This article will show you how to use SOU's VPN service to access our campus network remotely. VPN access must be approved through the Information Technology department before you can use the service or properly follow along with the instructions in this article. If you think you need VPN access, please contact your Computing Coordinator or email helpdesk@sou.edu.
If you receive a connection error after you install the OpenVPN Connect client and you have followed these instructions exactly, contact your Computing Coordinator right away. We have observed an issue where some computers running Windows 10 build 1803 cannot connect to our VPN service through the client. Updating to the latest build of Windows 10 fixes the issue, and your Computing Coordinator can guide you through that process if your device requires it.
FAQ
What is a VPN?
VPN stands for Virtual Private Network. A Virtual Private Network refers to a method of securely connecting remote computers to a host network over the Internet through a secure, encrypted tunnel. Computers connected to the SOU network over our VPN service appear on our network as though they were physically on campus even though they may be anywhere in the world, which makes all of our online campus resources available to them.
Is using the VPN service secure?
Yes, our VPN service is very secure. All of your data is encrypted between your computer and our servers as it travels over the Internet through the VPN tunnel, and every sign-in requires both your SOU password and a Duo confirmation. The tunnel protects your data while it is in transit; it cannot protect a computer that is already compromised, which is one reason the service is only authorized on laptops managed by the IT Department. Using the VPN service is as safe as using your computer on our physical campus.
Is using the VPN service going to slow down my computer?
No, using the VPN service will not slow down your computer, but you may notice some latency in your web browsers or when you work with files on your P, S, or X drives because all of your data must travel over the Internet to our servers before anything else can happen. The latency should be very minor if you have a fast Internet connection. Unfortunately, there is nothing we can do to eliminate that latency because it will always take time for signals to travel over the distances involved in Internet transmission.
What should I do if my Internet connection is slow or unreliable?
We strongly recommend that you make arrangements to do your remote work where you can use the VPN service over a fast, reliable Internet connection. Talk to your Computing Coordinator if you think that is going to present a challenge.
What are the criteria for receiving approval to use the VPN service?
The IT Department evaluates requests for VPN access on a case-by-case basis. The following list of criteria is not exhaustive, nor is any single criterion both necessary and sufficient for approval, but hopefully the list will give you an idea of what we consider. Even if we determine that the VPN service is not the best solution for you, we will work with you to ensure that you have what you need to do your work remotely by other means.
- Your job duties require you to have access to secure online systems that can normally only be accessed while on campus, such as Banner, Cognos, EMS for scheduling, Millennium FAST, and Perceptive Content.
- Your job duties require you to use specialized software that would be impractical or impossible for us to make available through our Remote Desktop environments.
- Your job duties require you to use software that would not perform adequately on our Remote Desktop servers because of their processor, memory, or graphical processing requirements.
- You have a laptop that is managed by the IT Department that you can use with the VPN service. We are not authorizing VPN use from personal devices.
How to Install the VPN Service on Your Computer (FIRST TIME CONNECTING)
Follow these instructions to prepare your computer for connecting to the VPN service for the first time.
Windows Instructions
Step 1 - Locate the Remote Access folder on your desktop
After you are approved for VPN access, you will receive a folder on your laptop's desktop titled RemoteAccess as long as you are on-campus. If you are off-campus, use this link to download a zipped copy of the folder that you can extract onto your desktop. The folder contains useful shortcuts for starting the VPN service and connecting to your SOU network drives (P, S, and X). If you cannot locate the folder, contact your Computing Coordinator for assistance.
The RemoteAccess folder contains useful shortcuts to help you connect to the VPN service. If you are on Windows, you will find the following files in the RemoteAccess folder:
- ReadMe.txt - This file contains condensed instructions for how to connect to the VPN service and how to use the other items in the Remote Access folder.
- OpenVPN First Time Access - This is a shortcut to https://openvpn.sou.edu that will help you get started. It will open the webpage in your computer's default web browser.
- OpenVPN Connect - This shortcut will launch the OpenVPN software only after you have completed the instructions for first time setup. We will be using it later.
- MapNetworkDrives.cmd - This file is a batch script that will connect your computer to your Personal drive (P:) and your department Shared drive (S:) after you have connected to our network through the VPN service.
- MapCourseDrive.cmd - This file is a batch script that will connect your computer to your Courses drive (X:) after you have connected to our network through the VPN service. (Note: This drive is not relevant to staff, only to faculty.)
Step 2 - Launch the OpenVPN First Time Access shortcut, Sign In, and Install the OpenVPN Connect Client
The OpenVPN First Time Access shortcut will take you to our VPN sign-in page in your default web browser. Enter your SOU credentials and then click Sign In to continue.
After you have provided your credentials, you will be required to complete your authentication with Duo. If you do not have a Duo device that you can access away from your office, contact your Computing Coordinator immediately or follow these instructions to self-enroll another Duo device, such as a cell phone or a home phone.
You may enter any of the following into the text field, then click Continue, to complete this step (don't include any quotation marks). If you have more than one phone enrolled in Duo, you can append '2' or '3' (or higher) to the push option, the sms option, and the phone option to refer to that device specifically. (Example: push2, phone2, sms2; push3, phone3, sms3) Because it is difficult to know which phone is identified by which number, we recommend that you start with no numbers, then append '2', then append '3' if '2' does not work, and so forth until you receive the push notification, the text message, or the phone call on whichever phone you have access to at the time.
- 'push' - Enter this to receive a push notification from Duo on your enrolled smart phone.
- 'sms' - Enter this to receive a text message from Duo on your enrolled smart phone or cell phone.
- 'phone' - Enter this to receive a phone call from Duo on your enrolled smart phone, cell phone, or desk phone.
- token code - If you have a Duo token or want to use a passcode stored in the Duo app on your smart phone, enter the code in the text field.
After you have successfully authenticated with Duo, the web page will prompt you to download the OpenVPN client for your computer's operating system. It should automatically recommend the right one for you. Click on the button featuring the logo for your operating system to begin the download.
Find the downloaded installer on your computer and launch it. If you have any trouble installing the OpenVPN client, contact your Computing Coordinator.
Macintosh Instructions
Step 1 - Navigate to https://openvpn.sou.edu and download the software
Open your favorite web browser on your Macintosh computer and navigate to https://openvpn.sou.edu. Enter your SOU credentials.
After you have provided your credentials, you will be required to complete your authentication with Duo. If you do not have a Duo device that you can access away from your office, contact your Computing Coordinator immediately or follow these instructions to self-enroll another Duo device, such as a cell phone or a home phone.
You may enter any of the following into the text field, then click Continue, to complete this step (don't include any quotation marks). If you have more than one phone enrolled in Duo, you can append '2' or '3' (or higher) to the push option, the sms option, and the phone option to refer to that device specifically. (Example: push2, phone2, sms2; push3, phone3, sms3) Because it is difficult to know which phone is identified by which number, we recommend that you start with no numbers, then append '2', then append '3' if '2' does not work, and so forth until you receive the push notification, the text message, or the phone call on whichever phone you have access to at the time.
- 'push' - Enter this to receive a push notification from Duo on your enrolled smart phone.
- 'sms' - Enter this to receive a text message from Duo on your enrolled smart phone or cell phone.
- 'phone' - Enter this to receive a phone call from Duo on your enrolled smart phone, cell phone, or desk phone.
- token code - If you have a Duo token or want to use a passcode stored in the Duo app on your smart phone, enter the code in the text field.
After you have successfully authenticated with Duo, the web page will prompt you to download the OpenVPN client for your computer's operating system. It should automatically recommend the right one for you. Click on the button featuring the logo for your operating system to begin the download.
How to Connect to the VPN Service
If you have not yet configured your computer to connect to the VPN service, follow the instructions provided above. Follow the instructions below only after you have installed the OpenVPN Connect client on your computer.
Windows Instructions
Step 1 - Launch the OpenVPN Connect client and connect to openvpn.sou.edu
You can conveniently launch the OpenVPN Connect client using the shortcut provided within the RemoteAccess folder on your desktop.
After you launch the client, you will need to locate its program icon in your Windows notification area icons and click it. Use the up arrow icon to show all of your hidden notification area icons if you do not see the orange OpenVPN Connect icon right away. (Tip: You can drag and drop the OpenVPN icon from the hidden icons to the 'pinned' icons to keep it there permanently.)
If this is your first time connecting or you see the 'No VPN servers found' item in the menu after you click on the OpenVPN Connect client icon, then you need to click on Connect.
If you see openvpn.sou.edu in the menu already, click it, then click Connect in the submenu. This simply allows you to skip the next step below.
If prompted, enter 'openvpn.sou.edu' into the text field for the hostname of the server, then click Continue.
If you receive a connection error at this point, contact your Computing Coordinator right away. We have observed an issue where some computers running Windows 10 build 1803 cannot connect to our VPN service through the client. Updating to the latest build of Windows 10 fixes the issue, and your Computing Coordinator can guide you through that process if your device requires it.
Enter your SOU username and your SOU password, then click Connect.
After you have provided your credentials, you will be required to complete your authentication with Duo. If you do not have a Duo device that you can access away from your office, contact your Computing Coordinator immediately or follow these instructions to self-enroll another Duo device, such as a cell phone or a home phone.
You may enter any of the following into the text field, then click Continue, to complete this step (don't include any quotation marks). If you have more than one phone enrolled in Duo, you can append '2' or '3' (or higher) to the push option, the sms option, and the phone option to refer to that device specifically. (Example: push2, phone2, sms2; push3, phone3, sms3) Because it is difficult to know which phone is identified by which number, we recommend that you start with no numbers, then append '2', then append '3' if '2' does not work, and so forth until you receive the push notification, the text message, or the phone call on whichever phone you have access to at the time.
- 'push' - Enter this to receive a push notification from Duo on your enrolled smart phone.
- 'sms' - Enter this to receive a text message from Duo on your enrolled smart phone or cell phone.
- 'phone' - Enter this to receive a phone call from Duo on your enrolled smart phone, cell phone, or desk phone.
- token code - If you have a Duo token or want to use a passcode stored in the Duo app on your smart phone, enter the code in the text field.
You should then see a message from Windows indicating that the VPN connection completed successfully. The OpenVPN Connect icon should also update with a green arrow to indicate that you are connected. Congratulations!
Step 2 - Connect Your SOU Network Drives (P, S, and X)
When you boot up your SOU laptop on campus, it automatically connects to your network drives for you because they are reachable. When you boot up your SOU laptop at home, it cannot reach the network drives yet, so it skips connecting to them. Now that you have connected to the VPN service, we can finally connect to your SOU network drives.
Connect to your P drive and the S drive
Double click the MapNetworkDrives.cmd script file in your RemoteAccess folder on your desktop. You should briefly see a command line window appear on your screen with some text in it. You can ignore the window. It will close on its own when the script finishes.
Connect to the X drive (for faculty)
Double click the MapCourseDrive.cmd script file in your RemoteAccess folder on your desktop. You should briefly see a command line window appear on your screen with some text in it. You can ignore the window. It will close on its own when the script finishes.
Verify that the drives connected
You should see them in the quick access columns along the left side of the File Explorer window where you just ran the scripts. You can now access them as you normally would at work.
Macintosh Instructions
Step 1 - Launch the OpenVPN Connect client and connect to openvpn.sou.edu
You will find the OpenVPN Connect client in your Applications folder. Launch it, then look for the OpenVPN Connect icon in your menu bar near your system clock in the top-right region of your screen.
Click on the menu bar icon for OpenVPN Connect and then select Connect from the menu.
Enter openvpn.sou.edu into the prompt and then click Connect.
On the next screen, enter your SOU credentials and then click Connect.
After you have provided your credentials, you will be required to complete your authentication with Duo. If you do not have a Duo device that you can access away from your office, contact your Computing Coordinator immediately or follow these instructions to self-enroll another Duo device, such as a cell phone or a home phone.
You may enter any of the following into the text field, then click Continue, to complete this step (don't include any quotation marks). If you have more than one phone enrolled in Duo, you can append '2' or '3' (or higher) to the push option, the sms option, and the phone option to refer to that device specifically. (Example: push2, phone2, sms2; push3, phone3, sms3) Because it is difficult to know which phone is identified by which number, we recommend that you start with no numbers, then append '2', then append '3' if '2' does not work, and so forth until you receive the push notification, the text message, or the phone call on whichever phone you have access to at the time.
- 'push' - Enter this to receive a push notification from Duo on your enrolled smart phone.
- 'sms' - Enter this to receive a text message from Duo on your enrolled smart phone or cell phone.
- 'phone' - Enter this to receive a phone call from Duo on your enrolled smart phone, cell phone, or desk phone.
- token code - If you have a Duo token or want to use a passcode stored in the Duo app on your smart phone, enter the code in the text field.
You will know that you have successfully connected when the OpenVPN Connect icon in your menu bar updates with a green check mark.
Step 2 - Connect your SOU Network Drives (P, S, and X)
After you have connected to the VPN service on your Macintosh, you can manually connect your SOU network drives as you normally would by following these instructions.
How to Disconnect from the VPN Service
When you are finished with your work, please disconnect from the VPN service to free up resources for other users.
Windows Instructions
You can disconnect by clicking on the OpenVPN Connect client icon in the notifications area, then select Disconnect openvpn.sou.edu from the menu. (Note: You do not need to Exit the client entirely, but you can if you want to. It will disconnect your session before it closes.)
You will receive a notification from Windows that you are now disconnected from the VPN service. The OpenVPN Connect icon will also change back to its disconnected state.
Macintosh Instructions
Click on the OpenVPN Connect icon in your menu bar, then click Disconnect openvpn.sou.edu from the menu.
The OpenVPN wizard is a convenient way to set up a remote access VPN for mobile clients. It configures all of the necessary prerequisites for an OpenVPN Remote Access Server:
- An authentication source (Local, RADIUS server, or LDAP server)
- A Certificate Authority
- A Server Certificate
- An OpenVPN server instance.
By the end of the wizard a fully functioning server will be configured and ready for users. An example setup will be used to aid in explaining the options available in the wizard.
Before Starting The Wizard
Before starting the wizard to configure the Remote Access Server, there are some details that must be planned.
Determine an IP addressing scheme
An IP subnet must be chosen for use by the OpenVPN clients themselves. This is the subnet filled in under Tunnel Network in the server configuration. Connected clients will receive an IP address within this subnet, and the server end of the connection also receives an IP address used by the client as its gateway for networks on the server side. The tunnel network must not overlap any subnet that clients will reach through the VPN, or routes to those hosts become ambiguous.
As always when choosing internal subnets for a single location, ideally the chosen subnet will be designed so that it can be CIDR summarized with other internal subnets. The example network depicted here uses 10.3.0.0/24 for LAN, and 10.3.201.0/24 for OpenVPN. These two networks can be summarized with 10.3.0.0/16, making routing easier to manage. CIDR summarization is discussed further in CIDR Summarization.
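Worked example, added here and not part of the pfSense documentation: the Python below computes the shortest prefix that covers a list of internal subnets (the summarization the paragraph describes), reports a tunnel network that overlaps a LAN, and picks a free /24 inside the summary block. It uses only the standard library; the function names and the 192.168.201.0/24 counter-example are the editor's choices, not pfSense's.

```python
"""CIDR summary and overlap checks for an OpenVPN tunnel network.

Added example, not pfSense code. Uses only the standard library.
"""
import ipaddress
from typing import Iterable, List


def summarize(subnets: Iterable[str]) -> ipaddress.IPv4Network:
    """Shortest single prefix that contains every subnet in `subnets`.

    Starting from the shortest input prefix, widen the first subnet's
    supernet one bit at a time until it contains all the others. Inputs
    that share no leading bits end at 0.0.0.0/0, which is the honest
    answer: such subnets cannot be summarized.
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    if not nets:
        raise ValueError("no subnets given")
    if len({n.version for n in nets}) != 1:
        raise ValueError("do not mix IPv4 and IPv6 subnets")
    prefix = min(n.prefixlen for n in nets)
    candidate = nets[0].supernet(new_prefix=prefix)
    while not all(n.subnet_of(candidate) for n in nets):
        prefix -= 1
        candidate = nets[0].supernet(new_prefix=prefix)
    return candidate


def conflicts(tunnel: str, internal: Iterable[str]) -> List[str]:
    """Internal subnets that overlap the proposed tunnel network.

    Any overlap leaves hosts in that subnet with two competing routes
    on every VPN client, so part of the LAN becomes unreachable.
    """
    t = ipaddress.ip_network(tunnel, strict=True)
    return [s for s in internal if ipaddress.ip_network(s).overlaps(t)]


def suggest_tunnel(internal: Iterable[str], summary_prefix: int = 16,
                   tunnel_prefix: int = 24) -> ipaddress.IPv4Network:
    """First free /tunnel_prefix inside the /summary_prefix block that
    summarizes the internal subnets, so the whole site stays one route."""
    nets = [ipaddress.ip_network(s, strict=True) for s in internal]
    block = summarize(internal)
    if block.prefixlen < summary_prefix:
        raise ValueError(f"internal subnets already span more than a /{summary_prefix}")
    block = block.supernet(new_prefix=summary_prefix)
    for cand in block.subnets(new_prefix=tunnel_prefix):
        if not any(cand.overlaps(n) for n in nets):
            return cand
    raise ValueError("no free tunnel network left inside the summary block")


if __name__ == "__main__":
    lan, vpn = "10.3.0.0/24", "10.3.201.0/24"                  # values from the example
    print("summary:", summarize([lan, vpn]))                     # 10.3.0.0/16
    print("conflicts:", conflicts(vpn, [lan]))                   # []
    print("bad choice:", summarize([lan, "192.168.201.0/24"]))   # 0.0.0.0/0
    print("suggested:", suggest_tunnel([lan, "10.3.1.0/24"]))    # 10.3.2.0/24
```

Run it before filling in Tunnel Network: an empty `conflicts()` result and a summary no wider than the site's block (here a /16) are the two properties the paragraph asks for.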
Example Network
Figure OpenVPN Example Remote Access Network shows the network configured in this example.
Choose Authentication Type
On the first screen of the OpenVPN Remote Access server wizard, choose a method for user authentication. The choices available for Authentication Backend Type are Local User Access, LDAP, and RADIUS.
If an existing authentication system is already in place, such as Active Directory, pick LDAP or RADIUS depending on how that system is configured. Local User Access may be selected to manage the users, passwords, and certificates on the pfSense® firewall. When using Local User Access, per-user certificates may be used easily, managed completely in the pfSense GUI. This is much more secure, because each client must present a valid certificate as well as a username and password, so a phished or reused password alone does not grant access. Depending on the number of users which will access the service, however, it may be less convenient than using a central authentication system.
Note
For LDAP or RADIUS, per-user certificates cannot be used without generating them manually.
The Local User Access choice is the equivalent of choosing Remote Access (SSL/TLS + User Auth) mentioned earlier in this chapter. LDAP and RADIUS are equivalent to Remote Access (User Auth).
After selecting the authentication server type, click Next. If LDAP or RADIUS were chosen the server configuration for those choices will be the next step. If Local User Access was chosen, the LDAP and RADIUS wizard steps are skipped. For this example, Local User Access will be chosen, but the other options are discussed for completeness.
Choosing an LDAP Server
If an LDAP server is already defined on the pfSense firewall it may be chosen from the list. To use a different LDAP server instead choose Add new LDAP server. If there are no LDAP servers defined, this step is skipped.
Adding an LDAP Server
If no LDAP servers exist or Add new LDAP server is chosen a screen will be presented with the options needed to add a new server. Many of these options will depend on the specific LDAP directory configuration and structure. If there is any uncertainty about the settings, consult the LDAP server administrator, software vendor, or documentation.
Note
The details of LDAP servers are covered in Authentication Servers. Some detail is omitted here since the options are discussed in-depth elsewhere. For more information on the options listed in this section, refer there instead.
- Name - Descriptive name for this LDAP server, for reference.
- Hostname or IP address - The hostname or IP address of the LDAP server.
- Port - The port on which the LDAP server may be contacted. The default port is 389 for standard TCP connections, and 636 for SSL.
- Transport - This can be set to TCP - Standard for unencrypted connections, or SSL - Encrypted for secure connections. A standard connection sends the bind password and every user's credentials in clear text, so it is only acceptable for initial testing against a server on the same trusted segment. If the server is remote or crosses any untrusted network link, use SSL. If SSL is to be used, the CA Certificate from the LDAP server must be imported into pfSense, and the Hostname or IP address above must match the value in the Common Name field of the server certificate, or certificate validation will fail and authentication will not work.
- Search scope - Selects how deep to search in the LDAP directory, One Level or Entire Subtree. Most commonly, Entire Subtree is the correct choice.
- Base DN - The Distinguished Name upon which the search will be based. For example DC=example,DC=com.
- Authentication containers - These values specify where in the directory users are found. For example, it may be CN=Users;DC=example.
- Bind user DN - The Distinguished Name for a user that can be used to bind to the LDAP server and perform authentication. If this is left blank, an anonymous bind will be performed, and the password setting below will be ignored.
- Bind password - The password to be used with the LDAP Bind User DN.
- User naming attribute - Varies depending on the LDAP directory software and structure. Typically cn for OpenLDAP and Novell eDirectory, and samAccountName for Microsoft Active Directory.
- Group naming attribute - Varies depending on the LDAP directory software and structure, but is most typically cn.
- Group member attribute - Varies depending on the LDAP directory software and structure. Typically member on OpenLDAP, memberOf on Microsoft Active Directory, and uniqueMember on Novell eDirectory.
Choosing a RADIUS Server
If there is an existing RADIUS server defined on the pfSense firewall, choose it from the list. To use a different RADIUS server, instead choose Add new RADIUS server. If no RADIUS servers are defined on pfSense, this step is skipped.
Adding a RADIUS Server
If no RADIUS servers exist, or Add new RADIUS server was selected, a screen is presented with the options needed to add a new server. If there is any uncertainty about the settings, consult the RADIUS server administrator, software vendor, or documentation.
Note
The details of RADIUS servers are covered in Authentication Servers. Some detail is omitted here since the options are discussed in-depth elsewhere. For more information on the options listed in this section, refer there instead.
- Name - Descriptive name for this RADIUS server, for reference.
- Hostname or IP address - The hostname or IP address of the RADIUS server.
- Authentication port - Port used by the RADIUS server for accepting Authentication requests, typically 1812.
- Shared Secret - The Shared Secret is the password configured on the RADIUS server for accepting authentication requests from the IP address of the pfSense firewall. RADIUS only obscures the user's password with this secret; the rest of the exchange is unencrypted, so keep the path between the firewall and the RADIUS server on a trusted network and choose a long, random secret.
Choosing a Certificate Authority
If there is an existing Certificate Authority defined on the pfSense firewall, it may be chosen from the list. To create a new Certificate Authority, choose Add new CA. If no Certificate Authorities are defined, this step is skipped.
Creating a Certificate Authority
This step presents all of the necessary fields to create a new certificate authority (CA). Every option on this page is required, and all fields must be filled out correctly to proceed. The CA is used to establish a trust base from which the server certificates can be generated and deemed “trustworthy” by clients. Because this CA is self-generated, it will only be trusted by clients who are also supplied with a copy of this CA certificate. The CA's private key signs every server and client certificate, so it must stay on the firewall: anyone who obtains it can issue certificates the VPN will accept.
See also
For more information on creating and managing CAs, see Certificate Authority Management.
- Descriptive name - A name for reference to identify this certificate. This is the same as the Common Name field for other Certificates. For this example CA, ExampleCoCA is used. Although using spaces in this field is allowed, we strongly discourage using spaces in a Common Name field because some clients have issues handling them properly.
- Key length - Size of the key which will be generated. The larger the key, the more security it offers but larger keys are generally slower to use. 2048 is a good choice.
- Lifetime - The time in days that this CA will be valid. On a self-generated CA such as this, it is commonly set to 3650, which is approximately 10 years.
- Country Code - Two-letter ISO country code (e.g. US, AU, CA). If the two-letter ISO country code is unknown, locate it on the ISO Online Browsing Platform site. Since the ExampleCo company is set in the United States, enter US for this example.
- State or Province - Full unabbreviated State or Province name (e.g. Texas, Indiana, California). ExampleCo is located in Texas for this example.
- City - City or other Locality name (e.g. Austin, Indianapolis, Toronto). ExampleCo’s headquarters is in Austin.
- Organization - Organization name, often the Company or Group name. ExampleCo goes here for this example. Do not use any special characters in this field, not even punctuation such as a period or comma.
- Email - E-mail address for the Certificate contact. Often the e-mail of the person generating the certificate, such as vpnadmin@example.com.
Click Add new CA to finish the CA creation process.
Choosing a Server Certificate
If there is an existing Certificate defined on the pfSense firewall, it may be chosen from the list. To create a new Certificate, choose Add new Certificate. If no Certificates are defined, this step is skipped.
Adding a Server Certificate
This screen creates a new server certificate which will be used to verify the identity of the server to the clients. The server certificate will be signed by the certificate authority chosen or created previously in the wizard. In most cases, as with this example, the same information from the previous step is used and it will be pre-filled on the form automatically. Clients should also be configured to check that the certificate they are offered is a server certificate (OpenVPN's remote-cert-tls server option), so that a leaked client certificate issued by the same CA cannot be used to impersonate the server.
- Descriptive name - This is the Common Name (CN) field for the server certificate and is also used to reference the certificate in pfSense. Using the hostname of the firewall is a common choice for a server certificate, such as vpn.example.com. Although using spaces in this field is allowed, we strongly discourage using spaces in a Common Name field because clients tend to have issues handling them properly.
- Key length - Size of the key which will be generated. The larger the key, the more security it offers but larger keys are generally slower to use. 2048 is a good choice.
- Lifetime - Lifetime in days. This is commonly set to 3650 (approximately 10 years).
- Country Code - Two-letter ISO country code (e.g. US, AU, CA).
- State or Province - Full State or Province name, not abbreviated (e.g. Texas, Indiana, Ontario).
- City - City or other Locality name (e.g. Austin, Indianapolis, Toronto).
- Organization - Organization name, often the Company or Group name. Do not use any special characters in this field, not even punctuation such as a period or comma.
- Email - E-mail address for the Certificate contact. Often the e-mail of the person generating the certificate (e.g. vpnadmin@example.com).
Click Create New Certificate to store the settings and continue to the next step of the wizard.
Configuring OpenVPN Server Settings
The options on this step of the wizard configure each aspect of how the OpenVPN server itself will behave as well as options which are passed on to clients. The options presented here are the same as those discussed previously in OpenVPN Configuration Options; refer to that section for details. Because the options are covered in detail in that section, only the settings for this example will be mentioned.
General OpenVPN Server Information
These options control how the OpenVPN instance operates.
- Interface - Since incoming connections will be from the WAN side, select WAN.
- Protocol - The default of UDP is acceptable.
- Local Port - This will be the first OpenVPN server instance so the default of 1194 is preferred. If there is an existing OpenVPN instance on that port, use a different port number. The wizard will suggest an unused port number.
- Description - As this will be for remote user access, ExampleCoMobileVPNClients is a fitting description.
Cryptographic Settings
These options control how traffic in the tunnel is encrypted and authenticated.
- TLS Authentication - TLS packet authentication is highly desirable, so check Enable authentication of TLS packets. With the shared TLS key in place, the server discards control-channel packets that do not carry a valid HMAC before they ever reach the TLS stack, which blunts port scans and protocol-level denial of service against the listener.
- Generate TLS Key - There is no existing TLS key, so check Automatically generate a shared TLS authentication key.
- TLS Shared Key - Since there is no existing TLS key, leave this blank.
- DH Parameters Length - Select 2048, as it is a good balance of speed and strength.
- Encryption Algorithm - This can be left at the default value of AES-128-CBC, but any other option would also work well as long as the clients are set to match. Where the clients run current OpenVPN releases, an AEAD cipher such as AES-256-GCM is the better choice: it authenticates the data channel itself rather than relying on the separate digest below.
- Auth Digest Algorithm - Leave at the default SHA1 (160-bit). Used as an HMAC key this is not weakened by the known SHA1 collision attacks, but SHA256 costs little more on modern hardware.
- Hardware Crypto Acceleration - The target device has no accelerator, so leave this set to No Hardware Crypto Acceleration.
Tunnel Settings
These options control how traffic coming from the remote clients will be routed.
- Tunnel Network - As in the diagram at the start of this example, the subnet 10.3.201.0/24 has been chosen for the VPN clients.
- Redirect Gateway - For ExampleCo’s setup, the VPN will only carry traffic which is destined for the subnets at the main office, so this box is left unchecked.
- Local Network - This is the main office subnet, which in this example is 10.3.0.0/24.
- Concurrent Connections - ExampleCo does not want to limit the number of clients which can connect at the same time, so this is left blank.
- Compression - To improve throughput of traffic on the VPN tunnel at the expense of some CPU power, this is set to Enabled with Adaptive Compression. Be aware that compressing a tunnel which carries attacker-influenced plaintext alongside secrets (a browser session, for example) enables the VORACLE class of compression-oracle attacks; the OpenVPN project now recommends leaving compression disabled, and the throughput gain on modern links is small.
- Type-of-Service - This box is unchecked, as there is no traffic on this VPN which requires prioritization/QoS.
- Inter-Client Communication - Because the clients on this VPN have no need to connect to other client machines, this box is unchecked.
- Duplicate Connections - Because unique certificates exist for every client, this is unchecked. Leaving it unchecked also means a second connection with a copied certificate displaces the first, which makes such copying noticeable.
Client Settings
These options control specific settings given to the clients when a connection is established.
- Dynamic IP - The clients will connect from all over the country and unknown mobile networks and their IP addresses are likely to change without notice, so this option is checked.
- Address Pool - The clients will be assigned addresses from the tunnel network above, so this is checked.
- Topology - The method used to assign IP addresses to clients. The default of Subnet is the best choice.
- DNS Default Domain - Enter the domain for ExampleCo here, example.com.
- DNS Servers - Any internal DNS server could be used here. ExampleCo has a Windows Active Directory Domain Controller which is configured to act as a DNS server, 10.3.0.5.
- NTP Servers - The server above, 10.3.0.5, is also used to synchronize client PC clocks.
- NetBIOS Options - Clients will need access to Windows shares behind the VPN, so check Enable NetBIOS over TCP/IP.
- Node Type - Because DNS is used primarily, select h-node.
- Scope ID - This will be left blank, since the NetBIOS scope is not limited.
- WINS Servers - WINS has been deprecated, so this is left blank.
- Advanced - At this time no additional tweaks are needed, so this is left blank.
Firewall Rule Configuration¶
As with other parts of the firewall, by default all traffic is blocked from connecting to VPNs or passing over VPN tunnels. This step of the wizard automatically adds firewall rules to allow traffic to connect to the VPN, and also so that connected clients can pass traffic over the VPN.
Traffic from clients to server¶
Check this box to add a firewall rule on the chosen interface for the tunnel (e.g. WAN) which lets clients connect. By default it allows clients from any source address to connect. To allow connections from a limited set of IP addresses or subnets, either make a custom rule or check this box and alter the rule it creates. Since in this example clients are connecting from all over the country, the rule created by this checkbox is ideal, so the box is checked.
Traffic from clients through VPN tunnel¶
This setting allows all traffic to cross the OpenVPN tunnel, which is desirable for this example, so this box is checked.
Finishing the Wizard¶
Click Finish and the wizard is complete; the tunnel is fully configured and ready for client connections. From here the next steps are to add users and configure client devices. If adjustments to the automatically generated firewall rules are required, make them now.
Verifying the Setup¶
Look at firewall rules (WAN and OpenVPN tabs)
The WAN tab rule should pass traffic from any source to the OpenVPN port on the WAN address.
The OpenVPN tab rule should allow anything from any source to any destination.
Adjustments¶
Some settings are not presented in the wizard but might be a better fit for some situations than the defaults chosen by the wizard.
Server Mode¶
The OpenVPN Server Mode allows choosing between requiring certificates, user authentication, or both. The wizard defaults to Remote Access (SSL/TLS + User Auth). The possible values for this choice and their advantages are:
Remote Access (SSL/TLS + User Auth)
Requires both certificates AND username/password.
Each user has a unique client configuration that includes their personal certificate and key.
Most secure, as there are multiple factors of authentication (the TLS key and certificate that the user has, and the username/password they know).
Remote Access (SSL/TLS)
Certificates only, no user authentication.
Each user has a unique client configuration that includes their personal certificate and key.
Useful if clients should not be prompted to enter a username and password.
Less secure, as it relies only on something the user has (TLS key and certificate).
Remote Access (User Auth)
User authentication only, no certificates.
Useful if the clients should not have individual certificates.
Commonly used for external authentication (RADIUS, LDAP).
All clients can use the same exported client configuration and/or software package.
Less secure, as it relies on a shared TLS key plus only something the user knows (username/password).
Certificate Revocation¶
Compromised certificates can be revoked by creating a Certificate Revocation List (CRL) in System > Cert Manager on the Certificate Revocation tab, adding the certificate to it, and then selecting that CRL in the OpenVPN server settings.
Adding a User with a Certificate¶
If the mode has been left at the wizard's default, or set to a mode that includes local user authentication, a user must be created in the user manager.
Navigate to System > User Manager
Click Add to add a user
Fill in Username
Fill in Password / Confirm password
Check Click to create a user certificate.
Fill in the Descriptive Name as the username
Choose the appropriate Certificate Authority
Click Save
OpenVPN Client Export Package¶
The OpenVPN Client Export Package allows exporting configurations formatted for a wide variety of platforms. It also allows exporting a pre-packaged Windows installer executable which includes the configuration bundled inside, for a painless client installation.
See OpenVPN Client Export Package for more.
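The Cryptographic Settings above note that the encryption algorithm only works if "the clients are set to match", and the exported client profile is where that match has to hold. The following is an added example, not pfSense's or OpenVPN's own code: a small checker that parses an OpenVPN server config and a client profile and reports where cipher, auth digest, tls-auth key direction and compression disagree, and lists the DHCP options (DNS, NTP, domain, NetBIOS node type) the server pushes. Both configs are constructed to mirror the wizard choices in this article; the hostname vpn.example.com, the file names ta.key and dh2048.pem and the key bytes are placeholders.

```python
# Added example (not pfSense's or OpenVPN's code): compare a client profile with the server it must mirror.
import shlex

# Constructed server config reflecting the wizard choices above (file names are placeholders).
SERVER_CONF = """
proto udp4
port 1194
topology subnet
server 10.3.201.0 255.255.255.0
push "route 10.3.0.0 255.255.255.0"
cipher AES-128-CBC
auth SHA1
tls-auth ta.key 0
dh dh2048.pem
comp-lzo adaptive
push "dhcp-option DOMAIN example.com"
push "dhcp-option DNS 10.3.0.5"
push "dhcp-option NTP 10.3.0.5"
push "dhcp-option NBT 8"
"""

# Constructed client profile like one from the Client Export package (host and key are placeholders).
CLIENT_CONF = """
client
remote vpn.example.com 1194 udp4
cipher AES-128-CBC
auth SHA1
comp-lzo adaptive
auth-user-pass
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-auth>
"""

def parse_config(text):
    """Parse OpenVPN config text into {directive: [argument lists]}; inline <tag> blocks keep their body as one argument."""
    directives, block_tag, block_lines = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block_tag:  # inside an inline <tag> ... </tag> block
            if line == f"</{block_tag}>":
                directives.setdefault(block_tag, []).append(["\n".join(block_lines)])
                block_tag, block_lines = None, []
            else:
                block_lines.append(line)
        elif not line or line[0] in "#;":
            continue  # blank line or comment
        elif line.startswith("<") and line.endswith(">"):
            block_tag = line[1:-1]
        else:  # ordinary "directive arg ..." line; repeated directives accumulate
            parts = shlex.split(line, comments=True)
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def value(directives, name, default=None):
    """Arguments of the first occurrence of a directive, joined as one string."""
    return " ".join(directives[name][0]) if name in directives else default

def tls_auth_direction(directives):
    """Key direction of tls-auth (0 on the server, 1 on clients) or None if unset."""
    if "tls-auth" not in directives:
        return None
    if "key-direction" in directives:  # used with an inline key block
        return int(directives["key-direction"][0][0])
    args = directives["tls-auth"][0]  # "tls-auth file [direction]"
    return int(args[1]) if len(args) == 2 and args[1] in ("0", "1") else None

def pushed_dhcp_options(server):
    """Collect pushed DHCP options, e.g. {'DNS': ['10.3.0.5'], 'NBT': ['8']}."""
    options = {}
    for args in server.get("push", []):
        words = " ".join(args).split()
        if len(words) >= 3 and words[0] == "dhcp-option":
            options.setdefault(words[1], []).append(" ".join(words[2:]))
    return options

def check_client_against_server(server, client):
    """Return a list of mismatches; an empty list means the profile lines up."""
    problems = []
    for name in ("cipher", "auth"):  # must be identical on both ends
        if value(server, name) != value(client, name):
            problems.append(f"{name}: server {value(server, name)} vs client {value(client, name)}")
    sd, cd = tls_auth_direction(server), tls_auth_direction(client)
    if ("tls-auth" in server) != ("tls-auth" in client):
        problems.append("tls-auth: configured on only one side")
    elif (sd is None) != (cd is None) or (sd is not None and cd != 1 - sd):
        problems.append(f"tls-auth direction: server {sd} vs client {cd}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):  # both or neither
        problems.append("comp-lzo: enabled on only one side")
    return problems

if __name__ == "__main__":
    server = parse_config(SERVER_CONF)
    print("pushed to clients:", pushed_dhcp_options(server))
    print("mismatches:", check_client_against_server(server, parse_config(CLIENT_CONF)) or "none")
```

The server side carries the tls-auth key with direction 0 and the exported profile carries it inline with key-direction 1; a profile that drops the key-direction line, or one that was edited to a different cipher, shows up as a mismatch rather than as a connection failure the user has to debug on the phone. The same functions can be pointed at a real exported .ovpn file and the server config by reading them from disk instead of the constructed strings.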