This page shows the list of the Endian UTM Appliance's connections as OpenVPN client, i.e., all tunnelled connections to remote OpenVPN servers. For every connection, the list reports the status, the name, any additional option, a remark, and the actions available:

- the status icon: the server is active or stopped;
- the edit icon: modify the server's configuration;
- the delete icon: remove the configuration and the server.

The status is closed when the connection is disabled, established when the connection is enabled, and connecting while the connection is being established. Besides enabling and disabling a connection, the available actions are to edit or delete it.

There are two groups of settings for each tunnel configuration: the basic settings include the options that are mandatory for the tunnel to be established, while the advanced settings are optional and normally should be changed only if the OpenVPN server has a non-standard setup. To access the advanced settings, click on the button next to the Advanced tunnel configuration label.

The basic settings are:

Connection name
    A label to identify the connection.

Connect to
    The remote OpenVPN server's FQDN, port, and protocol in the form myvpn.example.com:port:protocol. The port and protocol are optional and are left at their default values, 1194 and udp respectively, when not specified.
    The protocol must be specified in lowercase letters.

Upload certificate
    The server certificate needed for the tunnel connection. The local filesystem can be browsed to search for the file, or the path and filename can be entered. If the server is configured to use PSK authentication (username/password), the server's host certificate (i.e., the one downloaded from the Download CA certificate link in the server's Menubar ‣ VPN ‣ OpenVPN server section) must be uploaded to the Endian UTM Appliance. Otherwise, to use certificate-based authentication, the server's PKCS#12 file (i.e., the one downloaded from the Export CA as PKCS#12 file link in the server's Menubar ‣ VPN ‣ OpenVPN server ‣ Advanced section) must be uploaded.

PKCS#12 challenge password
    Insert here the challenge password, if one was supplied to the CA before or during the creation of the certificate. This is only needed when uploading a PKCS#12 certificate.

Username, Password
    If the server is configured to use PSK authentication (username/password) or certificate plus password authentication, provide here the username and password of the account on the OpenVPN server.

Remark
    A comment on the connection.

In the Advanced tunnel configuration box, which appears when clicking on the button in the previous box, additional options can be modified, though the values in this box should be changed only if the server side has not been configured with standard values.
Fallback VPN servers
    One or more fallback OpenVPN servers (one per line), in the same format used for the primary server, i.e., myvpn.example.com:port:protocol. The port and protocol values default to 1194 and udp respectively when omitted. If the connection to the main server fails, one of these fallback servers will take over.

    Hint: the protocol must be written in lowercase letters.
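The Connect to and Fallback VPN servers fields (and, later on this page, the custom OpenVPN server address of a Plug & Connect gateway) all use the same host:port:protocol notation. The following validator is an added example written for this page, not code from the Endian UTM Appliance; it applies the rules stated above (port defaults to 1194, protocol to udp, the protocol must be lowercase, and a protocol cannot be given without a port) and assumes that a host is a dotted IPv4 address or an RFC 1123 host name.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

DEFAULT_PORT = 1194         # used when no port is given
DEFAULT_PROTOCOL = "udp"    # used when no protocol is given
PROTOCOLS = ("udp", "tcp")  # accepted only in lowercase

# Assumption: a host is a dotted IPv4 address or an RFC 1123 host name
# (labels of letters, digits and hyphens, 1-63 characters, joined by dots).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


@dataclass(frozen=True)
class ServerAddress:
    host: str
    port: int = DEFAULT_PORT
    protocol: str = DEFAULT_PROTOCOL

    def __str__(self) -> str:
        # Normalised form with the defaults filled in.
        return f"{self.host}:{self.port}:{self.protocol}"


def parse_server_address(value: str) -> ServerAddress:
    """Parse 'host', 'host:port' or 'host:port:protocol'; raise ValueError otherwise."""
    parts = value.strip().split(":")
    if len(parts) > 3:
        # Colons are the separators, so bracketed IPv6 literals cannot be expressed here.
        raise ValueError(f"{value!r}: expected host[:port[:protocol]]")
    host = parts[0]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not host or len(host) > 253 or not _FQDN_RE.match(host):
            raise ValueError(f"{value!r}: {host!r} is neither an IPv4 address nor an FQDN")
    port = DEFAULT_PORT
    if len(parts) >= 2:
        # 'host::udp' fails here: a protocol without a port is not allowed.
        if not re.fullmatch(r"[0-9]{1,5}", parts[1]) or not 1 <= int(parts[1]) <= 65535:
            raise ValueError(f"{value!r}: port must be a number between 1 and 65535")
        port = int(parts[1])
    protocol = DEFAULT_PROTOCOL
    if len(parts) == 3:
        # Exact match on purpose: 'UDP' or 'Tcp' is rejected rather than silently lowercased.
        if parts[2] not in PROTOCOLS:
            raise ValueError(f"{value!r}: protocol must be 'udp' or 'tcp', in lowercase")
        protocol = parts[2]
    return ServerAddress(host, port, protocol)


def is_valid_server_address(value: str) -> bool:
    """True when parse_server_address() accepts the value."""
    try:
        parse_server_address(value)
    except ValueError:
        return False
    return True


def parse_fallback_servers(text: str) -> List[ServerAddress]:
    """Parse the Fallback VPN servers text area: one server per line, blank lines ignored."""
    return [parse_server_address(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    # Constructed sample input, not taken from a real appliance.
    for candidate in ("myvpn.example.com", "vpn.example.com:1197:udp", "10.0.0.1:443:tcp",
                      "vpn.example.com:1194:UDP", "vpn.example.com::udp"):
        try:
            print(f"{candidate:28} -> {parse_server_address(candidate)}")
        except ValueError as err:
            print(f"{candidate:28} -> rejected: {err}")
```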
Device type
    The device used by the server, which is either TAP or TUN.

Connection type
    This drop-down menu is not available if TUN has been selected as Device type, because in this case the connection type is always routed. Available options are routed (i.e., the client acts as a gateway to the remote LAN) or bridged (i.e., the client firewall appears as part of the remote LAN). Default is routed.

Bridge to
    This field is only available if TAP has been selected as Device type and the connection type is bridged. From this drop-down menu, select the zone to which this client connection should be bridged.

NAT
    This option is only available if the Connection type is routed. Tick this checkbox to hide the clients connected through this Endian UTM Appliance behind the firewall's VPN IP address. This configuration will prevent incoming connection requests to the clients; in other words, incoming connections will not see the clients in the local network.

Block DHCP responses coming from tunnel
    Tick this checkbox to avoid receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with a local DHCP server.

Use LZO compression
    Compress the traffic passing through the tunnel; enabled by default.

Protocol
    The protocol used by the server: UDP (default) or TCP. Set to TCP only if an HTTP proxy should be used: in this case, a form will show up to configure it.

If the Endian UTM Appliance can access the Internet only through an upstream HTTP proxy, it can still be used as an OpenVPN client in a Gateway-to-Gateway setup, but the TCP protocol for OpenVPN must be selected on both sides.
Moreover, the account information for the HTTP upstream proxy must be provided in the text fields:

HTTP proxy
    The HTTP proxy host, e.g., proxy.example.com:port, with the port defaulting to 8080 if not entered.

Proxy username, Proxy password
    The proxy account information: the username and the password.

Forge proxy user-agent
    A forged string can be used in some cases to disguise the Endian UTM Appliance as a regular web browser, i.e., to contact the proxy as a browser. This may prove useful if the proxy accepts connections only from some types of browsers.

Once the connection has been configured, a new box called TLS authentication will appear at the bottom of the page, from which to upload a TLS key file to be used for the connection. These options are available:

TLS key file
    The key file to upload, searchable on the local workstation.

MD5
    The MD5 checksum of the uploaded file, which will appear as soon as the file has been stored on the Endian UTM Appliance.

Direction
    This value is set to 0 on servers and to 1 on clients.

Note: the Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Access Server, therefore the URL entered here has the form:

Username, Password
    The username and password on the Access Server.

Verify SSL certificate
    If this checkbox is ticked and the server is running on an SSL-encrypted connection, the SSL certificate will be checked for validity. Should the certificate not be valid, the connection will be immediately closed. This feature might be disabled when using a self-signed certificate.

Remark
    A comment to recall the purpose of the connection.
When configured as an OpenVPN server, the Endian UTM Appliance can accept remote connections from the uplink and allow a VPN client to be set up and interact with the local resources as if it were a local workstation or server.

The OpenVPN server on the Endian UTM Appliance allows the simultaneous presence of several server instances. Each instance listens on a different port, and accepts incoming connections to that port only. Moreover, when the hardware on which the Endian UTM Appliance is installed has multiple CPU cores, every instance may be assigned more than one core, thus increasing the throughput and data processing of that instance. It is nevertheless also possible to have multiple instances of OpenVPN running on a device equipped with a single-core CPU, though this possibly results in reduced performance, since the CPU carries the load of all instances.

The OpenVPN server settings page is composed of three tabs: Server configuration, EasyVPN and VPN client download.

This page shows a switch called Enable OpenVPN server, which, once clicked, will start the OpenVPN server and all services related to it (like, e.g., the if enabled). Below, there are two boxes: OpenVPN settings, which allows to set up some global settings shared by all the instances, and OpenVPN Instances, which contains the list of the OpenVPN server instances defined on the Endian UTM Appliance. At the bottom of the page, the Add new OpenVPN server instance link allows to define a new server instance and is followed by the list of the OpenVPN server instances defined.

The box on the top shows the current OpenVPN settings, which concern the authentication method, and are:

Authentication type
    There are three available authentication methods to connect clients to the OpenVPN server running on the Endian UTM Appliance:

    - PSK (username and password). The connection is established after providing the correct username and password.
    - X.509 certificate. Only a valid certificate is needed to connect.
    - X.509 certificate & PSK (two factor). Both a valid certificate and a username/password combination are needed.

    Warning: when employing certificate-only authentication, a client with a valid certificate will be granted access to the OpenVPN server even if it has no valid account!

    The Endian UTM Appliance's default method is PSK (username/password): the client authenticates using username and password. To use this method, no additional change is needed, while the other two methods are described below.
Certificate configuration
    This drop-down menu is used to select the method of creation of a new certificate. The available options are:

    Use selected certificate. Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

    Hint: the name of the selected certificate appears right above the hyperlink.

    Use an existing certificate. A new drop-down menu on the right-hand side allows to select a certificate that has already been created and stored on the Endian UTM Appliance.

    Generate a new certificate. Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open where to specify all options necessary to create a new certificate. These are the same found in the editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.

    Upload a certificate. By clicking on the Browse button that appears underneath the drop-down menu it is possible to select an existing certificate from the workstation and upload it. The password for the certificate, if needed, can be provided in the text field on the right-hand side.

    Upload a certificate signing request. The Browse button that appears underneath the drop-down menu can be clicked to select an existing certificate signing request from the workstation and upload it. The validity of the certificate in days can be provided in the text field on the right-hand side.

    Note: it is currently not possible to generate a Let's Encrypt CA from here.

On the right of the Certificate configuration drop-down menu, the name of the currently used certificate is shown, above the icon and the View details link. The latter will show all information about the certificate when clicked. Below the Certificate configuration drop-down menu, there is the icon, with the name of the Certificate Authority and the Download certificate link to download the certificate needed for the client connections.

In the Advanced options panel, a few options are available to customise the OpenVPN server.

Delay triggers
    A tick on the checkbox will delay the triggers launched whenever a client connects to or disconnects from the OpenVPN server. Since triggers are mostly a reload of routing and firewall rules, this option proves useful when many clients connect or disconnect at the same time.

Log verbosity
    This option allows to increase or decrease the amount of messages written in the log file. The default value is 1, which means that only the most relevant messages are written to the log file, and it can be increased up to 5.
Note: if the OpenVPN server is not bridged (i.e., it is routed), the clients will receive their IP addresses from a dedicated subnet. In this case, appropriate firewall rules in the should be created, to make sure the clients can access any zone, or some server/resource (e.g., a source code repository) therein. If the OpenVPN server is bridged, it inherits the firewall settings of the zone it is defined in.

Bridged to
    The zone to which the OpenVPN server should be bridged. The drop-down menu shows only the available zones.

VPN subnet
    This option is only available if bridged mode is disabled. It allows the OpenVPN server to run in its own, dedicated subnet, which can be specified in the text box and should be different from the subnets of the other zones.

Dynamic IP pool start address
    The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Dynamic IP pool end address
    The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Routed and bridged OpenVPN server, static and dynamic IP addresses.

When configuring a pool of IP addresses to be reserved for clients connecting via OpenVPN, it is necessary to keep in mind a few guidelines that help both prevent future malfunctioning and make the design and set-up cleaner and easier.

Before starting the configuration of the server, there is a golden rule to remember, concerning the implementation of the VPN multicore architecture: regardless of the bridged or routed mode used for a multicore VPN server instance, the reservation of static IP addresses is neglected. In other words, a client connecting to this VPN server will receive a dynamic IP address, even though in her configuration there is a static IP assignment.

The first choice is to define whether the OpenVPN server should act in routed or bridged mode. In the former case, it is necessary to define a suitable VPN subnet that will provide the IP addresses for the clients. The traffic directed to this subnet has to be filtered, if necessary, using the . In the latter case, the OpenVPN server is configured to consider the clients, upon connecting, as if they were physically connected to that zone, i.e., the server bridges the client to one of the zones. In this case, a pool of IP addresses must be defined within that zone using the two options that appear right before this box. This pool must be entirely contained in the zone's subnet and smaller than it. It is also important to make sure that this pool does not conflict with other pools defined in that zone, like, e.g., the one of a DHCP server.

In a bridged OpenVPN server it is possible to assign a static IP address to some (or even to all) users.
When planning this possibility, it is good practice that these static IP addresses do not belong to any of the IP pools defined in that zone, to prevent address conflicts and wrong routing. Traffic to this particular client can then be filtered using the VPN (or IPsec) user as source or destination of the traffic in the Firewall rules.
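The guidelines above can be checked mechanically before an instance is saved. The following Python checker is an added example, not Endian code; it takes the bridged zone's subnet, the Dynamic IP pool start/end addresses, any other pools already defined in that zone (such as the DHCP server's), the static VPN addresses assigned to users and the instance's Number of processes, and reports every violation it finds: a pool outside or as large as the zone, an overlap with another pool, a static address inside any pool, and static assignments on a multi-process instance, which the server ignores. For a routed instance it checks that the VPN subnet does not overlap any zone. The sample subnets are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[str, str]  # (first address, last address), both inclusive


def _as_range(start: str, end: str):
    """Turn two address strings into an ordered (start, end) pair of ip_address objects."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version or s > e:
        raise ValueError(f"bad address range {start}-{end}")
    return s, e


def _overlaps(a, b) -> bool:
    """Two inclusive ranges overlap when each one starts no later than the other ends."""
    return a[0].version == b[0].version and a[0] <= b[1] and b[0] <= a[1]


def check_bridged_pool(zone_subnet: str, pool: IPRange, other_pools: Iterable[IPRange] = (),
                       static_ips: Iterable[str] = (), processes: int = 1) -> List[str]:
    """Return the guideline violations for the dynamic IP pool of a bridged instance.

    zone_subnet: the zone the instance is bridged to, e.g. '192.168.10.0/24'
    pool:        Dynamic IP pool start/end address
    other_pools: other pools already defined in that zone, e.g. the DHCP server's
    static_ips:  static VPN addresses assigned to individual users
    processes:   Number of processes configured for the instance
    """
    problems: List[str] = []
    zone = ipaddress.ip_network(zone_subnet, strict=True)
    vpn = _as_range(*pool)
    others = [_as_range(*p) for p in other_pools]
    statics = [ipaddress.ip_address(ip) for ip in static_ips]

    # The pool must lie entirely inside the zone's subnet and be smaller than the zone.
    if vpn[0] not in zone or vpn[1] not in zone:
        problems.append(f"pool {pool[0]}-{pool[1]} is not contained in zone {zone}")
    elif int(vpn[1]) - int(vpn[0]) + 1 >= zone.num_addresses - 2:
        problems.append(f"pool {pool[0]}-{pool[1]} leaves no addresses for the zone's own hosts")

    # It must not conflict with any other pool defined in the zone (e.g. DHCP).
    for rng in others:
        if _overlaps(vpn, rng):
            problems.append(f"pool {pool[0]}-{pool[1]} overlaps pool {rng[0]}-{rng[1]}")

    # Static addresses should belong to no pool at all, the VPN pool included.
    for addr in statics:
        for rng in [vpn] + others:
            if addr.version == rng[0].version and rng[0] <= addr <= rng[1]:
                problems.append(f"static address {addr} lies inside pool {rng[0]}-{rng[1]}")

    # A multi-process instance ignores static reservations: clients get dynamic addresses.
    if processes > 1 and statics:
        problems.append(f"{len(statics)} static assignment(s) are ignored by a "
                        f"{processes}-process instance")
    return problems


def check_routed_subnet(vpn_subnet: str, zone_subnets: Iterable[str]) -> List[str]:
    """For a routed instance, the VPN subnet must not overlap any zone's subnet."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    zones = [ipaddress.ip_network(s, strict=True) for s in zone_subnets]
    return [f"VPN subnet {vpn} overlaps zone subnet {z}"
            for z in zones if vpn.version == z.version and vpn.overlaps(z)]


if __name__ == "__main__":
    # Constructed example: GREEN is 192.168.10.0/24 with a DHCP pool .100-.199.
    green, dhcp = "192.168.10.0/24", ("192.168.10.100", "192.168.10.199")
    print(check_bridged_pool(green, ("192.168.10.200", "192.168.10.220"), [dhcp], ["192.168.10.50"]))
    print(check_bridged_pool(green, ("192.168.10.150", "192.168.10.210"), [dhcp], ["192.168.10.205"]))
    print(check_routed_subnet("10.8.0.0/24", [green, "10.8.0.0/22"]))
```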
In the Advanced options box, additional options can be configured.

Number of processes
    The drop-down menu allows to choose how many CPUs of the Endian UTM Appliance can be used by the instance, hence the options in the drop-down menu may vary.

Allow multiple connections from one account
    Normally, one client is allowed to connect from one location at a time. Selecting this option permits multiple client logins, even from different locations. However, when the same client is connected twice or more, the VPN firewall rules do not apply anymore.
Block DHCP responses coming from tunnel
    Tick this checkbox when receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with the local DHCP server.

Client to client connections
    Select from the drop-down menu the modalities of the communications between clients of the OpenVPN server. This option is only available on single-process servers, i.e., on servers running only one instance of the OpenVPN server.

    - Not allowed: the clients can not communicate with each other.
    - Allow direct connections: the clients can communicate directly with each other, but filtering is not possible.
    - Filter connections in the VPN firewall: the clients can communicate with each other, but their traffic is redirected to the VPN Firewall and can be filtered using suitable rules there.

    Note: in case of Appliances having multi-core CPUs, no selection is possible and the option Filter connections in the VPN firewall is automatically activated.

Renegotiation data channel key interval
    This option allows to modify the time interval after which the data channel key will be renegotiated. The value is measured in seconds, with the default value set to 3600 seconds.

Push these nameservers
    By ticking this checkbox, the nameservers specified in the text field below are sent to the clients upon connection.

Nameservers
    The nameservers specified in this text field are sent to the connected clients, when the previous checkbox has been ticked.

Push these networks
    By ticking this checkbox, the routes to the networks defined in the text field below are sent to the connected clients.

Networks
    The networks specified in this text field are sent to the connected clients, when the previous checkbox has been ticked.

Push this domain
    By ticking this checkbox, the search domain defined in the text field on the right-hand side is added to those of the connected clients.

    Note: the options Push these nameservers and Push domain only work for clients running the Microsoft Windows operating system.

Domain
    The domain that will be used to identify the servers and network resources in the VPN network (i.e., the search domain).

Authentication type
    The authentication type for this instance of OpenVPN. By default it will inherit the global configuration. However, this can be overridden by manually specifying one of the available options here. They are: PSK (username/password), X.509 certificate and X.509 certificate & PSK (two factor). They are the same as in the global option.

Cipher
    This drop-down menu allows to choose the cipher that is used by the OpenVPN server. The default value is Auto, which means that the cipher is automatically negotiated.

Message digest algorithm
    This drop-down menu allows to choose the message digest algorithm that is used by the OpenVPN server. The default value is Auto, which means that the algorithm is automatically negotiated.

Disable channel encryption
    When this option is ticked, the whole VPN traffic through this instance will NOT be encrypted, i.e., it will be in plaintext. Moreover, the previous two options will disappear.

    Warning: it is strongly suggested not to disable encryption on the OpenVPN server, as the whole traffic will not be encrypted and could be read if the communication is intercepted.

The first time the service is started, a new, self-signed CA certificate for this OpenVPN server is generated, an operation that may take a long time. After the certificate has been generated, it can be downloaded by clicking on the Download CA certificate link. This certificate must be used by all the clients that want to connect to this OpenVPN server, otherwise they will not be able to access it.

After the server has been set up, it is possible to create and configure accounts for clients that can connect to the Endian UTM Appliance in the Authentication tab.

Enabled
    Tick this checkbox to make sure the OpenVPN server is started.
Troubleshooting VPN connections.

While several problems with VPN connections can be easily spotted by looking at the configuration, one subtle source of connection hiccups is a wrong value of the MTU size. The Endian UTM Appliance sets a limit of 1450 bytes to the size of the VPN's MTU, to prevent problems with the common MTU value used by the ISP, which is 1500. However, some ISPs may use an MTU value lower than the commonly used one, making the Endian MTU value too large and therefore causing connection issues (the most visible one is probably the impossibility to download large files). This value can be modified by accessing the Endian UTM Appliance from the CLI and following these guidelines:

- Write down the MTU size used by the ISP (see link below).
- Log in to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.
- Edit the OpenVPN template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.
- Search for the string mssfix 1450.
- Replace 1450 with a lower value, for example 1200.
- Restart OpenVPN by calling: jobcontrol restart openvpnjob.

New in version 5.1.

The page contains a switch that needs to be clicked to enable the Plug & Connect procedure, which allows the management of remote Endian devices from the current Endian UTM Appliance. If the procedure has never been carried out, the page contains a table with three links above it. The table contains the list of remote devices, with the following information:

- The device name, which must be unique.
- The IP address of the remote device, assigned by the OpenVPN server.
- The description of the device.
- The available actions.

The three links above the table, Plug & Connect (Autoregistration), Add gateway, and Advanced settings, allow to start the Plug & Connect procedure, to manually add a new device, and to define some options, respectively.

Plug & Connect versus Add gateway

Both the autoregistration (Plug & Connect) and the manual registration (Add gateway) methods are intended to allow clients to remotely connect through the Endian UTM Appliance to gateways and endpoints by means of virtual IPs. The two procedures are however intended as alternatives to each other and have different pros and cons.

Plug & Connect allows to deploy a device in a remote location and build an immediate VPN connection to the Endian UTM Appliance, register it to the Endian Network, and add endpoints that are located behind the remote appliance, which in fact acts as a gateway. Its strong point is that it is quick and requires only a few pieces of information (activation code and passwords) and an Internet connection to have a working remote gateway. It does not allow a thorough configuration of the gateway's local network and other options.

Manual registration, on the contrary, gives more control over the configuration of the remote gateway, allowing to fully configure the company data and networking. It is however slower and may require knowing in advance the network topology of the gateways and endpoints.

The Plug & Connect procedure allows to register a remote Endian appliance that can be managed by the current Endian UTM Appliance. When clicking on Plug & Connect Step (Autoregistration), the three-step procedure starts. In the first step, only one option is available.

Activation Code
    Enter the activation code of the remote appliance to register to the Endian UTM Appliance, then click on Next to proceed.

In the next step, the following options are available:

Device name
    The name given to the device, which must be unique.

Description
    An optional description of the gateway.
Admin (Web user) password
    The password of the admin user on the remote device.

In this tab it is possible to modify some of the properties of the remote gateway.

Name
    The name assigned to the new gateway, which must be unique.

Description
    A description for the device.

Password, Confirm password
    The password to access the gateway. Tick the checkbox on the right-hand side of the text box to show the password in clear text.

Maximum number of endpoints
    The first information to be supplied is an approximate estimate of the endpoints that will be governed by the gateway.

Endpoints
    A table showing all the endpoints controlled by the gateway, along with the following information:

    - The name of the endpoint.
    - The endpoint's IP address.
    - A description of the endpoint.

    Each field in each table row can be edited by double-clicking on it. The management of the endpoints can be done using the buttons at the bottom of the table:

    Add row
        This option allows a new endpoint to be added to the gateway. Its configuration can be carried out by double-clicking on the fields of the new row.

    Delete row
        By clicking on this button, the highlighted endpoint is removed from the gateway. This button is active only when one row is selected.

Note: depending on the model chosen, some of the options available will be filled in with suitable values.

Root password
    Choose the password for the root user, used for SSH (console) access.

Admin password
    Choose the password for the admin user, used for HTTPS (browser) access.

Host name
    The hostname of the gateway.

Domain name
    The gateway's domain name.

Company
    The company to which the gateway belongs.

E-mail
    The reference e-mail for the gateway, usually the one of the person responsible for that gateway.

Timezone
    The timezone in which the gateway is located.

Country
    The country where the gateway is located.

Red type
    The type of the RED interface, i.e., how the gateway connects to the Internet. Four types are available: DHCP, Static, No uplink, and 3G.

Red device
    The interface that connects the gateway to the Internet. The available options in this drop-down menu are determined by the Model chosen above. This option does not appear when the Red type is set to No uplink.

The following options are displayed according to the selected type of red device. By choosing DHCP, none of them will appear.

Red IPs/CIDRs
    The IP address of the RED interface. This option appears only when the RED type is Static.

Red gateway IP
    The IP address of the gateway for the RED interface. This option and the next one are needed to access the Internet and appear only when the RED type is Static or No uplink.

DNS Servers
    The IP addresses of the DNS servers used by the gateway, one per line. It appears only when the RED type is Static or No uplink.

Access Point Name
    The name of the access point; appears only for the 3G/4G and UMTS Red type.

Modem Type
    This option appears only for the 3G/4G Red type and allows to select the type of modem to be used from the drop-down menu, among those available: 3G/4G or CDMA.

Green device
    The interface of the GREEN zone, i.e., the one in which the endpoints are situated.

Green IPs/CIDRs
    The IP address pool assigned to the GREEN zone.

Blue device
    The interface of the BLUE zone.
Blue IPs/CIDRs
    The IP address pool assigned to the BLUE zone.

Orange device
    The interface of the ORANGE zone.

Orange IPs/CIDRs
    The IP address pool assigned to the ORANGE zone.

Custom OpenVPN server IP/FQDN, port, and protocol
    A custom address used by the endpoint to connect to the OpenVPN server.

    Hint: the format to be used for the address in this and in the next option is hostname.domain:port:protocol or IP.address:port:protocol, with the port and protocol optional, hence valid values include vpn.example.com:1197:udp and 123.45. If the protocol is specified, the port must be specified as well.

Custom OpenVPN fallback IP address/FQDN, port, and protocol
    A custom address used by the endpoint to connect to the fallback OpenVPN server.

OpenVPN through HTTP proxy
    Tick the checkbox when the gateway uses a proxy for its connection to the Internet. The next four options will appear to configure that proxy.

Upstream server
    The IP address of the upstream proxy server.
Upstream port
    The port on which the proxy service runs on the server.

Upstream username
    The username to connect to the proxy server, if needed.

Upstream password
    The password to connect to the proxy server, if needed.

Upstream NTLM proxy authentication
    Tick the checkbox if the upstream HTTP proxy requires NTLM authentication.

Forge proxy user-agent
    If the upstream HTTP proxy needs to be contacted with a given user-agent, write it here.

Finally, a click on Advanced settings allows to define a few additional options.

Global virtual IP pool
    This option defines the IP address subnet for the addresses of the gateways.

OpenVPN server public IP/FQDN and port
    The public IP address or FQDN to be assigned to the OpenVPN server.

Endian Network account
    The username used to access the Endian Network.

Endian Network password or registration key
    The password of the Endian Network account or the Endian UTM Appliance's registration key.

New gateways default model
    Choose from the drop-down menu the default model of newly added gateways.