OpenVPN server

When configured as an OpenVPN server, the Connect Switchboard can accept remote connections from the uplink and allow a VPN client to be set up and interact with the local resources as if it were a local workstation or server.

The OpenVPN server on the Connect Switchboard allows several server instances to run concurrently, provided the CPU has a sufficient number of cores: for every CPU core, one OpenVPN instance is allowed. Each instance listens on a different port, and accepts incoming connections to that port only.

Moreover, when the hardware on which Connect Switchboard is installed has multiple CPU cores, every instance may be assigned more than one core, thus increasing the throughput and data processing capacity of that instance.

The first time the service is started a new, self-signed CA certificate for this OpenVPN server is generated and can be downloaded by clicking on the Download certificate link. It can later be used by all the clients that want to connect to this OpenVPN server.

Finally, after the server has been configured, it is possible to create and configure accounts for clients that can connect to the Connect Switchboard in the Authentication page.

The OpenVPN server module is composed of four pages, namely Server configuration, Server instances, EasyVPN, and VPN client download.

Server configuration

This page shows a switch, Disabled, which when clicked starts the OpenVPN server and all services related to it (e.g., the VPN firewall, if enabled).

Note

When starting the OpenVPN server for the first time, the root and host certificates are generated automatically.

Below, there are two boxes: OpenVPN settings, which allows setting up global settings shared by all the instances, and OpenVPN Instances, which contains the list of the OpenVPN server instances defined on the Connect Switchboard.

OpenVPN settings

The box on the top shows the current OpenVPN settings, which concern the authentication method, and are:

Authentication type

Type

There are three available authentication methods to connect clients to the OpenVPN server running on the Connect Switchboard:

A password-based connection is established after providing a correct username/password combination.

A certificate-based connection requires only a valid certificate to be established.

Two-factor authentication requires both a valid certificate and a username/password combination.

Warning

When employing certificate-only authentication, any client with a valid certificate will be granted access to the OpenVPN server even without a valid account!

Connect Switchboard's default method is PSK (username/password): the client authenticates using username and password. To use this method, no additional change is needed, while the other two methods are described below.

Server certificate

Certificate configuration

This drop-down menu is used to select how the server certificate is chosen or created. The available options are:

Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

A new drop-down menu appears, to allow the selection of a certificate that has already been created and stored on the Connect Switchboard.

Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open in which to specify all options necessary to create a new certificate. These are the same found in the new certificates generation editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.

By clicking on the Browse… button that appears underneath the drop-down menu, it is possible to select an existing certificate on the workstation and upload it. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.

The Browse… button that appears underneath the drop-down menu can be clicked to select an existing certificate signing request on the workstation and upload it. The validity of the certificate in days can be provided in the textfield on the right-hand side.

When a certificate has been chosen, the name of the currently used certificate and the View details link appear below the Certificate configuration drop-down menu. The latter will show all information about the certificate when clicked.

By clicking on Download certificate, it will be possible to download the certificate necessary for the connecting clients.

Advanced options

In the Advanced options panel, a few options are available to customise the OpenVPN server.

Delay triggers

Ticking the checkbox delays the triggers launched whenever a client connects to or disconnects from the OpenVPN server. Since triggers are mostly a reload of routing and firewall rules, this option proves useful when many clients connect or disconnect at the same time.

Log verbosity

This option sets the amount of messages written to the log file. The default value is 1, which means that only the most relevant messages are written to the log file; it can be increased up to 5.

Hint

A good value for debugging is 4.

Create a DNS entry for each connected client

When this option is ticked, whenever a client connects it receives an entry in the local DNS server, so that other clients can reach it easily. The next option will appear.

Clients DNS entry prefix

A custom prefix prepended to the username of a client to uniquely identify it in the local DNS.

Hint

If the prefix written here is vpn, the entry will be vpn-username, like e.g., vpn-johndoe.

Server instances

This page shows the list of already defined OpenVPN instances; for each of them, the name, a remark, and some details about the configuration are displayed, namely: the port on which the instance is listening, the protocol, the type of device, the type of network, the authentication and certificate used, and the available actions.

Above the table, the Add new OpenVPN server instance button allows to define a new server instance and is followed by the list of the OpenVPN server instances defined.

Note

The number of allowed OpenVPN instances depends on the number of CPU cores of the appliance: at most one defined (enabled or not) instance per core is permitted; otherwise, the message Maximum number of OpenVPN server instances exceeded is shown. To check the number of CPU cores, look at the CPU Load widget in the Dashboard, or use the command ds openvpn.settings.ALLOWED_INSTANCES from the command line.

Add new OpenVPN instance

In the editor, the following configuration options are shown.

Name

The name given to the OpenVPN server instance.

Remark

A comment for this instance.

Bind only to

The IP address on which the instance should listen.

Port

The port on which the instance waits for incoming connections.

Note

Each server must be configured on a different port.

Network Options

Device type

The device used by the instance, chosen between TUN and TAP from the drop-down menu. TUN devices require that the traffic be routed, hence the option Bridged below is not available for TUN devices.

Protocol

The protocol used, chosen between TCP and UDP from the drop-down menu.

Bridged

Tick this option to run the OpenVPN server in bridged mode, i.e., within one of the existing zones.

The following options will appear.


Bridged to

The zone to which the OpenVPN server should be bridged. The drop-down menu shows only the available zones.

Dynamic IP pool start address

The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Dynamic IP pool end address

The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.


VPN subnet

This option is the only one available if bridged mode is disabled. It allows the OpenVPN server to run in its own, dedicated subnet, which can be specified in the text box and should be different from the subnets of the other zones.

Note

If the OpenVPN server is routed, the clients will receive their IP addresses from a dedicated subnet. In this case, appropriate firewall rules in the VPN firewall should be created, to make sure the clients can access a zone, or just some resource (e.g., a source code repository) therein. If the OpenVPN server is bridged, it inherits the firewall settings of the zone it is defined in.

Routed and bridged OpenVPN server, static and dynamic IP addresses.

When configuring a reserved pool of IP addresses for OpenVPN clients, it is necessary to keep in mind a few rules that will keep the networking setup cleaner and help in troubleshooting, if needed.

  • Before starting the configuration of the server on a multicore architecture, keep in mind that, regardless of bridged or routed mode, any reservation of static IP addresses is ignored. In other words, a client connecting to this VPN server will always receive a dynamic IP address, even if it is configured with a static IP assignment.

  • The first choice is to define whether the OpenVPN server should act in routed or bridged mode. In routed mode, it is necessary to define a dedicated VPN subnet that must be different from any other defined on the Firewall. Moreover, the traffic directed to this subnet has to be filtered, if necessary, using the VPN firewall. In bridged mode, the OpenVPN server considers the clients as physically connected to that zone, i.e., the OpenVPN server bridges the clients to one of the zones. In this case, a pool of IP addresses must be defined within the zone; it must be entirely contained in the zone's subnet and be smaller than it. It is also important to make sure that this pool does not conflict with other pools defined in that zone, e.g., those of a DHCP server.

  • In bridged mode it is possible to assign a static IP address to some (or even all) users; good practice suggests defining it outside of any IP pool defined in that zone, to prevent both an IP address conflict and wrong routing. Traffic to these IPs can then be filtered using the VPN (or IPsec) user as source or destination of traffic in the firewall rules.
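The rules above can be checked before committing an instance configuration. The following is an added example, not Connect Switchboard code: a hypothetical validator using Python's ipaddress module, run over a constructed GREEN zone with a DHCP pool.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical helper written for this page, not part of Connect Switchboard.
# It checks the address-planning rules for routed and bridged OpenVPN instances.

NET = ipaddress.ip_network
IP = ipaddress.ip_address


@dataclass
class Pool:
    """A contiguous address range already reserved in a zone (e.g. a DHCP pool)."""
    label: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    def overlaps(self, start, end):
        return self.start <= end and start <= self.end


@dataclass
class Zone:
    name: str
    subnet: ipaddress.IPv4Network
    pools: list = field(default_factory=list)


def check_routed(vpn_subnet, zones):
    """Routed mode: the dedicated VPN subnet must not overlap any zone subnet."""
    return [f"VPN subnet {vpn_subnet} overlaps zone {z.name} ({z.subnet})"
            for z in zones if vpn_subnet.overlaps(z.subnet)]


def check_bridged(zone, start, end, static_ips=()):
    """Bridged mode: the dynamic pool must lie inside the zone's subnet, be
    smaller than it and not collide with other pools of the zone; static
    client IPs should sit outside every pool, including the VPN pool itself."""
    problems = []
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start not in zone.subnet or end not in zone.subnet:
        problems.append(f"pool {start}-{end} is not contained in {zone.subnet}")
    if int(end) - int(start) + 1 >= zone.subnet.num_addresses:
        problems.append(f"pool {start}-{end} is not smaller than {zone.subnet}")
    for pool in zone.pools:
        if pool.overlaps(start, end):
            problems.append(f"pool {start}-{end} conflicts with {pool.label} "
                            f"({pool.start}-{pool.end})")
    vpn_pool = Pool("OpenVPN dynamic pool", start, end)
    for ip in static_ips:
        for pool in (*zone.pools, vpn_pool):
            if pool.overlaps(ip, ip):
                problems.append(f"static IP {ip} lies inside {pool.label}")
    return problems


# Constructed sample topology: one GREEN zone whose DHCP server hands out .100-.200.
GREEN = Zone("GREEN", NET("192.168.1.0/24"),
             [Pool("DHCP pool", IP("192.168.1.100"), IP("192.168.1.200"))])
ZONES = [GREEN]

if __name__ == "__main__":
    print(check_routed(NET("10.8.0.0/24"), ZONES))          # [] -> fine
    print(check_routed(NET("192.168.1.0/24"), ZONES))       # overlaps GREEN
    print(check_bridged(GREEN, IP("192.168.1.150"), IP("192.168.1.180")))  # DHCP clash
    print(check_bridged(GREEN, IP("192.168.1.210"), IP("192.168.1.240"),
                        static_ips=[IP("192.168.1.220"), IP("192.168.1.50")]))
```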

Certificate

Certificate configuration

This drop-down menu is used to select how the instance certificate is chosen or created. The available options are:

Select one certificate from those available, shown on the right-hand side of the drop-down menu. It is possible to see the full details of this certificate by clicking on the View details hyperlink.

A new drop-down menu appears, to allow the selection of a certificate that has already been created and stored on the Connect Switchboard.

Create a new certificate from scratch. This option is only available if no host certificate has already been generated. A form will open in which to specify all options necessary to create a new certificate. These are the same found in the new certificates generation editor, with two slight changes: Common name becomes System hostname and Organizational unit name becomes Department name.

By clicking on the Browse… button that appears underneath the drop-down menu, it is possible to select an existing certificate on the workstation and upload it. The password for the certificate, if needed, can be provided in the textfield on the right-hand side.

The Browse… button that appears underneath the drop-down menu can be clicked to select an existing certificate signing request on the workstation and upload it. The validity of the certificate in days can be provided in the textfield on the right-hand side.

When a certificate has been chosen, the name of the currently used certificate and the View details link appear below the Certificate configuration drop-down menu. The latter will show all information about the certificate when clicked.

Advanced options

In the Advanced options box, additional options can be configured.

Number of processes

The drop-down menu allows choosing how many CPU cores of the Connect Switchboard can be used by the instance; hence the options in the drop-down menu may vary.

Note

This option is present only on appliances with multicore CPU.

Allow multiple connections from one account:

Normally, one client is allowed to connect from one location at a time. Selecting this option permits multiple client logins, even from different locations. However, when the same client is connected twice or more, the VPN firewall rules no longer apply.

Block DHCP responses coming from tunnel

Tick this checkbox when receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with the local DHCP server.

Client to client connections

Select from the drop-down menu how the clients of the OpenVPN server may communicate with each other. This option is only available on single-process servers, i.e., on servers running only one instance of the OpenVPN server.

The clients will not be able to communicate one to the other.

With Allow direct connections, the clients can communicate directly with each other but filtering is not possible.

When option Filter connections in the VPN firewall is selected, the clients can communicate with each other, but their traffic is redirected to the VPN Firewall and can be filtered using suitable rules there.

Renegotiation data channel key interval

This option allows to modify the time interval after which the data channel key will be renegotiated. The value is measured in seconds, with the default value set to 3600 seconds.

Push options

Push these nameservers

By ticking this checkbox, the nameservers specified in the textfield below are sent to the clients upon connection.

Nameservers

The nameservers specified in this textfield are sent to the connected clients, when the previous checkbox has been ticked.

Push these networks

By ticking this checkbox, the routes to the networks defined in the textfield below are sent to the connected clients.

Networks

The networks specified in this textfield are sent to the connected clients, when the previous checkbox has been ticked.

Push this domain

By ticking this checkbox, the search domain defined in the textfield on the right-hand side, is added to those of the connected clients.

Domain

The domain that will be used to identify the servers and network resources in the VPN network (i.e., the search domain).

Note

The options Push these nameservers and Push domain only work for clients running the Microsoft Windows operating system.

Authentication type

Authentication

The authentication type for this instance of OpenVPN. By default it will inherit the global configuration. However, this can be overridden by specifying manually one of the available options here, which are the same as in the global options: PSK (username/password), X.509 certificate and X.509 certificate & PSK (two factor).

Encryption

Cipher

This drop-down menu allows to choose the cipher that is used by the OpenVPN server. The default value is Auto, which means that the cipher is automatically negotiated.

Message digest algorithm

This drop-down menu allows choosing the message digest algorithm that is used by the OpenVPN server. The default value is Auto, which means that the digest algorithm is automatically negotiated.

Disable channel encryption

When this option is ticked, the whole VPN traffic through this instance will NOT be encrypted, i.e., it will be in plain text. Moreover, the previous two options will disappear.

Warning

It is strongly suggested to not disable encryption on the OpenVPN server, as the whole OpenVPN traffic will not be encrypted but will flow as plain text and could be easily read in case the communication is intercepted.

Use certificates with weak signature algorithm

This option allows OpenVPN clients to connect to the Connect Switchboard's OpenVPN server even if the server's CA has been signed with a weak signature algorithm such as MD5.

Warning

This option should remain disabled and certificates signed using MD5 should not be used anymore, because they are highly insecure. This option is meant as a temporary workaround and it is strongly suggested to regenerate all certificates that use MD5 signatures.

Enabled

Tick this checkbox to make sure the OpenVPN server instance is started.

Troubleshooting VPN connections.

While several problems with VPN connections can be easily spotted by looking at the configuration, one subtle source of connection hiccups is a wrong value of the MTU size. The Connect Switchboard sets a limit of 1450 bytes to the size of the VPN's MTU, to prevent problems with the common MTU value used by the ISP, which is 1500. However, some ISPs may use an MTU value lower than the commonly used value, making the Endian MTU value too large and therefore causing connection issues (the most visible one is probably the impossibility to download large files). This value can be modified by accessing the Connect Switchboard from the CLI and following these guidelines:

  1. Write down the MTU size used by the ISP (see link below).

  2. Login to the CLI, either from a shell or from Menubar ‣ System ‣ Web Console.

  3. Edit the OpenVPN template with an editor of choice: nano /etc/openvpn/openvpn.conf.tmpl.

  4. Search for the string mssfix 1450.

  5. Replace 1450 with a lower value, for example 1200.

  6. Restart OpenVPN by calling: jobcontrol restart openvpnjob.
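Steps 3 to 5 can be scripted instead of edited by hand. The following is an added example, not an Endian tool: a hypothetical Python helper that lowers the mssfix directive in the template text, refusing values that are not actually lower, and is shown here on a constructed excerpt standing in for /etc/openvpn/openvpn.conf.tmpl.

```python
import re

# Hypothetical helper written for this page; it is not part of Connect Switchboard.
# It rewrites the mssfix directive in a copy of the OpenVPN template text so the
# change can be reviewed before it replaces /etc/openvpn/openvpn.conf.tmpl.

DEFAULT_MSSFIX = 1450  # the limit the Connect Switchboard ships with

# Constructed excerpt standing in for the real template, which has more directives.
SAMPLE_TEMPLATE = """\
proto udp
dev tun
mssfix 1450
keepalive 10 60
"""

_MSSFIX = re.compile(r"^(?P<prefix>\s*mssfix\s+)(?P<value>\d+)\s*$", re.MULTILINE)


def current_mssfix(template_text):
    """Return the configured mssfix value, or None if the directive is absent."""
    match = _MSSFIX.search(template_text)
    return int(match.group("value")) if match else None


def lower_mssfix(template_text, new_value):
    """Return the template text with mssfix set to new_value.

    Only lowering is allowed: the point is to stay below an ISP MTU that is
    smaller than the usual 1500, so a value at or above the current one is
    rejected, as is a template without the directive."""
    current = current_mssfix(template_text)
    if current is None:
        raise ValueError("no mssfix directive found in template")
    if not 0 < new_value < current:
        raise ValueError(f"new value {new_value} must be lower than {current}")
    return _MSSFIX.sub(lambda m: f"{m.group('prefix')}{new_value}",
                       template_text, count=1)


def lower_mssfix_or_none(template_text, new_value):
    """Same as lower_mssfix, but returns None instead of raising."""
    try:
        return lower_mssfix(template_text, new_value)
    except ValueError:
        return None


if __name__ == "__main__":
    # Step 5 of the procedure on the sample: 1450 -> 1200.
    print(lower_mssfix(SAMPLE_TEMPLATE, 1200))
```

After writing the result back to the template, OpenVPN still has to be restarted as in step 6.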

See also

More information about the MTU size.

EasyVPN

The page contains a switch Disabled that needs to be clicked to enable the Plug & Connect procedure, which allows the management of remote Endian devices from the current Connect Switchboard.

If the procedure has never been carried out, the page contains an empty table that will contain the list of remote devices, with the following information:

  • The device name, which must be unique.

  • The IP Address of the remote, assigned by the OpenVPN server.

  • The description of the device.

  • The available actions.

Above the table, there are three buttons: Plug & Connect (Autoregistration) starts the procedure to automatically register a device (see further on), Add gateway allows defining a gateway manually, while a click on Advanced settings allows configuring some global options.

Plug & Connect vs. Add gateway

Both the autoregistration (Plug & Connect) and the manual registration (Add gateway) methods are intended to allow clients to remotely connect, through the Connect Switchboard, to gateways and endpoints by means of virtual IPs. The two procedures are however intended as alternatives to each other and have different pros and cons.

Plug & Connect allows deploying a device in a remote location and immediately building a VPN connection to the Connect Switchboard, registering it to the Endian Network, and adding endpoints that are located behind the remote appliance, which in fact acts as a gateway. Its strong point is that it is quick and requires only a little information (activation code and passwords) and an internet connection to have a working remote gateway. It does not allow a thorough configuration of the gateway's local network and other options.

Manual registration, on the contrary, gives more control over the configuration of the remote gateway, allowing the company data and networking to be fully configured. It is however slower and may require knowing in advance the network topology of the gateways and endpoints.

Plug & Connect (Autoregistration)

The Plug & Connect procedure allows to register a remote Endian appliance that can be managed by the current Connect Switchboard.

Note

The appliance must be registered to the Endian Network before the Plug & Connect procedure can be applied.

When clicking on Plug & Connect (Autoregistration), the three-step procedure starts, provided the Endian Network credentials have been saved in the Advanced settings; otherwise a Step 0 precedes the procedure and allows recording the credentials:

Endian network account

Write the username used to register the Connect Switchboard to Endian Network.

Endian network password or registration key

Write the password or the registration key used to register the Connect Switchboard.

In the first step, only one option is available.

Activation Code

Enter the activation code of the remote appliance to register to the Connect Switchboard, then click on Next >> to proceed.

In the next step, the following options are available:

Device name

The name given to the device, which must be unique.

Description

An optional description of the gateway.

Admin (Web user) password

The password of the admin user on the remote device.

Note

The password must be at least 8 characters long and must include a non-alphanumeric character.

Use the same password for admin (Web) and root (SSH)

Tick the checkbox if the passwords of the admin and root users on the remote device are the same. If not ticked, the next option appears.

Root (SSH) user password

The password of the root user on the remote device.

Warning

The passwords provided here will overwrite those on the remote gateway!

Endpoints

Write the IP address of any endpoint that is reachable through the remote device. Click on the + to add more.

When done, click on Next >> to proceed to the last step. Here no option is available; follow the instructions and click on Continue. Once done, the appliance will appear in the list.

See also

A detailed description of the plug & connect procedure, which includes the requirements to start the procedure, a more in-depth description, and troubleshooting options, can be found in article Endian Cloud - Plug & Connect.

Add Gateway

When clicking on Add gateway, it will be possible to manually add a device.

Note

This page is the same that is displayed when editing a gateway, by clicking on the edit icon in the Actions column of the Gateway table.

In the new page, options are grouped in two tabs, Gateway and Provisioning.

Gateway

In this tab it is possible to modify some of the properties of the remote gateway.

Name

The name assigned to the new gateway, which must be unique.

Description

A description for the device.

Password, Confirm password

The password to access the gateway. Click the eye icon on the right-hand side of the textbox to show the password in clear text.

Maximum number of endpoints

An approximate estimate of the number of endpoints that will be managed by the gateway.

Endpoints

A table showing all the endpoints controlled by the gateway, along with the following information:

  • The name of the endpoint.

  • The endpoint’s IP address.

  • A description of the endpoint.

Each field in each table’s row can be edited by double-clicking on it.

The management of the endpoints can be done using the buttons at the bottom of the table:

Add row

This option allows a new endpoint to be added to the gateway. Its configuration can be carried out by double-clicking on the fields of the new row.

Delete row

By clicking on this button, the highlighted endpoint is removed from the gateway. This button is active only when one row is selected.

Warning

The deletion of a row is immediate and cannot be reversed.

Show CSV

This button toggles between the table and a textfield containing the same information in CSV format, which is useful to export the configuration of all endpoints.

Provisioning

In this section it is possible to define more precisely the configuration of a remote gateway. The available configuration options are:

Model

Choose the model of the device from those available in the drop-down menu.

Activation code

The activation code used to set up the gateway.

Note

Depending on the type of the model chosen, some of the options available will be automatically filled in with suitable values.

General settings

Root password

Choose the password for the root user, used for SSH (console) access.

Admin password

Choose the password for the admin user, used for HTTPS (browser) access.

Host name

The hostname of the gateway.

Domain name

The gateway’s domain name.

Company

The company to which the gateway belongs.

E-mail

The reference e-mail for the gateway, usually of the responsible person for that gateway.

Timezone

The timezone in which the gateway is located.

Country

The country where the gateway is located.

Uplink

Red type

The type of the RED interface, i.e., how the gateway connects to the Internet. The available types are: DHCP, Static, No uplink, Mobile Broadband 3G/4G, and UMTS.

Red device

The interface that connects the gateway to the Internet. The available options in this drop-down menu are determined by the Model chosen above. This option does not appear when the Red type is set to No uplink.

The following options are displayed according to the selected Red type. When DHCP is chosen, none of them appears.

Red IPs/CIDRs

The IP address of the RED interface. This option appears only when the RED type is Static.

Red gateway IP

The IP address of the gateway for the RED interface. This option and the next one are needed to access the Internet and appear only when the RED type is Static or No uplink.

DNS Servers

The IP addresses of the DNS servers used by the gateway, one per line. It appears only when the RED type is Static or No uplink.

Access Point Name

The name of the access point; it appears only when the Red type is Mobile Broadband 3G/4G or UMTS.

Modem Type

This option appears only for the 3G/4G Red type and allows selecting the type of modem to be used from the drop-down menu, among those available: GSM or CDMA.

Zones

Green device

The interface of the GREEN zone, i.e., the one in which the endpoints are situated.

Green IPs/CIDRs

The IP address pool assigned to the GREEN zone.

Blue device

The interface of the BLUE zone.

Blue IPs/CIDRs

The IP address pool assigned to the BLUE zone.

Orange device

The interface of the ORANGE zone.

Orange IPs/CIDRs

The IP address pool assigned to the ORANGE zone.

OpenVPN

Custom OpenVPN server IP/FQDN, port, and protocol

A custom address used by the endpoint to connect to the OpenVPN server.

Hint

The format to be used for the address in this and in the next option is hostname.domain:port:protocol or IP.address:port:protocol, where port and protocol are optional; hence valid values include vpn.example.com:1197:udp and 123.45.67.89:1192.

If the protocol is specified, the port must be specified as well.
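The address format just described, including the rule that a protocol requires a port, can be validated before it is entered. The following is an added example, not Connect Switchboard code: a hypothetical Python parser for host[:port[:protocol]] values, which assumes udp and tcp as the only protocols and a hostname or IPv4 address as host.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Hypothetical parser written for this page; not part of Connect Switchboard.
# Accepted shapes: host, host:port, host:port:protocol, where host is a
# hostname such as vpn.example.com or an IPv4 address such as 123.45.67.89.
# Assumption: only the protocols udp and tcp are valid.

PROTOCOLS = ("udp", "tcp")
# One DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class VpnEndpoint(NamedTuple):
    host: str
    port: Optional[int]
    protocol: Optional[str]


def _valid_host(host):
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass  # not a dotted-quad, fall back to hostname rules
    return (bool(host) and len(host) <= 253
            and all(_LABEL.match(label) for label in host.split(".")))


def parse_vpn_endpoint(value):
    """Parse 'host[:port[:protocol]]'; raise ValueError on any malformed input."""
    parts = value.strip().split(":")
    if len(parts) > 3:
        raise ValueError(f"too many fields in {value!r}")
    host = parts[0]
    if not _valid_host(host):
        raise ValueError(f"invalid host {host!r}")
    port = protocol = None
    if len(parts) >= 2:
        # The port is mandatory whenever a protocol follows it, so an empty
        # port field ("host::udp") is rejected here as well.
        if not parts[1].isdigit() or not 1 <= int(parts[1]) <= 65535:
            raise ValueError(f"invalid port {parts[1]!r}")
        port = int(parts[1])
    if len(parts) == 3:
        protocol = parts[2].lower()
        if protocol not in PROTOCOLS:
            raise ValueError(f"invalid protocol {parts[2]!r}")
    return VpnEndpoint(host, port, protocol)


def parse_or_none(value):
    """Convenience wrapper returning None instead of raising."""
    try:
        return parse_vpn_endpoint(value)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ("vpn.example.com:1197:udp", "123.45.67.89:1192",
                   "vpn.example.com", "vpn.example.com::udp"):
        print(f"{sample:28} -> {parse_or_none(sample)}")
```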

OpenVPN through HTTP proxy

Tick the checkbox when the gateway uses a proxy for its connection to the Internet. The next four options will appear to configure that proxy.


Upstream server

The IP address of the upstream proxy server.

Upstream port

The port on which the proxy service runs on the server.

Upstream username

The username to connect to the proxy server, if needed.

Upstream password

The password to connect to the proxy server, if needed.

Upstream NTLM proxy authentication

Click the checkbox if the upstream HTTP proxy requires NTLM Authentication.

Forge proxy user-agent

If the upstream HTTP proxy needs to be contacted with a given user-agent, write it here.


Advanced settings

In this section it is possible to configure a few additional options.

Network

Global virtual IP pool

This option defines the IP address subnet from which the addresses of the gateways are taken.

OpenVPN server public IP/FQDN and port

The public IP address or FQDN to be assigned to the OpenVPN server.

Provisioning

Endian Network account

The username used to access Endian Network.

Endian Network password or registration key

The password of the Endian Network account or the Connect Switchboard's registration key.

New gateways default model

Choose from the drop-down menu the default model for newly added gateways.

VPN client download

Click on the Download … button to download the Endian ConnectApp, a friendly OpenVPN client for Microsoft Windows and MacOS X from the Endian Network.

Note

A valid account on Endian Network is required for the download.