aXsGUARD Gatekeeper Open VPN How To v1.4 - Vasco

aXsGUARD Gatekeeper 

Open VPN How To v1.4

aXsGUARD Gatekeeper Open VPN How To v1.4 

Legal Notice 

VASCO Products 

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 

'VASCO'. VASCO Products comprise Hardware, Software, Services and Documentation. This document 

addresses potential and existing VASCO customers and has been provided to you and your organization for the 

sole purpose of helping you to use and evaluate VASCO Products. As such, it does not constitute a license to 

use VASCO Software or a contractual agreement to use VASCO Products. 

Disclaimer of Warranties and Limitations of Liabilities 

VASCO Products are provided ‘as is’ without warranty or conditions of any kind, whether implied, statutory, or 

related to trade use or dealership, including but not limited to implied warranties of satisfactory quality, 

merchantability, title, non-infringement or fitness for a particular purpose. 

VASCO, VASCO DISTRIBUTORS, RESELLERS AND SUPPLIERS HAVE NO LIABILITY UNDER ANY 

CIRCUMSTANCES FOR ANY LOSS, DAMAGE OR EXPENSE INCURRED BY YOU, YOUR ORGANIZATION OR ANY 

THIRD PARTY (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS 

INTERRUPTION OR LOSS OF DATA) ARISING DIRECTLY OR INDIRECTLY FROM THE USE, OR INABILITY TO USE 

VASCO SOFTWARE, HARDWARE, SERVICES OR DOCUMENTATION, REGARDLESS OF THE CAUSE OF THE 

LOSS, INCLUDING NEGLIGENCE, EVEN IF VASCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 

DAMAGES, OR IF THEY WERE FORESEEABLE. OUR MAXIMUM AGGREGATE LIABILITY TO YOU, AND THAT OF 

OUR DISTRIBUTORS, RESELLERS AND SUPPLIERS SHALL NOT EXCEED THE AMOUNT PAID BY YOU FOR THE 

PRODUCT. THE LIMITATIONS IN THIS SECTION SHALL APPLY WHETHER OR NOT THE ALLEGED BREACH OR 

DEFAULT IS A BREACH OF A FUNDAMENTAL CONDITION OR TERM, OR A FUNDAMENTAL BREACH. THIS 

SECTION WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY 

REQUIRES LIABILITY DESPITE THE FOREGOING EXCLUSIONS AND LIMITATIONS. 

Intellectual Property and Copyright 

VASCO Products contain proprietary and confidential information. VASCO Data Security, Inc. and/or VASCO 

Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, 

updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, 

database rights and all other intellectual and industrial property rights. No part of these Products may be 

transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, mechanical or 

otherwise, for any purpose, except as expressly permitted by VASCO or its authorized licensee in writing. 

This document is protected under US and international copyright law as an unpublished work of authorship. No 

part of it may be transferred, disclosed, reproduced or transmitted in any form or by any means, electronic, 

mechanical or otherwise, for any purpose, except as expressly permitted in writing by VASCO or its authorized 

licensee. 

Trademarks 

VASCO®, VACMAN®, IDENTIKEY®, aXsGUARD®, DIGIPASS®, and ® are registered or unregistered 

trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other 

countries. Other company brand or product names or other designations, denominations, labels and/or other 

tags, titles, as well as all URLs (Internet addresses) linked to such designations or communications (irrespective 

of whether protected by intellectual property law or not), mentioned in VASCO Products may be the trademarks 

or registered trademarks or be part of any other entitlement of their respective owners. 

Radius Disclaimer 

Information on the RADIUS server provided in this document relates to its operation in the aXsGUARD 

Gatekeeper environment. We recommend that you contact your NAS/RAS vendor for further information. 

Copyright © 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH All rights reserved. 

© 2009 - VASCO Data Security 2

aXsGUARD Gatekeeper Open VPN How To v1.4 Table of Contents 

Table of Contents 

1 Introduction...............................................................................................................................................9 

1.1 Audience and Purpose of this document.............................................................................................9 

1.2 What is the aXsGUARD Gatekeeper?.................................................................................................11 

1.3 About VASCO..................................................................................................................................11 

2 Open VPN General Concept......................................................................................................................12 

2.1 Overview.........................................................................................................................................12 

2.2 What is OpenVPN?..........................................................................................................................12 

2.3 Data Encryption...............................................................................................................................13 

2.4 Authentication Methods...................................................................................................................13 

2.5 Supported Network Protocols...........................................................................................................14 

2.6 How a Client finds the OpenVPN Server.............................................................................................14 

3 OpenVPN Server Configuration.................................................................................................................15 

3.1 Overview.........................................................................................................................................15 

3.2 Feature Activation............................................................................................................................15 

3.3 Initializing the CA.............................................................................................................................17 

3.4 Generating a Server Certificate.........................................................................................................18 

3.5 Server Settings................................................................................................................................19 

3.5.1 Enabling the OpenVPN Server......................................................................................................19 

3.5.2 Connection Settings....................................................................................................................20 

3.5.3 Encryption and Authentication Settings.........................................................................................21 

3.5.4 Keepalive Settings......................................................................................................................22 

3.6 Authentication Settings....................................................................................................................23 

3.7 Generating Client Certificates...........................................................................................................25 

3.8 Exporting Client Certificates..............................................................................................................26 

3.9 Revoking Certificates.......................................................................................................................27 

3.10 User Settings..................................................................................................................................28 

3.10.1 Granting OpenVPN Access..........................................................................................................28 

3.10.2 VPN Firewall Rights....................................................................................................................29 

4 OpenVPN Client Windows XP Configuration..............................................................................................31 

4.1 Overview.........................................................................................................................................31 

4.2 Prerequisites...................................................................................................................................31 

4.3 Installing the OpenVPN Client...........................................................................................................31 

4.4 Configuring the OpenVPN Client.......................................................................................................32 



4.5 Starting the OpenVPN Connection.....................................................................................................42 

5 OpenVPN Client Windows Vista Configuration...........................................................................................45 

5.1 Overview.........................................................................................................................................45 





6 OpenVPN Client Windows 7 Configuration................................................................................................59 

6.1 Overview.........................................................................................................................................59 





7 Status and Logs.......................................................................................................................................75 

7.1 Overview.........................................................................................................................................75 

7.2 OpenVPN Status..............................................................................................................................75 

7.3 OpenVPN Logs................................................................................................................................75 

8 Troubleshooting.......................................................................................................................................77 

9 Support....................................................................................................................................................80 

9.1 Overview.........................................................................................................................................80 

9.2 If you encounter a problem...............................................................................................................80 

9.3 Return procedure if you have a hardware failure................................................................................80 



Illustration Index 

Image 1: OpenVPN Implementation...........................................................................................................................................................................12 

Image 2: OpenVPN Feature Activation.......................................................................................................................................................................16 

Image 3: CA Initialization.......................................................................................................................................................................................... 17 

Image 4: Creating a Server Certificate.......................................................................................................................................................................18 

