to the OpenVPN directory if needed
sudo mv /tmp/client-config.zip /etc/openvpn/
# Extract the configuration files
cd /etc/openvpn
sudo unzip client-config.zip
The extracted files typically end up in a subdirectory (for example, /etc/openvpn/clientname/). Move all VPN configuration files to the /etc/openvpn/ directory:
sudo mv /etc/openvpn/clientname/* /etc/openvpn/
sudo rmdir /etc/openvpn/clientname
Step 3: Verify the Configuration Files
After extraction, the /etc/openvpn/ directory should contain:
| File | Purpose |
|---|---|
| *.conf or *.ovpn | Main OpenVPN client configuration file |
| ca.crt | Certificate Authority certificate |
| *.crt | Client certificate |
| *.key | Client private key |
| ta.key (optional) | TLS authentication key |
The client private key file (*.key) contains sensitive cryptographic material. Ensure file permissions are restrictive:
sudo chmod 600 /etc/openvpn/*.key
Step 4: Rename the Configuration File
OpenVPN on Debian looks for .conf files in /etc/openvpn/. If your configuration file has an .ovpn extension, rename it:
sudo mv /etc/openvpn/client.ovpn /etc/openvpn/client.conf
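The checks from Steps 2 to 4 can be scripted. The following is an added example, not part of the original MangoGT documentation: the function names and finding labels are made up for illustration, and it assumes relative paths in the configuration resolve against the directory being audited. It also flags a leftover .zip, because the uploaded archive still contains a copy of the private key.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client directory after Steps 2-4.

# Print one line per finding for directory $1.
openvpn_dir_findings() {
    dir=$1

    # Step 3: *.key files must carry no group/other permission bits.
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f") in
            ????------*) ;;
            *) echo "PERMS   $f is accessible to group/other (expected 600)" ;;
        esac
    done

    # The uploaded archive still holds a copy of the private key.
    for f in "$dir"/*.zip; do
        [ -e "$f" ] || continue
        echo "ARCHIVE $f still contains the key material"
    done

    # Step 4: the service only picks up *.conf files.
    set -- "$dir"/*.conf
    [ -e "$1" ] || echo "CONFIG  no *.conf in $dir (rename the .ovpn file)"

    # Files named by ca/cert/key/tls-auth must exist. Relative paths are
    # checked against $dir (assumption: the service runs from that directory).
    # A trailing CR (config exported with CRLF line endings) is stripped.
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        awk '$1 ~ /^(ca|cert|key|tls-auth)$/ {sub(/\r$/, "", $2); print $2}' "$conf" |
        while read -r ref; do
            case $ref in /*) path=$ref ;; *) path=$dir/$ref ;; esac
            [ -f "$path" ] || echo "MISSING $conf references $ref"
        done
    done
    return 0
}

# Print the findings; return 0 when the directory is clean, 1 otherwise.
audit_openvpn_dir() {
    report=$(openvpn_dir_findings "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Source the file in a root shell on the MangoGT and run `audit_openvpn_dir /etc/openvpn` before restarting the service in Step 5.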
Step 5: Restart the OpenVPN Service
Restart the OpenVPN service to establish the VPN connection:
sudo service openvpn restart
You can also restart the service through the Webmin interface if it is installed, under the System > Bootup/Shutdown tab.
Step 6: Verify the VPN Connection
After the service restarts, verify that the VPN tunnel has been established:
sudo ifconfig
You should see a new tun0 network adapter with the VPN IP address assigned by your OpenVPN server:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P: 10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500
The inet addr on the tun0 interface is your MangoGT's VPN IP address. You can now access the MangoGT remotely using this address.
Accessing the MangoGT Over VPN
Once the VPN is active, you can access all MangoGT services through the VPN IP address:
| Service | Access URL/Command |
|---|---|
| Mango web interface | https://10.8.0.6:8443 (use your VPN IP) |
| SSH | ssh mango@10.8.0.6 -p 2222 |
| SFTP | Connect to 10.8.0.6 port 2222 in your SFTP client |
Replace 10.8.0.6 with the actual VPN IP address shown by ifconfig.
Automatic Connection on Boot
The OpenVPN service is configured to start automatically when the MangoGT boots. As long as the configuration files are in /etc/openvpn/ and the service is enabled, the MangoGT will attempt to establish the VPN connection each time it starts up.
To verify the service is enabled for automatic startup:
sudo systemctl is-enabled openvpn
If the output is enabled, the VPN will start on boot. If not, enable it:
sudo systemctl enable openvpn
Troubleshooting
| Symptom | Possible Cause | Solution |
|---|---|---|
| No tun0 interface after restart | Configuration file error | Check /var/log/syslog for OpenVPN error messages |
| Connection times out | Firewall blocking VPN traffic | Verify that the customer network allows outbound traffic on the OpenVPN server port (typically UDP 1194) |
| Certificate errors | Expired or mismatched certificates | Re-export the client configuration from the OpenVPN server |
| VPN connects but cannot reach MangoGT | Routing issue on the VPN server | Verify the server is configured to push routes and allow client-to-client or client-to-server traffic |
To view OpenVPN logs for debugging:
sudo grep openvpn /var/log/syslog | tail -50
Security Considerations
- OpenVPN provides strong encryption (AES-256 by default) for all traffic between the MangoGT and your VPN server
- Keep client certificates and private keys secure. If a key is compromised, revoke it on the OpenVPN server and issue a new one
- Use certificate-based authentication rather than username/password for production deployments
- Regularly update the OpenVPN software on both the MangoGT and the server to address security vulnerabilities
- Consider using a dedicated VPN server rather than a shared service for industrial SCADA deployments
Related Pages
- Setting Up Remote Backups — Automate backups over the VPN connection
- SSH Access to the MangoGT — Remote command-line access through the VPN tunnel
- MangoGT FAQ — Common questions about MangoGT connectivity and operation