Endian banner

OpenVPN server

When configured as an OpenVPN server, the Endian Hotspot Appliance can accept remote connections from the uplink and allow a VPN client to be set up and interact with the local resources as if it were a local workstation or server.

The OpenVPN server settings page is composed of two tabs: Server configuration and VPN client download.

Server configuration

This page shows a switch called Enable OpenVPN server swoff, that will start the OpenVPN server and all services related to it (like e.g., the VPN firewall if enabled) once clicked.

Below, there are two boxes, OpenVPN settings and OpenVPN server configuration - that contain all the options to configure the OpenVPN server.

Note

When starting the OpenVPN server for the first time, the root and host certificates are generated automatically.

OpenVPN settings

The box on the top shows the current OpenVPN settings, which concern the authentication method, and are:

Authentication type

There are three available authentication methods to connect clients to the OpenVPN server running on the Endian Hotspot Appliance:

  • PSK (username and password). Connection is established after providing correct username and password.

  • X.509 certificate. A valid certificate only is needed to connect.

  • X.509 certificate & PSK (two factor). Both a valid certificate, and a username/passwords combination are needed.

Warning

When employing certificate-only authentication, a client with a valid certificate will be granted access to the OpenVPN server even if it has no valid account!

Endian Hotspot Appliance‘s default method is PSK (username/password): The client authenticates using username and password. To use this method, no additional change is needed, while the other two methods are described below.

Certificate configuration

This drop-down menu is used to select the method of creation of a new certificate. The available options are:

  • Generate a new certificate. Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open where to specify all options necessary to create a new certificate.

  • Use selected certificate. Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

    Hint

    The name of the certificate selected appears right above the hyperlink.

  • Use an existing certificate. A second drop-down menu on the left allows to select a certificate that has already been created and stored on the Endian Hotspot Appliance.

  • Upload a certificate. By clicking on the Browse… button that appears underneath the drop-down menu it will be possible to select from the workstation and to upload an existing certificate. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.

  • Upload a certificate signing request. The Browse… button that appears underneath the drop-down menu can be clicked to select from the workstation and upload an existing certificate signing request. The validity of the certificate in days can be provided in the textfield on the right-hand side.

On the right of the Certificate configuration drop-down menu, the name of the currently used certificate is shown, above the info icon and the View details link. The latter will show all information about the certificate when clicked.

Below the Certificate configuration drop-down menu, there is the download icon , with the name of the Certificate Authority and the Download certificate link to download the certificate needed for the client connections.

In the Advanced options panel, a few options are available to customise the OpenVPN server.

Delay triggers

A tick on the checkbox will allow to delay the triggers launched whenever a client connects to or disconnects from the OpenVPN server. Since triggers are mostly a reload of routing and firewall rules, this option proves useful when many clients connect or disconnect at the same time.

Log verbosity

This option allows to increase or decrease the amount of messages written in the log file. The default value is 1, which means that only the most relevant messages are written to the log file, and can be increased up to 5.

Hint

A good value for debugging is 4.

Create a DNS entry for each connected client

When this option is ticked, whenever a client connect, it will receive an entry in the local DNS server, for other clients to be able to connect easily to it. The next option will appear.

Clients DNS entry prefix

A custom prefix that will be prefixed to the username of a client to uniquely identify it when using the local DNS.

Hint

If the prefix written here is vpn, the entry will be vpn-username, like e.g., vpn-johndoe.

OpenVPN server configuration

In this editor all the necessary configuration values for the VPN server are defined.

Name

The name given to the OpenVPN server instance.

Remark

A comment for this instance.

Bind only to

The IP address to which the instance should listen to.

Port

The port on which the instance waits for incoming connections.

Device type

The device used by the instance, chosen between TUN and TAP from the drop-down menu. TUN devices require that the traffic be routed, hence the option Bridged below is not available for TUN devices.

Protocol

The protocol used, chosen between TCP and UDP from the drop-down menu.

Bridged

Tick this option to run the OpenVPN server in bridged mode, i.e., within one of the existing zones.

Note

If the OpenVPN server is not bridged (i.e., it is routed), the clients will receive their IP addresses from a dedicated subnet. In this case, appropriate firewall rules in the VPN firewall should be created, to make sure the clients can access any zone, or some server/resource (e.g., a source code repository) therein. If the OpenVPN server is bridged, it inherits the firewall settings of the zone it is defined in.

Bridged to

The zone to which the OpenVPN server should be bridged. The drop-down menu shows only the available zones.

VPN subnet

This option is only available if bridged mode is disabled. It allows the OpenVPN server to run in its own, dedicated subnet, that can be specified in the text box and should be different from the subnets of the other zones.

Dynamic IP pool start address

The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Dynamic IP pool end address

The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Routed and bridged OpenVPN server, static and dynamic.

When configuring a pool of IP addresses to be reserved for clients connecting via OpenVPN, it is necessary to keep in mind a few guidelines that help both the prevention of future malfunctioning and the cleaner and easier design and set up.

