3.1.9.3.7. OpenVPN
From this section you can define the VPN configurations for OpenVPN.
Configuring OpenVPN depends on the previous configuration of CMDB objects, Radius authentications, Certificate authorities, and Server certificates. For more information, see the VPNGW CMDB section.
This view displays two different tabs:

3.1.9.3.7.1. Farm configuration
The Farm configuration tab allows you to configure General, Backend, Cryptographic, Tunnel, and Client Settings.

General
Protocol: Protocol to be used (UDP or TCP).
Device mode: Select the device mode (tun or tap). tun carries routed Layer 3 (IP) traffic; tap carries bridged Layer 2 (Ethernet) frames and is only needed for protocols that require broadcast on the same segment.
Backend settings
Radius Authentication: Select the RADIUS authentication protocol (previously configured in the CMDB).
Use OpenNAC Agent: Flag to enable using the OpenNAC Agent.
NAS identifier: Desired identifier for this VPN Gateway. It will be the one that appears in the RADIUS logs.
NAS IP address: IP address that is sent to the RADIUS server as the NAS-IP-Address attribute. It must match the address configured for this gateway in the huntgroups file; see the 2SRA configuration section for more information.
Dynamic VPN zone: Zone that will be dynamically associated to the VPN access groups.

Cryptographic settings
Certificate Authority: Select a certificate authority (previously configured in the CMDB).
Server Certificate: Select a server certificate (previously configured in the CMDB).
TLS Authentication: Flag to enable TLS Authentication (enable it). It adds an HMAC signature, computed with a pre-shared key, to every control-channel packet, so packets without a valid signature are dropped before the TLS handshake starts. This protects the server from unauthenticated probes and from attacks against the TLS implementation itself.
DH Parameter Length (bits): The number of bits that the DH prime must have. Recommended minimum 2048.
Encryption Algorithm: The encryption algorithm to be used. It’s recommended to use the AES-256-CBC algorithm.
Auth Digest Algorithm: The algorithm to use to make the hash. It’s recommended to use the SHA256 algorithm.
Tunnel Settings
Inter-client Communication: If enabled, traffic between connected users is switched internally by the OpenVPN process and never reaches the host's IP layer, so the host firewall cannot filter it and every client can reach every other client. If disabled, inter-client traffic is delivered to the IP layer like any other traffic and is subject to the firewall rules, which is the option to choose when per-client filtering is required.
Duplicate Connection: If enabled, multiple simultaneous connections with the same certificate (same CN) are allowed, so one certificate can be shared by several users or devices. If disabled, each concurrent connection must present a certificate with a unique CN; a new connection with an already connected CN replaces the existing session.
IPv4 Local Networks: Local networks in CIDR IPv4 format that can be accessed through the VPN. When the connection is established, the connection routes are sent to the client so that it knows these networks.
IPv6 Local Networks: Local networks in CIDR IPv6 format that can be accessed through the VPN. When the connection is established, the connection routes are sent to the client so that it knows these networks.
Max Clients Connections: Maximum number of users that can connect through the VPN.
Compression: Choose the type of compression to use. We recommend the “Enabled with Adaptive Compression” option. Note that compressing data before it is encrypted lets an attacker who can inject chosen plaintext into the tunnel (for example through a web page a user visits) recover secrets from the ciphertext length (the VORACLE class of attacks), so disable compression if untrusted web traffic is carried through the VPN.
Monitor Network Behaviour: If enabled, the traffic that passes through the VPN connection will be monitored.
Redirect Gateway: If enabled, all client traffic, including internet traffic, is redirected through the VPN. In this case, DNS servers reachable through the tunnel must be configured (see Client Settings), otherwise name resolution fails or leaks to the client's local resolver. If disabled, only the local networks listed above are reached through the VPN.

Client Settings
Dynamic IP: Enabling this flag allows the VPN to assign IPs dynamically.
DNS Default Domain: Default domain name pushed to the client for name resolution.
DNS Server enable: Flag to enable the configuration of the DNS servers.
DNS Block Outside: Flag to push the block-outside-dns option, which makes Windows clients drop DNS queries that do not go through the tunnel (DNS leak prevention). It has no effect on other client platforms.
Force DNS cache update: Flag to force clearing the client’s DNS server cache.
DNS Server 1: Fill in if you want to use a specific DNS server.
DNS Server 2: Fill in if you want to use another specific DNS server.
NTP Server enable: Enable the configuration of the NTP servers.
NTP Server 1: Fill in if you want to use a specific NTP server.
NTP Server 2: Fill in if you want to use another NTP server.
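The farm settings above correspond to directives in the OpenVPN 2.x server configuration. The following added example (written for this page, not code from the product or from the OpenVPN project) parses such a configuration and reports every deviation from the guidance in this section: missing TLS authentication, DH parameters below 2048 bits, ciphers other than AES-256, digests weaker than SHA256, compression, inter-client routing, duplicate CNs, and a redirected gateway without pushed DNS. The two sample configurations are constructed here, and the mapping from GUI settings to directive names is an assumption about how the settings are rendered.

```python
"""Lint an OpenVPN 2.x server config against the farm-configuration guidance above."""
import re
import shlex

# Page recommends AES-256-CBC; AES-256-GCM is the AEAD variant with the same key size.
RECOMMENDED_CIPHERS = {"AES-256-CBC", "AES-256-GCM"}
RECOMMENDED_DIGESTS = {"SHA256", "SHA384", "SHA512"}   # page recommends SHA256
MIN_DH_BITS = 2048                                     # page: recommended minimum 2048

# Constructed sample: one setting wrong in every category discussed on the page.
WEAK_CONFIG = """
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
auth SHA1
comp-lzo adaptive
client-to-client
duplicate-cn
max-clients 100
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
"""

# Constructed sample: the same farm with the recommended settings applied.
HARDENED_CONFIG = """
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
max-clients 100
server 10.8.0.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.53"
push "dhcp-option DOMAIN corp.example"
"""


def parse_config(text):
    """Return [(directive, [args])], ignoring blank lines and '#'/';' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # unquotes push "route ..." arguments
        if parts:
            entries.append((parts[0], parts[1:]))
    return entries


def lint(text):
    """Return a list of findings; an empty list means the config follows the guidance."""
    entries = parse_config(text)
    present = {d for d, _ in entries}
    findings = []

    def args_of(directive):
        return [a for d, a in entries if d == directive]

    # Cryptographic settings
    if "tls-auth" not in present and "tls-crypt" not in present:
        findings.append("tls-auth/tls-crypt missing: control channel has no HMAC protection")
    for a in args_of("dh"):
        # The DH size is not stated in the config; infer it from the conventional
        # file name (dh2048.pem) and confirm with `openssl dhparam -in FILE -text`.
        m = re.search(r"(\d{3,5})", a[0]) if a else None
        if m and int(m.group(1)) < MIN_DH_BITS:
            findings.append(f"dh: {a[0]} looks like {m.group(1)}-bit parameters (< {MIN_DH_BITS})")
    ciphers = [a[0] for a in args_of("cipher") if a]
    ciphers += [c for a in args_of("data-ciphers") if a for c in a[0].split(":")]
    for c in ciphers:
        if c.upper() not in RECOMMENDED_CIPHERS:
            findings.append(f"cipher {c} is not AES-256 (CBC or GCM)")
    for a in args_of("auth"):
        if a and a[0].upper() not in RECOMMENDED_DIGESTS:
            findings.append(f"auth {a[0]}: use SHA256 or stronger")

    # Tunnel settings
    comp_on = any(a != ["no"] for a in args_of("comp-lzo")) or any(
        a and a[0] not in ("stub", "stub-v2") for a in args_of("compress"))
    if comp_on:
        findings.append("compression enabled: compressing plaintext before encryption "
                        "enables compression-oracle (VORACLE-style) attacks")
    if "client-to-client" in present:
        findings.append("client-to-client: inter-client traffic is switched inside "
                        "OpenVPN and never reaches the host firewall")
    if "duplicate-cn" in present:
        findings.append("duplicate-cn: one certificate may be used by several concurrent sessions")

    # Client settings
    pushed = [a[0].split() for a in args_of("push") if a]
    redirects = any(p[0] == "redirect-gateway" for p in pushed)
    dns_pushed = any(p[0] == "dhcp-option" and len(p) > 1 and p[1].upper() == "DNS" for p in pushed)
    if redirects and not dns_pushed:
        findings.append("redirect-gateway pushed without a DNS server: clients lose or leak name resolution")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run it against the server configuration actually deployed on a node (for example `/etc/openvpn/server.conf`) after saving the farm settings, to confirm that the GUI choices produced the intended directives.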
3.1.9.3.7.2. Node configuration
The Node configuration tab allows you to configure OpenVPN nodes.

By clicking on the Add new button, it will display the following configuration window:

Client
Node: Select the client node.
Local Port: Select a local port to the node.
Interface: Select an interface.
Start on Boot: Enable if you want the VPN Gateway to start automatically when the machine reboots. If it is disabled, you have to start the VPN manually after each reboot.
Connection IP: IP address or domain name that clients use to reach this node.
Tunnel
IPv4 Tunnel Network: Network in IPv4 CIDR format from which tunnel addresses are assigned. This network must be unique in your organization and must not overlap the local networks pushed to clients, otherwise the pushed routes conflict with the tunnel route.
IPv6 Tunnel Network: Network in IPv6 CIDR format from which tunnel addresses are assigned. The same uniqueness and non-overlap requirements apply.
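The uniqueness requirement for tunnel networks is easy to violate when several nodes are added over time. The following added example (not part of the product) checks a planned set of nodes: it reports tunnel networks that overlap each other and tunnel networks that overlap any of the local networks pushed to clients. The node names and address ranges are constructed for the example.

```python
"""Check tunnel-network uniqueness across nodes and against pushed local networks."""
import ipaddress

# Constructed plan: two nodes share 10.8.0.0/24, and vpngw-03 sits inside a local network.
NODES = {
    "vpngw-01": "10.8.0.0/24",
    "vpngw-02": "10.8.0.0/24",
    "vpngw-03": "10.9.0.0/24",
    "vpngw-04": "fd00:8::/64",
}
LOCAL_NETWORKS = ["192.168.10.0/24", "10.9.0.0/16", "fd00:10::/64"]


def plan_conflicts(nodes, local_networks):
    """Return [(node, description)] for every overlap; an empty list means the plan is clean."""
    tunnels = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in nodes.items()}
    locals_ = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    conflicts = []

    # Tunnel networks must be unique: compare every pair of nodes once.
    names = list(tunnels)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ta, tb = tunnels[a], tunnels[b]
            if ta.version == tb.version and ta.overlaps(tb):
                conflicts.append((a, f"tunnel {ta} overlaps node {b} tunnel {tb}"))

    # A tunnel network inside a pushed local network would be shadowed by the pushed route.
    for name, t in tunnels.items():
        for ln in locals_:
            if t.version == ln.version and t.overlaps(ln):
                conflicts.append((name, f"tunnel {t} overlaps local network {ln}"))
    return conflicts


if __name__ == "__main__":
    for node, why in plan_conflicts(NODES, LOCAL_NETWORKS):
        print(f"{node}: {why}")
```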