OpenVPN is an SSL/TLS based virtual private network solution. It uses the industry standard SSL/TLS protocol to create the encrypted tunnel which can transmit packets of OSI layer 2 or 3. Pay attention to not confuse OpenVPN with what many vendors call SSL VPN. Most of them only claim to be real SSL VPNs, instead they actually are just application level gateways that tunnel only application streams of certain services through an encrypted tunnel without implementing a whole VPN, which in fact is a site-to-site tunnel. As a real SSL VPN, OpenVPN has the ability to tunnel all your traffic from OSI layer 2 on, so even ARP traffic can be transmitted to the remote endpoint.
Once logged in, click on the Downloads menu item, where you should see the available Endian ConnectAPP installer files, at which point you can click the file for your specific operating system Windows or Mac OS X. Once the download is complete, follow your operating system's normal procedure to run the Endian ConnectAPP's installation.
Free endian vpn client 2.1 download. Internet & Network tools downloads - Endian VPN Client by Endian and many more programs are available for instant and free download.
Mar 02, 2017.
The main advantage of this type of VPN is the ease of use. Since OpenVPN is an application on both sides of the tunnel, it runs of course in user-space instead of kernel space. Therefore it does not even need modifications of the kernel and furthermore minimizes the probability of a catastrophic failure which is certainly higher for software which runs in kernel space. This makes the whole A LOT easier to introduce in a network. In fact wherever you manage to establish a normal TCP or UDP connection, like from a browser to a server, you can use OpenVPN. There is no need for NAT traversal or the like. We strongly encourage you to use OpenVPN instead of IPSec if you can choose. The only argument which comes to our mind for using IPSec is interoperability to other vendors.
Figure 8.4. Figure of a VPN using OpenVPN as mixed VPN combining a Host-to-Net VPN (the Roadwarrior) and Net-to-Net VPNs in a hub-and-spoke topology
Endian Firewall implements both OpenVPN server and client. The administration interface is divided in two main parts Openvpn Server and Openvpn Net2Net client. Basically the OpenVPN server opens a virtual interface (the interface name begins with tap) whose function is to send bits to the OpenVPN server instead to the wire. The tap interface is joined with the GREEN bridge, so each connected client is - from the sight of the other machines behind GREEN - also directly part of the GREEN network. For the OpenVPN server it makes no difference at all if the client connects a whole net (Net-to-Net) or just a roadwarrior (Net-to-Host) and it makes no difference if there are connected one, two or many clients.
Another advantage compared to IPSec is the fact that the OpenVPN server acts like a switch (hub-and-spoke). Communication between the VPN endpoints is possible and communication between the connected OpenVPN clients is kept within the tunnel and goes always through the server process. It must not leave the tap interface on the server side and therefore must not be decrypted and then re-encrypted on the server.
As mentioned before, the OpenVPN web interface is split into two parts. The Openvpn Server and the Openvpn Net2Net client menu, which you can select on top of the page as a submenu of Virtual Private Networking. If you like to create a simple tunnel from one EFW to another, simlpy choose one side as server and configure it through the OpenVPN server page. The other side acts as a client and is configured on the client page. On the client's side there is certainly no need to start the server. Download n64 roms for mac. If you have one side with dynamic IP's, use that one as client, since the client establishes the connection and may reconnect if the IP address changes. If you have NAT between the endpoints on the clients side, there is no problem at all. If you have NAT on the server side, simply forward the UDP port 1194 to the EFW.
The following describes the OpenVPN Server admin interface which you can find by clicking on the OpenVPN Server tab on top of the page.
Figure 8.5. Global Settings
This box contains common configuration for the OpenVPN server.
OpenVPN Server enabled
Tick this on if you like to enable the OpenVPN server on this machine.
IP Pool
Fill in the start and end ip address of an ip range from GREEN network which you like to assign to the OpenVPN clients connecting to this server. Note that with Net-to-Net topology, only the remote EFW will get an IP from this range and not the workstations behind.
Port
This is the port on which the OpenVPN Server will listen for incoming requests.
Protocol
This option allows you to change your protocol from UDP to TCP.
Warning
Do not select TCP as protocol, unless you know exactly what you are doing!
Block DHCP responses coming from tunnel
Since the virtual tap device of the OpenVPN server is joined with the GREEN bridge, broadcast packets of your GREEN zone will pass the tunnel. This includes DHCP requests from your workstations. If the client on the other side is in bridged mode, DHCP responses will return from it if the remote side has a DHCP server running. This may cause problems - if you do not want the remote DHCP server to assign IP addresses to your local workstations within GREEN tick this option to block the responses.
Note
Pay attention, this will not block the DHCP responses which come from your local DHCP and go to the remote network! You need to block them on the remote side.
CA Certificate
This is the text representation of your Certification Authority Certificate. This is needed on every OpenVPN client that wants to connect to your OpenVPN server.
Download CA Certificate
By clicking this link you can download the CA Certificate which is needed by each OpenVPN client in order to be able to connect to your OpenVPN server.
Figure 8.6. Users which are allowed to connect to openvpn
Below the global settings box, you will find the possibility to manage accounts which can connect to the OpenVPN server.
All known users will be listed within a table. Each line has the following action icons which will apply for the respective user:
Configure Networks
When clicking this button you will be redirected to a new window where you can administer this user's network settings.
Enabled icon
If this appears as a ticked on checkbox, the user is enabled and can connect. Click on it to disable or enable the user. Note that disabling an already connected user does not kick it, it just refuses reconnecting.
Trash can icon
Click on it to remove the account.
Pencil icon
Click on it to edit the respective account. This will open a new page which will be described later in Add Account.
Below, you will find a single button, Add Account, which allows you to add a new account. This button will open a new page which will be described later in the Add Account section.