Image 5: Enabling the OpenVPN Server.....................................................................................................................................................................19 

Image 6: OpenVPN Connection Settings....................................................................................................................................................................20 

Image 7: Encryption and Authentication Settings........................................................................................................................................................22 

Image 8: Keepalive Settings.....................................................................................................................................................................................23 

Image 9: Selecting the Authentication Method for OpenVPN........................................................................................................................................24 

Image 10: Creating an OpenVPN Client Certificate......................................................................................................................................................25 

Image 11: Exporting an OpenVPN Certificate.............................................................................................................................................................26 

Image 12: Revoking a Client Certificate.....................................................................................................................................................................27 

Image 13: Enabling OpenVPN for a User ...................................................................................................................................................................28 

Image 14: User VPN Firewall Settings.......................................................................................................................................................................30 

Image 15: Adding or Overruling User VPN Firewall Policies.........................................................................................................................................30 

Image 16: OpenVPN XP Shortcut..............................................................................................................................................................................31 

Image 17: Extracting the OpenVPN Config and Certificate...........................................................................................................................................32 

Image 18: OpenVPN Client Configuration Folder.........................................................................................................................................................32 

Image 19: Creating an OpenVPN Shortcut - Step 1....................................................................................................................................................33 

Image 20: Creating an OpenVPN Shortcut - Step 2....................................................................................................................................................33 

Image 21: Disabling Simple File Sharing....................................................................................................................................................................34 

Image 22: Log Folder Security Properties..................................................................................................................................................................35 

Image 23: Selecting Users and Groups......................................................................................................................................................................35 

Image 24: Adding Group Access – Step 1.................................................................................................................................................................36 

Image 25: Adding Group Access - Step 2..................................................................................................................................................................36 

Image 26: Log Properties - Setting Permissions.........................................................................................................................................................37 

Image 27: Managing your Computer in XP.................................................................................................................................................................38 

Image 28: Computer Management Console...............................................................................................................................................................39 

Image 29: Network Configuration Operators Properties...............................................................................................................................................39 


Image 31: Adding a User to the Network Configuration Operators Group......................................................................................................................40 

Image 32: Network Configuration Operators Properties Screen....................................................................................................................................41 

Image 33: Starting OpenVPN GUI..............................................................................................................................................................................42 

Image 34: OpenVPN Connecting...............................................................................................................................................................................42 

Image 35: OpenVPN User Credentials.......................................................................................................................................................................43 

Image 36: Certificate Passphrase.............................................................................................................................................................................43 



Image 37: Pinging a Machine in the LAN...................................................................................................................................................................44 

Image 38: OpenVPN Installation - Windows Vista.......................................................................................................................................................45 

Image 39: Vista OpenVPN Configuration....................................................................................................................................................................46 

Image 40: Config Directory of OpenVPN in Vista.........................................................................................................................................................47 

Image 41: Disabling UAC.........................................................................................................................................................................................47 

Image 42: Turning off UAC in Windows Vista.............................................................................................................................................................48 

Image 43: Disabling Simple File Sharing in Windows Vista..........................................................................................................................................48 

Image 44: Setting the Security Properties of OpenVPN log Folder................................................................................................................................49 

Image 45: Setting the Security Options for the log Folder – Step 1...............................................................................................................................49 

Image 46: Permissions for the log Folder ..................................................................................................................................................................50 

Image 47: Advanced Settings for User and Group Selection........................................................................................................................................50 

Image 48: Adding the Network Configuration Operators Group – Step 1.......................................................................................................................51 

Image 49: Adding the Network Configuration Operators Group - Step 2.......................................................................................................................51 

Image 50: OpenVPN Log Folder Permissions.............................................................................................................................................................52 

Image 51: Managing your Computer in Vista..............................................................................................................................................................52 

Image 52: Computer Management Screen Windows Vista..........................................................................................................................................53 

Image 53: Network Configuration Operators Group.....................................................................................................................................................53 

Image 54: Selecting Users – Step 1..........................................................................................................................................................................54 

Image 55: Selecting Users - Step 2...........................................................................................................................................................................54 



Image 58: Starting the OpenVPN GUI........................................................................................................................................................................56 

Image 59: OpenVPN Connecting...............................................................................................................................................................................56 

Image 60: Entering your OpenVPN User Credentials...................................................................................................................................................57 

Image 61: Entering the Certificate's Passphrase........................................................................................................................................................57 

Image 62: Pinging a Machine in the Secure LAN........................................................................................................................................................58 

Image 63: OpenVPN GUI Tray Icon............................................................................................................................................................................59 

Image 64: Extracting the OpenVPN config and Client certificate...................................................................................................................................60 

Image 65: OpenVPN Client Config Folder...................................................................................................................................................................60 

Image 66: Extracting the Config and Certificate Files..................................................................................................................................................61 

Image 67: User Accounts and Family Safety..............................................................................................................................................................61 

Image 68: Changing UAC Settings............................................................................................................................................................................62 

Image 69: OpenVPN Log Folder Properties................................................................................................................................................................63 

Image 70: Log Folder Properties Security Options......................................................................................................................................................64 

Image 71: Adding Group Permissions to the Log Folder..............................................................................................................................................64 

Image 72: Adding the Network Operators Group........................................................................................................................................................65 

Image 73: Adding Network Configuration Operators...................................................................................................................................................66 

Image 74: Setting the Log Folder Permissions...........................................................................................................................................................66 



Image 75: Accessing Computer Management............................................................................................................................................................67 

Image 76: Computer Management...........................................................................................................................................................................67 

Image 77: Adding a User to the Network Configuration Operators................................................................................................................................68 

Image 78: Adding users to the Network Configuration Operators Group........................................................................................................................68 

Image 79: Selecting a user to be added to the Network Configuration Operators Group.................................................................................................69 

Image 80: Adding a user to the Network Configuration Operators Group......................................................................................................................69 


Image 82: Starting OpenVPN GUI..............................................................................................................................................................................71 

Image 83: Connecting to the OpenVPN Server...........................................................................................................................................................72 

Image 84: User Name and Password Screen.............................................................................................................................................................73 

Image 85: Certificate Password................................................................................................................................................................................73 

Image 86: Pinging a Machine in the Secure LAN........................................................................................................................................................74 

Image 87: OpenVPN Status......................................................................................................................................................................................75 

Image 88: OpenVPN Logs........................................................................................................................................................................................76 

Image 89: Route Addition Fails.................................................................................................................................................................................77 



Index of Tables 

Table 1: OpenVPN Server Connection Settings.......................................................................................................................................21 

Table 2: OpenVPN Encryption and Authentication Settings......................................................................................................................22 

Table 3: OpenVPN Keepalive Settings....................................................................................................................................................23 

Table 4: VPN Firewall Configuration......................................................................................................................................................30 


aXsGUARD Gatekeeper Open VPN How To v1.4 Introduction 

1 Introduction 

1.1 Audience and Purpose of this document 

This aXsGUARD Gatekeeper Open VPN How To v1.4 guide serves as a reference source for technical 

personnel and / or system administrators. We start by explaining the basic concepts of OpenVPN. Then we 

provide step-by-step instructions to configure the OpenVPN server on the aXsGUARD Gatekeeper, including 

how to initialize and setup the aXsGUARD Gatekeeper Certificate Authority (CA). Finally, we show you how to 

connect to the aXsGUARD Gatekeeper OpenVPN server with a freely available OpenVPN client in a Windows 

environment. 

Caution 

The installation and some functionalities of the client software require Windows Administrator 

privileges. 

In sections 1.2 and 1.3, we introduce the aXsGUARD Gatekeeper and VASCO. 

In chapter 2, we introduce the concepts of OpenVPN. 

In chapter 3, we explain how to setup up your aXsGUARD Gatekeeper OpenVPN server. This includes 

initializing the CA, generating and issuing certificates, the configuration of the OpenVPN service, OpenVPN 

authentication service settings and finally the user-level settings. 

In chapter 4, we explain how to install and configure your OpenVPN client in Windows XP. 

In chapter 5, we explain how to install and configure your OpenVPN client in Windows Vista. 

In chapter 6, we explain how to install and configure your OpenVPN client in a Windows 7 environment. 

In chapter 7, we explain how to access the OpenVPN server's status and logs for troubleshooting. 

In chapter 8, we offer some solutions to solve potential difficulties. 

In section 9, we explain how to request support and how to return hardware for replacement. 



Other documents in the set of aXsGUARD Gatekeeper documentation include: 

aXsGUARD Gatekeeper Installation Guide, which explains how to set up the aXsGUARD Gatekeeper, and is 

intended for technical personnel and / or system administrators. 

'How to guides', which provide detailed information on configuration of each of the features available as 

'add-on' modules (explained in the next section). These guides cover specific features such as: 

aXsGUARD Gatekeeper Authentication 

aXsGUARD Gatekeeper Firewall 

aXsGUARD Gatekeeper Single Sign-On 

aXsGUARD Gatekeeper VPN 

aXsGUARD Gatekeeper Reverse Proxy 

aXsGUARD Gatekeeper Directory Services 

Access to aXsGUARD Gatekeeper guides is provided through the permanently on-screen Documentation 

button in the aXsGUARD Gatekeeper Administrator Tool. 

Further resources available include: 

Context-sensitive help, which is accessible in the aXsGUARD Gatekeeper Administrator Tool through the 

Help button. This button is permanently available and displays information related to the current screen. 

Training courses covering aXsGUARD Gatekeeper features in detail. These courses address all levels of 

expertise. Please see www.vasco.com for further information. 

Welcome to aXsGUARD Gatekeeper security. 



1.2 What is the aXsGUARD Gatekeeper? 

The aXsGUARD Gatekeeper is an authentication appliance, intended for small and medium sized enterprises. 

In addition to strong authentication, the aXsGUARD Gatekeeper has the potential to manage all of your Internet 

security needs. Its modular design means that optional features can be purchased at any time to support, for 

example, e-mail, Web access and VPN management. The aXsGUARD Gatekeeper can easily be integrated into 

existing IT infrastructures as a stand-alone authentication appliance or as a gateway providing both 

authentication services and Internet Security. 

Authentication and other features such as firewall, e-mail and Web access, are managed by security policies, 

which implement a combination of rules, for example, whether a user must use a Digipass One-Time 

Password in combination with a static password for authentication. Security Policies are applied to specific 

users or groups of users and can also be applied to specific computers and the entire system. 

1.3 About VASCO 

VASCO is a leading supplier of strong authentication and Electronic Signature solutions and services 

specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software 

company for Internet Security serving customers in more than 100 countries, including many international 

financial institutions. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and egovernment. 

Over 50 of VASCO’s client authentication technologies, products and services are based on the VASCO’s one 

and unique core authentication platform: VACMAN. VASCO solutions comprise combinations of the VACMAN 

core authentication platform, IDENTIKEY authentication server, aXsGUARD authentication appliances, 

DIGIPASS client Password and Electronic Signature software and DIGIPASS PLUS authentication services. For 

further information on these security solutions, please see www.vasco.com. 


aXsGUARD Gatekeeper Open VPN How To v1.4 Open VPN General Concept 

2 Open VPN General Concept 

2.1 Overview 

In this chapter, we introduce OpenVPN and its related concepts. Topics covered in this chapter include: 

2.2 What is OpenVPN? 

An introduction to and a definition of OpenVPN 

The Encryption used by OpenVPN 

Authentication Methods 

Supported Network Protocols 

How the OpenVPN server is detected by the client 

OpenVPN is an open source virtual private network (VPN) program for creating point-to-point or server-tomulticlient 

encrypted tunnels between hosts. It is capable of establishing direct links between computers 

across networks which use network address translation (NAT) and firewalls. 

Image 1: OpenVPN Implementation 



The aXsGUARD Gatekeeper OpenVPN server allows peers to authenticate via client certificates or via a 

combination of client certificates and username/password authentication, such as a DIGIPASS OTP. 

When used in a multiclient-server configuration, it allows the aXsGUARD Gatekeeper OpenVPN server to 

release an authentication certificate for every client, via a Signature and Certificate Authority. It uses the 

OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol. 

2.3 Data Encryption 

OpenVPN uses OpenSSL to provide encryption for the data and the control channel. 

OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C 

programming language) implements the basic cryptographic functions and provides various utility functions. 

Detailed information about the OpenSSL core library is outside the scope of this manual. For more details and 

specifications, consult the online resources: http://www.openssl.org/ 

2.4 Authentication Methods 

As mentioned in section 2.2, OpenVPN offers several methods to authenticate peers. The aXsGUARD 

Gatekeeper OpenVPN server offers the following authentication methods: 

Tips 

Certificate-based authentication (PKI); the client is authenticated via a client certificate which is 

generated on the aXsGUARD Gatekeeper OpenVPN server and exported to the OpenVPN client. 

Certificate-based authentication, but in combination with username/password authentication (e.g. 

DIGIPASS OTP, back-end authentication). This requires extra configuration, since the 

Authentication Method has to be selected for the OpenVPN service, but it provides extra security in 

that physical access to the client is not sufficient to connect to the OpenVPN server. 

For details about supported Authentication Methods and their configuration, see the 

aXsGUARD Gatekeeper Authentication How To, which can be accessed by clicking on the 

permanently available Documentation button in the Administrator Tool. 

For details about PKI and certificates, see the aXsGUARD Gatekeeper IPsec How To, which can 

be accessed by clicking on the permanently available Documentation button in the 

Administrator Tool. 



2.5 Supported Network Protocols 

OpenVPN can run over UDP or TCP. It multiplexes all communications over a single TCP/UDP port. It has the 

ability to work through most proxy servers (including HTTP) and is effective at working through NAT and getting 

out through firewalls. 

The server configuration has the ability to "push" certain network configuration options to the clients. These 

include IP addresses, routing commands and a few other connection options. 

Port 1194 is the official IANA assigned port number for OpenVPN. Newer versions of the program now default 

to that port. 