The first choice is to define whether the OpenVPN server should act in routed or bridged mode. In the former case, it is necessary to define a suitable VPN subnet that will provide the IP addresses for the clients. The traffic directed to this subnet has to be filtered, if necessary, using the VPN firewall. In the latter case, the OpenVPN server is configured to consider the clients, upon connecting, as they were physically connected to that zone, i.e., the server bridges the client to one of the zones. In this case, a pool of IP addresses must be defined within that zone using the two option that appear right before this box. This pool must be entirely contained in the zone’s subnet and smaller than that one. It is also important to make sure that this pool does conflict with other pools defined in that zone, like e.g., a DHCP server.

In a bridged OpenVPN server it is possible to assign to some (or even to all) user a static IP address. When planning this possibility, it is a good practice that these static IP addresses do not belong to any of the IP pools defined in that zone, to prevent any conflicts of address and wrong routing. Traffic to this particular client can then be filtered using the VPN (or IPsec) user as source or destination of traffic in the Firewall rules.

In the Advanced options box, additional options can be configured.

Allow multiple connections from one account:

Normally, one client is allowed to connect from one location at a time. Selecting this option permits multiple client logins, even from different locations. However, when the same client is connect twice or more, the VPN firewall rules do not apply anymore.

Block DHCP responses coming from tunnel

Tick this checkbox when receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with the local DHCP server.

Client to client connections

Select from the drop-dow menu the modalities of the communications between clients of the OpenVPN server.

  • Not allowed: The clients can not communicate one to the other.

  • Allow direct connections: The clients can communicate directly with each other but filtering is not possible.

  • Filter connections in the VPN firewall The clients can communicate with each other, but their traffic is redirected to the VPN Firewall and can be filtered using suitable rules there.

Renegotiation data channel key interval

This option allows to modify the time interval after which the data channel key will be renegotiated. The value is measured in seconds, with the default value set to 3600 seconds.

Push these nameservers

By ticking this checkbox, the nameserver specified in the textfield below are sent to the clients upon connection.

Nameservers

The nameservers specified in this textfield are sent to the connected clients, when the previous checkbox has been ticked.

Push these networks

By ticking this checkbox, the routes to the networks defined in the textfield below are sent to the connected clients.

Networks

The networks specified in this textfield are sent to the connected clients, when the previous checkbox has been ticked.

Push this domain

By ticking this checkbox, the search domain defined in the textfield on the right-hand side, is added to those of the connected clients.

Note

The options Push these nameservers and Push domain only work for clients running the Microsoft Windows operating system.

Domain

The domain that will be used to identify the servers and network resources in the VPN network (i.e., the search domain).

Authentication type

The authentication type for this instance of OpenVPN. By default it will inherit the global configuration. However, this can be overridden by specifying manually one of the available options here. They are: PSK (username/password), X.509 certificate and X.509 certificate & PSK (two factor). They are the same as in the global option.

Cipher

This drop-down menu allows to choose the cipher that is used by the OpenVPN server. The default value is Auto, which means that the cipher is automatically negotiated.

Message digest algorithm

This drop-down menu allows to choose the message digest algorithm that is used by the OpenVPN server. The default value is Auto, which means that the cipher is automatically negotiated.

Disable channel encryption

When this option is ticked, the whole VPN traffic through this instance will NOT be encrypted, i.e., it will be in plain text. Moreover, the previous two options will disappear.

Warning

It is strongly suggested to not disable encryption on the OpenVPN server, as the whole traffic will not be encrypted and could be read in case the communication is intercepted.

The first time the service is started a new, self-signed CA certificate for this OpenVPN server is generated, an operation that may take a long time. After the certificate has been generated, it can be downloaded by clicking on the Download CA certificate link. This certificate must be used by all the clients that want to connect to this OpenVPN server, otherwise they will not be able to access.

After the server has been set up, it is possible to create and configure accounts for clients that can connect to the Endian Hotspot Appliance in the Authentication tab.

Enabled

Tick this checkbox to make sure the OpenVPN server is started.

Troubleshooting VPN connections.

While several problem with VPN connections can be easily spotted by looking at the configuration, one subtle source of connections hiccups is a wrong value of the MTU size. The Endian Hotspot Appliance sets a limit of 1450 bytes to the size of the VPN’s MTU, to prevent problems with the common MTU value used by the ISP, which is 1500. However, some ISP may use a MTU value lower that the commonly used value, making the Endian MTU value too large and causing therefore connection issues (the most visible one is probably the impossibility to download large files). This value can be modified by accessing the Endian Hotspot Appliance from the CLI and following these guidelines:

  1. Write down the MTU size used by the ISP (see link below).

  2. Login to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.

  3. Edit the OpenVPN template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.

  4. Search for the string mssfix 1450.

  5. Replace 1450 with a lower value, for example 1200.

  6. Restart OpenVPN by calling: jobcontrol restart openvpnjob.

See also

More information about the MTU size.

VPN client download

Click on the link to download the Endian VPN client for Microsoft Windows and MacOS X from the Endian Network. A valid account on Endian Network is required.

Table Of Contents

Previous topic

The VPN Menu

Next topic

OpenVPN client (Gw2Gw)

Documentation archive

Version 5.1
Version 5.0
Version 3.2
Version 3.0
Version 2.5
Version 2.4
Version 2.3
Version 2.2
Version 2.1

Other products

Endian UTM 5.2
Endian 4i Edge 5.2