OpenVPN enables you to create an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site tunnels. This allows your road warrior users to connect to local resources as if they were in the office, or connect the networks of several geographically distant offices together - all with the added security of encryption protecting your data. OpenVPN supports any operating system with an OpenVPN-compatible VPN client (which is almost every OS), even smartphones!
This section reviews the different settings and configuration options available for OpenVPN.
The setup wizard walks you through the initial configuration of OpenVPN. Pay attention to the prompts: they explain how the application works, and your answers determine the configuration.
- VPN Server: In VPN Server mode, software clients (and other Untangle boxes) will connect to your server, allowing traffic to flow.
- Certificate: First, fill out some information to generate a certificate for OpenVPN.
- Exports: This is where the magic happens - anything you export will be available to users who connect to the VPN or have access to the other side of a site-to-site tunnel. By default, all NAT'd networks will be exported in their entirety.
- VPN Client: In VPN Client mode, your Untangle will connect to another Untangle, establishing a secure tunnel for traffic to flow.
- If you choose Client mode, your Untangle connects to another Untangle to establish the tunnel and there are no further settings to configure. During setup you will only be asked for a file (config.zip) to import, which you get from the Untangle running as the Server. Do not unzip this file; import it as is.
The Status tab shows you information on the configuration type of OpenVPN, as well as a list of open connections, the time the tunnels were created and transmit statistics.
The Clients tab is used to add or delete both software and site clients. When creating clients, choose the correct type: a client created with the wrong type will not work properly, if at all. Instructions on creating each type of client are below.
Creating and using Software Clients
Software clients are used to connect one machine to the LAN, typically a user who travels often or works from home. Once the tunnel has been connected, they will be able to access resources on the LAN like they were connected to it locally. To set up a new software client, just go to the Clients tab of OpenVPN and hit Add under VPN Clients.
- Client Name: A descriptive name for this client.
- Address Pool: The address pool used for this client - the default is fine in most situations.
Once the client has been created, just hit Done, then Apply. After Untangle is done building the VPN client, you can click Distribute Client to get the client - you can either download the client directly or have it sent through email. The distributed client bundles that user's certificate and private key, so handle it like a password: anyone who obtains it can connect as that client. FYI, if you're using Windows Vista or Windows 7 you'll need to both install and run the application as an Administrator - simply right-click and choose Run as Administrator. Running as an administrator is necessary to allow the application to write routes for the VPN and must be done every time the application is started on Windows Vista or 7.
Creating and using Site-to-site Tunnels
Site-to-site tunnels are persistent connections between two networks - if you have one remote user they should use a software client, but if you have a few remote users at an office, a site-to-site tunnel is a better idea. Please note that each network in a site-to-site configuration must have different IP spaces - one location might be 10.0.1.0/24 and another 10.0.2.0/24. You cannot have both sides using 10.0.1.0/24, nor can you have one site using 10.0.1.0/16 and the other 10.0.2.0/24 because the second network is encompassed by the first. If you're in one of the situations we just mentioned you'll need to renumber one of the networks - there is no way around this.
To set up a new site-to-site connection, just go to the Clients tab of OpenVPN and hit Add under VPN Sites - it is important that you do not create it as a normal VPN Client.
- Site Name: A descriptive name for this VPN site.
- Address Pool: The address pool used for this client - this should be fine as default in most situations.
- Network Address: The LAN address of the Untangle at the remote site; together with the Network Mask below it defines the remote network that will be routed through the tunnel.
- Network Mask: The netmask of the remote network.
Once that information has been filled in, just hit Done, then Apply. After Untangle is done building the VPN client, you can click Distribute Client to get the config.zip file for import into the other Untangle.
Exported Hosts and Networks
The Exported Hosts and Networks tab controls what resources are available to VPN users. You have a few options when adding exports:
- Host/Network name: A descriptive name for this export.
- IP Address: The IP address of the host or network to export (used in conjunction with the Netmask below).
- Netmask: The netmask of the host/network for export - if this is /24 (255.255.255.0), the entire /24 subnet of the IP Address in the export will be exported. To export only a single host, use a netmask of /32 (255.255.255.255).
The Advanced tab has options relating to VPN Address Pools and DNS options for OpenVPN.
- Pool Name: A descriptive name for this address pool.
- IP Address: The IP address to use (in conjunction with Netmask below) for the VPN Address Pool.
- Netmask: The netmask to use for the VPN Address Pool.
- Export DNS: If checked, the VPN Address Pool will use either Untangle or the specific DNS Server to resolve DNS requests, depending on the DNS Override settings.
- Full Tunnel: If checked, the clients/sites that are members of this pool will send ALL of their internet traffic through the VPN tunnel, so the Untangle apps can filter all of their internet traffic.
- Server Port: The connection port of OpenVPN. As of v9.2 we have a bug open for this feature.
- Site Name: The name of the (local) site.
- DNS Override: If enabled, DNS requests from clients using OpenVPN tunnels will be forwarded to the Primary/Secondary DNS Servers listed. If Unchecked, the DNS requests will be forwarded to Untangle itself.
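The overlap rule for site-to-site networks, the /24 versus /32 export semantics and the VPN Address Pool settings above can be checked before you click Apply. The following Python script is an added example, not Untangle's code; it uses only the standard ipaddress module, and the network names and addresses in it are constructed.

```python
"""Added example: offline sanity check of an OpenVPN address layout.

This is not Untangle's own code; it models the rules described on this page
with Python's standard ipaddress module: the local LAN and every site-to-site
network must have disjoint IP space (no nesting either), an export's netmask
decides whether one host (/32) or a whole subnet is exported, and the VPN
Address Pool must not collide with any network it routes to. The one exception
is exporting the pool itself, which the FAQ uses to let software clients
transit to other sites. All names and addresses below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network


def to_network(addr: str, mask: str) -> Net:
    """Build a network from the 'IP Address' + 'Netmask' pair the UI asks for.

    strict=False matches the export behaviour: with 255.255.255.0 the host
    bits are dropped and the whole /24 is exported; with 255.255.255.255
    exactly one host is exported.
    """
    return ipaddress.IPv4Network((addr, mask), strict=False)


def overlapping_pairs(named: Dict[str, Net]) -> List[Tuple[str, str]]:
    """Pairs of networks that share address space, including one nested in
    another (the 10.0.1.0/16 vs 10.0.2.0/24 case)."""
    names = list(named)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if named[a].overlaps(named[b])
    ]


def check_layout(local_lan: Net, sites: Dict[str, Net],
                 exports: Dict[str, Net], pool: Net) -> List[str]:
    """Return human-readable problems; an empty list means the layout is usable."""
    problems: List[str] = []
    nets = {"local LAN": local_lan, **sites}
    for a, b in overlapping_pairs(nets):
        problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}: renumber one side")
    for name, net in nets.items():
        if pool.overlaps(net):
            problems.append(f"VPN Address Pool {pool} overlaps {name} {net}")
    for name, net in exports.items():
        # exporting exactly the pool is the documented way to let clients transit
        if net != pool and pool.overlaps(net):
            problems.append(f"VPN Address Pool {pool} overlaps export {name} {net}")
    return problems


def clients_can_transit(exports: Dict[str, Net], pool: Net) -> bool:
    """Software clients reach other sites only once the pool itself is exported."""
    return any(pool.subnet_of(e) for e in exports.values())


if __name__ == "__main__":
    lan = to_network("10.0.1.0", "255.255.255.0")
    pool = to_network("172.16.0.0", "255.255.255.0")           # Untangle's default pool
    sites = {"branch": to_network("10.0.1.0", "255.255.0.0")}  # nests the LAN: wrong
    exports = {"file server": to_network("10.0.1.20", "255.255.255.255")}
    for p in check_layout(lan, sites, exports, pool):
        print("problem:", p)
    print("clients can transit sites:", clients_can_transit(exports, pool))
```

Run it with your own LAN, site and export definitions; the only rule it deliberately does not enforce is reachability of an export through the local LAN, since an export may be any NAT'd network behind Untangle.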
Use the following terms and definitions to understand the Event Logs:
- Start Time: The time the connection was established.
- End Time: The time the connection was terminated.
- Client Name: The name of the connection's client.
- Client Address: The WAN IP address of the connection's client.
- Port: The source port of the client's tunnel.
- Duration: The amount of time the tunnel was up.
- KB sent: The number of kilobytes sent on the connection.
- KB received: The number of kilobytes received on the connection.
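As an added example (not Untangle's code), the script below runs one useful check over records with these columns. The page gives no export format, so the sample records are a constructed CSV using the column names above. It flags a client whose sessions overlap in time from two different Client Addresses: a software client is meant to represent one machine, so that pattern usually means its config.zip (and the private key in it) has been copied to a second device.

```python
"""Added example: a small check over OpenVPN event-log records.

This is not Untangle's code. The page defines the event-log columns but not
an export format, so SAMPLE_LOG below is a constructed CSV using those column
names; clients, addresses and counters are made up.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Start Time,End Time,Client Name,Client Address,Port,Duration,KB sent,KB received
2013-05-01 08:00:00,2013-05-01 12:00:00,alice,203.0.113.10,51234,14400,1200,34000
2013-05-01 09:30:00,2013-05-01 10:15:00,alice,198.51.100.7,40001,2700,80,900
2013-05-01 13:00:00,2013-05-01 13:20:00,alice,203.0.113.10,51240,1200,50,400
2013-05-01 08:05:00,2013-05-01 17:00:00,branch-office,192.0.2.20,52000,32100,500000,480000
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text: str) -> List[dict]:
    """Parse the CSV into records with typed times and byte counts."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "client": row["Client Name"],
            "addr": row["Client Address"],
            "start": datetime.strptime(row["Start Time"], TIME_FMT),
            "end": datetime.strptime(row["End Time"], TIME_FMT),
            "kb_sent": int(row["KB sent"]),
            "kb_received": int(row["KB received"]),
        })
    return records


def concurrent_from_different_addresses(records: List[dict]) -> Dict[str, List[Tuple[str, str, datetime]]]:
    """Map client name -> list of (address A, address B, time the overlap began).

    Sessions are sorted by start time per client, so once a later session
    starts after the current one ended there is nothing more to compare.
    A roaming laptop produces consecutive sessions from different addresses,
    which is not flagged; only time-overlapping ones are.
    """
    by_client: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    findings: Dict[str, List[Tuple[str, str, datetime]]] = {}
    for client, sessions in by_client.items():
        sessions.sort(key=lambda s: s["start"])
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                if b["start"] >= a["end"]:
                    break
                if a["addr"] != b["addr"]:
                    findings.setdefault(client, []).append((a["addr"], b["addr"], b["start"]))
    return findings


def kb_totals(records: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Per-client (KB sent, KB received) summed over all sessions."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["client"]][0] += r["kb_sent"]
        totals[r["client"]][1] += r["kb_received"]
    return {c: (sent, rcv) for c, (sent, rcv) in totals.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, hits in concurrent_from_different_addresses(recs).items():
        for a, b, when in hits:
            print(f"{client}: overlapping sessions from {a} and {b} starting {when}")
    print(kb_totals(recs))
```

On the sample, alice is flagged once (her 08:00 session from 203.0.113.10 is still up when a second one from 198.51.100.7 starts at 09:30); the branch-office site tunnel, which legitimately stays up all day from one address, is not.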
What operating systems are supported?
OpenVPN supports most operating systems.
The OpenVPN client that Untangle distributes is compatible with all versions of Windows; however, on Windows Vista or Windows 7 you'll need to both install and run the application as an Administrator - simply right-click and choose Run as Administrator. Running as an administrator is necessary to allow the application to write routes for the VPN and must be done every time the application is started on Windows Vista or 7.
For Macs, we suggest Tunnelblick (http://code.google.com/p/tunnelblick).
- Download and install an OpenVPN client for MacOSX
- Login to the Untangle Server, download the client config file zip and extract the files from the zip file.
- Place the extracted files in the ~/Library/Application Support/Tunnelblick/Configurations folder on the Mac.
- Run Tunnelblick by double-clicking its icon in the Applications folder.
For all other operating systems Untangle distributes a .zip with configuration and certificate files - these can be used with any OpenVPN-compatible VPN software on any operating system.
Can I use it with my phone or tablet?
For smartphones, you'll need to install and run a VPN client that supports OpenVPN.
iOS based iPhones and iPads
For iPhones, we suggest OpenVPN Connect available on iTunes https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
- Install OpenVPN Connect app on your iPhone or iPad.
- Login to the Untangle Server, download the client config file and extract the files from the zip file.
- In iTunes, use File Sharing to add the extracted files to the OpenVPN Connect app on your iPhone or iPad.
Android Based Phones
OpenVPN for Android 4.0+ is available for connecting to Untangle OpenVPN. Detailed instructions from our forum contributor WebFool. http://forums.untangle.com/openvpn/30472-openvpn-android-4-0-a.html
- Download and install OpenVPN for Android on your Android device.
- Then download the OpenVPN configuration files from the Untangle unit.
- Unzip them and copy them to the phone's SD card.
- Now open "OpenVPN for Android".
- Click "All your precious VPNs".
- In the top right corner click on the folder icon.
- Browse to the folder where you have the OpenVPN .conf file. Click on the file and hit Select.
- Then in the top right corner hit the little floppy disc icon to save the import.
- Now you should see "imported profile"; click on it to connect to the tunnel.
With OpenVPN, can I force all network traffic through the VPN tunnel?
Untangle supports both split tunnel and full tunnel VPNs as of v9.3; enable Full Tunnel on the address pool under the Advanced tab.
Can I still use OpenVPN if my Untangle is in bridge mode?
Yes, however you will probably need to make some changes on your router to set it up properly. Set up OpenVPN as necessary, then on your router:
- Forward port 1194 (UDP) to the Untangle.
- Forward your External HTTPS Port (443 by default, set at Config > Administration) to the Untangle.
- Verify your setting is correct at Config > Administration > Public Address as it is used by Untangle for configuring OpenVPN clients.
- Add a Static Route on your router pointing the VPN Address Pool (172.16.0.0/24 by default, set in OpenVPN) to the Untangle local IP if return traffic does not already pass through Untangle on its way to the client machine's gateway.
Can I use OpenVPN on both of my WAN connections?
This is currently being verified and we will update this entry when we know more.
Is there a way to setup a password for the OpenVPN users?
Yes, if you right click on the OpenVPN icon on the client's PC there is an option for a password - please note this password is only used when launching the client.
Why are the OpenVPN clients I send through email never received?
You can test email receipt at Config > Email > Email Test - if they receive the test, they should get the OpenVPN client. If they are still not receiving it, you can check the mailer log at /var/log/exim4/mainlog for any errors.
OpenVPN connects, however I can not access anything. Why is this?
Many things could cause this issue. After connecting OpenVPN, try to ping Untangle's LAN IP address, then try to bring up the UI by entering that IP in a browser. If these work, your tunnel is up and operational and the problem is on the target side. If you can't reach a Windows machine, check Windows Firewall on that machine: by default it blocks access from non-local subnets, so either add a rule allowing the VPN Address Pool or disable it for testing. If the target machine runs another OS, verify it is either using Untangle as its gateway or that the gateway it is using has a static route sending the VPN Address Pool to the Untangle.
How can I restrict access to certain OpenVPN users?
Anything you Export in OpenVPN will be available to everyone; if you'd like to allow or deny access to specific resources for specific users you can use Firewall rules.
Can I create site-to-site tunnels with non-Untangle devices?
When using OpenVPN for site-to-site tunnels Untangle only supports using other Untangle boxes as endpoints. Some users have had success with DD-WRT and Tomato, but this is not supported by Untangle. If you need to connect a VPN tunnel to a non-Untangle device, we recommend using IPsec.
I'm using site-to-site and my software clients can only talk to the main server. Why?
If you have both software clients on the road and site-to-site tunnels, the software clients will only be able to see your main site by default. To allow them to transit the tunnel(s) to other sites, simply add the VPN Address Pool to the Exported Hosts and Networks. After this is done, software clients will be able to reach all exported sites.
My site-to-site tunnel is set up correctly, however it isn't working properly Why?
If the two sites' WAN addresses are in the same subnet or share the same upstream gateway, the site-to-site tunnel may not work even though the configuration is correct. Each location's WAN connection needs to be routed independently of the other; you might need to ask your ISP to move one site's IP to a different subnet.
How can I allow software clients to resolve DNS over the tunnel?
To allow DNS resolution for software clients you'll need to modify some OpenVPN settings - if Untangle is doing DNS resolution on your network, simply check Export DNS at OpenVPN Settings > Advanced > Address Pools for any VPN Address Pools you want DNS resolution exported for. If Untangle is not resolving DNS on your network, you'll need to check Export DNS, set DNS Override to Enabled, then enter the IP address of the DNS Server under Primary IP. You may need to use the FQDN when accessing resources across the tunnel.
How can I get DNS resolution working over my site-to-site tunnel?
You'll need to go to Config > Networking > Advanced > Local DNS and add the IP of the DNS server on the far side of the tunnel, enter the domain in the Domain List column, and use the FQDN when accessing resources. Please note that you'll need to do this on both sides of the tunnel for it to work from either side.
Why is the incorrect DNS Suffix pushed out to my clients?
The DNS Suffix is set when the client is created - you cannot change this later; you'll need to delete and recreate the user and redistribute the client. Whatever suffix you want pushed out to your clients, set it in Config > Networking > DNS Server, make sure the DNS Server is turned on, then create your clients. You can turn off the DNS Server after you create the clients if you wish. If the DNS server is turned off when you create them, your clients will get the suffix example.com. Some users are reporting that this only works correctly if the DNS Server is set to On all the time.
How do I auto-start OpenVPN when my computer boots?
This applies to Windows XP Pro, Vista and Windows 7. First, navigate to C:\Program Files\OpenVPN\config. This directory contains sitename.conf, sitename.ovpn and the subdirectory untangle-vpn. Identify the .ovpn file that corresponds to your site's name.
- Go to START > Control Panel > Administrative Tools > Services
- Right click on OpenVPN and select Properties
- Change Startup Type to Automatic
- Click OK
- Close the Services window
- Close the Administrative Tools window
- Close Control Panel
- Go to Start > Run > Regedit
- Follow path down to: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Locate the entry for "openvpn-gui"
- The command reference should say: C:\Program Files\OpenVPN\bin\openvpn-gui.exe
- MODIFY IT TO: C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect sitename.ovpn. Where sitename is customized for your specific site.
- Modify the following registry value to 1: HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service
- Exit RegEdit
When the machine restarts, the user will automatically be connected with the VPN client. Note that the tunnel now comes up from the key stored on that machine, before anyone logs in, so the machine itself needs to be protected as carefully as the client credential it holds.