OpenVPN client (Gw2Gw)
In this page appears the list of the Endian UTM Appliance‘s connections as
OpenVPN clients, i.e., all tunnelled connections to remote OpenVPN
servers. For every connection, the list reports the status, the name,
any additional option, a remark, and the actions available:
- - the server is active or stopped.
- - modify the server’s configuration
- - remove the configuration and the server.
The status is closed when the connection is disabled, established
when the connection is enabled, and connecting... while the
connection is being established. Beside to enable and to disable a
connection, the available actions are to edit or delete it. In the
former case, a form will open, that is the same as the one that opens
when adding a connection (see below) in which to see and modify the
current settings, whereas in the latter case only deletion of that
profile from the Endian UTM Appliance is permitted.
The creation of a new OpenVPN client connections is straightforward
and can be done in two ways: Either click on the Add tunnel
configuration button and enter the necessary information about the
OpenVPN server to which to connect (there can be more than one) or
import the client settings from the OpenVPN Access Server by clicking
on Import profile from OpenVPN Access Server.
New in version 2.5: Import from Access Server.
There are two types of settings that can be configured for each tunnel
configuration: The basic one includes mandatory options for the tunnel
to be established, while the advanced one is optional and normally
should be changed only if the OpenVPN server has a non-standard
setup. To access the advanced settings, click on the >>
button next to the Advanced tunnel configuration label. The basic
- Connection name
- A label to identify the connection.
- Connect to
- The remote OpenVPN server’s FQDN, port, and protocol in the
myvpn.example.com:port:protocol. The port and
protocol are optional and left on their default values which
are 1194 and udp respectively when not specified. The
protocol must be specified in lowercase letters.
- Upload certificate
- The server certificate needed for the tunnel connection.
Browsing the local filesystem is admitted, to search for the
file, of the path and filename can be entered. If the server
is configured to use PSK authentication (password/username),
the server’s host certificate (i.e., the one downloaded from
the Download CA certificate link in the server’s
must be uploaded to the Endian UTM Appliance. Otherwise, to use
certificate-based authentication, the server’s PKCS#12 file
(i.e., the one downloaded from the Export CA as
PKCS#12 file link on the server’s section) must be
- PKCS#12 challenge password
- Insert here the Challenge password, if one was supplied to
the CA before or during the
creation of the certificate. This is only needed when
uploading a PKCS#12 certificate.
- Username, Password
- If the server is configured to use PSK authentication
(password/username) or certificate plus password
authentication, provide here the username and password of the
account on the OpenVPN server.
- A comment on the connection.
In this box, that appears when clicking on the >> button
in the previous box, additional options can be modified, though the
values in this box should be modified only if the server side has not
been configured with standard values.
- Fallback VPN servers
One or more (one per line) fallback OpenVPN servers in the
same format used for the primary server, i.e.,
myvpn.example.com:port:protocol. The port and protocol
values default to 1194 and udp respectively when omitted. If
the connection to the main server fails, one of these fallback
servers will take over.
The protocol must be written in lowercase letters.
- Device type
- The device used by the server, which is either TAP or TUN.
- Connection type
- This drop-down menu is not available if TUN has been selected
as Device type, because in this case the connection type is
always routed. Available options are routed (i.e., the
client acts as a gateway to the remote LAN) or bridged
(i.e., the client firewall appears as part of the remote
LAN). Default is routed.
- Bridge to
- This field is only available if TAP has been selected as
Device type and the connection type is bridged. From
this drop-down menu, select the zone to which this client
connection should be bridged.
- This option is only available if the Connection type is
routed. Tick this checkbox to hide the clients connected
through this Endian UTM Appliance behind the firewall’s VPN IP
address. This configuration will prevent incoming connections
requests to the clients. In other words, incoming connections
will not see the clients in the local network.
- Block DHCP responses coming from tunnel
- Tick this checkbox to avoid receiving DHCP responses from the
LAN at the other side of the VPN tunnel that conflict with
a local DHCP server.
- Use LZO compression
- Compress the traffic passing through the tunnel, enabled by
- The protocol used by the server: UDP (default) or TCP. Set to
TCP only if an HTTP proxy should be used: In this case, a form
will show up to configure it.
If the Endian UTM Appliance can access the Internet only through an upstream
HTTP proxy, it can still be used as an OpenVPN client in a
Gateway-to-Gateway setup, but the TCP protocol for OpenVPN must be
selected on both sides. Moreover, the account information for the
HTTP upstream proxy must be provided in the text fields:
- HTTP proxy
- The HTTP proxy host, e.g.,
the port defaulting to 8080 if not entered.
- Proxy username, Proxy password
- The proxy account information: The username and the
- Forge proxy user-agent
- A forged user agent string can be used in some cases
to disguise the Endian UTM Appliance as a regular web browser,
i.e., to contact the proxy as a browser. This operation may
prove useful if the proxy accepts connections only for some
type of browsers.
Once the connection has been configured, a new box at the bottom of
the page will appear, called TLS authentication, from which to
upload a TLS key file to be used for the connection. These options are
- TLS key file
- The key file to upload, searchable on the local workstation.
- The MD5 checksum of the uploaded file, which will appear as
soon as the file has been stored on the Endian UTM Appliance.
- This value is set to 0 on servers and to 1 on clients.
The second possibility to add an account is to directly import the
profile from an OpenVPN Access Server: In this case, the following
information must be provided:
- Connection name
- A custom name for the connection.
- Access Server URL
The URL of the OpenVPN Access Server.
Note that the Endian UTM Appliance only supports
XML-RPC configuration of the OpenVPN Access Server,
therefore a URL input here has the form:
- Username, Password
- The username and password on the Access Server.
- Verify SSL certificate
- If this checkbox is ticked and the server is running on an SSL
encrypted connection, then the SSL certificate will be checked
for validity. Should the certificate not be valid then the
connection will be immediately closed. This feature might be
disabled when using a self-signed certificate.
- A comment to recall the purpose of the connection.