Figure 8.7. Add Account
If you create a new account, you find the following configuration fields:
Username
Fill in the username to be created
Verify Password
Fill in the same password as above. This is only for verification purposes in order to ensure that you typed the password correctly.
Remote network
This is not needed if the remote client which uses to connect with this new account, is in bridge mode. https://browndouble457.weebly.com/final-draft-torrent-download-mac.html. Otherwise you need to specify the network address of the remote GREEN network in order to let the Endian Firewall create correct routing entries on both sides.
Remote Network Mask
Fill in the netmask of the remote client if it is configured to be in routing mode.
use this firewall as default gateway
Tick this on of you'd like to have the remote client to create routing entries in order to redirect all the traffic of the remote side through the VPN tunnel to your EFW, where it then can leave the RED interface. You normally want this on roadwarriors in order to enforce security policies, otherwise the remote side certainly has its own internet connection and a possible intruder may come in through the VPN and compromise the local GREEN network. Basically this option does the following on the remote side:
Creates a host route which sends all traffic with our RED IP address as destination to the IP address which is used as default gateway.
Removes the default route entry.
Creates a new default route entry with our GREEN IP address as gateway.
push route to blue zone
This option will grant the new user access to your BLUE zone.
Note
This option is only available if you have configured your BLUE zone.
push route to orange zone
This option will grant the new user access to your ORANGE zone.
Note
This option is only available if you have configured your ORANGE zone.
The following is below the box Users which are allowed to connect to openvpn and shows you all currently connected users.
Figure 8.8. Connection status and control
The table shows you the following information:
User
The name of the user that is connected to the server.
Assigned IP
The IP address which has been assigned to the client by the server. This IP address belongs to the GREEN IP range configured above.
Real IP
The real public IP address of the connected client.
RX
The data volume that has been received through this tunnel.
TX
The data volume that has been transmitted through this tunnel.
Connected since
The timestamp when the client has connected.
Uptime
The amount of time the respective client is already connected.
The following actions can be performed on each connected user:
Kill
Kills the connection immediately. The user can reconnect and this will happen since the openvpn client on the remote side will automatically reconnect as soon as it recognizes the disconnect, which will take up to a couple of minutes.
Ban
Bans the user. In fact this deactivates and then kicks the user in a row. The user cannot reconnect.
This section describes the configuration of the OpenVPN client shipped with Endian Firewall. With this client, you can have the Endian Firewall connect to a remote OpenVPN server. Normally you will use this if you would like to create a Net-to-Net connection to another EFW. A client configuration needs the following information to be able to successfully connect to a remote OpenVPN server:
Username
Password
CA Certificate of the remote server.
You will get the CA certificate from the server if you push the Download CA Certificate link on Openvpn Server configuration page - on the remote Endian Firewall of course. This is needed to add an additional random information which one must have. In this manner it is not possible for attackers to connect to the VPN by only gathering the username and the password. They also need the certificate in order to be able to connect.
This page lists status-reports for the configured tunnels. You will notice that this page reloads every five seconds in order to update the status display if the status of some clients changes.
Figure 8.9. VPN tunnel and control
The following describes the displayed configuration items of each client and your action possibilites:
Status
Displays the connection status of the respective tunnel. The following values do exist:
closed
The tunnel is closed. There is no connection to the remote host.
established
The tunnel to the remote host is established and working.
connecting.
The client is actually trying to connect to the remote host.
resolve error
The client could not resolve the remote's hostname. Probably the hostname does not exist or you have a problem with your DNS resolver.
invalid ca cert
The CA certificate is invalid. Maybe you supplied the wrong certificate. Another possibility could be that the date on your host is wrong, so that the certificate is not yet valid.
authentication failed
The client could not authenticate to the remote host. You may have supplied the wrong username or password.
Remote Address
The remote host to which the client should connect.
Options
Displays configuration options if they are set. Possibly values are:
bridged
The client is in bridged mode.
drop DHCP
The client blocks DHCP responses coming from the tunnel.
Remark
Optional connection description.
Action
To edit an existing tunnel, click on its pencil icon. The VPN tunnel values will be displayed in the add vpn tunnel settings section of the page.
To remove an existing tunnel, click on its trash can icon. You will be asked if you really want to remove the tunnel, and if you choose Yes, the tunnel configuration will be removed.
To enable or disable a rule - click on the Enabled icon (the checkbox in the Action column) for the particular entry you want to enable or disable. The icon changes to an empty box when a tunnel is disabled. Click on the checkbox to enable it again
Below you find a single button Add tunnel configuration, which allows you to create a new client configuration in order to connect to a remote Endian firewall or another sort of OpenVPN server.
If you push the button Add tunnel configuration you will reach this page.
Figure 8.10. Add a VPN tunnel
In order to create a new tunnel configuration you need to provide the following information:
Connect to
IP address or public host name (FQDN) of the remote Endian Firewall (or other OpenVPN server).
Username and Password
Username and password of the OpenVPN account created on the remote host.
Bridged/routed
The OpenVPN client can run in either routed or bridged mode. The difference is in which OSI layer the client will act. If you specify bridged mode, the clients virtual tap device will be joined to the bridge of the GREEN zone (br0). As a member of the bridge, all traffic created within the GREEN network will also be passed through the tunnel to the remote side. This includes ARP traffic and other protocols which are below TCP. In this manner, the tunnel acts like a switchport. You can use this for example if you need to be able to browse the remote's Microsoft Windows servers. In order to access hosts on the remote side you certainly must use the same GREEN network address on both sides, since in fact those two GREEN networks will really be part of the same physical network.
Note
But pay attention, this option does not scale well and sends much unneeded traffic through the tunnel! Use it only if you really need it.
