! NOTE(review): lines from here to the first "!" repeat stanzas (firewall, crypto pki
! trustpoint/enroll, radius-server local) that also appear in full further down. They
! read like excerpts pasted ahead of the complete configuration rather than extra
! configuration; confirm before loading this file as-is.
firewall
rule 10 permit any from private to private
rule 20 permit any from private to public
rule 30 permit any from public.wan.ppp0 to public.wan
rule 40 permit openvpn from public.wan to public.wan.ppp0
protect
crypto pki trustpoint local
crypto pki enroll local
! Local RADIUS server used by the OpenVPN authentication below. The NAS entry is the
! router itself (127.0.0.1); the key here must match the key on the
! "radius-server host localhost" line. "awplus-local-radius-server" is the example
! value used throughout this listing - use a unique secret in a real deployment.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
! Group "route" pushes two Framed-Route attributes to authenticated clients:
! the LAN subnets 192.168.10.0/24 and 192.168.30.0/24 reachable via the tunnel
! address 192.168.20.1 (the same routes the DHCP option 121 below encodes in hex).
group route
attribute Framed-Route "192.168.10.0/24 192.168.20.1"
attribute Framed-Route "192.168.30.0/24 192.168.20.1"
! User passwords are stored in clear text in this listing (sample values).
user user01 password passwd01 group route
user user02 password passwd02 group route
user user03 password passwd03 group route
! NOTE(review): this second copy of the stanza defines the same three users without
! "group route". If both copies were applied in order, the later lines would presumably
! redefine the users without the group (and therefore without the pushed routes) -
! confirm which variant is intended.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
user user01 password passwd01
user user02 password passwd02
user user03 password passwd03
!
! OpenVPN server interface, tap (layer 2) variant: clients are bridged into
! 192.168.20.0/24 and get their addresses from DHCP pool "pool10" below.
! (A tun variant of the same interface appears near the end of the listing.)
interface tunnel0
ip address 192.168.20.1/24
tunnel mode openvpn tap
! Clamp TCP MSS on the tunnel so client TCP sessions fit inside the encapsulated MTU.
ip tcp adjust-mss 1260
!
! Define DHCP option 121 (classless static routes) as a raw hex option.
ip dhcp option 121 name Classless-Static-Route hex
!
ip dhcp pool pool10
network 192.168.20.0 255.255.255.0
! Addresses .2-.10 are handed out to tap clients; the tun variant's ip-pool starts at .11.
range 192.168.20.2 192.168.20.10
! Hex decodes to two classless routes, matching the Framed-Route attributes above:
!   18 c0a80a c0a81401 -> 192.168.10.0/24 via 192.168.20.1
!   18 c0a81e c0a81401 -> 192.168.30.0/24 via 192.168.20.1
option Classless-Static-Route 18c0a80ac0a8140118c0a81ec0a81401
! presumably days hours minutes, i.e. a 2-hour lease - verify against the CLI reference
lease 0 2 0
subnet-mask 255.255.255.0
!
service dhcp-server
!
! Dynamic DNS so that clients can reach the router's changing ppp0 address by name.
ddns enable
!
ddns-update-method dyn_update
! The <USERNAME>/<PASSWORD>/<HOST-NAME> tokens are presumably substituted from the
! username, password and host-name lines below at update time (confirm against the
! DDNS provider's API). The credentials travel in the URL query string; HTTPS protects
! them on the wire, but query strings are commonly kept in provider/proxy access logs,
! so treat this DDNS account as a low-privilege, easily rotated credential.
update-url https://example.com?user=<USERNAME>&pwd=<PASSWORD>&host=<HOST-NAME>
! Must match the subject-alt-name configured on the "local" trustpoint below.
host-name test.example.com
username ddns_user
password ddns_pass
! presumably seconds (1 hour) - confirm
update-interval 3600
!
! WAN uplink: eth2 carries PPP session 0, which appears as interface ppp0.
interface eth2
encapsulation ppp 0
!
interface ppp0
! Trigger the DDNS update whenever this interface's negotiated address changes.
ip ddns-update-method dyn_update
! Ask the ISP for DNS servers during IPCP negotiation.
ppp ipcp dns request
keepalive
ip address negotiated
! ISP login; stored in clear text in this listing (sample values).
ppp username user@isp
ppp password isppasswd
! Clamp MSS from path-MTU discovery on the PPP link.
ip tcp adjust-mss pmtu
!
