The VPN Menu

Changed in version 2.5: The VPN module GUI has been partly redesigned.

New in version 2.5: L2TP support

A VPN allows two separated local networks to directly connect to each other over potentially unsafe networks such as the Internet. All the network traffic through the VPN connection is securely transmitted inside an encrypted tunnel, hidden from prying eyes. Such a configuration is called a Gateway-to-Gateway VPN, or Gw2Gw VPN for short. Similarly, a single remote computer somewhere on the Internet can use a VPN tunnel to connect to a local trusted LAN. The remote computer, sometimes called a Road Warrior, appears to be directly connected to the trusted LAN while the VPN tunnel is active.

The Endian UTM Appliance supports the creation of VPNs based either on the IPsec protocol, which is supported by most operating systems and network equipment, or on the OpenVPN service.

A user friendly OpenVPN client for Microsoft Windows, Linux, and MacOS X can be downloaded from the Endian Network.

The Endian UTM Appliance can be set up either as an OpenVPN server or as a client, and even play both roles at the same time, in order to create a network of OpenVPN-connected appliances. The menu items available in the sub-menu are the following:

  • OpenVPN server - set up the OpenVPN server so that clients (both roadwarriors and other Endian UTM Appliances in a Gateway-to-Gateway setup) can connect to one of the local zones.
  • OpenVPN client (Gw2Gw) - set up the client side of a Gateway-to-Gateway setup between two or more Endian UTM Appliances.
  • IPsec/L2TP - set up IPsec-based VPN tunnels and L2TP connections.
  • VPN Users - manage users of VPN connections.

New in version 2.5: Support for L2TP

Changed in version 2.5: Moved the management of all users under a submenu.

Changed in version 2.5.1: Moved IPsec and L2TP under the same menu

OpenVPN server

When configured as an OpenVPN server, the Endian UTM Appliance can accept remote connections from the uplink and allow a VPN client to be set up and work as if it were a local workstation or server.

The page opens with the summary of the current server configuration, separated into two boxes: Global settings and Connection status and control. Two additional tabs give access to Advanced settings and to the VPN client download.

Note

Whenever the configuration of the OpenVPN server changes, or the way a user interacts with the other users is modified (e.g., by altering the Networks behind client option, see below), the OpenVPN server must be restarted for the changes to be propagated to all users. After such a modification, a small box with a message reminds to restart the server. The connected clients will be disconnected and automatically reconnected after a short timeout, usually without noticing the interruption.

Server configuration

This page shows two boxes: one that allows setting up some global settings, and an informative one that shows the connected clients.

Global settings

The box at the top shows the current settings, which can be changed right from there by modifying the following options. All of them relate to the bridged OpenVPN setup; when a routed VPN setup is chosen, only one option is available: VPN Subnet.

OpenVPN server enabled
Tick this checkbox to make sure the OpenVPN server is started.
Bridged

Tick this option to run the OpenVPN server in bridged mode, i.e., within one of the existing zones.

Note

If the OpenVPN server is not bridged (i.e., it is routed), the clients will receive their IP addresses from a dedicated subnet. In this case, appropriate firewall rules in the VPN firewall should be created, to make sure the clients can access any zone, or some server/resource (e.g., a source code repository). If the OpenVPN server is bridged, it inherits the firewall settings of the zone it is defined in.

VPN subnet
This option is the only one available if bridged mode is disabled. It lets the OpenVPN server run in its own dedicated subnet, which can be specified in the text box and should be different from the subnets of the other zones.
Bridge to
The zone to which the OpenVPN server should be bridged. The drop-down menu shows only the available zones.
Dynamic IP pool start address
The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.
Dynamic IP pool end address

The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Note

Traffic directed to this IP pool has to be filtered using the VPN firewall.

The first time the service is started, a new self-signed CA certificate for this OpenVPN server is generated, an operation that may take a long time. After the certificate has been generated, it can be downloaded by clicking on the Download CA certificate link. This certificate must be used by all the clients that want to connect to this OpenVPN server; otherwise they will not be able to connect.

After the server has been set up, it is possible to create and configure accounts for clients that can connect to the Endian UTM Appliance in the Accounts tab.

Connection status and control

The box at the bottom shows a list of the currently connected clients, although the list will be empty until the OpenVPN server is running and clients have been created and have accessed the OpenVPN server. This box is identical to the one in Menubar ‣ Status ‣ OpenVPN connections, and contains for each client, its name, assigned and real IP address, the traffic (received and transmitted) in bytes, the connection time, the uptime, and the only possible action:

kill
Immediately close the connection for that client.

Troubleshooting VPN connections.

While several problems with VPN connections can be easily spotted by looking at the configuration, one subtle source of connection hiccups is a wrong value of the MTU size. The Endian UTM Appliance sets a limit of 1450 bytes to the size of the VPN’s MTU, to prevent problems with the common MTU value used by the ISP, which is 1500. However, some ISPs may use an MTU value lower than the commonly used one, making the Endian MTU value too large and therefore causing connection issues (the most visible one is probably the impossibility to download large files). This value can be modified by accessing the Endian UTM Appliance from the CLI and following these guidelines:

  1. Write down the MTU size used by the ISP (see link below).
  2. Login to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.
  3. Edit the OpenVPN template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.
  4. Search for the string mssfix 1450.
  5. Replace 1450 with a lower value, for example 1200.
  6. Restart OpenVPN by calling: restartopenvpn.
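The same edit as steps 3 to 5, done from the CLI with a sanity check on the new value and a confirmation that the template actually changed; this is an added example, not Endian's own tooling. The template path is the one named above and is passed as a parameter so the functions can be tried on a copy first; the accepted range 576..1450 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Endian documentation or tooling: change the
# mssfix value in the OpenVPN template with a sanity check on the new value
# and a confirmation that the edit took. Run restartopenvpn afterwards.

# Print the current mssfix value found in the template (empty if none).
current_mssfix() {
    sed -n 's/^[[:space:]]*mssfix[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n 1
}

# Replace the mssfix value, keeping a .bak copy of the template.
# Assumed plausible range: not below 576 (the minimum IPv4 datagram size every
# host must accept) and not above 1450 (the appliance's default upper bound).
set_mssfix() {
    tmpl="$1"; new="$2"
    case "$new" in
        ''|*[!0-9]*) echo "mssfix must be a whole number" >&2; return 1 ;;
    esac
    if [ "$new" -lt 576 ] || [ "$new" -gt 1450 ]; then
        echo "mssfix $new is outside 576..1450" >&2; return 1
    fi
    old=$(current_mssfix "$tmpl")
    if [ -z "$old" ]; then
        echo "no mssfix line found in $tmpl" >&2; return 1
    fi
    cp "$tmpl" "$tmpl.bak" || return 1
    sed "s/^\([[:space:]]*mssfix[[:space:]]\{1,\}\)[0-9]\{1,\}/\1$new/" "$tmpl.bak" > "$tmpl" || return 1
    # Confirm the edit before the service is restarted.
    [ "$(current_mssfix "$tmpl")" = "$new" ]
}

# Typical use on the appliance, corresponding to steps 3 to 6 above:
#   set_mssfix /etc/openvpn/openvpn.conf.tmpl 1200 && restartopenvpn
```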

See also

More information about the MTU size.

Advanced

In this tab, three boxes allow specifying advanced settings for the OpenVPN server. Among other settings, certificate-based authentication (as opposed to password-based) can be set here.

Hint

For a normal use these settings can be left at their default values.

Advanced settings

The first box contains some global settings about the daemon:

Port, Protocol
The combination (1194, UDP) for port and protocol is the default OpenVPN setting and it is good practice to keep it unchanged. To make OpenVPN accessible via other ports, appropriate port forwarding rules should be defined (see Menubar ‣ Firewall ‣ Port Forwarding) to redirect incoming traffic to port 1194. The protocol should be set to TCP only in some borderline cases, e.g., when accessing the OpenVPN server through a third-party HTTP proxy; otherwise the default settings (1194, UDP) should always be used.
Block DHCP responses coming from tunnel
Tick this checkbox when receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with the local DHCP server.
Don’t block traffic between clients
By default, the OpenVPN server isolates clients from each other. To change this behaviour, and allow traffic between different VPN clients, tick this option.
Allow multiple connections from one account:

Normally, one client is allowed to connect from one location at a time. Selecting this option permits multiple client logins, even from different locations. However, when the same client is connected twice or more, the VPN firewall rules do not apply anymore.

New in version 2.5: An option to allow multiple connections.

Global push options

In the second box, the network settings sent to the clients can be modified. Each option, after having been changed, must be enabled by ticking the respective checkbox.

Push these networks
The routes to the specified networks defined here are sent to the connected clients.
Push these nameservers
The specified nameservers are sent to the connected clients.
Push domain
The search domains used for local name resolution are added to those of the connected clients.

Note

The options Push these nameservers and Push domain only work for clients running the Microsoft Windows operating system.

Authentication settings

The last box concerns the choice of the authentication method among the three available, which also determines the configuration options available.

PSK (username/password)

The Endian UTM Appliance’s default method is PSK (username/password): The client authenticates using username and password. To use this method, no additional change is needed; the other two methods are described below.

By clicking on the Download CA certificate link, the public certificate of this OpenVPN server is downloaded. It is needed by the clients to verify the authenticity of the server they are connecting to. Furthermore, a click on the Export CA as PKCS#12 file link downloads the certificate in PKCS#12 format (which should be kept private), which can be imported into any OpenVPN server that should be used as a fallback server.

Finally, should this system be a fallback system, two further options are available:

PKCS#12
Use the Browse button to select the certificate file that was exported from the primary server, or provide its path and name.
Challenge password
The password to read the certificate. Leave it empty if the certificate comes from another Endian UTM Appliance.

X.509 certificate and X.509 certificate & PSK (two factor)

When configuring the X.509-certificate-based authentication method (either certificate only or certificate plus username and password), the configuration becomes a bit more complicated. It is assumed (and required) that an independent certificate authority (CA) be employed for this purpose. It is neither possible nor desired to host such a certificate authority on Endian UTM Appliance.

It is necessary to generate and sign certificates for the server and for every client using the chosen certificate authority. The certificate type must be explicitly specified as either “server” or “client” in the “Netscape certificate type” field.

The server certificate file in PKCS#12 format must be uploaded in this section (specify the Challenge password that was given to the certificate authority before or during the creation of the certificate).

The common name field of each client certificate must be equal to the client’s OpenVPN user name.

Warning

When employing certificate-only authentication, a client with a valid certificate will be granted access to the OpenVPN server even if it has no valid account!

Finally, in case a client certificate has been lost, that certificate can be revoked on the CA and the resulting certificate revocation list (CRL) uploaded here.
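The certificate shape this section requires, worked through with openssl as an added example that is not Endian's documentation or code: an external CA issues a server certificate and a client certificate with the Netscape certificate type set (the openssl extension name is nsCertType), and a check function confirms, before the upload, that a client certificate is signed by that CA, is of type client, and carries the VPN user name as its common name. It assumes openssl 1.1.1 or later on PATH; the CA name, host name vpn.example.com and user alice are constructed.

```shell
#!/bin/sh
# Added example, not Endian's own tooling: a minimal external CA producing
# certificates of the shape the X.509 methods expect, plus a pre-upload check.
# Assumes openssl 1.1.1+; all names and paths are constructed for the example.

make_ca() {            # $1 = working directory; writes ca.key and ca.crt
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=Example VPN CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}

# Issue a CA-signed certificate. $2 = common name, $3 = server | client.
# The Netscape certificate type is set explicitly, as the page requires.
issue_cert() {
    d="$1"; cn="$2"; kind="$3"
    case "$kind" in server|client) ;; *) echo "type must be server or client" >&2; return 1 ;; esac
    printf 'nsCertType = %s\nextendedKeyUsage = %s\n' "$kind" \
        "$( [ "$kind" = server ] && echo serverAuth || echo clientAuth )" > "$d/$cn.ext"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -sha256 -in "$d/$cn.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$cn.ext" \
        -out "$d/$cn.crt" 2>/dev/null
}

# Common name of a certificate, the value the server compares with the user name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

# Netscape certificate type, lower-cased: "server", "client" or empty if unset.
cert_nstype() {
    openssl x509 -noout -text -in "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -n '/netscape cert type/{n;s/^[[:space:]]*ssl //p;}'
}

# Pre-upload check for a client certificate: signed by the CA the server
# trusts, typed "client", and CN equal to the VPN user name.
check_client_cert() {   # $1 = CA cert, $2 = client cert, $3 = VPN user name
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "$2: not signed by the expected CA" >&2; return 1; }
    [ "$(cert_nstype "$2")" = client ] \
        || { echo "$2: Netscape certificate type is not client" >&2; return 1; }
    [ "$(cert_cn "$2")" = "$3" ] \
        || { echo "$2: common name does not match user $3" >&2; return 1; }
}
```

A certificate that passes check_client_cert but belongs to a user with no account will still be accepted under certificate-only authentication, as the warning above states; the CN check only ties the certificate to a name.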

VPN client download

Click on the link to download the Endian VPN client for Microsoft Windows, MacOS X, and Linux from the Endian Network. A valid account is needed to download the client.

OpenVPN client (Gw2Gw)

This page shows the list of the Endian UTM Appliance’s connections as an OpenVPN client, i.e., all tunnelled connections to remote OpenVPN servers. For every connection, the list reports the status, the name, any additional option, a remark, and the actions available. The status is closed when the connection is disabled and established when the connection is enabled. Besides enabling and disabling a connection, the available actions are to edit or delete it. In the former case, a form opens, the same as the one shown when adding a connection (see below), in which to see and modify the current settings; in the latter case the profile is deleted from the Endian UTM Appliance.

The creation of a new OpenVPN client connection is straightforward and can be done in two ways: Either click on the Add tunnel configuration button and enter the necessary information about the OpenVPN server to which to connect (there can be more than one), or import the client settings from the OpenVPN Access Server by clicking on Import profile from OpenVPN Access Server.

New in version 2.5: Import from Access Server.

Add tunnel configuration

There are two types of settings that can be configured for each tunnel configuration: The basic one includes mandatory options for the tunnel to be established, while the advanced one is optional and normally should be changed only if the OpenVPN server has a non-standard setup. To access the advanced settings, click on the >> button next to the Advanced tunnel configuration label. The basic settings are:

Connection name
A label to identify the connection.
Connect to
The remote OpenVPN server’s FQDN, port, and protocol in the form myvpn.example.com:port:protocol. The port and protocol are optional and left on their default values which are 1194 and udp respectively when not specified. The protocol must be specified in lowercase letters.
Upload certificate
The server certificate needed for the tunnel connection. The local filesystem can be browsed to search for the file, or the path and filename can be entered. If the server is configured to use PSK authentication (password/username), the server’s host certificate (i.e., the one downloaded from the Download CA certificate link in the server’s Menubar ‣ VPN ‣ OpenVPN server section) must be uploaded to the Endian UTM Appliance. Otherwise, to use certificate-based authentication, the server’s PKCS#12 file (i.e., the one downloaded from the Export CA as PKCS#12 file link on the server’s Menubar ‣ VPN ‣ OpenVPN server ‣ Advanced section) must be uploaded.
PKCS#12 challenge password
Insert here the Challenge password, if one was supplied to the CA before or during the creation of the certificate. This is only needed when uploading a PKCS#12 certificate.
Username, Password
If the server is configured to use PSK authentication (password/username) or certificate plus password authentication, provide here the username and password of the account on the OpenVPN server.
Remark
A comment on the connection.

Advanced tunnel configuration

In this box, which appears when clicking on the >> button in the previous box, additional options can be modified; the values here should be changed only if the server side has not been configured with standard values.

Fallback VPN servers

One or more (one per line) fallback OpenVPN servers in the same format used for the primary server, i.e., myvpn.example.com:port:protocol. The port and protocol values default to 1194 and udp respectively when omitted. If the connection to the main server fails, one of these fallback servers will take over.

Hint

The protocol must be written in lowercase letters.

Device type
The device used by the server, which is either TAP or TUN.
Connection type
This drop-down menu is not available if TUN has been selected as Device type, because in this case the connection type is always routed. Available options are routed (i.e., the client acts as a gateway to the remote LAN) or bridged (i.e., the client firewall appears as part of the remote LAN). Default is routed.
Bridge to
This field is only available if TAP has been selected as Device type and the connection type is bridged. From this drop-down menu, select the zone to which this client connection should be bridged.
NAT
This option is only available if the Connection type is routed. Tick this checkbox to hide the clients connected through this Endian UTM Appliance behind the firewall’s VPN IP address. This configuration will prevent incoming connection requests to the clients. In other words, incoming connections will not see the clients in the local network.
Block DHCP responses coming from tunnel
Tick this checkbox to avoid receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with a local DHCP server.
Use LZO compression
Compress the traffic passing through the tunnel, enabled by default.
Protocol
The protocol used by the server: UDP (default) or TCP. Set to TCP only if an HTTP proxy should be used: In this case, a form will show up to configure it.

If the Endian UTM Appliance can access the Internet only through an upstream HTTP proxy, it can still be used as an OpenVPN client in a Gateway-to-Gateway setup, but the TCP protocol for OpenVPN must be selected on both sides. Moreover, the account information for the HTTP upstream proxy must be provided in the text fields:

HTTP proxy
The HTTP proxy host, e.g., proxy.example.com:port, with the port defaulting to 8080 if not entered.
Proxy username, Proxy password
The proxy account information: The username and the password.
Forge proxy user-agent
A forged user agent string can be used in some cases to disguise the Endian UTM Appliance as a regular web browser, i.e., to contact the proxy as a browser. This operation may prove useful if the proxy accepts connections only for some type of browsers.

Once the connection has been configured, a new box at the bottom of the page will appear, called TLS authentication, from which to upload a TLS key file to be used for the connection. These options are available:

TLS key file
The key file to upload, searchable on the local PC’s file system.
MD5
The MD5 checksum of the uploaded file, which will appear as soon as the file has been stored on the Endian UTM Appliance.
Direction
This field is set to 0 on servers and to 1 on clients.

Import profile from OpenVPN Access Server

The second possibility to add an account is to directly import the profile from an OpenVPN Access Server: In this case, the following information must be provided:

Connection name
A custom name for the connection.
Access Server URL

The URL of the OpenVPN Access Server.

Note

The Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Access Server, therefore a URL input here has the form: https://<SERVERNAME>/RPC2.

Username, Password
The username and password on the Access Server.
Verify SSL certificate
If this checkbox is ticked and the server is running on an SSL encrypted connection, then the SSL certificate will be checked for validity. Should the certificate not be valid then the connection will be immediately closed. This feature might be disabled when using a self-signed certificate.
Remark
A comment to recall the purpose of the connection.

IPsec/L2TP

The IPsec page contains two tabs (IPsec and L2TP), which allow setting up and configuring the IPsec tunnels and enabling the L2TP support, respectively.

IPsec

The IPsec tab contains three boxes: The first, Global settings, serves to enable and configure IPsec. The second, Connection status and control, shows all the connections and allows adding a new one. Finally, the Certificate authorities box allows managing the certificates. Note that when adding a new connection, new boxes will be shown that help in the configuration of the connection types and of their options.

IPsec in a nutshell.

IPsec is a generic standardised VPN solution, in which the encryption and the authentication tasks are carried out on OSI layer 3 as an extension to the IP protocol. Therefore, IPsec must be implemented in the kernel’s IP stack. Although IPsec is a standardised protocol and it is compatible with most vendors that implement IPsec solutions, the actual implementation may be very different from vendor to vendor, sometimes causing severe interoperability issues.

Moreover, the configuration and administration of IPsec is usually quite difficult due to its complexity and design, while some particular situations might even be impossible to handle, for example when there is the necessity to cope with NAT.

Compared to IPsec, OpenVPN is easier to install, configure, and manage, and the Endian UTM Appliance implements an easy to use administration interface for it that supports different authentication methods. Because of the interoperability problems that may arise, it is suggested to use IPsec only if absolutely needed, for example to support existing IPsec installations or when dealing with devices that do not support OpenVPN; the use of OpenVPN is encouraged in all other cases, especially when there is the necessity to work with NAT.

Global settings

In this box, the main parameters of the IPsec configuration can be set:

Enabled
Enable IPsec by ticking the checkbox (it is disabled by default).
Debug options
By clicking on the small + sign, some checkboxes will appear: Show the structure of input messages, Show the structure of output messages, Show interaction with kernel IPsec support (KLIPS), and Show interaction with DNS. By ticking them, more detailed messages will be logged to the /var/log/messages file.

Connection status and control

Here there is a list of accounts and their connection status. The list shows the name, type, common name, remark, and status of each connection. New connections are added by clicking on the Add button (see below). Possible actions on each connection are to restart, enable or disable, edit, or delete it.

Certificate authorities

In the last box of the IPsec main page, the root and host certificates are shown and the existing certificates can be managed. If root and host certificates have yet to be generated, a “Not present” message is shown.

Generate root/host certificates
Click on the button to generate new root and host certificates. In the page that will open, all the required information (see Generate root/host certificates further on) can be provided.
CA name
In case that a CA certificate signed by an Authority is available, enter the name of the Authority in the first text box, and the certificate file in the second one. The file selector to facilitate the search for the file can be opened by clicking on the Browse... button, and the certificate uploaded by clicking on the Upload CA certificate button.
Reset
To erase an already created Certificate, click on this button at the bottom of the page.

Warning

Please note that by resetting the root certificates, not only the certificates but also certificate-based connections will be erased.

Generate root/host certificates

The following information must be entered to create new host and root certificates.

Organization name
The organization name to use in the certificate. For example, if the VPN is connecting together the schools in a school district, it can be something like “School District of Aberdeen.”
Endian Firewall hostname
The hostname used to identify the certificate. It should be either the FQDN or the RED IP address of the Endian UTM Appliance.
Your email address
A contact e-mail address.
Your department
The department name.
City
The name of the town or city.
State or province
The name of the state or province.
Country
Country of residence.

The certificates are created after clicking on the Generate root/host certificates button. The process can take up to several minutes to complete.

Subject alt name
An alternative hostname for identification.

Instead of generating new certificates, a previously created PKCS12 certificate file can be uploaded using the lower box of the page.

Upload PKCS12 file
Open the file selection dialogue box by clicking on the Browse... button and select the PKCS12 file.
PKCS12 file password
The password of the certificate, if the file is protected.
Upload PKCS12 file
Click this button to upload the PKCS12 file.

Add a tunnel/Connection type

Upon clicking on Add under Connection status and control, a page will open from which to select either a Host-to-Net Virtual Private Network, a Net-to-Net Virtual Private Network, or an L2TP Host-to-Net Virtual Private Network. After the choice of the type of connection, and one click on the Add button, the page for the connection editor will open, that contains two boxes grouping the types of options: Connection configuration and Authentication.

Connection configuration

The first box is used to configure the network parameters:

Name
The name of the connection.
Enabled
If ticked, the connection is enabled.
Interface
The interface through which the host is connecting. In Net-to-Net it is always the uplink.
Local subnet
The local subnet.
Local ID
A string that identifies the local host of the connection.
Remote host/IP
The IP or FQDN of the remote host.
Remote subnet
Only available for net-to-net connections, it specifies the remote subnet.
Remote ID
The ID that identifies the remote host of this connection.
Dead peer detection action

The action to perform if a peer disconnects. Available choices from the drop-down menu are to Clear, to Hold, or to Restart the peer.

Note

Unlike in other places, clicking or moving the mouse over the ? will not provide a tooltip, but open a web page with a detailed description of the functionalities of the dead peer detection.

Remark
A comment for the connection.
Edit advanced settings
Tick this checkbox to edit more advanced settings. They will be accessible and editable after saving the current settings (at the bottom of the next box).

Authentication

This box serves to configure the authentication.

Use a pre-shared key

Enter a pass phrase to be used to authenticate the other side of the tunnel. Choose this option for a simple Net-to-Net VPN.

Warning

Do not use PSKs to authenticate Host-to-Net connections!

Upload a certificate request
Some roadwarrior IPsec implementations do not have their own CA. If they wish to use IPsec’s built-in CA, they can generate a so-called certificate request, which is a partial X.509 certificate that must be signed by a CA. During the certificate request upload, the request is signed and the new certificate will become available under the Menubar ‣ VPN section of the Endian UTM Appliance.
Upload a certificate
In this case, the peer IPsec has a CA available for use. Both the peer’s CA certificate and host certificate must be included in the uploaded file.
Upload PKCS12 file - PKCS12 file password
Choose this option to upload a PKCS12 file. If the file is secured by a password, it must be supplied in the text field below the file selection field.
Generate a certificate
A new X.509 certificate can also be created. In this case, the required fields must be defined. Optional fields are indicated by red dots. If this certificate is for a Net-to-Net connection, the User’s Full Name or System Hostname field must contain the fully qualified domain name of the peer. The PKCS12 File Password fields ensure that the host’s generated certificates cannot be intercepted and compromised while being transmitted to the IPsec peer.

Advanced settings

In this page, which opens upon defining and saving a new connection, some advanced settings for that connection can be defined.

Warning

Inexperienced users should not change the following advanced settings!

IKE encryption
The encryption methods that should be supported by IKE.
IKE integrity
The algorithms that should be supported to verify the integrity of packets.
IKE group type
The IKE group type.
IKE lifetime
The number of hours for which the IKE keys remain valid.
ESP encryption
The encryption methods that should be supported by the ESP.
ESP integrity
The algorithms that should be supported to verify the integrity of packets.
ESP key life
The number of hours for which an ESP key remains valid.
IKE aggressive mode allowed

Tick this box to enable IKE aggressive mode. It is suggested NOT to do so.

Changed in version 2.5: This option was removed from the 2.5 version.

Perfect Forward Secrecy
If this box is ticked, perfect forward secrecy is enabled.
Negotiate payload compression
Tick this box to use payload compression.
Roadwarrior virtual IP
This option allows assigning a virtual IP (“inner IP”) to the user when the connection is established.

See also

On the website help.endian.com, the following tutorials are available:

  1. IPsec VPN - How to Create a Roadwarrior Connection (Shrewsoft)
  2. SSL VPN - How to Create a Net-to-Net Connection
  3. SSL VPN - How to Create a Net-to-Net Connection (over HTTP)
  4. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Endian)
  5. SSL VPN - How to Create a Roadwarrior Connection
  6. IPsec VPN - How to Create a Net-to-Net Connection (Endian-to-Cisco ASA)

L2TP

L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661. In a nutshell, it is a protocol that provides a tunnel connection carrying PPP packets. Here it is used together with IPsec to support VPN connections.

The following options are available to configure L2TP.

Enable L2TP
The checkbox must be ticked to enable L2TP support in the Endian UTM Appliance.
Zone
The zone to which the L2TP connections are directed. Only the activated zones can be chosen from the drop-down menu.
L2TP IP pool start address, L2TP IP pool end address
The IP range from which L2TP users will receive an IP address when connecting to the Endian UTM Appliance.
Enable debug
Tick this checkbox to let L2TP produce more verbose logs.

See also

On the website help.endian.com, several tutorials are available that help in setting up the Endian UTM Appliance as IPsec server and smartphones as clients:

  1. Setup of a VPN with IPsec and an L2TP tunnel
  2. Connecting to an Endian UTM via L2TP (IPSec) using Android
  3. Connecting to an Endian UTM via L2TP (IPSec) using iOS
  4. Connecting to an Endian UTM via L2TP (IPSec) using Windows 7

VPN Users

Changed in version 2.5: This configuration page was moved from Menubar ‣ VPN ‣ OpenVPN server ‣ Accounts and its layout was improved.

The box in this page contains the list of OpenVPN users, which is initially empty, so the only available action at first is Add new User. Once accounts have been defined, the list shows for each of them the account’s name, a remark, whether it is an OpenVPN or L2TP user, the networks used by the account, its status, and the available actions.

Click on Add new User to add a VPN account. In the form that will show up, the following options can be specified for each user:

Add User

Name
The login name of the user.
Enabled
Tick the checkbox to enable the user, i.e., to allow her to connect to the OpenVPN server on the Endian UTM Appliance.
Password, Confirm password
The password for the user, to be entered twice. The passwords are actually not shown: To see them, tick the two checkboxes on their right.
Remark
An additional comment.

Under the VPN protocols panel, two checkboxes allow choosing the protocol used for the VPN connection:

OpenVPN
Tick this checkbox to allow the OpenVPN protocol to be used.
L2TP

Tick this checkbox to allow the L2TP protocol to be used.

Note

This option cannot be selected if no L2TP tunnel has yet been configured. In such a case, an informative message appears as a hyperlink: Upon clicking on it, the IPsec connection editor opens. Once done, it will be possible to allow a VPN user to connect using the L2TP protocol.

Right below, it is possible to specify more advanced settings for each of the protocols that the user shall use. A click on the Advanced Settings hyperlink shows two more hyperlinks: Clicking on each of them reveals a new panel in which to configure further settings for the connection.

OpenVPN Options

direct all client traffic through the VPN server
If this option is checked, all the traffic from the connecting client, regardless of the destination, is routed through the uplink of the Endian UTM Appliance. The default is to route all the traffic whose destination is outside any of the internal zones (such as Internet hosts) through the client’s uplink.
Push only global options to this client
For advanced users only. Normally, when a client connects, tunneled routes to networks that are accessible via VPN are added to the client’s routing table, to allow it to connect to the various local networks reachable from the Endian UTM Appliance. This option should be enabled if this behaviour is not wanted, but the client’s routing tables (especially those for the internal zones) should be modified manually.
Push route to blue zone, Push route to orange zone
When this option is active, the client will have access to the blue or the orange zone. These options have no effect if the corresponding zones are not enabled.
Networks behind client
This option is only needed if this account is used as a client in a Gateway-to-Gateway setup. In the box, write the networks lying behind this client that should be pushed to the other clients. In other words, these networks will be available to the other clients.
Push only these networks
The local network routes that should be pushed to the client. This option overrides all automatically pushed routes.
Static IP addresses
Dynamic IP addresses are assigned to clients, but a static IP address provided here will be assigned to the client whenever it connects.
Enable push these nameservers
Assign custom nameservers on a per-client basis here. This setting (and the next one) can be defined, but enabled or disabled at will.
Enable push domains
Assign custom search domains on a per-client basis here.
One-to-One NAT
In the two text fields below it is possible to specify custom one-to-one NAT-ed sources and destinations.

Note

When planning to have two or more branch offices connected through a Gateway-to-Gateway VPN, it is good practice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. Using this solution, several possible sources for errors and conflicts will be avoided. Indeed, several advantages come for free, including: The automatic assignment of correct routes, without the need for pushing custom routes, no warning messages about possibly conflicting routes, correct local name resolution, and easier WAN network setup.

L2TP Options

IPsec Tunnel
This drop-down menu allows choosing the tunnel that will be employed by the user, among those already defined.
