How to establish an SSL VPN Server with an Omada Router in Controller mode? (Controller V5.4 or above)
ER8411 , Omada Software Controller( V5 ) , Omada Cloud-Based Controller
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device and check either the Datasheet or the firmware section for the latest improvements added to your product.
User’s Application Scenario
SSL VPN lets you define which resources each user is allowed to reach, which improves management of the entire network. Following the network topology below, create three accounts with different permissions on the SSL VPN server to meet three different requirements.
Account 1: VPN Client implements proxy Internet access through VPN Server;
Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30;
Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.
Configuration
Step 1. Enable SSL VPN Server.
Go to Settings -->VPN-->SSL VPN, enable SSL VPN Server. On this page, choose WAN as WAN/LAN4, fill in the range of Virtual IP Pool as 10.10.10.10-10.10.10.100. Set the Primary DNS as 8.8.8.8 (you can set it according to your demands), then click Apply to save the settings.
Step 2. Create Tunnel Resources.
Go to Settings -->VPN-->SSL VPN -->Resource Management, click Create New Tunnel Resource to create two tunnel resources.
On the popup page, AllowVLAN20 uses IP addresses to limit resources; AllowICMP uses ICMP Protocol to limit resources.
Step 3. Create Resource Group.
Go to Settings -->VPN-->SSL VPN -->Resource Management, click Create New Resource Group to apply the two tunnel resources created in step 2 to two different resource groups.
Note: There are two default resource groups Group_LAN and Group_ALL. Group_LAN refers to all devices behind the Server, and Group_ALL also includes resources for accessing the Internet.
Step 4. Create User Group.
Go to Settings -->VPN-->SSL VPN -->User Group and click “+”. On this page, create a user group whose resource group is Group_ALL. Note that Group_ALL must be selected as the resource group if the client is to use the VPN Server as its proxy for Internet access.
Step 5. Create User.
When the user group has been saved, the User List appears on this page. Click Create New User to create a user account that belongs to the AllowALL user group; set the Username and Password as required.
Step 6. Create the other users.
Repeat steps 4 and 5 to create AllowVLAN20 and AllowICMP user groups, and bind corresponding user accounts to these two user groups respectively.
After the setting is complete, the created user information will be displayed on the User List page.
Step 7. Export Certificate.
Go to SSL VPN -->SSL VPN Server, click Export Certificate to export the configuration file, and the client can connect to the server using this configuration file.
Verification process
Use the OpenVPN GUI on the client to import the configuration file, enter the corresponding username and password to connect.
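Before importing the exported profile on a client, it is worth checking what it actually instructs OpenVPN to do: which server address and port it connects to, whether it will prompt for the username and password created in step 5, and whether it carries the CA certificate and pins the server's certificate role. The following parser and checker is an added example, not TP-Link's or Omada's code; the sample profile embedded in it is constructed for illustration and is not a real Omada export, so the exact directives in a genuine export may differ.

```python
"""Parse an OpenVPN client profile (.ovpn) and report the settings that matter
before importing it.  Added example, not TP-Link/Omada code; SAMPLE_OVPN is a
constructed profile, not an actual Omada export."""

import re

# Constructed sample profile (placeholder server address and certificate body).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
auth-user-pass
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Inline blocks such as <ca>...</ca>, <cert>...</cert>, <tls-auth>...</tls-auth>.
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z\-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Return (directives, inline_blocks).

    directives   : list of (name, [args]) in file order, comments stripped
    inline_blocks: dict tag -> body text for the <tag>...</tag> sections
    """
    inline = {m.group("tag"): m.group("body") for m in INLINE_BLOCK.finditer(text)}
    stripped = INLINE_BLOCK.sub("", text)
    directives = []
    for line in stripped.splitlines():
        # OpenVPN treats '#' and ';' as comment introducers.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def profile_summary(text):
    """Extract the connection-relevant facts from a profile."""
    directives, inline = parse_ovpn(text)
    by_name = {}
    for name, args in directives:
        by_name.setdefault(name, []).append(args)
    # 'remote host [port]' -- OpenVPN defaults the port to 1194 when omitted.
    remotes = [(a[0], a[1] if len(a) > 1 else "1194") for a in by_name.get("remote", [])]
    return {
        "remotes": remotes,
        "proto": by_name.get("proto", [["udp"]])[0][0],
        "prompts_for_credentials": "auth-user-pass" in by_name,
        "server_cert_pinned": ["server"] in by_name.get("remote-cert-tls", []),
        "has_ca": "ca" in inline or "ca" in by_name,
        "cipher": by_name.get("cipher", [["(default)"]])[0][0],
    }


def profile_findings(text):
    """Return a list of human-readable problems; an empty list means the
    profile has everything a username/password SSL VPN client needs."""
    s = profile_summary(text)
    findings = []
    if not s["remotes"]:
        findings.append("no remote directive: the profile cannot connect anywhere")
    if not s["has_ca"]:
        findings.append("no CA certificate: the server's identity cannot be verified")
    if not s["server_cert_pinned"]:
        findings.append("remote-cert-tls server missing: any certificate from the CA "
                        "could be presented as the server")
    if not s["prompts_for_credentials"]:
        findings.append("auth-user-pass missing: the User List accounts will not be used")
    return findings


if __name__ == "__main__":
    for key, value in profile_summary(SAMPLE_OVPN).items():
        print(f"{key:>24}: {value}")
    print("findings:", profile_findings(SAMPLE_OVPN) or "none")
```

Run it against the file the controller exported instead of `SAMPLE_OVPN` to confirm the remote address is the WAN address chosen in step 1 and that credentials are prompted; a profile that lacks the CA block or `remote-cert-tls server` should be treated as a problem with the export rather than imported as-is.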
Account 1: VPN Client implements proxy Internet access through VPN Server;
After a successful connection, the server assigns the VPN client the IP address 10.10.10.11. When the client traces the route to 8.8.8.8, the first hop is the VPN tunnel; because the traffic inside the tunnel is encrypted, no IP address can be resolved for that hop. The second hop is the default gateway of the VPN Server, which shows that all of the client's traffic passes through the VPN tunnel and that proxy Internet access is in effect.
Go to Insight -->VPN Status-->SSL VPN, information about the Client connection will also be displayed here.
Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30
After a successful connection, the server assigns the VPN client an IP address of 10.10.10.12. The VPN client can ping the device in VLAN 20 (192.168.20.100), but cannot ping the device in VLAN 30 (192.168.30.100). At the same time, the management interface of the router can be accessed through 192.168.20.1.
Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.
After a successful connection, the server assigns the VPN client an IP address of 10.10.10.13. The VPN client can ping the device in VLAN 20 (192.168.20.100) and the device in VLAN 30 (192.168.30.100). But the management interface of the router cannot be accessed through 192.168.20.1.
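The three verification results above follow directly from how the tunnel resources and resource groups were combined: an IP-limited resource admits any protocol to the listed subnet, a protocol-limited resource admits only that protocol, and Group_ALL differs from Group_LAN by also including the Internet. The model below is an added example, not Omada's code; it encodes the scenario's subnets and the three account/group bindings and computes the expected outcome of each ping and management-page check, so that observed results can be compared against it. The user names `user1` to `user3`, the resource group names `RG_VLAN20` and `RG_ICMP`, and the assumption that AllowICMP covers only the LAN subnets behind the server are placeholders and assumptions, not values from the page.

```python
"""Expected-access model for the three SSL VPN accounts configured above.
Added example, not Omada code.  Evaluation semantics (first matching resource
in the user's resource group allows the flow; otherwise denied) and the exact
scope of AllowICMP are assumptions."""

from ipaddress import ip_address, ip_network

# Tunnel resources: (allowed destination networks, allowed protocols or None = any).
RESOURCES = {
    "LAN_VLAN20":  (["192.168.20.0/24"], None),          # part of the default Group_LAN
    "LAN_VLAN30":  (["192.168.30.0/24"], None),          # part of the default Group_LAN
    "Internet":    (["0.0.0.0/0"], None),                # what Group_ALL adds on top of Group_LAN
    "AllowVLAN20": (["192.168.20.0/24"], None),          # step 2: limited by IP address
    "AllowICMP":   (["192.168.20.0/24", "192.168.30.0/24"], {"icmp"}),  # step 2: limited by protocol (LAN scope assumed)
}

# Resource groups (step 3).  Group_LAN/Group_ALL are the defaults; the other two names are placeholders.
RESOURCE_GROUPS = {
    "Group_LAN": ["LAN_VLAN20", "LAN_VLAN30"],
    "Group_ALL": ["LAN_VLAN20", "LAN_VLAN30", "Internet"],
    "RG_VLAN20": ["AllowVLAN20"],
    "RG_ICMP":   ["AllowICMP"],
}

# User groups (steps 4 and 6) and the accounts bound to them (steps 5 and 6); user names are placeholders.
USER_GROUPS = {"AllowALL": "Group_ALL", "AllowVLAN20": "RG_VLAN20", "AllowICMP": "RG_ICMP"}
USERS = {"user1": "AllowALL", "user2": "AllowVLAN20", "user3": "AllowICMP"}


def is_allowed(username, dst_ip, protocol):
    """True if the user's resource group contains a resource that admits
    traffic of `protocol` ('icmp', 'tcp', 'udp') to `dst_ip`."""
    dst = ip_address(dst_ip)
    for resource in RESOURCE_GROUPS[USER_GROUPS[USERS[username]]]:
        networks, protocols = RESOURCES[resource]
        in_scope = any(dst in ip_network(n) for n in networks)
        if in_scope and (protocols is None or protocol in protocols):
            return True
    return False


# The checks performed in the verification section: hosts in VLAN 20 and VLAN 30,
# the router's management interface on 192.168.20.1 (TCP), and Internet reachability.
CHECKS = [("192.168.20.100", "icmp"), ("192.168.30.100", "icmp"),
          ("192.168.20.1", "tcp"), ("8.8.8.8", "icmp")]


def expected_matrix():
    """{user: {'ip/proto': bool}} for every account and every check."""
    return {u: {f"{ip}/{p}": is_allowed(u, ip, p) for ip, p in CHECKS} for u in USERS}


def compare(observed):
    """Compare results gathered on real clients (same shape as expected_matrix())
    with the model; returns a list of (user, check, expected, observed) mismatches."""
    expected = expected_matrix()
    return [(u, check, expected[u].get(check), result)
            for u, results in observed.items()
            for check, result in results.items()
            if expected[u].get(check) != result]


if __name__ == "__main__":
    for user, results in expected_matrix().items():
        print(user, USERS[user], results)
```

A mismatch reported by `compare()` means either the controller configuration deviates from the intended design (for example a user bound to the wrong group, or a tunnel resource with a wider scope than planned) or the model's assumptions do not match the device's actual evaluation rules; either way it points at exactly the account and destination to look at.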
To learn more about each function and configuration, go to the Download Center and download the manual for your product.
Related FAQs
- How to configure IPSec LAN to LAN VPN for multiple subnets using the new GUI
- How to access the internet by using VPN Server as a proxy gateway
- What to do if you cannot access the remote network through Client-to-LAN/Site VPN tunnel
- How to set up PPTP & L2TP VPN Server with Omada Gateway in Controller Mode