After upgrading the firmware in both the XOnet and XOkey, you must perform a factory reset on the XOnet. This means you will need to re-register your XOkeys with your XOnet, and set your password again.
If you have just purchased a new XOnet with the latest firmware, you do not need to perform this step (but you can if you want to).
The XOnet VPEx Gateway provides secure encrypted access to a home network and the Internet from anywhere in the world. The XOnet is designed to work with the x.o.ware XOkey USB crypto, which creates a private tunnel from any open network, back to wherever the XOnet is.
For most installations, the XOnet does not require much configuration. However, there are two ways to connect it to your network: LAN Client and Router Mode. When it is used in LAN Client mode, the XOnet is attached to a Local Area Network, and assumes there is a router that connects it to the Internet. In Router mode, the XOnet is placed between your Internet modem (cable, DSL, or Fiber) and your local network (or another router).
Follow the steps in section 2.1 for the simplest configuration:
This configuration relies on a DHCP server on the network that will assign the XOnet an Internet (IP) address. You can change the address assigned to eth1 once you have access to it, or access it via eth2, which has the default address of 192.168.59.1.
Once the XOnet has been connected to your local network and powered up for at least fifteen seconds or so, you should be able to access its User Interface (UI) from any browser at http://xonet.local. (The browser must be on a computer that is connected to the local network connection of the XOnet). Note that if you power cycle the XOnet, and it is assigned a new IP address by your router, your browser may not find it at that address. If this happens, you can either use a different browser (which has not stored the address in its cache), or find out the address your router has assigned to it, in its DHCP clients listing (more work).
When you are able to connect to the XOnet’s UI, you should see this:
The user name is always admin (case sensitive), and when it is new (or after a factory reset), the password is any four characters. So you should change it immediately. After logging in, you will get the status page:
Click on System Administrator, and then select Change Password.
Enter any four characters for the current password, as there is none. Then enter six or more
alphanumeric characters for the new password, and also in the confirm password field. If they don’t match, you will see red X’s in the password field. Once they match and are acceptable, you can click on Change Password.
If you are happy with the configuration (click on configuration to see it), you do not need to change anything. So you will probably want to register your XOkey next.
Plug your XOkey into the USB port on the front panel, using the microUSB adapter that came with the XOkey. Click on XOkey manager on the side of the UI, and you should see this:
The XOkey takes about fifteen seconds to start up, at which point the XOnet will recognize it, and ask if you want to register it:
So click yes to start that process. It will ask for the XOkey’s password – this is the owner password just for communicating with the XOkey, which you should have set the first time you connected it to a computer. Enter it, and it then click “Authenticate”, which will open a window that will ask few more simple questions:
The Connection Name is how the XOnet will recognize this XOkey. It cannot be the same as any other XOkey already registered with this XOnet. When you use the XOKey to connect to an XOnet, you will not see this name anywhere, as it is only used by the XOnet it is registered to. This name is important to whoever manages this XOnet. It must be at least four alphanumeric characters.
The Real Name is what this XOkey will remember this XOnet. Since you can register your XOkey with many XOnets, you will need a way to identify which one you want to connect to. This could be called “Home” or “Work” or “”. This name will show up in the Gateway Manager in the Nickname field for this XOnet.
Select “XOnet to XOkey” for Key Type. An XOkey can also be used for transporting keys from one XOnet to another, but that is covered in sect. 3.3.
The password can be the same as your owner XOkey password, or it can be different. If someone else is registering the XOkey on their XOnet, they might want to enter a password for it, without knowing your owner password. In most cases, it is easiest just to use the same password as the owner password for the XOkey. The password must contain only alphanumeric characters.
There is one more option when registering the XOkey. When you remotely connect to an XOnet, you can also connect to the local network (LAN) it is connected to. The LAN Access option lets you disable this feature, in case you just want to provide secure Internet access. If you do not want the user of this XOkey to get remote access to the LAN, select “No” for this field.
Once these settings are complete, click “Complete Registration”.
When the registration process is done, it will tell you to unplug the XOkey:
So unplug the XOkey and click done. You can now use this XOkey to connect back to your LAN, from anywhere else.
The XOnet (version 2.0 firmware or newer) supports Android mobile device that use the free StrongSwan VPN Client app available on the Google Play Store. While setting up this connection is not as simple as registering an XOkey, it only requires a few steps.
This StrongSwan app does not have software that can utilize x.o.ware’s Private Network
Connector (PNC), which allows the XOkey to connect to the XOnet when both devices do not have public Internet (IP) addresses (i.e., they are connected to the private side of a router). The PNC software lets the XOnet dynamically assign a port on the router, so an XOkey can connect to it. Since the StrongSwan app does not have this capability, the XOnet must either have a public IP address, or it must be connected to a router that forwards port 4500 to the XOnet. If the XOnet is not configured this way, an Android device cannot connect to it.
The first step is to generate an IKEv2 certificate for the Android device. Use the XOkey manager page to create a new key, and select XOnet to Android as the Key Type. When you click on create, it will generate a file (with extension “.p12”) for the certificate that will be downloaded to your computer (or mobile device). This file must be copied without any changes (it is a text file) to the Android device, where it can be accessed by the StrongSwan app.
