Configure and deploy OpenVPN Clients for remote users


This article will describe how to enable OpenVPN access for remote users. 

Note: These steps are not intended for use when connected with "console access" (keyboard/mouse/monitor) to your NG Firewall server. It is best to connect to the server remotely via ETM Dashboard, so you have an easy way to navigate to the downloaded VPN client file.


Configure OpenVPN in NG Firewall

The first step is to enable the OpenVPN server on your NG Firewall by navigating to Apps > OpenVPN > the Server tab. On this page, place a check next to "Server Enabled".



The Server tab includes all the configuration for OpenVPN's server functionality.

  • Site Name is the name of this OpenVPN site. A random name is chosen so that it is unique. A new name can be given, but it should be unique across all sites in the organization. For example, if the company name is "MyCompany" then "mycompany" is a bad site name if you have multiple NG Firewall units deployed as it might be used elsewhere. The Site Name must be unique.
  • Address Space defines an IP network/space for the VPN to use internally. The Address Space must be unique and separate from all existing networks and other address spaces on other OpenVPNs. A default will be chosen that does not conflict with the existing configuration.
  • NAT OpenVPN Traffic will NAT all traffic from remote networks to local networks to a local address. This helps solve routing and host-based firewall issues. The default and recommended value is enabled.
  • Site URL shows the URL that remote clients will use to connect to this server. This is just for reference. Verify that this address will resolve and be publicly reachable from remote networks. This URL can be configured in Config > Network > Hostname. You may need to change this if, for instance, you have a private IP address on the External (WAN) network interface rather than a public IP.
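
The uniqueness rules in the list above can be checked for a whole organization before any server is enabled. The following is an added example, not part of the original article or of NG Firewall: the function name, the tuple layout and all sample values are constructed, and comparing site names case-insensitively is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: (site name, address space, Site URL host).
SITES = [
    ("hq-7431", "172.16.10.0/24", "vpn.example.com"),
    ("branch-2210", "172.16.10.128/25", "192.168.1.1"),
    ("HQ-7431", "192.168.2.0/24", "vpn2.example.com"),
]
EXISTING = ["192.168.1.0/24", "192.168.2.0/23"]  # constructed LAN networks


def check_openvpn_plan(sites, existing_networks):
    """Return a list of conflicts in a planned set of OpenVPN servers."""
    problems = []
    spaces = [(name, ipaddress.ip_network(space)) for name, space, _ in sites]
    existing = [ipaddress.ip_network(n) for n in existing_networks]

    # Site Name must be unique (compared case-insensitively: an assumption).
    names = [name.lower() for name, _, _ in sites]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"site name '{dup}' is used more than once")

    # Address Space must be separate from every existing network ...
    for name, space in spaces:
        for net in existing:
            if space.version == net.version and space.overlaps(net):
                problems.append(f"{name}: {space} overlaps existing {net}")

    # ... and from the address space of every other OpenVPN server.
    for (n1, s1), (n2, s2) in combinations(spaces, 2):
        if s1.version == s2.version and s1.overlaps(s2):
            problems.append(f"{n1} and {n2}: {s1} overlaps {s2}")

    # A Site URL that is a literal non-public IP cannot be reached from
    # remote networks. Hostnames are skipped; resolve those separately.
    for name, _, host in sites:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname, not an IP literal
        if not addr.is_global:
            problems.append(f"{name}: Site URL host {host} is not public")
    return problems


if __name__ == "__main__":
    for line in check_openvpn_plan(SITES, EXISTING):
        print(line)
```

An empty result means the plan has no name clashes, no overlapping address spaces and no Site URL that is a literal private address; hostnames still need a DNS lookup from outside the network.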


Next we can add the individual clients. Each remote user will need their own client configured. 

  1. Click Add on the "Remote Clients" sub-tab.
  2. Enter a unique Client Name that will help identify the client.

    • Group will in most cases be "Default Group" (see this Wiki article for more information)
    • Type will be "Individual Client"
  3. Click Done.

  4. Repeat steps 1-3 for additional clients.
  5. Click Save in the lower-right corner to save changes.

Deploying the OpenVPN Client

With clients configured, the next step is deploying the configuration profile to users.

  1. Go to OpenVPN, then browse to the Server tab. Click the Download Client button for a user. This will generate the client installation files.
  2. Select the appropriate installation file for the user's operating system.
  3. Distribute the OpenVPN configuration file to the user through your preferred method (e.g., email, USB drive, Google Drive, Dropbox, shared folder on network, etc.)

    The following steps are for Microsoft Windows only. For macOS/Linux/Android/etc. installation, please see our OpenVPN Wiki page.

  4. Download the Community OpenVPN client here: 
    You can find other Operating System options linked from the OpenVPN wiki.
  5. Run the installer and follow the Installation Wizard:
  6. Open the OpenVPN client and choose to import the profile from a file.
  7. Browse to the configuration profile you obtained in steps two and three.
  8. Click Add.
  9. Toggle the switch to connect.

  • Spencer Kearton

    Can I use a dynamic DNS service like no-ip to access my untangle that's currently in transparent bridge?

  • Daniel Marrero

    You have to change the Public Address setting in Configuration->Administration. Select the option "Use Manually Specified Address" and enter the DNS name there.

  • Brandon Bryant

    Is it possible to deploy this via Group Policy? The /s silent install switch does not work with the packaged client that I downloaded.

  •

    Each user connecting should have their own unique client. If you download each client from the NGFW, then you may be able to push them all out via group policy, but I have never heard of this.
