Configuration: Advanced VPN
About the Page
Configuration: Advanced VPN provides more settings for configuring how the Access Server handles routing. Consider it an extension of Configuration: VPN Settings. This reference divides the page into three sections: Toggle Settings, Windows Settings, and Typed Input Settings. This division has no influence on how a setting affects the Access Server; it is strictly a division in the context of this reference manual.
The first settings are all toggle settings that allow you to configure the Access Server to perform certain Client-related functions.
Inter Client Communication
This setting determines if users can connect with each other.
- Should clients be able to communicate with each other on the VPN IP Network? If allowed, packets can be exchanged between individual VPN clients on the VPN virtual subnet.
- Allow VPN users with Administrator privilege to access all VPN client IP addresses: this gives administrators the privilege to access all client VPN IP addresses. Admin users are configured on the user Permissions page.
Multiple Sessions per User
This setting determines if the same user should be allowed to have multiple simultaneous connections to the server. In terms of licensed user limits, each such connection is counted as a separate concurrent user. If a user is configured with a static IP address, they cannot have multiple concurrent VPN connections, regardless of this setting.
DEPRECATED: Default Compression Settings
Access Server uses LZO compression to maximize speeds; however, everything in networking increases overhead. If your server does not have the processing resources to enable compression, it can be turned off here. For more information about why we discourage using compression, please see the OpenVPN Security Advisories about the VORACLE attack vulnerability.
Default TLS Auth Settings
This setting determines if TLS authorization should be enabled or if the Access Server should only rely on password authentication.
Microsoft Windows Settings
In the middle of the page are Windows-specific settings. These can be used to enable or disable NetBIOS for connected clients. These settings do not affect clients installed on other operating systems. You should enable this setting in order to give most Windows clients access to your server.
What is NetBIOS?
Network Basic Input/Output System, NetBIOS for short, is an API providing services for legacy applications to communicate with other computers within a local area network (LAN). A typical use case for NetBIOS is that a user running a page-formatting application might want to be able to print remotely to a printer within its LAN. In the case of Windows, many of its older operating systems use Windows Internet Name Service (WINS) as a legacy name registration and resolution service. WINS maps NetBIOS names to IP addresses, which is why these settings may be important for Windows clients.
Don’t alter Windows networking settings on clients
This is the default setting for Windows clients. Windows clients that use NetBIOS over TCP/IP will continue to do so. The settings that are configured on the client will be used when connecting to the VPN.
Disable NetBIOS over TCP/IP on clients
Disabling this protocol prevents Windows clients from using NetBIOS over TCP/IP, which can cause some issues when communicating with the client. It should be noted that disabling this may prevent Windows clients from connecting to your VPN host server.
Enable NetBIOS over TCP/IP and use the Windows networking settings on clients
When this protocol is enabled, it allows Windows clients using NetBIOS to communicate through TCP/IP networks. This setting will use the specified network settings for Windows clients when accessing the VPN. If enabled, NetBIOS settings should appear at the bottom of this section.
You are required to define the primary WINS server. This setting allows Windows VPN clients to convert NetBIOS host names into IP addresses. To provide fault tolerance, there is an optional secondary WINS server you can define.
You also have the option to choose the NetBIOS over TCP/IP node type. Click one of the radio buttons to select the resolution method Windows uses to resolve NetBIOS names. By default, the b-node (broadcasts) is chosen.
Additionally, you can specify the IP address of an NBDD (NetBIOS over TCP/IP Datagram Distribution) server. Since NBDD uses the UDP protocol, you will need to make sure that you set your VPN server protocol to Multi-daemon. You can enable this setting in the Network Settings page.
Optionally, the NetBIOS over TCP/IP Scope ID can be specified as a character string (which is appended to a NetBIOS name). The use of NetBIOS Scope IDs allows computers to use the same (NetBIOS) computer name, as long as they have different Scope IDs.
Typed Input Settings
The remaining settings on the page are those that require typed input.
Connection Security Refresh
This setting determines how often, in minutes, each TLS session is renegotiated by the Access Server.
Private Routed Subnets
If Routing is selected as the site-to-site communication method under VPN Settings, some subnets can still use NAT if they are added here.
Additional OpenVPN Config Directives
Directives that are not covered elsewhere can be configured in the text boxes for the Server and Client side. For instance, to push a specific interface metric to clients, you would enter the following in the Server Directives:
push "route-metric 10"
To push a specific route to clients:
push "route 10.0.0.0 255.255.255.0"
To alter the cipher used for the VPN tunnel to AES-256-CBC, enter the following in both Server and Client Config Directives:
This page gives you more settings that configure how the Access Server handles routing. The settings have been divided into toggle settings, Windows-specific settings, and the remaining typed input settings. The Additional OpenVPN Config Directives section allows you to configure the Access Server further by defining configuration directives for it.
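A pre-flight check for text pasted into the Server and Client Config Directives boxes, as an added example (not OpenVPN's own code). It flags typographic quotes and capitalized directive names, which OpenVPN does not treat as quoting characters or as valid option names, and directives that turn compression back on. The function name and the sample input are constructed for illustration.

```python
import re

# Typographic quotes that word processors and web pages substitute for ASCII ones.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# Arguments to "compress" that actually enable compression (the VORACLE-exposed case).
COMPRESS_ALGOS = {"lzo", "lz4", "lz4-v2"}


def lint_directives(text):
    """Return (line_number, message) findings for a block of extra directives."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blank lines and comments
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append((lineno, "typographic quotes; use ASCII double quotes"))
            line = line.translate(str.maketrans(SMART_QUOTES))  # keep checking
        name = line.split()[0]
        if name != name.lower():
            findings.append((lineno, f"directive '{name}' must be lowercase"))
        # Look inside push "..." as well: a pushed option takes effect on clients.
        pushed = re.match(r'push\s+"([^"]*)"', line, re.IGNORECASE)
        tokens = (pushed.group(1) if pushed else line).lower().split()
        if not tokens:
            continue
        opt, args = tokens[0], tokens[1:]
        if opt == "comp-lzo" and args[:1] != ["no"]:
            findings.append((lineno, "comp-lzo enables compression"))
        if opt == "compress" and args and args[0] in COMPRESS_ALGOS:
            findings.append((lineno, f"compress {args[0]} enables compression"))
    return findings


# Constructed sample input; \u201c and \u201d are the curly double quotes.
SAMPLE = '''# extra server directives (constructed)
Push \u201croute-metric 10\u201d
push "route 10.0.0.0 255.255.255.0"
push "comp-lzo yes"
compress lz4-v2
comp-lzo no
'''

if __name__ == "__main__":
    for lineno, message in lint_directives(SAMPLE):
        print(f"line {lineno}: {message}")
```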