With routed mode the clients tap device will remain alone and will not be joined to the GREEN bridge. The device will obtain an IP address assigned by the remote OpenVPN server which selects it from the IP its configured pool. The two GREEN zones are splitted and the two networks will be routed. This all happens within a higher OSI layer. In order to make this work, you need to have different GREEN network addresses, since the two networks in this mode are not the same and need to be distinctable. You also need to specify your local GREEN network and network mask on the remote OpenVPN server in order to let the client set the needed routes.
block DHCP responses coming from the tunnel
If you selected routed mode, this does not interest you at all. Otherwise, if you have selected bridged mode, the virtual tap device of the OpenVPN client is joined to the GREEN bridge. Therefore broadcast packets of your GREEN zone will pass through the tunnel. This includes DHCP requests from your workstations. Since the server on the other side is also part of this GREEN bridge, DHCP responses will return from it if the remote runs a DHCP server. This may cause problems - if you do not want the remote DHCP server to assign IP addresses to your local workstations in the GREEN zone. Tick this on if you would like to block these responses.
Note
Pay attention, this will not block the DHCP responses which come from your local DHCP and go to the remote network! You need to block them on the remote side.
CA certificate
Endian Firewall OpenVPN server CA certificate. You get this certificate by pressing the Download CA Certificate link on the remote OpenVPN server configuration page.
CA certificate
you can paste your CA certifcate content (text) in this box or.
upload CA file
.you can upload the CA certificate file.
Net-to-Net Step by Step Connection (between 2 or more Endian Firewalls)
Situation: you have three branch offices with three Endian Firewall and you need to connect the offices in a unique network as star topology (hub-and-spoke) with encrypted tunnels.
Note
The clocks on either end of the EFW VPN tunnel should be up to date before configuring a VPN, otherwise the connection may not be established if the CA certificate is not yet valid because of a wrong clock.
Configure Endian Firewall OpenVPN server
One of the three Endian firewall must act as OpenVPN server (the hub):
Go to the OpenVPN server section (VPN > Openvpn Server)
Figure 8.11. Openvpn Server
Set an IP address range which will be used to assign an internal (GREEN) IP address to the other two Endian Firewalls.
Tick on the Enabled box.
Now add 2 users, office1 and office2 (one for each Endian Firewall that will be connected to our Endian Firewall OpenVPN server) pressing on Add Account button in the Users which are allowed to connect to openvpn section.
Figure 8.12. Users which are allowed to connect to openvpn
Fill in the information in the add new user form items. In this case we assume that it is enough to use routed mode. You need to specify the GREEN network address and network mask of the respective branch office. (office1 and office2). If you want the new user to be able to connect to your BLUE or ORANGE zone you have to tick the respective push route to blue/orange zone checkbox.
Figure 8.13. Add a new user
Repeat step 4 and 5 for the second user.
Figure 8.14. List of allowed users
Ok. The Endian Firewall in office0 is ready to receive VPN connections from the other offices.
Download the CA certificate file by clicking the link Download CA Certificate. You will need this file on both other Firewalls.
Username: the username created on office0 Endian Firewall (see 'Configure Endian Firewall OpenVPN server' point 4 and 5) (in this case: office1)
Password: the password for the user
Routed: in this case it probably would be better to choose routed.
Remark: insert a connection description (optional)
Upload CA file: click on the Browse button and choose the file which you saved before within step 8.
Click on Save button.
Repeat step 1 to 4 for the office2 Endian Firewall.
If all is ok, the page VPN > OpenVPN Server > Openvpn Net2Net client on your office1 and office2 firewall should show you this:
Figure 8.18. Connected to Office 0 tunnel
and the office0 Endian Firewall should show you the following on the VPN > OpenVPN Server page:
Figure 8.19. Connected Office 1 and 2 clients
With this configuration your workstations in the office1 and office2 nets should be able to reach the GREEN network of your office0.
Configuration of an OpenVPN client on the roadwarrior side
In order to connect to the Endian Firewall OpenVPN server you can choose from a list of free projects which implement an openvpn client with a graphical user interface. One you can find on Mathias Sundman's OpenVPN GUI site. You can also download openvpn from the OpenVPN Homepage, which does provide the sourcecode package or a packaged Microsoft Windows Installer. Each major Linux distribution should have an own package of it and it has also been ported to other unix derivates.
Tip
Endian Firewall Enterprise Edition has a Linux package as well as a Windows package of the OpenVPN client available for download in the VPN > OpenVPN > Download section.
Next you need a valid and most notably Endian Firewall compatible configuration file. The OpenVPN server on the Endian Firewall:
runs as server of course, so your openvpn installation must act as client (--client) in order to successfully establish a connection.
listens on the standard port 1194 (--port 1194).
uses the UDP protocol (--proto udp).
encapsulates ethernet 802.3, therefore uses tap devices (--dev tap).
uses static key mode (--auth-user-pass).
uses fast LZO compression (--comp-lzo).
Example 8.1. An example command line to start openvpn on your roadwarrior
Example 8.2. An example configuration file for openvpn on your roadwarrior
Note
Download the CA certificate using the appropriate link on the OpenVPN server configuration page and copy the certificate file to the location to which you point with the --ca parameter.
In this page you find:
OpenVPN server
IPsec/L2TP
Changed in version 2.5: The VPN module GUI has been partly redesigned.
A VPN allows two separated local networks to directly connect toeach other over potentially unsafe networks such as the Internet. Allthe network traffic through the VPN connection is securely transmittedinside an encrypted tunnel, hidden from prying eyes. Such aconfiguration is called a Gateway-to-Gateway VPN, or Gw2Gw VPN forshort. Similarly, a single remote computer somewhere on the Internetcan use a VPN tunnel to connect to a local trusted LAN. The remotecomputer, sometimes called a Road Warrior, appears to be directlyconnected to the trusted LAN while the VPN tunnel is active.
