OpenVPN: Setting Up SSL-VPN accounts

Posted: 01 Jul, 2008 by Knowledge M.
Updated: 31 May, 2010 by Knowledge M.

Setting Up The OpenVPN Server:

  1. Go to VPN --> OpenVPN and create an OpenVPN channel.
  2. Select UDP as the protocol. Selecting TCP would reduce the efficiency of your VPN.
  3. The OpenVPN default port is 1194; to use another port, enter it in the text field.
  4. Enter the Address Pool IP address range. This is the address pool to be assigned to the VPN hosts, expressed as an IP address range with a CIDR value (e.g. 10.0.8.0/24). If the 'Use Static IP' field isn't set, clients will be assigned IP addresses from this pool. Otherwise, this will be used to set the local interface's IP address.
  5. Enter the Local Network IP address range. This is the network that will be accessible from the remote endpoint.
  6. Choose a cryptographic option. Use BF-CBC (128 bit) if in doubt.
  7. As the authentication method, choose either PKI (Public Key Infrastructure) or Shared Key.
  8. Generate certificates for the server and the VPN hosts. Creating certificates and keys for the server and hosts is explained in detail in the separate article "OpenVPN: Setting up Certification Authority & Generating Certificates" (see 'Also read' below).
  9. The CA certificate (ca.crt), server certificate (server.crt), server key (server.key) and DH parameters (dh.pem) should be generated and pasted into their respective fields.
  10. Enable LZO compression.
  11. Give a meaningful description for the OpenVPN channel that is created.
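
Steps 4 and 5 above are the two places where a typo silently breaks routing: a pool that overlaps the local network, a pool written with host bits set, or a pool too small for any client. The following Python script is an added example (not part of this article or of the Mettle SE software) that performs the checks an administrator would want to run on those two values before saving the channel; the sample networks in it are constructed assumptions.

```python
import ipaddress


def validate_openvpn_networks(pool_cidr, local_cidr, other_networks=()):
    """Check the 'Address Pool' (step 4) against the 'Local Network' (step 5)
    and any other subnets the appliance already routes. Returns a dict with
    the tunnel address the server end will take and a list of problems
    (empty when the values are usable)."""
    problems = []
    try:
        # strict=True rejects a pool written with host bits set, e.g. 10.0.8.1/24
        pool = ipaddress.ip_network(pool_cidr, strict=True)
    except ValueError as exc:
        return {"server_address": None, "problems": [f"address pool: {exc}"]}
    try:
        local = ipaddress.ip_network(local_cidr, strict=True)
    except ValueError as exc:
        return {"server_address": None, "problems": [f"local network: {exc}"]}

    # A pool overlapping a routed subnet breaks routing: clients would send
    # traffic for those hosts into the tunnel, and the LAN's return route for
    # the pool would point back at the LAN itself.
    routed = [("local network", local)]
    routed += [("other network", ipaddress.ip_network(n, strict=False))
               for n in other_networks]
    for name, net in routed:
        if pool.overlaps(net):
            problems.append(f"address pool {pool} overlaps {name} {net}")

    # OpenVPN's net30 tun topology (the default of the 2.x series this article
    # targets) spends a /30 per client, so a pool smaller than /29 fits no client.
    if pool.prefixlen > 29:
        problems.append(f"address pool {pool} is too small (/{pool.prefixlen})")

    # The pool should be a private range like the rest of the LAN
    # (is_private covers RFC 1918 and the other reserved ranges).
    if not pool.is_private:
        problems.append(f"address pool {pool} is not a private range")

    # With 'Use Static IP' unset, the server end takes the first usable address
    # of the pool (10.0.8.1 for 10.0.8.0/24), as OpenVPN's 'server' directive does.
    server_addr = next(pool.hosts(), None)
    return {"server_address": str(server_addr) if server_addr else None,
            "problems": problems}


if __name__ == "__main__":
    # Constructed sample values (assumptions, not from a real deployment)
    print(validate_openvpn_networks("10.0.8.0/24", "192.168.1.0/24"))
    print(validate_openvpn_networks("192.168.1.0/24", "192.168.1.0/24"))
```

Pass every subnet the box already routes (DMZ, second LAN) in other_networks; the overlap check is the one that catches the common mistake of reusing the LAN range for the pool.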
Defining User Access Control

Users are given privileges and restrictions by adding them to groups that have firewall access control rules set on them. To implement SSL-VPN access control, the network administrator should follow these procedures:

Defining a user

  1. Go to: VPN --> OpenVPN --> Users --> Click on the '+' button
  2. Enter the user name in the field marked 'User Name'. (This should match the common name in the user's security certificate.)
  3. Give a description for the user.
  4. Click on 'Save'.

The user should be added to a group which has a set of access rules bound to it. If no groups exist, you should create one and set its access rules.

Create a group

  1. Go to: VPN --> OpenVPN --> Access Control --> Click on the '+' button
  2. Enter a group name in the field marked 'Group Name'.
  3. Give a description for the group.
  4. Click on 'Save'.

Adding users to a group

  1. Go to: VPN --> OpenVPN --> Access Control --> Click on the 'e' (edit) button next to a group
  2. Click on the '+' button under 'User'
  3. Select the user name you wish to add to the group from the drop-down list box. (Users previously added to a group will not be listed.)
  4. Give a description for the user.
  5. Click on 'Save'.

To specify access control for a group

  1. Assuming that you are in 'edit group' mode, click on the '+' button under 'Protocol-Destination-Port'
  2. From the 'Protocol' drop-down list box, choose the protocol you want to allow
  3. Enter the IP address of the destination in the field 'Destination'
  4. Enter the port in the field 'Port'; separate multiple ports with commas
  5. Click on 'Save'.
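
The model behind the three procedures above is: a VPN client is identified by the common name of its certificate, that name is looked up as a user, the user's groups are consulted, and only traffic matching one of a group's Protocol-Destination-Port entries is allowed (anything else is dropped). The following Python script is an added example of that evaluation, written for this article and not taken from the Mettle SE software; the groups, users, subject strings and addresses in it are constructed assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AccessRule:
    """One 'Protocol-Destination-Port' entry of a group."""
    protocol: str      # 'TCP', 'UDP', 'ICMP' or 'Any' (the drop-down value)
    destination: str   # destination IP address, or 'Any'
    ports: str = ""    # comma-separated 'Port' field, e.g. "22,443"; empty = any port


@dataclass
class Group:
    name: str
    users: set = field(default_factory=set)    # user names (= certificate common names)
    rules: list = field(default_factory=list)


def common_name_from_subject(subject):
    """Extract the CN from an OpenSSL-style subject line such as
    'subject= /C=SE/O=Example/CN=client1'. Returns None if no CN is present."""
    match = re.search(r"(?:^|/|,\s*)CN\s*=\s*([^/,]+)", subject)
    return match.group(1).strip() if match else None


def parse_ports(port_field):
    """'22,443' -> {22, 443}; '' -> empty set, meaning 'any port'.
    Raises ValueError on anything that is not a valid port number."""
    ports = set()
    for item in port_field.split(","):
        item = item.strip()
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add(port)
    return ports


def is_allowed(groups, cert_subject, protocol, destination, port):
    """Default deny: a VPN host may only send traffic that some rule of a group
    its user belongs to permits. Identity comes from the client certificate CN,
    which is why the user name must equal the certificate's common name."""
    user = common_name_from_subject(cert_subject)
    if user is None:
        return False
    for group in groups:
        if user not in group.users:
            continue
        for rule in group.rules:
            if rule.protocol.lower() != "any" and rule.protocol.lower() != protocol.lower():
                continue
            if rule.destination.lower() != "any" and rule.destination != destination:
                continue
            allowed = parse_ports(rule.ports)
            if allowed and port not in allowed:
                continue
            return True
    return False


# Constructed sample: one group for administrators, one for ordinary staff
GROUPS = [
    Group("admins", {"client1"}, [AccessRule("TCP", "192.168.1.10", "22,443")]),
    Group("staff", {"client2"}, [AccessRule("TCP", "192.168.1.20", "3389"),
                                 AccessRule("ICMP", "Any")]),
]

if __name__ == "__main__":
    for subj, proto, dst, port in [
        ("subject= /C=SE/O=Example/CN=client1", "tcp", "192.168.1.10", 22),
        ("subject= /C=SE/O=Example/CN=client1", "tcp", "192.168.1.10", 80),
        ("subject= /C=SE/O=Example/CN=client2", "tcp", "192.168.1.10", 22),
        ("subject= /C=SE/O=Example/CN=client3", "tcp", "192.168.1.20", 3389),
    ]:
        print(subj, proto, dst, port, "->", is_allowed(GROUPS, subj, proto, dst, port))
```

Note the two consequences worth keeping in mind when administering the real box: a user whose certificate CN does not match any defined user gets nothing, and a user who is defined but not in any group also gets nothing.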

Setting Up the OpenVPN Client in Windows:

  1. Download the OpenVPN client from this location: http://openvpn.net/index.php/open-source/downloads.html
  2. Install the OpenVPN client that you have just downloaded.
  3. OpenVPN requires a configuration file for the VPN connection. Go to C:\program files\openvpn\config\ and create a new file called "mettlese.ovpn".
  4. Ask the system administrator to provide the three files that are required to establish a connection with the server: ca.crt, client1.crt and client1.key.
  5. Edit the file just created (mettlese.ovpn) with Notepad and enter the following information. The placeholder values should be replaced with the appropriate values:
    1. In place of sslvpn, enter the name of the newly created OpenVPN network interface.
    2. Replace your.mettlese.box with the FQDN of your Mettle SE, or enter the WAN IP address of the Mettle SE.
    3. Replace 1194 with the port specified for OpenVPN communication on the Mettle SE server.
    4. Replace client1.crt with the name of the .crt file the system administrator provided; likewise, replace client1.key with the name of the .key file.
Configuration file: mettlese.ovpn

# Client side of the channel created above. Lines starting with '#' are
# comments and may be left out.
port 1194
dev tun
# Name of the Windows TAP adapter (the OpenVPN network interface created by the installer)
dev-node sslvpn
# Must match the protocol chosen for the server channel (UDP in the setup
# above); a 'tcp-client' line here cannot connect to a UDP server.
proto udp
remote your.mettlese.box 1194
ping-restart 30
persist-tun
persist-key
tls-client
ca ca.crt
cert client1.crt
key client1.key
# Accept only a certificate issued for server use as the server, so another
# client certificate from the same CA cannot impersonate the server.
ns-cert-type server
# Compression must also be enabled on the server channel (step 10 above).
comp-lzo
pull

Note: In the case of Windows Vista you need to add the following 2 lines to mettlese.ovpn:

route-method exe
route-delay 2
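
Most failed first connections come from the client file disagreeing with the server channel: wrong protocol, wrong port, a placeholder hostname left in, a missing certificate line, or compression on only one side. The following Python script is an added example (not part of this article, the OpenVPN project or the Mettle SE software) that parses a client .ovpn and cross-checks it against the choices made in the server setup and the WAN firewall rule; the embedded sample file and the server values are constructed assumptions.

```python
import re

# Constructed sample of the client file from the article, with the placeholders
# already replaced (the hostname is an assumption).
SAMPLE_OVPN = """\
port 1194
dev tun
dev-node sslvpn
proto udp
remote vpn.example.com 1194
ping-restart 30
persist-tun
persist-key
tls-client
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
pull
"""

# What was chosen on the server side in the article's setup (assumed values).
SERVER = {"proto": "udp", "port": 1194, "comp_lzo": True}

# The hostname placeholders used in this article.
PLACEHOLDER_HOSTS = {"your.mettlese.box", "your.mettle.se.box"}


def parse_ovpn(text):
    """Return a dict directive -> list of argument lists. Lines whose first
    non-blank character is '#' or ';' are comments, as in OpenVPN itself."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def first_arg(directives, name, default=None):
    """First argument of the first occurrence of a directive, or the default."""
    occurrences = directives.get(name)
    if not occurrences or not occurrences[0]:
        return default
    return occurrences[0][0]


def lint_client_config(text, server, windows_vista=False):
    """Cross-check a Windows client .ovpn against the server-side choices.
    Returns (problems, warnings): problems stop the connection from working,
    warnings are things a practitioner should look at."""
    d = parse_ovpn(text)
    problems, warnings = [], []

    # Protocol: tcp-client pairs with tcp-server, udp with udp. OpenVPN
    # defaults to udp when no 'proto' line is present.
    proto = first_arg(d, "proto", "udp").lower()
    client_proto = "tcp" if proto.startswith("tcp") else "udp"
    if client_proto != server["proto"]:
        problems.append(f"proto {proto} does not match the server protocol {server['proto']}")

    # Remote host and port: 'remote host [port]' overrides a bare 'port' line.
    remotes = d.get("remote")
    if not remotes or not remotes[0]:
        problems.append("no 'remote' line: the client does not know which server to contact")
    else:
        host = remotes[0][0]
        port_text = remotes[0][1] if len(remotes[0]) > 1 else first_arg(d, "port", "1194")
        if host in PLACEHOLDER_HOSTS:
            problems.append(f"remote host '{host}' is the article's placeholder; use the Mettle SE FQDN or WAN IP")
        if int(port_text) != server["port"]:
            problems.append(f"remote port {port_text} does not match the server port {server['port']} (check the WAN firewall rule too)")

    # PKI material: all three files must be referenced (and sit in openvpn\config).
    for directive in ("ca", "cert", "key"):
        if directive not in d:
            problems.append(f"missing '{directive}' line")

    # Compression must agree on both sides.
    if ("comp-lzo" in d) != server["comp_lzo"]:
        problems.append("comp-lzo setting does not match the server channel")

    # Keep a server-certificate type check; without one, any certificate
    # issued by the CA (another client's, say) is accepted as the server.
    if "ns-cert-type" in d:
        warnings.append("ns-cert-type is deprecated in OpenVPN 2.4 and removed in 2.5; use 'remote-cert-tls server'")
    elif "remote-cert-tls" not in d:
        problems.append("no server certificate check (ns-cert-type / remote-cert-tls)")

    # BF-CBC, the default when no 'cipher' line is present, is a 64-bit block cipher.
    if first_arg(d, "cipher", "BF-CBC").upper() == "BF-CBC":
        warnings.append("cipher is BF-CBC (64-bit blocks); prefer an AES cipher on both sides")

    # Windows Vista needs the two extra route lines from the note above.
    if windows_vista:
        if first_arg(d, "route-method") != "exe":
            problems.append("Windows Vista: add 'route-method exe'")
        if first_arg(d, "route-delay") is None:
            problems.append("Windows Vista: add 'route-delay 2'")
    return problems, warnings


if __name__ == "__main__":
    print(lint_client_config(SAMPLE_OVPN, SERVER))
    print(lint_client_config(SAMPLE_OVPN.replace("proto udp", "proto tcp-client"), SERVER))
```

Run it against the .ovpn before handing it to the user; an empty problems list means the file agrees with the server channel, and the warnings are the two settings of this article that later OpenVPN releases changed.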

Copy the three files (client1.crt, client1.key and ca.crt) to openvpn\config on the Windows machine. Right-click on the mettlese.ovpn file and select 'Connect' to test the connection. After this, click on the new OpenVPN icon in the system tray. If it shows a balloon with the new IP address, the client is connected.

Adding Firewall Rules:

To allow traffic from VPN host computers to reach the OpenVPN listener on the WAN interface:

  1. Go to Firewall --> Rules --> WAN --> Add Rule
  2. Protocol: UDP
  3. Destination: WAN Address
  4. Destination Port: 1194
  5. Save the configuration.

To allow traffic from the LAN to OpenVPN:

  1. Now go to the LAN tab and make sure that the LAN can talk to the new OpenVPN interface.
  2. Go to Firewall --> Rules --> LAN --> Add Rule
  3. Protocol: Any
  4. Click on Save and Apply Changes.
  5. Do this for any other subnets/DMZs that you want to be able to talk to clients on the OpenVPN network.

Also read
  Choosing a VPN Technology
  OpenVPN: If VPN Clients Want to Access a Subnet other than "Local network"
  Open VPN Troubleshooting
  OpenVPN: Setting Up a SSL-VPN Client in Windows
  OpenVPN: Setting up Certification Authority & Generating Certificates
  OpenVPN: To make OpenVPN client use VPN as the Default Gateway
  OpenVPN: To exclude some Network from using VPN gateway when VPN is set as default gateway for VPN client