Title: [SOLVED] EFW 2.5.1-HOWTO config OPENVPN in way to access office LAN from home PC
Post by: bingel on Friday 21 September 2012, 02:00:35 am

I'm trying to configure OpenVPN on my Endian firewall 2.5.1, located in my office, and my OpenVPN client, located in my home.
Here, step by step, is my EFW SERVER configuration:

SERVER CONFIGURATION > GLOBAL SETTINGS:
- OpenVPN server enabled [Yes]
- Bridged [No]
- VPN subnet: [255.255.255.248/29]

ACCOUNTS:
- Username: [myuser]
- Password: [mypwd]
- no other check-boxes flagged and no other data entered in this section

ADVANCED > ADVANCED SETTINGS:
- Port: 1194
- Protocol: UDP
- no other check-boxes flagged and no other data entered in this section

ADVANCED > GLOBAL PUSH OPTIONS:
- no check-boxes flagged and no data entered in this section (all disabled)

ADVANCED > AUTHENTICATION SETTINGS:
- PSK
- no other check-boxes flagged and no other data entered in this section

Here, step by step, is my configuration file for the CLIENT installed on the PC in my home:
Code:
client

Please help me understand what is wrong or missing. Thanks in advance.

PS: I read that you need to set the rules for the VPN firewall. If so, how is it done?

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: jbtaylor79 on Friday 21 September 2012, 06:45:47 am

The entry box "VPN subnet" can be a little misleading. You want to put your VPN network in CIDR notation there. For example, I have entered [10.2.2.0/24].
Hope that helps. If not, I will post my full configuration. -J

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: bingel on Friday 21 September 2012, 09:24:34 am

I will try; however, if you post your full configuration (server, client and VPN firewall), it will surely be appreciated.
PS: did you set any rule for the VPN firewall? Is your EFW version 2.5.1?

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: jbtaylor79 on Friday 21 September 2012, 01:48:40 pm

Endian version 2.5.1 Community
Endian networks
- GREEN = 192.168.10.0/24
- BLUE = 192.168.11.0/24
- ORANGE = 192.168.12.0/24

---------------------------------------------------------------------
OpenVPN Configuration
---------------------------------------------------------------------

OPENVPN
- NOT bridged
- VPN Subnet = 10.2.2.0/24

OpenVPN Account Setup
- Direct all clients through server - [not checked]
- push only global options to this client - [checked]
- push routes to blue and orange - [both checked]
- static ip address: [10.2.2.2/24]
- push nameserver and domain - [both not checked]

OpenVPN advanced settings
- 1194 / UDP
- Block DHCP - [NOT CHECKED]
- don't block traffic - [checked]
- allow multiple - [not checked]

Global push options:
- push these networks - enabled - [0.0.0.0/1 & 128.0.0.0/1] (based on this post: http://www.efwsupport.com/index.php?topic=2989.0)
- push nameserver - enabled - [192.168.10.1]
- push domain - enabled - [localdomain]

---------------------------------------------------------------------
VPN Firewall Configuration
---------------------------------------------------------------------
- source = user
- destination = GREEN, BLUE, ORANGE, OPENVPN SERVER
- Service = <ANY>
- Policy = Allow w/ IPS enabled = checked

---------------------------------------------------------------------

Again, with this configuration I can access all the network resources (fileshares, printers, webpages, etc.) on the GREEN and BLUE networks, but not the ORANGE. I am still trying to figure that one out. However, I can access the Web GUI by going to <https://192.168.12.1:10443>.
---------------------------------------------------------------------
OpenVPN client Config
---------------------------------------------------------------------
client
dev tap
proto udp
remote MY_DYNDNS_ADDRESS 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca MY_CERTIFICATE_FILE_FROM_ENDIAN_OPENVPN_SERVER.pem
auth-user-pass
comp-lzo
verb 3

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: bingel on Friday 21 September 2012, 07:23:57 pm

Thank you very much.
As soon as I get a free moment, I'll try.

PS: I think, but am not sure, that ORANGE and BLUE are disabled on my server. I suppose I'll have to change some settings.

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: bingel on Monday 24 September 2012, 09:22:14 pm

Configuration tried. It doesn't run.
I also tried a few variations, but no luck. Is 192.168.10.1 your green IP address?

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: bingel on Tuesday 25 September 2012, 05:55:25 am

Configuration retried this evening at home with more time.
Now it works, but in "advanced settings" I had to remove network "0.0.0.0/1" from pushing. I think I can clean my configuration even more (i.e. disabling "nameserver pushing", which I don't need).

Differences between my network and yours, and a summary of the changes made to my configuration (as a reminder and to help other people in the same situation):
- I have only two zones: red and green.
- In "account setup" I do not have a check-box for pushing routes to blue and orange because, as just said, I have only two zones (green and red).
- My nameserver (for pushing) is 192.168.1.254, corresponding to the IP I assigned to my green ethernet card (but I think I could remove this setting, as I already said, because I think I don't need it... tomorrow I will try). Yours is 192.168.10.1 (each user can use a different address). EDIT: I've just tried, and removing this setting does not affect the VPN connection.
- To let my VPN work I had to remove network "0.0.0.0/1" from pushing (in advanced settings).

Despite my bad English I hope I was clear enough.

Title: Re: [EFW 2.5.1] HOW-TO configure OPENVPN in way to access office LAN from home PC
Post by: bingel on Tuesday 25 September 2012, 06:01:56 am

Only one problem remains to be solved: from the home PC, although I'm able to ping it, I'm not able to access the Endian firewall, neither via web nor via SSH.
EDIT: solved by adding a pair of rules in FIREWALL > SYSTEM ACCESS:

1) for enabling SSH access on EndianFW (for any PC connected via VPN):
Code:
- source address [empty]

2) for enabling WEB access on EndianFW (for any PC connected via VPN):
Code:
- source address [empty]

Title: Re: [SOLVED] EFW 2.5.1-HOWTO config OPENVPN in way to access office LAN from home PC
Post by: bingel on Wednesday 26 September 2012, 07:18:52 am

To avoid entering a username and password each time you connect, you can follow these guides. I tested them and they work:
- https://endian.zendesk.com/entries/21292467-how-to-manage-ca-server-and-client-certificates-with-easy-rsa-for-openvpn
- https://endian.zendesk.com/entries/21295816-how-to-configure-endian-utm-appliance-to-use-openvpn-certificate-authentication
- https://endian.zendesk.com/entries/21295696-how-to-configure-windows-openvpn-client-with-certificate-authentication
- https://endian.zendesk.com/entries/21285883-how-to-configure-linux-openvpn-client-with-certificate-authentication
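The thread turns on three checks worth automating before touching the GUI: the "VPN subnet" field wants a private network in CIDR form (jbtaylor79's 10.2.2.0/24, not the netmask-style 255.255.255.248/29 from the first post), that network must not overlap the GREEN/BLUE/ORANGE zones it is meant to route to, and pushing 0.0.0.0/1 together with 128.0.0.0/1 is a full-tunnel default route in disguise, which is why dropping 0.0.0.0/1 changed bingel's result. The script below is an added example, not code from this thread or from Endian; the zone addresses are the ones jbtaylor79 posted, and the function names are my own.

```python
"""Sanity checks for an Endian-style routed OpenVPN setup (added example, not Endian code)."""
from ipaddress import IPv4Network, ip_network

# RFC 1918 blocks: a routed (non-bridged) VPN subnet should come from one of these.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Zones as posted by jbtaylor79; bingel's setup has only GREEN (192.168.1.0/24).
ZONES = {"GREEN": "192.168.10.0/24", "BLUE": "192.168.11.0/24", "ORANGE": "192.168.12.0/24"}


def check_vpn_subnet(vpn_subnet: str, zones: dict) -> list:
    """Return a list of problems with the 'VPN subnet' value (an empty list means OK)."""
    problems = []
    try:
        net = ip_network(vpn_subnet)  # strict: host bits must be zero, e.g. 10.2.2.0/24
    except ValueError as exc:
        return [f"'{vpn_subnet}' is not a CIDR network: {exc}"]
    if not isinstance(net, IPv4Network):
        return [f"{net} is not an IPv4 network"]
    if not any(net.subnet_of(block) for block in RFC1918):
        # 255.255.255.248/29 parses as a network, but it is a netmask, not an address range.
        problems.append(f"{net} is not inside an RFC 1918 private block (did you enter a netmask?)")
    if net.prefixlen > 30:
        problems.append(f"{net} leaves no room for the server address plus clients")
    for name, cidr in zones.items():
        zone = ip_network(cidr, strict=False)  # accept interface addresses like 192.168.1.254/24
        if net.overlaps(zone):
            problems.append(f"{net} overlaps the {name} zone {zone}; routes to it would conflict")
    return problems


def covers_all_ipv4(pushed_routes) -> bool:
    """True if the pushed routes together cover all of IPv4, i.e. behave as a default route."""
    nets = sorted((ip_network(r) for r in pushed_routes), key=lambda n: int(n.network_address))
    next_needed = 0  # first address not yet covered, walking upward from 0.0.0.0
    for n in nets:
        if int(n.network_address) > next_needed:
            return False  # a gap before this route: not a full tunnel
        next_needed = max(next_needed, int(n.broadcast_address) + 1)
    return next_needed == 2 ** 32


if __name__ == "__main__":
    for candidate in ("255.255.255.248/29", "10.2.2.0/24", "192.168.10.0/24"):
        print(candidate, "->", check_vpn_subnet(candidate, ZONES) or "OK")
    print("0.0.0.0/1 + 128.0.0.0/1 is a full tunnel:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
    print("128.0.0.0/1 alone is a full tunnel:", covers_all_ipv4(["128.0.0.0/1"]))
```

Run against the thread's values it flags 255.255.255.248/29 as outside RFC 1918, accepts 10.2.2.0/24, and confirms that the 0.0.0.0/1 + 128.0.0.0/1 pair routes everything through the VPN while 128.0.0.0/1 alone only routes the upper half.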