After the StrongSwan app is installed on your device, open it and select “Add VPN Profile”. You will need to enter the following information:
Profile Name: this is what you will call the XOnet. You can call this “XOnet” or “Home” or anything else that lets you know what you will be connecting to.
Gateway: This is the hostname of the XOnet. Copy it exactly from the configuration page on the XOnet UI. The app will use this address to find the XOnet.
Type: Select IKEv2 Certificate. The tap “Select User certificate”, and then find the .p12 file that the XOnet generated (and you copied to the device) by selecting “INSTALL”. When it is found, select allow.
CA certificate: Select automatically Enable “Show advanced settings”, and then use 4500 for Server port.
Save the settings.
To use this connection (but not from the same LAN that the XOnet is connected to), just tap on the profile that you just created.
You should delete the .p12 file from your computer after it has been transferred to your Android device.
The XOnet can create fixed encrypted connections with other remote XOnets, where they share access to their ETH2 ports. Since each XOnet can form secure connections with several other XOnets, they form what we call the Virtual Private Exonetwork. Since every network can be configured differently, connecting XOnets can not be automated, but the simple steps are provided here.
An XOnet creates a secure relationship with another XOnet in a similar way to registering XOkeys. However, one XOnet is considered the server and the other is a client (the names have little meaning, it’s just that we preferred “server/client” to “master/slave”). For VPEx connections, the Server XOnet generates a key, and responds to requests for connections from the client XOnet.
There are two parts to creating the secure relationship; both XOnets must be configured. We’ll start with the server XOnet.
Choose one of the two XOnets that you want to connect together as the server for the pair, and go to its XOkey Manager Page in its UI, where you will create a key for the Client XOnet to connect. There are two options for transporting the key: via an XOkey or by creating a file on your computer and copying it over to the client XOnet through its UI. Using the XOkey to transport the key is more secure; however, if you use just one computer for accessing both XOnets, and then fully delete the key file from it after it has been imported by the Client XOnet, it is fairly safe from being compromised.
If you want to transport the key via an XOkey, you must plug an XOkey (for which you have the owner password) into the USB port on the front panel of the Server XOnet. After waiting about fifteen seconds for it to boot up, then click on “+Register a new XOkey”. After you enter the password, you will see the window for registering the XOkey. You will also see the same window if you use the file transfer method for registering the Client XOnet. Select XOnet to XOnet for Key Type:
The Connection Name identifies the Client XOnet, and the Real Name describes the Server XOnet. When you want to connect the Client XOnet to the server XOnet, you will select the Real Name you assigned here. The Remote XOnet Ethernet2 IP address is the address assigned to Ethernet 2 on the Client XOnet. It cannot be in the same subnet that is assigned to Ethernet 2 on the Server XOnet (the first three numbers in the IP address define the subnet). The default value for Ethernet2 is 192.168.59.1, so you should change this setting on the Network configuration page for the Client XOnet to match this address, before copying the key from the file or XOkey to the Client XOnet. The Remote XOnet Ethernet2 Net Mask is typically 255.255.255.0, and you should use this value unless you have a reason to change it.
When these settings are complete, tap on Complete Registration, and wait for the done message to pop up, and remove the XOkey (or save the file to your computer).
Now go to the XOnet 2 XOnet management page in the UI for the Client XOnet.
If you are using an XOkey to transport the key from the server XOnet, plug it into the USB port on the front panel and wait about fifteen seconds. You can then click on “+Import key transported by XOkey”, and type the owner password for that XOkey, and click on Authenticate.
The key that you just exported from the Server XOnet should be selected on the XOkey, and click on Import to complete the operation.
If you are using the file transfer method, click on “+Import Software Key”, and select the file.
Networks are connected by clicking on the “Connect” button for a specific entry in the list of XOnets. The Server XOnet cannot initiate a connection, but it must have the Client XOnet enabled on the XOkey Manager page.
In the settings option for each XOnet, you can enable Auto-Connect, so that the Client XOnet will try to re-connect any time the connection is broken. You can also change addresses here if you decide to modify the network configuration.
You can connect many XOnets to any one XOnet, but they must all have different addresses assigned to Ethernet2. If an address is duplicated, the network may not operate correctly.
SECURITY VULNERABILITY: If the Client XOnet is stolen, anyone who has it will be able to connect to your Server XOnet. Since most people want to use auto-connect, it isn’t feasible to require a password to connect a Client XOnet to the Server XOnet. If your Client XOnet is lost or stolen, immediately go to the XOkey Management Page and delete it from the list of XOkeys (see section 4.0).
The XOnet can have secure relationships with many XOkeys, as there is no hard-coded limit on the number. You can register as many as practical, and disable or delete those XOkeys at any time. The Manage XOkeys page lists all of the XOkeys that have been registered, so if you lose one, just click on “Delete” for that entry in the list of XOkeys.
