
OpenVPN FAQs

From UntangleWiki


Can I install the OpenVPN client that came with Untangle Server on Vista and Windows 7 operating systems?

Yes! The OpenVPN client that Untangle bundles with the Untangle server has been upgraded for compatibility with Vista, both 32-bit and 64-bit versions. Please note that you might need to log in to the Vista machine as the administrator or disable UAC. To disable UAC, please check out this URL: [1]

What operating systems does OpenVPN support?

OpenVPN supports the following operating systems:

  • Windows 2000/XP and higher
  • Linux
  • OpenBSD
  • FreeBSD
  • NetBSD
  • Mac OS X
  • Solaris

I started OpenVPN and my network died. Why?

The most common cause is that the address pool assigned to VPN users is in the same address range used by LAN users. Unless your LAN uses addresses that are in the default VPN address pool, leave the VPN address pool as is. Otherwise, change the pool as needed to make sure the two ranges are different. For more information, go to Prepare To Configure Your VPN Server.

Why is the hostname not resolving for VPN users?

If you mapped a hostname to an IP address so that VPN users can reach that network resource by hostname, but those users can reach it only by IP address, you probably didn't select the export DNS check box when you mapped the hostname to the IP address, as outlined in Mapping Computer Hostnames To IP Addresses.

What does Warning...files...no longer available... mean?

If you receive the following message when you try to download the VPN Client:

Warning The files that you requested are no longer available, please contact your network administrator for more information

...your VPN Client key is no longer valid. Ask your Untangle Server administrator to resend the VPN Client key.

Why does OpenVPN provide a default IP address pool that is incompatible with my network?

As discussed in Configuring Untangle Server as a VPN Server, Untangle Client provides a default IP address pool (also known as virtual IP addresses). Accept the default. By design, this default IP address pool does not match your current network's IP address scheme, ensuring that remote VPN clients do not conflict with non-VPN clients on the same network.

How do I set up OpenVPN Server if my Untangle Server is behind another router?

Use port forwarding to enable users outside to connect to the VPN Server. Do the following:

  1. Add a redirect or port forward from UDP port 1194 on some external IP to port 1194 on the Untangle Server. Go to Redirecting External and Internal Traffic.
  2. Configure OpenVPN to use the correct public external IP. (It may be necessary to redistribute your client configurations after making this change.)
    • If you have a hostname that resolves in DNS to the external IP, configure Untangle Server to use that hostname: Config > Administration > Public Address and select 'Use Hostname.'
    • If you do not have a hostname that resolves externally, configure Untangle Server to use the external IP: Config > Administration > Public Address and choose 'Use a Manually Specified IP.'

If a user or site loses a secure key, how do I disable the old key and issue a new one?

When you remove a user from a VPN Site or VPN Client, you revoke that user's certificate and invalidate the key that was previously issued to that user. To permanently revoke a user's key, go to Revoking Users' VPN Access Permanently.

Can I administer an Untangle Server over a VPN connection?

Yes. To administer the Untangle Server, you must include the internal address of the system in one of the Exported hosts/networks. The entry can be either of the following:

  • A single entry that contains the IP address with a 255.255.255.255 netmask. For example, 192.168.1.1/255.255.255.255.
  • An entry that contains a network that includes the IP address. For example, 192.168.1.0/255.255.255.0.
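
The two address checks described in this FAQ (the VPN address pool must not overlap the LAN, and the server's internal address must fall inside an exported entry) can be verified before the configuration is rolled out. The following Python is an added example, not Untangle code; the function names and both sample pools are assumptions made for illustration.

```python
import ipaddress

def parse_net(entry):
    """Parse 'address/netmask' (the notation used above) or CIDR text."""
    # strict=False lets a host address with a wider mask normalise to its network.
    return ipaddress.ip_network(entry.strip(), strict=False)

def pool_conflicts(vpn_pool, lan_networks):
    """Return the LAN entries whose range overlaps the VPN address pool."""
    pool = parse_net(vpn_pool)
    return [lan for lan in lan_networks if pool.overlaps(parse_net(lan))]

def admin_export(server_ip, exports):
    """Return the narrowest exported network containing server_ip, or None."""
    addr = ipaddress.ip_address(server_ip)
    hits = [net for net in map(parse_net, exports) if addr in net]
    return max(hits, key=lambda net: net.prefixlen, default=None)

def check_plan(vpn_pool, lan_networks, exports, server_ip):
    """Return a list of problems; an empty list means both checks pass."""
    problems = [f"VPN pool {vpn_pool} overlaps LAN {lan}"
                for lan in pool_conflicts(vpn_pool, lan_networks)]
    if admin_export(server_ip, exports) is None:
        problems.append(f"{server_ip} is in no exported entry: "
                        "the server cannot be administered over the VPN")
    return problems

# Constructed sample plan. Only the 192.168.1.x entries echo the page's
# examples; the pools below are assumptions, not Untangle defaults.
LAN = ["192.168.1.0/255.255.255.0"]
EXPORTS = ["192.168.1.1/255.255.255.255", "192.168.1.0/255.255.255.0"]
CLASHING_POOL = "192.168.1.128/255.255.255.128"
SEPARATE_POOL = "172.16.0.0/255.255.255.0"

if __name__ == "__main__":
    for pool in (CLASHING_POOL, SEPARATE_POOL):
        print(pool, "->", check_plan(pool, LAN, EXPORTS, "192.168.1.1") or "OK")
    print("admin access granted by", admin_export("192.168.1.1", EXPORTS))
```

admin_export returns the narrowest matching entry, which shows how much of the LAN each of the two export options opens up along with the server itself.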

Can I use OpenVPN with my Mac OS X workstation?

Yes. OpenVPN supports many platforms including Mac OS X. You will need to install a VPN client on your Mac.

To install a Mac OS X VPN client:

  1. Download the Tunnelblick client at http://www.tunnelblick.net (Release Candidate 3).
  2. Unzip the download and copy the Tunnelblick application to your Applications Folder.

To configure Tunnelblick client:

  1. Download VPN configuration files from Untangle Server.
  2. Copy the config files to /Users/_USERNAME_/Library/openvpn

To start Tunnelblick client:

  1. Launch the client from the Applications folder.
  2. The icon will appear in the top right corner of the Menu Bar. Click on the icon and select Connect 'office-mv'.
  3. To view websites hosted inside the VPN you may need to do the following:
    1. Click on "Details" in the Tunnelblick menu (see image below).
    2. Check the "Set Nameserver" box (see 2nd image below).
    3. Disconnect and reconnect your VPN.

Image:TunnelblickSettings.png

Image:TunnelblickDetails.png

Can I use OpenVPN on both of my WAN connections?

No. OpenVPN will only function on your primary WAN connection.

I found this forum by searching for OpenVPN on my favorite search engine. Can I get help here?

This FAQ covers Untangle's implementation of OpenVPN. If you do not have an Untangle installation, you will need to look elsewhere for support, or maybe try us out.

My Untangle is in bridge mode. How do I set up OpenVPN?

WAN - Router/Firewall (3rd party) - Untangle (bridge mode) - LAN

First of all, this is not an ideal scenario. You will need to make some changes on your network to get this to work properly. If you are unsure and want an easier OpenVPN solution, you might want to check out this post. http://forums.untangle.com/openvpn/14129-openvpn-site-client-best-easiest-case.html

To make OpenVPN work when the Untangle is in bridge mode, you will need to make a few changes on the edge router/firewall:

  1. Port forward UDP 1194 to the Untangle.
  2. Port forward the HTTPS port (typically 443; if 443 is already in use, pick something else). It must match the HTTPS port set on the Untangle under Config > Administration.
  3. You can try this packet filter rule (this is hit and miss, and may not work for all of you). Great news! You can use this new feature: go to Config > Networking, click Advanced in the upper right-hand corner, open Packet Filter Rules, and enable the last rule.
  4. If the packet filter rule did not work for you, you will need to create a static route on your router/firewall.

Why this is needed: typically, when you have the Untangle in bridge mode, all the users on your LAN will have their gateway pointed to the router/firewall. So, when an OpenVPN user tries to connect to a server on the inside, the Untangle doesn't know how to route that traffic properly, since it is not the gateway.

I am about to set up OpenVPN. What is the best and easiest way?

http://forums.untangle.com/openvpn/14129-openvpn-site-client-best-easiest-case.html

I want to set up a site-to-site VPN. Help, please?

http://forums.untangle.com/openvpn/8578-site-site-vpn-step-step-instructions.html


When I try to send the OpenVPN client via the email option, my users do not receive the email?

First, make sure that your email settings are correct (Config > Email). Run the email test. If you receive the test email, you should be able to receive the OpenVPN client email as well.

Your other option is to directly download the client from the Untangle.

I can connect to OpenVPN, but I cannot access anything?

Many things could cause this issue. First, check whether the Windows firewall is causing it. Try pinging the Untangle's internal IP address (assuming you are not blocking ping). If you are able to ping the Untangle, the OpenVPN tunnel is up and functional. (more to come)

I can access resources via the IP address, but I want to access them by name?

This depends on which system is doing the DNS on the network. If you have an internal DNS server, you will need to go into the advanced tab of OpenVPN, checkmark the export DNS option, and enable the DNS Override. Input the IP address of the DNS server. You will need to use the FQDN.

  • You might also try flushing your DNS cache; on Windows, the command is ipconfig /flushdns


Can I use a third-party product like DD-WRT to connect?

Currently, this is unsupported. We only support OpenVPN running on the Untangle platform.

Does OpenVPN support IPsec, PPTP, or any other types of VPN?

Currently, the OpenVPN implementation on the Untangle is based on SSL.

I need more help, what are my options?

OpenVPN is part of our Open Source package. If you have our paid package that includes support, please contact us via email or by calling us. We do not offer pay-per-incident support at this time.

Free support is available via this forum or wiki.untangle.com

I have the Multi-WAN, does the OpenVPN work if my WAN fails?

Not at this time. Currently, OpenVPN only works with the primary WAN.

I would like to restrict access to certain OpenVPN users?

Exported addresses/hosts in OpenVPN are for everyone. If you want individual control, you need to use the firewall module.

My OpenVPN user is connected remotely. Can I force all the traffic through the VPN tunnel so that it can be filtered by the web filter, spyware filter, etc.?

Untangle's implementation of OpenVPN uses split tunneling. Only the VPN traffic will traverse the tunnel, and non-VPN traffic will go out its normal way.

I know that the native OpenVPN supports full tunneling like PPTP; however, Untangle does not support this option.

Scenario: Multi-site VPN with site A (server side), B (client), and C (client). Software clients have also been added to the OpenVPN server at site A. A, B, and C can talk to each other because you are exporting A, B, and C's networks under exported hosts/networks. The software clients can only talk to A; however, you want them to communicate with all sites.

If you want the software clients to also talk to B and C, you will need to add the address pool of the software clients to the exported hosts/networks.


My OpenVPN site-to-site VPN is set up correctly, but it is unable to pass traffic?

This is a very rare case; however, it does happen from time to time. If you have site A with 1.2.3.4 and site B with 1.2.3.5, site-to-site VPN will not work, since both of them are in the same subnet or their gateways are the same. In order for the site-to-site VPN to work, each location needs to be completely different from the other location. You might need to ask your ISP to change one of your locations' IPs to a different subnet.

Is there a way to set up a password for the OpenVPN users?

Yes, if you right click on the OpenVPN icon on the client's PC, there is an option for a password. This is the password to launch the OpenVPN client to connect.


OK, I have read all the FAQs and I want to ask a question. What is the best way?

If you have the paid support subscription, please email or call us. If you do not have the paid support subscription, please use our forums at forums.untangle.com. If you provide the following info, it will be much faster and easier to troubleshoot. The more information the better, for example:

  • Site to Site or Site to Client VPN:
  • Untangle version:
  • Router mode or Bridge mode:
  • OpenVPN client's OS:
  • What issues are you experiencing or briefly describe the issue: