
AvediaStream TVgateways

Connecting AvediaStream g4415-vx TVgateways
to a Verimatrix Server

Configuration Guide
Version 1.5

This document details how to set up a secure VPN link between an AvediaStream g4415-vx TVgateway and
the Verimatrix VCAS VECMG server. It contains the following sections:
• OpenVPN Installation
• OpenVPN Key and Certificate Generation
• Set Key Generation Environment
• Build Your Own Root Certificate Authority (CA) Certificate/Key
• Build Diffie-Hellman Parameters
• Build and Sign a Certificate Signing Request Using a Locally Installed Root Certificate/Key
• Install OpenVPN Certificates and Keys on the TVgateway
• Set VCAS Parameters on TVGateway
OpenVPN Installation
1 Install OpenVPN on the server hosting the Verimatrix VCAS ECMG.
2 Also install Easy-RSA if it was not included with the OpenVPN package.
3 Open UDP port 1194 on the firewall for OpenVPN traffic.
4 The OpenVPN server on the VCAS ECMG host should use a configuration file based on
this example. (The "/usr/share/openvpn/easy-rsa" and "/usr/share/easy-rsa" directories
mentioned in this guide hold the Easy-RSA scripts, not this configuration file.)
# Which local IP address should OpenVPN
# listen on? (optional)
# local a.b.c.d

# Port (must match the UDP port opened on the firewall)
port 1194

# Protocol TCP|UDP
proto udp

dev tun

# This won't play nicely with Windows clients, but is necessary for the P-t-P
# endpoint lookup done by the TVgateways. (Deprecated in newer OpenVPN
# releases, where "topology p2p" is the equivalent setting.)
ifconfig-pool-linear

# Certificates and keys generated with Easy-RSA (see the next section).
# Relative names are resolved from OpenVPN's working directory.
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem

# Configure server mode and supply a VPN subnet
server 192.168.222.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.
#push "route 192.168.2.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients: the file name in ccd/ must be the
# client certificate's Common Name, e.g. ccd/gw-1234AB
client-config-dir ccd

#push "dhcp-option DNS 8.8.8.8"

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Compression; must match the setting in the TVgateway's client config.
comp-lzo

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

For reference, the g4415-vx uses this OpenVPN config file:

# OpenVPN configfile

# Client mode
client

# Interface
dev tun-vmx
nobind

# Server - this gets set from the TVgateway config
;remote verimatrix-vcas 1194
proto udp
resolv-retry 15

# Compression (must match comp-lzo on the server)
comp-lzo

# Try to preserve some state across restarts.
persist-key
persist-tun

# Certificates (pasted in through the TVgateway web interface, see below)
ca /var/lib/verimatrix.d/ca.crt
cert /var/lib/verimatrix.d/gw.crt
key /var/lib/verimatrix.d/gw.key

# Security section
auth-nocache
# Only accept a server certificate that carries the server extensions
# (serverAuth EKU / nsCertType=server), i.e. one made with build-key-server.
remote-cert-tls server
script-security 2
# Older form of the same check; deprecated in newer OpenVPN releases.
ns-cert-type server

# Set log file verbosity, this may be overridden by a hidden TVgateway
# config option
verb 4

OpenVPN Key and Certificate Generation
Note: This document contains verbatim extracts from the Easy-RSA guide on the
OpenVPN website:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

On Verimatrix VCAS Server

1 Locate the easy-rsa directory, typically /usr/share/openvpn/easy-rsa or
/usr/share/easy-rsa.

Set Key Generation Environment

2 Edit the vars script. (You may wish to make a copy first.)
3 Set KEY_CONFIG to point to the openssl.cnf file included in the OpenVPN/Easy-RSA
distribution.
4 Set KEY_DIR to point to a directory which will contain all keys, certificates, etc.
Note: This directory need not exist, and if it does, it will be deleted with rm -rf by
./clean-all (step 7), so caution is required when setting KEY_DIR.
5 (Optional) Edit other fields in vars per your site data. KEY_SIZE must be compatible
across both peers participating in a secure SSL/TLS connection; set it to 2048 so that
./build-dh produces the dh2048.pem file named in the server configuration above.
6 "Source" the vars script (note the space after the '.'):
. vars
7 Enter ./clean-all

Build Your Own Root Certificate Authority (CA) Certificate/Key

This is stored locally on the VCAS server.
1 Enter ./build-ca
2 ca.crt and ca.key will be built in your KEY_DIR directory. ca.key signs every server
and gateway certificate; keep it on the VCAS server. Only ca.crt is ever copied to a
TVgateway.

Build Diffie-Hellman Parameters

This is required for the server end of a SSL/TLS connection.
1 Enter ./build-dh
This writes dh<KEY_SIZE>.pem (dh2048.pem with KEY_SIZE=2048) into KEY_DIR and can take
several minutes.

Build and Sign a Certificate Signing Request Using a Locally Installed Root
Certificate/Key
These scripts generate a private key and a CA-signed certificate in one step. The name you
pass becomes both the file name and the certificate's Common Name. Because the key is
generated on the VCAS server, you must ensure that the generated certificate and private
key files are copied to the destination host over a secure channel.
This needs to be done once for the VCAS server:
1 Enter ./build-key-server server
This produces server.crt and server.key, matching the names in the server configuration
above, with the server extensions (nsCertType=server, extendedKeyUsage=serverAuth) that
the TVgateway's remote-cert-tls server and ns-cert-type server directives require. A
certificate made with plain ./build-key lacks them, and the gateway's OpenVPN client will
reject it during the TLS handshake.

And once per TVgateway using this VCAS server:
1 Enter ./build-key gw-xxx
2 Enter ./build-key gw-xxy
3 Enter ./build-key gw-xyz
where "xxx" etc. are unique identifiers such as the last 3 octets of the gateway MAC
address, e.g. 1234AB

The CA certificate (ca.crt), server key (server.key), server certificate (server.crt) and
Diffie-Hellman parameters (dh2048.pem) must be placed in the location referenced by your
OpenVPN server configuration file; relative names such as ca.crt are resolved from
OpenVPN's working directory. The CA key (ca.key) stays in KEY_DIR and is not needed by the
running server.

Install OpenVPN Certificates and Keys on the TVgateway

To install ca.crt, gw-1234AB.crt and gw-1234AB.key onto the TVgateway, use the web
interface to paste the file contents on the Verimatrix page:
• "VCAS tunnel CA certificate" — use contents of ca.crt
• "VCAS tunnel local certificate" — use contents of gw-1234AB.crt
• "VCAS tunnel local key" — use contents of gw-1234AB.key
Each TVgateway gets its own certificate and key; never install one gateway's gw-*.key on
another. Do this over a trusted management network, since anyone who captures the pasted
key can clone the TVgateway's VPN identity. Only ca.crt goes onto the gateway; ca.key
stays on the VCAS server.

Set VCAS Parameters on TVgateway

On the TVgateway Verimatrix page, set:
• The Verimatrix VCAS server IP address (the OpenVPN tunnel is established to this
address; it takes the place of the commented-out remote line in the client config above)
• The Verimatrix VCAS server ECMG TCP port number
• The VECMG channel number in use (part of the VCAS configuration, see VCAS
Administrative Interface -> Streams)