Endian Firewall Reference Manual r. 2.2.0.2

Copyright (c) 2008 Endian srl, Italy.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Chapter 7: The VPN Menu

Select VPN from the menu bar at the top of the screen.

Virtual private networks (VPNs) allow networks to connect directly to each other over potentially unsafe networks such as the internet. All network traffic through the VPN connection is transmitted securely, inside an encrypted tunnel, hidden from prying eyes. Such a configuration is called a Gateway-to-Gateway VPN. Similarly, a single computer somewhere on the internet can use a VPN tunnel to connect to a trusted LAN. The remote computer, sometimes called a Road Warrior, appears to be directly connected to the trusted LAN while the VPN tunnel is active.

Endian Firewall can create VPNs based on the IPsec protocol supported by most operating systems and network equipment, as well as VPNs based on the OpenVPN service.

Unfortunately, the tools needed to set up IPsec vary greatly among different systems, may be complicated to use or may have interoperability issues. Therefore, Endian recommends OpenVPN in situations where there is no need to support an existing IPsec infrastructure. Endian Firewall includes a user-friendly OpenVPN client for Microsoft Windows, Linux and MacOS X.

The links that appear in the submenu on the left side of the screen allow setting up VPNs of any of the types mentioned. Each link will be explained individually in the following sections.

OpenVPN server

Select VPN from the menu bar at the top of the screen, then select OpenVPN server from the submenu on the left side of the screen.

Server configuration

In this panel you can enable the OpenVPN server and define the range of addresses within the GREEN zone that are going to be assigned to connecting clients.

Click on Save to save the settings and start the OpenVPN service. The first time the service is started a new (self-signed) certificate for this OpenVPN server is generated. Click on the Download CA certificate link to download it. You need it later for setting up the clients.

The following panel shows a list of currently connected clients, once OpenVPN is up and running and in use.

Accounts

This panel contains the list of OpenVPN accounts.

Click on Add account to add an account. The following parameters can be specified for each account:

Account information
Username - user login name
Password / Verify password - specify the password (twice)
Client routing
Direct all client traffic through the VPN server - if you check this, all the traffic from the connecting client (regardless of the destination) is routed through the uplink of the Endian Firewall that hosts the OpenVPN server, whereas the default is to route traffic with an unrelated destination (such as internet hosts) through the client's uplink
Don't push any routes to client - (advanced users only) normally, when a client connects, tunneled routes to networks accessible via VPN are added to the client's routing table; check this if you don't want this to happen and are prepared to manipulate your clients' routing tables manually
Networks behind client - only needed if you want to use this account as client in a Gateway-to-Gateway setup: enter the networks behind this client that you would like to push to the other clients
Push only these networks - add your own network routes to be pushed to the client here (overrides all automatically pushed routes)
Custom push configuration
Static IP addresses - normally, clients are assigned dynamic IP addresses; you can override this here and assign a static address
Push these nameservers - assign nameservers on a per-client basis here
Push domain - assign search domains on a per-client basis here

In these fields, all addresses and network addresses must be given in CIDR notation (such as 192.168.0.0/24).

Click the Save button to save the account settings. You can at any moment disable/enable, edit or delete accounts from the list of accounts by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

If you're planning to have two or more branch offices connected through a Gateway-to-Gateway VPN it is good advice to choose different subnets for the LANs in the different branches. For example, one branch might have a GREEN zone with the 192.168.1.0/24 subnet while the other branch uses 192.168.2.0/24. In this way, correct routes will be assigned in a fully automatic way and you don't have to deal with pushing custom routes.
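As an added example (not part of the Endian manual or product), the following Python script checks a Gateway-to-Gateway address plan for the subnet overlaps this advice is meant to avoid, and validates that every entry is in the CIDR notation the account fields require. The branch names and subnets are constructed for illustration.

```python
"""Check a Gateway-to-Gateway address plan for overlapping subnets.

Added example, not part of the Endian Firewall manual or product.
All labels and subnets below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_cidr(text: str) -> ipaddress.IPv4Network:
    """Parse a network in CIDR notation (e.g. 192.168.0.0/24).
    strict=True rejects entries with host bits set, such as
    192.168.1.5/24, which do not name a network."""
    return ipaddress.IPv4Network(text.strip(), strict=True)


def is_valid_cidr(text: str) -> bool:
    """True if the string is a well-formed network in CIDR notation."""
    try:
        parse_cidr(text)
        return True
    except ValueError:
        return False


def find_overlaps(plan: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """plan maps a label (the server's GREEN zone, each account's
    'Networks behind client') to its CIDR strings.  Returns every pair of
    networks under different labels that overlap: such pairs cannot get
    unambiguous routes pushed automatically and need custom routes."""
    flat = [(label, parse_cidr(c)) for label, cidrs in plan.items() for c in cidrs]
    overlaps = []
    for i, (label_a, net_a) in enumerate(flat):
        for label_b, net_b in flat[i + 1:]:
            if label_a != label_b and net_a.overlaps(net_b):
                overlaps.append((label_a, str(net_a), label_b, str(net_b)))
    return overlaps


# Constructed plans: the bad one reuses the HQ subnet at branch-1.
BAD_PLAN = {
    "HQ GREEN": ["192.168.1.0/24"],
    "branch-1 networks behind client": ["192.168.1.0/24"],
    "branch-2 networks behind client": ["192.168.2.0/24", "10.10.0.0/16"],
}
GOOD_PLAN = {
    "HQ GREEN": ["192.168.1.0/24"],
    "branch-1 networks behind client": ["192.168.3.0/24"],
    "branch-2 networks behind client": ["192.168.2.0/24", "10.10.0.0/16"],
}

if __name__ == "__main__":
    for label, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, find_overlaps(plan))
```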

Advanced

Use this panel to change advanced settings. Among other things, certificate-based authentication (as opposed to password-based) can be set up in this section.

The first section has some generic settings regarding the server:

Port / Protocol - port 1194 / protocol UDP are the default OpenVPN settings. It is a good idea to leave them as they are - if you need to make OpenVPN accessible via other ports (possibly more than one), you can use port forwarding (see Firewall, Port Forwarding). A use case for setting TCP as the protocol is when you want to access the OpenVPN server through a third-party HTTP proxy.
Block DHCP responses coming from tunnel - check this if you're getting DHCP responses from the LAN at the other side of the VPN tunnel that conflict with your local DHCP server
Don't block traffic between clients - the default is to isolate clients from each other; check this if you want to allow traffic between different VPN clients

The second section lets you specify the authentication method:

Endian Firewall's default method is PSK (username/password). With this method, no settings need to be changed here.

The Download CA certificate link lets you download the certificate for this OpenVPN server as needed by the clients (this is public, used only to verify the authenticity of the server), and the Export CA as PKCS#12 file link lets you download the certificate exported as a PKCS#12 file (keep it private!) to be imported into any OpenVPN server that you wish to use as a fallback server.

Finally, if this is a fallback system, you can upload the PKCS#12 file that you exported from your primary server (leave "Challenge password" empty if the file came from an Endian Firewall).

If you would rather use an X.509-certificate-based method here (either certificate only or certificate plus password), things get a bit more complicated. It is assumed (and required) that you use an independent certificate authority (CA) for this purpose. It is neither possible nor desirable to host that on Endian Firewall.

You need to generate and sign certificates for the server and for each client using your CA. The certificates must explicitly be of type "server" and type "client" ("netscape certificate type" field).

The server certificate file in PKCS#12 format must be uploaded in this section (specify the "Challenge password" if you had given one on your CA software).

The client certificates need to have the common name fields equal to their OpenVPN user names. Watch out: if you use certificate-only authentication a client that has a valid certificate can connect even if there is no corresponding OpenVPN user account!

You can also upload a revocation list, in case you lost a client certificate and hence have revoked it on your CA.

The third section lets you specify global push options (valid for each account):

Push these networks - add network routes to be pushed to all clients (overrides all automatically pushed routes)
Push these nameservers - assign nameservers to be pushed to all clients
Push domain - assign search domains to be pushed to all clients

All addresses and network addresses must be given in CIDR notation (such as 192.168.0.0/24).

VPN client download

Click on the link to download the Endian VPN client for Microsoft Windows, MacOS X and Linux from Endian Network.

OpenVPN client (Gw2Gw)

Select VPN from the menu bar at the top of the screen, then select OpenVPN client (Gw2Gw) from the submenu on the left side of the screen.

This section allows setting up the client side of a Gateway-to-Gateway VPN setup. Click on Add tunnel configuration to enter information about the OpenVPN server you intend to connect to (there can be more than one):

Connection name - just a label for this connection
Connect to - the remote OpenVPN server's fully qualified domain name and port (such as efw.example.com:port) - the port is optional and defaults to 1194
Upload certificate - if the server is configured to use PSK authentication (password/username), you need to upload the server's host certificate (the one you get from the Download CA certificate link at the server). Otherwise, if you use certificate-based authentication, you need to upload the PKCS#12 file of the server (the one you get from the Export CA as PKCS#12 file link in the Advanced section of the OpenVPN server submenu at the server).
PKCS#12 challenge password - specify the password this file is encrypted with (if you had given one on your CA software)
Username / Password - if the server is configured to use PSK authentication (password/username) or certificate plus password authentication, give the username and password of the OpenVPN server account here
Remark - your comment

Click on Advanced tunnel configuration to see more options:

Fallback VPN servers - specify one or more (one per line) fallback OpenVPN servers in the form efw.example.com:port (the port is optional and defaults to 1194). If the connection to the main server fails, a fallback server will take over.
Connection type - "routed" (the client firewall acts as a gateway to the remote LAN) or "bridged" (as if the client firewall was part of the remote LAN). Default is "routed".
Block DHCP responses coming from tunnel - check this if you're getting DHCP responses from the LAN at the other side of the VPN tunnel that conflict with your local DHCP server
NAT - check this if you want to hide the clients connected via this Endian Firewall behind the firewall's VPN IP address. Doing so will prevent incoming connections requests to your clients.
Protocol - UDP (default) or TCP. Set to TCP if you want to use an HTTP proxy (next option).
HTTP proxy - if your Endian Firewall can access the internet only through an upstream HTTP proxy, you can still use it as an OpenVPN client in a Gateway-to-Gateway setup: you need to use the TCP protocol for OpenVPN on both sides and fill in the HTTP proxy account information here: proxy host (such as proxy.example.com:port, where port defaults to 8080), username and password. You can even give a forged user agent string if you want to camouflage your Endian Firewall as a regular web browser.

Click the Save button to save the tunnel settings. You can at any moment disable/enable, edit or delete tunnels from the list of tunnels by clicking on the appropriate icon on the right side of the table (see the icon legend at the bottom).

IPsec

Select VPN from the menu bar at the top of the screen, then select IPsec from the submenu on the left side of the screen.

This section of the reference guide will be added in a future update.