This topic is ONLY relevant to security gateways. It is NOT relevant to managed switches.
The OpenVPN Settings page (Fig. 1) allows you to enable and configure OpenVPN service for registered VPN users.
You can manage VPN users on the Manage Access page.
Use the OpenVPN Configuration form (Fig. 1) to customize OpenVPN to suit your needs.
By default, OpenVPN Service is set to “Off,” i.e. disabled. To enable it, click the “On” radio button. The other settings fields will then be shown.
To disable OpenVPN Service, click the “Off” radio button. The other settings fields will then be hidden.
By default, Multi-Factor Method is set to “Password and Certificate.” The other option is “Password and Multi-Factor Code and Certificate.”
When set to require a Multi-Factor Code, VPN users must append the current six-digit access code to the end of their password every time they log in to their OpenVPN account. This is in addition to the client certificate and password that are always required.
All access using OpenVPN uses multiple authentication factors. At a minimum, both a client certificate (“something you have”) and password (“something you know”) are used. You can also require users to enter a rolling Multi-Factor Code (another “something you have”) at the end of their password for added security. For example, if a user’s password is “secret” and the Multi-Factor Code is currently “123456,” the user would enter “secret123456” as the password when prompted by the OpenVPN client.
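The password-plus-code login described above, as an added example that is not part of this documentation or the gateway's own software: a minimal verifier that splits the combined string, checks the password part, and validates the trailing six digits as an RFC 6238 TOTP (an assumption; the page does not say how the Multi-Factor Code is generated). The certificate factor is checked by the TLS handshake and is not shown here.

```python
import hmac
import hashlib
import struct

CODE_DIGITS = 6   # six-digit Multi-Factor Code, as in the text
TOTP_STEP = 30    # assumed time step in seconds (not stated on the page)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP, digits: int = CODE_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_password_and_code(entered: str):
    """Split 'secret123456' into ('secret', '123456'); None if no code is present."""
    if len(entered) <= CODE_DIGITS or not entered[-CODE_DIGITS:].isdigit():
        return None
    # The last six characters are always taken as the code; a password that
    # itself ends in six digits is ambiguous under this scheme.
    return entered[:-CODE_DIGITS], entered[-CODE_DIGITS:]


def verify_login(entered: str, expected_password: str, totp_secret: bytes,
                 now: int, require_code: bool) -> bool:
    """Verify the password field for either Multi-Factor Method setting.

    expected_password is a constructed plaintext for illustration only; a real
    gateway compares against a stored password hash.
    """
    if not require_code:  # "Password and Certificate"
        return hmac.compare_digest(entered, expected_password)
    parts = split_password_and_code(entered)  # "Password and Multi-Factor Code and Certificate"
    if parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(password, expected_password)
    # Accept one time step of clock drift on either side of the server's clock.
    code_ok = any(hmac.compare_digest(code, totp(totp_secret, now + d * TOTP_STEP))
                  for d in (-1, 0, 1))
    return pw_ok and code_ok
```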
Enter a network IP address and subnet using CIDR notation.
When OpenVPN Service is first enabled, Network Subnet is set to a default value automatically. You can manually reset it to the default value by clicking the “Use Default” link.
DNS 1 & DNS 2 (Optional)
If desired, enter up to two DNS servers that VPN clients will use to resolve domain names to IP addresses in your network.
If desired, enter the IP address of a WINS server, a Microsoft service that translates NetBIOS hostnames into IP addresses.
DNS Domain (Optional)
If desired, enter a DNS domain, which is a suffix appended to hostnames to create fully qualified domain names.
Client Certificate Lifetime
Choose the maximum duration that MFA client certificates remain valid for OpenVPN access. Options range from “1 month” to “5 years.” The default option is “3 years.”
Each OpenVPN user is issued with a client certificate as part of their downloaded client configuration. This certificate has a specified lifetime after which the user must download a new client configuration to be able to access the VPN. A user cannot connect using OpenVPN without both a valid certificate and a current username/password combination.
Allow Use as Default Route
By default, this is disabled. If you want to enable it, click the checkbox. This will allow OpenVPN to be used as a default route. VPN users will need to configure their client to use OpenVPN as their default route for this to work.
Allow OpenVPN Users To Access Each Other
By default, this is disabled. If you want to enable it, click the checkbox. This will allow OpenVPN users to access each other’s devices.
Click the “Save OpenVPN Settings” button to save any changes made in this form.