Difference between revisions of "OpenVPN FAQs"

From Edge Threat Management Wiki - Arista
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[Category:FAQs]]
− === What operating systems are supported? ===
+ === Download Links ===
− OpenVPN supports most operating system.
+ OpenVPN supports most operating systems. Download the appropriate client from the links below.
+ 
+ Deployment instructions are here: [https://support.untangle.com/hc/en-us/articles/206259537 Configure and deploy OpenVPN Clients for remote users]

==== Microsoft Windows ====
− You can download the Windows client from here: [https://openvpn.net/client-connect-vpn-for-windows/ https://openvpn.net/client-connect-vpn-for-windows/]. After installing the OpenVPN client, you can import the OpenVPN profile into the client.
+ You can download the Windows client from here: [https://openvpn.net/community-downloads/ https://openvpn.net/community-downloads/].
− ==== Apple Mac ====
− For Macs, we suggest [https://code.google.com/p/tunnelblick http://code.google.com/p/tunnelblick tunnelblick]
+ ==== Apple macOS ====
+ 
+ You can download the macOS client here: [https://openvpn.net/client-connect-vpn-for-mac-os/ https://openvpn.net/client-connect-vpn-for-mac-os/]
− # Download and install an OpenVPN client for macOS
− # Login to the NG Firewall server, download the client config file zip and extract the files from the zip file.
− # Place it in the ~/Library/Application Support/Tunnelblick/Configurations folder on the Mac.
− # Run Tunnelblick by double-clicking its icon in the Applications folder.

==== Linux ====
− For all other operating systems NG Firewall distributes a .zip with configuration and certificate files - these can be used with any OpenVPN-compatible VPN software on any operating system.
+ A Linux client is available here: [https://openvpn.net/openvpn-client-for-linux/ https://openvpn.net/openvpn-client-for-linux/]

==== Chrome OS ====

Line 28: Line 28:
https://support.untangle.com/hc/en-us/articles/207304818-Deploy-the-OpenVPN-Client-to-a-Chromebook
− === Can I use it with my phone or tablet? ===
− For smartphones, you'll need to install and run a VPN client that supports OpenVPN.
− ==== iOS based iPhones and iPads ====
+ ==== iOS Mobile Devices ====
[[File:Ios-openvpn.png|200px|thumb]]
For iPhones, we suggest OpenVPN Connect available on iTunes https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
# Install OpenVPN Connect app on your iPhone or iPad.
− # Login to the NG Firewall server, download the client config file by selecting "client's configuration zip for other OSs".
+ # Login to the NG Firewall server, download the client config file by selecting "client configuration zip for other OSs".
# Unzip the config file.
# Open iTunes and select the .ovpn, .crt, and .key files from the config zip to add to the app on your iPhone or iPad.

Line 48: Line 43:
[[File:Openvpn-ios-add-files.jpg|200px|thumb]]
− ==== Android Based Phones ====
+ 
+ ==== Android Mobile Devices ====
[[File:Openvpn-on-android.png|200px|thumb]]
− OpenVPN for Android 4.0+ is available for connecting to NG Firewall OpenVPN. Detailed instructions from our forum contributor WebFool. http://forums.untangle.com/openvpn/30472-openvpn-android-4-0-a.html
+ You can download the OpenVPN Connect client app from the Google Play Store: [https://play.google.com/store/apps/details?id=net.openvpn.openvpn https://play.google.com/store/apps/details?id=net.openvpn.openvpn]
− # Download/Install Openvpn for Android on your android unit.
+ 
− ## https://play.google.com/store/apps/details?id=net.openvpn.openvpn
+ == Other FAQs ==
− # Then download the Openvpn Configuration files from the NG Firewall.
− # Unzip them and copy them to the Phone/SDcard.
− # Now Open "Openvpn for Android"
− # Click "All your precious VPNs"
− # In the top right corner Click on the folder.
− # Browse to the folder where you have the OpenVPN .Conf file. Click on the file and hit Select
− # Then in the top right corner hit the little Floppy disc Icon to save the import.
− # Now you should see "imported profile" click on it to connect to the tunnel.
=== With OpenVPN, can I force all network traffic through the VPN tunnel? ===
− Yes, you can run "Full Tunnel" which forces all internet-bound traffic to go through the VPN and out the NG Firewall on the remote end (and is subject to all filtering). If running as a "Split Tunnel" where ''Full Tunnell'' is not checked only traffic to exported networks only will go through the VPN.
+ Yes, you can run "Full Tunnel" which forces all internet-bound traffic to go through the VPN and out the NG Firewall on the remote end (and is subject to all filtering). If running as a "Split Tunnel" (where ''Full Tunnel'' is not checked) only traffic to exported networks will go through the VPN.
+ 
=== Can I still use OpenVPN if my NG Firewall does not have a public IP? ===

Line 75: Line 64:
# Port forward UDP port 1194 from your router to the NG Firewall server. This will allow remote clients to connect to NG Firewall even though it doesn't have a public IP.
# Configure your public address in [[Config]] > [[Network]] > [[Hostname]]. This is the address in the distributed clients that remote clients and networks will attempt to connect to.
+ 
=== Can I use OpenVPN on both of my WAN connections? ===
− Yes. The client chooses which WAN to connect to; the server will answer via the same WAN the client connected on. The client chooses based on your configuration of Public Address. If the Public Address fails it will then try the IPs of the WANs manually as configured in the conf file.
+ Yes. The client chooses which WAN to connect to; the server will answer via the same WAN the client connected on. The client chooses based on your configuration of Public Address. If the Public Address fails it will then try the IPs of the WANs manually as configured in the .conf file.
− === Is there a way to setup a password for the OpenVPN users? ===
+ === Is there a way to set up a password for the OpenVPN users? ===
− Yes, if you right click on the OpenVPN icon on the client's PC there is an option for a password - please note this password is only used when launching the client.
+ Yes, if you right-click on the OpenVPN icon on the client's PC there is an option for a password. Please note this password is only used when launching the client.
=== OpenVPN connects, however I can not access anything. Why is this? ===
− Many things could cause this issue. First verify that the hosts that you are trying to reach are exported in ''Exported Networks.'' After connecting OpenVPN, try to ping NG Firewall's LAN IP address (if exported), then try to bring up the UI by entering the IP in a browser. If these work your tunnel is up and operational. If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine as it will block access from non-local subnets by default. If the target machine runs another OS, verify it is either using NG Firewall as a gateway or the machine its using as a gateway has a static route sending the VPN Address Pool to the NG Firewall.
+ Many things could cause this issue. First verify that the hosts that you are trying to reach are exported in ''Exported Networks.'' After connecting OpenVPN, try to ping NG Firewall's LAN IP address (if exported), then try to bring up the UI by entering the IP in a browser. If these work, your tunnel is up and operational. If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine as it will block access from non-local subnets by default. If the target machine runs another OS, verify it is either using NG Firewall as a gateway or the machine its using as a gateway has a static route sending the VPN Address Pool to the NG Firewall.
+ 
=== How can I restrict access to certain OpenVPN users? ===
− By default, openvpn users can connect to any machine that the NG Firewall can connect to. However, routes are pushed to all the "Exported" network automatically. Beware, nothing prevents adding remote users that have administrator access to their machines to add routes manually.
+ By default, OpenVPN users can connect to any machine that the NG Firewall can connect to. However, routes are pushed to all the "Exported" network automatically. Be aware that nothing prevents remote users who have administrator access to their machines from adding routes manually.
− If restricting access to OpenVPN users is a concern, [[Firewall]] rules or [[Filter Rules#Forward Filter Rules|Filter Rules]] can be used. In the [[Firewall]], the easiest way is to create a block rule blocking traffic when ''Source Interface'' == ''OpenVPN''. Above that rule create rules to allow traffic when ''Username'' is the openvpn user you want to allow to the desired locations. In this scenario openvpn traffic will be blocked into your network except for explicitly allowed traffic.
+ If restricting access to OpenVPN users is a concern, [[Firewall]] rules or [[Filter Rules#Forward Filter Rules|Filter Rules]] can be used. In the [[Firewall]] app, the easiest way is to create a block rule blocking traffic when ''Source Interface'' == ''OpenVPN''. Above that rule, create rules to allow traffic when ''Username'' is the OpenVPN user you want to allow to the desired locations. In this scenario OpenVPN traffic will be blocked into your network except for explicitly allowed traffic.
Using rules you can limit access to certain resources to only the desired remote users.
− === Can I create site-to-site tunnels with non-Untangle devices? ===
− When using OpenVPN for site-to-site tunnels Untangle only supports using other Untangle boxes as endpoints. Some users have had success with DD-WRT and Tomato, but this is not supported by Untangle. If you need to connect a VPN tunnel to a non-Untangle device, we recommend using [[IPsec VPN]].
+ === Can I create site-to-site tunnels with non-NG Firewall devices? ===
+ 
+ When using OpenVPN for site-to-site tunnels we only support using other NG Firewall endpoints. Some users have had success with DD-WRT and Tomato, but this is not supported by the Support team. If you need to connect a VPN tunnel to an endpoint that isn't another Arista ETM device, we recommend using [[IPsec VPN]].

Line 110: Line 102:
=== How can I allow software clients to resolve DNS over the tunnel? ===
− To allow DNS resolution for remote clients you'll need to modify some OpenVPN settings - if Untangle is doing DNS resolution on your network, simply check '''Push DNS''' in '''OpenVPN Settings > Server > Groups > Group Name''' for any groups you want to push DNS settings to. Configure the DNS settings you would like pushed to the remote clients. You may need to use the [http://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN] when accessing resources across the tunnel.
+ To allow DNS resolution for remote clients you'll need to modify some OpenVPN settings - if NG Firewall is doing DNS resolution on your network, simply check '''Push DNS''' in '''OpenVPN Settings > Server > Groups > Group Name''' for any groups you want to push DNS settings to. Configure the DNS settings you would like pushed to the remote clients. You may need to use the [http://en.wikipedia.org/wiki/Fully_qualified_domain_name FQDN] when accessing resources across the tunnel.

Line 140: Line 132:
=== Clients are getting disconnected after 60 seconds. Why? ===
− Did you share the same client config between multiple machines. If both are running they will conflict. When the second one connects the first is disconnected. After 60 seconds the first will reconnect and disconnect the second. This repeats endlessly. Do not share the same client config with multiple machines.
+ Did you share the same client config between multiple machines? If both are running simultaneously, they will conflict: when the second connects the first is disconnected. After 60 seconds, the first will reconnect and disconnect the second. This repeats endlessly. Do not share the same client config with multiple machines.

Line 146: Line 138:
Make sure that the IP that the client is connecting to is the public IP of the server, or that the traffic to that IP on port 1194 is being forwarded to your server. Also make sure you are testing from the outside. By default the [[Access Rules]] block OpenVPN clients from connecting to a server from one of its own LANs. This is to prevent clients from losing connectivity while on the local network because of a routing loop.
− === How do load a 9.4.x (server) remote network client zip on a 10.x Untangle (client) ===
− 9.4.2 site-to-site client zip will load on 10.x without modifications. 10.x has built-in converters to load 9.4 configuration zip files.
− === How do load a 10.0 and later (server) remote network client zip on a 9.4.x Untangle (client) ===
− The directory structure of the client config zip has changed in 10.0. This means 9.4 Untangle instances will not load 10.0 and later config zip files correctly. The workaround is to modify the 10.0+ zip file to the 9.4 directory structure.
− '''Modify OpenVPN config zip file for use on 9.4 instances'''
− # Download client config zip from 10.0 OpenVPN server.
− # Unzip the config zip.
− # The directory structure is
− #* openvpn-<name of untangle>-config
− #** untangle-vpn
− #*** untangle-<random number>.conf
− #*** untangle-<random number>.ovpn
− #*** key            '''''<--- rename this directory to untangle-vpn'''''
− #**** untangle-<random number>-<name of untangle>.crt
− #**** untangle-<random number>-<name of untangle>.key
− #**** untangle-<random number>-<name of untangle>-ca.crt
− # Modify untangle-<random number>.conf and untangle-<random number>.ovpn files
− #* '''''Change the following lines:'''''
− #** cert key/untangle-4855-FortWayne.crt
− #** key key/untangle-4855-FortWayne.key
− #** ca key/untangle-4855-FortWayne-ca.crt
− #* '''''To:'''''
− #** cert untangle-vpn/untangle-4855-FortWayne.crt
− #** key untangle-vpn/untangle-4855-FortWayne.key
− #** ca untangle-vpn/untangle-4855-FortWayne-ca.crt
− # Rezip the directory structure from the top untangle-vpn folder
− # Import this new remote openVPN client config file to the 9.4 Untangle in VPN client mode.
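The 10.0-to-9.4 zip restructuring that this revision removed ("Modify OpenVPN config zip file for use on 9.4 instances", above) as an added Python example, not code from the wiki or from NG Firewall: it renames the key directory to untangle-vpn, rewrites the ca/cert/key directives in the .conf and .ovpn files, and re-zips with the contents of the top untangle-vpn folder as the archive root (that reading of "rezip from the top untangle-vpn folder" is an assumption). The sample archive, its entry names and the placeholder certificate bodies are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Optional

# Constructed sample config using the file names from the wiki's example;
# not a real export, and the certificate bodies written below are placeholders.
SAMPLE_CONF = (
    "client\n"
    "cert key/untangle-4855-FortWayne.crt\n"
    "key key/untangle-4855-FortWayne.key\n"
    "ca key/untangle-4855-FortWayne-ca.crt\n"
)


def build_sample_zip() -> bytes:
    """Build an in-memory zip with the 10.0 layout described on the page."""
    buf = io.BytesIO()
    base = "openvpn-FortWayne-config/untangle-vpn/"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(base + "untangle-4855.conf", SAMPLE_CONF)
        zf.writestr(base + "untangle-4855.ovpn", SAMPLE_CONF)
        for fname in ("untangle-4855-FortWayne.crt", "untangle-4855-FortWayne.key",
                      "untangle-4855-FortWayne-ca.crt"):
            zf.writestr(base + "key/" + fname, "PLACEHOLDER-NOT-A-REAL-CERT\n")
    return buf.getvalue()


def rewrite_config(text: str) -> str:
    """Point the ca/cert/key directives at untangle-vpn/ instead of key/."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(ca|cert|key)\s+key/(\S+)\s*$", line)
        if m:
            line = "{} untangle-vpn/{}".format(m.group(1), m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"


def relocate(name: str) -> Optional[str]:
    """Map a 10.0 entry path to its 9.4 path; None if outside the expected layout."""
    parts = name.split("/")
    # Expect openvpn-<name>-config/untangle-vpn/<rest>; the 9.4 archive root
    # becomes the contents of that top untangle-vpn folder (assumption).
    if len(parts) < 3 or parts[1] != "untangle-vpn":
        return None
    rest = parts[2:]
    if rest[0] == "key":  # the key directory is renamed to untangle-vpn
        rest[0] = "untangle-vpn"
    return "/".join(rest)


def convert_zip(src: bytes) -> bytes:
    """Return the 9.4-layout zip; fail loudly on any entry that is not recognised."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src)) as zin, zipfile.ZipFile(out, "w") as zout:
        for info in zin.infolist():
            if info.is_dir():
                continue
            new_name = relocate(info.filename)
            if new_name is None:
                raise ValueError("unexpected entry in config zip: " + info.filename)
            data = zin.read(info)
            if new_name.endswith((".conf", ".ovpn")):
                data = rewrite_config(data.decode("utf-8")).encode("utf-8")
            zout.writestr(new_name, data)
    return out.getvalue()


def list_entries(zip_bytes: bytes) -> List[str]:
    """Sorted entry names of a zip, for inspection."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(zf.namelist())


def read_entry(zip_bytes: bytes, name: str) -> str:
    """Text content of one zip entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name).decode("utf-8")
```

Run `convert_zip(build_sample_zip())` and inspect the result with `list_entries` and `read_entry`; on a real export, pass the downloaded zip's bytes instead of the constructed sample.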
 

Latest revision as of 21:02, 22 September 2022


Download Links

OpenVPN supports most operating systems. Download the appropriate client from the links below.

Deployment instructions are here: Configure and deploy OpenVPN Clients for remote users


Microsoft Windows

You can download the Windows client from here: https://openvpn.net/community-downloads/.


Apple macOS

You can download the macOS client here: https://openvpn.net/client-connect-vpn-for-mac-os/


Linux

A Linux client is available here: https://openvpn.net/openvpn-client-for-linux/


Chrome OS

Steps to install OpenVPN on Chrome OS devices:

https://support.untangle.com/hc/en-us/articles/207304818-Deploy-the-OpenVPN-Client-to-a-Chromebook


iOS Mobile Devices

[Screenshot: Ios-openvpn.png]

For iPhones, we suggest OpenVPN Connect available on iTunes https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8

  1. Install the OpenVPN Connect app on your iPhone or iPad.
  2. Log in to the NG Firewall server and download the client config file by selecting "client configuration zip for other OSs".
  3. Unzip the config file.
  4. Open iTunes and select the .ovpn, .crt, and .key files from the config zip to add to the app on your iPhone or iPad.
[Screenshot: Openvpn-ios-add-files.jpg]


Android Mobile Devices

[Screenshot: Openvpn-on-android.png]

You can download the OpenVPN Connect client app from the Google Play Store: https://play.google.com/store/apps/details?id=net.openvpn.openvpn


Other FAQs

With OpenVPN, can I force all network traffic through the VPN tunnel?

Yes, you can run "Full Tunnel" which forces all internet-bound traffic to go through the VPN and out the NG Firewall on the remote end (and is subject to all filtering). If running as a "Split Tunnel" (where Full Tunnel is not checked) only traffic to exported networks will go through the VPN.


Can I still use OpenVPN if my NG Firewall does not have a public IP?

Sometimes NG Firewall is installed behind another router (typically as a bridge). You can still run OpenVPN, however you will need to make some additional changes so remote clients can connect to the server:

  1. Port forward UDP port 1194 from your router to the NG Firewall server. This will allow remote clients to connect to NG Firewall even though it doesn't have a public IP.
  2. Configure your public address in Config > Network > Hostname. This is the address embedded in the distributed client configurations that remote clients and networks will attempt to connect to.


Can I use OpenVPN on both of my WAN connections?

Yes. The client chooses which WAN to connect to; the server will answer via the same WAN the client connected on. The client chooses based on your configuration of Public Address. If the Public Address fails, it will then try the WAN IPs as configured in the .conf file.


Is there a way to set up a password for the OpenVPN users?

Yes, if you right-click on the OpenVPN icon on the client's PC there is an option for a password. Please note this password is only used when launching the client.


OpenVPN connects, but I cannot access anything. Why is this?

Many things could cause this issue. First verify that the hosts you are trying to reach are exported in Exported Networks. After connecting OpenVPN, try to ping NG Firewall's LAN IP address (if exported), then try to bring up the UI by entering the IP in a browser. If these work, your tunnel is up and operational. If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine, as it will block access from non-local subnets by default. If the target machine runs another OS, verify that it is either using NG Firewall as its gateway or that the machine it is using as a gateway has a static route sending the VPN Address Pool to the NG Firewall.


How can I restrict access to certain OpenVPN users?

By default, OpenVPN users can connect to any machine that the NG Firewall can connect to. However, routes to all "Exported" networks are pushed automatically. Be aware that nothing prevents remote users who have administrator access to their machines from adding routes manually.

If restricting access to OpenVPN users is a concern, Firewall rules or Filter Rules can be used. In the Firewall app, the easiest way is to create a block rule blocking traffic when Source Interface == OpenVPN. Above that rule, create rules to allow traffic when Username is the OpenVPN user you want to allow to the desired locations. In this scenario OpenVPN traffic will be blocked into your network except for explicitly allowed traffic.

Using rules you can limit access to certain resources to only the desired remote users.


Can I create site-to-site tunnels with non-NG Firewall devices?

When using OpenVPN for site-to-site tunnels we only support using other NG Firewall endpoints. Some users have had success with DD-WRT and Tomato, but this is not supported by the Support team. If you need to connect a VPN tunnel to an endpoint that isn't another Arista ETM device, we recommend using IPsec VPN.


I'm using site-to-site and my software clients can only talk to the main server. Why?

If you have both software clients on the road and site-to-site tunnels, the software clients will only be able to see your main site by default. To allow them to transit the tunnel(s) to other sites, simply add the VPN Address Pool to the Exported Hosts and Networks. After this is done, software clients will be able to reach all exported sites.


How can I allow software clients to resolve DNS over the tunnel?

To allow DNS resolution for remote clients you'll need to modify some OpenVPN settings. If NG Firewall is doing DNS resolution on your network, simply check Push DNS in OpenVPN Settings > Server > Groups > Group Name for any groups you want to push DNS settings to, then configure the DNS settings you would like pushed to the remote clients. You may need to use the FQDN when accessing resources across the tunnel.


How do I auto-start OpenVPN when my computer boots?

This procedure applies to Windows XP Pro, Vista and Windows 7 only. First, navigate to C:\Program Files\OpenVPN\config. This directory contains sitename.conf, sitename.ovpn and the subdirectory untangle-vpn. Identify the .ovpn file that corresponds to your site's name.

Modify OpenVPN

  1. Go to START > Control Panel > Administrative Tools > Services
  2. Right-click on OpenVPN and select Properties
  3. Change Startup Type to Automatic
  4. Click OK
  5. Close the Services window
  6. Close the Administrative Tools window
  7. Close Control Panel

Modify Registry

  1. Go to Start > Run > Regedit
  2. Navigate to: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. Locate the entry for "openvpn-gui"
  4. The command reference should say: C:\Program Files\OpenVPN\bin\openvpn-gui.exe
  5. Modify it to: C:\Program Files\OpenVPN\bin\openvpn-gui.exe --connect sitename.ovpn, where sitename is the name used for your specific site.
  6. Modify the following registry value to 1: HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\allow_service
  7. Exit RegEdit

When the machine restarts, the user will automatically be connected with the VPN client.


Clients are getting disconnected after 60 seconds. Why?

Did you share the same client config between multiple machines? If both are running simultaneously, they will conflict: when the second connects the first is disconnected. After 60 seconds, the first will reconnect and disconnect the second. This repeats endlessly. Do not share the same client config with multiple machines.


I'm setting up a new client and can't connect. Why?

Make sure that the IP that the client is connecting to is the public IP of the server, or that the traffic to that IP on port 1194 is being forwarded to your server. Also make sure you are testing from the outside. By default the Access Rules block OpenVPN clients from connecting to a server from one of its own LANs. This is to prevent clients from losing connectivity while on the local network because of a routing loop.