In Part 1, we installed the Endian router/firewall/server, performed the initial configuration, and enabled the VPN server. Now we'll continue the setup process by creating OpenVPN client accounts. Then we'll see how to connect Road Warrior clients and how to create Gateway-to-Gateway connections.
Create OpenVPN Client Accounts
Whether a connection comes from a Road Warrior or from another Endian gateway, it needs its own account on the OpenVPN server. Select the Accounts tab and click Add Account. Start by entering the desired username and password; the Road Warrior or remote gateway will present these credentials when it connects.
If this account is for a Road Warrior that will be connecting from public networks (such as hotels or Wi-Fi hotspots), you probably want to enable the first option in the Client Routing section: Direct all client traffic through the VPN server. This pushes a default route to the client so that all of its Internet traffic, not just traffic for your office network, goes through the VPN tunnel, protecting otherwise unencrypted traffic from eavesdroppers on the remote network. The trade-off is that the Endian box then carries and inspects all of that client's Internet traffic.
The other account settings are more for advanced applications. You can refer to the online documentation for full details on all settings.
Once you’re done, hit Save, and the account will be created.
Connecting Road Warrior Clients
For road warriors to connect to the VPN server, they must have an OpenVPN client program installed and configured on their computers. Endian provides a custom client with its premium product. For the community release, you must download the generic client directly from the OpenVPN project, which offers a client program for Windows, Mac OS X and Linux.
Road warrior clients need the CA certificate of the OpenVPN server, so the client can verify that it is talking to the genuine server before sending its username and password. You can download this from the Endian front end: Click VPN, and in the Global settings area, click Download CA Certificate. Get it onto the client over a channel you trust (for example, hand it over in person or check its fingerprint with the administrator); a client that trusts the wrong CA will hand its credentials to an impostor without complaint.
They also must have a configuration file with the proper settings defined. Use a text editor like Notepad in Windows to create this config file, and be sure to save it with an .ovpn extension. Here is an example for what Endian calls PSK authentication, which means username and password (the auth-user-pass directive) rather than an OpenVPN pre-shared key. Replace the two placeholders with the Internet IP address of the Endian box and the path/filename of the CA certificate:
# Act as a client; TAP device (bridged mode) over UDP, matching the Endian server
client
dev tap
proto udp
# Public (RED interface) address of the Endian box; the port defaults to 1194
remote INTERNET IP (RED INTERFACE) OF ENDIAN
# Keep retrying name resolution and do not bind to a fixed local port
resolv-retry infinite
nobind
# Keep the key material and tunnel device across restarts of the tunnel
persist-key
persist-tun
# CA certificate downloaded from the Endian front end; the server's certificate must chain to it
ca FILENAME OF YOUR CA CERTIFICATE
# Prompt for the account's username and password (Endian's "PSK" authentication)
auth-user-pass
# LZO compression; this must match the server setting or the tunnel will not pass traffic
comp-lzo
Now copy both files (your CA certificate and the config file) to the OpenVPN config directory. In Windows, you will likely find this at C:\Program Files\OpenVPN\config.
To connect, right-click the OpenVPN GUI icon in the system tray and select Connect under the desired configuration. A status window will pop up, and you'll be prompted for the account's username and password.
If you delete the default test.ovpn file from the OpenVPN config directory so that your profile is the only one, double-clicking the tray icon connects straight to the Endian server. Another approach is to keep test.ovpn, copy the CA certificate into the config directory, and paste your configuration into test.ovpn: right-click the OpenVPN icon in the system tray and select Edit Config.
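For road warriors on Linux or Mac OS X, the same profile can be produced from the command line. The script below is an added example, not part of the original article or of Endian's own tooling: it checks that the downloaded file really is a PEM certificate (a saved HTML login page would otherwise yield a profile that never verifies the server), optionally prints the CA's SHA-256 fingerprint for an out-of-band check with the administrator, and then writes a single .ovpn with the CA embedded inline, which OpenVPN accepts in place of a separate ca file. The host name, file names and fingerprint handling are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article or from Endian): build a
# single-file road-warrior profile for the OpenVPN client on Linux/macOS.
# The CA certificate downloaded from the Endian front end is embedded
# inline, so the user carries one .ovpn instead of two files.
# Host names and file names used below are placeholders.

# Refuse anything that is not a PEM certificate. A mis-saved download
# (HTML page, DER file) would otherwise produce a profile whose server
# verification can never succeed, or one the user is tempted to "fix"
# by removing the ca line altogether.
check_ca_file() {
    ca="$1"
    [ -s "$ca" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$ca" || return 1
}

# Print the CA's SHA-256 fingerprint so the road warrior can compare it,
# over a separate channel, with the value the administrator computed on
# the Endian box. Needs the openssl CLI; returns 2 if it is missing.
ca_fingerprint() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# build_ovpn <endian-red-ip-or-hostname> <ca.pem> [port]
# Writes the PSK (username/password) profile from the article to stdout,
# with the CA inline. Compression must match the server; the article's
# profile uses LZO, so comp-lzo stays.
build_ovpn() {
    host="$1"; ca="$2"; port="${3:-1194}"
    check_ca_file "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    cat <<EOF
client
dev tap
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
<ca>
EOF
    cat "$ca"
    echo '</ca>'
}

# Usage (placeholder host and file names):
#   ca_fingerprint endian-ca.pem
#   build_ovpn 203.0.113.10 endian-ca.pem > endian.ovpn
#   sudo openvpn --config endian.ovpn
```

Because the profile asks for the username and password interactively (auth-user-pass with no file argument), nothing secret ends up on disk besides the CA certificate, which is public by design.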
Configuring Gateway-to-Gateway Connections
To connect an additional Endian machine at another office to the OpenVPN server, you must enable and configure the OpenVPN client on the additional Endian machine.
As with road warrior connections, you'll need the OpenVPN server's CA certificate when setting up the gateway-to-gateway connection on the additional machine. On the front end of the Endian machine hosting the server, click VPN, and in the Global settings area, click Download CA Certificate. Take this with you when you go to the additional Endian machine.
To get started setting up the gateway-to-gateway connection, log in to the web-based front end of the additional Endian machine, click VPN, and select OpenVPN client. Then click the Add tunnel configuration button. Give it a Connection Name, enter the Internet hostname or IP address of the machine hosting the OpenVPN server in the Connect To field, and select the CA certificate in the Upload Certificate field. Then enter the Username and Password of the account you created for this gateway.
Remember, we're using PSK (username/password) authentication here; you could instead use certificate-based authentication, or both, which stops a leaked password alone from being enough to bring up the tunnel. You can read more about setting these and other advanced settings up in Endian's online documentation.
When you’re done, click Save. It will be added to the tunnel list, and it will attempt to connect. On the OpenVPN Client tab, you can disable, edit or delete the connection. On the Endian machine hosting the server, you’ll see the connection status.
Discovering What Else Endian Offers
Now that you've set up Endian for OpenVPN, consider its many other features and functions. Use the firewall, implement application-level proxies with antivirus support, enable virus and spam filtering for email, or enable content filtering of Web traffic.
If you have questions or run into problems, you can refer to Endian’s online documentation, support forum, or mailing list.
Eric Geier is the founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.