OpenVPN
From UntangleWiki
About OpenVPN
OpenVPN is an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site configurations. When you create new clients or sites, OpenVPN creates a custom executable for each client that contains the client, configuration, and authentication information. Users simply need to install the custom executable on their computers. OpenVPN supports the following operating systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
About OpenVPN
OpenVPN is an SSL-based VPN (Virtual Private Network) that supports both site-to-site and client-to-site configurations. When you create new clients or sites, OpenVPN creates a custom executable for each client, together with the configuration and authentication information. Users simply need to install the executable on their computers. OpenVPN is compatible with the following operating systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
Supported VPN Configurations
A Virtual Private Network (VPN) is a secure connection between a remote host or network and a local network over an otherwise insecure medium (i.e., the Internet). Every VPN connection has a client and a server. Your Untangle Server can be a VPN server, allowing remote clients or sites to connect to the exported internal resources. Your Untangle Server can also be a VPN client, gaining access to remote VPN servers and their resources.
When you configure OpenVPN, you choose between two types of configurations:
Note: You can use both configurations simultaneously.
- VPN Server with Remote VPN Clients (Software Clients). Where remote VPN clients (remote computers) connect to a VPN server. The software VPN client connects to the server, establishing an encrypted communication channel. Each VPN client authenticates via a secure key unique to that client. Implicit is that the server is protecting network resources from another untrusted network (usually the Internet). The VPN connection allows the remote client to reside on an untrusted network yet access protected resources behind the VPN server.
- VPN Server with Remote VPN Sites (Hardware Clients). Where an entire remote network connects to a VPN server. A VPN site can represent many individual hosts (machines) within its protected network. This configuration is common for remote offices, where a handful of employees need to join the protected network at headquarters. When a group of computers (a network) establishes a VPN connection to a server, the group of computers is said to be a site. An Untangle Server can also act as a remote site, bridging the internal network at that remote location to another Untangle Server acting as a VPN server.
To create a VPN, the Untangle Server depends on the following:
Key Distribution
Establishing a secure connection implies not only encryption, which prevents eavesdropping by malicious parties between the VPN client and server, but also authentication. OpenVPN within Untangle Server implements this security using keys. Each computer that wants to connect to a VPN server must have a key installed. The process of installing this key is known as key distribution. The Untangle Server can distribute this key to each VPN Client and VPN Site using the following options:
- USB key
Caution: For security, if a key is lost (for example, because a VPN user loses a laptop that has a key installed), you must invalidate that key.
Exports
A secure communication channel by itself is of only limited value. Once a client has established a VPN connection to a server, that server exports network resources to the client. These exported resources are the protected machines or subnets: shielded from the untrusted network, but reachable through the VPN connection.
This concept of exporting resources is a subtle one. A very simple VPN deployment may export the entire internal (protected) network to VPN clients. This can be thought of as the VPN client simply joining the internal network from a remote location through a secure channel. For many deployments, this might be appropriate. In other deployments, a further level of protection might be appropriate. For example, the most common use of VPN is employees working from home. Many homes now have wireless networks, which are not always properly secured. When users establish VPN connections from their homes, they can expose the corporation to any malware residing on their home network. To minimize this risk, you might choose to export specific network resources (for example, the intranet server) to VPN clients and not export other resources such as file servers, printers, and ERP systems that they normally might be able to access when at their desks at work. Therefore, you can export one of the following:
- Exported Address. The IP Address of a host (machine) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.
- Exported Network. A range of addresses (expressed as a subnet) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.
Address Pools
An address pool specifies a range of IP addresses that your Untangle Server assigns to VPN clients as they establish a secure VPN connection. These IP addresses are used on the internal (protected) network. For example, Emma initiates a VPN connection from her home. Her Internet Service Provider assigns her computer the IP address 10.0.0.40. She then establishes her secure VPN connection to an Untangle Server, and the computers within the protected network see her computer's IP address as 192.1.1.4. The Untangle Server to which Emma connected assigned the IP address 192.1.1.4 to Emma's computer because it is one of the IP addresses in the address pool.
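As an added example for the Exports and Address Pools sections above (this is not Untangle's code, and not the configuration the wizard actually writes), the following Python renders the standard OpenVPN server directives that these concepts correspond to: the address pool becomes the server directive, an exported address (netmask 255.255.255.255) or exported network becomes a route pushed to clients, and a VPN site's remote network becomes a server route plus an iroute in that site's client-config-dir entry. The directive names are standard OpenVPN; the mapping, the helper names, the sample values and the overlap check are assumptions of this example.

```python
# Added example, not Untangle's code: render the OpenVPN server directives
# that the page's concepts correspond to (assumed mapping, standard
# OpenVPN directive names), and check exports against the address pool.
import ipaddress


def pool_directive(pool_cidr):
    """Address pool -> 'server' directive: the range OpenVPN hands out
    to connecting clients, e.g. '192.1.1.0/24'."""
    net = ipaddress.ip_network(pool_cidr, strict=True)
    return f"server {net.network_address} {net.netmask}"


def export_directive(address, netmask="255.255.255.255"):
    """Exported address (netmask 255.255.255.255) or exported network
    -> a route pushed to every VPN client and site that connects."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=True)
    return f'push "route {net.network_address} {net.netmask}"'


def site_directives(site_name, remote_cidr):
    """A VPN site brings a whole remote network with it. The server needs a
    kernel route for it ('route') and an 'iroute' in the site's
    client-config-dir file so OpenVPN knows which connection owns it."""
    net = ipaddress.ip_network(remote_cidr, strict=True)
    route = f"route {net.network_address} {net.netmask}"
    iroute = f"iroute {net.network_address} {net.netmask}"
    return route, (site_name, iroute)


def overlapping_exports(pool_cidr, exports):
    """Exports that overlap the address pool. A client would be told to reach
    its own tunnel address range through the tunnel; exclude these."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    return [
        f"{address}/{netmask}"
        for address, netmask in exports
        if ipaddress.ip_network(f"{address}/{netmask}", strict=True).overlaps(pool)
    ]


def render_server_config(pool_cidr, exports, sites):
    """Return (server.conf lines, {ccd filename: iroute line})."""
    bad = overlapping_exports(pool_cidr, exports)
    if bad:
        raise ValueError(f"exports overlap the address pool: {bad}")
    lines = [pool_directive(pool_cidr)]
    lines += [export_directive(a, m) for a, m in exports]
    ccd = {}
    for name, remote in sites:
        route, (ccd_name, iroute) = site_directives(name, remote)
        lines.append(route)
        ccd[ccd_name] = iroute
    return lines, ccd


if __name__ == "__main__":
    # Constructed sample values: the page's 192.1.1.x pool, one exported
    # host, one exported network and one remote site.
    conf, ccd = render_server_config(
        "192.1.1.0/24",
        [("10.10.5.7", "255.255.255.255"), ("10.10.0.0", "255.255.0.0")],
        [("san_mateo_sales_office", "172.16.20.0/24")],
    )
    print("\n".join(conf))
    for name, line in ccd.items():
        print(f"ccd/{name}: {line}")
```

The overlap check is the one a practitioner wants before saving: an export whose subnet contains the address pool sends clients a route to their own tunnel range, which breaks the tunnel rather than exposing anything. The single-host export with a 255.255.255.255 netmask is how the wizard step "specify the computer's IP address and 255.255.255.255 subnet mask" shows up in a pushed route.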
Creating a Virtual Private Network
- 1. Configure your Untangle Server as a VPN server. Go to Configuring Untangle Server as a VPN Server.
- 2. Distribute the key and OpenVPN client software. Go to Distributing Keys and OpenVPN Client.
- 3. (VPN Site Configuration Only) Configure the branch office's router as a remote VPN site. Go to Configuring Untangle Server as a Remote VPN Site.
- 4. Access a network resource to test the VPN that you created. Go to Accessing Network Resources.
Configuring Untangle Server as a VPN Server
This procedure uses the Routing Server Wizard to configure OpenVPN as a VPN Server. Use this procedure if you want to configure your Untangle Server so that VPN Clients and VPN Sites can connect to your company's protected network.
To configure an Untangle Server as a VPN Server:
Before You Begin:
- Install OpenVPN. Go to Installing Software Products.
- If you intend to provide remote clients access to a specific computer (such as a file server), you must first provide that computer a static IP address if it does not already have a static IP address. Go to Assigning Network Computers Static IP Addresses.
- Configure Untangle Server to send email. Go to Configuring Server Email Traffic.
- From OpenVPN, click the Configure as VPN Server button to launch the Server Routing Setup Wizard. The Welcome Screen appears.
Note: Except for the Certificate Generation window, you can later revisit every window in the wizard without launching the wizard.
- From the Welcome window, click the Next Page button.
- From the Generate Certificate window, specify company and location information, and click the Next Page button. The Add Address Pools window appears.
- Add at least one address pool as shown in Figure, Adding an Address Pool for Remote Employees, and click the Next button.
- Untangle Client provides a default IP address for the address pool. Accept the default.
- Add more than one address pool only if you plan to configure policies, as described in Policy Management. Normal installations only need one address pool.
- Each address pool describes a range of addresses, expressed in address and netmask syntax.
- Add an export:
- To be useful, a VPN server should export at least one network or computer.
- Exports enable you to define the computers and networks that you want to make visible to VPN clients and sites.
- Click the plus (add) button. A new row appears in the table. By default, OpenVPN exports the entire network.
- Do one of the following:
- If you want to accept the default and enable VPN users to access all resources on the network, in host/network name box, provide a descriptive name of the resource.
- If you only want VPN users to access a single computer, in the IP address text box and netmask text box, specify the computer's IP address and 255.255.255.255 subnet mask, then in host/network name text box, provide a descriptive name for the resource.
Tip: If you want to configure VPN, but do not want to activate the configuration yet, clear the export check box to temporarily hide the resource from VPN users.
- Click the Next button.
- Do one of the following:
- To configure for VPN Clients, provide users access to the VPN, add VPN clients to the address pool that you just created as shown in Figure, Providing Users VPN Access:
- Click the plus (add) button. A new row appears in the table.
- In the client name text box, type a descriptive name to identify the user. For example, you might use the user's computer name.
- Click the Next button, and click the Next button again to bypass the Add VPN Sites screen.
- To configure for VPN Sites, provide the VPN Site access to the address pool that you just created as shown in Figure, Providing Access to VPN Site:
- Click the Next button to bypass the Add VPN Clients window. The Add VPN Site window appears.
- Click the plus (add) button. A new row appears in the table.
- In the site name text box, specify a descriptive name for the site (for example, san_mateo_sales_office), and specify the internal IP address range on the remote network.
- Select the is Untangle Server check box only if your VPN Site does not have an Untangle Server. Select the check box if the device is another VPN appliance that is running OpenVPN.
- Click the Next button.
- Click the Finish button. Congratulations!
Note: The secure key distribution is disabled until you complete and save the VPN configuration.
Next Step: Generate the required key. Go to Distributing Keys and OpenVPN Client.
Distributing Keys and OpenVPN Client
In order for VPN Clients and VPN Sites to connect to the VPN Server on the Untangle Server, they require keys. VPN Clients (but not VPN Sites) also require an OpenVPN client.
To generate a key and distribute the OpenVPN client:
- From OpenVPN, click the VPN Clients/VPN Sites tab.
- Do one of the following:
- For VPN Clients, click the VPN Clients tab.
- For VPN Sites, click the VPN Sites tab.
- Scroll to the VPN user or VPN site.
- In the secure key distribution column, click the Distribute Client button as shown in Figure, Distributing Keys and OpenVPN Client. A Question window appears.
- Do one of the following:
- For VPN Clients, in the Question window, specify the user's email address, and click the Proceed button. The Confirmation window appears. The Untangle Server emails the VPN user a link to download the key and OpenVPN Client, like the one shown in Figure, Downloading Key and OpenVPN Client.
- For VPN Sites, in the Question window, specify an email address, or insert a USB key into a USB port on the VPN Site's Untangle Server and select Distribute via USB Key to download the key. With the former choice, the Untangle Server emails a link to download the key, as shown in Figure, Downloading Key for VPN Site.
Next Step:
- For VPN Clients:
- Ensure that VPN users download the key and OpenVPN Client properly. Users should click on the OpenVPN link as shown in Figure, Downloading Key and OpenVPN Client.
- To test your VPN, access a network resource. Go to Accessing Network Resources.
- For VPN Sites: Configure the remote office's Untangle Server as a VPN Site. Go to Configuring Untangle Server as a Remote VPN Site.
Configuring Untangle Server as a Remote VPN Site
Perform this procedure on the remote VPN site's Untangle Server, not on the VPN Server. If your Untangle Server is the gateway for the branch office and some other router acts as the gateway for the headquarters, configure the Untangle Server as a remote VPN site. This procedure uses the Client Site Wizard to configure OpenVPN as a VPN Site.
To configure an Untangle Server as a remote VPN site:
- If you want to download the key that you generated in Distributing Keys and OpenVPN Client on the remote VPN site's Untangle Server from a USB key, insert that USB key into one of the Untangle Server's USB ports.
- Log on to the VPN Site's Untangle Server.
- From OpenVPN, click the Setup tab.
- Click the Wizard tab, and click the Configure as VPN Client button to launch the Client Setup Wizard. The Welcome window appears.
- Click Next. The Download Configuration window appears.
- Do one of the following:
- Using the values that were emailed to you (see Figure, Downloading Key for VPN Site), specify the Server IP Address and Password, or select Download from USB Key if you saved the key to a USB key.
- Click the Next button.
- Click the Finish button to save the settings. Your VPN Site can now connect to the VPN Server!
Next Step: To test your VPN, access a network resource. Go to Accessing Network Resources.
Accessing Network Resources
Network resources include computers, for example desktops or file servers.
To access network resources:
- Log on to the VPN. Do one of the following:
- If you are connecting to a VPN Site, you are always connected. Proceed to the next step.
- If you are connecting to the VPN in a VPN Client configuration and you only have one connection, double-click the OpenVPN Client icon. A window appears.
- If you are connecting to the VPN in a VPN Client configuration and you have more than one connection, right-click the OpenVPN Client icon and select sitename > Connect. A window appears.
You successfully logged on to the VPN if:
- The OpenVPN Connection window reads Successful, then the window disappears.
- The OpenVPN icon turns green.
- Access a network resource. For example, in Windows XP:
- Launch a Windows Explorer window.
- Type \\IPAddressofComputer or \\ComputerHostname, and press Enter.
Revoking Users' VPN Access Temporarily
To secure your network, temporarily disable a user's key if that user does not intend to use the VPN for an extended period of time, such as in the event of an employee's leave of absence. If you want to permanently remove a user's key, go to Revoking Users' VPN Access Permanently.
To temporarily disable a VPN user's key:
- From OpenVPN, click the Show Setting button.
- Click the VPN Clients/Sites tab, and click the VPN Clients tab.
- In the row that corresponds to the user, clear the Enabled check box, and click the Save Settings button.
Revoking Users' VPN Access Permanently
To secure your network, always disable a user's key if that user loses a laptop on which a key is installed. To revoke a user's VPN access, you must disable the user's key; the user then needs to reinstall the VPN client and key. This procedure removes a user from a VPN Site or VPN Client, revokes the user's certificate, and permanently invalidates the key that was previously issued to the user.
If you want to temporarily remove a user's key, go to Revoking Users' VPN Access Temporarily.
To permanently disable a VPN user's key:
- From OpenVPN, click the Show Setting button.
- Click the VPN Clients/Sites tab, and click the VPN Clients tab.
- In the row that corresponds to the user, delete the user's account.
- Create a new user account with the same parameters. Go to VPN Site or VPN Client.
- Distribute the client and key. Go to Distributing Keys and OpenVPN Client.
About OpenVPN Event Logs
Use the following terms and definitions to understand the OpenVPN Event Log:
- start time: The time the connection was established.
- end time: The time the connection was terminated.
- client name: The name of the connection's client.
- client address: The IP address of the connection's client.
- Kbytes sent: The number of kilobytes that have been sent on the connection.
- Kbytes received: The number of kilobytes that have been received on the connection.
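As an added example (not Untangle's code), the following Python reads event-log rows with the six columns defined above, totals traffic per client, and flags the one pattern worth watching for given the page's caution about lost keys: the same client name connected from two different addresses at the same time. The tab-separated layout, the sample rows and the function names are constructed for this example; Untangle presents the event log in its GUI, not in this format.

```python
# Added example, not Untangle's code: summarise OpenVPN event-log rows using
# the column meanings the page defines. The tab-separated layout and the
# sample rows are constructed for this example; Untangle shows the log in
# its GUI, not in this format.
from datetime import datetime

# Constructed sample rows: start time, end time, client name,
# client address, Kbytes sent, Kbytes received.
SAMPLE_LOG = (
    "2008-05-01 08:02:10\t2008-05-01 17:30:55\temma-laptop\t203.0.113.8\t1820\t9440\n"
    "2008-05-01 09:15:00\t2008-05-01 09:47:12\tsan_mateo_sales_office\t198.51.100.20\t530\t2210\n"
    "2008-05-01 12:40:03\t2008-05-01 13:05:41\temma-laptop\t192.0.2.77\t95\t310\n"
)

FIELDS = ("start time", "end time", "client name", "client address",
          "Kbytes sent", "Kbytes received")


def parse_event_log(text):
    """One dict per session; times become datetimes, byte counts ints."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns: {line!r}")
        row = dict(zip(FIELDS, values))
        for key in ("start time", "end time"):
            row[key] = datetime.strptime(row[key], "%Y-%m-%d %H:%M:%S")
        for key in ("Kbytes sent", "Kbytes received"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def traffic_per_client(rows):
    """Total kilobytes sent/received and session count per client name."""
    totals = {}
    for row in rows:
        t = totals.setdefault(row["client name"],
                              {"sessions": 0, "Kbytes sent": 0, "Kbytes received": 0})
        t["sessions"] += 1
        t["Kbytes sent"] += row["Kbytes sent"]
        t["Kbytes received"] += row["Kbytes received"]
    return totals


def overlapping_sessions(rows):
    """Same client name connected from two different addresses at the same
    time. One client key belongs on one machine, so two simultaneous
    sessions from different addresses is the symptom to check when a key
    may have been copied or a laptop lost (see the caution on lost keys)."""
    hits = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            same_client = a["client name"] == b["client name"]
            different_addr = a["client address"] != b["client address"]
            overlap = a["start time"] < b["end time"] and b["start time"] < a["end time"]
            if same_client and different_addr and overlap:
                hits.append((a["client name"], a["client address"], b["client address"]))
    return hits


if __name__ == "__main__":
    sessions = parse_event_log(SAMPLE_LOG)
    for client, t in traffic_per_client(sessions).items():
        print(client, t)
    for client, addr1, addr2 in overlapping_sessions(sessions):
        print(f"WARNING: {client} connected from {addr1} and {addr2} at the same time")
```

When the check fires, the procedure the page gives under Revoking Users' VPN Access Permanently is the response: a key that is in use in two places at once cannot be trusted, and temporarily clearing the Enabled check box is only appropriate while you confirm which session is legitimate.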