Tunnel VPN: Difference between revisions

From Edge Threat Management Wiki - Arista
Line 123: Line 123:
=== Example: Dynamic Rules ===
=== Example: Dynamic Rules ===


Unlike most solutions, Untangle also allows for automatic dynamic adjustment of what traffic goes through the tunnel by using tags.
Unlike most solutions, NG Firewall also allows for automatic dynamic adjustment of what traffic goes through the tunnel by using tags.
Hosts can be tagged manually by tagging the appropriate device or username associated with a host, or automatically using trigger rules [[Events#Triggers]].
Hosts can be tagged manually by tagging the appropriate device or username associated with a host, or automatically using trigger rules [[Events#Triggers]].
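Review bot: the Untangle to NG Firewall rename in this hunk is not carried through to the Provider list in the Tunnels section, where the option still reads "Untangle - this is for connecting to a remote NG Firewall server"; if "Untangle" is the literal label shown in the UI, say so there, otherwise rename it as well. The unchanged link `[[Events#Triggers]]` on the last line also renders as the bare page name after "trigger rules"; a piped label such as `[[Events#Triggers|trigger rules]]` would read better.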



Latest revision as of 18:20, 3 May 2022

    Tunnel VPN



About Tunnel VPN

The Tunnel VPN service app provides secure tunnels to remote servers and services and determines which traffic on the network goes through these tunnels.

The VPN Overview article provides some general guidance of which VPN technology may be the best fit for different scenarios.

Use Cases

Tunnel VPN is used in a wide variety of configurations. Some common scenarios are described below.

Branch Offices

Organizations with one or more small branch offices can use Tunnel VPN to send all internet-bound traffic at the remote small branch through the central site for security and filtering. This alleviates the need to actively manage the security and filtering configuration at the branch offices, and also allows for easier management at the central site as well as centralized monitoring and reporting.

Remote Security Services

There are many cloud-based security services or Cloud Access Security Brokers (CASB) that enforce policy on, and secure, network traffic as it transits from the local infrastructure to the internet.

Tunnel VPN can be configured to send traffic, either in total or selectively, to the desired cloud services. For example, Tunnel VPN can send all port 25 (SMTP) traffic through a specific tunnel to a cloud email archiving service. Alternatively you could send DNS, web, or even all traffic through dedicated cloud services.

SD-WAN

SD-WAN (software-defined networking) type deployments often need to maintain several tunnels to dedicated CASBs or internet "exit" points. Tunnel VPN allows you to maintain connections to several cloud exit points and prioritize the tunnels so that if one tunnel goes down the next available tunnel is used.

When combined with WAN Failover and WAN Balancer this provides an easy way to ensure the network is always online and the best possible tunnel is being used for connectivity, regardless of cloud services going up or down or individual ISPs or internet connections being up or down.

Privacy

Tunnel VPN can connect to other NG Firewall services or most Privacy VPN services (like NordVPN, ExpressVPN, Private Internet Access, and so on).

Many countries have imposed limits or monitoring on "forbidden" content. This can range from content expressing certain political views, information on historical events, region-locked content, unapproved types of entertainment, or copyrighted material. Also many locations do not have access to ISPs (or governments) that respect net-neutrality.

For these locations, Tunnel VPN can provide safe encrypted passage to a location that supports a freer internet and supports net neutrality. Rules can either statically determine what traffic goes through a tunnel (specific hosts or ports) or can dynamically shift which traffic uses the tunnel using tags. For example, a host can be switched to using a tunnel once Skype or Bittorrent usage is detected.

Settings

This section reviews the different settings and configuration options available for Tunnel VPN.

Status

The Status tab shows the on/off status of Tunnel VPN.

Tunnels

The Tunnels tab configures the encrypted tunnels to remote servers/services.

To add a new tunnel, simply click the Add button at the top.

  • Enabled - If checked, this tunnel is enabled. If not enabled it will not connect and will not be active.
  • Tunnel Name - A unique name for the tunnel.
  • Provider - this is the remote service/provider. Select the appropriate option for the remote service.
    • Untangle - this is for connecting to a remote NG Firewall server
    • NordVPN - this is for connecting to NordVPN at [nordvpn.com]
    • ExpressVPN - this is for connecting to ExpressVPN at [expressvpn.com]
    • Custom zip file - used for any remote service that supplies a zip file with an OpenVPN configuration inside
    • Custom zip file with username/password - used for any remote service that supplies a zip file with an OpenVPN configuration inside and also requires a valid username and password
    • Custom ovpn file - used for any remote service that supplies an ovpn file
    • Custom ovpn file with username/password - used for any remote service that supplies an ovpn file and also requires a valid username and password
    • Custom conf file - used for any remote service that supplies an OpenVPN conf file
    • Custom conf file with username/password - used for any remote service that supplies an OpenVPN conf file and also requires a valid username and password
  • Select VPN Config File - this button uploads the zip/conf/ovpn file
  • Username - specifies the username (if required)
  • Password - specifies the password (if required)

First, provide a name and choose the remote provider type. After choosing the provider type the instructions will describe how to configure the rest of the fields.

On save, all enabled tunnels will attempt to connect to the remote services. The log can be viewed on the Log tab.

Rules

Rules control what traffic is routed through the tunnels. The Tunnel VPN rules are run before any WAN Balancer rules are evaluated and before the routing table is consulted. If a Tunnel VPN rule matches and the tunnel is active the traffic will exit through the tunnel regardless of the WAN Balancer or routing configuration. In other words Tunnel VPN takes precedence over any other routing configuration.

The Rules documentation describes how rules work and how they are configured. As with all rules, rules are evaluated in order and the action is taken from the first matching rule.

IMPORTANT: Unlike most rules, if the first matching rule has the action Destination Tunnel set to 'tunnel-example' but 'tunnel-example' is currently not online, evaluation continues to the next rule. This makes it easy to configure an order of preference among tunnels.

Example: Static Rules

  • If all of the following conditions are met:
    • Destination Port is 25
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1

This will route all port 25 traffic through tunnel-1. If tunnel-1 is offline, traffic will be routed normally.

Example: Preference Order

  • Rule 1: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-1'
  • Rule 2: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-2'
  • Rule 3: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-3'

Then traffic will always route to tunnel-1. If tunnel-1 is not available it will route to tunnel-2. If tunnel-2 is not available it will route to tunnel-3. If tunnel-3 is not available it will route normally.

Example: Dynamic Rules

Unlike most solutions, NG Firewall also allows for automatic dynamic adjustment of what traffic goes through the tunnel by using tags. Hosts can be tagged manually by tagging the appropriate device or username associated with a host, or automatically using trigger rules Events#Triggers.

For example, if you'd like a host using Bittorrent to be routed automatically through the tunnel, add a trigger rule to tag hosts detected as using Bittorrent (an example is there by default) and then add the following Tunnel VPN rule:

  • If all of the following conditions are met:
    • Client Tagged is bittorrent-use
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1

This will route any hosts tagged "bittorrent-use" through "tunnel-1". The trigger rule will ensure that any host detected using Bittorrent will automatically be tagged so that each session after the detection will go through the tunnel.

Example: Multiple Triggers

If there are many scenarios in which a host should be routed through a tunnel, you can configure multiple triggers. For example, you can configure the following trigger rules:

  • If host is using Skype, tag host "tunnel" expires in 10 minutes
  • If host is accessing craigslist, tag host "tunnel" expires in 10 minutes
  • If host is accessing "Gaming" category website, tag host "tunnel" expires in 10 minutes

Then add the following Tunnel VPN Rule:

  • If all of the following conditions are met:
    • Client Tagged is tunnel
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1

If a host does any of those actions, it will automatically be switched to the tunnel (until the tag expires, which will be 10 minutes after the specified activity stops).
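The static rule, the preference order and the tag-driven rules above all come down to the same evaluation loop: first match wins, a matching rule whose tunnel is down is skipped, and a "Client Tagged" condition reads host tags that a trigger rule set with an expiry. The following Python model is an added example and is not NG Firewall code; the tunnel names, tag names, session field names and the 600-second tag TTL are constructed for the illustration.

```python
"""Added example (not NG Firewall code): a small model of how Tunnel VPN
rules pick a destination tunnel, covering the static, preference-order and
tag-driven examples above.  It reproduces the behaviour the page describes:
rules are evaluated in order and the first match wins, except that a
matching rule whose tunnel is offline is skipped so a later rule can act as
a fallback; and a 'Client Tagged' condition consults host tags that trigger
rules set with an expiry.  Tunnel names, tag names, session field names and
the tag TTL are constructed for the example."""
import time
from dataclasses import dataclass, field


@dataclass
class Rule:
    conditions: dict   # e.g. {"dst_port": 25} or {"client_tagged": "tunnel"}
    tunnel: str        # action: Destination Tunnel


@dataclass
class HostTable:
    """Per-host tags with expiry timestamps, as a trigger rule would set them."""
    tags: dict = field(default_factory=dict)   # host -> {tag: expires_at}

    def tag(self, host, tag, ttl_seconds, now=None):
        now = time.time() if now is None else now
        self.tags.setdefault(host, {})[tag] = now + ttl_seconds

    def has_tag(self, host, tag, now=None):
        now = time.time() if now is None else now
        expires = self.tags.get(host, {}).get(tag)
        return expires is not None and expires > now


def matches(rule, session, hosts, now):
    """True when every condition of the rule holds for this session."""
    for key, wanted in rule.conditions.items():
        if key == "client_tagged":
            if not hosts.has_tag(session["client"], wanted, now):
                return False
        elif session.get(key) != wanted:
            return False
    return True


def choose_tunnel(session, rules, tunnel_online, hosts, now=None):
    """Return the tunnel the session exits through, or None for normal routing."""
    now = time.time() if now is None else now
    for rule in rules:
        if not matches(rule, session, hosts, now):
            continue
        if tunnel_online.get(rule.tunnel, False):
            return rule.tunnel
        # Matched, but the tunnel is down: fall through to the next rule,
        # which is what gives the preference-order behaviour.
    return None


def demo():
    """Walk through the page's scenarios with fixed timestamps; returns a dict."""
    hosts = HostTable()
    rules = [
        Rule({"dst_port": 25}, "tunnel-1"),             # static: SMTP via tunnel-1
        Rule({"client_tagged": "tunnel"}, "tunnel-1"),  # dynamic: tagged hosts
        Rule({"client_tagged": "tunnel"}, "tunnel-2"),  # fallback if tunnel-1 is down
    ]
    online = {"tunnel-1": False, "tunnel-2": True}
    t0 = 1_000_000.0
    smtp = {"client": "10.0.0.5", "dst_port": 25}   # constructed sessions
    web = {"client": "10.0.0.5", "dst_port": 443}
    out = {}
    out["smtp_t1_down"] = choose_tunnel(smtp, rules, online, hosts, t0)   # None
    out["web_untagged"] = choose_tunnel(web, rules, online, hosts, t0)    # None
    hosts.tag("10.0.0.5", "tunnel", 600, t0)   # trigger rule: tag expires in 10 min
    out["web_tagged"] = choose_tunnel(web, rules, online, hosts, t0)      # tunnel-2
    online["tunnel-1"] = True
    out["web_tagged_t1_up"] = choose_tunnel(web, rules, online, hosts, t0)  # tunnel-1
    out["web_tag_expired"] = choose_tunnel(web, rules, online, hosts, t0 + 601)  # None
    return out


if __name__ == "__main__":
    for name, tunnel in demo().items():
        print(f"{name}: {tunnel or 'normal routing'}")
```

Two points the walk-through makes visible: a port-25 session falls back to normal routing when tunnel-1 is down because no later rule matches it, whereas the tagged host has a second rule and so lands on tunnel-2; and once the tag expires the host silently returns to normal routing, which is why the expiry on the trigger rule matters as much as the rule itself.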

Log

This shows the raw OpenVPN log file. Beware: there are often many errors logged by OpenVPN that are not an issue.

This is useful for debugging issues if the tunnels are not initializing correctly to the service providers.

Reports

There are currently no specific reports for Tunnel VPN. However all traffic is logged with the appropriate tunnel set as the destination interface.

All reports (Application Control, Web Filter, etc.) can be viewed and filtered per tunnel by adding a Destination Interface condition where the value equals the tunnel ID.

Related Topics

  • OpenVPN
  • IPsec VPN

Tunnel VPN FAQs

My Tunnel keeps disconnecting; What can I do about it?

Different services provide different parameters for managing disconnects in the config file.

Some services often explicitly specify to not reconnect when the connection is lost. This configuration is not optimal and is likely done by the services to minimize server load.

To tune these settings, simply edit the .ovpn file (or the .ovpn file inside the zip) before uploading it to Tunnel VPN. You can change the "keepalive" setting or the "ping" and "ping-restart" settings. If none of those are specified, just adding "keepalive 10 120" will be sufficient to tell it to test the connection every 10 seconds and restart if after 120 seconds all tests fail. Similarly, if ping or ping-restart is already specified, simply replace the existing "ping" configuration with "ping 10" and the existing "ping-restart" with "ping-restart 120".
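Applying that edit by hand is easy to get wrong on a long provider file (a "keepalive" in a comment, a "ping-exit" that looks like "ping"). The following Python function is an added example, not NG Firewall or OpenVPN code: it applies exactly the rules of the answer above to the text of an .ovpn or .conf file, leaving comments and other ping-* directives alone. The sample configs are constructed for the example and the hostname in them is a placeholder.

```python
"""Added example (not NG Firewall or OpenVPN code): apply the keepalive
tuning from the FAQ answer above to the text of an .ovpn/.conf file before it
is uploaded.  Directives are matched on whole lines; comment lines ('#' or
';') are left alone, and other ping-* directives such as ping-exit are not
touched.  The sample configs below are constructed for the example."""
import re

# Matches a 'keepalive', 'ping-restart' or 'ping' directive line with optional
# arguments.  ping-restart is listed before ping, and the argument group must
# begin with whitespace, so 'ping' never matches the start of 'ping-restart'
# or 'ping-exit'.
DIRECTIVE = re.compile(r"^\s*(keepalive|ping-restart|ping)(?:\s.*)?$")


def tune_keepalive(config_text, interval=10, restart=120):
    """Return config_text with keepalive/ping/ping-restart set to the given values.

    - no keepalive, ping or ping-restart present -> 'keepalive <interval> <restart>' appended
    - 'ping N' present                             -> replaced with 'ping <interval>'
    - 'ping-restart N' present                     -> replaced with 'ping-restart <restart>'
    - 'keepalive A B' present                      -> replaced with 'keepalive <interval> <restart>'
    """
    replacement = {
        "keepalive": f"keepalive {interval} {restart}",
        "ping": f"ping {interval}",
        "ping-restart": f"ping-restart {restart}",
    }
    out, seen = [], set()
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # comment: keep verbatim
            out.append(line)
            continue
        m = DIRECTIVE.match(line)
        if m:
            seen.add(m.group(1))
            out.append(replacement[m.group(1)])
        else:
            out.append(line)
    if not seen:
        out.append(replacement["keepalive"])
    return "\n".join(out) + "\n"


# Constructed sample: a provider config that ships its own ping settings.
SAMPLE_WITH_PING = """client
dev tun
proto udp
remote vpn.example.invalid 1194
# keepalive is left to the server in this provider's template
ping 15
ping-restart 45
verb 3
"""

# Constructed sample: no connection-test directives at all.
SAMPLE_BARE = """client
dev tun
remote vpn.example.invalid 1194
"""


if __name__ == "__main__":
    print(tune_keepalive(SAMPLE_WITH_PING))
    print(tune_keepalive(SAMPLE_BARE))
```

For the zip-based provider types, extract the archive, run the function over the .ovpn inside, and re-pack it before uploading. The function replaces whichever form the provider used rather than adding "keepalive" on top of existing "ping" lines, which keeps the file to a single, consistent set of connection-test directives.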

More can be read about OpenVPN configuration here.


Can I only route certain protocols or "domains" or "sites" through the tunnel VPN?

No, routing can be done only based on the information known at the time the packet is routed. If a new connection is opened the application and many other properties of the session are not yet known, only the IPs, ports, etc.

Later, Application Control may identify the "application" or "category" and Web Filter may identify the domain or site categorization (if it's HTTP at all). However, information that is learned later cannot be used to change routing decisions that were made in the past.

However, one common workaround is to detect a certain application and tag the host using that application. Then you can create a Tunnel VPN rule to route hosts tagged with that tag through the tunnel.

Is there a limit on how many Tunnel VPN tunnels I can configure?

The current limit is 40 tunnels.