OpenVPN

From UntangleWiki


Untangle Server User's Guide


About OpenVPN

OpenVPN is an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site configurations. When you create new clients or sites, OpenVPN creates a custom executable for each client that contains the client, configuration, and authentication information. Users simply need to install the custom executable on their computers. OpenVPN supports the following operating systems:

  • Windows 2000/XP and higher
  • Linux
  • OpenBSD
  • FreeBSD
  • NetBSD
  • Mac OS X
  • Solaris



About OpenVPN

OpenVPN is an SSL-based VPN (Virtual Private Network) that supports both site-to-site and client-to-site configurations. When you create new clients or sites, OpenVPN creates a custom executable for each client, together with the configuration and the authentication information. Users simply need to install the executable on their computers. OpenVPN is compatible with the following operating systems:

  • Windows 2000/XP and higher
  • Linux
  • OpenBSD
  • FreeBSD
  • NetBSD
  • Mac OS X
  • Solaris

Supported VPN Configurations

A Virtual Private Network (VPN) is a secure connection between a remote host or network and a local network over an otherwise insecure medium (i.e., the Internet). Every VPN connection has a client and a server. Your Untangle Server can be a VPN server, allowing remote clients or sites to connect to the exported internal resources. Your Untangle Server can also be a VPN client, gaining access to remote VPN servers and their resources.

When you configure OpenVPN, you choose between two types of configurations:

Note: You can use both configurations simultaneously.

  • VPN Server with Remote VPN Clients (Software Clients). Where remote VPN clients (remote computers) connect to a VPN server. The software VPN client connects to the server, establishing an encrypted communication channel. Each VPN client authenticates via a secure key unique to that client. Implicit is that the server is protecting network resources from another untrusted network (usually the Internet). The VPN connection allows the remote client to reside on an untrusted network yet access protected resources behind the VPN server.
Figure, VPN Server with Remote VPN Clients and Untangle as Router
Figure, VPN Server with Remote VPN Clients and Untangle as Bridge
  • VPN Server with Remote VPN Sites (Hardware Clients). Where an entire remote network connects to a VPN server. A VPN site can represent many individual hosts (machines) within its protected network. This configuration is common for remote offices, where a handful of employees need to join the protected network at headquarters. When a group of computers (a network) establishes a VPN connection to a server, the group of computers is said to be a site. An Untangle Server can also act as a remote site, bridging the internal network at that remote location to another Untangle Server acting as a VPN server.
Figure, VPN Server with Remote VPN Sites

To create a VPN, the Untangle Server depends on the following:


Key Distribution

Establishing a secure connection implies not only encryption, which prevents eavesdropping by malicious parties between the VPN client and server, but also authentication. OpenVPN within Untangle Server implements this security using keys. Each computer that wants to connect to a VPN server must have a key installed. The process of installing this key is known as key distribution. The Untangle Server can distribute this key to each VPN Client and VPN Site using the following options:

  • Email
  • USB key

Caution: For security, if a key is lost (for example, because a VPN user loses a laptop that has a key installed), you must invalidate that key.

Exports

A secure communication channel by itself is of only limited value. Once a client has established a VPN connection to a server, that server exports network resources to the client. These exported resources are the protected machines or subnets that are shielded from the untrusted network but reachable through the VPN connection.

This concept of exporting resources is a subtle one. A very simple VPN deployment may export the entire internal (protected) network to VPN clients. This can be thought of as the VPN client simply joining the internal network from a remote location through a secure channel. For many deployments, this might be appropriate. In other deployments, a further level of protection might be appropriate. For example, the most common use of VPN is employees working from home. Many homes now have wireless networks, which are not always properly secured. When users establish VPN connections from their homes, they can expose the corporation to any malware residing on their home network. To minimize this risk, you might choose to export specific network resources (for example, the intranet server) to VPN clients and not export other resources such as file servers, printers, and ERP systems that they normally might be able to access when at their desks at work. Therefore, you can export one of the following:

  • Exported Address. The IP Address of a host (machine) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.
  • Exported Network. A range of addresses (expressed as a subnet) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.

Address Pools

An address pool specifies a range of IP addresses that your Untangle Server assigns to VPN clients as they establish a secure VPN connection. These IP addresses are used on the internal (protected) network. For example, Emma initiates a VPN connection from her home. Her Internet Service Provider assigns her computer IP address 10.0.0.40. Afterward, she establishes her secure VPN connection to an Untangle Server, and the computers within the protected network see that her computer's IP address is 192.1.1.4. The Untangle Server to which Emma connected assigned IP address 192.1.1.4 to Emma's computer because this is one of the IP addresses in the address pool.
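The export and address-pool concepts above, and the address/netmask syntax the server wizard uses for them, as an added example (not Untangle's own code; the exports, pool and addresses are constructed for illustration): an export with a 255.255.255.255 netmask makes a single host visible, a cleared export check box hides a resource, and the server hands each connecting client a free address from the pool.

```python
import ipaddress

# Constructed sample configuration; not taken from any real Untangle deployment.
# Exports use the wizard's address/netmask syntax. A 255.255.255.255 netmask
# exports a single computer, as the "Add an export" step describes.
EXPORTS = [
    {"name": "intranet server", "address": "192.1.1.10",
     "netmask": "255.255.255.255", "enabled": True},
    {"name": "file servers", "address": "192.1.2.0",
     "netmask": "255.255.255.0", "enabled": False},
]
ADDRESS_POOL = {"address": "192.1.1.0", "netmask": "255.255.255.0"}


def to_network(address, netmask):
    """Convert address/netmask syntax to an ip_network (strict=False tolerates
    a host address combined with a wider mask)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def visible_networks(exports):
    """Networks a connected client can see: disabled exports are hidden,
    exactly like clearing the export check box in the wizard."""
    return [to_network(e["address"], e["netmask"])
            for e in exports if e["enabled"]]


def is_reachable(destination, exports=EXPORTS):
    """True if the VPN server exports the destination to its clients."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in visible_networks(exports))


def assign_pool_address(used, pool=ADDRESS_POOL):
    """Hand a connecting client the lowest free address in the pool, skipping
    the network and broadcast addresses and addresses already in use.
    Returns None when the pool is exhausted."""
    used = {ipaddress.ip_address(a) for a in used}
    for host in to_network(pool["address"], pool["netmask"]).hosts():
        if host not in used:
            return str(host)
    return None


if __name__ == "__main__":
    print(is_reachable("192.1.1.10"), is_reachable("192.1.2.5"))
    print(assign_pool_address(["192.1.1.1", "192.1.1.2", "192.1.1.3"]))
```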


Creating a Virtual Private Network

  1. Configure your Untangle Server as a VPN server. Go to: Configuring Untangle Server as a VPN Server
  2. Distribute the key and OpenVPN client software. Go to: Distributing Keys and OpenVPN Client
  3. (VPN Site Configuration Only) Configure the branch office's router as a remote VPN site. Go to: Configuring Untangle Server as a Remote VPN Site
  4. Access a network resource, to test the VPN that you created. Go to: Accessing Network Resources

Configuring Untangle Server as a VPN Server

This procedure uses the Routing Server Wizard to configure OpenVPN as a VPN Server. Use this procedure if you want to configure your Untangle Server so that VPN Clients and VPN Sites can connect to your company's protected network.

To configure an Untangle Server as a VPN Server:

Before You Begin:

  1. From OpenVPN, click the Configure as VPN Server button to launch the Server Routing Setup Wizard. The Welcome Screen appears.

    Note: Except for the Certificate Generation window, you can later visit every window in the wizard without launching the wizard.

  2. From the Welcome window, click the Next Page button.
  3. From the Generate Certificate window, specify company and location information, and click the Next Page button. The Add Address Pools window appears.
  4. Add at least one address pool as shown in Figure, Adding an Address Pool for Remote Employees, and click the Next button.
    • Untangle Client provides a default IP address for the address pool. Accept the default.
    • Add more than one address pool only if you plan to configure policies, as described in Policy Management. Normal installations need only one address pool.
    • Each address pool describes a range of addresses, expressed in address and netmask syntax.
    Figure, Adding an Address Pool for Remote Employees
  5. Add an export:
    • To be useful, a VPN server should export at least one network or computer.
    • Exports enable you to define the computers and networks that you want to make visible to VPN clients and sites.
    1. Click the plus (add) button. A new row appears in the table. By default, OpenVPN exports the entire network.
    2. Do one of the following:
      • If you want to accept the default and enable VPN users to access all resources on the network, in the host/network name text box, provide a descriptive name for the resource.
      • If you only want VPN users to access a single computer, in the IP address text box and netmask text box, specify the computer's IP address and 255.255.255.255 subnet mask, then in host/network name text box, provide a descriptive name for the resource.

        Tip: If you want to configure VPN, but do not want to activate the configuration yet, clear the export check box to temporarily hide the resource from VPN users.

    3. Click the Next button.
    Figure, Exporting the Entire Network
  6. Do one of the following:
    • To configure for VPN Clients, provide users access to the VPN by adding VPN clients to the address pool that you just created, as shown in Figure, Providing Access to VPN Users:
      Figure, Providing Access to VPN Users
      1. Click the plus (add) button. A new row appears in the table.
      2. In the client name text box, type a descriptive name to identify the user. For example, you might use the user's computer name.

        Note: The secure key distribution is disabled until you complete and save the VPN configuration.

      3. Click the Next button, and click the Next button again to bypass the Add VPN Sites screen.
    • To configure for VPN Sites, provide the VPN Site access to the address pool that you just created, as shown in Figure, Providing Access to VPN Sites:
      Figure, Providing Access to VPN Sites
      1. Click the Next button to bypass the Add VPN Clients window. The Add VPN Site window appears.
      2. Click the plus (add) button. A new row appears in the table.
      3. In the site name text box, specify a descriptive name for the site (for example, san_mateo_sales_office), and specify the internal IP address range on the remote network.

        Note: The secure key distribution is disabled until you complete and save the VPN configuration.

      4. Select the is Untangle Server check box only if your VPN Site does not have an Untangle Server. Select the check box if the device is another VPN appliance that is running OpenVPN.
      5. Click the Next button.
  7. Click the Finish button. Congratulations!

Next Step: Generate the required key. Go to Distributing Keys and OpenVPN Client.


Distributing Keys and OpenVPN Client

In order for VPN Clients and VPN Sites to connect to the VPN Server on the Untangle Server, they require site keys. VPN Clients (but not VPN Sites) also require the OpenVPN client software.

To generate a key and distribute the OpenVPN client:

  1. From OpenVPN, click the VPN Clients/VPN Sites tab.
  2. Do one of the following:
    • For VPN Clients, click the VPN Clients tab.
    • For VPN Sites, click the VPN Sites tab.
  3. Scroll to the VPN user or VPN site.
  4. In the secure key distribution column, click the Distribute Client button as shown in Figure, Distributing Keys and OpenVPN Client. A Question window appears.
    Figure, Distributing Keys and OpenVPN Client
  5. Do one of the following:
    • For VPN Clients, in the Question window, specify the user's email address, and click the Proceed button. The Confirmation window appears. The Untangle Server emails the VPN user a link to download the key and OpenVPN Client, like the one shown in Figure, Downloading Key and OpenVPN Client for VPN Clients.
      Figure, Downloading Key and OpenVPN Client for VPN Clients
    • For VPN Sites, in the Question window, either specify an email address, or insert a USB key into a USB port on the VPN Site's Untangle Server and select Distribute via USB Key to download the key to it. With the email option, the Untangle Server emails a link to download the key, as shown in Figure, Downloading Key for VPN Sites.
      Figure, Downloading Key for VPN Sites

Next Step:


Configuring Untangle Server as a Remote VPN Site

Perform this procedure on the remote VPN site's Untangle Server, not on the VPN Server. If your Untangle Server is the gateway for a branch office and some other router acts as the gateway for the headquarters, configure the Untangle Server as a remote VPN site. This procedure uses the Client Site Wizard to configure OpenVPN as a VPN Site.

To configure an Untangle Server as a remote VPN site:

  1. If you want to download the key that you generated in Distributing Keys and OpenVPN Client on the remote VPN site's Untangle Server from a USB key, insert that USB key into one of the Untangle Server's USB ports.
  2. Log on to the VPN Site's Untangle Server.
  3. From OpenVPN, click the Setup tab.
  4. Click the Wizard tab, and click the Configure as VPN Client button to launch the Client Setup Wizard. The Welcome window appears.
  5. Click Next. The Download Configuration window appears.
  6. Do one of the following:
    • Using the values that were emailed to you (see Figure, Downloading Key for VPN Sites), specify the Server IP Address and Password.
    • Select Download from USB Key if you saved the key to a USB Key.
  7. Click the Next button.
  8. Click the Finish button to save the settings. Your VPN Site can now connect to the VPN Server!

Next Step: To test your VPN, access a network resource. Go to Accessing Network Resources.


Accessing Network Resources

Network resources include computers, for example desktops or file servers.

To access network resources:

  1. Log on to the VPN. Do one of the following:
    • If you are connecting to a VPN Site, you are always connected. Proceed to the next step.
    • If you are connecting to the VPN in a VPN Client configuration and you only have one connection, double-click on the OpenVPN Client icon. A window appears.
    • If you are connecting to the VPN in a VPN Client configuration and you have more than one connection, right-click on the OpenVPN Client icon and select sitename > Connect. A window appears.

    You successfully logged on to the VPN if:

    • The OpenVPN Connection window reads Successful, then the window disappears.
    • The OpenVPN icon turns green.
    Figure, Logging On To a VPN Using OpenVPN Client Software
    Figure, Choosing Between Two OpenVPN Connections
    Figure, Accessing a Network Resource by Hostname
  2. Access a network resource. For example, in Windows XP:
    1. Launch a Windows Explorer window.
    2. Type \\IPAddressofComputer or \\ComputerHostname, and press Enter.


Revoking Users' VPN Access Temporarily

To secure your network, temporarily disable a user's key if that user does not intend to use the VPN for an extended period of time, such as in the event of an employee's leave of absence. If you want to permanently remove a user's key, go to Revoking Users' VPN Access Permanently.

To temporarily disable a VPN user's key:

  1. From OpenVPN, click the Show Setting button.
  2. Click the VPN Clients/Sites tab, and click the VPN Clients tab.
  3. In the row that corresponds to the user, clear the Enabled check box, and click the Save Settings button.


Revoking Users' VPN Access Permanently

To secure your network, always disable a user's key if that user loses a laptop on which a key is installed. To revoke a user's VPN access, you must disable the user's key. In this case, the user needs to reinstall the VPN client and key. This procedure removes a user from a VPN Site or VPN Client, revokes the user's certificate, and permanently invalidates the key that was previously issued to the user.

If you want to temporarily remove a user's key, go to Revoking Users' VPN Access Temporarily.

To permanently disable a VPN user's key:

  1. From OpenVPN, click the Show Setting button.
  2. Click the VPN Clients/Sites tab, and click the VPN Clients tab.
  3. In the row that corresponds to the user, delete the user's account.
  4. Create a new user account with the same parameters. Go to VPN Site or VPN Client.
  5. Distribute the client and key. Go to Distributing Keys and OpenVPN Client.


About OpenVPN Event Logs

Use the following terms and definitions to understand the OpenVPN Event Log:

  • start time: The time the connection was established.
  • end time: The time the connection was terminated.
  • client name: The name of the connection's client.
  • client address: The IP address of the connection's client.
  • Kbytes sent: The number of kilobytes that have been sent on the connection.
  • Kbytes received: The number of kilobytes that have been received on the connection.
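Because each client's key is unique to that client (see Key Distribution), the Event Log fields above are enough to notice a key that is in use from two places at once, the situation the Caution about a lost laptop refers to. The following is an added example, not Untangle's own code; the log rows, client names, addresses and timestamps are constructed:

```python
from datetime import datetime

# Constructed sample of OpenVPN Event Log rows using the fields the guide
# defines; not a real Untangle export.
EVENT_LOG = [
    {"start time": "2008-03-03 08:02", "end time": "2008-03-03 12:10",
     "client name": "emma-laptop", "client address": "10.0.0.40",
     "Kbytes sent": 5120, "Kbytes received": 860},
    {"start time": "2008-03-03 09:15", "end time": "2008-03-03 09:40",
     "client name": "emma-laptop", "client address": "203.0.113.77",
     "Kbytes sent": 40, "Kbytes received": 12},
    {"start time": "2008-03-03 13:00", "end time": "2008-03-03 13:30",
     "client name": "emma-laptop", "client address": "10.0.0.40",
     "Kbytes sent": 300, "Kbytes received": 90},
    {"start time": "2008-03-03 10:00", "end time": "2008-03-03 17:00",
     "client name": "san_mateo_sales_office", "client address": "198.51.100.9",
     "Kbytes sent": 90000, "Kbytes received": 41000},
]

FMT = "%Y-%m-%d %H:%M"


def _span(row):
    """Start and end of a session as datetimes."""
    return (datetime.strptime(row["start time"], FMT),
            datetime.strptime(row["end time"], FMT))


def concurrent_from_different_addresses(log):
    """Sessions where one client name is connected at the same time from two
    different client addresses. Since a key is unique to its client, this
    pattern suggests the key was copied or the laptop carrying it was lost,
    and the key should be invalidated (Revoking Users' VPN Access Permanently).
    Returns (client name, first address, second address) tuples."""
    by_name = {}
    for row in log:
        by_name.setdefault(row["client name"], []).append(row)
    findings = []
    for name, rows in by_name.items():
        rows = sorted(rows, key=lambda r: r["start time"])
        for i, a in enumerate(rows):
            a_start, a_end = _span(a)
            for b in rows[i + 1:]:
                b_start, b_end = _span(b)
                overlap = b_start < a_end and a_start < b_end
                if overlap and a["client address"] != b["client address"]:
                    findings.append((name, a["client address"], b["client address"]))
    return findings


def traffic_per_client(log):
    """Total kilobytes (sent, received) per client name."""
    totals = {}
    for row in log:
        sent, recv = totals.get(row["client name"], (0, 0))
        totals[row["client name"]] = (sent + row["Kbytes sent"],
                                      recv + row["Kbytes received"])
    return totals
```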

VPN FAQs
