2.7.4. OpenVPN Configuration Administrative Web Page

Note

Before you can start and use the OpenVPN Server you need to create a Certificate Authority.

2.7.4.1. Global settings

The first line in the Settings box indicates if the OpenVPN server is stopped or running.

Figure 2.66. Global settings

Global settings section

OpenVPN on RED.  Check this box to enable the OpenVPN server for RED.

OpenVPN on BLUE.  Only visible if you have configured a BLUE interface. Check this box to enable the OpenVPN server for BLUE.

Local VPN Hostname/IP.  Enter either the fully qualified domain name or the public IP address of the RED interface. If you are using a dynamic DNS service, you should use your dynamic DNS name here.

OpenVPN Subnet.  Content to be written...

Protocol.  Choose either UDP (default) or TCP. From the OpenVPN manual:

OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations
where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and
less robust when used over unreliable or congested networks.

This article outlines some of problems with tunneling IP over TCP:


http://sites.inka.de/sites/bigred/devel/tcp-tcp.html

Destination port.  TCP/UDP port number used. The default of 1194 is the official IANA port number assignment for OpenVPN.

MTU Size.  The MTU (Maximum Transmission Units) is the maximum datagram size in bytes that can be sent unfragmented over a particular network path. OpenVPN requires that packets on the control or data channels be sent unfragmented.

LZO-Compression.  Use LZO compression.

Encryption.  OpenVPN can use several algorithms to encrypt packets. The default BF-CBC (Blowfish in Cipher Block Chaining) is both fast and very secure.

2.7.4.2. Advanced Server options

It is important that you select the correct route to push to clients, on the Advanced Server options page.

Figure 2.67. Advanced Server options (top)

Advanced Server options (top) section

DHCP push options.  The OpenVPN server can push DHCP options such as DNS and WINS server addresses to clients. Windows clients can accept pushed DHCP options natively, while non-Windows clients can accept them with some additional configuration. Refer to the OpenVPN HowTo for more details.

Domain name suffix Set a connection-specific DNS suffix, for example local.example.org This is optional.

Primary/Secondary DNS Add a domain name server address, for example 192.168.1.1

These are optional, but when redirect-gateway is used, OpenVPN clients will route DNS queries through the VPN, and the VPN server will need handle them. This can be accomplished by pushing a DNS server address to connecting clients which will replace their normal DNS server settings during the time that the VPN is active.

Primary/Secondary NTP servers Add the IP Address here of an NTP server, for example 192.168.1.1 to push to clients. These are optional.

Primary/Secondary WINS Server addresses Add the IP Address here of a WINS server, for example 192.168.1.254 to push to clients. These are optional.

Push Routes.  The OpenVPN server pushes routing information to clients. Select the network you want to route traffic to.

Redirect all traffic through Tunnel Enable this when you want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. The client will take a performance hit, when all traffic has to pass through the OpenVPN server.

This adds push "redirect-gateway def1" to the server configuration file.

Green Network Enable this checkbox to route traffic to the Green Network.

Blue Network This checkbox will only be visible if you have a Blue interface. Enable this checkbox to route traffic to the Blue Network.

Orange Network This checkbox will only be visible if you have an Orange interface. Enable this checkbox to route traffic to the Orange Network.

Note

The available Networks are disabled by default.

Miscellaneous options.  Content to be written...

Content to be written...

Max-Clients Limit server to a maximum of n concurrent clients. Default value is 100.

Keepalive Default values are 10 and 60.

Figure 2.68. Advanced Server options (bottom)

Advanced Server options (bottom) section

Logfile options.  Select the level of Verbosity for the logfile from the Detail level drop-down menu. 0 is no logging except fatal errors. 1 is lowest level of logging, and 11 is highest level of logging.

Radius server settings.  Content to be written...

Content to be written...

2.7.4.3. Client status and control

The Add button will be disabled until the settings have been saved.

Figure 2.69. Client status and control

Client status and control section

2.7.4.4. Connection Type

The only choice at present is a Host-to-Net VPN. Note that the Net-to-Net VPN radiobutton is greyed out.

Click the Add button to proceed.

Figure 2.70. Connection Type

Connection Type section

2.7.4.5. Connection & Authentication

Content to be written...

Figure 2.71. Connection

Connection section

Name The connection name can only contain letter and digit characters.

Enabled Check this box to enable the entry.

Remark (optional).  If you want, you can include a string of text to describe or identify the connection.

User's Full Name or System Hostname Content to be written.

User's E-mail Address (optional).  User's E-mail address.

User's Department (optional).  This is the department or suborganization name. Continuing the school district example, this could be My Elementary School.

Organization Name The organization name. For example, if this VPN tunnel is tying together schools in a school district, you may want to use something like Some School District.

City (optional).  The city.

State or Province (optional).  The state or province.

Country This pull down selection menu contains every ISO recognized country name. Use it to select the country associated with the tunnel.

PKCS12 File Password Content to be written.

2.7.4.6. Client status and control with a Connection

An example of a Host-to-Net connection with a Certificate is shown below.

Figure 2.72. Client status and control example

Example client status and control section

Status.  Closed (Stopped), Closed (Active) or Open.

Download Client Package (zip) Icon.  Content required...

Show Certificate Icon.  Content required...

Download Certificate Icon.  Content required...

Enabled/Disabled Icon.  Toggle the Connection between Enabled and Disabled.

Edit Icon.  Click the Yellow Pencil icon to edit the Remark.

Remove Icon.  Click the Trash Can icon to delete the Connection.