OpenVPN

From UntangleWiki


Untangle Server User's Guide





About OpenVPN

OpenVPN is an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site configurations. When you create a new client or site, OpenVPN builds a custom installer for it that bundles the client software, its configuration, and its authentication material (key and certificate). Users only need to install that custom executable on their computers. OpenVPN supports the following operating systems:

  • Windows 2000/XP and higher
  • Mac OS X
  • Linux
  • OpenBSD
  • FreeBSD
  • NetBSD


Supported VPN Configurations

A Virtual Private Network (VPN) is a secure connection between a remote host or network and a local network over an otherwise insecure medium (i.e. the Internet). Every VPN connection has a client and a server. Your Untangle Server can be a VPN server, allowing remote clients or sites to connect to the exported internal networks. Your Untangle Server can also be a VPN client, gaining access to a remote Untangle VPN server and its internal network.

When you configure OpenVPN, you choose between two types of configurations:

  • Untangle in VPN Server Mode.

In this mode VPN clients connect to the Untangle server to establish an encrypted communication channel. Each VPN client authenticates with a key that is unique to that client. The assumption is that the server is protecting network resources from an untrusted network (usually the Internet): the VPN connection lets a remote client sit on that untrusted network and still reach the protected resources behind the VPN server. A VPN client is either an individual computer running the OpenVPN software client, or a second Untangle server running in VPN Client Mode (described below), which provides one secure connection for all of the computers behind it and gives them access to the resources behind the primary Untangle. Untangle in VPN Server Mode accepts connections from both desktop/laptop software clients and Untangle servers in VPN Client Mode.

  • Untangle in VPN Client Mode.

In this mode the Untangle server provides connectivity for all of the computers behind it to a remote network behind another Untangle in Server Mode. The Untangle in VPN Client Mode maintains a single encrypted connection to the Untangle in Server Mode, so the resources behind each Untangle can reach the resources on the other end.

Note: In a site-to-site configuration the networks at each site must use non-overlapping IP address ranges. Two sites cannot share the same address space.

[Figure: Untangle server in VPN Server mode with remote desktop/laptop VPN clients]
[Figure: VPN Server connected to Untangle in Client Mode providing a network bridge]


Untangle Server in VPN Server Mode

To configure Untangle as a VPN server:

Note: If you have already configured your Untangle as a VPN client, you will need to remove the OpenVPN module from the rack and then install the module again to reset OpenVPN to the initial state and get the VPN configuration wizard.

  1. Click Settings, then click Configure as VPN Server.
  2. Read the warning and click Next.
  3. The next step generates the certificate used to secure VPN communication.
    1. Enter the organization or company name.
    2. Select the country.
    3. Enter a two-letter abbreviation for the state or region.
    4. Enter the city name.
    5. Click Next.
  4. The next step lists the IP ranges that will be exported to remote VPN clients and sites, giving them access to those ranges. By default the internal network of the Untangle is added. If the Untangle handles other IP ranges, such as DMZ addresses, add them here by clicking the Add button.
  5. Click Close; the Server Mode configuration is complete.

With VPN Server Mode configured, continue with the steps below to add the VPN clients and sites that will connect to this server.


VPN Desktop/Laptop Clients

To configure desktop/laptop VPN clients (software VPN):


Create VPN Client

Each client you add will have access to the resources behind the Untangle VPN server.

  1. Click the Clients tab.
  2. Click the Add button under VPN Clients.
    1. Enter a client name. Type a descriptive name that identifies the user; for example, the user's computer name.
    2. In the Address pool drop-down list, choose the address pool to assign the user to. Generally use the default pool that is created automatically by the VPN Server wizard.
    3. Click Done.
  3. Click Apply to save the new VPN client.

[Figure: Providing Access to VPN Users]

Note: The Distribute button does not appear in the Distribution column until you have added and saved the VPN client.


Distribute VPN Client Key

Each VPN client needs its key and the OpenVPN client software. You can email the user a download link, or, for greater security, download the key directly on the client machine or onto a USB key.

  1. Click Distribute Client.
    [Figure: Distribute User's VPN Key]
  2. Specify the user's email address and click the Send Email button. The Untangle Server emails the VPN user a link to download the key and OpenVPN client, as shown in Downloading Key and OpenVPN Client. For greater security, you can instead download the key directly on the client to which you want to provide access, or onto a USB key from another remote client.
    [Figure: Email or Download User's VPN Key]
  3. Make sure VPN users download the key and OpenVPN client correctly. Users should click the OpenVPN link as shown in Downloading Key and OpenVPN Client.
    [Figure: Email for User's VPN Key]
    1. For systems other than Windows, download the configuration files instead of the Windows installer and install the OpenVPN client for your system from openvpn.net.
    2. For Windows 2000 and XP
      1. Download the Windows installer from the link in the email.
      2. Install normally by double clicking on the executable installer.
    3. For Windows Vista and 7
      1. Download the Windows installer from the link in the email.
      2. Right-click the executable installer and select Run as administrator.
      3. After the installation completes, configure the OpenVPN client to run as administrator (it needs that privilege to add the VPN routes):
        1. Click on Start Menu -> Programs -> OpenVPN and right click OpenVPN GUI.
        2. Select Properties.
        3. Click on Compatibility tab.
        4. Select Run this program as an administrator.
        5. Click OK


VPN Site Clients

To configure an Untangle Server as a VPN site client:

A VPN site is an entire remote network that connects to a VPN server. A VPN client site can represent many individual hosts (machines) within its protected network. This configuration is common for remote offices, where a handful of employees need to join the protected network at headquarters. When a group of computers (a network) establishes a VPN connection to a server, that group is called a site. An Untangle Server can act as a remote site, bridging the internal network at that location to another Untangle Server acting as the VPN server.

On the Untangle server in VPN Server Mode, do the following:

  1. Click the Clients tab.
  2. Click the Add button under VPN Sites.
    1. Enter a site name. Type a descriptive name that identifies the site; for example, the city name.
    2. In the Address pool drop-down list, choose the address pool to assign the site to. Generally use the default pool that is created automatically by the VPN Server wizard.
    3. Network address is the IP address space of the remote network. For example, if the remote office network is 192.168.200.0/24, enter 192.168.200.0 in the Network address field and 255.255.255.0 in the Network mask field. The main site and all of the remote sites must have different network address ranges.
    4. Click Done.
    5. Click Apply to save the new VPN site.
  3. Click Distribute Client and download the VPN site configuration (config.zip).

At this point the Untangle VPN server has a key ready for the remote Untangle VPN client. The simplest way to transfer the key to the remote site is to log in to both the VPN server and the VPN client site from the same browser.
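The site-to-site note above and the Network address / Network mask step both hinge on one rule: the main site, every remote site, and the VPN address pool must not overlap. The following is an added example (not part of the wiki or the Untangle product) that converts the wizard's address-plus-mask fields to CIDR and flags any overlapping pairs in a constructed site plan; the site names and ranges are assumptions, apart from the 192.168.200.0/24 remote network and the 172.16.0.0/24 default pool mentioned on this page.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example plan (assumed, not from the wiki): the main site LAN,
# two remote sites, and the address pool Untangle hands to software clients.
MAIN_SITE = ("Headquarters", "192.168.1.0/24")
REMOTE_SITES = [
    ("Branch-Denver", "192.168.200.0/24"),  # the wiki's example remote network
    ("Branch-Austin", "192.168.1.0/24"),    # deliberately clashes with HQ
]
VPN_POOL = ("VPN address pool", "172.16.0.0/24")  # Untangle's default pool


def mask_to_cidr(network: str, mask: str) -> str:
    """Convert the wizard's 'Network address' + 'Network mask' fields to CIDR.

    ('192.168.200.0', '255.255.255.0') -> '192.168.200.0/24'.
    strict=True raises ValueError if host bits are set in the network
    address, which catches a host IP typed where a network address belongs.
    """
    return str(ipaddress.ip_network(f"{network}/{mask}", strict=True))


def find_overlaps(sites: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return every pair of site names whose address ranges overlap.

    Any overlap means hosts on one side cannot be routed to the other side
    across the tunnel, which is the failure the site-to-site note warns about.
    """
    parsed = [(name, ipaddress.ip_network(cidr, strict=True))
              for name, cidr in sites]
    clashes = []
    for i, (name_a, net_a) in enumerate(parsed):
        for name_b, net_b in parsed[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def validate_plan(main, remotes, pool) -> List[Tuple[str, str]]:
    """Check the main site, all remote sites and the client pool together."""
    return find_overlaps([main, *remotes, pool])


if __name__ == "__main__":
    for a, b in validate_plan(MAIN_SITE, REMOTE_SITES, VPN_POOL):
        print(f"overlap: {a} and {b} share address space; renumber one of them")
```

An empty result means the plan satisfies the rule; each reported pair names two sites that must be renumbered before the tunnels will route correctly.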

Untangle Server in VPN Client Mode

  1. Log in to the remote Untangle server that will act as the VPN client.
  2. Click the OpenVPN Settings button.
  3. At the Welcome screen, click Next.
  4. Select Upload Configuration and upload the configuration file (config.zip) you downloaded previously.
  5. When the Success popup appears, click OK.
  6. You are now connected to the main office.
  7. Click OK at the bottom of the page.

Revoking Users' VPN Access Temporarily

To secure your network, temporarily disable a user's key if that user does not intend to use the VPN for an extended period of time, such as in the event of an employee's leave of absence. If you want to permanently remove a user's key, go to Revoking Users' VPN Access Permanently.

To temporarily disable a VPN user's key:

  1. From OpenVPN, click the Show Setting button.
  2. Click the VPN Clients tab.
  3. In the VPN Clients area, clear the Enabled check box that corresponds to the user, then click the Save button.


Revoking Users' VPN Access Permanently

To secure your network, always revoke a user's key if that user loses a laptop on which the key is installed. To revoke a user's VPN access, you disable the user's key; the user then has to reinstall the VPN client with a newly issued key. This procedure removes the user from a VPN Site or VPN Client, revokes the user's certificate, and permanently invalidates the key that was previously issued to the user.

If you want to temporarily remove a user's key, go to Revoking Users' VPN Access Temporarily.

To permanently disable a VPN user's key:


About OpenVPN Event Logs

Event logs are only available on the Untangle Server in VPN Server mode; the client side only shows whether it is connected or not in the Status tab. Use the following terms and definitions to read the OpenVPN Event Log:

  • start time: the time the connection was established.
  • end time: the time the connection was terminated.
  • client name: the name of the connection's client.
  • client address: the IP address of the connection's client.
  • Kbytes sent: the number of kilobytes sent on the connection.
  • Kbytes received: the number of kilobytes received on the connection.


Related Topics

OpenVPN

Top OpenVPN Questions and Answers

OpenVPN Site-to-Site Instructions


OpenVPN FAQs

What operating systems are supported? Can I use it with my phone?

The OpenVPN client that Untangle distributes is compatible with all versions of Windows; however, if you're using Windows Vista or Windows 7 you'll need to both install and run the application as an Administrator - simply right-click and choose Run as Administrator. Running as an administrator is necessary so the application can add the routes for the VPN, and must be done every time the application is started on Windows Vista or 7.


For all other operating systems Untangle distributes a .zip with configuration and certificate files - these can be used with any OpenVPN-compatible VPN software on any operating system. For Macs, we suggest Tunnelblick (http://code.google.com/p/tunnelblick). For smartphones, you'll need to install and run a VPN client that supports OpenVPN. Android's built-in VPN client won't import the files unless you convert them, but if your phone is rooted you can use the application OpenVPN Settings from the Android Market.


With OpenVPN, can I force all network traffic through the VPN tunnel?

Untangle's implementation of OpenVPN uses split tunneling - only VPN traffic will traverse the tunnel; any non-VPN traffic will go out the normal WAN connection. We're currently evaluating the feasibility of a full tunnel solution; we'll update this entry when we have more information.


Can I still use OpenVPN if my Untangle is in bridge mode?

Yes, however you will probably need to make some changes on your router to set it up properly. Set up OpenVPN as necessary, then on your router:

  1. Forward port 1194 (UDP) to the Untangle.
  2. Forward your External HTTPS Port (443 by default, set at Config > Administration) to the Untangle.
  3. Verify your setting is correct at Config > Administration > Public Address as it is used by Untangle for configuring OpenVPN clients.
  4. Add a Static Route on your router pointing the VPN Address Pool (172.16.0.0/24 by default, set in OpenVPN) at the Untangle.

We have a Packet Filter rule called Route VPN traffic that would go through the Bridge that you can try enabling; however, it does not always work, so we recommend the Static Route.

This is needed because typically your users will have the router as their gateway and the router won't know what to do with the packets destined for the OpenVPN pool, so it will send them to its own gateway (probably an ISP device) which will discard them.


Can I use OpenVPN on both of my WAN connections?

This is currently being verified and we will update this entry when we know more.


Is there a way to setup a password for the OpenVPN users?

Yes, if you right click on the OpenVPN icon on the client's PC there is an option for a password - please note this password is only used when launching the client.


Why are the OpenVPN clients I send through email never received?

You can test email receipt at Config > Email > Email Test - if they receive the test, they should get the OpenVPN client. If they are still not receiving it, you can check the mailer log at /var/log/exim4/mainlog for any errors.


Clients can connect using OpenVPN, but the tunnel drops after 15-30 seconds. Why?

Check to see if you have any unused or disconnected interfaces set to Dynamic - if so, change these to Static.


OpenVPN connects, however I can not access anything. Why is this?

Many things could cause this issue. After connecting OpenVPN, try to ping Untangle's LAN IP address, then try to bring up the UI by entering that IP in a browser. If these work, your tunnel is up and operational. If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine, as it blocks access from non-local subnets by default. If the target machine runs another OS, verify it is either using Untangle as its gateway or that the machine it is using as a gateway has a static route sending the VPN Address Pool to the Untangle.


How can I restrict access to certain OpenVPN users?

Anything you Export in OpenVPN will be available to everyone; if you'd like to allow or deny access to specific resources for specific users you can use Firewall rules.


Can I create site-to-site tunnels with non-Untangle devices?

When using OpenVPN for site-to-site tunnels Untangle only supports using other Untangle boxes as endpoints. Some users have had success with DD-WRT and Tomato, but this is not supported by Untangle. If you need to connect a VPN tunnel to a non-Untangle device, we recommend using IPsec.


I'm using site-to-site and my software clients can only talk to the main server. Why?

If you have both software clients on the road and site-to-site tunnels, the software clients will only be able to see your main site by default. To allow them to transit the tunnel(s) to other sites, simply add the VPN Address Pool to the Exported Hosts and Networks. After this is done, software clients will be able to reach all exported sites.


My site-to-site tunnel is set up correctly, however it isn't working properly. Why?

If you have a site with a WAN IP of 1.2.3.4 and another site with a WAN IP of 1.2.3.5, the site-to-site VPN tunnel may not work if the IPs are in the same subnet or share the same gateway. For the site-to-site VPN to work, each location's WAN address needs to be on a different subnet with a different gateway from the other location. You might need to ask your ISP to move one of your sites' IPs to a different subnet.


How can I allow software clients to resolve DNS over the tunnel?

To allow DNS resolution for software clients you'll need to modify some OpenVPN settings - if Untangle is doing DNS resolution on your network, simply check Export DNS at OpenVPN Settings > Advanced > Address Pools for any VPN Address Pools you want DNS resolution exported for. If Untangle is not resolving DNS on your network, you'll need to check Export DNS, set DNS Override to Enabled, then enter the IP address of the DNS Server under Primary IP. You may need to use the FQDN when accessing resources across the tunnel.


How can I get DNS resolution working over my site-to-site tunnel?

You'll need to go to Config > Networking > Advanced > Local DNS and add the IP of the DNS server on the far side of the tunnel, enter the domain in the Domain List column, and use the FQDN when accessing resources. Please note that you'll need to do this on both sides of the tunnel for it to work from either side.


Why is the incorrect DNS Suffix pushed out to my clients?

The DNS Suffix is set when the client is created - you cannot change it later; you'll need to delete and recreate the user and redistribute the client. Whatever suffix you want pushed out to your clients, set it in Config > Networking > DNS Server, make sure the DNS Server is turned on, then create your clients. You can turn off the DNS Server after you create the clients if you wish. If the DNS server is turned off when you create them, your clients will get the suffix example.com. Some users report that this only works correctly if the DNS Server is set to On all the time.