Welcome to OpenVPN Cloud

Here you'll find a selection of configuration scenarios, a brief overview of the portals for OpenVPN Cloud, and details on how to connect to OpenVPN Cloud on your devices.

  1. Cyber Shield
  2. Configuration Scenarios
  3. The Admin Portal
  4. The User Portal
  5. Adding Users to your network and getting connected

Get worldwide Cyber Shield protection in just a few steps

Cyber Shield provides you with:

  • Security: your DNS traffic is encrypted, which eliminates various DNS attacks
  • Access: you avoid being blocked from legitimate websites because of a shared and possibly blacklisted IP address provided by your online security VPN provider
  • Protection: you can block cyber threats and unwanted content

Here is how to get started:

  1. Create an OpenVPN Cloud account and select an identity for your Cloud (for example, cyberone)
  2. Go to the Shield section and turn ON blocking of dangerous and unwanted categories
  3. Download and launch the OpenVPN Connect app.
  4. Add a profile in the Connect app by using your OpenVPN Cloud URL (for example, cyberone.openvpn.com), authenticate, and select a Region to connect to.

Cyber Shield does not tunnel your internet traffic through the VPN. Read the “SaaS Whitelisting by configuring VPN for Secure Access to Internet” configuration scenario below if you want to tunnel all your internet traffic. Read the “Routing Traffic to select internet domains through the VPN tunnel” configuration scenario below if you want to tunnel only internet traffic to specific web destinations.

Configuration Scenarios

OpenVPN Cloud supports many different configuration scenarios, a sample of which we’ll cover here.

To start using Single Sign-On with your VPN, you’ll need to do the following:

  1. Navigate to Settings and use the User Authentication tab to configure the SAML option.
  2. Configure OpenVPN Cloud as an application in your Identity Provider and provide applicable users access to the OpenVPN Cloud application.
  3. Configure OpenVPN Cloud to work with the Identity Provider.
  4. After SAML configuration is done, enable SAML as the user authentication method.

OpenVPN Cloud supports Security Assertion Markup Language (SAML) 2.0 as an identity federation option. Identity federation is the ability to authenticate access to the services of a Service Provider (such as OpenVPN Cloud) using an existing Identity Provider (such as Okta). You can use your existing SAML 2.0 compliant Identity Provider to have your users authenticate before downloading VPN connection profiles, before connecting to the VPN, and when logging in to the User Portal.

Further Reading

See an example of configuring SAML for use of SSO with VPN

To start securing your DNS as an owner, you’ll need to do the following:

  1. Log in to your User Portal.
  2. Download the Connect Client app.
  3. Launch the Connect Client app and import the profile from the User Portal. Read more.

Further Reading

As an owner, you can add others to your VPN by adding them as a User.

Read more about securing DNS requests here.

Domain Name System (DNS) can be thought of as the internet’s directory that is used to find the IP address for a given domain name such as openvpn.net. The IP address is needed for connecting to the webserver, but the DNS query and response are unprotected and anyone on your network can snoop and even modify the responses. Rogue public Wi-Fi hotspots can use this to surreptitiously redirect your browser to phishing websites.

You can secure your DNS traffic simply by connecting to your OpenVPN Cloud VPN. Once connected, all DNS traffic is encrypted and tunneled to the DNS servers configured for your VPN. Note that at this point only DNS traffic is secured; your internet traffic is not yet secured. To secure your internet traffic, please see ‘Configuring a VPN for Secure Access to Internet.’

To provide access to specific services on your private network, you’ll need to do the following:

  1. Add a Host for the service. Optionally, add a domain name for the host. For example, intraweb.company.com. Accessing the Host by name will automatically round-robin traffic to all of the Host’s Connectors.
  2. Add one or more Connectors to the Host.
  3. Install the Connector app on the server providing the service. In the case of multiple Connectors, install one on each server that provides the same service.

Instead of providing remote access to your Network, you can just provide access to specific services on your private network. This can be done by installing the Connector app on the same server that provides the service and then accessing the service by using the VPN IP address of the Connector or via domain name. Use this to secure remote desktop connection to workstations or to remotely access your file, web, and other private servers without enabling remote access to your entire private network.

Further Reading

You can read more about this scenario here

To secure internet traffic by transporting it inside the VPN tunnel, you first need to add a Network that will serve as an egress route for your VPN. This allows all the internet traffic entering your VPN to exit from that Network. The key steps are:

  1. Add one or more Networks. Turn the VPN Egress setting for the network ON.
  2. Install the Connector application on a computer in each Network. This computer will serve as the Internet Gateway.
  3. Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
  4. For each User Group whose internet traffic needs to be secured, change the Internet Access setting to Split Tunnel OFF.

Traffic exiting your network will use the public IP address of the Network Connector. This IP address can now be added to the whitelists of SaaS providers to allow only those employees connected to OpenVPN Cloud to log in to these SaaS applications.

Further Reading

Configuring a VPN for secure access to Internet

Whitelisting access to SaaS

For using OpenVPN Cloud to remotely access your Virtual Private Cloud Networks, or on-premises networks like your office network, follow the steps below:

  1. Add one or more Networks. You can add one or more IP address subnet ranges belonging to your Network that you want to access remotely.
  2. Install the Connector application on a computer in each Network. If you use AWS, then you can install the Network Connector using the CloudFormation template.
  3. Make the needed changes for proper traffic routing.
  4. Add your employees as Users.

To securely connect your private networks distributed among different physical sites or in multiple IaaS Clouds, you’ll need to do the following:

  1. Add a Network for each of the private networks you want to interconnect. You can add one or more IP address subnet ranges belonging to each Network.
  2. Install the Connector application on a computer in each Network. We recommend using a computer running Linux. If you use AWS, then you can install Network Connector using the CloudFormation template.
  3. Make the needed changes for proper traffic routing.

Once the Connectors in your networks establish VPN connections and all the routing configurations are followed, devices on all your connected networks can communicate with each other. Full-mesh access is created in spite of the Network Connectors connecting to different VPN Regions.

Further Reading

Read more about the site-to-site configuration scenario.

If you would just like traffic to a few websites to use the VPN tunnel, similar to per-app VPN, while other traffic goes directly to the internet, follow the steps below:

  1. Add one or more Networks, with the network's subnet IP address ranges, to represent your actual network that has a path to the internet.
  2. Install the Connector application on a computer in each Network.
  3. Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
  4. Announce a route to the public website from one of the Networks by adding the domain of the website to that Network’s configuration. For example, salesforce.com. Once this is done, just the traffic destined to salesforce.com will be routed inside the VPN tunnel, in spite of Internet Access being set to split tunnel ON, and will exit the VPN via the Network configured with that domain name.

Traffic exiting your network will use the public IP address of the Network’s Connector or router. This IP address can now be added to the whitelists of SaaS providers to allow only those employees connected to OpenVPN Cloud to log in to these SaaS applications.
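Both this scenario and the VPN Egress scenario above end with adding the egress IP address to a SaaS provider's whitelist. The following added example (not OpenVPN Cloud code) checks that the whitelist is actually enforced by auditing SaaS sign-in records against it. The log format, the addresses, and the function name are assumptions made for illustration.

```python
import ipaddress

# Assumption: public IPs of the Connectors used for egress (documentation ranges).
EGRESS_ALLOWLIST = ["203.0.113.10/32", "198.51.100.0/29"]

# Constructed sign-in log in a hypothetical "time user src_ip result" format.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice 203.0.113.10 success
2024-05-01T08:05:40Z bob 198.51.100.3 success
2024-05-01T09:17:02Z carol 192.0.2.77 success
2024-05-01T09:18:30Z carol 192.0.2.77 failure
2024-05-01T10:00:00Z dave not-an-ip success
"""

def audit_signins(log_text, allowlist):
    """Return (violations, malformed).

    violations: successful sign-ins whose source IP is outside the allowlist,
                which means the SaaS-side restriction is missing or incomplete.
    malformed:  lines that could not be parsed and need manual review.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in allowlist]
    violations, malformed = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            malformed.append(line)
            continue
        when, user, src, result = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            malformed.append(line)
            continue
        # A rejected attempt from outside is the allowlist working as intended.
        if result == "success" and not any(ip in net for net in nets):
            violations.append((when, user, str(ip)))
    return violations, malformed

if __name__ == "__main__":
    bad, unparsed = audit_signins(SAMPLE_LOG, EGRESS_ALLOWLIST)
    for when, user, ip in bad:
        print(f"sign-in outside VPN egress: {user} from {ip} at {when}")
    print(f"{len(unparsed)} line(s) need manual review")
```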

Further Reading

Routing Traffic to Internet Domains Through VPN

To securely network your private networks distributed among different physical sites, or in multiple IaaS Clouds, that have overlapping IP address ranges, follow the steps below:

  1. Add a Network for each of the private networks you want to interconnect (e.g., network1 and network2 both use 192.168.0.0/16). Because the networks' IP address ranges overlap, you cannot add their IP address subnet ranges; instead, you need to distinguish each network with a unique domain name (e.g., network1.net, network2.net).
  2. Install the Connector application on a computer in each Network. We recommend using a computer running Linux.
  3. Make the needed changes for proper traffic routing. See Connecting Networks to OpenVPN Cloud Using Connectors.
  4. Now that the networks are identified by names, go to the DNS settings page and add DNS records for the servers that need to be reached on each network. For example, video.network1.net to 192.168.0.100 and file.network2.net to 192.168.0.100.

Once the Connectors in your networks establish VPN connections and all the routing configurations are followed, accessing video.network1.net will route to 192.168.0.100 on network1 and file.network2.net will route to 192.168.0.100 on network2.
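The following added example (a planning aid, not OpenVPN Cloud code) finds which networks in an inventory overlap and therefore need domain names instead of subnet ranges, then models how the hostname, not the IP address, selects the destination network. The network1 and network2 values come from the steps above; the "branch" network, the data layout, and the function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: network1/network2 are from the scenario text,
# "branch" is a hypothetical non-overlapping site added for contrast.
NETWORKS = {
    "network1": {"subnets": ["192.168.0.0/16"], "domain": "network1.net"},
    "network2": {"subnets": ["192.168.0.0/16"], "domain": "network2.net"},
    "branch":   {"subnets": ["10.20.0.0/24"],   "domain": None},
}
DNS_RECORDS = {
    "video.network1.net": "192.168.0.100",
    "file.network2.net": "192.168.0.100",
}

def overlapping_pairs(networks):
    """Return sorted (name_a, name_b) pairs whose subnet ranges intersect."""
    pairs = set()
    for (a, cfg_a), (b, cfg_b) in combinations(networks.items(), 2):
        if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in cfg_a["subnets"] for y in cfg_b["subnets"]):
            pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)

def routing_plan(networks):
    """'domain' for networks that clash with another one, 'subnet' otherwise."""
    clashing = {name for pair in overlapping_pairs(networks) for name in pair}
    return {n: ("domain" if n in clashing else "subnet") for n in networks}

def resolve(hostname, networks, records):
    """Map a hostname to (network, ip); the name decides the network."""
    owners = [n for n, cfg in networks.items()
              if cfg["domain"] and hostname.endswith("." + cfg["domain"])]
    if len(owners) != 1:
        raise LookupError(f"{hostname}: expected one owning network, got {owners}")
    net = owners[0]
    ip = ipaddress.ip_address(records[hostname])
    # Catch records that point outside the network they are named after.
    if not any(ip in ipaddress.ip_network(s) for s in networks[net]["subnets"]):
        raise ValueError(f"{hostname}: {ip} is outside the ranges of {net}")
    return net, str(ip)

if __name__ == "__main__":
    print(routing_plan(NETWORKS))
    for host in DNS_RECORDS:
        print(host, "->", resolve(host, NETWORKS, DNS_RECORDS))
```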

Further Reading

Read more about this configuration scenario.

To block access to websites hosting content that is undesirable, follow the steps below:

  1. Access the Shield page in the administration portal, and on the Domain Filtering pane turn Monitoring on.
  2. Click on the edit icon. The Domain Filters window will be displayed.
  3. Select the domain filter categories that you want to block.

Shield checks which content category each domain name being queried belongs in. If a domain name is matched to a category that is configured to be blocked, the domain name is not resolved as expected and a “This site can’t be reached” page is displayed.

Shield effectively blocks traffic bound for the intended destination even if the traffic isn’t passing through the VPN.

Further Reading

Read more about using Shield here.

You can create and assign your Users to different User Groups to create multiple groupings of your employees based on their organizational role or other factors. User Group properties such as the VPN Regions the users are allowed to connect to can be customized. User Groups can also be used in Access Groups to enforce role-based access privileges.

If you provide an email address while adding your employees as Users, OpenVPN Cloud sends them an email invitation with instructions to download the OpenVPN Connect app and use it to log in and connect to OpenVPN Cloud.

Further Reading

User account activation

Downloading profile and connecting

Admin portal

The following modules are available inside the OpenVPN Cloud Admin Portal:

Status

Shows a summary of information about your connections.

Users

Allows you to manage your Users and Groups.

Networks

Allows you to create Networks to connect sites to your VPN, or to enable VPN Egress.

Shield

Configure and use additional security features.

Hosts

Allows you to create Hosts to connect your servers to VPN.

Access

Create custom access rules for your VPN resources.

Settings

Allows you to change settings related to your VPN and Users.

Documentation

Find more information about OpenVPN Cloud capabilities in our knowledge base.

Support Center

Create a support ticket to reach our team with any technical or account-related questions.

User Portal

The website link for the User Portal can be found inside the Users module of the Admin Portal.

Tasks that can be completed inside the user portal include:

  • Downloading and installing the OpenVPN Connect App
  • Viewing instructions to import profile and connect to the VPN.
  • Managing devices.

Read more about the User Portal here

Adding Users to your Network and Getting Connected

Using OpenVPN Connect app

1. Get the App

Download and install OpenVPN Connect. You can get the app you need for your OS right here:

Desktop App
Mobile App

Looking for Linux? Follow these instructions.

2. Launch the App

Once the installation completes, open up the app and read through the license to accept it.

3. Import a profile

In the app, import a profile. Fill out the URL for your OpenVPN Cloud, then enter your username and password. Looking for your password? Check your email. If your administrator has set up SAML, you’ll log in with SSO credentials.

If you can’t find the invitation, ask your administrator to resend it.

Set your new password, complete two-factor authentication (optional), choose a region to connect to (optional), then click Add.

Documentation on connecting users to VPN can be found here:

User Account Activation

User downloading app

Getting profile and connecting