Configuration: Advanced VPN
About the Page
The Configuration: Advanced VPN page provides you with advanced settings to configure routing and security settings. Consider it an extension of Configuration: VPN Settings.
OpenVPN data channel offloading
The OpenVPN data channel offloading (DCO) setting allows you to enable DCO and displays information about whether or not DCO is installed and loaded.
OpenVPN DCO provides performance improvements when enabled on the VPN server and clients by offloading the data channel encryption and decryption to the kernel space. Handling encryption in the kernel space, rather than the user space, improves performance.
|Prefer kernel OpenVPN data channel offloading if available (ovpn-dco)||This setting enables DCO for Access Server when the kernel module, openvpn-dco-dkms, is installed on the server.|
|VPN tunnel MTU||Set the maximum transmission unit (MTU) for Access Server.|
Note: For VPN tunnel MTU, the minimum allowable value is 576, and the maximum is 65536. We recommend setting it to 1420 when you enable DCO.
This setting determines if users can connect with each other.
- Should clients be able to communicate with each other on the VPN IP Network? If allowed, VPN clients can exchange packets with each other on the VPN virtual subnet.
- Allow VPN users with Administrator privilege to access all VPN client IP addresses: This gives the administrator privileges to access all client VPN IP addresses. You configure admin users on the user permissions page.
Multiple Sessions per User
Default Compression Settings (discouraged)
Note: This setting displays on older versions of Access Server.
Access Server uses LZO compression to maximize speeds, however everything in networking increases overhead. If your server does not have the processing resources to enable compression you can turn it off here. For more information about why we discourage this, please see the OpenVPN Security Advisories about the VORACLE attack vulnerability.
TLS Control Channel Security
OpenVPN protocol uses two communication channels during the VPN session. One is the control channel where key negotiation, authentication, and configuration takes place. The other is the data channel where the encryption packets are. The control channel can be secured further by signing and verifying the packets with a shared key. This is called TLS Auth. With TLS Crypt for OpenVPN, we add another layer of encryption to the control channel, on top of signing and verifying with a shared key as TLS Auth does. This extra layer of encryption applies even to the key-exchange before the TLS session starts.
You can choose from these values:
- none: no additional signing and verification is done on packets.
- tls-auth: use a shared secret key to sign and verify packets.
- tls-crypt: same as tls-auth but also encrypts TLS control channel (default).
- tls-cryptv2: same as above but uses a per-client key instead of a shared secret key.
Access Server 2.9.0 and newer support all the above options, with tls-crypt as the default.
The data-channel encryption cipher encrypts and decrypts the data packets transmitted through the OpenVPN tunnel. Here, you can configure it on the server and client sides. The server and client must agree on a cipher that both support and allow. Enter the ciphers here in a string format with multiple ciphers separated by a colon, for example, AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
For more details refer to Change Encryption Cipher In Access Server.
Microsoft Windows Settings
You can configure Windows-specific settings to enable/disable NetBios for connected clients. These settings don’t affect clients installed on other operating systems.
What is NetBIOS?
Network Basic Input/Output System (NetBIOS), is an API providing services for legacy applications to communicate with other computers within a local area network (LAN). A typical use case for NetBIOS is that a user running a page-formatting application might want to print remotely to a printer within its LAN. In the case of Windows, many of its older operating systems use Windows Internet Name Service (WINS) as a legacy name registration and resolution service. WINS maps NetBIOS names to IP addresses, hence why these settings may be important for Windows clients.
Don't alter Windows networking settings on clients
This is the default setting for Windows clients. Windows clients that use NetBIOS over TCP/IP will continue to do so. The settings configured on the client are used when connecting to the VPN.
Disable NetBIOS over TCP/IP on clients
Disabling this protocol prevents the Windows clients from using NetBIOS over TCP/IP which can cause some issues when communicating with the client. It should be noted that disabling this may prevent Windows clients from connecting to your VPN host server.
Enabling NetBIOS over TCP/IP and use the Windows networking settings on clients
When you enable this protocol, Windows clients using NetBIOS can communicate through TCP/IP networks. This setting uses specified network settings for Windows clients when accessing the VPN. If enabled, NetBIOS settings appear at the bottom of this section.
You are required to define the primary WINS server. This setting allows Windows VPN clients to convert NetBIOS host names into IP addresses. To provide fault tolerance, you can define an optional, secondary WINS server.
You also have the option to choose the NetBIOS over TCP/IP node type. Click one of the radio buttons to determine which resolution method you would like Windows to resolve NetBIOS names with. By default, the b-node (broadcasts) is chosen.
Additionally, you can specify the IP address of an NBDD (NetBIOS over TCP/IP Datagram Distribution server). Since NBDD uses the UDP protocol, you will need to make sure that you set your VPN server protocol to Multi-daemon. You can enable this setting in the Network Settings page.
Optionally, the NetBIOS over TCP/IP Scope ID can be specified as a character string (which is appended to a NetBIOS name). The use of NetBIOS Scope IDs allow computers to use the same (NetBIOS) computer name, as long as they have different Scope IDs.
Connection Security Refresh
This setting determines the amount of time in minutes Access Server renegotiates each TLS session.
Private Routed Subnets (optional)
If you select routing as the site-to-site communication method under VPN Settings, some subnets can still use NAT if you add them here.
Additional OpenVPN Config Directives (Advanced)
You can configure directives that aren’t covered elsewhere in the text boxes for the Server and Client side. For instance, to push a specific interface metric to clients, you would enter the following in the Server Directives:
Push “route-metric 10”
To push a specific route to clients:
Push “route 10.0.0.0 255.255.255.0”
To alter the cipher used for the VPN tunnel to AES-256-CBC, enter the following in both Server and Client Config Directives:
The Advanced VPN page gives you more settings that configure Access Server routing and security. The settings have been divided into toggle settings, then Windows specific settings, then typed input settings. The Additional OpenVPN Config Directives section allows you to configure the Access Server further by allowing you to define configuration directives for it.