Quick Start / OpenVPN Cloud
Welcome to OpenVPN Cloud
Here you'll find a selection of configuration scenarios, a brief overview of the portals for OpenVPN Cloud, and details on how to connect to OpenVPN Cloud on your devices.
Get worldwide Cyber Shield protection in just a few steps
Cyber Shield provides you with:
- Security by encrypting your DNS traffic to eliminate various DNS attacks
- Freedom from being blocked when accessing legitimate websites because of a shared and possibly blacklisted IP address provided by your online security VPN provider
- Protection by allowing you to block cyber threats and unwanted content
Here is how to get started:
- Create an OpenVPN Cloud account and select an identity for your Cloud (for example, cyberone)
- Go to the Shield section and turn ON blocking of dangerous and unwanted categories
- Download and launch the OpenVPN Connect app.
- Add a profile in the Connect app by using your OpenVPN Cloud URL (for example, cyberone.openvpn.com), authenticate, and select a Region to connect to.
Cyber Shield does not tunnel your internet traffic through the VPN. Read the “SaaS Whitelisting by configuring VPN for Secure Access to Internet” configuration scenario below if you want to tunnel all your internet traffic. Read the “Routing Traffic to select internet domains through the VPN tunnel” configuration scenario below if you want to tunnel only internet traffic to specific web destinations.
Configuration Scenarios
OpenVPN Cloud supports many different configuration scenarios, a sample of which we’ll cover here.
To start using Single Sign-On with your VPN, you’ll need to do the following:
- Navigate to Settings and use the User Authentication tab to configure the SAML option.
- Configure OpenVPN Cloud as an application in your Identity Provider and provide applicable users access to the OpenVPN Cloud application.
- Configure OpenVPN Cloud to work with the Identity Provider.
- After SAML configuration is done, enable SAML as the user authentication method.
OpenVPN Cloud supports Security Assertion Markup Language (SAML) 2.0 as an identity federation option. Identity Federation is the ability to authenticate access to the services of a Service Provider (such as OpenVPN Cloud) using an existing Identity Provider (such as Okta). You can now use your existing SAML 2.0 compliant Identity Providers to allow your users to authenticate prior to downloading VPN connection profiles, prior to VPN connection, and to log in to the User Portal.
To start securing your DNS as an owner, you’ll need to do the following:
- Log in to your user portal.
- Download the Connect Client app.
- Launch the Connect Client app and import the profile from the user portal.
As an owner, you can add others to your VPN by adding them as a User.
Domain Name System (DNS) can be thought of as the internet’s directory that is used to find the IP address for a given domain name such as openvpn.net. The IP address is needed for connecting to the webserver, but the DNS query and response are unprotected and anyone on your network can snoop and even modify the responses. Rogue public Wi-Fi hotspots can use this to surreptitiously redirect your browser to phishing websites.
You can secure your DNS traffic simply by connecting to your OpenVPN Cloud VPN. Once connected, all DNS traffic is encrypted and tunneled to the DNS servers configured for your VPN. Note that at this point only DNS traffic is secured; your internet traffic is not yet secured. To secure your internet traffic, please see ‘Configuring a VPN for Secure Access to Internet.’
To provide access to specific services on your private network, you’ll need to do the following:
- Add a Host for the service. Optionally, add a domain name for the host. For example, intraweb.company.com. Accessing the Host by name will automatically round-robin traffic to all of the Host’s Connectors.
- Add one or more Connectors to the Host.
- Install the Connector app on the server providing the service. In the case of multiple Connectors, install one on each server that provides the same service.
Instead of providing remote access to your Network, you can just provide access to specific services on your private network. This can be done by installing the Connector app on the same server that provides the service and then accessing the service by using the VPN IP address of the Connector or via domain name. Use this to secure remote desktop connection to workstations or to remotely access your file, web, and other private servers without enabling remote access to your entire private network.
To secure internet traffic by transporting it inside the VPN tunnel, you first need to add a Network that will serve as an egress route for your VPN. This allows all the internet traffic entering your VPN to exit from that Network. The key steps are:
- Add one or more Networks. Turn the VPN Egress setting for the network ON.
- Install the Connector application on a computer in each Network. This computer will serve as the Internet Gateway.
- Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
- For each User Group whose internet traffic needs to be secured, change the Internet Access setting to Split Tunnel OFF.
Traffic exiting your network will use the public IP address of the Network Connector. This IP address can now be added to the whitelists of SaaS providers to allow only those employees connected to OpenVPN Cloud to log in to these SaaS applications.
For using OpenVPN Cloud to remotely access your Virtual Private Cloud Networks, or on-premises networks like your office network, follow the steps below:
- Add one or more Networks. You can add one or more IP address subnet ranges belonging to your Network that you want to access remotely.
- Install the Connector application on a computer in each Network. If you use AWS, then you can install the Network Connector using the CloudFormation template.
- Make the needed changes for proper traffic routing.
- Add your employees as Users.
To securely connect your private networks distributed among different physical sites or in multiple IaaS Clouds, you’ll need to do the following:
- Add a Network for each of the private networks you want to interconnect. You can add one or more IP address subnet ranges belonging to each Network.
- Install the Connector application on a computer in each Network. We recommend using a computer running Linux. If you use AWS, then you can install Network Connector using the CloudFormation template.
- Make the needed changes for proper traffic routing.
Once the Connectors in your networks establish VPN connections and all the routing configurations are followed, devices on all your connected networks can communicate with each other. Full-mesh access is created in spite of the Network Connectors connecting to different VPN Regions.
If you would just like traffic to a few websites to use the VPN tunnel, similar to per-app VPN, while other traffic goes directly to the internet, follow the steps below:
- Add one or more Networks, with the network's subnet IP address ranges, to represent your actual network that has a path to the internet.
- Install the Connector application on a computer in each Network.
- Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
- Announce a route to the public website from one of the Networks by adding the domain of the website to that Network’s configuration. For example, salesforce.com. Once this is done, just the traffic destined to salesforce.com will be routed inside the VPN tunnel, in spite of Internet Access being set to split tunnel ON, and will exit the VPN via the Network configured with that domain name.
Traffic exiting your network will use the public IP address of the Network’s Connector or router. This IP address can now be added to the whitelists of SaaS providers to allow only those employees connected to OpenVPN Cloud to log in to these SaaS applications.
To securely network your private networks that are distributed among different physical sites, or in multiple IaaS Clouds, and that have overlapping IP address ranges, follow the steps below:
- Add a Network for each of the private networks you want to interconnect (e.g., network1 and network2 both use 192.168.0.0/16). Because the networks' IP address ranges overlap, you cannot add their IP address subnet ranges; instead, you need to distinguish each network with a unique domain name (e.g., network1.net, network2.net).
- Install the Connector application on a computer in each Network. We recommend using a computer running Linux.
- Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
- Now that the networks are identified by names, go to the DNS settings page and add DNS records for the servers that need to be reached on each network. For example, video.network1.net to 192.168.0.100 and file.network2.net to 192.168.0.100.
Once the Connectors in your networks establish VPN connections and all the routing configurations are followed, accessing video.network1.net will route to 192.168.0.100 on network1 and file.network2.net will route to 192.168.0.100 on network2.
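The overlap problem and the name-based workaround described above can be checked before the Networks are added. The following Python sketch is an added example, not OpenVPN Cloud code: the inventory layout and function names are assumptions, and the sample values are constructed from the example on this page.

```python
import ipaddress

# Constructed inventory mirroring the page's example: both sites use 192.168.0.0/16.
NETWORKS = {
    "network1": {"subnet": "192.168.0.0/16", "domain": "network1.net"},
    "network2": {"subnet": "192.168.0.0/16", "domain": "network2.net"},
}

# Constructed DNS records, as in the page's example.
DNS_RECORDS = {
    "video.network1.net": "192.168.0.100",
    "file.network2.net": "192.168.0.100",
}


def overlapping_pairs(networks):
    """Return sorted (name_a, name_b) pairs whose subnets overlap."""
    parsed = {n: ipaddress.ip_network(c["subnet"]) for n, c in networks.items()}
    names = sorted(parsed)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]


def candidates_by_ip(ip, networks):
    """Networks that could own an IP when routing on the address alone."""
    addr = ipaddress.ip_address(ip)
    return sorted(n for n, c in networks.items()
                  if addr in ipaddress.ip_network(c["subnet"]))


def resolve_by_name(fqdn, networks, records):
    """Pick the network whose domain is a label-aligned suffix of fqdn.

    Returns (network_name, ip). Raises LookupError if the name has no record
    or does not match exactly one network domain, rather than guessing a route.
    """
    name = fqdn.lower().rstrip(".")
    if name not in records:
        raise LookupError(f"no DNS record for {name}")
    matches = [n for n, c in networks.items()
               if name == c["domain"] or name.endswith("." + c["domain"])]
    if len(matches) != 1:
        raise LookupError(f"{name} maps to {len(matches)} networks")
    return matches[0], records[name]
```

Routing on 192.168.0.100 alone yields two candidate networks, while each fully qualified name selects exactly one, which is why the scenario identifies the networks by domain instead of by subnet.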
To block access to websites hosting content that is undesirable, follow the steps below:
- Access the Shield page in the administration portal, and on the Domain Filtering pane turn Monitoring on.
- Click the edit icon; the Domain Filters window will be displayed.
- Select the domain filter categories that you want to block.
Shield checks which of the 43 content categories each domain name being queried belongs in. If a domain name is matched to a category that is configured to be blocked, the domain name is not resolved as expected and a “This site can’t be reached” page is displayed.
Shield effectively blocks traffic bound for the intended destination even if the traffic isn’t passing through the VPN.
Admin portal
The following modules are available inside the OpenVPN Cloud Admin Portal:
Status
Shows a summary of information about your connections.
Networks
Allows you to create Networks to connect sites to your VPN, or to enable VPN Egress.
Shield
Configure and use additional security features.
Hosts
Allows you to create Hosts to connect your servers to VPN.
Access
Create custom access rules for your VPN resources.
Documentation
Find more information about OpenVPN Cloud capabilities in our knowledge base.
Support Center
Create a support ticket to reach our team with any technical or account-related questions.
User Portal
The website link for the User Portal can be found inside the Users module of the Admin Portal.
Tasks that can be completed inside the user portal include:
- Downloading and installing the OpenVPN Connect App
- Viewing instructions to import a profile and connect to the VPN.
- Managing devices.
Adding Users to your Network and Getting Connected
You can create and assign your Users to different User Groups to create multiple groupings of your employees based on their organizational role or other factors. User Group properties such as the VPN Regions the users are allowed to connect to can be customized. User Groups can also be used in Access Groups to enforce role-based access privileges.
If you provide an email address while adding your employees as Users, OpenVPN Cloud sends an email invitation to them with instructions to download the OpenVPN Connect app and use the Connect application to log in and connect to OpenVPN Cloud.
Using OpenVPN Connect app
Ready to connect to your private OpenVPN Cloud? All it takes are these three steps:
1. Get the App
Download and install OpenVPN Connect. You can get the app you need for your OS right here:
Desktop App
Mobile App
Looking for Linux? Follow these instructions.
2. Launch the App
Once the installation completes, open up the app and read through the license to accept it.
3. Import a profile
In the app, import a profile. Fill out the URL for your OpenVPN Cloud, then enter your username and password. Looking for your password? Check your email. If your administrator has set up SAML, you’ll log in with SSO credentials.
If you can’t find the invitation, ask your administrator to resend it.
Set your new password, complete two-factor authentication (optional), choose a region to connect to (optional), then click Add.
Documentation on connecting users to VPN can be found here: