OpenVPN Access Server System Administrator Guide

More documents

Recommendations

Info

connection has been established, the browser window will show the connection status and list the address of the server the user is connected to along with the amount of data that has been transferred between the users client and the vpn server. The systray icon will also show the connection status and will display a status message informing the user they are connected after the connection has been established. 2 OpenVPN Access Server Operation This section elaborates on some of the characteristics of OpenVPN Access Server deployments and further describes the operation of several components of the Access Server. 2.1 Services and TCP/UDP Ports The OpenVPN Access Server provides three network services: Network Service TCP/UDP Default VPN Server TCP or UDP TCP port 443, if forwarding service for Connect Client Connect Client (HTTPS) Admin Web UI (HTTPS) OpenVPN Access Server System Administrator Guide UDP port 1194 TCP port 443 (via service forwarding) port 943 (direct) TCP port 443 (via service forwarding) port 943 (direct) Table 2 Access Server Services and Ports The VPN Server is the daemon that creates the VPN tunnels with VPN clients. If TCP is configured as the protocol for VPN Server communication, the VPN Server can also forward services to the Connect Client and/or Admin Web UI The Client Web Service is a secure Web service handling SSL-protected HTTP from Web browsers. Users log in to the Connect Client in order to download a pre-configured OpenVPN Windows client installer file or a client configuration file. The normal port for such traffic is TCP port 443. The VPN Tunnel service can be configured to use either TCP or UDP. In the TCP case, it can also be configured to forward the Connect Client and/or Admin Web UI services. If service forwarding is used, only one TCP port needs to be made available to Internet clients. If applications requiring UDP communication (such as VoIP) are to be used over the VPN, configuring OpenVPN Access Server to use UDP for VPN Tunneling will result in a the VPN tunnel communication being more efficient. In this case, the UDP port (number 1193, by default) on the server must also be made available to Internet clients. 2.2 Typical Network Configurations The following sections describe the three most common supported network configurations used with OpenVPN Access Server deployments. 5
2.2.1 One Network Interface on Private Network Behind the Firewall This configuration is most commonly seen when the Access Server resides in an internal corporate network, providing VPN access to users outside the corporate network. In this configuration the Access Server has one network interface connected to the private network (note that other interfaces may be present on the system but will not be utilized in by the Access Server). This scenario is illustrated in Figure 2. PRIVATE IP NETWORK PRIVATE IP Internet Gateway / Firewall PUBLIC IP PUBLIC IP NETWORK (INTERNET) OpenVPN Access Server System Administrator Guide PRIVATE IP OpenVPN ACCESS SERVER Figure 2: Access Server on Private Network Behind a Firewall In this configuration, it is required that the Internet Gateway be set up to forward desired TCP/UDP port traffic from the public IP to the Access Server‟s private IP address. At a minimum, one TCP port (typically port 443) needs to be forwarded,. That can carry both the VPN tunnel traffic and the Web Client Server/Connect Client traffic. Optionally, the VPN tunneling can be separated from the Web Client Server traffic, in which case an additional TCP or UDP port (e.g., UDP port 1193) must be forwarded for the VPN tunnel purposes. A variation on this network configuration has the Access Server with one interface attached to a DMZ network provided by the firewall. The same forwarding of client traffic is required (as above); additionally, the firewall may need to be configured to allow traffic between the Access Server and the private network behind the firewall. 2.2.2 Two Network Interfaces, One on Public and One on Private Network This configuration is most commonly seen when the Access Server resides in an internal corporate network but it also has its own public IP address (see Figure 3). The Access Server communicates with clients outside the corporate network via its public IP interface. It uses another network interface to communicate with hosts on the private IP network and to propagate packets between VPN tunnels and the private network. 6
Page 1 and 2: OpenVPN Access Server System Admini
Page 3 and 4: TABLE OF CONTENTS 1 Introduction ..
Page 5 and 6: 1 Introduction The OpenVPN Access S
Page 7: 1.3 Deployment Overview (Quick Star
Page 11 and 12: 2.3 User Authentication and Managem
Page 13 and 14: 3 Installation This section describ
Page 15 and 16: You will need to list whether this
Page 17 and 18: Getting hostname... Hostname: vpn-g
Page 19 and 20: Note that the “At a glance” rig
Page 21 and 22: 4.1.2 Log Reports The Log Reports p
Page 23 and 24: 4.2 Configuration Pages 4.2.1 Licen
Page 25 and 26: The Hostname or IP Address is the n
Page 27 and 28: https://192.168.1.20/ and the Admin
Page 29 and 30: VPN Clients (provided that the Acce
Page 31 and 32: 4.2.5 Advanced VPN 4.2.5.1 Inter-Cl
Page 33 and 34: Figure 27: Connection Security Refr
Page 35 and 36: 4.2.6 User Permissions Figure 30: U
Page 37 and 38: 4.2.7 Group Permissions Figure 31:
Page 39 and 40: 4.3.2 PAM Figure 33: PAM Authentica
Page 41 and 42: 4.3.4 LDAP Figure 35: LDAP Authenti
Page 43 and 44: 4.4.1.1 Active Profile and Edit Pro
Page 45 and 46: Figure 38: Connectivity Test page N
Page 47 and 48: 5 Connect Client The Connect Client
Page 49 and 50: Tray Icon: The tray icon is a featu
Page 51 and 52: 5.3 Rebranding the Admin UI OpenVPN
Page 53 and 54: # openssl genrsa -out new.key 1024
Page 55 and 56: 7 How to authenticate users with Ac
Page 57 and 58: 8 Failover OpenVPN Access Server ha

OpenVPN Access Server System Administrator Guide

Create successful ePaper yourself

Delete template?

Save as template?