  1. #1
    Untangler
    Join Date
    Apr 2009
    Posts
    59

    Use enterprise CA for OpenVPN

    Hi Untanglers.

    I want to utilize Windows 10's device tunnel feature with the Untangle OpenVPN app.

    I would like to use our enterprise (Windows) CA which automatically provides certificates to each of our workstations. I would like the OpenVPN app to recognize those certificates and allow authentication. I would then configure the Windows VPN client using some GPO policies to connect to the OpenVPN server.

    Is this possible? Does it sound feasible?

    I see some advanced settings around certificates, and I'm not sure how they are utilized, if necessary.

    Thanks!

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,725

    Windows tunnel feature is L2TP, which is a completely different standard than OpenVPN. You will need to install the OpenVPN client on Windows to use the OpenVPN app on UT, or use the IPsec app on UT to connect to the Windows built-in VPN.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untangler
    Join Date
    Apr 2009
    Posts
    59

    Ok, that is good information. Let's suppose I figure out how to install the OpenVPN client and make it pull a computer certificate for authentication. Is there a way to make Untangle trust them?

    I want an automated deployment of remote access. I don't want to have to create connections in OpenVPN. I would like for it to trust certificates signed by our internal CA.

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,725

    There is no supported way to override the certificate, as each client has an individual certificate by the nature of OpenVPN. If the goal is to automate the deployment of VPN, I would use the IPsec / L2TP app on UT and the built-in Windows VPN client, and use the RADIUS method for authentication. There are Windows built-in methods to deploy this type of VPN.
    Last edited by jcoffin; 10-03-2018 at 08:17 PM.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,276

    If you want to automate VPN rollouts, you abandon use of Untangle for VPN entirely and deploy an SSTP VPN on a Windows server, and configure group policy to push it out to users based on group membership.

    If you want a secure VPN, that's stable and consistent, while being easy to use for both users and admins, you use OpenVPN.

    L2TP is just a headache...

    But no, doing a certificate authority with OpenVPN won't do you any good. It's direct issued certificate authentication, it's not part of a chain, it's not supposed to be part of a chain.
    Last edited by sky-knight; 10-03-2018 at 11:38 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangler
    Join Date
    Apr 2009
    Posts
    59

    After playing with the Windows VPN server a bit more I have some more clarity on this. It does look like the IPSec VPN app does have that functionality. I had trouble finding a guide really on how to configure this for always on VPN clients, other than with iOS.

    I have some questions:
    - What is the IPSec preshared key for, because that can't be configured in any Windows VPN IKEv2 connection.
    - Is the traffic NAT'd or directly routed to other networks from Untangle? Is there an option for that? Maybe use NAT rules?
    - How are the routes advertised to the client that I want to tunnel through the VPN? I want to use split-tunneling.

    Anyways, I'm not asking you to answer all of those, although you can. Just looking for a guide somewhere that may cover the deployment of an always on VPN using Untangle IPSEC and RADIUS for Windows clients?

    Thanks again for your help.

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,725

    - IPSec preshared key is for site to site connections. Not used for L2TP.
    - L2TP is routed based on the Pool.
    - I'm not clear on what you are asking. L2TP is always split-tunnel. Xauth is full tunnel.

    Tech Talk on using IPsec on Untangle. https://www.youtube.com/watch?v=xR5wkydTtMs&t=4s