Cautions 

On the aXsGUARD Gatekeeper OpenVPN server, port 443 and the TCP protocol are the 

recommended default for Firewall traversal. 

Verify if you have no other services running on TCP port 443, otherwise the OpenVPN server 

will not be able to receive connections. 

The use of common network protocols (TCP and UDP) makes OpenVPN a desirable alternative to IPsec in 

situations where an ISP blocks specific VPN protocols. 

2.6 How a Client finds the OpenVPN Server 

The name of the OpenVPN server on the Internet can be entered in the OpenVPN server configuration or the 

OpenVPN server certificate, which needs to be imported to the OpenVPN server. The configuration can include 

either the public IP address or the FQDN of the aXsGUARD Gatekeeper OpenVPN server. 

When a client certificate is issued for an OpenVPN user, two files (the client certificate and the OpenVPN 

configuration file) are compressed in a zip file when exporting the client certificate (see section 3.8). Since 

these files are needed on the client software and the OpenVPN configuration file includes the public IP address 

or the external FQDN of the OpenVPN server (either based on the information in the server certificate, as 

explained in section 3.4 or the information entered in the OpenVPN server configuration, as explained in 

section 3.5.2), the client automatically knows where it should connect. 


aXsGUARD Gatekeeper Open VPN How To v1.4 OpenVPN Server Configuration 

3 OpenVPN Server Configuration 

3.1 Overview 

In this chapter, we explain how to configure the aXsGUARD Gatekeeper OpenVPN server. Topics covered in 

this chapter include: 

3.2 Feature Activation 

How to activate the OpenVPN server 

How to initialize the aXsGUARD Gatekeeper Certificate Authority (CA) 

How to create a server certificate 

How to configure the aXsGUARD Gatekeeper OpenVPN server 

How to create, assign and export client certificates 

How to configure authentication for the OpenVPN service 

How to configure user-level settings, such as Firewall rights. 

Before you can configure and use the aXsGUARD Gatekeeper OpenVPN server, you first need to activate the 

OpenVPN feature: 

1. Log on to the aXsGUARD Gatekeeper Administrator Tool, as explained in the aXsGUARD 

Gatekeeper System Administration How To, which can be accessed by clicking on the permanently 

available Documentation button. 

2. Navigate to System > Feature Activation 

3. Expand the VPN & RAS tree 

4. Check Do you use OpenVPN? 

5. Click on Update 



Image 2: OpenVPN Feature Activation 



3.3 Initializing the CA 

Before your can generate a server or a client certificate, you first need to initialize the aXsGUARD Gatekeeper 

CA. If you already initialized the CA, you may skip to section 3.4, where we explain how to generate a server 

certificate. 

To initialize the CA: 

1. Log on to the aXsGUARD Gatekeeper as explained in the aXsGUARD Gatekeeper System 

Administration How To, which can be accessed by clicking on the permanently available 

Documentation button in the Administrator Tool. 

2. Navigate to PKI > CA. 

3. Enter the settings as requested on-screen (see the example below). 

4. Click on Initialize. 

Note 

Image 3: CA Initialization 

The passphrase used to unitialize the CA is also needed to sign new client certificates. 

Please memorize this passphrase carefully. 



3.4 Generating a Server Certificate 

This section explains how to generate the necessary OpenVPN server certificate. You will need this certificate 

to configure the OpenVPN server later on (explained in section 3.5). Only a single server certificate is needed 

for multiple clients, but you can create as many server certificates as desired. If you already generated a 

server certificate, you may skip to section 3.5, where we explain the OpenVPN server configuration. 

To create a new server certificate: 




2. Navigate to PKI > Certificates. 

3. Click on Issue new certificate. A screen similar to the one shown below appears. 

4. Select Server as the Certificate Use from the drop-down list. 

5. Enter the external FQDN or the public IP address of the OpenVPN server. 

6. Specify the duration of the validity of the certificate (the default is 365 days). 

7. Enter the passphrase you used to initialize the CA (see section 3.3). 

8. Click on Sign. 

Note 

Image 4: Creating a Server Certificate 

If your CA has been correctly initialized (see section 3.3), the first 3 fields should be grayed 

out as shown in the image above. 



3.5 Server Settings 

This section explains how to set up and configure the aXsGUARD Gatekeeper OpenVPN server. Topics covered 

in this section include: 

Enabling the OpenVPN server 

The OpenVPN connection settings 

The encryption and authentication settings 

The Keepalive settings 

3.5.1 Enabling the OpenVPN Server 

Before your can configure your aXsGUARD Gatekeeper OpenVPN server, you need to enable it first. You need 

to enable this option before you can access the OpenVPN configuration options explained further. 

To enable the OpenVPN server: 




2. Navigate to VPN & RAS > OpenVPN > General. 

3. Check the Enabled box. The other options will appear. 

4. Configure the Connection Settings (see section 3.5.2). 

Image 5: Enabling the OpenVPN Server 



3.5.2 Connection Settings 

The connection settings contain the parameters used by the OpenVPN server to listen for incoming client 

connections. The parameters listed in Table 1 are included in the client configuration file which is generated 

when you issue (export) an OpenVPN client certificate (see section 3.8). To configure the connection settings: 





3. Verify if the Connection Settings tab is selected (see Image 6). 

4. Enter the settings as explained in Table 1. 

5. Do not click on Update, since you first have to configure the Encryption and Authentication 

settings (see section 3.5.3). 

Image 6: OpenVPN Connection Settings 



Table 1: OpenVPN Server Connection Settings 

Parameter Description 

Protocol (Mandatory) Select the protocol to use for the OpenVPN connection. You can select 

TCP or UDP. Use TCP if you wish to traverse proxies. Note that changing 

this setting requires you to reconfigure all deployed clients too. 

OpenVPN runs on port (Mandarory) Enter the port to use for the OpenVPN connection. Use 443 (system 

default) to traverse proxies. Note that changing this setting will require 

you to reconfigure all deployed clients. 

Unused private IP range for Tunnels 

(Mandatory) 

This is the range of IP addresses that is distributed to the clients. Use 

the CIDR notation, e.g. 10.255.253.0/24. Make sure the entered 

range is not used in your network (unique). 

Hostname of the server (Optional) Enter the external FQDN or the external IP address of the OpenVPN 

server, e.g. my.server.net or 60.70.80.90 

(Only if you did not specify an FQDN or IP address in the server 

certificate, see sections 2.6 and section 3.4) 

Set OpenVPN connection as default 

gateway on the client (Optional) 

Allow multiple connections from the 

same user (Optional) 

3.5.3 Encryption and Authentication Settings 

If enabled, this option causes the client to route all its outgoing traffic 

over the VPN. If you disable this setting, you will need to add specific 

routes on the client for all the internal networks you wish to make 

available for that client. 

If enabled, a same aXsGUARD Gatekeeper user can establish multiple 

connections simultaneously. 

