16.4.2. SSL options

Special options of a particular SSL VPN connection can be set on the Options and the Keying tabs.

Note

Do not modify these options unless it is required and you have the necessary expertise.

Figure 16.21. Configuring OpenVPN options

The following options can be set on the Options tab:

  • Keep-alive timeout: PNS pings the remote endpoint periodically. This parameter specifies the time between two ping messages in seconds.

  • Keep-alive delay: The amount of time in seconds that PNS waits for a response to the ping messages. If no response is received within this period, PNS restarts the VPN connection.

  • Verbose: The verbosity level of the VPN tunnel.

  • Compression: Compress the data transferred in the VPN tunnel.

  • Propagate ToS: If enabled and the Type of Service (ToS) parameter of the packet transferred using the VPN is set, PNS sets the ToS parameter of the encrypted packet to the same value.

  • Persistent IP address: Preserve the initially resolved local IP address and the port number across SIGUSR1 or --ping-restart restarts.

  • Persistent TUN Interface: Create a persistent tunnel. Normally TUN/TAP tunnels exist only for the period of time that an application has them open. Enabling this option builds persistent tunnels that live through multiple instantiations of OpenVPN and die only when they are deleted or the machine is rebooted.

  • Duplicate CN: If enabled, multiple clients with the same common name can connect at the same time. If this option is disabled, PNS will disconnect new clients if a client having the same common name is already connected.

  • CCD Exclusive: If enabled, the connecting clients must have a --client-config-dir file configured, otherwise the authentication of the client will fail. This file is generated automatically if the Roadwarrior Server option is enabled on the General tab.

  • Additional options: Enter any additional options you need to set here. Options entered here are automatically appended to the end of the configuration file of the VPN tunnel.

  • SSL engine: Use the specified SSL-accelerator engine.

  • Enable management daemon: Enable a TCP server on an IP port to handle daemon management functions. The password provided is used by the TCP clients to access management functions.

    While the management port is designed for the programmatic control of OpenVPN by other applications, it is possible to telnet to the port using a telnet client in raw mode. Once connected, type help for a list of commands.

  • Handle service manually: Do not start this VPN at boot (omit it from the /etc/default/openvpn file). This VPN will be managed by other processes, such as keepalived or a monitoring system, so you cannot start or stop this tunnel accidentally with the global control button.
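The Options tab settings above end up as directives in the generated OpenVPN configuration file, together with whatever is typed into Additional options. The following audit script is an added example, not PNS code: it parses a constructed OpenVPN server config and flags the settings a defender would want to review before enabling them (a management daemon reachable from the network or without a password, Duplicate CN, a client-config-dir that is not exclusive, a keep-alive delay no longer than the ping interval, compression). The directive names used (keepalive, verb, comp-lzo, passtos, persist-local-ip, persist-tun, duplicate-cn, ccd-exclusive, engine, management, client-config-dir) are standard OpenVPN directives; that PNS renders each tab option to exactly these directives is an assumption of this example, as is the sample config itself.

```python
"""Audit an OpenVPN server config for the Options-tab settings.

Added example, not PNS code. The mapping of GUI options to the OpenVPN
directives below is assumed; the directives themselves are standard OpenVPN.
"""
import shlex
from typing import Dict, List, Tuple

# Constructed sample config (not a real PNS export). The last line stands for
# text typed into "Additional options", which PNS appends to the end of the file.
SAMPLE_CONFIG = """\
keepalive 10 60
verb 3
comp-lzo
passtos
persist-local-ip
persist-tun
duplicate-cn
client-config-dir /etc/openvpn/ccd
engine aesni
management 0.0.0.0 7505
# Additional options (appended verbatim):
push "redirect-gateway def1"
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split an OpenVPN config into (directive, args); '#' and ';' lines are comments."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours quoted arguments such as push "..."
        directives.append((parts[0], parts[1:]))
    return directives


def audit(text: str) -> Dict[str, str]:
    """Return {finding_id: message} for settings a defender should review."""
    conf = parse_config(text)
    present = {name for name, _ in conf}
    findings: Dict[str, str] = {}

    for name, args in conf:
        if name == "management":
            # Forms: "management IP port [pw-file]" or "management socket unix [pw-file]"
            if len(args) >= 2 and args[1] == "unix":
                continue
            if args and args[0] not in LOOPBACK:
                port = args[1] if len(args) > 1 else "?"
                findings["mgmt-exposed"] = (
                    f"management interface listens on {args[0]}:{port}; "
                    "bind it to 127.0.0.1 unless remote control is really needed")
            if len(args) < 3:
                findings["mgmt-no-password"] = (
                    "management interface has no password file; anyone who can reach "
                    "the port can issue daemon commands")
        elif name == "keepalive":
            try:
                interval, restart = int(args[0]), int(args[1])
            except (IndexError, ValueError):
                findings["keepalive-malformed"] = "keepalive needs two integer arguments"
                continue
            if restart <= interval:
                findings["keepalive-restart-too-short"] = (
                    f"restart after {restart}s is not longer than the {interval}s ping "
                    "interval; a single lost ping restarts the tunnel")
        elif name == "verb" and args and args[0].isdigit() and int(args[0]) >= 5:
            findings["verb-high"] = f"verb {args[0]} logs per-packet detail; expect large logs"

    if "duplicate-cn" in present:
        findings["duplicate-cn"] = (
            "several clients may share one certificate; a leaked client key cannot be "
            "told apart from its legitimate user")
    if "client-config-dir" in present and "ccd-exclusive" not in present:
        findings["ccd-not-exclusive"] = (
            "client-config-dir is set but not exclusive: clients without a CCD file still connect")
    if present & {"comp-lzo", "compress"}:
        findings["compression"] = (
            "compression of encrypted traffic is discouraged (OpenVPN 2.4+ warns against it)")
    return findings


if __name__ == "__main__":
    for fid, msg in audit(SAMPLE_CONFIG).items():
        print(f"[{fid}] {msg}")
```

Run it against the configuration file PNS generates for a tunnel (or against the text you intend to paste into Additional options) before enabling the management daemon or Duplicate CN; the management check in particular is worth keeping, because the tab lets you enable the daemon without saying which address it binds to.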

The options of the Keying tab specify the encryption used in the connection. Modify these parameters only if it is necessary for compatibility with the remote endpoint.