The Endian UTM Appliance supports the creation of VPNs based either onthe IPsec protocol, which is supported by most operating systems andnetwork equipment, or on the OpenVPN service.
A user friendly OpenVPN client for Microsoft Windows, Linux, and MacOSX can be downloaded from the Endian Network.
The Endian UTM Appliance can be set up either as an OpenVPN server or asa client, and even play both roles at the same time, in order tocreate a network of OpenVPN-connected appliances. The menu itemsavailable in the sub-menu are the following:
OpenVPN server - set up the OpenVPN server so that clients (bothroadwarriors and other Endian UTM Appliances in a Gateway-to-Gatewaysetup) can connect to one of the local zones.
OpenVPN client (Gw2Gw) - set up the client-side of aGateway-to-Gateway setup between two or more Endian UTM Appliances
IPsec/L2TP - set up IPsec-based VPN tunnels and L2TP connections
VPN Users - manage users of VPN connections.
New in version 2.5: Support for L2TP
Changed in version 2.5: Moved the management of all users under asubmenu.
Changed in version 2.5.1: Moved IPsec and L2TP under the same menu
When configured as an OpenVPN server, the Endian UTM Appliance can acceptremote connections from the uplink and allow a VPN client to be set upand work as if it were a local workstation or server.
The page opens with the summary of the current server configuration,separated into two boxes: Global settings and Connection status andcontrol. Two additional tabs give access to Advanced settings andto the VPN client download.
Note
Whenever a change to the configuration of the OpenVPN serveroccurs or the way a user interacts with the other users is modified(e.g., by altering the Networks behind client option, see below),the OpenVPN server must be restarted, for the changes to bepropagated to all users. This necessity is shown after somemodification by a small box carrying a message that remembers torestart the server. The connected clients will be disconnected andautomatically reconnected after a short timeout, usually withoutnoticing the interruption.
This page shows two boxes: one that allows to set up some globalsettings, and an informative one that shows the connected clients.
Global settings
The box on the top shows the current settings, that can be changed atwill right from there, by simply modifying the following options,which are all related to the bridged OpenVPN. When the choice is theuse of a routed VPN setup, however, there will be only one optionavailable: VPN Subnet.
OpenVPN server enabled
Tick this checkbox to make sure the OpenVPN server is started.
Bridged
Tick this option to run the OpenVPN server in bridged mode,i.e., within one of the existing zones.
Note
If the OpenVPN server is not bridged (i.e., it isrouted), the clients will receive their IP addresses from adedicated subnet. In this case, appropriate firewall rulesin the VPN firewall should be created, tomake sure the clients can access any zone, or someserver/resource (e.g., a source code repository). If theOpenVPN server is bridged, it inherits the firewallsettings of the zone it is defined in.
VPN subnet
This option is the only available if bridged mode isdisabled. It allows the OpenVPN server to run in its own,dedicated subnet, that can be specified in the text box andshould be different from the subnets of the other zones.
Bridge to
The zone to which the OpenVPN server should be bridged. Thedrop-down menu shows only the available zones.
Dynamic IP pool start address
The first possible IP address in the network of the selectedzone that should be used for the OpenVPN clients.
Dynamic IP pool end address
The last possible IP address in the network of the selectedzone that should be used for the OpenVPN clients.
Note
Traffic directed to this IP pool has to be filteredusing the VPN firewall.
The first time the service is started a new, self-signed CAcertificate for this OpenVPN server is generated, an operation thatmay take a long time. After the certificate has been generated, it canbe downloaded by clicking on the Download CA certificatelink. This certificate must be used by all the clients that want toconnect to this OpenVPN server, otherwise they will not be able toaccess.
After the server has been set up, it is possible to create andconfigure accounts for clients that can connect to the Endian UTM Appliance inthe Accounts tab.
Connection status and control
The box at the bottom shows a list of the currently connected clients,although the list will be empty until the OpenVPN server is runningand clients have been created and have accessed the OpenVPNserver. This box is identical to the one in Menubar‣ Status ‣ OpenVPN connections, and contains for each client, itsname, assigned and real IP address, the traffic (received andtransmitted) in bytes, the connection time, the uptime, and the onlypossible action:
kill
Immediately close the connection for that client.
Troubleshooting VPN connections.
While several problem with VPN connections can be easily spotted bylooking at the configuration, one subtle source of connectionshiccups is a wrong value of the MTU size. The Endian UTM Appliancesets a limit of 1450 bytes to the size of the VPN’s MTU, to preventproblems with the common MTU value used by the ISP, whichis 1500. However, some ISP may use a MTU value lower that thecommonly used value, making the Endian MTU value too large andcausing therefore connection issues (the most visible one isprobably the impossibility to download large files). This value canbe modified by accessing the Endian UTM Appliance from the CLI andfollowing these guidelines:
Write down the MTU size used by the ISP (see link below).
Login to the CLI, either from a shell or fromMenubar ‣ System ‣ Web Console.
Edit the OpenVPN template with an editor of choice:nano /etc/openvpn/openvpn.conf.tmpl.
Search for the string mssfix 1450.
Replace 1450 with a lower value, for example 1200.
Restart OpenVPN by calling: restartopenvpn.
In this tab, three boxes allow to specify advanced settings for theOpenVPN server. Among other settings, certificate-based authentication(as opposed to password-based) can be set here.
Hint
For a normal use these settings can be left at their defaultvalues.
