16.4.1. Procedure – Configuring SSL connections

  1. Navigate to the VPN component of the PNS host that will be the endpoint of the VPN connection. Select the Connections tab.

    Configuring SSL (OpenVPN) connections

    Figure 16.13. Configuring SSL (OpenVPN) connections

  2. Click New and enter a name for the connection.

  3. Select the SSL protocol option.

  4. Set the VPN topology in the Scenario section.

    Selecting the SSL (OpenVPN) scenario

    Figure 16.14. Selecting the SSL (OpenVPN) scenario

    To create a Roadwarrior server, select the Roadwarrior server option.

    Select the Peer to Peer option for other topologies.

    Note

    When creating a Network-to-Network connection, the two endpoints of the VPN tunnel are not used to communicate with each other. To encrypt the communication of the endpoints, create a separate Peer-to-Peer connection.

  5. Configure the local networking parameters. These parameters affect the PNS endpoint of the VPN connection.

    Configuring local networking parameters

    Figure 16.15. Configuring local networking parameters

    Set the following parameters in the Listen options section:

    • Local address: Select the IP address that PNS will use for the VPN connection. If PNS should accept incoming VPN connections on every interface, enter the 0.0.0.0 IP address.

    • Port: The port PNS uses to listen for incoming VPN connections. Use the default port (1194) if nothing restricts that.

      Note

      These parameters have no effect if PNS is the client-side of a VPN tunnel and does not accept incoming VPN connections.

    Set the following parameters in the Tunnel settings section:

    • Interface: The name of the virtual interface used for the VPN connection. MS automatically assigns the next available interface.

    • Local: The IP address of PNS as seen from the VPN tunnel. The tun interface will bind to this address, so PNS rules can use this address.

    • Remote: The IP address of the remote endpoint as seen from the VPN tunnel.

    • By default, the VPN connections use the UDP protocol to communicate with the peers. To use the TCP protocol instead, select Protocol > TCP.

    The Local and Remote addresses must be non-routable virtual IP addresses (for example, from the 192.168.0 0 range). These IP addresses are visible only on the tun interface, and are needed for building the VPN tunnel.

    Warning

    The Local and Remote addresses must be specified even for roadwarrior scenarios. Use the first two addresses of the dynamic IP range used for the remote clients.

  6. Configure the networking parameters of the remote endpoint.

    Configuring remote networking parameters

    Figure 16.16. Configuring remote networking parameters

    For Peer-to-Peer scenarios, set the following parameters:

    • Remote address: The IP address of the remote endpoint.

    • Remote port: The port that PNS connects on the remote VPN server. Use the default port (1194) if nothing restricts that.

    • Pull configuration: Download the configuration from the remote endpoint. (Works only if the remote endpoint has its push options specified.)

    • No local bind: Select this option if the PNS host that you are configuring should run in client-mode only, without accepting incoming VPN connections.

    When PNS acts as a roadwarrior server, set the IP address range using the Dynamic address from and Dynamic address to fields. Clients connecting to PNS will receive their IP addresses from this range.

    Note

    The configured address range cannot contain more than 65535 IP addresses.

    Every Windows client needs a /30 netmask (4 IP addresses). Make sure to increase the available address range when you have many Windows clients.

  7. When configuring Peer-to-Peer or Network-to-Network connections, select the Active side option so that PNS initiates the VPN connection to the remote endpoint. If possible, enable this option on the remote endpoint as well.

  8. Click on the Authentication tab and configure authentication.

    Configuring authentication

    Figure 16.17. Configuring authentication

    Set the following parameters:

    • Certificate: Select a certificate available on the PNS host. PNS will show this certificate to the remote endpoint.

    • CA: Select the trusted (Certificate Authority) CA group that includes the certificate of the root CA that issued the certificate of the remote endpoint. PNS will use this CA group to verify the certificate of the remote endpoint.

    Warning

    If several remote endpoints use the same certificate to authenticate, only one of them can be connected to PNS at the same time.

    Note

    See Chapter 11, Key and certificate management in PNS for details on creating and importing certificates, CAs, and trusted CA groups required for certificate-based authentication.

  9. Configure routing for the VPN tunnel. Click on the Routing tab, and add a routing entry for every network that is on the remote end of the VPN tunnel (or located behind the remote endpoint). PNS sends every packet that target these networks through the VPN tunnel. To add a new network, click New, and enter the IP address and the netmask of the network.

    Configuring tunnel routing

    Figure 16.18. Configuring tunnel routing

  10. Configure push options on the Push options tab.

    Configuring push options

    Figure 16.19. Configuring push options

    Tip

    Push options are most often used to set the configuration of roadwarrior clients. For example, it can be used to assign a fix IP address to a specific client.

    Configuring client routing

    Figure 16.20. Configuring client routing

    Click Route to add routing entries for the remote endpoint. These routing entries determine which networks protected by PNS are accessible from the remote endpoint.

    See Section 16.4.2.2, Push options for details.

  11. Set other options as needed. See Section 16.4.2, SSL options for details.