Configuration: Advanced VPN
About the Page
Configuration: Advanced VPN provides you with more settings to configure the way the Access Server handles routing. Consider it an extension of Configuration: VPN Settings. The page itself is divided into three sections: Toggle Settings, Windows Settings, and Typed Input Settings. Notice that this division has no influence of how the setting affects the Access Sever; it is strictly a division in the context of this reference manual.
Advanced VPN page:
The first settings are all toggle settings that allow you to configure the Access Server to perform certain Client-related functions.
Advanced VPN Settings top sections:
This setting determines if users can connect with each other.
- Should clients be able to communicate with each other on the VPN IP Network? If allowed, packets can be exchanged between individual VPN clients on the VPN virtual subnet.
- Allow VPN users with Administrator privilege to access all VPN client IP addresses: This gives the administrator privileges to access all client VPN IP addresses. Admin users are configured on the user Permissions page.
Multiple Sessions per User
Default Compression Settings (discouraged)
Access Server uses LZO compression to maximize speeds, however everything in networking increases overhead. If your server does not have the processing resources to enable compression it can be turned off here. For more information about why we discourage this, please see the OpenVPN Security Advisories about the VORACLE attack vulnerability.
TLS Control Channel Security
OpenVPN protocol uses two communication channels during the VPN session. One is the control channel where key negotiation, authentication, and configuration takes place. The other is the data channel where the encryption packets are. The control channel can be secured further by signing and verifying the packets with a shared key. This is called TLS Auth. With TLS Crypt for OpenVPN, we add another layer of encryption to the control channel, on top of signing and verifying with a shared key as TLS Auth does. This extra layer of encryption applies even to the key-exchange before the TLS session is started.
You can choose from these values:
- none: no additional signing and verification is done on packets
- tls-auth: use shared secret key to sign and verify packets
- tls-crypt: same as tls-auth but additionally also encrypts TLS control channel (default)
- tls-cryptv2: same as above but uses a per-client key instead of a shared secret key
OpenVPN Access Server 2.9.0 and higher support all the above options, and tls-crypt is the default. For details about advanced management of TLS Control Channel Security with the command line, refer to Additional Security Command Line Options.
Microsoft Windows Settings
In the middle of the page are Windows-specific settings. These can be used to enable/disable NetBios for connected clients. These settings do no affect clients installed on other operating systems. You should enable this setting in order to allow most Windows clients accessibility to your server.
What is NetBIOS?
Network Basic Input/Output System, NetBIOS for short, is an API providing services for legacy applications to communicate with other computers within a local area network (LAN). A typical use case for NetBIOS is that a user running a page-formatting application might want to be able to print remotely to a printer within its LAN. In the case of Windows, many of its older operating systems uses Windows Internet Name Service (WINS) as a legacy name registration and resolution service. WINS maps NetBIOS names to IP address, hence why these settings may be important for Windows clients.
Don't alter Windows networking settings on clients
This is the default setting for windows clients. Windows clients that use NetBIOS over TCP/IP will continue to do so. The settings that are configured on the client will be used when connecting to the VPN.
Disable NetBIOS over TCP/IP on clients
Disabling this protocol prevents the Windows clients from using NetBIOS over TCP/IP which can cause some issues when communicating with the client. It should be noted that disabling this may prevent Windows clients from connecting to your VPN host server.
Enabling NetBIOS over TCP/IP and use the Windows networking settings on clients
When this protocol is enabled, it allows Windows clients using NetBIOS to communicate through TCP/IP networks. This setting will use specified network settings for Windows clients when accessing the VPN. If enabled, NetBIOS settings should appear at the bottom of this section.
You are required to define the primary WINS server. This setting allows Windows VPN clients to convert NetBIOS host names into IP addresses. To provide fault tolerance, there is an optional secondary WINS server you can define.
You also have the option to chose the NetBIOS over TCP/IP node type. Click one of the radio buttons to determine which resolution method you would like Windows to resolve NetBIOS names with. By default, the b-node (broadcasts) is chosen.
Additionally, you can specify the IP address of a NBDD (NetBIOS over TCP/IP Datagram Distribution server). Since NBDD uses the UDP protocol, you will need to make sure that you set your VPN server protocol to Multi-daemon. You can enable this setting in the Network Settings page.
Optionally, the NetBIOS over TCP/IP Scope ID can be specified as a character string (which is appended to a NetBIOS name). The use of NetBIOS Scope IDs allow computers to use the same (NetBIOS) computer name, as long as they have different Scope IDs.
Typed Input Settings
The remaining settings of the page that are those that require typed input.
Additional Advanced VPN Settings
Connection Security Refresh
This setting determines the amount of time in minutes each TLS session is renegotiated by the Access Server.
Private Routed Subnets
If Routing is selected as the site-to-site communication method under VPN Settings, some subnets can still use NAT if they are added here.
Additional OpenVPN Config Directives
Directives that are not covered elsewhere can be configured in the text boxes for the Server and Client side. For instance, to push a specific interface metric to clients, you would enter the following in the Server Directives:
Push “route-metric 10”
To push a specific route to clients:
Push “route 10.0.0.0 255.255.255.0”
To alter the cipher used for the VPN tunnel to AES-256-CBC, enter the following in both Server and Client Config Directives:
This page gives you more settings that configure how the Access Server handles routing. The settings have been divided into toggle settings, then Windows specific settings, to the remaining typed input settings. The Additional OpenVPN Config Directives section allows you to configure the Access Server further by allowing you to define configuration directives for it.