This section explains how to select your OpenVPN server certificate, configure the encryption strength and 

whether or not extra authentication (besides the authentication provided by the certificates) is required. To 

configure the connection settings: 

To configure the Encryption and Authentication settings of the OpenVPN server: 


2. Select the Encryption/Authentication Settings tab (see). 

3. Enter the settings as explained in Table 2. 

4. Click on Update. The Keepalive Settings (see section 3.5.4) have default (recommended) values. 



Table 2: OpenVPN Encryption and Authentication Settings 


Server Certificate Serial (Mandatory) Select a server certificate (see section 3.4) from the 

drop-down list. 

Encryption (Mandatory) Select the desired encryption cipher (enryption algorithm) 

for the connection. Blowfish and AES are both supported. 

AES is highly recommended. The higher the selected 

value, the stronger the encryption. Note that changing 

this setting will require the reconfiguration of all deployed 

clients. 

Require Clients to authenticate with OpenVPN 

Authentication Service (Optional) 

Note 

3.5.4 Keepalive Settings 

If enabled, this option forces users to authenticate with a 

username and a password, e.g. a DIGIPASS OTP. The 

authentication method for OpenVPN is configured under 

Authentication > Services. (see section 3.6). 

Once you click on Update, the stat-openvpn Firewall Policy is automatically added / 

configured, so the aXsGUARD Gatekeeper is ready to receive OpenVPN connection requests. 

The purpose of the Keepalive settings are to check whether an OpenVPN client is still connected. They allow to 

automatically abort the connection if the OpenVPN server detects that the client is no longer responding. This 

provides an extra layer of security, since idle sessions are terminated. 

The values which are pre-configured are recommended by VASCO. You may change these values at your own 

risk, however this is not required to get your OpenVPN server up and running. 

To configure the Keepalive settings: 

Image 7: Encryption and Authentication Settings 







3. Click on the Keepalive Settings Tab. 

4. Modify the settings as explained in Table 3 (optional). 

5. Click on Update. 

Table 3: OpenVPN Keepalive Settings 


DPD delay in seconds This is the number of seconds between keep alive pings. 

DPD timeout in seconds If no ping replies are received within this period, the 

connection is reset. 

3.6 Authentication Settings 

This section explains how to configure the Authentication Method to be used for OpenVPN users. Detailed 

information about Authentication is available in the aXsGUARD Gatekeeper Authentication How To, which can 

be accessed by clicking on the permanently available Documentation button in the Administrator Tool. 

Cautions 

The instructions provided in this section only apply if you enabled the authentication option 

on the OpenVPN server (see section 3.5.3 and the 3rd setting explained in Table 2). 

To configure the Authentication Method for OpenVPN: 




2. Navigate to Authentication > Services. 

3. Click on OpenVPN. 

4. Choose the Authentication Policy by clicking on the Select button, e.g. DIGIPASS if you want users 

to authenticate with an OTP. 


Image 8: Keepalive Settings 



Image 9: Selecting the Authentication Method for OpenVPN 



3.7 Generating Client Certificates 

This section explains how to generate the necessary OpenVPN client certificate. You will need to export this 

certificate to configure the OpenVPN client later on (see section 3.8). 

To create a new client certificate: 





3. Click on Issue new certificate. A screen similar to the one shown below appears. 

4. Select Client (Sentinel/L2TP/OpenVPN) as the Certificate Use from the drop-down list. 

5. Select the user for whom the certificate is intended. 

6. Specify the duration of the validity of the certificate (the default is 365 days). 


8. Click on Sign. 

Image 10: Creating an OpenVPN Client Certificate 



3.8 Exporting Client Certificates 

To import a client certificate to your OpenVPN client software, you must first export the generated client 

certificate to a location of your choice (e.g. a USB drive). To export a client certificate: 





3. Click on the Export icon of the desired client certificate. 

4. Select the OpenVPN Configuration Pack option from the drop-down menu (see image below). 

5. Enter a password to protect the certificate. The password needs to be entered twice for verification. 

(This is not the same password used to initialize the CA as explained in section 3.3). This password 

provides protection while the certificate is transported from one location to another. It is required 

when connecting with the OpenVPN client (see sections 4.5, 6.5). 

6. Click on Export. 

7. Save the resulting zip file to a desired location, e.g. a USB drive. 

Note 

The client certificate and the OpenVPN server configuration file (see sections 2.6 and 3.5) 

are stored together in a zip file. 

Image 11: Exporting an OpenVPN Certificate 



3.9 Revoking Certificates 

To revoke a certificate on the aXsGUARD Gatekeeper: 

1. Follow steps 1 and 2 as explained in section 3.8. 

2. Click on Valid in the state column of the certificate you wish to revoke. After this, a screen as 

shown below appears. 


4. Select the appropriate reason for which the certificate is being revoked from the drop-down list. 

5. Click on Revoke. 

Tips 

Image 12: Revoking a Client Certificate 

You should only revoke a client certificate in case a user is no longer authorized to access the 

aXsGUARD Gatekeeper OpenVPN server. 

You can also disable OpenVPN access for a user is his/her user settings. Navigate to 

Users&Groups > Users. Select the user from the list and click on the Remote Access tab. 

Uncheck the OpenVPN RAS option (also see section 3.10.1). 



3.10 User Settings 

3.10.1 Granting OpenVPN Access 

Before an aXsGUARD Gatekeeper user can connect to the OpenVPN server, you need to allow this in his/her 

user settings. To enable OpenVPN access for a user: 




2. Navigate to Users&Groups > Users. 

3. Click on the user who should have access to OpenVPN. 

4. Click on the Remote Access tab. 

5. Check the OpenVPN RAS option. 


Image 13: Enabling OpenVPN for a User 



3.10.2 VPN Firewall Rights 

To grant access to your internal network to a user who is connected to your aXsGUARD Gatekeeper OpenVPN 

server, you must configure that user's VPN Firewall options in his/her user settings. 

System-Wide Firewall Rights: 

System-Wide Firewall Rights apply to all users in the aXsGUARD Gatekeeper network. Since connected 

OpenVPN users are considered a part of the secure zone, it is extremely important to restrict the System-Wide 

Firewall Rights as much as possible. 

The default aXsGUARD Gatekeeper System-Wide Firewall Policies (stat-sec and stat-z-fix) provide appropriate 

security for OpenVPN access. However, you can overrule these default Policies simply by creating separate 

Firewall Policies which deny the default traffic. The created Firewall Policies should then be added to the Group 

or User's VPN & RAS Firewall settings (see below for the configuration steps). 

This solution allows you to: 

Maintain any changes you have made to System-Wide Firewall Policies. 

To implement even stricter Firewall Policies than the system default Policies. 

A list and description of aXsGUARD Gatekeeper Firewall Rules which are active by default is available in the 

aXsGUARD Gatekeeper Firewall How To, which can be accessed by clicking on the permanently available onscreen 

Documentation button in the Administrator Tool. You can also click on a Firewall Rule / Policy in the 

Administrator Tool to view its details. 

User / Group Firewall Rights: 

VASCO highly recommends the use of a strong client-side firewall and to create dedicated Firewall Policies for 

OpenVPN access on the aXsGUARD Gatekeeper. 

