OpenVPN is a widely-used open-source VPN solution that enables secure communication over the internet by creating encrypted tunnels between remote clients and a server. When configured on iShield, OpenVPN acts as the central point for remote access, allowing users to connect to the internal network securely from anywhere.
OpenVPN Server Setup
Generate the Server Certificate
Select Server Certificates in the OpenVPN tab.
Select the Generate Server Key button.
Enter a Server Certificate Name (e.g. office), then select Generate Certificate.
Generate Client Certificates
Select the edit icon for the newly created Certificate Name.
Select the Create Client Key button.
Enter the name of the remote user in the Client Certificate Name field (e.g. JohnDoe).
Select the Generate Certificate button to create the client certificate.
Configure OpenVPN Server
In the OpenVPN tab, select Configurations.
Select the Add OpenVPN Config button.
Config Name: The name of the VPN server, (e.g. officevpn).
Config Mode: Select Server.
Select Create Config to create and configure the new server.
Config Name: Displays the name of the server created earlier (officevpn).
Config Mode: Select between Server or Client, leave this on the Server option.
Network Mask: Enter the network range that will be used for VPN connections (e.g. 172.16.16.0/24). Ensure the VPN server network range differs from any LAN or VLAN ranges to avoid configuration conflicts.
Keep Alive: Set the keep-alive settings to ensure that the VPN connection remains active. The default values are every 30 seconds, with a timeout after 120 seconds.
Protocol: Select the desired protocol for VPN communication. The default selection is TCP.
Port: Specify the port for OpenVPN communication. The default port number is 1194.
Key: Select the certificate that was created earlier (office).
Max Clients: Define the maximum number of clients that can connect simultaneously.
Enforce MFA: Enable or disable multi-factor authentication (MFA) for VPN connections by selecting either True or False.
Select the Manage MFA Credentials button to create MFA logins if the Enforce MFA option is set to True.
Select the Add MFA credential button to create a new MFA login.
Username: enter the username for the account (e.g. JohnDoe). Note: the username is case-sensitive.
ClientKey Restriction: Select the client key that was created earlier (JohnDoe) during certificate creation to apply MFA to a specific user, or any client key to apply the MFA account to any client. It's recommended to apply MFA to individual client certificates for increased security.
Auth Type: Select either 2FA (one time pin) or Password. If Password is selected, enter the password.
Select Save changes to create the login. If 2FA (one time pin) was selected, select the edit icon for the newly created account, then select View TFA Token to view the QR code that will be provided to the client.
MFA Renegotiation: Set the renegotiation interval for MFA (in seconds). The default value is 3600 (1 hour). This will require MFA to be renegotiated when a session reaches the specified time. Enter 0 seconds to disable renegotiation requirements.
Add Push Routes: Define the routes that will be pushed to connected VPN clients. These routes allow clients to access the LAN subnets behind the VPN. (e.g. 192.168.20.0/24). If clients require access to VLANs, enter these network ranges here as well.
Add Client Routes: If needed, add routes that apply only to specific clients, such as remote sites. This field is usually left blank for remote users.
Add DHCP Options: Optionally, specify custom DHCP options for VPN clients:
DNS Server: e.g. the internal domain controller.
WINS Server: e.g. an internal legacy WINS server.
Domain: e.g. company.local
Select the Create Config button to finalise the creation of the new VPN server.
Note: If MFA was enabled, the client will be prompted to enter their username (case-sensitive) and password. The password will either be the custom password, or the OTP code generated from the client's MFA authenticator app.
Soft Reload the iShield to apply the changes.
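The address-plan rules in the steps above (the VPN pool must not overlap any LAN or VLAN range, push routes must cover the networks clients need, and a DNS server handed out via DHCP options must be reachable through one of those routes) can be checked before the config is created. The script below is an added example and is not part of iShield or OpenVPN; the VPN pool, LAN range, push routes and DNS server are constructed from the example values on this page, and the 192.168.30.0/24 VLAN is an assumed extra range.

```python
import ipaddress

# Constructed example values based on this page: the VPN pool, the LAN and an
# assumed VLAN behind the iShield, the routes pushed to clients, and the DHCP
# options handed out to them.
VPN_POOL = "172.16.16.0/24"
LOCAL_NETWORKS = {
    "lan": "192.168.20.0/24",
    "vlan10": "192.168.30.0/24",   # assumed VLAN range, not from the page
}
PUSH_ROUTES = ["192.168.20.0/24", "192.168.30.0/24"]
DHCP_OPTIONS = {"DNS": "192.168.20.250", "DOMAIN": "company.local"}


def parse_networks(values):
    """Parse CIDR strings; return (list of networks, list of error messages)."""
    networks, errors = [], []
    for value in values:
        try:
            # strict=True rejects host bits set, e.g. 192.168.20.1/24
            networks.append(ipaddress.ip_network(value, strict=True))
        except ValueError as exc:
            errors.append(f"invalid network {value!r}: {exc}")
    return networks, errors


def check_openvpn_plan(vpn_pool, local_networks, push_routes, dhcp_options):
    """Return a list of problems in an OpenVPN address plan (empty means OK)."""
    pools, problems = parse_networks([vpn_pool])
    if not pools:
        return problems
    pool = pools[0]

    local = {}
    for name, value in local_networks.items():
        nets, errors = parse_networks([value])
        problems += errors
        if nets:
            local[name] = nets[0]
    routes, errors = parse_networks(push_routes)
    problems += errors

    # 1. The VPN pool must not overlap any LAN or VLAN range.
    for name, net in local.items():
        if pool.overlaps(net):
            problems.append(f"VPN pool {pool} overlaps {name} ({net})")

    # 2. Each push route must be a network behind the server, not the pool
    #    itself and not some range the server cannot actually reach.
    for route in routes:
        if route.overlaps(pool):
            problems.append(f"push route {route} overlaps the VPN pool {pool}")
        elif not any(route.version == net.version and route.subnet_of(net)
                     for net in local.values()):
            problems.append(f"push route {route} is not inside any known LAN/VLAN")

    # 3. A DNS server pushed via DHCP options must lie inside a pushed route,
    #    otherwise clients receive a resolver they cannot reach over the tunnel.
    dns = dhcp_options.get("DNS")
    if dns:
        try:
            addr = ipaddress.ip_address(dns)
        except ValueError as exc:
            problems.append(f"invalid DNS server {dns!r}: {exc}")
        else:
            if not any(addr in route for route in routes):
                problems.append(f"DNS server {addr} is not covered by any push route")
    return problems


if __name__ == "__main__":
    result = check_openvpn_plan(VPN_POOL, LOCAL_NETWORKS, PUSH_ROUTES, DHCP_OPTIONS)
    for line in result or ["address plan OK"]:
        print(line)
```

Run it with the page's values and it reports nothing; change the pool to 192.168.20.0/24, or drop the LAN from the push routes while still pushing the 192.168.20.250 DNS server, and it names the conflict.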
OpenVPN Client
Under the OpenVPN tab, select Server Certificates from the menu.
Select the edit icon for the server certificate (e.g. office).
Download the certificate file (typically the ovpn icon) to your local machine.
Download and install the OpenVPN Client: Visit OpenVPN’s official download page.
Launch the installed OpenVPN client on the user’s machine.
In the OpenVPN application, select UPLOAD FILE.
Navigate to the directory where the previously downloaded certificate file (with an .ovpn extension) is stored.
Click BROWSE and select the file.
After uploading the certificate, you should now see the server configuration listed within the OpenVPN client.
Click Connect to establish a secure connection to the VPN server configured on iShield.
Revoke Client Certificates
By revoking a certificate, the VPN server will reject any connection attempts from the client associated with that certificate, improving security and maintaining control over who can access the VPN. This is typically done when:
A device is lost or compromised: If a device that was previously granted access to the VPN is lost, stolen, or compromised, revoking its certificate prevents unauthorised access.
Security breaches: If a user’s credentials or keys are suspected to have been leaked or compromised, revoking the certificate ensures that the compromised key cannot be used to establish a VPN connection.
User/device decommissioning: When a user no longer requires VPN access, or their device is no longer in use, revoking their certificate is a clean way to remove access.
To revoke a client certificate:
Under the OpenVPN tab on the OpenVPN Configuration page, select Server Certificates from the menu.
Select the edit icon for the server certificate (e.g. office).
Select the revoke icon to revoke the certificate.
Note: revoking a certificate is a permanent action and cannot be undone.
WireVPN makes use of WireGuard, a modern, lightweight VPN protocol designed to be simple, fast, and secure. When configured on iShield, WireGuard provides a streamlined approach to secure remote access and is the preferred solution for site-to-site deployments.
The steps outlined below assume the following:
The main office network range is 192.168.20.0/24
A domain controller with DNS Server services has a configured IP address of 192.168.20.250.
The branch office network range is 192.168.50.0/24
WireVPN Server (Main Office)
Select the WireVPN tab in the VPN Configuration screen.
Select the Add WireVPN Config button.
Config Name: Enter a name for your WireVPN configuration (e.g. mainoffice).
Listen Port: Set the port for incoming connections (e.g. 51821).
Private Key: Generate your private key. This key should be kept secure and not shared.
Public Key: This is automatically generated based on your private key.
Interface: Choose any available network interface (e.g. wg0).
IP Address: Specify the IP address for the WireGuard interface (e.g. 172.16.16.1) and subnet mask (255.255.255.0, i.e. /24).
Remote Peers: Select the Add Peer button.
Peer Name: Enter a descriptive name for the peer (e.g. branch1).
Peer Public Key: This key should be obtained from the peer device that will connect to the WireGuard server.
Preshared Key: Optional additional shared secret used alongside WireGuard’s public/private keys to add an extra layer of security. When configured on both peers, the preshared key provides post-quantum resistance and helps protect encrypted traffic even if a device’s private key is later compromised.
Peer Endpoint: Input the IP address or hostname of the remote peer (e.g. branch1.is5.co.za).
Peer Endpoint Port: Specify the port that the peer will use to connect (e.g. 51822). This would usually be unique to each peer.
Keep Alive: Set the keep-alive interval in seconds (e.g. 25). A value of 0 disables keep-alive.
Select the Add Networks button.
Enter the required network ranges located on the remote site (e.g. 192.168.50.0/24). Ensure the remote peer's tunnel IP is added here as well (e.g. 172.16.16.2/32 for the branch1 peer).
Select the Update Peer button to save changes.
If you're adding another branch peer, click on Add Networks and enter the necessary details.
After entering all the necessary details, click the Update WireVPN Config button to save the changes.
WireVPN Server (Branch Office)
Select the WireVPN tab in the VPN Configuration screen.
Select the Add WireVPN Config button.
Config Name: Enter a name for your WireVPN configuration (e.g. branchoffice).
Listen Port: Set the port for incoming connections (e.g. 51822).
Private Key: Generate your private key. This key should be kept secure and not shared.
Public Key: This is automatically generated based on your private key.
Interface: Choose any available network interface (e.g. wg0).
IP Address: Specify the IP address for the WireGuard interface (e.g. 172.16.16.2) and subnet mask (255.255.255.0, i.e. /24).
Remote Peers: Select the Add Peer button.
Peer Name: Enter a descriptive name for the peer (e.g. main).
Peer Public Key: This key should be obtained from the peer device that will connect to the WireGuard server.
Preshared Key: Optional additional shared secret used alongside WireGuard’s public/private keys to add an extra layer of security. When configured on both peers, the preshared key provides post-quantum resistance and helps protect encrypted traffic even if a device’s private key is later compromised.
Peer Endpoint: Input the IP address or hostname of the remote peer (e.g. main.is5.co.za).
Peer Endpoint Port: Specify the port that the peer will use to connect (e.g. 51821). This would usually be unique to each peer.
Keep Alive: Set the keep-alive interval in seconds (e.g. 25). A value of 0 disables keep-alive.
Select the Add Networks button.
Enter the required network ranges located on the remote site (e.g. 192.168.20.0/24). Ensure the remote peer's tunnel IP is added here as well (e.g. 172.16.16.1/32 for the main peer).
Select the Update Peer button to save changes.
If you're adding another branch peer, click on Add Networks and enter the necessary details.
After entering all the necessary details, click the Update WireVPN Config button to save the changes.
WireVPN Client
Navigate to the WireGuard Installation Page to download and install the appropriate client for your device.
Launch the WireGuard app on your device. Select the down arrow next to the Add Tunnel button.
Choose the Create Empty Tunnel option to start with a blank configuration.
Copy the following template and paste it into the Edit tunnel window below the last line:
ListenPort = 51825
Address = 172.16.16.5/32
DNS = 192.168.20.250
[Peer]
PublicKey = paste-the-Public-Key-from-mainserver-here
PresharedKey = paste-the-Preshared-Key-from-mainserver-here
AllowedIPs = 192.168.20.0/24, 172.16.16.1/32
Endpoint = main.is5.co.za:51821
PersistentKeepalive = 25
[Peer]
PublicKey = paste-the-Public-Key-from-branch1server-here
PresharedKey = paste-the-Preshared-Key-from-branch1server-here
AllowedIPs = 192.168.50.0/24, 172.16.16.2/32
Endpoint = branch1.is5.co.za:51822
PersistentKeepalive = 25
Select Save to save the tunnel configuration.
Click on the Activate button to initiate the VPN connection.
Note: The client peer must be added to the peer configuration of each WireVPN server to ensure access to their respective networks as required.
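The two server procedures and the client template above describe a single topology: each site lists the other site (and the roaming client) as a peer, with the remote LAN range and the remote tunnel /32 under that peer's networks, and the client lists both servers. The script below is an added example and is not part of iShield or WireGuard. It models that topology using the page's example addresses, ports and hostnames, renders a configuration in the same [Interface]/[Peer] layout as the client template for any node, and checks the consistency rules the page relies on: both sides of every link list each other (the note above), at least one side of each link has an endpoint to dial, and no two peers on one interface claim overlapping AllowedIPs (WireGuard routes each prefix to exactly one peer). All key values are placeholders; real keys come from each device's configuration screen, and the "laptop" node is a constructed name for the roaming client.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One WireGuard endpoint: a WireVPN server or a roaming client."""
    name: str
    tunnel_ip: str               # address on the wg interface (e.g. 172.16.16.1)
    listen_port: int
    endpoint: Optional[str]      # public hostname; None for a client that only dials out
    networks: List[str]          # LAN ranges reachable behind this node
    public_key: str              # placeholder here; real keys come from each device
    peers: List[str] = field(default_factory=list)  # names listed under Remote Peers
    iface_prefix: int = 24       # prefix length of the interface address
    dns: Optional[str] = None    # DNS server pushed to this node (clients only)


# Constructed topology from the page's example values; keys are placeholders.
TOPOLOGY = [
    Node("main", "172.16.16.1", 51821, "main.is5.co.za",
         ["192.168.20.0/24"], "<main-public-key>", ["branch1", "laptop"]),
    Node("branch1", "172.16.16.2", 51822, "branch1.is5.co.za",
         ["192.168.50.0/24"], "<branch1-public-key>", ["main", "laptop"]),
    Node("laptop", "172.16.16.5", 51825, None,
         [], "<laptop-public-key>", ["main", "branch1"], 32, "192.168.20.250"),
]


def allowed_ips(node):
    """What a *remote* peer must list under AllowedIPs to reach this node."""
    return node.networks + [f"{node.tunnel_ip}/32"]


def check_topology(nodes):
    """Return a list of configuration problems (empty list means consistent)."""
    by_name = {n.name: n for n in nodes}
    problems, seen_ips = [], {}
    for n in nodes:
        if n.tunnel_ip in seen_ips:
            problems.append(f"{n.name} and {seen_ips[n.tunnel_ip]} share tunnel IP {n.tunnel_ip}")
        seen_ips[n.tunnel_ip] = n.name
        claimed = {}   # prefix -> peer that owns it on this node's interface
        for peer_name in n.peers:
            peer = by_name.get(peer_name)
            if peer is None:
                problems.append(f"{n.name} lists unknown peer {peer_name}")
                continue
            # Both sides of a link must list each other (the page's note).
            if n.name not in peer.peers:
                problems.append(f"{n.name} lists {peer_name}, but {peer_name} does not list {n.name}")
            # One side must have an endpoint, or nobody can start the handshake.
            if n.endpoint is None and peer.endpoint is None:
                problems.append(f"neither {n.name} nor {peer_name} has an endpoint")
            # WireGuard routes each prefix to exactly one peer per interface.
            for prefix in allowed_ips(peer):
                net = ipaddress.ip_network(prefix, strict=False)
                for other_net, owner in claimed.items():
                    if net.overlaps(other_net):
                        problems.append(f"{n.name}: {net} for {peer_name} overlaps {other_net} for {owner}")
                claimed[net] = peer_name
    return problems


def render_config(node, nodes, private_key="<paste-private-key-here>"):
    """Render a WireGuard config for `node` in the same layout as the client template."""
    by_name = {n.name: n for n in nodes}
    lines = ["[Interface]",
             f"PrivateKey = {private_key}",
             f"ListenPort = {node.listen_port}",
             f"Address = {node.tunnel_ip}/{node.iface_prefix}"]
    if node.dns:
        lines.append(f"DNS = {node.dns}")
    for peer_name in node.peers:
        peer = by_name[peer_name]
        # PresharedKey is omitted here; when used it must be set on both sides of the link.
        lines += ["", "[Peer]",
                  f"PublicKey = {peer.public_key}",
                  f"AllowedIPs = {', '.join(allowed_ips(peer))}"]
        if peer.endpoint:
            lines.append(f"Endpoint = {peer.endpoint}:{peer.listen_port}")
        lines.append("PersistentKeepalive = 25")
    return "\n".join(lines)


if __name__ == "__main__":
    for line in check_topology(TOPOLOGY) or ["topology is consistent"]:
        print(line)
    print()
    print(render_config(TOPOLOGY[2], TOPOLOGY))
```

Rendering the laptop node reproduces the client template above (with the main and branch1 peers, their AllowedIPs and endpoints); rendering the main node shows the laptop peer with no Endpoint line, since a roaming client has no fixed address and must initiate the connection itself. Removing "laptop" from one server's peer list is the mistake the note above warns about, and check_topology reports it.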