Endian banner

OpenVPN client (Gw2Gw)

In this page appears the list of the Endian UTM Appliance‘s connections as OpenVPN clients, i.e., all tunnelled connections to remote OpenVPN servers. For every connection, the list reports the status, the name, any additional option, a remark, and the actions available:

  • on off - the server is active or stopped.
  • edit - modify the server’s configuration
  • delete - remove the configuration and the server.

The status is closed when the connection is disabled, established when the connection is enabled, and connecting... while the connection is being established. Beside to enable and to disable a connection, the available actions are to edit or delete it. In the former case, a form will open, that is the same as the one that opens when adding a connection (see below) in which to see and modify the current settings, whereas in the latter case only deletion of that profile from the Endian UTM Appliance is permitted.

The creation of a new OpenVPN client connections is straightforward and can be done in two ways: Either click on the Add tunnel configuration button and enter the necessary information about the OpenVPN server to which to connect (there can be more than one) or import the client settings from the OpenVPN Access Server by clicking on Import profile from OpenVPN Access Server.

New in version 2.5: Import from Access Server.

Add tunnel configuration

There are two types of settings that can be configured for each tunnel configuration: The basic one includes mandatory options for the tunnel to be established, while the advanced one is optional and normally should be changed only if the OpenVPN server has a non-standard setup. To access the advanced settings, click on the >> button next to the Advanced tunnel configuration label. The basic settings are:

Connection name
A label to identify the connection.
Connect to
The remote OpenVPN server’s FQDN, port, and protocol in the form myvpn.example.com:port:protocol. The port and protocol are optional and left on their default values which are 1194 and udp respectively when not specified. The protocol must be specified in lowercase letters.
Upload certificate
The server certificate needed for the tunnel connection. Browsing the local filesystem is admitted, to search for the file, of the path and filename can be entered. If the server is configured to use PSK authentication (password/username), the server’s host certificate (i.e., the one downloaded from the Download CA certificate link in the server’s Menubar ‣ VPN ‣ OpenVPN server section) must be uploaded to the Endian UTM Appliance. Otherwise, to use certificate-based authentication, the server’s PKCS#12 file (i.e., the one downloaded from the Export CA as PKCS#12 file link on the server’s Menubar ‣ VPN ‣ OpenVPN server ‣ Advanced section) must be uploaded.
PKCS#12 challenge password
Insert here the Challenge password, if one was supplied to the CA before or during the creation of the certificate. This is only needed when uploading a PKCS#12 certificate.
Username, Password
If the server is configured to use PSK authentication (password/username) or certificate plus password authentication, provide here the username and password of the account on the OpenVPN server.
Remark
A comment on the connection.

Advanced tunnel configuration

In this box, that appears when clicking on the >> button in the previous box, additional options can be modified, though the values in this box should be modified only if the server side has not been configured with standard values.

Fallback VPN servers

One or more (one per line) fallback OpenVPN servers in the same format used for the primary server, i.e., myvpn.example.com:port:protocol. The port and protocol values default to 1194 and udp respectively when omitted. If the connection to the main server fails, one of these fallback servers will take over.

Hint

The protocol must be written in lowercase letters.

Device type
The device used by the server, which is either TAP or TUN.
Connection type
This drop-down menu is not available if TUN has been selected as Device type, because in this case the connection type is always routed. Available options are routed (i.e., the client acts as a gateway to the remote LAN) or bridged (i.e., the client firewall appears as part of the remote LAN). Default is routed.
Bridge to
This field is only available if TAP has been selected as Device type and the connection type is bridged. From this drop-down menu, select the zone to which this client connection should be bridged.
NAT
This option is only available if the Connection type is routed. Tick this checkbox to hide the clients connected through this Endian UTM Appliance behind the firewall’s VPN IP address. This configuration will prevent incoming connections requests to the clients. In other words, incoming connections will not see the clients in the local network.
Block DHCP responses coming from tunnel
Tick this checkbox to avoid receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with a local DHCP server.
Use LZO compression
Compress the traffic passing through the tunnel, enabled by default.
Protocol
The protocol used by the server: UDP (default) or TCP. Set to TCP only if an HTTP proxy should be used: In this case, a form will show up to configure it.

If the Endian UTM Appliance can access the Internet only through an upstream HTTP proxy, it can still be used as an OpenVPN client in a Gateway-to-Gateway setup, but the TCP protocol for OpenVPN must be selected on both sides. Moreover, the account information for the HTTP upstream proxy must be provided in the text fields:

HTTP proxy
The HTTP proxy host, e.g., proxy.example.com:port, with the port defaulting to 8080 if not entered.
Proxy username, Proxy password
The proxy account information: The username and the password.
Forge proxy user-agent
A forged user agent string can be used in some cases to disguise the Endian UTM Appliance as a regular web browser, i.e., to contact the proxy as a browser. This operation may prove useful if the proxy accepts connections only for some type of browsers.

Once the connection has been configured, a new box at the bottom of the page will appear, called TLS authentication, from which to upload a TLS key file to be used for the connection. These options are available:

TLS key file
The key file to upload, searchable on the local workstation.
MD5
The MD5 checksum of the uploaded file, which will appear as soon as the file has been stored on the Endian UTM Appliance.
Direction
This value is set to 0 on servers and to 1 on clients.

Import profile from OpenVPN Access Server

The second possibility to add an account is to directly import the profile from an OpenVPN Access Server: In this case, the following information must be provided:

Connection name
A custom name for the connection.
Access Server URL

The URL of the OpenVPN Access Server.

Note

Note that the Endian UTM Appliance only supports XML-RPC configuration of the OpenVPN Access Server, therefore a URL input here has the form: https://<SERVERNAME>/RPC2.

Username, Password
The username and password on the Access Server.
Verify SSL certificate
If this checkbox is ticked and the server is running on an SSL encrypted connection, then the SSL certificate will be checked for validity. Should the certificate not be valid then the connection will be immediately closed. This feature might be disabled when using a self-signed certificate.
Remark
A comment to recall the purpose of the connection.