The configuration of Firewall Rules and Policies is fully explained in the aXsGUARD Gatekeeper Firewall How 

To, available by clicking the permanently on-screen Documentation button in the Administrator Tool. 

A predefined Firewall Policy, fwd-access-lan, is available in case administrators choose not to create their own 

Firewall Policies. This Policy allows access from the VPN to the aXsGUARD Gatekeeper's secure LAN. 

However, VASCO strongly recommends to create your own OpenVPNFirewall Policies. 

To adjust a user's VPN Firewall settings: 

1. Navigate to Users&Groups > Users. 

2. Click on the desired user name. 

3. Select the Firewall tab and adjust the VPN & RAS Policy Mode as explained in Table 4. 




Table 4: VPN Firewall Configuration 

VPN Firewall setting Description 

Use Group Firewall Policies Select this option if you wish to apply the same VPN Firewall 

policies as defined for the user's group. 

Add to Group Firewall Policies Use this option to add additional policies to the VPN Firewall 

Policies defined for the user's group (see Image 15). 

Overrule Groups Firewall 

Policies 

Image 14: User VPN Firewall Settings 

Use this option to overrule the user's group VPN Firewall 

policies (see Image 15). 

Image 15: Adding or Overruling User VPN Firewall Policies 


aXsGUARD Gatekeeper Open VPN How To v1.4 OpenVPN Client Windows XP Configuration 

4 OpenVPN Client Windows XP Configuration 

4.1 Overview 

4.2 Prerequisites 

In this chapter we explain how to install and configure a free OpenVPN client in Windows XP. 

You need the following to successfully configure your OpenVPN client: 

A fully configured OpenVPN server with the required client certificate (see chapter 3) 

The freely available OpenVPN client, which can be downloaded from http://openvpn.net 

Windows XP with an active Internet connection 

Windows XP administrator privileges 

4.3 Installing the OpenVPN Client 

The OpenVPN client installs just like any other Windows program. Download and install the OpenVPN Windows 

executable to the location of your choice and double-click the file to start the installation. Follow the on-screen 

instructions. Make sure you have the required access rights in Windows to install software (Administrator 

rights). You can also start the installation of the software package by right-clicking on the executable and 

selecting “Run as administrator”. You may safely ignore the warning messages about unsigned drivers and 

software. 

Once the installation is complete, the OpenVPN GUI icon will be accessible on your desktop (see below). 

Image 16: OpenVPN XP Shortcut 



4.4 Configuring the OpenVPN Client 

To configure the OpenVPN client, you will need the zip file which contains your client certificate and the 

OpenVPN server configuration (see sections 2.6 and 3.8). Make sure you are logged on as an administrator. 

1. Save the zip file containing your OpenVPN configuration and client certificate to your desktop. 

2. Right click on the file and select Extract All as shown in Image 17. 

Image 17: Extracting the OpenVPN Config 

and Certificate 

3. Extract the contents of the zip file to the config folder in the OpenVPN directory (Program Files > 

OpenVPN > config as shown below). 

Image 18: OpenVPN Client Configuration Folder 



4. Click on Finish when the file extraction is complete and navigate to your Windows desktop. 

5. Add a shortcut to the OpenVPN GUI on the user's Desktop as shown below. The default OpenVPN 

directory is Program Files > OpenVPN > bin. 

Image 19: Creating an OpenVPN Shortcut - Step 1 

6. Copy / paste the new shortcut to the OpenVPN user's Desktop directory (Documents and Settings 

> username > Desktop) as shown below. 

Image 20: Creating an OpenVPN Shortcut - Step 2 



7. Navigate back to your desktop. 

Note 

The following steps are only required if you are configuring the OpenVPN client for a nonadministrator 

account. 

8. Click Start, and then click My Computer. 

9. On the Tools menu, click Folder Options. 

10. Click on the View tab. 

11. Scroll all the way down and clear the Use simple file sharing (Recommended) check box. 

12. Click on Apply, then on OK. 

Image 21: Disabling Simple File Sharing 

13. Navigate to the OpenVPN installation log folder. The default location is Program Files > OpenVPN. 



14. Right-click on the log folder and click on Properties. 

15. Select the Security Tab and click on Add. 

Image 22: Log Folder Security Properties 

16. In the Select Users or Groups screen, click on Advanced as shown below. 

Image 23: Selecting Users and Groups 



17. Click on Find Now as shown below. 

18. Highlight the Network Configuration Operators group and click on OK. 

Image 24: Adding Group Access – Step 1 

19. In the next screen (see below), click on OK again. 

Image 25: Adding Group Access - Step 2 



20. Highlight the Network Configuration Operators group as shown below. 

21. Set the permissions exactly as shown below. 

22. Click on Apply, then on OK. 

Image 26: Log Properties - Setting Permissions 



23. Navigate back to your desktop. 

24. Click on Start and navigate to My Computer. 

25. Right-click on My Computer and select Manage as shown below. 

Image 27: Managing your Computer in XP 



26. In the Computer Management console, navigate to Local Users and Groups. 

27. Expand the Groups folder. 

Image 28: Computer Management Console 

28. Right-click on Network Configuration Operators and select Properties, as shown below. 

Image 29: Network Configuration Operators Properties 



29. In the Network Configuration Operators Properties screen, click on Add (see below). 


30. Enter the name of the user(s) who will be using the OpenVPN client and click on Check Names, as 

shown below. 

31. When finished, click on the OK button. 

Image 31: Adding a User to the Network Configuration Operators Group 



32. In the Network Configuration Operators Properties Screen, the added user(s) will be listed as shown 

below. Click on Apply and then OK to finish. 


Screen 



4.5 Starting the OpenVPN Connection 

Once you have configured your OpenVPN client as explained in section 4.4, you can test the connection by 

following the instructions below. 

1. Log on to Windows XP with the OpenVPN user account (not as an administrator). 

2. Start the OpenVPN GUI as shown below (Either by right-clicking the shortcut and selecting open or 

by double-clicking on the shortcut). An inactive OpenVPN GUI icon will appear in the task pane. 

Image 33: Starting OpenVPN GUI 

3. In the task pane, right-click on the OpenVPN GUI icon and click on Connect. 

Image 34: OpenVPN Connecting 



4. Enter the aXsGUARD Gatekeeper user credentials as requested and click on OK. 

Image 35: OpenVPN User Credentials 

5. Enter the passphrase of the client certificate (this is the passphrase used to export the certificate, 

as explained in section 3.8) and click on OK. 

Image 36: Certificate Passphrase 



6. After a few seconds, you should receive a notification message indicating that the connection is 

successful. Test your connection by pinging a machine in the LAN of the aXsGUARD Gatekeeper 

(see below). 

Image 37: Pinging a Machine in the LAN 


aXsGUARD Gatekeeper Open VPN How To v1.4 OpenVPN Client Windows Vista Configuration 

5 OpenVPN Client Windows Vista Configuration 

5.1 Overview 


In this chapter we explain how to install and configure a free OpenVPN client in Windows Vista. 