! Two LAN segments behind the router.
interface eth0
ip address 192.168.10.1/24
interface eth1
ip address 192.168.30.1/24
!
! Firewall entities. Zone "private" includes the tunnel subnet 192.168.20.0/24, so
! authenticated OpenVPN clients are treated like the LANs by the firewall rules.
zone private
network lan
ip subnet 192.168.10.0/24
ip subnet 192.168.20.0/24
ip subnet 192.168.30.0/24
!
! Zone "public": everything reachable through ppp0. The host entity public.wan.ppp0
! is the router's own (dynamic) WAN address, which the firewall rules use to limit
! inbound OpenVPN to the router itself rather than to the whole WAN network.
zone public
network wan
ip subnet 0.0.0.0/0 interface ppp0
host ppp0
ip address dynamic interface ppp0
!
! Firewall policy. Rules are evaluated by number; there is no rule permitting public -> private,
! so unsolicited traffic from the internet to the LANs is presumably dropped by the
! default policy once "protect" is on (confirm against the firewall default action).
firewall
rule 10 permit any from private to private
rule 20 permit any from private to public
! Router-originated traffic out of ppp0 (DDNS/HTTPS updates, DNS, RADIUS to localhost is not affected).
rule 30 permit any from public.wan.ppp0 to public.wan
! Only the OpenVPN application, and only to the router's own WAN address, is exposed inbound.
rule 40 permit openvpn from public.wan to public.wan.ppp0
protect
!
! Source NAT (masquerade) for all private -> public traffic, including VPN clients
! whose traffic leaves via ppp0.
nat
rule 10 masq any from private to public
enable
!
! Server certificate for OpenVPN from the router's own "local" trustpoint. The SAN
! equals the DDNS host-name so clients that connect by name can validate the server
! certificate against it (whether they do depends on the client configuration).
crypto pki trustpoint local
subject-alt-name test.example.com
subject-name /O=AlliedTelesis/CN=test.example.com
!
! Point RADIUS authentication at the on-box server; this key must equal the
! "nas 127.0.0.1 key ..." value in the radius-server local stanza.
radius-server host localhost key awplus-local-radius-server
!
! OpenVPN logins: RADIUS password check, then a second factor from "service 2fa".
aaa authentication openvpn default group radius 2fa
!
crypto pki trustpoint local
crypto pki enroll local
! On-box RADIUS server with the router itself as the only NAS. The shared key
! "awplus-local-radius-server" is the listing's example value; use a unique secret.
radius-server local
server enable
nas 127.0.0.1 key awplus-local-radius-server
! Group "route" pushes the two LAN subnets to clients via the tunnel address 192.168.20.1.
group route
attribute Framed-Route "192.168.10.0/24 192.168.20.1"
attribute Framed-Route "192.168.30.0/24 192.168.20.1"
! Clear-text sample passwords; rotate/replace before use.
user user01 password passwd01 group route
user user02 password passwd02 group route
user user03 password passwd03 group route
!
! Second factor for OpenVPN. TOTP with clock-skew adjustment and a window of 5 steps
! (a wider window trades tolerance for a longer window in which a captured code is
! reusable), plus one-time codes delivered by e-mail through the mail settings below.
service 2fa
2fa skew-adjust
2fa totp-window-size 5
2fa email-otp
!
! SMTP relay for the e-mail OTP (198.51.100.1 is a documentation address - replace).
! "authentication plain" sends the mailbox credential as plain SMTP AUTH; nothing in
! this listing shows TLS on the relay connection, so confirm the transport is
! encrypted or that the relay is on a trusted network.
mail smtpserver 198.51.100.1
mail smtpserver authentication plain username reporter password s3|=123+
mail from reporter@example.com
!
! OpenVPN server interface, tun (layer 3) variant: client addresses come from the
! ip-pool (.11-.20, disjoint from the DHCP range .2-.10 used by the tap variant).
! NOTE(review): this stanza re-declares tunnel0 with "tunnel mode openvpn tun" after
! the earlier "tunnel mode openvpn tap" on the same interface; the two look like
! alternative examples (tap + DHCP vs tun + ip-pool), not settings meant to coexist -
! confirm which one is intended before applying.
interface tunnel0
tunnel openvpn ip-pool range 192.168.20.11 192.168.20.20 mask 255.255.255.0
tunnel mode openvpn tun
ip address 192.168.20.1/24
ip tcp adjust-mss pmtu
!
! Default route out of the PPP WAN link.
ip route 0.0.0.0/0 ppp0
!
end