This article collects some common questions regarding OpenVPN.
How can I restrict access to certain OpenVPN users?
Any network you export in OpenVPN is reachable by every connected client; OpenVPN itself does not distinguish between users. To allow or deny specific users access to specific resources, use Filter Rules or Firewall rules. More details here: How can I restrict VPN users to a single server or subnet?
Is there a way to set up a password for OpenVPN users?
Yes. Username/password authentication is configured on the server side and can be checked against either Local Directory or RADIUS. Once it is enabled, existing clients must be redeployed (a fresh client config distributed to each device) so that they prompt for the extra authentication.
OpenVPN also supports multifactor authentication: Setting up multi-factor authentication for OpenVPN
Clients are getting disconnected after 60 seconds. Why?
If you have shared a single client config file with more than one device, the two conflict when used at the same time: the server identifies a client by the certificate in its config and allows only one active session per certificate, so when the second device connects, the first is disconnected. After 60 seconds the first device reconnects and disconnects the second, and the cycle repeats.
Each client device must have its own, unique client config file. This is true even if the devices belong to the same user.
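A quick way to catch this before it shows up as a reconnect loop is to scan the client profiles you have handed out and flag any that embed the same client certificate. The script below is an added example, not part of the original article or of the Edge Threat Management product; it assumes the usual inline .ovpn layout in which the client certificate sits between `<cert>` and `</cert>` tags, and the sample profiles and certificate bodies in it are constructed placeholders, not real PEM data.

```python
"""Check a set of OpenVPN client profiles for a shared client certificate.

Added example, not part of the original article or the Edge Threat Management
product. It assumes the usual inline-profile layout, in which the client
certificate is embedded between <cert> and </cert> tags in the .ovpn file.
The sample profiles below are constructed; the certificate bodies are not real.
"""
import hashlib
import re
from collections import defaultdict

# Inline certificate block of an OpenVPN profile (DOTALL so the PEM lines are included).
CERT_BLOCK = re.compile(r"<cert>\s*(.*?)\s*</cert>", re.DOTALL)


def certificate_fingerprint(profile_text):
    """Return a SHA-256 hex digest of the inline client certificate, or None.

    All whitespace is removed before hashing so that the same certificate
    copied with CRLF line endings or extra indentation hashes identically.
    """
    match = CERT_BLOCK.search(profile_text)
    if match is None:
        return None
    pem = "".join(match.group(1).split())
    return hashlib.sha256(pem.encode("ascii")).hexdigest()


def find_shared_certificates(profiles):
    """Group profile names by certificate and keep only groups of size > 1.

    profiles: dict of {profile_name: profile_text}.
    Returns {fingerprint: [profile_name, ...]} for every certificate that is
    embedded in more than one profile. Each such group is a set of devices
    that will fight over a single server session (the 60-second reconnect loop).
    """
    by_cert = defaultdict(list)
    for name, text in profiles.items():
        fingerprint = certificate_fingerprint(text)
        if fingerprint is not None:
            by_cert[fingerprint].append(name)
    return {fp: sorted(names) for fp, names in by_cert.items() if len(names) > 1}


def _make_profile(cert_pem):
    """Build a minimal constructed .ovpn profile around the given certificate."""
    return (
        "client\n"
        "dev tun\n"
        "remote vpn.example.com 1194 udp\n"
        "<ca>\n-----BEGIN CERTIFICATE-----\nConstructedCA\n-----END CERTIFICATE-----\n</ca>\n"
        f"<cert>\n{cert_pem}\n</cert>\n"
        "<key>\n-----BEGIN PRIVATE KEY-----\nConstructedKey\n-----END PRIVATE KEY-----\n</key>\n"
    )


# Constructed certificates: placeholder bodies only, chosen to be distinct.
CERT_ALICE = "-----BEGIN CERTIFICATE-----\nConstructedCertAlice0001\n-----END CERTIFICATE-----"
CERT_BOB = "-----BEGIN CERTIFICATE-----\nConstructedCertBob0002\n-----END CERTIFICATE-----"

# Alice copied one profile onto two devices (the phone copy has Windows line endings);
# Bob has his own profile.
SAMPLE_PROFILES = {
    "alice-laptop.ovpn": _make_profile(CERT_ALICE),
    "alice-phone.ovpn": _make_profile(CERT_ALICE).replace("\n", "\r\n"),
    "bob-laptop.ovpn": _make_profile(CERT_BOB),
}

if __name__ == "__main__":
    for fingerprint, names in find_shared_certificates(SAMPLE_PROFILES).items():
        print(f"certificate {fingerprint[:16]}... is shared by: {', '.join(names)}")
```

Point it at the directory where you keep the distributed profiles (read each file into the `profiles` dict) and anything it reports is a pair of devices that will disconnect each other; the fix is to generate a separate client for each device on the server.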
Can I create site-to-site tunnels with non-Edge Threat Management devices?
For OpenVPN site-to-site tunnels, Edge Threat Management supports only other Edge Threat Management devices as endpoints. Some other products do support OpenVPN, but the ETM Support team cannot assist with setting up site-to-site tunnels to them.
If you need a VPN tunnel to a non-Edge Threat Management device, we recommend using IPsec VPN instead.
How can I get DNS resolution working over my site-to-site tunnel?
The tunnel carries IP traffic, not name resolution: a host resolves names with whatever DNS server it is configured to use, and that server knows nothing about names on the far side of the tunnel. The best solution is not to rely on the tunnel for DNS at all: make sure devices can resolve remote names themselves, either via their HOSTS file (or equivalent) or via entries for the remote names in a local DNS server.
If you can't configure local DNS resolution, here's an approach you can try. Go to Config > Network > DNS Server > Domain DNS Servers, add the IP address of the DNS server on the far side of the tunnel, enter the remote domain in the Domain List column, and use the FQDN when accessing resources (a bare hostname won't match the domain list, so it won't be forwarded). Note that this must be configured on both sides of the tunnel for resolution to work from either side.
How can I allow software clients to resolve DNS over the tunnel?
To allow DNS resolution for software clients you'll need to adjust some OpenVPN settings. If NG Firewall is doing DNS resolution on your network, simply check Push DNS at OpenVPN Settings > Server > Groups for any Group you want DNS resolution exported to. If NG Firewall is not resolving DNS on your network, check Push DNS, set Push DNS Server to "Custom", then enter the IP address of the DNS server(s) under DNS Custom 1 / 2. You may need to use the FQDN when accessing resources across the tunnel.