OpenVPN
From UntangleWiki
About OpenVPN
OpenVPN is an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site configurations. When you create new clients or sites, OpenVPN creates a custom executable for each client that contains the client, configuration, and authentication information. Users simply need to install the custom executable on their computers. OpenVPN supports the following operating systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
Supported VPN Configurations
A Virtual Private Network (VPN) is a secure connection between a remote host or network and a local network over an otherwise insecure medium (i.e., the Internet). With any VPN connection, there is a client and a server. Your Untangle Server can be a VPN server, allowing remote clients or sites to connect to the exported internal resources. Your Untangle Server can also be a VPN client, gaining access to remote VPN servers and their resources.
When you configure OpenVPN, you choose between two types of configurations:
Note: You can use both configurations simultaneously.
- VPN Server with Remote VPN Clients (Software Clients). Where remote VPN clients (remote computers) connect to a VPN server. The software VPN client connects to the server, establishing an encrypted communication channel. Each VPN client authenticates via a secure key unique to that client. Implicit is that the server is protecting network resources from another untrusted network (usually the Internet). The VPN connection allows the remote client to reside on an untrusted network yet access protected resources behind the VPN server.
- VPN Server with Remote VPN Sites (Hardware Clients). Where an entire remote network connects to a VPN server. A VPN site can represent many individual hosts (machines) within its protected network. This configuration is common for remote offices, where a handful of employees need to join the protected network at headquarters. When a group of computers (a network) establishes a VPN connection to a server, the group of computers is said to be a site. An Untangle Server can also act as a remote site, bridging the internal network at that remote location to another Untangle Server acting as a VPN server.
To create a VPN, the Untangle Server depends on the following:
Key Distribution
Implied in the establishment of a secure connection is not only encryption thereby preventing eavesdropping by malicious parties between the VPN client and server, but also authentication. OpenVPN within Untangle Server implements this security using keys. Each computer that wants to connect to a VPN server must have a key installed. The process of installing this key is known as key distribution. The Untangle Server can distribute this key to each VPN Client and VPN Site using the following options:
- USB key
Caution: For security, if a key is lost (for example, because a VPN user loses a laptop that has a key installed), you must invalidate that key.
Exports
A secure communication channel by itself is of only limited value. Once a client has established a VPN connection to a server, that server then exports network resources to the client. These exported resources are the protected machines or subnets, shielded from the untrusted network but reachable through the VPN connection.
This concept of exporting resources is a subtle one. A very simple VPN deployment may export the entire internal (protected) network to VPN clients. This can be thought of as the VPN client simply joining the internal network from a remote location through a secure channel. For many deployments, this might be appropriate. In other deployments, a further level of protection might be appropriate. For example, the most common use of VPN is employees working from home. Many homes now have wireless networks, which are not always properly secured. When users establish VPN connections from their homes, they can expose the corporation to any malware residing on their home network. To minimize this risk, you might choose to export specific network resources (for example, the intranet server) to VPN clients and not export other resources such as file servers, printers, and ERP systems that they normally might be able to access when at their desks at work. Therefore, you can export one of the following:
- Exported Address. The IP Address of a host (machine) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.
- Exported Network. A range of addresses (expressed as a subnet) within the protected network which will be visible to VPN clients or sites after they establish a VPN connection.
Address Pools
An address pool specifies a range of IP addresses that your Untangle Server assigns to VPN clients as they establish a secure VPN connection. These IP addresses are used on the internal (protected) network. For example, Emma initiates a VPN connection from her home. Her Internet Service Provider assigns her computer IP address 10.0.0.40. Afterward, she establishes her secure VPN connection to an Untangle Server, and the computers within the protected network see that her computer's IP address is 192.1.1.4. The Untangle Server to which Emma connected assigned IP address 192.1.1.4 to Emma's computer because this is one of the IP addresses in the address pool.
Creating a Virtual Private Network
1. Perform all the necessary prerequisite steps, and learn about the configuration requirements. Go to Prepare To Configure Your VPN Server.
2. Configure your Untangle Server as a VPN server. Go to Configure Untangle Server as a VPN Server.
3. Add VPN Sites and VPN Clients. Go to Add VPN Sites and VPN Clients.
4. Distribute the key and OpenVPN client software. Go to Distribute Keys and OpenVPN Client.
5. (VPN Site Configuration Only) Configure the branch office's router as a remote VPN site. Go to Configure Untangle Server as a Remote VPN Site.
6. Access a network resource, to test the VPN that you created.
Prepare To Configure Your VPN Server
There are two things that you need to know before you try to connect a branch office to your company's main office, or provide VPN Clients access to the virtual private network.
VPN Sites Only
Endpoints and the Address Pool must have unique IP address schemes. If the endpoints don't, you must change the address range on your DHCP server and any static IP addresses. You're probably asking yourself, "Which DHCP Server?" Good question. Choose the network that has the least number of static IP addresses, since changing static IP addresses is a manual task. You must make the change before you set up your virtual private network. For example, the following three schemes are distinct:
- Address Pool: 172.16.16.0
- VPN Server's Internal IP Address: 192.168.2.1
- VPN Site's Internal IP Address: 10.0.0.1
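The uniqueness check above (and the "my network died" FAQ further down, which is the same mistake) can be done mechanically before any renumbering. This is an added example, not code from the Untangle wiki; the page gives the pool as 172.16.16.0 with no netmask, so the /24 masks below are assumptions.

```python
# Added example (not from the Untangle wiki): verify that the address pool and
# the two endpoints' internal networks use distinct, non-overlapping schemes,
# as the "VPN Sites Only" prerequisite requires. The /24 masks are assumptions;
# the page lists the addresses without masks.
import ipaddress
from itertools import combinations

def find_overlaps(named_networks):
    """Return (name_a, name_b) pairs whose networks overlap.

    named_networks maps a label to a network in address/netmask or CIDR form,
    e.g. {"Address Pool": "172.16.16.0/255.255.255.0"}. An empty result means
    every scheme is unique and the VPN can be built without renumbering any
    DHCP range or static address.
    """
    parsed = {name: ipaddress.ip_network(net, strict=False)
              for name, net in named_networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]

# Scheme from the wiki's example (masks assumed): no conflicts expected.
GOOD_SCHEME = {
    "Address Pool": "172.16.16.0/255.255.255.0",
    "VPN Server internal": "192.168.2.1/255.255.255.0",
    "VPN Site internal": "10.0.0.1/255.255.255.0",
}

# Constructed counter-example: a branch office that happens to use the same
# 192.168.2.x range as headquarters, the case the page says must be renumbered
# before the VPN is set up.
BAD_SCHEME = {
    "Address Pool": "172.16.16.0/255.255.255.0",
    "VPN Server internal": "192.168.2.1/255.255.255.0",
    "VPN Site internal": "192.168.2.1/255.255.255.0",
}

if __name__ == "__main__":
    for label, scheme in (("good", GOOD_SCHEME), ("bad", BAD_SCHEME)):
        overlaps = find_overlaps(scheme)
        if overlaps:
            for a, b in overlaps:
                print(f"{label}: {a} overlaps {b}; renumber one of them first")
        else:
            print(f"{label}: all schemes unique")
```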
VPN Sites & VPN Clients
- Address Pool must be different from VPN Server's address scheme.
- Specific exports require static IP addresses. If you intend to provide remote clients access to a specific computer (such as a file server), provide that computer a static IP address if it does not already have a static IP address. Go to Assigning Network Computers Static IP Addresses.
- VPN Server (Untangle Server) must be configured to send email. Go to Configuring Server Email Traffic.
- OpenVPN must be installed. Go to Installing Software Products. Yes, this requirement is obvious, but I gotta say it.
Configure Untangle Server as a VPN Server
The first step in setting up a virtual private network is configuring the VPN Server. This procedure uses the OpenVPN Setup Wizard to configure your Untangle Server as a VPN Server so that VPN Clients and VPN Sites can connect to your company's protected network.
If you're trying to connect two site locations, and your Untangle Server is the gateway for the branch office and some other router acts as the gateway for the headquarters, configure the Untangle Server as a remote VPN Site, and configure the other router as the VPN Server. You're probably asking yourself, "What's the difference?" Good question.
The VPN Site can be a non-Untangle Server, but the troubleshooting is more complicated because you're working with third-party products: it's relatively easy to get a VPN Server to work, but sometimes getting a VPN Site to communicate with a VPN Server is a bit more challenging; however, Untangle is comfortable with getting its product to talk with any OpenVPN-based VPN Server. Of course, both endpoints can be Untangle Servers.
To configure an Untangle Server as a VPN Server:
Before You Begin: Prepare To Configure Your VPN Server.
- From OpenVPN, click the Configure as VPN Server button to launch the OpenVPN Setup Wizard. The Welcome page appears.
- Click the Next button. The Certificate page appears.
- Specify company and location information, and click the Next button. The Exports page appears.
- Add additional exports, edit the default export, or accept the default. By default, OpenVPN exports the entire network.
- If you want to accept the default and enable VPN users to access all resources on the network, in host/network name box, provide a descriptive name of the resource.
- If you only want VPN users to access a single computer, in the IP address text box and netmask text box, specify the computer's IP address and 255.255.255.255 subnet mask, then in host/network name text box, provide a descriptive name for the resource.
- Click the Next button.
- Click Close to complete the setup. Congratulations! Your Untangle Server is now a VPN server.
Exports enable you to define the computers and networks that you want to make visible to VPN clients and sites. A VPN server must export at least one network or computer; otherwise, your clients won't have any network resources to access.
Tip: If you want to configure VPN, but do not want to activate the configuration yet, clear the enabled check box to temporarily hide the resource from VPN users.
Next Step: Add VPN Sites and VPN Clients.
Add VPN Sites and VPN Clients
Now that you've configured your VPN Server, let's add VPN Sites or VPN Clients.
To add VPN Sites and VPN Clients:
- From OpenVPN, click the Advanced tab.
- Add at least one address pool as shown in Default Address Pool, and click the Next button.
- Untangle Client provides a default IP address for the address pool. Accept the default.
- Add more than one address pool if you plan to configure policies, as described in Policy Management. Normal installations only need one address pool.
- Each address pool describes a range of addresses, expressed in address and netmask syntax.
- Do one of the following:
- To configure for VPN Clients, provide VPN clients access to the address pool that you just created as shown in Providing Users VPN Access:
- Click the plus (add) button.
- In the Client name text box, type a descriptive name to identify the user. For example, you might use the user's computer name.
- In the Address pool drop-down list, choose the address pool to which you want to assign the user.
- To configure for VPN Sites, provide the VPN Site access to the address pool that you just created as shown in Providing Access to VPN Site:
- Click the plus (add) button.
- In the site name text box, specify a descriptive name of the site (for example, san_mateo_sales_office), and specify the internal IP address range on the remote network.
- In the Address pool drop-down list, choose the address pool to which you want to assign the user.
- Click the Update button, then Save. Congratulations! You've set up the virtual private network. Now you just need to give access.
Note: The distribution button doesn't appear in the distribution column until you add and save the VPN Clients to your configuration.
Note: The distribution button doesn't appear in the distribution column until you add and save the VPN Sites to your configuration. As outlined in Prepare To Configure Your VPN Server, each endpoint must have a different IP address scheme.
Next Step: Generate the required key. Go to Distribute Keys and OpenVPN Client.
Distribute Keys and OpenVPN Client
In order for VPN Clients and VPN Sites to connect to the VPN Server on the Untangle Server, they require site keys. VPN Clients, not VPN Sites, also require an OpenVPN client.
To generate a key and distribute the OpenVPN client:
- From OpenVPN, click the VPN Clients tab.
- Scroll to the VPN Clients section or VPN Sites section.
- In the distribute column, click the Distribute Client button as shown in Distributing Keys and OpenVPN Client. A Distribute VPN Client window appears.
- Do one of the following:
- For VPN Clients, specify the user's email address and click the Send Email button. The Untangle Server emails the VPN user a link to download the key and OpenVPN Client, like the one shown in Downloading Key and OpenVPN Client. For greater security, you can download the key directly from the client to which you want to provide access, or to a USB key from another remote client.
- For VPN Sites, specify an email address and click the Send Email button. The Untangle Server emails the credentials to configure your VPN Site as shown in Downloading Key for VPN Site. For greater security, you can download the key directly from the VPN Site to which you want to provide access, or to a USB key from another remote client; the result is a config.zip file.
Next Step:
- For VPN Clients:
- Ensure that VPN users download the key and OpenVPN Client properly. Users should click on the OpenVPN link as shown in Downloading Key and OpenVPN Client.
- To test your VPN, access a network resource. Go to Accessing Network Resources.
- For VPN Sites: Configure the remote office's Untangle Server as a VPN Site. Go to Configure Untangle Server as a Remote VPN Site.
Configure Untangle Server as a Remote VPN Site
Perform this procedure on the remote VPN Site, not the VPN Server. This procedure assumes the following:
- Your company's branch office is the remote VPN Site, and you're trying to connect the branch office to a VPN Server at your company's headquarters.
- Both the VPN Site and the VPN server are Untangle Servers.
The remote VPN Site can have a server other than an Untangle Server, but it must be running OpenVPN. For example, an Untangle Server running OpenVPN can communicate with a Mac running OpenVPN; simply use Tunnelblick (see Can I use OpenVPN with my Mac OS X workstation?) so that you can download the VPN Server's (Untangle Server's) config.zip file into your VPN Site's Mac environment.
To configure an Untangle Server as a remote VPN site:
- Log on to the VPN Site's Untangle Server.
- From OpenVPN, click the Setup tab.
- Click the Status tab.
- In the Wizard section, click the Configure as VPN Client button to launch the OpenVPN Setup Wizard. The Welcome page appears.
- Click Next. The Download Configuration page appears.
- Do one of the following:
- If you chose to have the credentials emailed to you (see Downloading Key for VPN Site), click the Download from Server radio button, then specify the Server IP Address and Password.
- If you chose to download the config.zip file, click the Upload Configuration radio button, and browse to and select the config.zip file. You do not need to extract this file.
- Click the Next button, then Save. Your VPN Site can now connect to the VPN Server! However, don't "take my word for it". Test connectivity.
Next Step: To test your VPN, access a network resource. Go to Access Network Resources.
Access Network Resources
Network resources include computers. For example, desktops or file servers.
To access network resources:
- Log on to the VPN. Do one of the following:
- If you are connecting as a VPN Site, you are always connected. Proceed to the next step.
- If you are connecting to the VPN in a VPN Client configuration and you only have one connection, double-click the OpenVPN Client icon. A window appears.
- If you are connecting to the VPN in a VPN Client configuration and you have more than one connection, right-click the OpenVPN Client icon and select sitename > Connect. A window appears.
You successfully logged on to the VPN if:
- The OpenVPN Connection window reads Successful, then the window disappears.
- The OpenVPN icon turns green.
- Access a network resource. For example, in Windows XP:
- Launch a Windows Explorer window.
- Type \\IPAddressofComputer or \\ComputerHostname, and press Enter.
Revoking Users' VPN Access Temporarily
To secure your network, temporarily disable a user's key if that user does not intend to use the VPN for an extended period of time, such as in the event of an employee's leave of absence. If you want to permanently remove a user's key, go to Revoking Users' VPN Access Permanently.
To temporarily disable a VPN user's key:
- From OpenVPN, click the Show Setting button.
- Click the VPN Clients tab.
- In the VPN Clients area, clear the Enabled check box that corresponds to the user, then click the Save button.
Revoking Users' VPN Access Permanently
To secure your network, always disable a user's key if that user loses a laptop on which a key is installed. To revoke a user's VPN access, you must disable the user's key. In this case, the user needs to reinstall the VPN client and key. This procedure removes a user from a VPN Site or VPN Client, revokes the user's certificate, and permanently invalidates the key that was previously issued to the user.
If you want to temporarily remove a user's key, go to Revoking Users' VPN Access Temporarily.
To permanently disable a VPN user's key:
- From OpenVPN, click the Show Setting button.
- Click the VPN Clients tab.
- In the VPN Clients area, delete the row that corresponds to the user's account.
- Create a new user account with the same parameters.
- Distribute the client and key. Go to Distribute Keys and OpenVPN Client.
About OpenVPN Event Logs
Use the following terms and definitions to understand the OpenVPN Event Log:
- start time: The time the connection was established.
- end time: The time the connection was terminated.
- client name: The name of the connection's client.
- client address: The IP address of the connection's client.
- Kbytes sent: The number of kilobytes that have been sent on the connection.
- Kbytes received: The number of kilobytes that have been received on the connection.
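The six fields above are enough to spot the case the Caution under Key Distribution warns about: one client key connecting from more than one address, which is how a key installed on a lost laptop tends to show up. This is an added example, not code from the Untangle wiki; the CSV layout and the log lines are constructed, since the page does not document Untangle's export format.

```python
# Added example (not from the Untangle wiki): summarise OpenVPN Event Log
# records using the six fields the page defines. The CSV layout and the log
# lines below are constructed for this example.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: three sessions, one client key seen from two addresses.
SAMPLE_LOG = """\
start time,end time,client name,client address,Kbytes sent,Kbytes received
2009-03-02 08:01:10,2009-03-02 17:32:44,emma-laptop,203.0.113.17,51200,8400
2009-03-02 09:15:02,2009-03-02 09:47:31,sales-office,198.51.100.9,2300,1900
2009-03-02 22:10:05,2009-03-03 01:02:19,emma-laptop,192.0.2.77,7300,412000
"""

def summarise(log_text):
    """Aggregate sessions and traffic per client name.

    Returns a dict keyed by client name with the session count, total Kbytes
    sent and received, and the set of client addresses the key connected from.
    """
    totals = defaultdict(lambda: {"sessions": 0, "sent": 0, "received": 0,
                                  "addresses": set()})
    for row in csv.DictReader(StringIO(log_text)):
        entry = totals[row["client name"]]
        entry["sessions"] += 1
        entry["sent"] += int(row["Kbytes sent"])
        entry["received"] += int(row["Kbytes received"])
        entry["addresses"].add(row["client address"])
    return dict(totals)

def clients_with_multiple_addresses(summary):
    """Client names whose key connected from more than one address.

    A key that roams between addresses is not proof of loss, but it is the
    list to check against the page's advice to invalidate a lost laptop's key.
    """
    return sorted(name for name, e in summary.items()
                  if len(e["addresses"]) > 1)

if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for name, e in summary.items():
        print(f"{name}: {e['sessions']} session(s), {e['sent']} KB sent, "
              f"{e['received']} KB received, from {sorted(e['addresses'])}")
    for name in clients_with_multiple_addresses(summary):
        print(f"review: {name} connected from several addresses; "
              f"if the device is lost, revoke and reissue its key")
```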
OpenVPN FAQs
Can I install the OpenVPN client that came with Untangle Server onto a Vista Operating System?
Yes! The OpenVPN client that Untangle bundles with the Untangle Server has been upgraded for compatibility with Vista, both 32-bit and 64-bit versions. Please note, you might need to log in as the administrator on the Vista machine or disable UAC. To disable UAC, please check out this URL: [1]
What operating systems does OpenVPN support?
OpenVPN supports the following operating systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
I started OpenVPN and my network died. Why?
The most common cause is because the address pool assigned to VPN users is in the same address range used by LAN users. Unless your LAN uses addresses that are in the default VPN address pool, leave the VPN address pool as is. Otherwise, change the pool as needed to make sure they are different. For more information, go to Prepare To Configure Your VPN Server.
Why is the hostname not resolving for VPN users?
If you mapped a hostname to an IP address so that VPN users can access that network resource using the hostname instead of the IP address, and those users can only access the network resource using the IP address, you probably didn't select the export DNS check box when you mapped the hostname to the IP address as outlined in Mapping Computer Hostnames To IP Addresses.
What does Warning...files...no longer available... mean?
If you receive the following message when you try to download the VPN Client:
Warning The files that you requested are no longer available, please contact your network administrator for more information
...your VPN Client key is no longer valid. Ask your Untangle Server administrator to resend the VPN Client key.
Why does OpenVPN provide a default IP address pool that is incompatible with my network?
As discussed in Configuring Untangle Server as a VPN Server, Untangle Client provides a default IP address pool (also known as virtual IP addresses). Accept the default. By design, this default IP address pool does not match your current network's IP address scheme, ensuring that remote VPN clients do not conflict with non-VPN clients on the same network.
How do I set up OpenVPN Server if my Untangle Server is behind another router?
Use port forwarding to enable users outside to connect to the VPN Server. Do the following:
- Add a redirect or port forward from some external IP UDP port 1194 to the Untangle Server port 1194. Go to Redirecting External and Internal Traffic.
- Configure OpenVPN to use the correct public external IP. (It may be necessary to redistribute your client configurations after making this change)
- If you have a hostname that resolves in DNS to the external IP, configure Untangle Server to use that hostname: Config > Administration > Public Address and select 'Use Hostname.'
- If you do not have a hostname that resolves externally, configure Untangle Server to use the external IP: Config > Administration > Public Address and choose 'Use a Manually Specified IP.'
If a user or site loses a secure key, how do I disable the old key and issue a new one?
When you remove a user from a VPN Site or VPN Client, you revoke that user's certificate and invalidate the key that was previously issued to that user. To permanently revoke a user's key, go to Revoking Users' VPN Access Permanently.
Can I administer an Untangle Server over a VPN connection?
Yes. To administer the Untangle Server, you must include the internal address of the system in one of the Exported hosts networks. This internal address can either be one of the following:
- A single entry that contains the IP address with a 255.255.255.255 netmask. For example, 192.168.1.1/255.255.255.255.
- An entry that contains a network that includes the IP address. For example, 192.168.1.0/255.255.255.0.
Can I use OpenVPN with my Mac OS X workstation?
Yes. OpenVPN supports many platforms including Mac OS X. You will need to install a VPN client on your Mac.
To install a Mac OS X VPN client:
- Download the Tunnelblick client at http://www.tunnelblick.net (Release Candidate 3).
- Unzip the download and copy the Tunnelblick application to your Applications Folder.
To configure Tunnelblick client:
- Download VPN configuration files from Untangle Server.
- Copy the config files to /Users/_USERNAME_/Library/openvpn
To start Tunnelblick client:
- Execute client from the Applications folder.
- The icon will appear in the top right corner of the Menu Bar. Click on the icon and select Connect 'office-mv'.
- To view websites hosted inside the VPN, you may need to do the following:
- Click on "Details" in the Tunnelblick menu.
- Check the "Set Nameserver" box.
- Disconnect and reconnect your VPN.
Can I use OpenVPN on both of my WAN connections?
No. OpenVPN will only function on your primary WAN connection.