An Overview of VPN Settings for OpenVPN Access Server
The VPN Settings page allows you to configure options like dynamic or static IP address networks, routing or Network Address Translation (NAT), split tunneling, and DNS settings.
This guide provides an overview of these sections so that you can get started on configuring your network. For detailed information on these settings, refer to the VPN Settings page of the Admin Web UI User Manual.
Dynamic and Static IP Address Networks
By default, OpenVPN Access Server dynamically assigns IP addresses to connecting users. This works like an internal DHCP system, and the default subnet for any new server is 172.27.224.0/20. If necessary, you can change this default subnet by changing the values in the Network Address and # of Netmask bits fields.
A dynamic IP address is one that can and will change. For example, when ‘user_1’ connects to the VPN, the Access Server assigns the IP address 172.27.224.3. As long as the connection is active, that assigned IP address remains the same. However, if the user disconnects, the next time they connect they may be assigned any other available IP address within the subnet.
If you choose to change the default subnet, you must make sure that you don’t choose the same subnet as your internal network. For instance, if you have 192.168.0.0/16 for your office network, you must not assign the same network address and subnet mask to your remote VPN network.
If you have clients that need to maintain a static IP address, you can set this up using the Static IP Address Network and the User Permissions page.
More details on static IP addresses can be found here: Assigning a Static VPN Client IP Address to a User.
Routing and NAT
In the Routing section you can grant your remote users access to private subnets and routes that your server sits on. Depending on your network configuration, you can choose to do this using NAT or routing.
NAT is often the preferred setup. NAT grants VPN clients access to private subnets, and each client’s virtual address is transformed via NAT. This means that the host IP address of the Access Server is used as the source address on client packets that are destined for private subnets.
Routing requires more advanced configurations. In routing mode, you’ll see an additional configuration option: “Allow access from these private subnets to all VPN client IP addresses and subnets”. Here are some example routing setups:
- Site to site VPN Routing explained in detail
- Reach OpenVPN Clients directly from a private network
- How to set up Global Routing
The VPN Settings page also includes an option for split tunneling. Split tunneling determines whether the VPN carries only traffic destined for private subnets or all of the client’s internet traffic.
More details on split tunneling can be found here: Understanding how split tunneling works with OpenVPN Access Server.
If you activate split tunneling, you can set the toggle to No for “Should client Internet traffic be routed through the VPN?” If you set the toggle to No, you must define the private subnets that your clients need to access. Subnets are defined in the “Specify the private subnets to which all clients should be given access (one per line)” field.
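The subnet rule from the Dynamic and Static IP Address Networks section can be checked against the one-per-line private subnets field before the values are saved. The following is an added example, not part of Access Server or its documentation; the function names are hypothetical, and it goes beyond the "same subnet" case in the text by also flagging partial overlaps and malformed entries.

```python
import ipaddress


def parse_private_subnets(field_text):
    """Parse the one-per-line private subnets field.

    Returns (networks, errors); blank lines are ignored.
    """
    networks, errors = [], []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r} is not a valid subnet ({exc})")
    return networks, errors


def check_vpn_subnet(vpn_subnet, private_subnets_text):
    """Return a list of problems; an empty list means no conflict was found."""
    vpn = ipaddress.ip_network(vpn_subnet, strict=True)
    private, problems = parse_private_subnets(private_subnets_text)
    for net in private:
        if net.version != vpn.version:
            continue  # IPv4 and IPv6 ranges cannot collide
        if vpn == net:
            problems.append(f"{vpn} is identical to private subnet {net}")
        elif vpn.overlaps(net):
            problems.append(f"{vpn} overlaps private subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the default VPN subnet and the office
    # network from the text, plus two conflicting proposals.
    office = "192.168.0.0/16\n10.0.0.0/8"
    for candidate in ("172.27.224.0/20", "192.168.0.0/16", "192.168.10.0/24"):
        issues = check_vpn_subnet(candidate, office)
        print(candidate, "->", issues or "no conflict")
```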
You also have the option of listing the internal domains that clients on split tunnels resolve through the DNS servers pushed by Access Server. These domains are managed in DNS resolution zones. This configuration functions like split DNS, where only queries for a specific DNS zone are sent to the VPN server. More details can be found here: Troubleshooting DNS resolution problems.
Some administrators run their own DNS servers to resolve DNS names to private IP addresses, which makes it easier for users to access certain systems. Running a private DNS server can also be an additional security measure, where the DNS server acts as a filter against malicious websites.
You can set up a specific DNS server in the DNS Settings section. When you select Yes for “Have clients use specific DNS servers”, you’ll be able to enter those DNS server addresses as primary and secondary servers.
More details on DNS can be found here:
We’ve provided a general overview of some of the configuration settings on the VPN Network page, which are important steps in completing the setup for your VPN.
Have you already set up the hostname for your server? If not, refer to Setting up your OpenVPN Access Server Hostname.
After that, it’s time to add users: Setting up users.
You can find additional details for final steps here:
- Recommendations to improve security after installation
- Installing a properly signed web SSL certificate
- Access Server Command Line Interface Tools