This page is also used for managing Android and other XOnet client devices, and for viewing remote directories of connected XOnets.
The XOkey gives you remote access to your home network, through the XOnet. After the XOnet boots up, it creates a map of the devices that are connected to its ethernet ports, and lists those devices in the Network Directory page (under the Status page in the UI). The list will also display the manufacturer of the devices, by looking up who the MAC address was assigned to (not the user, the manufacturer). This information is passed to the XOkey when you use the Network Directory feature while connected to an XOnet.
You can also view the network directory of a connected XOnet. From a Client XOnet, you can view the network of a Server XOnet from the XOnet 2 XOnet page. From a Server XOnet, the network of a Client XOnet is viewed from the XOkey Manager page.
For most users, the XOnet will work without making any changes to its network configuration. However, some installations may require special settings, which are done in the Configuration page.
The XOnet has two Ethernet ports, eth1 and eth2, which allows it to be configured in two modes – LAN mode and Router mode. The most common configuration is LAN mode, where the XOnet is just connected to the local network, and gets a local IP address from your router. (or whatever device is the DHCP server). In this configuration, it can communicate with all of the devices on the LAN, which is how it can also provide a secure gateway to them from outside your home or office.
You can force the XOnet to use a static address that you assign, and also configure it as a DHCP server. This last option is more common in Router mode, where the XOnet is connected between the cable or DSL modem and your router, or between your local network and a private or shared network that you keep separate from everything else (when the XOnet is connected to another XOnet, every device connected to eth2 is accessible by devices connected to eth2 on the remote XOnet). To change the settings for either port, click on edit, make the changes, and then click save.
When your XOnet is used in LAN mode, you can greatly speed up the time it takes for an XOkey to connect to the XOnet if you can set port forwarding on your router. When port 4500 is forwarded to the XOnet’s local IP address, the XOkey does not need to figure out how to get through your router’s firewall to the XOnet, so it connects much quicker. Since every router is different, we cannot tell you how to change this setting, but strongly recommend that you do it if possible.
The XOnet can also perform as a basic router, between eth1 and eth2. In version 2.0 of the XOnet firmware, there are no firewall features, so this mode would typically be used for creating a second, isolated network.
The XOnet also needs to use a DNS server to look up Internet addresses for various functions (like checking the update server). You can change the DNS server that the XOnet uses in the Advanced Settings section.
Since most individuals do not have a static address assigned to their Internet connection, the XOnet must be assigned a unique host name, so it can be addressed and found by the XOkey. To insure it is unique to the outside world, we generate a host name based on a random 16-digit hex number. By default, the XOnet will also use a Dynamic DNS service (see 7.0) hosted at vpex.org, which is operated just for XOnets and XOkeys. If you use vpex.org as your DDNS server, you must use a host name that it will recognize. If you want to use a different DDNS service, you can change the host name on the Configuration page by clicking on “Change Hostname”.
If the XOnet is assigned a static address, you can set the hostname to anything that will resolve to that static address.
Keep in mind that if you change the host name, any XOkeys that are registered with the XOnet will have to be re-registered, as they will look for the original host name when you try to connect to the XOnet. If you perform a factory reset, the host name will also change.
By default, the XOnet uses a DDNS service hosted by x.o.ware at vpex.org. The first time it is powered up after getting its host name (either during manufacturing, or from a factory reset), the XOnet registers the host name with vpex.org. In the Dynamic DNS configuration page (just below Configuration on the UI), you can add a new DDNS service, but you will need to manually register for it. Once you add a new DDNS service, you can disable the vpex.org server.
There are two ways to update the software in the XOnet: the easy way, using the x.o.ware update server, or manually downloading and installing the new software file.
The UI of the XOnet always displays basic status at the top of the page, indicating whether the XOnet can access the Internet, DNS servers, and if there is an update available. A green check mark in a circle for each of those conditions indicates a true state: so if Update Available is green, just below that is a blue button that you can click to download and install the latest version from x.o.ware’s update server.
If you have downloaded the new software image to the computer that is being used to access the XOnet’s UI, you can select that file from Software Update page, and it will be installed, and the XOnet will automatically re-start. The whole process takes about a minute.
This was covered as part of the initial setup, but you can change the password at any time. It does not affect any of the XOkeys registered with it.
If you experience trouble using the XOnet, this function can help x.o.ware diagnose the problem. It generates a text file that provides status information. You can ignore this if you are not having any problems.
This erases all changes you have made to the XOnet since you received it. It also assigns it a new host name, and forces it to generate new encryption keys. When you do a factory reset, all XOkeys that were registered will no longer connect to it – they will need to be re-registered.
A Factory reset can also be performed by pushing a paper clip into the small hole on the rear panel of the XOnet, between the micro-USB power jack and eth2, for about 30 seconds. Do not, in either case, disconnect power from the unit until the log-in window is displayed in your browser.
Reboot is used when trying to diagnose problems, primarily by x.o.ware engineers. However, almost any computer product can get in a state where it’s not functioning correctly and needs to be re-started. For one of those times, this option saves you the trouble of power cycling the unit.