Advanced settings
The first box contains some global settings about the daemon:
Port, Protocol
The combination (1194, UDP) for port and protocol is thedefault OpenVPN setting and it is a good practice to keep itunchanged. To make OpenVPN accessible via other ports,appropriate port forwarding rules should be defined (seeMenubar ‣ Firewall ‣ Port Forwarding) toredirect incoming traffic to port 1194. The protocol should beset as TCP only in some borderline case, like e.g., whenaccessing the OpenVPN server through a third-party HTTP proxy,otherwise the default settings (1194, UDP) should always beused.
Block DHCP responses coming from tunnel
Tick this checkbox when receiving DHCP responses from the LANat the other side of the VPN tunnel that conflict with thelocal DHCP server.
Don’t block traffic between clients
By default, the OpenVPN server isolates clients from eachother. To change this behaviour, and allow traffic betweendifferent VPN clients, tick this option.
Allow multiple connections from one account:
Normally, one client is allowed to connect from one locationat a time. Selecting this option permits multiple clientlogins, even from different locations. However, when the sameclient is connect twice or more, the VPN firewall rules do notapply anymore.
New in version 2.5: An option to allow multipleconnections.
Global push options
In the second box the network setting sent to the client can bemodified. Each option, after having been changed, should be enable byticking the respective checkbox.
Push these networks
The routes to the specified networks defined here are sent tothe connected clients.
Push these nameservers
The specified nameservers are sent to the connected clients.
Push domain
The search domains used for local name resolution are added tothose of the connected clients.
Note
The options Push these nameservers and Push domain onlywork for clients running the Microsoft Windows operatingsystem.
Authentication settings
The last box concerns the choice of the authentication method amongthe three available, which also determines the configuration optionsavailable.
PSK (username/password)
Endian UTM Appliance‘s default method is PSK (username/password): Theclient authenticates using username and password. To use this method,no additional change is needed, while the other two methods aredescribed below.
By clicking on the Download CA certificate link, thepublic certificate of this OpenVPN server is downloaded. It is neededby the clients to verify the authenticity of the server they areconnecting to. Furthermore, a click on the Export CA asPKCS#12 file link download the certificate in PKCS#12 format (whichshould be kept private), which can be imported into any OpenVPNserver that should be used as a fallback server.
Finally, should this system be a fallback system, two further optionare available:
PKCS#12
Use the Browse button to select the certificate filethat exported from the primary server, or provide its pathand name.
Challenge password
The password to read the certificate. Leave it empty if thecertificate comes from another Endian UTM Appliance.
X.509 certificate and X.509 certificate & PSK (two factor)
When configuring the X.509-certificate-based authentication method(either certificate only or certificate plus username and password),the configuration becomes a bit more complicated. It is assumed (andrequired) that an independent certificate authority (CA) be employedfor this purpose. It is neither possible nor desired to host such acertificate authority on Endian UTM Appliance.
It is necessary to generate and sign certificates for the server andfor every client using the chosen certificate authority. Thecertificates type must be explicitly specified and be one of “server”and “client” in the “Netscape certificate type” field.
The server certificate file in PKCS#12 format must be uploaded in thissection (specify the Challenge password that has been specified tothe certificate authority before or during the creation of thecertificate).
The client certificates need to have the common name fields equalto their OpenVPN user names.
Warning
When employing certificate-only authentication, a clientwith a valid certificate will be granted access to the OpenVPNserver even if it has no valid account!
Finally, a revocation list (CRL) can be uploaded, in case a clientcertificate has been lost, to revoke that client certificate on theCA.
Click on the link to download the Endian VPN client for MicrosoftWindows, MacOS X, and Linux from the Endian Network. A valid account isneeded to download the client.
In this page appears the list of the Endian UTM Appliance‘s connectionsas OpenVPN clients, i.e., all tunnelled connections to remote OpenVPNservers. For every connection, the list reports the status, the name,any additional option, a remark, and the actions available. The statusis closed when the connection is disabled, and established whenthe connection is enabled. Beside to enable and to disable aconnection, the available actions are to edit or delete it. In theformer case, a form will open, that is the same as the one that openswhen adding a connection (see below) in which to see and modifythe current settings, whereas in the latter case only deletion ofthat profile from the Endian UTM Appliance is permitted.
The creation of a new OpenVPN client connections is straightforwardand can be done in two ways: Either click on the Add tunnelconfiguration button and enter the necessary information about theOpenVPN server to which to connect (there can be more than one) orimport the client settings from the OpenVPN Access Server by clickingon Import profile from OpenVPN Access Server.
Add tunnel configuration
There are two types of settings that can be configured for each tunnelconfiguration: The basic one includes mandatory options for the tunnelto be established, while the advanced one is optional and normallyshould be changed only if the OpenVPN server has a non-standardsetup. To access the advanced settings, click on the >>button next to the Advanced tunnel configuration label. The basicsettings are:
Connection name
A label to identify the connection.
Connect to
The remote OpenVPN server’s FQDN, port, and protocol in theform myvpn.example.com:port:protocol. The port andprotocol are optional and left on their default values whichare 1194 and udp respectively when not specified. Theprotocol must be specified in lowercase letters.
Upload certificate
The server certificate needed for the tunnel connection.Browsing the local filesystem is admitted, to search for thefile, of the path and filename can be entered. If the serveris configured to use PSK authentication (password/username),the server’s host certificate (i.e., the one downloaded fromthe Download CA certificate link in the server’sMenubar ‣ VPN ‣ OpenVPN server section)must be uploaded to the Endian UTM Appliance. Otherwise, to usecertificate-based authentication, the server’s PKCS#12 file(i.e., the one downloaded from the Export CA asPKCS#12 file link on the server’s Menubar ‣VPN ‣ OpenVPN server ‣ Advanced section) must beuploaded.
PKCS#12 challenge password
Insert here the Challenge password, if one was supplied tothe CA before or during thecreation of the certificate. This is only needed whenuploading a PKCS#12 certificate.
