Table of Contents
Click an item to jump directly to that question.
1. How can I restrict access to certain OpenVPN users?
Any networks you export in OpenVPN will be available to everyone; if you'd like to allow or deny access to specific resources for specific users you can use Firewall rules.
2. What operating systems are supported?
OpenVPN supports most operating systems.
Refer to this KB article for instructions on importing your client config file into the OpenVPN Client Config app in Windows: https://support.untangle.com/hc/en-us/articles/206259537
For all other operating systems NG Firewall offers a .zip with configuration and certificate files - these can be used with any OpenVPN-compatible VPN software on any operating system.
3. Is there a way to set up a password for OpenVPN users?
Yes, this can be configured on the server side and integrated with either Local Directory or Radius. Once enabled the clients will need to be redeployed to leverage the extra authentication.
4. Can I still use OpenVPN if my NG Firewall is in bridge mode?
Yes! Please refer to this article for details: OpenVPN on NG Firewall in Bridge Mode
5. OpenVPN connects, but I can't access anything. Why is this?
Many things could cause this issue. First, verify that the hosts you are trying to reach are exported in Exported Networks. After connecting OpenVPN, try to ping NG Firewall's LAN IP address (if exported), then try to bring up the UI by entering the IP in a browser. If these work your tunnel is up and operational.
If you can't reach a Windows machine, verify Windows Firewall is disabled on the target machine as it will block access from non-local subnets by default. If the target machine runs another OS, verify it is either using NG Firewall as a gateway or the machine its using as a gateway has a static route sending the VPN Address Pool to the NG Firewall.
6. Clients are getting disconnected after 60 seconds. Why?
Did you share the same client config between multiple machines? If both are running they will conflict. When the second one connects the first is disconnected. After 60 seconds the first will reconnect and disconnect the second. This repeats endlessly. Do not share the same client config with multiple machines.
7. Can I create site-to-site tunnels with non-Edge Threat Management devices?
When using OpenVPN for site-to-site tunnels, Edge Threat Management only supports using other Edge Threat Management devices as endpoints. If you need to connect a VPN tunnel to a non-Edge Threat Management device, we recommend using IPsec VPN.
8. My site-to-site tunnel is set up correctly, but it isn't working properly. Why?
If you have a site with a WAN IP of 22.214.171.124 and another site with a WAN IP of 126.96.36.199, the site-to-site VPN tunnel may not work if the IPs are in the same subnet or share the same gateway. In order for the site to site VPN to work, each location needs to be completely different from the other location. You might need to ask your ISP to change one of your sites IPs to a different subnet.
9. How can I get DNS resolution working over my site-to-site tunnel?
You'll need to go to Config > Network > DNS Server > Domain DNS Servers and add the IP of the DNS server on the far side of the tunnel, enter the domain in the Domain List column, and use the FQDN when accessing resources. Please note that you'll need to do this on both sides of the tunnel for it to work from either side.
10. How can I allow software clients to resolve DNS over the tunnel?
To allow DNS resolution for software clients you'll need to modify some OpenVPN settings - if NG Firewall is doing DNS resolution on your network, simply check Push DNS at OpenVPN Settings > Server > Groups for any Groups you want DNS resolution exported for. If NG Firewall is not resolving DNS on your network, you'll need to check Push DNS, set Push DNS Server to "Custom", then enter the IP address of the DNS Server(s) under DNS Custom 1 / 2. You may need to use the FQDN when accessing resources across the tunnel.