Windows Vista with an active Internet connection 

Windows Vista Administrator privileges 





rights). You can also start the installation of the software package by right-clicking on the executable and 

selecting “Run as administrator”. You may safely ignore the warning messages about unsigned drivers and 

software. 

Once the installation is complete, the OpenVPN GUI icon will be accessible on your desktop (see image below). 

Image 38: OpenVPN Installation - Windows Vista 





OpenVPN server configuration (see sections 2.6 and 3.8). 

1. Log on to Windows Vista with full administrative privileges. 


3. Right click on the file and select Extract All as shown below. 

Image 39: Vista OpenVPN Configuration 



4. Extract the contents of the zip file to the config directory of OpenVPN. The default installation 

directory is Program Files > OpenVPN > config. 

Note 

Image 40: Config Directory of OpenVPN in Vista 

The following steps are only required if you are configuring the OpenVPN client for a 

non-administrator account. 

5. Navigate to the Vista Control Panel and double-click on User Accounts. 

6. Disable UAC by clicking on Turn User Account Control on or off. 

Image 41: Disabling UAC 



7. Make sure UAC is unchecked, as shown in the image below. 

8. Click on OK. 

Image 42: Turning off UAC in Windows Vista 

9. Navigate back to your Windows desktop and go to the Control Panel. 

10. In the Control Panel, click on Folder Options. 

11. Click on the View Tab and scroll all the way down. 

12. Disable Use Sharing Wizard and click on Apply, followed by OK. 

Image 43: Disabling Simple File Sharing in Windows Vista 



13. Navigate to the OpenVPN log folder. 

14. Right-click on the folder and select Properties. 

Image 44: Setting the Security Properties of OpenVPN log 

Folder 

15. Select the Security Tab and click on Edit. 

Image 45: Setting the Security Options for the log 

Folder – Step 1 



16. In the Permissions for log screen, click on the Add button. 

Image 46: Permissions for the log Folder 

17. In the Select Users or Groups screen, click on Advanced. 

Image 47: Advanced Settings for User and Group Selection 



18. Click on the Find Now button as shown below. 

19. Select the Network Configuration Operators Group and click on OK. 

Image 48: Adding the Network Configuration Operators Group – Step 1 

20. The screen below will appear, showing that the Network Configuration Operator Group has been 

selected. Click on OK. 

Image 49: Adding the Network Configuration Operators Group - Step 2 



21. Make sure the newly added group (Network Configuration Operators) is highlighted as shown 

below. 

22. Set the permissions exactly as shown below and click on Apply, then on OK. 

Image 50: OpenVPN Log Folder Permissions 

23. Close the remaining Window and navigate back to the Windows Desktop. 

24. Click on start and right-click on Computer. Select Manage (see below). 

Image 51: Managing your Computer in Vista 



25. In the Computer Management Screen, navigate to Groups in the right pane. 

26. Right-click on Network Configuration Operators in the left pane and select Properties. 

Image 52: Computer Management Screen Windows Vista 

27. Add the user who will be using the OpenVPN client as a member to the Network Configuration 

Operators Group, by clicking on Add. 

Image 53: Network Configuration Operators Group 



28. In the Select Users screen, click on the Advanced button. 

Image 54: Selecting Users – Step 1 

29. Click on Find Now and select the user who will be needing access to the OpenVPN client program. 

30. Click on OK when the user has been selected. 

Image 55: Selecting Users - Step 2 



31. The added user is diplayed as shown below. Click on OK. 


32. In the Network Configuration Operators Screen, click on Apply then on OK. 





Once you have configured your OpenVPN client as explained in section 5.4, you can start the connection by 


1. Log on to Windows as the OpenVPN user (not as an administrator). 

2. Start the OpenVPN GUI by clicking on Start > All Programs > OpenVPN > OpeVPN GUI (see below). 

Image 58: Starting the OpenVPN GUI 

3. Right-click on the OpenVPN GUI icon in the system tray and select Connect. 

Image 59: OpenVPN Connecting 



4. Enter the aXsGUARD Gatekeeper user credentials as requested. 

Image 60: Entering your OpenVPN User Credentials 

5. Enter your certificate passphrase. This is the passphrase you used to export the certificate, as 

explained in section 3.8. 

Image 61: Entering the Certificate's Passphrase 



6. After a few seconds, you should receive a notification message indicating that the connection is 

successful. You can tes the connection by pinging a machine in the secure network of the 

aXsGUARD Gatekeeper OpenVPN server (see below). 

Image 62: Pinging a Machine in the Secure LAN 


aXsGUARD Gatekeeper Open VPN How To v1.4 OpenVPN Client Windows 7 Configuration 

6 OpenVPN Client Windows 7 Configuration 

6.1 Overview 


In this chapter we explain how to install and configure a free OpenVPN client in a Windows 7 environment. 




Windows 7 with an active Internet connection 

Windows 7 Administrator privileges 





rights). You can start the installation of the software package by right-clicking on the executable and selecting 

“Run as administrator”. You may safely ignore the software signature and driver signature warning messages. 

Once the installation is complete, the OpenVPN GUI icon will be accessible by clicking on the arrow in your 

system tray as shown below. 

Image 63: OpenVPN GUI Tray Icon 





OpenVPN server configuration (see sections 2.6 and 3.8). 


2. Right click on the file and select Extract All as shown in Image 64. 

Image 64: Extracting the OpenVPN config 

and Client certificate 

3. Extract the file to the config folder of your OpenVPN installation. The default installation folder is 

shown in Image 65. 

Image 65: OpenVPN Client Config Folder 



4. Click on Extract. 

5. Once the files are extracted, close all unecessary windows and go back to the Windows desktop. 

Note 

Image 66: Extracting the Config and Certificate Files 

The following steps are only required if you are configuring the OpenVPN client for a nonadministrator 

account. 

6. Go to the Control Panel and click on the User Accounts and Family Safety link to disable UAC. 

Image 67: User Accounts and Family Safety 



7. Click on the User Accounts Link as shown below. 

8. Click on Change User Account Control Settings. 

Image 68: Changing UAC Settings 



9. Slide the slider bar to the lowest value (towards Never Notify), with the description showing Never 

notify me (see below). 

10. Reboot your Windows system to make the changes effective (mandatory). 

11. Log in as system administrator and navigate to the OpenVPN log folder 

(Program Files > OpenVPN > log). 

12. Right-click the log folder and select Properties. 

Image 69: OpenVPN Log Folder Properties 



13. Click on the Security Tab and then on Edit. 

14. Click on Add as shown below. 

Image 70: Log Folder Properties Security Options 

Image 71: Adding Group Permissions to the Log 

Folder 



15. In the Select Users or Groups screen, click on Advanced. 

16. Click on Find Now and select the Network Configuration Operators Group, then click on OK. 

Image 72: Adding the Network Operators Group 



17. Click on OK again. 

Image 73: Adding Network Configuration Operators 

18. Highlight the Network Configuration Operators Group and make sure the permissions are set as 

shown below. Click on OK when finished and navigate back to your Windows desktop. 

