OpenVPN client (Gw2Gw)

Current tunnels

In this page appears the list of the UTM's connections as OpenVPN clients to remote OpenVPN servers. For every connection, the list reports the status, the name, additional options, a remark, and the available actions.

The status is closed when the connection is disabled, established when the connection is enabled, and connecting… while the connection is being established. When authentication fails, Authentication failed appears as status.

To create a new OpenVPN client connection, click on the Add new VPN tunnel button and configure the necessary options.

Note

Multiple OpenVPN client connections can be configured and running at the same time.

Configure a new tunnel

There are two types of settings that can be configured for each tunnel configuration: The basic one includes mandatory options for the tunnel to be established, while the advanced one is optional and normally should be changed only if the OpenVPN server has a non-standard setup.

Tunnel details

Tunnel name

A label to identify the connection.

Connect to

The remote OpenVPN server’s FQDN or IP address, port, and protocol in the form myvpn.example.com:port:protocol or ip.address:port:protocol.

Hint

The port and protocol are optional and, if not specified, fall back to their default values, which are 1194 and UDP respectively when not specified. The protocol must be written in lowercase letters.

Upload certificate file

The server certificate needed for the tunnel connection. Click on Choose certificate file to search for the file.

Note

If the server is configured to use PSK authentication (password/username), the server’s host CA certificate must be uploaded to the UTM. If the remote server is another Endian appliance, it can be downloaded from Menubar ‣ VPN ‣ OpenVPN server.

Otherwise, to use certificate-based authentication, the server’s PKCS#12 file must be uploaded. If the remote server is another Endian appliance, it can be downloaded by first going under Menubar ‣ VPN ‣ Certificates ‣ Certificates and then click on the corresponding icon in the action column of the certificate selected for the tunnel.

Depending on the uploaded certificate file, either of the next two options appears

PKCS#12 challenge password

Insert here the Challenge password, if one was supplied to the CA before or during the creation of the certificate. This is only needed when uploading a PKCS#12 certificate.

Username, Password

If the server is configured to use PSK authentication (password/username) or certificate plus password authentication, provide here the username and password of the account on the OpenVPN server.

Remark

A comment on the connection.

Authentication

If the tunnel requires also PSK besides the certificate, enter them here.

Username

The username needed to authenticate to the remote OpenVPN server.

Password

The password associated to the username.

advanced

Advanced settings

In the Advanced settings box, additional options can be modified, though the values should be modified only if the server side has been configured with non-standard values. The default values for these options are those of other typical Endian appliances.

connection configuration

Fallback VPN servers

One or more (one per line) fallback OpenVPN servers in the same format used for the primary server, i.e., myvpn.example.com:port:protocol or ip.address:port:protocol. The port and protocol values default to 1194 and udp respectively when omitted. If the connection to the main server fails, one of these fallback servers will take over.

Hint

The protocol must be written in lowercase letters.

Device type

The device used by the server, which is either TAP or TUN.

Connection type

This drop-down menu is not available if TUN has been selected as Device type, because in this case the connection type is always routed. Available options are routed (i.e., the client acts as a gateway to the remote LAN) or bridged (i.e., the client firewall appears as part of the remote LAN). the next two options

Bridge to

This field is only available if TAP has been selected as Device type and the connection type is bridged. From this drop-down menu, select the zone to which this client connection should be bridged.

NAT

This option is not available if the Connection type is Bridged. When this checkbox is ticked, The UTM will be hidden behind the OpenVPN servers’ IP address and not directly reachable from incoming connections to the OpenVPN server.

Block DHCP responses coming from tunnel

Tick this checkbox to avoid receiving DHCP responses from the LAN at the other side of the VPN tunnel that conflict with a local DHCP server.

Use LZO compression

Compress the traffic passing through the tunnel, enabled by default.

Disable channel encryption

When this option is ticked, the whole VPN traffic through this instance will NOT be encrypted, i.e., it will be in plain text. Moreover, the previous two options will disappear.

Warning

It is strongly suggested to not disable encryption on the OpenVPN server, as the whole traffic will not be encrypted and could be read in case the communication is intercepted.

Accept weak server certificate

This option allows to establish the tunnel to an OpenVPN server whose certificate has been signed with a weak cipher like MD5.

Warning

This option should remain disabled and certificates generated using MD5 should not be used anymore, because they are highly insecure. This option is meant as a temporary workaround and it is strongly suggested to regenerate all certificates if they are using MD5 ciphers.

How to use a VPN client behind a HTTP proxy.

If the UTM can access the Internet only through an upstream HTTP proxy, it can still be used as an OpenVPN client in a Gateway-to-Gateway setup, providing the following two requirements are satisfied.

  • The TCP protocol must be selected on both sides of the VPN tunnel (Server and Client).

  • The account information for the HTTP upstream proxy must be provided in the specific section of the OpenVPN configuration (see the next options right below this box).

Protocol

The protocol used by the server: UDP (default) or TCP. Set to TCP only if an HTTP proxy should be used: In this case, the next options show up.

HTTP proxy configuration

HTTP proxy

The HTTP proxy host, e.g., proxy.example.com:port, with the port defaulting to 8080 if not entered.

Proxy username, Proxy password

The proxy account information: The username and the password.

NTLM proxy authentication

Tick the checkbox to use NTLM authentication on the proxy.

Forge proxy user-agent

A forged user agent string can be used in some cases to disguise the UTM as a regular web browser, i.e., to contact the proxy as a browser. This operation may prove useful if the proxy accepts connections only for some type of browsers.

Encryption

Cipher

Select the cipher used to encrypt the OpenVPN traffic with the server. The default value is Auto, which means, that the cipher used by the client will be the same configured on the server.

TLS Authentication

Once the connection has been configured, a new box at the bottom of the page will appear, called TLS authentication, that can be used to upload a TLS key file to be used for the connection. These options are available.

Upload a TLS key

Click on the Choose TLS key file to choose the key file to upload, searchable on the local workstation.

Direction

This value is set to 0 on servers and to 1 on clients. A third option of omit can be used, to use the same key for both traffic directions.

Note

The omit value reduces the encryption security; for more information check the openvpn(8) manpage on a Linux box, especially section Data Channel Encryption Options, and the various options involved, --secret, --tls-auth, --tls-direction, and similar.