OpenVPN Cloud Settings User Guide

Specify OpenVPN Cloud settings based on the needs of your organization. Doing so maximizes the benefits of the product and improves your workflow.

It’s best to specify OpenVPN Cloud settings before using the product. However, settings can be specified at any time.

Here, you can learn how to do the following:

Specify VPN settings

Use VPN settings to specify how OpenVPN should use VPN functionality to enhance and secure your environment.

Specify full mesh or custom VPN topology

About:

VPN Topology determines whether access controls are applied to your VPN. When set to Custom, access groups are active. When set to Full Mesh, there is unrestricted access between all users, networks, and hosts.

A full-access configuration between user devices and connectors can be helpful if you just want to deploy OpenVPN Cloud and verify connectivity. To specify granular access, use Access Groups. Setting VPN topology to Custom activates Access Groups (see OpenVPN Cloud Access Group).

You can switch between Full Mesh and Custom at any time.

See also:

Change the VPN topology from full-mesh to custom

Prerequisite:

For custom VPN topology, you must configure access rules for the access policy that controls access to the VPN (see Configuring client-specific rules and access policies).

Procedure:

Location: left panel > Settings > VPN > VPN Topology

  1. Click Edit.
  2. Accept the Full Mesh default or select Custom.
    If you select Custom VPN topology, Full Mesh access to the VPN will be disabled.
  3. Specify another VPN setting or click Update to save and finish.

Specify the default region for user groups and connectors

About:

The default region is the region that newly created user groups and connectors use unless another region is selected. A region is the physical location of the cloud servers to which a connector or user device connects.

You can change the default region for user group and connectors during or after their creation.

Procedure:

Location: left panel > Settings > VPN > Default Region

  1. Click Edit.
  2. Select the desired default region from the Regions drop-down.
  3. Specify another VPN setting or click Update to save and finish.

Enable SNAT so inbound traffic goes to VPN Gateway

About:

SNAT enables source NAT on the OpenVPN Cloud side. When traffic arrives at a connector or user device, its source IP is the IP address of the VPN Gateway. This is helpful in remote access scenarios where you don’t want to configure return routing on destination resources.

When SNAT is off, the destination sees the IP address of the source device instead of the IP address of the VPN Gateway. This might be preferred for some applications, such as VoIP.

Procedure:

Location: left panel > Settings > VPN > SNAT

  1. Click Edit.
  2. Click the toggle button to enable SNAT.
  3. Specify another VPN setting or click Update to save and finish.

Specify VPN subnets for assigning IP addresses to devices and connectors

About:

VPN IPs for connectors and user devices are assigned from the subnet ranges that you specify. The VPN subnet is the range of IPv4 and IPv6 addresses from which IP addresses are assigned to connectors and to devices belonging to users.

Note: OpenVPN Cloud supports the use of public IP address ranges and private IPv4 address ranges as specified in RFC 1918.

Attention: Ensure that the VPN subnet IP addresses that you specify do not overlap with the IP address ranges already in use on your current private network.

Procedure:

Location: left panel > Settings > VPN > VPN Subnets

  1. Click Edit.
  2. Specify in the IPv4 field the beginning of the IPv4 range and then click the plus button (+).
  3. From the second IPv4 field that appears, specify the ending of the IPv4 range.
  4. Specify in the IPv6 field the beginning of the IPv6 range and then click the plus button (+).
  5. From the second IPv6 field that appears, specify the ending of the IPv6 range.
  6. Specify another VPN setting or click Update to save and finish.

Use split subnets to route and filter traffic by domain names

About:

A split subnet is a special subnet which is routed to OpenVPN Cloud. Having this subnet enables domain routing and domain filtering capabilities.

Procedure:

Location: left panel > Settings > VPN > Split Subnets

  1. Click Edit.
  2. Specify in the IPv4 field the subnet and subnet mask.
    The subnet mask (prefix length) cannot be greater than 16.
  3. Specify in the IPv6 field the subnet and subnet mask.
    The subnet mask (prefix length) cannot be greater than 64.
  4. Specify another VPN setting or click Update to save and finish.
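As an added example (not code from the guide or from OpenVPN), the following Python checks a proposed VPN subnet range against the overlap caveat and the RFC 1918 ranges from the VPN Subnets section, and a split subnet against the prefix-length limits above. The ranges already in use are constructed sample data.

```python
import ipaddress

# Private IPv4 ranges defined in RFC 1918 (the guide notes these are supported
# alongside public ranges).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: ranges already in use on the private network (assumption).
IN_USE = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/16", "192.168.1.0/24", "fd00:1::/64")]

# Maximum prefix length for a split subnet, as stated in the guide.
SPLIT_MAX_PREFIX = {4: 16, 6: 64}


def range_to_networks(first, last):
    """Turn the UI's begin/end addresses into the equivalent CIDR blocks."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a.version != b.version or a > b:
        raise ValueError("range must be one address family with first <= last")
    return list(ipaddress.summarize_address_range(a, b))


def vpn_range_conflicts(first, last, in_use=IN_USE):
    """Return the in-use ranges that overlap the proposed VPN subnet range."""
    nets = range_to_networks(first, last)
    hits = {str(u) for u in in_use for n in nets
            if u.version == n.version and u.overlaps(n)}
    return sorted(hits)


def is_rfc1918_range(first, last):
    """True if every block of an IPv4 range lies inside an RFC 1918 range."""
    nets = range_to_networks(first, last)
    return all(n.version == 4 and any(n.subnet_of(r) for r in RFC1918)
               for n in nets)


def split_subnet_ok(cidr):
    """Check a split subnet against the /16 (IPv4) and /64 (IPv6) limits."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen <= SPLIT_MAX_PREFIX[net.version]
```

Run the checks before clicking Update: a non-empty conflict list means the range would collide with an existing network.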

Advanced Configuration - Specify any OpenVPN client options

About:

You can push any client options you want. Before doing so, understand the results they can produce. While client options let you extend OpenVPN Cloud, we do not guarantee any results, whether desired or undesired.

Procedure:

Location: left panel > Settings > VPN > Advanced Configuration > OpenVPN Client Options

  1. Click Edit.
  2. Specify in the custom option field the desired option.
  3. To add another option, click the plus button (+) and specify the additional option in the subsequent custom option field.
  4. Specify another VPN setting or click Update to save and finish.

Specify users settings

Use User settings to tune configurations for users.

Specify VPN session duration

About:

By default, OpenVPN Cloud has a 24-hour VPN session time-out period for user devices. If this period does not meet your needs, OpenVPN Cloud enables you to set a session period that’s more conducive to your environment.

When a user device exceeds the number of hours in the specified VPN session, the user device will attempt to reconnect to the VPN.

Procedure:

Location: left panel > Settings > Users > VPN Session Timeout

  1. Click Edit.
  2. Specify in the Hours field how long you want a user device to have access to your VPN.
    The maximum number of hours you can specify is 168.
    This setting applies to all devices of all users.
  3. Specify another Users setting or click Update to save and finish.

Specify whether users are prompted for account credentials and how often

About:

Use this setting to specify whether user credentials are needed to connect to OpenVPN Cloud: required for every VPN connection attempt, required again only 12 hours after a successful connection, or not required at all.

Procedure:

Location: left panel > Settings > Users > Connect Auth

  1. Click Edit.
  2. Specify if you want users to authenticate or not when connecting to OpenVPN Cloud.
  3. Specify another Users setting or click Update to save and finish.

Specify maximum number of devices per user

About:

The value specified for this setting is the default for the maximum number of devices (number of generated profiles) that can access OpenVPN Cloud per user account. This value can be overridden during User Group configuration.

There is a limit of 100 devices that can access OpenVPN Cloud per user account.

See also:

Change the per user device allowance

Procedure:

Location: left panel > Settings > Users > Device Allowance

  1. Click Edit.
  2. Specify in the Devices field the desired maximum number of devices.
    Any new groups default to this number of allowed devices.
  3. To apply the specified maximum number of devices to existing user groups, select the check box.
  4. Specify another Users setting or click Update to save and finish.

Specify how OpenVPN profiles are distributed

About:

This setting determines whether users import connection profiles (.ovpn files) automatically (users obtain profiles themselves) or whether the admin distributes them manually (the admin generates a profile and shares it with the user).

See also:

Switch to manual profile distribution and create a user device

Procedure:

Location: left panel > Settings > Users > Profile Distribution

  1. Click Edit.
  2. Accept the Automatic default or select Manual.
  3. If you select Manual, generate and download profiles to distribute to users.
    See Add a user.
  4. Specify another Users setting or click Update to save and finish.

Specify user-authentication settings

Use user-authentication settings to specify the type of authentication method, including two-factor authentication, and whether trusted devices are allowed.

Enable two-factor user authentication

About:

Administrators can enable two-factor authentication for their users to add an additional layer of identity verification. Once two-factor authentication is enabled, an authenticator application must be used to provide an authentication code at sign in. The authentication check is performed whenever the user attempts to:

  • Sign in to the user portal.
  • Sign in with the OpenVPN Connect app to add a connection profile.
  • Establish a VPN connection using the Connect app if Connect Auth is configured to require authentication.

Procedure:

Location: left panel > Settings > User Authentication > Two-Factor Authentication

  1. Click Edit.
  2. Click the toggle button to enable two-factor authentication.
    You can enable your users to allow for trusted devices (see Allow for trusted devices).
  3. Specify another User Authentication setting or click Update to save and finish.

Allow for trusted devices

About:

A device trusted by OpenVPN Cloud does not need to be validated with security credentials each time it is used to access sensitive information. Users are not prompted for additional authentication on a trusted device for 30 days after the initial authentication.

Prerequisite:

Two-factor authentication is enabled (see Enable two-factor user authentication).

Procedure:

Location: left panel > Settings > User Authentication > Two-Factor Authentication > Allow Trusted Devices

  1. Click Edit.
  2. Click the toggle button to enable the allowance of trusted devices.
  3. Specify another User Authentication setting or click Update to save and finish.

Specify authentication method

About:

Depending on your needs, you can authenticate users in OpenVPN Cloud using various methods. Use the OpenVPN Cloud setting if you don’t have users with single sign-on needs. Use SAML if your users use an identity provider (IdP) and you want them to sign on with their IdP credentials. In this case, you have the option of having users authenticate in their native browser.

Finally, you can authenticate users with LDAP servers that are on your private network and reachable using VPN (see User Guide - Private LDAP Authentication).

OpenVPN Cloud supports authentication for SAML-compatible identity providers. If you have any difficulties configuring SAML for your IdP, contact Support.

Below are identity providers for which there is user guidance.

Procedure:

Note: The steps to implement SAML authentication through an IdP are general. For detailed steps, refer to the desired IdP listed in About.

Location: left panel > Settings > User Authentication > Authenticate Users Using

  1. Click Edit.
  2. Select the type of authentication you want for users when connecting to OpenVPN Cloud.
  3. To implement the SAML authentication method:
    a. From the IdP administration console, configure OpenVPN Cloud as a SAML service provider.
    b. With the SAML/OpenVPN configuration complete, enable SAML as the user authentication method in OpenVPN.
  4. Specify another User Authentication setting or click Update to save and finish.

Specify DNS settings

Use DNS settings to specify DNS server usage, including DNS zones and FQDN names.

Specify DNS servers

About:

You can set the root DNS server by either selecting the OpenVPN DNS server or specifying a custom DNS server.

For a custom DNS server, you can designate a DNS server as a primary or secondary server.

Maintaining secondary servers ensures that queries can be resolved even if the primary server becomes unresponsive.

Prerequisite:

The DNS IP addresses must belong to one of your network subnets or one of your hosts (see Adding a Network).

Procedure:

Location: left panel > Settings > DNS > DNS Servers tab > DNS Servers

  1. Click Edit.
  2. Accept the OpenVPN default or select Custom.
  3. If you select Custom, specify the IP addresses for the primary DNS server and the optional secondary DNS server.
  4. Specify another DNS setting or click Update to save and finish.

Advanced Configuration - Protect DNS requests using OpenVPN Cloud as a proxy

About:

Using this advanced configuration enables OpenVPN Cloud to act as a DNS proxy to both protect DNS requests and provide routing and filtering by domain name.

Procedure:

Location: left panel > Settings > DNS > DNS Servers tab > Advanced Configuration > DNS Proxy

  1. Click Edit.
  2. Click the toggle button to set OpenVPN Cloud as the DNS proxy.
    Attention: It is recommended not to disable DNS Proxy. Disabling DNS Proxy makes domain routing and filtering unavailable.
  3. Specify another DNS setting or click Update to save and finish.

Advanced Configuration - Resolve host names to FQDN names for Windows clients

About:

A fully qualified domain name (FQDN) is useful when you want a computer to be discoverable on a network such as the internet, for example when you want to access a computer remotely. This makes it easier to track the activity on that computer. An FQDN for your computer makes it possible for it to be identified on the internet.

An FQDN helps you access domain services such as File Transfer Protocol (FTP) and email. For example, to manually connect a domain email account to an email app on your phone, you would also need to know the FQDN of the mail server, such as “mail.yourdomainname.com.”

Setting a default suffix enables Windows clients to resolve host names to FQDNs. Only one default suffix can be specified.

Procedure:

Location: left panel > Settings > DNS > DNS Servers tab > Advanced Configuration > Default DNS Suffix

  1. Click Edit.
  2. Specify the DNS suffix for the desired host name.
    Example: your_company_name.com
  3. Specify another DNS setting or click Update to save and finish.

Advanced Configuration - Specify DNS servers which support certain DNS zones

About:

A DNS server that supports a DNS zone handles the requests of that zone.

Procedure:

Location: left panel > Settings > DNS > DNS Servers tab > Advanced Configuration > DNS Zones

  1. Click Edit.
  2. Click (+) beside DNS Zone.
  3. Specify the desired DNS zone and the IP address of the DNS server you want to support the DNS zone.
  4. Specify another DNS setting or click Update to save and finish.

Extend or overwrite DNS server configurations using a DNS record

About:

A DNS record enables you to configure DNS in OpenVPN Cloud itself rather than on a DNS server. Instead of changing entries on your private DNS server, or even using private DNS servers at all, you can add a DNS record directly to your VPN configuration.

Note: Before making a DNS record entry, ensure that the IP addresses to which you want to route traffic are accessible from a device connected to OpenVPN Cloud.

Procedure:

To add a DNS record, follow the steps:

Location: left panel > Settings > DNS > DNS Records tab > DNS Records

  1. Click (+) beside DNS Records.
  2. Enter a fully qualified domain name (example: hostname.example.com) or a root domain name (example: example.com) in the Domain Name field.
    All subdomains of the domain name are mapped to this entry if there are no other DNS entries that match the specific subdomain names.
  3. Add one or multiple IPv4 and IPv6 addresses that map to the domain name.
  4. Click the checkmark to save each entry.
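As an added example (not code from the guide or from OpenVPN), the following Python models how the DNS Zones and DNS Records settings above decide a query's fate: a DNS record wins when it, or a parent domain, matches the name (the most specific entry is used, so subdomains fall back to the closest root-domain entry); otherwise the query is forwarded to the zone's server or to the default servers. The record, zone, and server values are constructed sample data.

```python
# Constructed sample configuration (assumption, not from the guide).
DNS_RECORDS = {                      # Settings > DNS > DNS Records
    "example.com": ["10.1.1.10", "fd00:1::10"],
    "hostname.example.com": ["10.1.1.20"],
}
DNS_ZONES = {                        # Settings > DNS > Advanced Configuration > DNS Zones
    "corp.internal": "10.1.1.53",
    "example.net": "10.2.2.53",
}
DEFAULT_SERVERS = ["10.1.1.1", "10.1.1.2"]   # custom primary and secondary


def _normalize(name):
    """Lower-case and drop a trailing dot so lookups are case-insensitive."""
    return name.rstrip(".").lower()


def _most_specific(name, table):
    """Return the longest key in table that equals name or one of its parents."""
    labels = _normalize(name).split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in table:
            return key
    return None


def resolve_record(name, records=DNS_RECORDS):
    """Answer from DNS records; subdomains fall back to the closest entry."""
    key = _most_specific(name, records)
    return (key, records[key]) if key else None


def choose_servers(name, zones=DNS_ZONES, default=DEFAULT_SERVERS):
    """Pick the zone's server when a zone matches, else the default servers."""
    key = _most_specific(name, zones)
    return [zones[key]] if key else list(default)


def lookup_plan(name):
    """Describe how a query is handled: record override first, then forwarding."""
    rec = resolve_record(name)
    if rec:
        return {"source": "record", "matched": rec[0], "answer": rec[1]}
    return {"source": "forward", "servers": choose_servers(name)}
```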

Specify notification settings

Use notification settings to warn of important VPN events related to potential failures or reached limits in OpenVPN Cloud.

Set notification warning of exceeded subscription limit

About:

This notification, enabled by default, notifies administrators that one or more VPN connections were terminated because the number of simultaneous VPN connections (including those from connectors and users) exceeded the subscribed limit. A notification is sent once every hour while VPN sessions are being disconnected because the subscription limit is exceeded.

Procedure:

Location: left panel > Settings > Notifications > Subscription Limit Exceeded

  1. Click Edit.
  2. Click the toggle button to enable the notification.
  3. Specify another Notifications setting or click Update to save and finish.

Set notification warning of reached VPN connection threshold

About:

If enabled, this optional notification informs administrators that a configured threshold for the number of active VPN connections is exceeded. The threshold is configured as a percentage of the subscribed VPN connections. For example, a threshold set at 80 percent for a customer that has subscribed to 100 VPN connections will send an email notification when 80 or more VPN connections are active. This alert serves as an advance warning that the number of active VPN connections might soon exceed the number of subscribed VPN connections and may lead to VPN sessions being disconnected.

Procedure:

Location: left panel > Settings > Notifications > High Subscription Usage

  1. Click Edit.
  2. Click the toggle button to enable the notification.
  3. Specify in the Threshold field the desired VPN connection threshold.
    The threshold should be between 1 and 99 percent.
  4. Specify another Notifications setting or click Update to save and finish.

Set notification warning of connector status change

About:

If enabled, this optional alert notifies administrators that a device running connector software has lost its VPN connection. Typically, connectors serve to extend the VPN to a network or directly to a private server. This alert may indicate a critical service failure if a connector is the only instance for the network or host. Note that multiple connectors can be used with a network. An alert is sent once every hour that connector VPN sessions are being disconnected.

Note: The Network page shows the status of each network. If a network is offline or online with issues, the associated connector will be offline. The Network page provides a quick visual status of networks and connectors, which is useful during troubleshooting.

Procedure:

Location: left panel > Settings > Notifications > Connector Status

  1. Click Edit.
  2. Click the toggle button to enable the notification.
  3. Specify another Notifications setting or click Update to save and finish.

Set notification warning for disconnected LDAP server

About:

You’ll receive a notification if a network or host to which an LDAP server is connected is disconnected from OpenVPN Cloud.

Prerequisite:

Ensure that you have Private LDAP set for your user-authentication method (see Specify authentication method).

Procedure:

Location: left panel > Settings > Notifications > LDAP Server Offline Warning

  1. Click Edit.
  2. Click the toggle button to enable the notification.
  3. Specify another Notifications setting or click Update to save and finish.

Set notification warning for failed user-authentication events due to LDAP communication issues

About:

You can receive this notification under two conditions: either the LDAP server is unreachable, which in most cases is due to a network connectivity issue, or the LDAP server is reachable but the LDAP settings for user authentication failed.

Prerequisite:

Ensure that you have Private LDAP set for your user-authentication method (see Specify authentication method).

Procedure:

Location: left panel > Settings > Notifications > LDAP Server Connectivity Warning

  1. Click Edit.
  2. Click the toggle button to enable the notification.
  3. Specify another Notifications setting or click Update to save and finish.