Username, Password
If the server is configured to use PSK authentication(password/username) or certificate plus passwordauthentication, provide here the username and password of theaccount on the OpenVPN server.
Remark
A comment on the connection.
Advanced tunnel configuration
In this box, that appears when clicking on the >> buttonin the previous box, additional options can be modified, though thevalues in this box should be modified only if the server side has notbeen configured with standard values.
Fallback VPN servers
One or more (one per line) fallback OpenVPN servers in thesame format used for the primary server, i.e.,myvpn.example.com:port:protocol. The port and protocolvalues default to 1194 and udp respectively when omitted. Ifthe connection to the main server fails, one of these fallbackservers will take over.
Hint
The protocol must be written in lowercase letters.
Device type
The device used by the server, which is either TAP or TUN.
Connection type
This drop-down menu is not available if TUN has been selectedas Device type, because in this case the connection type isalways routed. Available options are routed (i.e., theclient acts as a gateway to the remote LAN) or bridged(i.e., the client firewall appears as part of the remoteLAN). Default is routed.
Bridge to
This field is only available if TAP has been selected asDevice type and the connection type is bridged. Fromthis drop-down menu, select the zone to which this clientconnection should be bridged.
NAT
This option is only available if the Connection type isrouted. Tick this checkbox to hide the clients connectedthrough this Endian UTM Appliance behind the firewall’s VPN IPaddress. This configuration will prevent incoming connectionsrequests to the clients. In other words, incoming connectionswill not see the clients in the local network.
Block DHCP responses coming from tunnel
Tick this checkbox to avoid receiving DHCP responses from theLAN at the other side of the VPN tunnel that conflict witha local DHCP server.
Use LZO compression
Compress the traffic passing through the tunnel, enabled bydefault.
Protocol
The protocol used by the server: UDP (default) or TCP. Set toTCP only if an HTTP proxy should be used: In this case, a formwill show up to configure it.
If the Endian UTM Appliance can access the Internet only through an upstreamHTTP proxy, it can still be used as an OpenVPN client in aGateway-to-Gateway setup, but the TCP protocol for OpenVPN must beselected on both sides. Moreover, the account information for theHTTP upstream proxy must be provided in the text fields:
HTTP proxy
The HTTP proxy host, e.g., proxy.example.com:port, withthe port defaulting to 8080 if not entered.
Proxy username, Proxy password
The proxy account information: The username and thepassword.
Forge proxy user-agent
A forged user agent string can be used in some casesto disguise the Endian UTM Appliance as a regular web browser,i.e., to contact the proxy as a browser. This operation mayprove useful if the proxy accepts connections only for sometype of browsers.
Once the connection has been configured, a new box at the bottom ofthe page will appear, called TLS authentication, from which toupload a TLS key file to be used for the connection. These options areavailable:
TLS key file
The key file to upload, searchable on the local PC’s file system.
MD5
The MD5 checksum of the uploaded file, which will appear assoon as the file has been stored on the Endian UTM Appliance.
Direction
This field is set to 0 on servers and to 1 on clients.
Import profile from OpenVPN Access Server
The second possibility to add an account is to directly import theprofile from an OpenVPN Access Server: In this case, the followinginformation must be provided:
Connection name
A custom name for the connection.
Access Server URL
The URL of the OpenVPN Access Server.
Note
Note that the Endian UTM Appliance only supportsXML-RPC configuration of the OpenVPN Access Server,therefore a URL input here has the form:https://<SERVERNAME>/RPC2.
Username, Password
The username and password on the Access Server.
Verify SSL certificate
If this checkbox is ticked and the server is running on an SSLencrypted connection, then the SSL certificate will be checkedfor validity. Should the certificate not be valid then theconnection will be immediately closed. This feature might bedisabled when using a self-signed certificate.
Remark
A comment to recall the purpose of the connection.
The IPsec page contains two tabs (IPsec and L2TP), that allow toset up and configure the IPsec tunnels and to enable the L2TP support,respectively.
The IPsec tab contains three boxes: First, Global settings, servesto enable and configure IPsec. The second, Connection status andcontrol, shows all the connections and allows to add a newone. Finally, the Certificate authorities box allows to manage thecertificates. Note that by adding a new connection, new boxes will beshown, that help in the configuration of the connections’ types and oftheir options.
IPsec in a nutshell.
IPsec is a generic standardised VPN solution,in which the encryption and the authentication tasks are carriedout on the OSI layer 3 as an extension to the IPprotocol. Therefore, IPsec must be implemented in the kernel’s IPstack. Although IPsec is a standardised protocol and it iscompatible to most vendors that implement IPsec solutions, theactual implementation may be very different from vendor to vendor,sometimes causing severe interoperability issues.
Moreover, the configuration and administration of IPsec is usuallyquite difficult due to its complexity and design, while someparticular situations might even be impossible to handle, forexample when there is the necessity to cope with NAT.
Compared to IPsec, OpenVPN is easier to install, configure, andmanage. The Endian UTM Appliance implements an easy to useadministration interface that supports different authenticationmethods. It is suggested to use IPsec only if absolutely needed,for example to support existing IPsec installations or when dealingwith devices that do not support OpenVPN, because ofinteroperability problems that may arise, while the use of OpenVPNis encouraged in all other cases, especially if there is thenecessity to work with NAT.
Global settings
In this box can be done the configuration of the main parameters forthe IPsec configuration:
Enabled
Enable IPsec by ticking the checkbox (it is disabled by default).
Debug options
By clicking on the small + sign, some checkboxes willappear: Show the structure of input messages, Show thestructure of output messages, Show interaction with kernelIPsec support (KLIPS), and Show interaction with DNS. Byticking them, more detailed messages will be logged to the/var/log/messages file.
