Untangle OpenVPN Overview:
OpenVPN lets administrators provide secure remote
access to the internal network. Untangle’s intuitive
GUI makes it easier to:
- Configure basic settings through a setup wizard
- Generate custom certs for each client
- Easily distribute client software via email
OpenVPN is one of two solutions Untangle offers to
enable secure, remote access to your network. OpenVPN
requires a client on each host, meaning a small application
must be installed on each computer that is going to
require access.
OpenVPN makes the most sense for persistent site-to-site
connections and remote access to non-web (e.g. client/server)
applications.
OpenVPN is an SSL-based virtual private network.
Supporting a range of platforms, including Windows 2000/XP
and higher, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS
X, and Solaris, OpenVPN can tackle all of your VPN needs.
Powerful security and control features and intuitive
set-up make this an ideal solution for your business.
Key Features:
- Open source & Free under the GNU General Public
License (GPL)
- Status & Wizard for basic settings and set-up
- Custom executable automatically generated for
each client
- Event Log shows VPN login/logout events
- Reports show general statistics on VPN usage

Technical Specifications:
OpenVPN is an SSL-based VPN (virtual private network)
that supports both site-to-site and client-to-site VPN.
When you create new clients or sites, OpenVPN creates
a custom executable for each client that contains the
client, configuration, and authentication information.
Users simply need to install the custom executable on
their computers. OpenVPN supports the following operating
systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
Under The Hood
Unlike most other VPN protocols, SSL runs on the application
level (user space), enabling a highly secure and reliable
connection without the implementation complexities that
are inherent in VPN protocols that use the network level.
The key to this user-space implementation is a tun/tap
virtual network adapter. A tun adapter is a simulated
point-to-point link, like a T-1, while a tap adapter
simulates ethernet.
In a nutshell, SSL encapsulates IP in UDP. IP packets
sent from a tun or tap virtual network adapter are encrypted
and encapsulated onto a UDP connection, and sent to
a remote host over the Internet. The remote host decrypts,
authenticates, and de-encapsulates the IP packets using
a tun/tap virtual adapter.
A user-space VPN model links a local tun/tap virtual
adapter with a remote tun/tap virtual adapter, just
as other VPN protocols use hardware adapters. When the
connection is forwarded over SSH, a secure port forwarding
tool, the VPN connection is very secure.
What It Does
Provides SSL-based virtual private networking
How It Does It
Based on OpenVPN, with Untangle custom interface
and pre-built client distribution feature
Controls
- Setup Wizard for site-to-site and client-to-site
VPNs
- Selectable server port and DNS override settings
- You can specify what hosts/networks are exported
through the VPN
- Includes a client distribution utility for secure
distribution of keys via email with URL link or
USB key
OpenVPN FAQs:
Can I install the OpenVPN client that came with
Untangle Server onto a Vista 32-bit Operating System?
No. The OpenVPN version that came with Untangle
Server is incompatible with Vista. Compatibility
is available through use of a new OpenVPN client
that must be obtained separately, as follows:
- Download the OpenVPN configuration file
(obtained via email from the Untangle administrator
or via USB key)
- If obtained via email, the filename
is config.zip, which can be uncompressed
using WinRAR or WinZIP
- If obtained on a USB key, the filename
is config-<site>-<user>.zip,
where <site> and <user>
identify its planned usage.
- Download and install OpenVPN 2.1_rc7
from the OpenVPN website.
- Load your configuration files into the OpenVPN
executable's configuration directory, typically
c:\Program Files\OpenVPN\config
That's it. Your VPN client is installed and ready!
What operating systems does OpenVPN support?
OpenVPN supports the following operating systems:
- Windows 2000/XP and higher
- Linux
- OpenBSD
- FreeBSD
- NetBSD
- Mac OS X
- Solaris
I started OpenVPN and my network died. Why?
The most common cause is that the address
pool assigned to VPN users is in the same address
range used by LAN users. Unless your LAN uses addresses
that are in the default VPN address pool, leave
the VPN address pool as is. Otherwise, change the
pool as needed to make sure they are different.
For more information, go to Prepare To Configure
Your VPN Server.
Why is the hostname not resolving for VPN users?
If you mapped a hostname to an IP address so
that VPN users can access that network resource
using the hostname instead of the IP address, and
those users can only access the network resource
using the IP address, you probably didn't select
the export DNS check box when you mapped
the hostname to the IP address as outlined in Mapping
Computer Hostnames To IP Addresses.
What does Warning...files...no longer available...
mean?
If you receive the following message when you
try to download the VPN Client:
Warning The files that you requested are
no longer available, please contact your network
administrator for more information
...your VPN Client key is no longer valid. Ask
your Untangle Server administrator to resend the
VPN Client key.
Why does OpenVPN provide a default IP address
pool that is incompatible with my network?
As discussed in Configuring Untangle Server
as a VPN Server, Untangle Client provides a default
IP address pool (also known as virtual IP addresses).
Accept the default. By design, this default IP address
pool does not match your current network's IP address
scheme, ensuring that remote VPN clients do not
conflict with non-VPN clients on the same network.
How do I set up OpenVPN Server if my Untangle
Server is behind another router?
Use port forwarding to enable users outside to connect
to the VPN Server. Do the following:
- Add a redirect or port forward from some
external IP UDP port 1194 to the Untangle Server
port 1194. Go to Redirecting External and Internal
Traffic.
- Configure Untangle Server to use the external
IP so Untangle Server will distribute the correct
client configuration by doing one of the following:
- If you have a DNS name that looks up
to the external IP, configure Untangle Server
to use that hostname: Config > Networking
> Hostname. Specify the hostname and select
the hostname resolves publicly check
box.
- If you do not have a hostname that looks
up externally, configure Untangle Server
to use the external IP: Config > Administration
> Public Address.
If a user or site loses a secure key, how do I
disable the old key and issue a new one?
When you remove a user from a VPN Site or VPN
Client, you revoke that user's certificate and invalidate
the key that was previously issued to that user.
To permanently revoke a user's key, go to Revoking
Users' VPN Access Permanently.
Can I administer an Untangle Server over a VPN
connection?
Yes. To administer the Untangle Server, you must
include the internal address of the system in one
of the Exported hosts networks. This internal address
can either be one of the following:
- A single entry that contains the IP address
with a 255.255.255.255 netmask. For example,
192.168.1.1/255.255.255.255.
- An entry that contains a network that includes
the IP address. For example, 192.168.1.0/255.255.255.0.
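The two address checks described in the FAQs above (the VPN address pool must not overlap the LAN, and the server's internal address must fall inside an exported host or network) can be verified before the settings are applied. The following is an added example, not part of Untangle or OpenVPN; the function names and the sample pool and LAN values are constructed for illustration, and entries use the address/netmask form shown on this page.

```python
import ipaddress

def parse_net(entry):
    """Parse 'address/netmask' (the form used on this page) or CIDR notation."""
    return ipaddress.ip_network(entry.strip(), strict=False)

def pool_conflicts(vpn_pool, lan_networks):
    """Return the LAN networks whose address range overlaps the VPN pool."""
    pool = parse_net(vpn_pool)
    return [lan for lan in lan_networks if parse_net(lan).overlaps(pool)]

def admin_reachable(server_ip, exported_entries):
    """Return the exported entries that cover the server's internal address."""
    addr = ipaddress.ip_address(server_ip)
    return [e for e in exported_entries if addr in parse_net(e)]

def review(vpn_pool, lan_networks, server_ip, exported_entries):
    """Collect findings for both checks; an empty list means no problem found."""
    findings = []
    for lan in pool_conflicts(vpn_pool, lan_networks):
        findings.append(f"VPN pool {vpn_pool} overlaps LAN {lan}: change the pool")
    if not admin_reachable(server_ip, exported_entries):
        findings.append(f"{server_ip} is not covered by any exported host/network: "
                        "administration over the VPN will not work")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not Untangle defaults.
    lans = ["192.168.1.0/255.255.255.0", "10.0.0.0/255.0.0.0"]
    # Misconfigured: pool sits inside the LAN, server address not exported.
    for line in review("192.168.1.128/255.255.255.128", lans,
                       "192.168.1.1", ["192.168.2.0/255.255.255.0"]):
        print("PROBLEM:", line)
    # Corrected: separate pool, server exported as a single host entry.
    print(review("172.16.50.0/255.255.255.0", lans,
                 "192.168.1.1", ["192.168.1.1/255.255.255.255"]))
```
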
Can I use OpenVPN with my Mac OS X workstation?
Yes. OpenVPN supports many platforms including
Mac OS X. You will need to install a VPN client
on your Mac.
To install a Mac OS X VPN client:
- Download the Tunnelblick client at
http://www.tunnelblick.net (Release Candidate
3).
- Unzip the download and copy the Tunnelblick
application to your Applications Folder.
To configure Tunnelblick client:
- Download VPN configuration files from Untangle
Server.
- Copy the config files to /Users/_USERNAME_/Library/openvpn
To start Tunnelblick client:
- Execute client from the Applications folder.
- The icon will appear in the top right corner
of the Menu Bar. Click on the icon and select
Connect 'office-mv'.
- To view websites hosted inside the VPN you
may need to do the following:
- Click on "Details" in the Tunnelblick
menu
- Check the "Set Nameserver" box
- Disconnect and Re-Connect your VPN


Can I install the OpenVPN client that came with
Untangle Server onto a Vista 32-bit Operating System?
No. The OpenVPN version that came with Untangle
Server is incompatible with Vista. Compatibility
is available through use of a new OpenVPN client
that must be obtained separately, as follows:
- Download the OpenVPN configuration file
(obtained via email from the Untangle administrator
or via USB key)
- If obtained via email, the filename
is config.zip, which can be uncompressed
using WinRAR or WinZIP
- If obtained on a USB key, the filename
is config-<site>-<user>.zip,
where <site> and <user>
identify its planned usage.
- Download and install OpenVPN 2.1_rc4
from the OpenVPN website.
- Load your configuration files into the OpenVPN
executable's configuration directory, typically
c:\Program Files\OpenVPN\config
That's it. Your VPN client is installed and ready!
Hardware Requirements:
- The Untangle Server requires a dedicated PC
installed at the gateway to your network.
- Your hardware does not need an operating system
- the Untangle Server installs its own operating
system.
- The Untangle Server software completely erases
any content or data that may exist on your PC hard
drive.
Sizing Guidance
Recommended Configurations (New Hardware)
When purchasing new hardware, spending a couple of
extra dollars to meet the following recommended configurations
provides the best value.
| Resource | Up to 50 Users | Up to 100 Users | Up to 300 Users |
|---|---|---|---|
| Intel/AMD-compatible Processor | Pentium 4 equivalent or greater | Dual Core | Dual Core |
| Memory | 1 GB | 1 GB | 2 GB |
| Hard Drive | 80 GB | 80 GB | 80 GB |
| NIC's | 2 (3 for DMZ) | 2 (3 for DMZ) | 2 (3 for DMZ) |
Verified Configurations (Trials, Refurbished or
Repurposed Hardware)
These are the lowest verified hardware configurations
that provide reliable — albeit sometimes slower — performance
in production. However, it may be possible for organizations
with lower than average network traffic or organizations
that do not wish to use all of the modules to run Untangle
on smaller systems.
| Resource | Up to 50 Users | Up to 100 Users | Up to 300 Users |
|---|---|---|---|
| Intel/AMD-compatible Processor | 800 MHz | 1.2 GHz | 1.6 GHz |
| Memory | 512 MB | 1 GB | 2 GB |
| Hard Drive | 20 GB | 30 GB | 40 GB |
| NIC's | 2 (3 for DMZ) | 2 (3 for DMZ) | 2 (3 for DMZ) |