OpenVPN FAQ
Table of Contents
- How can I restrict access to certain OpenVPN users?
- What operating systems are supported?
- Is there a way to set up a password for OpenVPN users?
- Can I still use OpenVPN if my NG Firewall is in bridge mode?
- OpenVPN connects, but I can't access anything. Why is this?
- Clients are getting disconnected after 60 seconds. Why?
- Can I create site-to-site tunnels with non-Edge Threat Management devices?
- My site-to-site tunnel is set up correctly, but it isn't working properly. Why?
- How can I get DNS resolution working over my site-to-site tunnel?
- How can I allow software clients to resolve DNS over the tunnel?
1. How can I restrict access to certain OpenVPN users?
Any networks you export in OpenVPN will be available to everyone; if you'd like to allow or deny access to specific resources for specific users you can use Firewall rules.
2. What operating systems are supported?
OpenVPN supports most operating systems.
- Microsoft Windows: refer to this KB article for instructions on importing your client config file into the OpenVPN Client Config app in Windows: https://support.untangle.com/hc/en-us/articles/206259537
- macOS: instructions for installing OpenVPN's mobile client for macOS are in a separate article.
- Linux and all other operating systems: NG Firewall offers a .zip with configuration and certificate files; these can be used with any OpenVPN-compatible VPN software on any operating system.
3. Is there a way to set up a password for OpenVPN users?
Yes, this can be configured on the server side and integrated with either Local Directory or RADIUS. Once enabled, the clients will need to be redeployed to leverage the extra authentication.
4. Can I still use OpenVPN if my NG Firewall is in bridge mode?
Yes! Please refer to this article for details: OpenVPN on NG Firewall in Bridge Mode
5. OpenVPN connects, but I can't access anything. Why is this?
Many things could cause this issue. First, verify that the hosts you are trying to reach are exported in Exported Networks. After connecting OpenVPN, try to ping NG Firewall's LAN IP address (if exported), then try to bring up the UI by entering the IP in a browser. If these work, your tunnel is up and operational.
If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine, as it will block access from non-local subnets by default. If the target machine runs another OS, verify it is either using NG Firewall as a gateway or that the machine it's using as a gateway has a static route sending the VPN Address Pool to the NG Firewall.
6. Clients are getting disconnected after 60 seconds. Why?
Did you share the same client config between multiple machines? If both are connected at the same time they will conflict: when the second one connects, the first is disconnected; after 60 seconds the first reconnects and disconnects the second, and this repeats endlessly. Do not share the same client config with multiple machines.
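As an added example (not part of the original FAQ), a small Python script that scans OpenVPN server log lines for the symptom just described: the same client certificate replacing its own session from two different source addresses in quick succession, which lets an administrator spot a shared client config from the server side. The log lines are constructed samples; their message text is modelled on the warning the OpenVPN server logs when a new connection with an already-active certificate drops the previous session.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not taken from a real NG Firewall). The message
# text is modelled on the warning OpenVPN's server logs when a new connection
# with an already-active certificate replaces the previous session.
SAMPLE_LOG = """\
Mon Mar 11 09:00:00 2024 alice/203.0.113.10:49152 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
Mon Mar 11 09:01:00 2024 alice/198.51.100.7:51000 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
Mon Mar 11 09:02:00 2024 alice/203.0.113.10:49153 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
Mon Mar 11 09:03:00 2024 alice/198.51.100.7:51001 MULTI: new connection by client 'alice' will cause previous active sessions by this client to be dropped.
Mon Mar 11 09:05:00 2024 bob/192.0.2.20:40000 MULTI: new connection by client 'bob' will cause previous active sessions by this client to be dropped.
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
# The "cn/" part of the prefix is optional so lines logged before the common
# name is attached to the connection still match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:[^/ ]+/)?(?P<ip>[\d.]+):\d+ MULTI: new connection by client "
    r"'(?P<cn>[^']+)' will cause previous active sessions"
)


def find_shared_configs(log_text, window_seconds=120, min_events=3):
    """Map each common name to the distinct source IPs it flapped between.

    Reported only when >= min_events session-replacement warnings fall inside
    window_seconds AND come from more than one address: one roaming laptop
    reconnects once, two machines sharing a config knock each other off in a loop.
    """
    events = defaultdict(list)  # cn -> [(timestamp, source ip), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["cn"]].append((datetime.strptime(m["ts"], TS_FMT), m["ip"]))

    suspects = {}
    for cn, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Extend the window from hit i as far as the time limit allows.
            j = i
            while j + 1 < len(hits) and (hits[j + 1][0] - start).total_seconds() <= window_seconds:
                j += 1
            ips = {ip for _, ip in hits[i:j + 1]}
            if j - i + 1 >= min_events and len(ips) > 1:
                suspects[cn] = sorted(ips)
                break
    return suspects
```

On the sample above only `alice` is reported; `bob` triggered the warning once, which is what a single machine reconnecting looks like.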
7. Can I create site-to-site tunnels with non-Edge Threat Management devices?
When using OpenVPN for site-to-site tunnels, Edge Threat Management only supports using other Edge Threat Management devices as endpoints. If you need to connect a VPN tunnel to a non-Edge Threat Management device, we recommend using IPsec VPN.
8. My site-to-site tunnel is set up correctly, but it isn't working properly. Why?
If one site has a WAN IP of 1.2.3.4 and the other has a WAN IP of 1.2.3.5, the site-to-site VPN tunnel may not work, because the two IPs are in the same subnet and share the same gateway. For the site-to-site VPN to work, each location's WAN IP must be in a different subnet, with a different gateway, from the other location's. You might need to ask your ISP to move one of your sites' IPs to a different subnet.
9. How can I get DNS resolution working over my site-to-site tunnel?
You'll need to go to Config > Network > DNS Server > Domain DNS Servers and add the IP of the DNS server on the far side of the tunnel, enter the domain in the Domain List column, and use the FQDN when accessing resources. Please note that you'll need to do this on both sides of the tunnel for it to work from either side.
10. How can I allow software clients to resolve DNS over the tunnel?
To allow DNS resolution for software clients you'll need to modify some OpenVPN settings. If NG Firewall is doing DNS resolution on your network, simply check Push DNS at OpenVPN Settings > Server > Groups for any Groups you want DNS resolution exported for. If NG Firewall is not resolving DNS on your network, check Push DNS, set Push DNS Server to "Custom", then enter the IP address of the DNS server(s) under DNS Custom 1 / 2. You may need to use the FQDN when accessing resources across the tunnel.