Connection status and control
Here there is a list of accounts and their connection status. The listshows the name, type, common name, remark, and status of eachconnection. New connections are added by clicking on theAdd button (see below). Possibleactions on each connection are: To restart, to enable or disable ,to edit or to delete it.
Certificate authorities
In the last box of the IPsec main page, the root and host certificatesare shown and the existing certificates can be managed. If root andhost certificates have yet to be generated, a “Not present”message is shown.
Generate root/host certificates
Click on the button to generate new root and hostcertificates. In the page that will open, all the requiredinformation (see Generate root/host certificates further on)can be provided.
CA name
In case that a CA certificate signed by an Authority isavailable, enter the name of the Authority in the first textbox, and the certificate file in the second one. The fileselector to facilitate the search for the file can be opened byclicking on the Browse. button, and thecertificate uploaded by clicking on the Upload CAcertificate button.
Reset
To erase an already created Certificate, click on this button atthe bottom of the page.
Warning
Please note that by resetting the root certificates,not only the certificates but also certificate-basedconnections will be erased.
Generate root/host certificates
The following information shall be entered to create new host and rootcertificates.
Organization name
The organization name to use in the certificate. Forexample, if the VPN is connecting together the schools in aschool district, it can be something like “SchoolDistrict of Aberdeen.”
Endian Firewall hostname
The hostname used to identify the certificate. It should beeither the FQDN or the REDIP address of the Endian UTM Appliance.
Your email address
A contact e-mail address.
Your department
The department name.
City
The name of the town or city.
State or province
The name of the state or province.
Country
Country of residence.
The certificates are created after clicking on the Generateroot/host certificates button. The process can take up to severalminutes to complete.
Subject alt name
An alternative hostname for identification.
Instead of generating new certificates, a previously created PKCS12certificate file can be upload using the lower box of the page.
Upload PKCS12 file
Open the file selection dialogue box by clicking on theBrowse. button and select the PKCS12 file.
PKCS12 file password
The password of the certificate, if the file is protected.
Upload PKCS12 file
Click this button to upload the PKCS12 file.
Add a tunnel/Connection type
Upon clicking on Add under Connection status and control,a page will open from which to select either a Host-to-Net VirtualPrivate Network, a Net-to-Net Virtual Private Network, or an L2TPHost-to-Net Virtual Private Network. After the choice of the type ofconnection, and one click on the Add button, the page forthe connection editor will open, that contains two boxes grouping thetypes of options: Connection configuration and Authentication.
Endian Vpn Client Download Mac Software
Connection configuration
The first box is used to configure the network parameters:
Name
The name of the connection.
Enabled
If ticked, the connection is enabled.
Interface
The interface through which the host is connecting. InNet-to-Net it is always the uplink.
Local subnet
The local subnet.
Local ID
A string that identifies the local host of the connection.
Remote host/IP
the IP or FQDN of the remote host.
Remote subnet
Only available for net-to-net connections, it specifies theremote subnet.
Remote ID
The ID that identifies the remote host of this connection.
Dead peer detection action
The action to perform if a peer disconnects. Available choicesfrom the drop-down menu are to Clear, to Hold, or toRestart the peer.
Note
Unlike in other places, clicking or moving the mouseover the ? Download printer driver photosmart c4280 mac. will not provide a tooltip, but open a web pagewith a detailed description of the functionalities of the deadpeer detection.
Remark
A comment for the connection.
Edit advanced settings
Tick this checkbox to edit more advanced settings. They will beaccessible and editable after saving the current settings(at the bottom of the next box).
Authentication
This box serves to configure the authentication.
Use a pre-shared key
Enter a pass phrase to be used to authenticate the other sideof the tunnel. Choose this option for a simple Net-to-NetVPN.
Warning
Do not use PSKs to authenticate Host-to-Netconnections!
Upload a certificate request
Some roadwarrior IPsec implementations do not have their ownCA. If they wish to use IPsec’s built-in CA, they can generatea so-called certificate request, which is a partial X.509certificate that must be signed by a CA. During thecertificate request upload, the request is signed and the newcertificate will become available under theMenubar ‣ VPN section of the Endian UTM Appliance.
Upload a certificate
In this case, the peer IPsec has a CA available for use. Boththe peer’s CA certificate and host certificate must beincluded in the uploaded file.
Upload PKCS12 file - PKCS12 file password
Choose this option to upload a PKCS12 file. If the file issecured by a password, it must be supplied in the text fieldbelow the file selection field.
Generate a certificate
A new X.509 certificate can also be created. In this case, therequired fields must be defined. Optional fields are indicatedby red dots. If this certificate is for a Net-to-Netconnection, the User’s Full Name or System Hostname field mustcontain the fully qualified domain name of the peer. ThePKCS12 File Password fields ensure that the host’s generatedcertificates cannot be intercepted and compromised while beingtransmitted to the IPsec peer.
Advanced settings
In this page, that opens upon defining and saving a new connection,some advanced setting for that connection can be defined.
Warning
Unexperienced users should not change the followingadvanced settings!
IKE encryption
The encryption methods that should be supported by IKE.
IKE integrity
The algorithms that should be supported to verify theintegrity of packets.
IKE group type
The IKE group type.
IKE lifetime
How many hours are the IKE packets valid.
ESP encryption
The encryption methods that should be supported by the ESP.
ESP integrity
The algorithms that should be supported to verify theintegrity of packets.
ESP key life
How many hours should an ESP key be valid.
IKE aggressive mode allowed
Tick this box to enable IKE aggressive mode. It is suggestedNOT to do so.
Changed in version 2.5: This option was removed from the2.5 version.
Perfect Forward Secrecy
If this box is ticked, perfect forward secrecy is enabled.
