This how-to illustrates the steps needed to configure a Roadwarrior SSL VPN (OpenVPN) tunnel between a remote user's computer and a Panda GateDefender eSeries device.
The example below creates a remote user (roadwarrior) connection that allows any external remote computer to communicate with the internal site's Green network.
The remote user can then act as though they were directly connected to the Green network and access the same internal resources.
Enable the VPN Server
To enable the OpenVPN server, in the Dashboard go to VPN > OpenVPN Server and click the Enable OpenVPN server switch. The switch turns green once the server is enabled.
Then from the Certificate configuration drop-down menu under OpenVPN settings, choose Download certificate to save the certificate on your local workstation, which will then be needed for the client's configuration.
Create VPN Account
To create a VPN user go to VPN > Authentication and click on Add a new local user. The only options you must configure for the new VPN account are the Username and Password.
Once you have completed the necessary fields, click on Save to proceed.
Now, depending on the scenario you want to deploy, either go to the next section to set up a Roadwarrior connection or follow this how-to to set up a Net2Net connection.
Connect the OpenVPN server from your computer
If you do not have the GateDefender ConnectApp installed, go to https://managedperimeter.pandasecurity.com/downloads_panda.php.
Once logged in, click on the Downloads menu item, where you should see the available GateDefender ConnectApp installer files, and click the file for your operating system (Windows or Mac OS X). Once the download is complete, follow your operating system's normal procedure to run the GateDefender ConnectApp installer.
VPN Client Configuration
Launch the ConnectApp and create a new connection profile. A window appears on which to configure the connection.
To complete the form that appears when creating a new profile, follow the list below:
- Profile name: choose a name for your profile.
- Server type: select OpenVPN from the drop-down menu.
- Configuration mode: select Manual from the drop-down menu.
- Server address: enter your server address (the GateDefender public IP address).
- Authentication type: select the Username/Password option from the drop-down menu.
- Certificate file: browse to the CA certificate you downloaded in the third step (this assumes you saved it as cacert.pem).
- Insert the username and password created in the Create VPN Account section.
OpenVPN is one of the open-source VPN solutions offered on the GateDefender UTM Appliances. Its main characteristics are security, scalability, support for many operating systems, speed, and easy integration with different authentication systems.
To connect Linux workstations to an OpenVPN server you need the Network Manager VPN plugin for OpenVPN, freely available in the distributions' repositories.
Software installation
If you already have the package installed, skip this step and go to "Connection Configuration" below; otherwise follow these steps to install and configure the Network Manager plugin from the CLI:
To install it, run as root on Ubuntu/Debian:
apt-get install network-manager-openvpn
On Fedora/Red Hat (the package name is case-sensitive):
yum install NetworkManager-openvpn
Troubleshooting for Fedora 17 and/or SELinux users
Fedora 17 users, and in general anyone using the SELinux framework, should pay attention to the following point: OpenVPN may not be allowed to access the .pem files that are mandatory for the connection to a GateDefender UTM Appliance.
To work around this problem, grant OpenVPN access to the .pem files, which certificate-based OpenVPN connections require. This can be achieved by issuing the following commands as root:
grep openvpn /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
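The two commands above turn every audit-log line that mentions openvpn into allow rules, which can grant more than the certificate read the how-to is after. The following shell script is an added example, not part of the Panda how-to: it narrows the input to the AVC denials that the openvpn process actually raised against .pem files, and lists what a defender should review before generating and loading a module with audit2allow. The audit-log lines it works on are constructed samples in audit.log format (pids, inodes and timestamps are made up); the module name mypol and the file name cacert.pem come from the how-to, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the Panda how-to): triage SELinux AVC denials for
# OpenVPN before building a policy module with audit2allow.
# SAMPLE_AUDIT holds CONSTRUCTED audit.log lines, not real captures.
SAMPLE_AUDIT='type=AVC msg=audit(1340000000.123:456): avc:  denied  { read } for  pid=1234 comm="openvpn" name="cacert.pem" dev="dm-0" ino=789 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1340000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="openvpn" exe="/usr/sbin/openvpn"
type=AVC msg=audit(1340000000.456:457): avc:  denied  { open } for  pid=1234 comm="openvpn" name="cacert.pem" dev="dm-0" ino=789 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1340000001.000:458): avc:  denied  { write } for  pid=2222 comm="sshd" name="authorized_keys" dev="dm-0" ino=790 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Keep only AVC denials raised by the openvpn process against .pem files.
# A plain `grep openvpn` also matches SYSCALL records and any unrelated line
# that mentions openvpn; feeding those to audit2allow widens the policy.
openvpn_pem_denials() {
    printf '%s\n' "$1" | grep 'type=AVC' | grep 'comm="openvpn"' | grep '\.pem"'
}

# Number of matching denials (0 means there is nothing to allow).
count_openvpn_pem_denials() {
    openvpn_pem_denials "$1" | wc -l | tr -d ' '
}

# Unique file names in those denials, so you see exactly which certificate
# files the generated module would cover.
denied_pem_files() {
    openvpn_pem_denials "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# Permissions requested in those denials (e.g. open,read), comma separated.
denied_pem_perms() {
    openvpn_pem_denials "$1" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p' \
        | tr -d ' ' | sort -u | paste -sd, -
}

# Workflow on a real Fedora host, as root (commented out so this runs offline):
#   openvpn_pem_denials "$(cat /var/log/audit/audit.log)"      # 1. look first
#   openvpn_pem_denials "$(cat /var/log/audit/audit.log)" \
#       | audit2allow -M mypol                                   # 2. build module
#   cat mypol.te                                                 # 3. read the rules
#   semodule -i mypol.pp                                         # 4. then load it
echo "denials against .pem files in sample: $(count_openvpn_pem_denials "$SAMPLE_AUDIT")"
```

The generated mypol.te should contain only `allow openvpn_t ...` rules for the file contexts named in the denials you reviewed; if it lists other domains or types, the input was too broad.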
Connection Configuration
Go to the Network Manager icon in the tray and right-click on it. Next, go to VPN Connections > Configure VPN.
A window appears allowing you to set up the connection by supplying all the necessary parameters. Click on OpenVPN.
Now, follow these steps in the VPN tab:
Click on Add > OpenVPN > Create.
- Enter the OpenVPN server IP address.
- Fill in the Username and Password fields.
- Choose the CA certificate you received for this connection.
Click on Advanced. In the new window carry out the next two steps.
Tick the options Use LZO data compression and Use a TAP device, then click OK. (Tick Use a TAP device only if the OpenVPN server is configured to use a TAP device; otherwise leave it unticked so that a TUN device is used.)
Go to IPv4 > Routes and tick Use this connection only for resources on its network.
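For Linux clients that use the openvpn command-line tool rather than ConnectApp or the Network Manager plugin, the GUI settings described in both client sections above (server address, Username/Password authentication, the downloaded CA certificate, LZO compression, TUN or TAP device, and the "only for resources on its network" routes option) map onto a plain OpenVPN client profile. The script below is an added example, not code from Panda or the GateDefender product. It assumes the appliance listens on UDP port 1194 (the OpenVPN default; the how-to does not state the port), that the appliance's server certificate carries the server extended key usage that `remote-cert-tls server` checks, and that the client runs OpenVPN 2.4 or later for `pull-filter`; the function names, the file paths and the 203.0.113.10 address are placeholders.

```shell
#!/bin/sh
# Added example (not from the Panda how-to): build a stock OpenVPN client
# profile equivalent to the GUI settings in the how-to.
# ASSUMPTIONS: UDP/1194 (OpenVPN default; the how-to gives no port), a server
# certificate with the server EKU (needed by remote-cert-tls), and OpenVPN 2.4+
# on the client for pull-filter.

# The CA file must be a PEM certificate. A mis-saved download (an HTML login
# page, for instance) is a common reason the TLS handshake fails.
is_pem_certificate() {
    [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# write_client_config OUTFILE SERVER DEVICE CAFILE
# DEVICE is tun or tap and must match the server side, exactly like the
# "Use a TAP device" tick box in Network Manager.
write_client_config() {
    out=$1; server=$2; dev=$3; ca=$4
    case "$dev" in
        tun|tap) ;;
        *) echo "device must be tun or tap, got '$dev'" >&2; return 1 ;;
    esac
    is_pem_certificate "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    (
        umask 077   # the profile is private to the user
        cat > "$out" <<EOF
client
dev $dev
proto udp
remote $server 1194
ca "$ca"
auth-user-pass
comp-lzo
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3
EOF
    )
}

# Equivalent of "Use this connection only for resources on its network":
# refuse a server-pushed default route, so only the routes to the Green
# network pushed by the server go through the tunnel.
restrict_to_vpn_network() {
    printf 'pull-filter ignore "redirect-gateway"\n' >> "$1"
}

# Count "remote" lines; a sane roadwarrior profile has exactly one.
remote_count() {
    grep -c '^remote ' "$1"
}

# Usage on a real machine (placeholder address and paths):
#   write_client_config ~/gatedefender.ovpn 203.0.113.10 tun ~/cacert.pem
#   restrict_to_vpn_network ~/gatedefender.ovpn
#   sudo openvpn --config ~/gatedefender.ovpn   # prompts for username/password
```

`auth-user-pass` without a file argument prompts for the VPN account created earlier instead of storing the password on disk; `remote-cert-tls server` makes the client reject any peer whose certificate was not issued as a server certificate under the downloaded CA, which is the check the GUI clients rely on the CA file for.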