How to establish an SSL VPN Server by Omada Router in Controller mode?(Controller V5.4 or Above)

User Application Requirement
Updated 08-23-2022 02:51:34 AM FAQ view icon44416
This Article Applies to: 

User’s Application Scenario

SSL VPN can set the permissions that each user can access to resources and improve the management of the entire network. According to the following network topology, create three accounts with different permissions on the SSL VPN server to meet different requirements.

Account 1: VPN Client implements proxy Internet access through VPN Server;

Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30;

Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.

Configuration

Step 1. Enable SSL VPN Server.

Go to Settings -->VPN-->SSL VPN, enable SSL VPN Server. On this page, choose WAN as WAN/LAN4, fill in the range of Virtual IP Pool as 10.10.10.10-10.10.10.100. Set the Primary DNS as 8.8.8.8 (you can set it according to your demands), then click Apply to save the settings.

Step 2. Create Tunnel Resources.

Go to Settings -->VPN-->SSL VPN -->Resource Management, click Create New Tunnel Resource to create two tunnel resources.

On the popup page, AllowVLAN20 uses IP addresses to limit resources; AllowICMP uses ICMP Protocol to limit resources.

Step 3. Create Resource Group.

Go to Settings -->VPN-->SSL VPN -->Resource Management, click Create New Resource Group to apply the two tunnel resources created in step 2 to two different resource groups.

Note: There are two default resource groups Group_LAN and Group_ALL. Group_LAN refers to all devices behind the Server, and Group_ALL also includes resources for accessing the Internet.

Step 4. Create User Group.

Go to Settings -->VPN-->SSL VPN -->User Group, click “+”. On the page, create a user group whose resource group belongs to Group_ALL. Please note that if you want to implement the proxy Internet access of the client, please select Group_ALL for the resource group.

Step 5. Create User.

When the setting is completed, the User List will appear in this page. Click Add Create New User to create user account that corresponds to the AllowALL user group. You can set the Username and Password according to your demands.

Step 6. Create other User.

Repeat steps 4 and 5 to create AllowVLAN20 and AllowICMP user groups, and bind corresponding user accounts to these two user groups respectively.

After the setting is complete, the created user information will be displayed on the User List page.

Step 7. Export Certificate.

Go to SSL VPN -->SSL VPN Server, click Export Certificate to export the configuration file, and the client can connect to the server using this configuration file.

Verification process

Use the OpenVPN GUI on the client to import the configuration file, enter the corresponding username and password to connect.

Account 1: VPN Client implements proxy Internet access through VPN Server;

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.11. When the client accesses 8.8.8.8, the first hop is the VPN Tunnel. Because the data is encrypted, the corresponding IP address cannot be resolved. The second hop is the default gateway of the VPN Server, and all data of the client goes through the VPN Tunnel to realize proxy Internet access.

Go to Insight -->VPN Status-->SSL VPN, information about the Client connection will also be displayed here.

Account 2: VPN Client can only access VLAN 20, but cannot access VLAN 30

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.12. The VPN client can ping the device in VLAN 20 (192.168.20.100), but cannot ping the device in VLAN 30 (192.168.30.100). At the same time, the management interface of the router can be accessed through 192.168.20.1.

Account 3: The VPN Client and the devices behind the Server can only interact through the ICMP protocol.

After a successful connection, the server assigns the VPN client an IP address of 10.10.10.13. The VPN client can ping the device in VLAN 20 (192.168.20.100) and the device in VLAN 30 (192.168.30.100). But the management interface of the router cannot be accessed through 192.168.20.1.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Related FAQs

Is this faq useful?

Your feedback helps improve this site.

Recommend Products

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

icon

Accessibility Adjustments

icon RESET

Choose the right accessibility profile for you

OFF

Seizure Safe

Eliminates flashes and reduces color

OFF

Cognitive Disability

Assists with reading and focusing

OFF

Vision Impaired

Enhances the website's visuals

OFF

ADHD Friendly

More focus and fewer distractions

Content Adjustments

Adjust Scale

icon
100%
icon

Highlight Title

icon

Highlight Link

icon

Text Magnifier

icon

Readable Font

icon

Align Center

icon

Align Left

icon

Align Right

icon

Color Adjustment

Low Saturate

icon

High Saturate

icon

Dark Contrast

icon

Light Contrast

icon

Set Text Colors

Monochrome

icon

Set Title Colors

High Contrast

icon

Set BackgroundColor

Orientation Adjustments

Muted

icon

Hide Images

icon

Stop Animation

icon

Reading Mask

icon

Highlight Hover

icon

Big Black Cursor

mutedicon

Big White Cursor

icon

Hide Video/Audio

icon

Stop Video

icon

Stop Audio

icon

Hide Animation

icon

Reading Guide

icon

Useful Links

Chat Now