Negotiate payload compression
Tick this box to use payload compression.
Roadwarrior virtual IP
This option allows to assign a virtual IP (“inner IP”) to theuser when the connection is established.
See also
On the website help.endian.com, the followingtutorials are available:
IPsec VPN - How to Create a Roadwarrior Connection (Shrewsoft)
SSL VPN - How to Create a Net-to-Net Connection
SSL VPN - How to Create a Net-to-Net Connection (over HTTP)
IPsec VPN - How to Create a Net-to-Net Connection(Endian-to-Endian)
SSL VPN - How to Create a Roadwarrior Connection
IPsec VPN - How to Create a Net-to-Net Connection(Endian-to-Cisco ASA)
L2TP, the Layer 2 Tunnelling Protocol, is described in RFC 2661. https://scoutheavenly862.weebly.com/bloodshed-dev-c-android.html. Ina nutshell, it is a protocol that allows a tunnel connection thatcarries PPP packets. It is used to support VPN connections usingIPSec.
The following options are available to configure L2TP.
Enable L2TP
The checkbox must be ticked to enabled L2TP support in theEndian UTM Appliance.
Zone
The zone to which the L2TP connections are directed. Only theactivated zones can be chosen from the drop-down menu.
L2TP IP pool start address, L2TP IP pool end address
The IP range from which L2TP users will receive an IP address whenconnecting to the Endian UTM Appliance.
Enable debug
Tick this checkbox to let L2TP produce more verbose logs.
See also
On the website help.endian.com, there are severaltutorials available, that help in the set up of the Endian UTM Applianceas IPsec server and smartphones as clients:
Setup of a VPN with IPsec and an L2TP tunnel
Connecting to an Endian UTM via L2TP (IPSec) using Android
Connecting to an Endian UTM via L2TP (IPSec) using iOS
Connecting to an Endian UTM via L2TP (IPSec) using Windows 7
Changed in version 2.5: This configuration page was moved fromMenubar ‣ VPN ‣ OpenVPN server ‣ Accountsand its layout was improved.
The box in this page contains the list of OpenVPN users, which isinitially empty. The only available action is therefore toAdd new User, while the list contains the list of theaccounts already defined with some information on it: The account’sname, a remark, whether it is an OpenVPN or L2TP user, the networksused by the account, its status and the available actions.
Click on Add new User to add a VPN account. In the form thatwill show up, the following options can be specified for each user:
Add User
Name
The login name of the user
Enabled
Tick the checkbox to enable the user, i.e., to allow her toconnect to the OpenVPN server on the Endian UTM Appliance.
Password, Confirm password
The password for the user, to be entered twice. The passwordsare actually not shown: To see them, tick the two checkboxeson their right.
Remark
An additional comment.
Under the VPN protocols panel, two checkboxes allow to chose theprotocol used for the VPN connection:
OpenVPN
Tick this checkbox to allow the OpenVPN protocol to be used.
L2TP
Tick this checkbox to allow the L2TP protocol to be used.
Note
This option can not be selected if no L2TP tunnelhas yet been configured. In such a case, aninformative message appears as a hyperlink: Uponclicking on it, the IPsec connection editoropens. Once done, it will be possible to allow a VPNuser to connect using the L2TP Protocol.
Right below, it is possible to specify more advanced settings foreach of the protocols that the user shall use. A click on theAdvanced Settings hyperlink shows two more hyperlinks:Clicking on each of them reveals a new panel in which to configurefurther settings for the connection.
Endian Vpn Client Download Mac Download
OpenVPN Options
direct all client traffic through the VPN server
If this option is checked, all the traffic from the connectingclient, regardless of the destination, is routed through theuplink of the Endian UTM Appliance. The default is to route all thetraffic whose destination is outside any of the internal zones(such as Internet hosts) through the client’s uplink.
Push only global options to this client
For advanced users only. Normally, when a client connects,tunneled routes to networks that are accessible via VPN areadded to the client’s routing table, to allow it to connect tothe various local networks reachable from the Endian UTM Appliance. Thisoption should be enabled if this behaviour is not wanted, butthe client’s routing tables (especially those for the internalzones) should be modified manually.
Push route to blue zone, Push route to orange zone
When this option is active, the client will have access to theblue or the orange zone. These options have no effect if thecorresponding zones are not enabled.
Networks behind client
This option is only needed if this account is used as a clientin a Gateway-to-Gateway setup. In the box should be writtenthe networks laying behind this client that should be pushedto the other clients. In other words, these networks will beavailable to the other clients.
Push only these networks
The local network routes that should be pushed to theclient. This options overrides all automatically pushed routes
Static IP addresses
Dynamic IP addresses are assigned to clients, but a static IPaddress provided here will be assigned to the client wheneverit connects.
Enable push these nameservers
Assign custom nameservers on a per-client basis here. Thissetting (and the next one) can be defined, but enabled ordisabled at will.
Enable push domains
Assign custom search domains on a per-client basis here.
One-to-One NAT
In the two textfield below it is possible to specify customone-to-one NAT-ed sources and destinations.
Note
When planning to have two or more branch offices connectedthrough a Gateway-to-Gateway VPN, it is good practice to choosedifferent subnets for the LANs in the different branches. Forexample, one branch might have a GREEN zone with the192.168.1.0/24 subnet while the other branch uses192.168.2.0/24. Using this solution, several possible sourcesfor errors and conflicts will be avoided. Indeed, severaladvantages come for free, including: The automatic assignment ofcorrect routes, without the need for pushing custom routes, nowarning messages about possibly conflicting routes, correct localname resolution, and easier WAN network setup.
L2TP Options
IPsec Tunnel
This drop-down menu allows to choose the tunnel that will beemployed by the user, among those already defined.