Image 74: Setting the Log Folder Permissions 



19. Click on Start and right-click on Computer. 

20. Select Manage. 

Image 75: Accessing Computer Management 

21. In the left pane, click on Local Users and Groups and select Groups. 

22. In the right pane, right-click on the Network Configuration Operators and select Properties. 

Image 76: Computer Management 



23. In the Network Configuration Operators Properties screen, click on Add. 

Image 77: Adding a User to the Network Configuration Operators 

24. In the Select Users screen, click on Advanced. 

Image 78: Adding users to the Network Configuration Operators Group 



25. Click on Find Now. Highlight the user who will be using the OpenVPN client. Click on OK to finish. 

Image 79: Selecting a user to be added to the Network Configuration 

Operators Group 

26. In the Select Users screen, the added user will be displayed. Click on OK again to add the user to 

the Network Configuration Operators Group. 

Image 80: Adding a user to the Network Configuration Operators Group 



27. In the Network Configuration Operators Properties window, click on OK. 





Once you have configured your OpenVPN client as explained in section 6.4, you can start the connection by 


1. Log on to Windows 7 as the user who will be using the OpenVPN client (not as administrator). 

2. Click on the Start Button > All Programs > OpeVPN > OpenVPN GUI. 

Image 82: Starting OpenVPN GUI 



3. Click on the arrow in the system tray and right-click on the OpenVPN icon (see below). 

4. Click on Connect as shown below. 

Image 83: Connecting to the OpenVPN Server 



5. Enter the aXsGUARD Gatekeeper user name and password of the connecting use. If you configured 

the OpenVPN service with DIGIPASS authentication (see sections 3.5.3 and 3.6), enter the OTP 

generated by the DIGIPASS in the password field. 

6. Click on OK or press Enter. You will be prompted to enter the password of the client certificate. 

7. Enter the password of the client certificate (see section 3.8). 

8. Click on OK or press Enter. 

Image 84: User Name and Password Screen 

Image 85: Certificate Password 

After a few seconds, you should receive a notification message indicating that the connection is successful. 



9. Once the connection is up, you can test it by pinging a machine in the secure LAN of your 

aXsGUARD Gatekeeper VPN server (see below). 

Image 86: Pinging a Machine in the Secure LAN 


aXsGUARD Gatekeeper Open VPN How To v1.4 Status and Logs 

7 Status and Logs 

7.1 Overview 

In this chapter, we explain how to check the status of connected users and the OpenVPN logs. 

7.2 OpenVPN Status 

To check the status of a connected OpenVPN user: 

7.3 OpenVPN Logs 




2. Navigate to VPN&RAS > Status > OpenVPN. 

Image 87: OpenVPN Status 

To check the logs of the aXsGUARD Gatekeeper OpenVPN server: 




2. Navigate to VPN&RAS > Logs > OpenVPN. 

3. Click on the desired log date (see Image 88). 


aXsGUARD Gatekeeper Open VPN How To v1.4 Status and Logs 

Image 88: OpenVPN Logs 


aXsGUARD Gatekeeper Open VPN How To v1.4 Troubleshooting 

8 Troubleshooting 

The connection to the OpenVPN server is successful, but I cannot connect to the corporate LAN 

Windows XP, Vista and Windows 7 require administrator privileges to execute some functions, such as adding 

network routes. Make sure that the Windows user who will be using the OpenVPN client is added to the 

Network Configuration Operators group. 

The OpenVPN client indicates that the route addition failed using CreateIpForwardEntry. 

See above. Add the connecting Windows user to the Network Configuration Operators group. 

Image 89: Route Addition Fails 

The OpenVPN client indicates that the user cannot write to the log folder 

Make sure the Windows user has the necessary permissions (Read / Write and Modify) for the folder. 



I would like to authenticate without providing a certificate password. 

Caution 

This is possible, but not advised by VASCO. The certificate passphrase (see section 3.8) 

protects your certificate when it's copied from one location to another. It also prevents abuse 

in case it is intercepted or stolen by a third party and provides authentication if no other 

authentication method has been selected for the OpenVPN service. 

This operation requires you to use the command line. Note that the openssl binary, which is needed to remove 

the certificate password, is NOT included with the OpenVPN client, so this method only works on a Linux 

machine or on a Windows machine with the cygnus or openssl package installed. 

If a user insists on removing the password of the pkcs12 client certificate, you can retrieve it with the following 

command: 

openssl pkcs12 -in -nodes -out file.pem 

Put this file in C:\Program Files\OpenVPN\config Then modify the ovpn config file as follows: 

Remove: 

pkcs12 

And add: 

ca file.pem 

cert file.pem 

key file.pem 



The OpenVPN server does not start / does not function 

On the aXsGUARD Gatekeeper, OpenVPN uses port 443 by default (see section 2.5). Make sure you have no 

other aXsGUARD Gatekeeper services listening to this port. Such services include: 

Note 

The SSL VPN server 

The Webmail server 

The Reverse Proxy server 

Contact VASCO Support if you need to change your Webmail service port. 


aXsGUARD Gatekeeper Open VPN How To v1.4 Support 

9 Support 

9.1 Overview 

In this section we provide instructions on what to do if you have a problem, or experience a hardware failure. 

9.2 If you encounter a problem 

If you encounter a problem with a VASCO product, please follow the steps below: 

1. Check whether your problem has already been solved and reported in section 8 or in the Knowledge 

Base at the following URL: http://www.vasco.com/support. 

2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the 

VASCO product. 

3. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO 

expert. If necessary, VASCO experts can access your aXsGUARD Gatekeeper remotely to solve any 

problems. 

9.3 Return procedure if you have a hardware failure 

If you experience a hardware failure, please contact your VASCO supplier. 


aXsGUARD Gatekeeper Open VPN How To v1.4 Support 

Alphabetical Index 

Accessing Documents........................................................................10 

Authentication..............................................................................10, 23 

authentication methods.......................................................................13 

CA....................................................................................................17 

Certificate.........................................................................18, 21, 25pp. 

Certificate Authority............................................................................13 

client certificate..................................................................................17 

DIGIPASS...........................................................................................13 

Directory Services..............................................................................10 

Documents........................................................................................10 

Encryption.........................................................................................21 

Firewall.....................................................................................10, 29p. 

FQDN................................................................................................14 

Keepalive...........................................................................................22 

NAT............................................................................................12, 14 

OpenSSL...........................................................................................13 

OpenVPN......................................................................................12pp. 

OTP..................................................................................................13 

PKI....................................................................................................13 

Return Procedure...............................................................................80 

Reverse Proxy....................................................................................10 

Single Sign-On...................................................................................10 

SSL...................................................................................................13 

Support.............................................................................................80 

TCP...................................................................................................14 

TLS...................................................................................................13 

Training Courses................................................................................10 

UDP..................................................................................................14 

VPN............................................................................................10, 30

aXsGUARD Gatekeeper Open VPN How To v1.4 - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?