This article by Abd El-Monem A. El-Bawab, the author of Untangle Network Security, covers the Untangle solution, OpenVPN. OpenVPN is an SSL/TLS-based VPN, which is mainly used for remote access as it is easy to configure and uses clients that can work on multiple operating systems and devices. OpenVPN can also provide site-to-site connections (only between two Untangle servers) with limited features.
Untangle’s OpenVPN is an SSL-based VPN solution that is based on the well-known open source application, OpenVPN. Untangle’s OpenVPN is mainly used for client-to-site connections with a client feature that is easy to deploy and configure, which is widely available for Windows, Mac, Linux, and smartphones. Untangle’s OpenVPN can also be used for site-to-site connections but the two sites need to have Untangle servers. Site-to-site connections between Untangle and third-party devices are not supported.
How OpenVPN works
In reference to the OSI model, an SSL/TLS-based VPN will only encrypt the application layer’s data, while the lower layers’ information is transferred unencrypted. In other words, the application packets are encrypted. The IP addresses of the server and client are visible, as is the port the VPN server uses for communication with the client, but the actual application port number is not. Furthermore, the final destination IP address is not visible; only the VPN server’s IP address is seen.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) refer to the same thing. SSL is the predecessor of TLS. SSL was originally developed by Netscape and went through several releases (V.1 to V.3) until it was standardized under the TLS name.
The steps to create an SSL-based VPN are as follows:
- The client sends a message to the VPN server stating that it wants to initiate an SSL session. It also sends a list of all the cipher suites (hash and encryption algorithms) that it supports.
- The server will respond with a set of selected ciphers and will send its digital certificate to the client. The server’s digital certificate includes the server’s public key.
- The client will try to verify the server’s digital certificate by checking it against trusted certificate authorities and by checking the certificate’s validity (valid from and valid through dates).
- The server may need to authenticate the client before allowing it to connect to the internal network. This could be achieved either by asking for a valid username and password or by using the user’s digital identity certificates. Untangle NGFW uses the digital certificates method.
- The client creates a session key (which will be used to encrypt the data transferred between the two devices) and sends this key to the server, encrypted with the server’s public key. No third party can obtain the session key, because only the server holds the private key needed to decrypt it.
- The server acknowledges to the client that it has received the session key and is ready for the encrypted data transfer.
Configuring Untangle’s OpenVPN server settings
After installing the OpenVPN application, the application will be turned off. You’ll need to turn it on before you can use it.
You can configure Untangle’s OpenVPN server settings under OpenVPN settings | Server. The settings configure how OpenVPN will be a server for remote clients (which can be clients on Windows, Linux, or any other operating systems, or another Untangle server). The different available settings are as follows:
- Site Name: This is the name of the OpenVPN site that is used to distinguish this server from the other OpenVPN servers inside your organization. This name should be unique across all Untangle servers in the organization. A random name is automatically chosen for the site name.
- Site URL: This is the URL that the remote client will use to reach this OpenVPN server. This can be configured under Config | Administration | Public Address.
If you have more than one WAN interface, the remote client will first try to initiate the connection using the settings defined in the public address. If this fails, it will randomly try the IP of the remaining WAN interfaces.
- Server Enabled: If checked, the OpenVPN server will run and accept connections from the remote clients.
- Address Space: This defines the IP subnet that will be used to assign IPs for the remote VPN clients. The value in Address Space must be unique and separate across all existing networks and other OpenVPN address spaces. A default address space will be chosen that does not conflict with the existing configuration:
Configuring Untangle’s OpenVPN remote client settings
Untangle’s OpenVPN allows you to create OpenVPN clients that give your office employees, while they are away from the office, the ability to remotely access your internal network resources via their PCs and/or smartphones. Also, an OpenVPN client can be imported into another Untangle server to provide a site-to-site connection. Each OpenVPN client has its own unique IP (from the address space range defined previously). Thus, each OpenVPN client can only be used by one user. For multiple users, you’ll have to create multiple clients, as using the same client for multiple users will result in client disconnection issues.
Creating a remote client
You can create remote access clients by clicking on the Add button located under OpenVPN Settings | Server | Remote Clients. A new window will open, which has the following settings:
- Enabled: If this checkbox is checked, it will allow the client connection to the OpenVPN server. If unchecked, it will not allow the client connection.
- Client Name: Give a unique name for the client; this will help you identify the client. Only alphanumeric characters are allowed.
- Group: Specify the group the client will be a member of. Groups are used to apply similar settings to their members.
- Type: Select Individual Client for remote access and Network for site-to-site VPN.
The following screenshot shows a remote access client created for JDoe:
After configuring the client settings, you’ll need to press the Done button and then the OK or Apply button to save this client configuration. The new client will be available under the Remote Clients tab, as shown in the following screenshot:
Understanding remote client groups
Groups are used to group clients together and apply similar settings to the group members. By default, there will be a Default Group. Each group has the following settings:
- Group Name: Give a suitable name for the group that describes the group settings (for example, full tunneling clients) or the target clients (for example, remote access clients).
- Full Tunnel: If checked, all the traffic from the remote clients will be sent to the OpenVPN server, which allows Untangle to filter traffic directed to the Internet. If unchecked, the remote client will run in the split tunnel mode, which means that the traffic directed to local resources behind Untangle is sent through VPN, and the traffic directed to the Internet is sent by the machine’s default gateway.
You can’t use Full Tunnel for site-to-site connections.
- Push DNS: If checked, the remote OpenVPN client will use the DNS settings defined by the OpenVPN server. This is useful to resolve local names and services.
- Push DNS server: If the OpenVPN server is selected, remote clients will use the OpenVPN server for DNS queries. If set to Custom, DNS servers configured here will be used for DNS queries.
- Push DNS Custom 1: If the Push DNS server is set to Custom, the value configured here will be used as a primary DNS server for the remote client. If blank, no settings will be pushed for the remote client.
- Push DNS Custom 2: If the Push DNS server is set to Custom, the value configured here will be used as a secondary DNS server for the remote client. If blank, no settings will be pushed for the remote client.
- Push DNS Domain: The configured value will be pushed to the remote clients to extend their domain’s search path during DNS resolution.
The following screenshot illustrates all these settings:
Defining the exported networks
Exported networks are used to define the internal networks behind the OpenVPN server that the remote client can reach after successful connection. Additional routes will be added to the remote client’s routing table that state that the exported networks (the main site’s internal subnet) are reachable through the OpenVPN server. By default, each static non-WAN interface network will be listed in the Exported Networks list:
You can modify the default settings or create new entries. The Exported Networks settings are as follows:
- Enabled: If checked, the defined network will be exported to the remote clients.
- Export Name: Enter a suitable name for the exported network.
- Network: This defines the exported network. The exported network should be written in CIDR form.
These settings are illustrated in the following screenshot:
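The Address Space rule above (it must not overlap any existing network or other OpenVPN address space) and the Exported Networks list together define the subnets OpenVPN routes between. As an added example, not part of the original article or of Untangle’s own code, the following Python script checks a candidate Address Space, the exported networks and the remote networks of site-to-site clients for overlaps; every address in it is a constructed sample value.

```python
import ipaddress

# Constructed sample values for this example, not read from an Untangle server:
# the OpenVPN Address Space, the server's Exported Networks, and the remote
# network declared on a Network-type (site-to-site) client.
ADDRESS_SPACE = "172.16.136.0/24"
EXPORTED_NETWORKS = {"Internal LAN": "172.16.1.0/24", "Servers": "10.10.10.0/24"}
REMOTE_SITE_NETWORKS = {"ABC-bank": "192.168.50.0/24"}


def collect_networks(address_space, exported, remote_sites):
    """Label every network OpenVPN will route between as an ip_network.

    strict=False accepts a host address with a prefix (for example
    172.16.1.7/24) and normalises it to its network, as a routing table does.
    """
    nets = {"Address Space": ipaddress.ip_network(address_space, strict=False)}
    for name, cidr in exported.items():
        nets["export:" + name] = ipaddress.ip_network(cidr, strict=False)
    for name, cidr in remote_sites.items():
        nets["site:" + name] = ipaddress.ip_network(cidr, strict=False)
    return nets


def find_overlaps(address_space, exported, remote_sites):
    """Return (label_a, label_b) pairs whose networks overlap, in table order.

    The server routes between all of these, so an overlap makes a route
    ambiguous: traffic for a LAN host may be sent down the tunnel, or a
    tunnel address may be mistaken for a local host.
    """
    nets = collect_networks(address_space, exported, remote_sites)
    labels = list(nets)
    return [
        (a, b)
        for i, a in enumerate(labels)
        for b in labels[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def pick_address_space(candidates, exported, remote_sites):
    """First candidate pool that overlaps nothing, or None; mirrors how a
    non-conflicting default Address Space can be chosen automatically."""
    for cidr in candidates:
        if not find_overlaps(cidr, exported, remote_sites):
            return cidr
    return None


if __name__ == "__main__":
    print("overlaps:", find_overlaps(ADDRESS_SPACE, EXPORTED_NETWORKS, REMOTE_SITE_NETWORKS) or "none")
    print("suggested pool:", pick_address_space(
        ["172.16.1.0/24", "10.10.10.0/24", "172.16.136.0/24"], EXPORTED_NETWORKS, REMOTE_SITE_NETWORKS))
```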
Using OpenVPN remote access clients
So far, we have been configuring the client settings but didn’t create the real package to be used on remote systems. We can get the remote client package by pressing the Download Client button located under OpenVPN Settings | Server | Remote Clients, which will start the process of building the OpenVPN client that will be distributed:
There are three available options to download the OpenVPN client. The first option is to download the client as a .exe file to be used with the Windows operating system. The second option is to download the client configuration files, which can be used with the Apple and Linux operating systems. The third option is similar to the second one except that the configuration file will be imported to another Untangle NGFW server, which is used for site-to-site scenarios. The following screenshot illustrates this:
The configuration files include the following files:
The certificate files are for the client authentication, and the .ovpn and .conf files have the defined connection settings (that is, the OpenVPN server IP, used port, and used ciphers). The following screenshot shows the .ovpn file for the site Untangle-1849:
As shown in the following screenshot, the created file (openvpn-JDoe-setup.exe) includes the client name, which helps you identify the different clients and simplifies the process of distributing each file to the right user:
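As an added example, not Untangle’s code and not the profile Untangle actually generates, the following Python script parses the .ovpn/.conf format described above (server address, port, protocol, ciphers and credential files) and flags the settings a reviewer would want fixed before distributing a profile; the sample profile, its file names and the host vpn.example.com are constructed.

```python
import shlex

# Constructed sample .ovpn for this example, not a file exported by Untangle;
# it carries what a client profile holds: server, port, protocol, ciphers, credentials.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca Untangle-1849-ca.crt
cert Untangle-1849-JDoe.crt
key Untangle-1849-JDoe.key
cipher BF-CBC
auth SHA1
"""
WEAK_CIPHERS = {"none", "(none set)", "BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}


def parse_ovpn(text):
    """Parse .ovpn/.conf text into {directive: [args, ...]}; a repeated
    directive keeps every occurrence, and an inline <tag>...</tag> block is
    stored under the tag name with its body as the single argument."""
    conf, block, body = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                       # inside <tag> ... </tag>
            if line == "</%s>" % block:
                conf.setdefault(block, []).append(["\n".join(body)])
                block, body = None, []
            else:
                body.append(raw)
            continue
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        words = shlex.split(line)
        conf.setdefault(words[0], []).append(words[1:])
    return conf


def server_endpoint(conf):
    """(host, port, proto) the client dials; 'port'/'proto' lines or the
    OpenVPN defaults (1194, udp) fill in what the 'remote' line omits."""
    remote = conf["remote"][0]
    port = remote[1] if len(remote) > 1 else conf.get("port", [["1194"]])[0][0]
    proto = remote[2] if len(remote) > 2 else conf.get("proto", [["udp"]])[0][0]
    return remote[0], int(port), proto


def audit_profile(conf):
    """Findings to resolve before handing the profile to a user."""
    findings = []
    cipher = conf.get("cipher", [["(none set)"]])[0][0]
    if cipher in WEAK_CIPHERS:
        findings.append("weak or unset data cipher: " + cipher)
    if "remote-cert-tls" not in conf:
        findings.append("no 'remote-cert-tls server': server cert purpose unchecked")
    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt key: control channel unprotected by PSK")
    for cred in ("ca", "cert", "key"):
        if cred not in conf:
            findings.append("missing '%s' (file path or inline <%s> block)" % (cred, cred))
    return findings
```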
Using an OpenVPN client with Windows OS
Using an OpenVPN client with the Windows operating system is very simple. To do this, perform the following steps:
- Set up the OpenVPN client on the remote machine. The setup is very easy; it’s just a next, next, install, and finish setup.
Installing and running the application as an administrator is important, because it allows the client to write the VPN routes to the Windows routing table. You should run the client as an administrator every time you use it so that the client can create the required routes.
- Double-click on the OpenVPN icon on the Windows desktop:
- The application will run in the system tray:
- Right-click on the system tray of the application and select Connect. The client will start to initiate the connection to the OpenVPN server and a window with the connection status will appear, as shown in the following screenshot:
- Once the VPN tunnel is initiated, a notification will appear from the client with the IP assigned to it, as shown in the following screenshot:
If the OpenVPN client is running in the system tray with an established connection, it will automatically reconnect to the OpenVPN server if the tunnel drops because Windows went to sleep.
By default, the OpenVPN client does not start at Windows login. We can change this, and allow it to start without requiring administrative privileges, by going to Control Panel | Administrative Tools | Services and changing the OpenVPN service’s Startup Type to Automatic. Then, in the Start parameters field, enter --connect <Site_name>.ovpn; you can find <Site_name>.ovpn under C:\Program Files\OpenVPN\config.
Using OpenVPN with non-Windows clients
The method to configure OpenVPN clients to work with Untangle is the same for all non-Windows clients. Simply download the .zip file provided by Untangle, which includes the configuration and certificate files, and place them into the application’s configuration folder. The steps are as follows:
- Download and install any of the following OpenVPN-compatible clients for your operating system:
  - For Mac OS X, Untangle, Inc. suggests using Tunnelblick, which is available at http://code.google.com/p/tunnelblick
  - For Linux, OpenVPN clients for different Linux distros can be found at https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html
  - OpenVPN Connect for iOS is available at https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8
  - OpenVPN for Android 4.0+ is available at https://play.google.com/store/apps/details?id=net.openvpn.openvpn
- Log in to the Untangle NGFW server, download the .zip client configuration file, and extract the files from the .zip file.
- Place the configuration files into any of the following OpenVPN-compatible applications:
  - Tunnelblick: Manually copy the files into the Configurations folder located at ~/Library/Application Support/Tunnelblick.
  - Linux: Copy the extracted files into /etc/openvpn, and then you can connect using sudo openvpn /etc/openvpn/<Site_name>.conf.
  - iOS: Open iTunes and select the files from the config ZIP file to add to the app on your iPhone or iPad.
  - Android: In the OpenVPN for Android application, open the All your precious VPNs tab. In the top-right corner, tap the folder icon and browse to the folder where you have the OpenVPN .conf file. Tap the file and hit Select. Then, in the top-right corner, hit the little floppy disk icon to save the import. Now, you should see the imported profile. Tap it to connect to the tunnel. For more information on this, visit http://forums.untangle.com/openvpn/30472-openvpn-android-4-0-a.html.
- Run the OpenVPN-compatible client.
Using OpenVPN for site-to-site connection
To use OpenVPN for site-to-site connection, one Untangle NGFW server will run on the OpenVPN server mode, and the other server will run on the client mode. We will need to create a client that will be imported in the remote server. The client settings are shown in the following screenshot:
We will need to download the client configuration that is supposed to be imported on another Untangle server (the third option available on the client download menu), and then import this client configuration’s zipped file on the remote server. To import the client, on the remote server under the Client tab, browse to the .zip file and press the Submit button. The client will be shown as follows:
You’ll need to restart the two servers before being able to use the OpenVPN site-to-site connection. The site-to-site connection is bidirectional.
Reviewing the connection details
The currently connected clients (whether they are OS clients or another Untangle NGFW server) appear under Connected Remote Clients, located under the Status tab. The screen shows the client name, its external address, and the address assigned to it by OpenVPN. In addition to the connection start time, the amount of data transmitted and received during this connection is shown in MB:
For the site-to-site connection, the server running in client mode shows the name of the remote server, whether the connection is established or not, and the amount of transmitted and received data in MB:
Event logs show a detailed connection history as shown in the following screenshot:
In addition, there are two reports available for Untangle’s OpenVPN:
- Bandwidth usage: This report shows the maximum and average data transfer rate (KB/s) and the total amount of data transferred that day
- Top users: This report shows the top users connected to the Untangle OpenVPN server
Troubleshooting Untangle’s OpenVPN
In this section, we will discuss some points to consider when dealing with Untangle NGFW OpenVPN.
- OpenVPN acts as a router, as it routes between different networks. Using OpenVPN with Untangle NGFW in bridge mode (the Untangle NGFW server is behind another router) requires additional configuration, as follows:
  - Create a static route on the router that routes traffic for the VPN range (the VPN address pool) to the Untangle NGFW server.
  - Create a Port Forward rule on the router for the OpenVPN port, 1194 (UDP), to Untangle NGFW.
  - Verify that your setting under Config | Administration | Public Address is correct, as Untangle uses it to configure the OpenVPN clients, and ensure that the configured address is resolvable from outside the company.
- If the OpenVPN client is connected but you can’t access anything, perform the following steps:
  - Verify that the hosts you are trying to reach are exported in Exported Networks.
  - Try to ping the Untangle NGFW LAN IP address (if exported).
  - Try to bring up the Untangle NGFW GUI by entering the IP address in a browser.
  - If the preceding tasks work, your tunnel is up and operational. If you still can’t reach any clients inside the network, check for the following conditions:
    - The client machine’s firewall is not preventing the connection from the OpenVPN client.
    - The client machine uses Untangle as its gateway or has a static route that sends the VPN address pool to Untangle NGFW.
    - In addition, some port forwarding rules on Untangle NGFW are needed for OpenVPN to function properly. The required ports are 53, 445, 389, 88, 135, and 1025.
- If the site-to-site tunnel is set up correctly but the two sites can’t talk to each other, the reason may be one of the following:
  - If your sites have IPs from the same subnet (which can happen when you use a service from the same ISP for both branches), OpenVPN may fail, as it considers that no routing is needed between IPs in the same subnet; you should ask your ISP to change the IPs.
  - To get DNS resolution to work over the site-to-site tunnel, you’ll need to go to Config | Network | Advanced | DNS Server | Local DNS Servers and add the IP of the DNS server on the far side of the tunnel. Enter the domain in the Domain List column and use the FQDN when accessing resources. You’ll need to do this on both sides of the tunnel for it to work from either side.
- If you are using site-to-site VPN in addition to client-to-site VPN, but the OpenVPN client is able to connect to the main site only:
  - You’ll need to add the VPN Address Pool to Exported Hosts and Networks.
This section provides a lab for the OpenVPN site-to-site and client-to-site scenarios. In this lab, we will mainly use Untangle-01, Untangle-03, and a laptop (192.168.1.7).
The ABC bank started a project with Acme schools. As a part of this project, the ABC bank team needs to periodically access files located on Acme-FS01. So, the two parties decided to opt for OpenVPN. However, Acme’s network team doesn’t want to leave access wide open for ABC bank members, so they set firewall rules to limit ABC bank’s access to the file server only.
In addition, the IT team director wants to have VPN access from home to the Acme network, which they decided to accomplish using OpenVPN.
The following diagram shows the environment used in the site-to-site scenario:
To create the site-to-site connection, we will need to do the following steps:
- Enable OpenVPN Server on Untangle-01.
- Create a network type client with a remote network of 172.16.1.0/24.
- Download the client and import it under the Client tab in Untangle-03.
- Restart the two servers.
- After the restart, you have a site-to-site VPN connection. However, the Acme network is wide open to the ABC bank, so we need to create a firewall-limiting rule.
- On Untangle-03, create a rule that will allow any traffic that comes from the OpenVPN interface, and its source is 172.16.136.10 (Untangle-01 Client IP) and is directed to 172.16.1.7 (Acme-FS01). The rule is shown in the following screenshot:
- Also, we will need a general block rule that comes after the preceding rule in the rule evaluation order.
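As an added example, not part of the original article or of Untangle, the following Python script models the two rules above with first-match evaluation and shows why the general block rule has to come after the allow rule. The rule layout is this example’s own, not Untangle’s rule syntax, and 172.16.1.2 is a constructed stand-in for any Acme host other than Acme-FS01.

```python
import ipaddress

# Constructed rule table for the lab (Untangle-03, the Acme side). Rules are
# evaluated top to bottom and the first match decides; a flow that matches no
# rule is passed, which is why the lab needs the general block rule at all.
# The dict layout is this example's own, not Untangle's rule syntax.
RULES = [
    {"name": "ABC bank to Acme-FS01", "iface": "OpenVPN",
     "src": "172.16.136.10/32", "dst": "172.16.1.7/32", "action": "pass"},
    {"name": "Block everything else from the tunnel", "iface": "OpenVPN",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "action": "block"},
]


def matches(rule, iface, src, dst):
    """True when the flow's interface, source and destination all fit the rule."""
    return (rule["iface"] == iface
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))


def evaluate(rules, iface, src, dst):
    """Return (action, rule_name) for the first matching rule, or
    ("pass", None) when no rule matches."""
    for rule in rules:
        if matches(rule, iface, src, dst):
            return rule["action"], rule["name"]
    return "pass", None


def simulate(rules, flows):
    """Run several (iface, src, dst) flows through the table and return the
    actions in the same order; handy for checking a change to the table."""
    return [evaluate(rules, *flow)[0] for flow in flows]


if __name__ == "__main__":
    flows = [
        ("OpenVPN", "172.16.136.10", "172.16.1.7"),   # ABC bank -> Acme-FS01
        ("OpenVPN", "172.16.136.10", "172.16.1.2"),   # ABC bank -> another Acme host (constructed)
        ("Internal", "172.16.1.50", "172.16.1.7"),    # local Acme user -> Acme-FS01
    ]
    print("as configured :", simulate(RULES, flows))
    print("rules reversed:", simulate(RULES[::-1], flows))
    print("no block rule :", simulate(RULES[:1], flows))
```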
The environment used for the client-to-site connection is shown in the following diagram:
To create a client-to-site VPN connection, we need to perform the following steps:
- Enable the OpenVPN server on Untangle-03.
- Create an individual client type client on Untangle-03.
- Distribute the client to the intended user (that is, the laptop at 192.168.1.7).
- Install OpenVPN on your laptop.
- Connect using the installed OpenVPN and try to ping Acme-DC01 using its name. The ping will fail because the client is not able to query the Acme DNS.
- So, in the Default Group settings, change Push DNS Domain to Acme.local.
Changing the group settings will not affect the OpenVPN client until the client is restarted.
- Now, the ping process will be a success.
In this article, we covered the VPN services provided by Untangle NGFW. We went deeply into understanding how each solution works. This article also provided a guide on how to configure and deploy the services. Untangle provides a free solution that is based on the well-known open source OpenVPN, which provides an SSL-based VPN.