Configure and deploy OpenVPN Clients for remote users

This article will describe how to enable OpenVPN access for remote users.


Configure OpenVPN in NGFW

The first step is to enable the OpenVPN server on your NG Firewall by navigating to Apps > OpenVPN > the Server tabOn this page, place a check next to "Server Enabled".



The Server tab includes all the configuration for OpenVPN's server functionality.

  • Site Name is the name of this OpenVPN site. A random name is chosen so that it is unique. A new name can be given, but it should be unique across all Untangle sites in the organization. For example, if the company name is "MyCompany" then "mycompany" is a bad site name if you have multiple Untangles deployed as it might be used elsewhere. The Site Name must be unique.

  • Address Space defines an IP network/space for the VPN to use internally. The Address Space must be unique and separate from all existing networks and other address spaces on other OpenVPNs. A default will be chosen that does not conflict with the existing configuration.

  • NAT OpenVPN Traffic will NAT all traffic from remote networks to local networks to a local address. This helps solve routing and host-based firewall issues. The default and recommended value is enabled.

  • Site URL shows the URL that remote clients will use to connect to this server. This is just for reference. Verify that this address will resolve and be publicly reachable from remote networks. This URL can be configured in Config > Network > Hostname. You may need to change this if, for instance, you have a private IP address such as on the External (WAN) network interface rather than a public IP.


Next we can add the individual clients. Each remote user will need their own client configured. 

  1. Click Add on the "Remote Clients" sub-tab.

  2. Enter a unique Client Name that will help identify the client.

    • Group will in most cases be "Default Group" (see this Wiki article for more information)

    • Type will be "Individual Client"

  3. Click Done.

  4. Repeat steps 1-3 for additional clients.

  5. Click Save in the lower-right corner to save changes.


Deploying the OpenVPN Client

With clients configured, the next step is deploying the installation files to users.

  1. Go to OpenVPN, then browse to the Server tabClick the Download Client button for a user. This will generate the client installation files.

  2. Select the appropriate installation file for the user's operating system.

  3. Distribute OpenVPN configuration file to user through your preferred method (Ex: email, USB drive, Google Drive, Dropbox, shared folder on network, etc.)

    The following steps are for Microsoft Windows only. For OSX/Linux/Android/etc. installation, please see our OpenVPN Wiki page.

  4. Run the client installation file. The OpenVPN client that Untangle distributes is compatible with all versions of Windows. However, if you're using Windows Vista or Windows 7 you'll need to both install and run the application as an Administrator (simply right-click and choose Run as Administrator). Running as an administrator is necessary to allow the application to write routes for the VPN and must be done every time the application is started on Windows Vista or 7.

    Follow the Installation Wizard:

    After installation is complete you will need to run OpenVPN (as administrator) in order to complete the connection process.

  5. Start OpenVPN

  6. Locate OpenVPN in system tray. Right-click, then click "Connect".

  7. The system tray icon will turn green and display a message that OpenVPN is now connected. The IP Address assigned by the OpenVPN server will be displayed.

    To disconnect, right-click the OpenVPN system tray icon and select "Disconnect".

Was this article helpful?
2 out of 4 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

  • Avatar
    Spencer Kearton

    Can I use a dynamic DNS service like no-ip to access my untangle that's currently in transparent bridge?

  • Avatar
    Daniel Marrero

    You have to change the Public Address setting in Configuration->Administration. Select the option "Use Manually Specified Address" and enter the DNS name there.

  • Avatar
    Brandon Bryant

    Is it possible to deploy this via Group Policy? The /s silent install switch does not work with the packaged client that I downloaded.

  • Avatar

    Each user connecting should have their own unique client. If you download each client from the NGFW, then you may be able to push them all out via group policy, but I have never heard of this.

Powered by Zendesk