! Firewall excerpt; the same rule set appears again, in context, in the full configuration below.
firewall
! Private-to-private: every network in zone 'private' may reach every other one. Because the
! tunnel subnet 192.168.20.0/24 is part of that zone (see 'zone private' below), VPN clients get
! the same reach as the wired LANs - tighten to specific networks if that is not intended.
rule 10 permit any from private to private
! Outbound from LAN/VPN clients to the internet.
rule 20 permit any from private to public
! Traffic the router itself sources from its ppp0 address (DDNS update, PPP, etc.).
rule 30 permit any from public.wan.ppp0 to public.wan
! The only inbound permit from the internet: OpenVPN to the router's own ppp0 address.
! 'openvpn' is presumably a predefined application entry - confirm its port/protocol on the platform.
rule 40 permit openvpn from public.wan to public.wan.ppp0
! Enables enforcement of the rules above.
protect
! Certificate for the OpenVPN server comes from trustpoint 'local' (subject fields are set on the
! same trustpoint further down); 'enroll local' presumably generates a locally signed certificate - confirm.
crypto pki trustpoint local
crypto pki enroll local
! Built-in RADIUS server. The NAS entry for 127.0.0.1 and the
! 'radius-server host localhost key ...' line in the full config must carry the same key.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
! Group 'route' attaches two Framed-Route attributes (destination + gateway); presumably these are
! pushed to the connecting OpenVPN client so it routes both LANs via the tunnel address 192.168.20.1.
group route
attribute Framed-Route "192.168.10.0/24 192.168.20.1"
attribute Framed-Route "192.168.30.0/24 192.168.20.1"
! VPN user accounts. Passwords are shown in cleartext in this listing (sample values) - use
! per-user secrets and restrict who can read the saved configuration.
user userA password passwdA group route
user userB password passwdB group route
user userC password passwdC group route
user userD password passwdD group route
! Variant of the local RADIUS server without the 'route' group. In the tap-mode example below the
! client routes come from DHCP option 121 instead of Framed-Route, which is presumably why the
! group is absent here - confirm which variant pairs with which tunnel mode.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
! Same sample accounts as above; cleartext sample passwords.
user userA password passwdA
user userB password passwdB
user userC password passwdC
user userD password passwdD
!
! tap-mode (bridged) variant of the OpenVPN tunnel. A second, tun-mode variant of tunnel0 appears
! at the end of this listing; they are alternatives, not both active - confirm.
interface tunnel0
ip address 192.168.20.1/24
tunnel mode openvpn tap
! Fixed MSS clamp for the tunnel; the tun variant below uses 'pmtu' instead.
ip tcp adjust-mss 1260
!
! Declares DHCP option 121 (classless static routes) as a raw hex option.
ip dhcp option 121 name Classless-Static-Route hex
!
! DHCP pool serving tap-mode VPN clients on the tunnel subnet.
ip dhcp pool pool10
network 192.168.20.0 255.255.255.0
range 192.168.20.2 192.168.20.10
! Hex payload decodes (RFC 3442) to: 192.168.10.0/24 via 192.168.20.1 and
! 192.168.30.0/24 via 192.168.20.1 - the same routes as the Framed-Route attributes.
! (18 = /24, c0a80a = 192.168.10, c0a81e = 192.168.30, c0a81401 = 192.168.20.1)
option Classless-Static-Route 18c0a80ac0a8140118c0a81ec0a81401
! Lease 0 days 2 hours 0 minutes - presumably; confirm the field order on the platform.
lease 0 2 0
subnet-mask 255.255.255.0
!
service dhcp-server
ddns enable
!
ddns-update-method dyn_update
update-url https://example.com?user=<USERNAME>&pwd=<PASSWORD>&host=<HOST-NAME>
host-name test.example.com
username ddns_user
password ddns_pass
update-interval 3600
!
interface eth2
encapsulation ppp 0
!
interface ppp0
ip ddns-update-method dyn_update
ppp ipcp dns request
keepalive
ip address negotiated
ppp username user@isp
ppp password isppasswd
ip tcp adjust-mss pmtu
!
interface eth0
ip address 192.168.10.1/24
interface eth1
ip address 192.168.30.1/24
!
zone private
network lan
ip subnet 192.168.10.0/24
ip subnet 192.168.20.0/24
ip subnet 192.168.30.0/24
!
zone public
network wan
ip subnet 0.0.0.0/0 interface ppp0
host ppp0
ip address dynamic interface ppp0
!
! Rule 40 is the only permit from the internet and is limited to the OpenVPN application on the
! router's ppp0 address; rules 10/20 cover client traffic, rule 30 the router's own WAN traffic.
! Note rule 10 also lets VPN clients (192.168.20.0/24 is in zone private) reach both LANs.
firewall
rule 10 permit any from private to private
rule 20 permit any from private to public
rule 30 permit any from public.wan.ppp0 to public.wan
rule 40 permit openvpn from public.wan to public.wan.ppp0
protect
!
! Source NAT (masquerade) for all private-zone traffic leaving towards the internet,
! including traffic from VPN clients routed out through ppp0.
nat
rule 10 masq any from private to public
enable
!
! Identity on the server certificate; the SAN matches the DDNS host-name so clients can
! validate the server by the name they connect to.
crypto pki trustpoint local
subject-alt-name test.example.com
subject-name /O=AlliedTelesis/CN=test.example.com
!
! Points AAA at the built-in RADIUS server; the key must equal the one on the
! 'nas 127.0.0.1 key ...' line of 'radius-server local'.
radius-server host localhost key awplus-local-radius-server
!
! OpenVPN logins are checked against RADIUS and additionally require a 2FA (TOTP) code.
aaa authentication openvpn default group radius 2fa
!
! Enroll the trustpoint configured above (presumably generates the locally signed server certificate - confirm).
crypto pki trustpoint local
crypto pki enroll local
! Built-in RADIUS server; key matches 'radius-server host localhost' above.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
! Framed-Route attributes for the tun-mode variant: clients presumably receive routes to both LANs
! via the tunnel address 192.168.20.1 - confirm.
group route
attribute Framed-Route "192.168.10.0/24 192.168.20.1"
attribute Framed-Route "192.168.30.0/24 192.168.20.1"
! Sample VPN accounts; passwords are cleartext in this listing. Each user also needs a TOTP
! secret for the 2FA step - not shown here.
user userA password passwdA group route
user userB password passwdB group route
user userC password passwdC group route
user userD password passwdD group route
!
! TOTP second factor for OpenVPN logins.
service 2fa
! Presumably compensates for client clock drift - confirm semantics in the platform documentation.
2fa skew-adjust
! Window size 5: presumably the number of time steps accepted around the current one. A wider
! window accepts more codes per login attempt, so keep it as small as clock drift allows.
2fa totp-window-size 5
interface tunnel0
tunnel openvpn ip-pool range 192.168.20.11 192.168.20.20 mask 255.255.255.0
tunnel mode openvpn tun
ip address 192.168.20.1/24
ip tcp adjust-mss pmtu
!
ip route 0.0.0.0/0 ppp0
!
end