NG Firewall Connect Apps

Captive Portal

Captive Portal allows administrators to require network users to log in or accept a network usage policy before accessing the internet.



Captive Portal can authenticate users against NG Firewall's built-in Local Directory, Active Directory (if Directory Connector is installed), or RADIUS. It can be used to set up policies (for Policy Manager) by username (or group name if using Active Directory) rather than IP. While Captive Portal is running, captured machines will be forced to authenticate (or just press OK) on the Captive Portal page before they are able to access the internet.

Captive Portal is a common technique for identifying users on the network, as described in Users.

Getting Started with Captive Portal

After installing Captive Portal, complete the following steps to get it working:

  1. Define which machines will be captured and required to complete the Captive Portal process before accessing the Internet - enabling the first example rule in the Capture Rules table will force all machines on the internal interface to use Captive Portal.
  2. Enter any IPs that unauthenticated machines will need to access - these can be entered in the Pass Listed Server Addresses section of the Passed Hosts tab.
  3. Enter any IPs that always need access to the internet - these can be entered in the Pass Listed Client Addresses section of the Passed Hosts tab.
  4. Customize the Captive Portal page on the Captive Page tab. If Basic Login is chosen, set the appropriate authentication method for users on the User Authentication tab.
  5. Turn on Captive Portal.

At this point, Captive Portal will evaluate your Capture Rules, and any traffic that matches will be stopped until that user has completed the Captive Portal process.

Settings

This section reviews the different settings and configuration options available for Captive Portal.

Status

This tab shows the current status of Captive Portal. You can see information about currently captured IPs, such as the username and other session information. You can also log out any active session.

Figure 1. Captive Portal Status

Capture Rules

The Capture Rules tab allows you to specify rules to Capture or Pass traffic that crosses the NG Firewall.

The Rules page describes how rules work and how they are configured. Captive Portal uses rules to determine whether to capture or pass each network session. The rules are evaluated in order, and on the first match the configured action is applied. If no rules match, the traffic is allowed by default.

If the action is Pass, the session is passed regardless of the client's authentication status. If the action is Capture, the session is "captured," which means one of several things depending on the client's state and the session's protocol and destination port:
  • If the client is authenticated, the session is passed.
  • If the client is not authenticated, the protocol is TCP and the destination port is 80, a redirect to the captive portal page is sent.
  • If the client is not authenticated, the protocol is TCP and the destination port is 443, a redirect to the captive portal page is sent. (The certificate will not match, because the captive portal is not the server the browser requested.)
  • If the client is not authenticated and the destination port is 53, a DNS response is sent after the packet is validated as a well-formed DNS request.
  • If the client is not authenticated and the destination port is anything other than 53, 80 or 443, the session is blocked.
Figure 2. Capture Rules Tab
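The following is an added illustration, not NG Firewall code: a small model of the capture decision described above (first-match rule evaluation, Pass versus Capture, and the four outcomes for an unauthenticated client on a captured session), including the Passed Hosts lists and the "Block instead of capture and redirect unauthenticated HTTPS connections" option from the Session Redirect settings. The rule condition names (source interface, destination network), the dataclasses, and the assumption that Passed Hosts are checked before the rules are all assumptions made for the example; DNS payload validation is omitted.

```python
"""Constructed model of Captive Portal's per-session decision (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Session:
    src: str            # client IP
    dst: str            # destination IP
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    src_interface: str  # interface the session arrived on (assumed rule condition)


@dataclass
class Rule:
    action: str                          # "capture" or "pass"
    src_interface: Optional[str] = None  # condition: source interface name
    dst_network: Optional[str] = None    # condition: destination inside this CIDR
    enabled: bool = True

    def matches(self, s: Session) -> bool:
        # Every configured condition must hold; unset conditions match anything.
        if self.src_interface is not None and s.src_interface != self.src_interface:
            return False
        if self.dst_network is not None and ip_address(s.dst) not in ip_network(self.dst_network):
            return False
        return True


@dataclass
class CaptivePortal:
    rules: list
    pass_clients: set = field(default_factory=set)   # Pass Listed Client Addresses
    pass_servers: set = field(default_factory=set)   # Pass Listed Server Addresses
    authenticated: set = field(default_factory=set)  # client IPs that completed the portal
    block_https: bool = False  # "Block instead of capture and redirect unauthenticated HTTPS"

    def decide(self, s: Session) -> str:
        """Return "pass", "redirect", "dns-reply" or "block" for one session."""
        # Passed Hosts are honoured regardless of rules or authentication (assumed ordering).
        if s.src in self.pass_clients or s.dst in self.pass_servers:
            return "pass"
        # First matching enabled rule wins; no match means the traffic is allowed.
        action = "pass"
        for r in self.rules:
            if r.enabled and r.matches(s):
                action = r.action
                break
        if action == "pass" or s.src in self.authenticated:
            return "pass"
        # Unauthenticated client on a captured session:
        if s.proto == "tcp" and s.dport == 80:
            return "redirect"
        if s.proto == "tcp" and s.dport == 443:
            # The redirect causes a certificate mismatch; the option turns it into a block.
            return "block" if self.block_https else "redirect"
        if s.dport == 53:
            return "dns-reply"  # answered so the portal hostname can still be resolved
        return "block"


if __name__ == "__main__":
    # Constructed sample: the documented "first example rule" capturing the internal interface.
    portal = CaptivePortal(rules=[Rule(action="capture", src_interface="internal")],
                           pass_servers={"10.0.0.53"})
    for sess in (Session("10.0.0.5", "93.184.216.34", "tcp", 80, "internal"),
                 Session("10.0.0.5", "93.184.216.34", "tcp", 22, "internal"),
                 Session("10.0.0.5", "10.0.0.53", "udp", 53, "internal")):
        print(sess.dst, sess.dport, "->", portal.decide(sess))
```

Walking the sample sessions through `decide` is a quick way to confirm that a planned Passed Hosts entry (for example an internal DNS server) really lets unauthenticated clients reach it, and that nothing other than ports 53, 80 and 443 leaks past the portal before login.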

Passed Hosts

The Passed Hosts tab allows you to specify either a) machines that should not be affected by Captive Portal, or b) servers that machines behind Captive Portal should be able to access even if unauthenticated.
  • Pass Listed Client Addresses: These machines will not be affected by Captive Portal. This is useful for servers and devices without browsers.
  • Pass Listed Server Addresses: Machines behind Captive Portal can access these servers whether or not they have authenticated through Captive Portal. Typically, these will be any DNS or DHCP servers separated from their clients by NG Firewall. If NG Firewall is handling DHCP or DNS, this is not necessary.
Figure 3. Passed Hosts Tab

Captive Page

This tab controls the type of Captive Portal page displayed to unauthenticated users. You can use HTML in the Captive Portal page fields; however, invalid HTML will prevent the page from rendering properly.
  • Basic Message: Select this option if users should see (or accept) a message before being allowed to the internet. It has several tunable properties such as Page Title, Welcome Text, Message Text, and Lower Text. If Agree Checkbox is enabled, users must check a checkbox (labeled with the Agree Text) before continuing.
  • Basic Login: Select this option if users should see a page that requires them to login. Similar to Basic Message, it has several properties that can be configured. When the login/continue button on the page is clicked the user will be authenticated. You must also set your authentication method on the User Authentication tab.
  • Custom: Select this option if you would like to upload a custom Captive Portal page. This is for experienced web developers who are comfortable with HTML, Python and JavaScript - the Edge Threat Management Support department can not help with development or troubleshooting of custom Captive Portal pages. If Custom is selected, it is advised to turn off automatic upgrades - newer versions of NG Firewall may be incompatible with any custom captive page.
Note: When using 'Any OAuth provider' for User Authentication, select 'Basic Message'. All the 'Page Configuration' options except the agree checkbox and text will be used when generating the OAuth provider selection page.
Figure 4. Captive Page Tab

HTTPS/Root Certificate Detection

This feature checks whether the NG Firewall root certificate is installed on the client machine. If it is not installed, Captive Portal can display a warning or block the connection. The root certificate is the one that signs the certificates used by HTTPS Inspector and by other HTTPS connections to the unit, including the Captive Portal page itself. Enabling this check is highly recommended if HTTPS Inspector is installed. The certificates must contain all the hostnames and IP addresses used on the NG Firewall.
  • Disable Certificate Detection: No checking for the root certificate.
  • Check Certificate. Show warning when not detected: Checks the root certificate. If not found, displays a warning with instructions on how to install the certificate.
  • Require Certificate. Prohibit login when not detected: Check the root certificate. If the root certificate is not found, the connection is blocked and the client is given instructions to install the certificate.

The Preview Captive Portal Page button can be used to view what the configured captive page looks like. This button only works when Captive Portal is on.

Session Redirect

  • Block instead of capture and redirect unauthenticated HTTPS connections: The browser redirecting from an HTTPS URL to the captive page will show a certificate error as the captive page is not the page requested. To avoid this error message, block the traffic and show nothing instead of showing the captive login page.
  • Use hostname instead of IP address for the capture page redirect: Create the browser redirect using the hostname instead of the IP address of the server.
    Warning: If enabled, the admin must ensure that the hostname properly resolves to the internal IP of NG Firewall on all internal networks. If internal hosts use NG Firewall for DNS, this is automatic. If using another internal DNS server, it is the administrator's responsibility to configure DNS to resolve the hostname to the correct internal IP on all internal networks. If this is not configured properly, Captive Portal will not function, as clients will not be able to reach the captive portal page. Hosts will NOT be able to reach the captive portal page if the hostname resolves to the external IP of NG Firewall.
    This option is useful for organizations that have valid certificates on the NG Firewall server and want to avoid the cert warning on the capture page.
    Note: This has nothing to do with the first warning caused by serving/spoofing the 301 redirect from an internet site to the capture page.
  • Always use HTTPS for the capture page redirect: Always redirect to the HTTPS version of the login page when using Captive Portal.
  • Redirect URL: Users will be rerouted to this site after successful authentication. If Redirect URL is blank, they will be sent to their original destination. Make sure to enter a complete URL (e.g. http://edge.arista.com) or this setting will not operate properly.
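The hostname redirect warning above and the certificate requirement under HTTPS/Root Certificate Detection (the certificate must contain every name and IP used on the NG Firewall) are both things that can be checked before turning the option on. The following added example, which is not NG Firewall code, does that check offline: the per-network DNS answers, the firewall's internal and external IPs, and the certificate's Subject Alternative Names are all constructed inputs for the demonstration; in practice the answers come from a resolver query issued from each internal network and the SAN list from the server certificate.

```python
"""Pre-flight check for the hostname-based capture redirect (added example)."""
from ipaddress import ip_address


def check_redirect_hostname(hostname, answers_by_network, internal_ips, external_ips, cert_sans):
    """Return a list of findings; an empty list means the redirect should work everywhere.

    answers_by_network maps an internal network name to the IP the hostname
    resolves to from that network (None when it does not resolve at all).
    """
    findings = []
    internal = {ip_address(i) for i in internal_ips}
    external = {ip_address(i) for i in external_ips}

    # 1. The hostname must resolve to an NG Firewall internal IP on every internal network.
    for network, answer in answers_by_network.items():
        if answer is None:
            findings.append(f"{network}: {hostname} does not resolve; clients cannot reach the captive page")
            continue
        ip = ip_address(answer)
        if ip in external:
            findings.append(f"{network}: {hostname} resolves to external IP {ip}; captive page unreachable")
        elif ip not in internal:
            findings.append(f"{network}: {hostname} resolves to {ip}, which is not an NG Firewall internal IP")

    # 2. The certificate must cover the hostname and every internal IP a client may be sent to.
    sans = set(cert_sans)
    if hostname not in sans:
        findings.append(f"certificate lacks DNS SAN {hostname}; browsers will warn on the capture page")
    for ip in sorted(internal):
        if str(ip) not in sans:
            findings.append(f"certificate lacks IP SAN {ip}; IP-based redirects will warn")
    return findings


if __name__ == "__main__":
    # Constructed sample: one network resolves to the WAN address, one does not resolve at all,
    # and the certificate is missing the second internal interface.
    for line in check_redirect_hostname(
        "fw.example.internal",
        {"Internal": "192.168.1.1", "Guest WiFi": "203.0.113.10", "Lab": None},
        internal_ips=["192.168.1.1", "192.168.2.1"],
        external_ips=["203.0.113.10"],
        cert_sans=["fw.example.internal", "192.168.1.1"],
    ):
        print("finding:", line)
```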

Custom Pages

You can create a custom.html file and place it, along with any supporting image files, etc., into a zip file and then upload it via the administrative interface. This allows you to customize the look and layout of the page while leveraging the existing code and application settings. To use this model, you need to be familiar with HTML and forms.

Note that customized Captive Portal pages are "used at your own risk". The Edge Threat Management Support department cannot assist you in creating, updating, or troubleshooting custom captive pages.

User Authentication

This section controls how users will be authenticated if the Basic Login page is used.
  • None: Use this when no login is required.
  • Local Directory: Use the NG Firewall's built-in Local Directory (Config > Local Directory) to authenticate users.
  • RADIUS: Use an external RADIUS server to authenticate users. This option requires Directory Connector to be installed, enabled and configured.
  • Active Directory: can be used if user should be authenticated against an Active Directory server. This option requires Directory Connector to be installed and enabled and configured.
  • Any Directory Connector: can be used to allow users to authenticate against any of the configured and enabled Directory Connector methods. This option requires Directory Connector to be installed and enabled and configured.
  • Google Account: can be used to allow users to authenticate via OAuth using a Google account.
  • Facebook Account: can be used to allow users to authenticate via OAuth using a Facebook account.
  • Microsoft Account: can be used to allow users to authenticate via OAuth using a Microsoft account.
  • Any OAuth Provider: can be used to allow users to select and authenticate using any of the supported OAuth providers. When this option is selected, unauthenticated users will first encounter the OAuth selection page where they will click the icon or link corresponding to the provider account they wish to use.
The Session Settings section controls the timeout and concurrent login settings for Captive Portal.
  • Idle Timeout: This option controls the amount of time before a host is automatically logged out if no traffic is seen. While a machine may be idle, it is still active on the network level. In this case Idle means no new TCP or UDP connections are seen by the Captive Portal.
    Important: It is recommended to leave this at zero (not enabled).
  • Timeout: This option controls the amount of time before a computer is automatically logged out. After this, the user must log in again through Captive Portal. Timeouts greater than 1440 minutes (1 day) are not recommended. The authenticated table is stored in memory and is flushed on reboot or upgrade. Additionally, the logout time should be shorter than your DHCP lease time to ensure IPs do not change before the Captive Portal timeout expires.
  • Allow Concurrent Logins: This option controls if multiple machines can use the same login credentials simultaneously. If enabled, two or more users can login with the same username/password at the same time.
  • Allow Cookie-based authentication: When enabled, a cookie is added to the user's browser and used to authenticate the user in future sessions. Cookies must be allowed by the browser and must not be cleared when the browser closes or by other security programs. When the cookie timeout is reached, the user is forced to re-authenticate regardless of activity. The default is 24 hours.
  • Track logins using MAC address: When enabled, Captive Portal will use the MAC address instead of IP address to identify the client machine. If the MAC address for a given IP address is not known it will revert to using an IP address. This option is useful on smaller flat networks where NG Firewall is on the same network segment as all the hosts, and you have a very long timeout period such that a client's IP address might change.
Figure 5. User Authentication Tab

Reports

The Reports tab provides a view of all reports and events for all traffic handled by Captive Portal.

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
Report Entry Description
Captive Portal Summary A summary of Captive Portal actions.
Activity Summary A summary of Captive Portal activity.
Top Active Users The top active users that logged in to Captive Portal.
Top Blocked Clients The top clients that were blocked by Captive Portal because they were not logged in.
All Session Events All sessions processed by Captive Portal.
Passed Session Events Sessions matching passed hosts.
Captured Session Events Sessions matching capture rules.
All User Events All user sessions processed by Captive Portal.
Login Success User Events Successful logins to Captive Portal.
Login Failure User Events Failed logins to Captive Portal.
Session Timeout User Events Sessions that reached the session timeout.
Idle Timeout User Events Sessions that reached the idle timeout.
User Logout User Events All user logout events.
Admin Logout User Events Sessions logged off by the admin.
The tables queried to render these reports:

Related Topics

Directory Connector


IPsec VPN

The IPsec VPN service provides secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Settings

This section reviews the different settings and configuration options available for IPsec VPN.

Status

The Status tab shows the status of the different components of the IPsec application.
  • Enabled IPsec Tunnels
    This section shows a list of all IPsec tunnels that have been created and enabled. For tunnels that are active, the status will display the connection details reported by the IPsec subsystem. For inactive tunnels, the configuration information will be displayed.
  • Active VPN Sessions
    This section shows a list of all active L2TP and Xauth connections. In addition to the connection details, there is a Disconnect column that can be used to forcefully disconnect an active session. Please note that there is no confirmation when you click the Disconnect icon. The corresponding session will be immediately terminated.

IPsec Options
  • Bypass all IPsec traffic. When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the NG Firewall server. This was the only behavior available in previous versions of NG Firewall, so this option is enabled by default to maintain equivalent functionality on upgrade. If you disable this checkbox, traffic from IPsec tunnels can now be filtered through all active applications and services. Also, note that this only applies to plain IPsec tunnels. Traffic from L2TP and Xauth VPN clients will always pass through all active applications and services.

IPsec Tunnels

The IPsec Tunnels tab is where you create and manage the IPsec VPN configuration. The main tab display shows a summary of all IPsec tunnels that have been created.
  • Tunnel Editor: When you create a new tunnel or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:
Name Description
Enabled This checkbox allows you to set a tunnel to either enabled or disabled.
Description This field should contain a short name or description.
Connection Type This field allows you to set the connection type to any of the following:
  • Select Tunnel to specify a host-to-host, host-to-subnet, or subnet-to-subnet tunnel. This is by far the most common connection type.
  • Select Transport to specify a host-to-host transport mode tunnel. This connection type is much less common and would generally only be used if you are attempting to establish an IPsec connection to another host which specifically requires this mode.
IKE Version Select IKE version 1 or version 2. Both endpoints must use the same IKE version.
Connect Mode This field controls how IPsec manages the corresponding tunnel when the IPsec process re-starts:
  • Select Always Connected to have the tunnel automatically loaded, routes inserted, and connection initiated.
  • Select On Demand to have the tunnel load in standby mode, waiting to respond to an incoming connection request.
Interface This field allows you to select the network interface that should be associated with the IPsec tunnel on the NG Firewall server. For most situations, choose Active WAN to bind to the active Internet interface. This allows the VPN tunnel to reconnect using a secondary WAN interface in the event of Internet failover. The Active WAN option is available when using the WAN Failover app. Alternatively, you can select a specific interface, or you can manually configure an IP address using the Custom option and manually inputting the IP address.
Any remote host Enabling this option allows the VPN Server to accept tunnel connections from any IP Address. This option enables the remote side of the tunnel to connect from a dynamic IP address or via a secondary WAN link. This option switches the Connect Mode to On Demand and removes the Remote Host field, as these options are not used when allowing connections from any remote host.
Remote Host This field should contain the public IP address or DNS name of the host to which the IPsec VPN will be connected.
Warning: Using host names with IPsec tunnels can often cause problems, especially if you have enabled the L2TP/Xauth VPN server. We strongly recommend the use of IP addresses in the Remote Host field.
Local Identifier This field is used to configure the local identifier used for authentication. When this field is blank, the value in the External IP field will be used.
Remote Identifier This field is used to configure the remote identifier used for authentication. When this field is blank, the value in the Remote Host field will be used.
Important: If the remote host is located behind any kind of NAT device, you may need to use the value %any in this field for a connection to be successfully established.
Local Network This field is used to configure the local network that will be reachable from hosts on the other side of the IPsec VPN.
Remote Network This field is used to configure the remote network that will be reachable from hosts on the local side of the IPsec VPN.
Shared Secret This field should contain the shared secret or PSK (pre-shared key) used to authenticate the connection; it must be the same on both sides of the tunnel for the connection to succeed. The PSK authenticates the IKE exchange rather than serving directly as the session encryption key, but a short or guessable PSK still allows an attacker who captures the exchange to brute-force it offline, so a long, randomly generated string provides the highest level of security.
DPD Interval The number of seconds between Dead Peer Detection (R_U_THERE) messages. Enter 0 to disable this feature.
DPD Timeout The number of seconds without a DPD reply after which the peer is considered dead and the tunnel is restarted.
Ping Address The IP address of a host on the remote network to ping for verifying that the tunnel is connected and routing. Leave blank to disable.
Ping Interval The time in minutes between ping attempts of the ping address. Leave as 0 to disable. Recommended value is 1 when using a Ping address.
Authentication and SA/Key Exchange If you leave the Phase 1 and Phase 2 manual configuration checkboxes disabled, IPsec will attempt to automatically negotiate the encryption protocol with the remote peer when creating the tunnel. Given the number of different IPsec implementations and versions and the overall complexity of the protocol, best results can often be achieved by enabling manual configuration of these two options and selecting Encryption, Hash, DH Key Group, and Lifetime values that exactly match the settings configured on the peer device.

VPN Config

The VPN Config tab manages the L2TP/Xauth/IKEv2 server configuration, enabling VPN client connections from remote desktops and mobile devices. IPsec is a preferred option because it uses native VPN software built into most systems and, therefore, does not require installation of 3rd party software. When available, use IKEv2 type of VPN connections for optimal performance and compatibility.
  • Enable L2TP/Xauth/IKEv2 Server: Use this checkbox to enable or disable the L2TP/Xauth/IKEv2 server.
  • L2TP Address Pool: This field configures the pool of IP addresses assigned to L2TP clients while connected to the server. The default 198.18.0.0/16 lies inside 198.18.0.0/15, the block reserved for network benchmarking (RFC 2544); it is not RFC 1918 private space. It was chosen as the default because it is rarely used on production networks and is therefore less likely to conflict with existing address assignments on your network.
  • Xauth Address Pool: This field configures the pool of IP addresses assigned to Xauth clients while connected to the server. The default 198.19.0.0/16 also lies inside the RFC 2544 benchmarking block rather than RFC 1918 private space, and was chosen for the same reason: it is rarely used on production networks and is unlikely to conflict with existing address assignments.
  • Custom DNS Servers: Leave both fields blank to have L2TP and Xauth clients use the NG Firewall server for all DNS resolution. Alternatively, if you have other DNS servers you want clients to use, enter their IP addresses in these fields.
  • IPsec Secret: This is the shared secret used between the client and server to establish the IPsec channel that secures all L2TP and Xauth communications.
  • Allow Concurrent Logins

    If enabled, the same credentials can be authenticated simultaneously from multiple devices.

  • User Authentication

    In addition to the IPsec Secret configured above, VPN clients must authenticate with a username and password. To use the Local Directory, select this option and click the Configure Local Directory button to manage user credentials. Alternatively, you can use an external RADIUS server for authentication by selecting the RADIUS option and clicking the Configure RADIUS button to configure the RADIUS server options.

  • Server Listen Addresses

    This list is used to configure one or more of your server IP addresses to listen for inbound VPN connection requests from remote clients. Clicking the add button will insert a new line, allowing the entry of another server IP address.


GRE Networks

The GRE Networks tab is where you create and manage connections to remote GRE servers. Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.

GRE Address Pool

This field configures the pool of IP addresses assigned to the interfaces created for tunnels added on the GRE Networks tab. The default 198.51.100.0/24 is TEST-NET-2, a block reserved for documentation (RFC 5737); it is not RFC 1918 private space. It was chosen as the default because it is rarely used on production networks and is therefore less likely to conflict with existing address assignments on your network. If you use GRE to connect multiple NG Firewall servers, you must configure a different, unused pool on each server.

The main tab display shows a summary of all GRE Networks that have been created.

Network Editor

When you create a new GRE Network or edit an existing network, the network editor screen will appear with the following configurable settings:

Name Description
Enable This checkbox allows you to set a network to either enabled or disabled.
Description This field should contain a short name or description.
Interface This field allows you to select the network interface that should be associated with the GRE Network on the NG Firewall server. When you select a valid interface, the External IP field (see below) is automatically populated with the corresponding IP address. If, for some reason, you want to manually configure an IP address that is not currently active, set the Interface to Custom and enter the IP address below.
External IP Use this field to configure the IP address that is associated with the GRE Network on the NG Firewall server. Normally this field will be read-only and will automatically be populated based on the Interface selected above. If you select Custom as the interface, you can then manually enter the local IP address.
Remote Host This field should contain the public IP address of the host to which the GRE tunnel will be connected.
Remote Networks This field is used to configure the list of remote network traffic that should be routed across this GRE tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.
Note: The subnets in Remote Networks must not conflict with your GRE Address Pool.

IPsec State

The IPsec State tab allows you to see the status of all established IPsec connections. There will typically be two entries per tunnel, one with details about the local side of the connection and another with details about the remote side.


IPsec Policy

The IPsec Policy tab allows you to see the routing table rules associated with each IPsec VPN that is active.

IPsec Log

The IPsec Log tab allows you to see the low level status messages that are generated by the underlying IPsec protocol components. This information can be very helpful when attempting to diagnose connection problems or other IPsec issues.

L2TP Log

The L2TP Log tab allows you to see the low level status messages that are generated by the underlying L2TP protocol daemon. This information can be very helpful when attempting to diagnose connection problems or other L2TP issues.

Reporting

The Reports tab provides a view of all reports and events for all connections handled by IPsec VPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
Report Entry Description
IPsec VPN Summary A summary of IPsec VPN actions.
Hourly Tunnel Traffic The amount of IPsec tunnel traffic over time.
Top Tunnel Traffic The amount of traffic for each IPsec tunnel.
Top Active Users The top IPsec VPN users by number of sessions.
Top Download Users The top IPsec users by amount of data downloaded.
Top Upload Users The top IPsec users by amount of data uploaded.
Top Protocols The top IPsec VPN connections by protocol.
L2TP/Xauth Events Shows all user L2TP/Xauth events.
Tunnel Connection Events Shows all IPsec VPN tunnel connection events.
Tunnel Traffic Events Shows all IPsec tunnel traffic statistics events.
The tables queried to render these reports:

Related Topics

OpenVPN


OpenVPN

OpenVPN enables you to create an SSL-based VPN (virtual private network) that supports both site-to-site and client-to-site tunnels. This allows your road warrior users to connect to local resources as if they were in the office, or connects the networks of several geographically distant offices together, all with the added security of encryption protecting your data. OpenVPN supports any operating system with an OpenVPN-compatible VPN client (which is almost every OS), even smartphones! The OpenVPN application can run as a server, allowing remote clients to connect to the NG Firewall server, and it can also connect to other remote NG Firewall servers as a client. The VPN Overview article provides some general guidance on which VPN technology may be the best fit for different scenarios.

Settings

This section reviews the different settings and configuration options available for OpenVPN.

Status

The Status tab shows you a list of open connections, the time the tunnels were created, and transmit statistics.

Connected Remote Clients

This grid shows the remote clients currently connected to this OpenVPN server (if the server is enabled).
Name Description
Address The IP of the remote client.
Client The OpenVPN client name.
Start Time The time that the client connected.
Rx Data The amount of data received from this client in this session.
Tx Data The amount of data sent to this client in this session.

Remote Server Status

This grid shows the remote servers this OpenVPN is connecting to as a client.
  • Name - The name of the remote server.
  • Connected - The current connection status.
  • Rx Data - The amount of data received from this remote server in this session.
  • Tx Data - The amount of data sent to this remote server in this session.

Server

The Server tab includes all the configuration for OpenVPN's server functionality.

Site Name is the name of this OpenVPN site. A random name is chosen so that it is unique. A new name can be given, but it should be unique across all NG Firewall sites in the organization. For example, if the company name is "MyCompany", then "mycompany" is a bad site name if you have multiple NG Firewalls deployed, as it might be used elsewhere. The Site Name must be unique.

Site URL shows the URL that remote clients will use to connect to this server. This is just for reference. Verify that this address will resolve and be publicly reachable from remote networks. This URL can be configured in Config > Network > Hostname .

If Server Enabled is checked, the OpenVPN server will run and accept connections from configured Remote Clients. If unchecked, the OpenVPN server will not run, and no server services will be provided.

Address Space defines an IP network/space for the VPN to use internally. The Address Space must be unique and separate from all existing networks and other address spaces on other OpenVPNs. A default will be chosen that does not conflict with the existing configuration.

NAT OpenVPN Traffic will NAT all traffic coming from remote networks to local networks to a local address. This helps solve routing and host-based firewall issues. The default and recommended setting is enabled.

Username/Password Authentication can be enabled to activate two-factor authentication, requiring clients to also provide a username and password when connecting.

Add MFA client configuration can be enabled to activate multi-factor authentication using a TOTP app. This feature uses the Local Directory users and requires each user to be configured with multi-factor authentication and paired with a TOTP app.

Authentication Method is used to select the authentication method for clients when Username/Password authentication is enabled.

Remote Clients

The Remote Clients sub-tab configures all the Remote Clients that can connect to this OpenVPN server. A Remote Client is any entity that connects to this OpenVPN server as a client. This includes both remote desktops, laptops, devices, road warriors, etc. This also includes remote OpenVPNs and remote NG Firewall networks.

Initially, there are no clients allowed to connect, and a unique entry must be created for each remote client you want to allow to connect to this server.

To add a new Remote Client, click Add and provide the following information:
  • Enabled - If checked, this client is enabled. If unchecked, this client is disabled and can not connect.
  • Client Name - A unique name for the client. (alphanumerics only)
  • Group - The group for this client. More information below.
  • Type - The type of this client. Individual Client for a single host like a remote desktop or laptop. Network for an entire remote network that the server should also be able to reach.
  • Remote Networks - The remote network in CIDR notation if this remote client is of type Network. For example: 192.168.1.0/24 means that the 192.168.1.* network lives behind the remote client and should be reachable from the server. If there are multiple networks reachable through this remote client, a comma separated list of CIDR networks can be used. These networks are automatically exported such that hosts on the main network and other remote clients can reach these networks.
After configuring this information, save the new Remote Client by clicking OK, then Apply. After saving settings, click on the Download Client button in the Remote Clients table on the row for the new client. This will provide links to download the configuration profile for the configured client.
  • Click here to download this client's configuration zip file for other OSs (Apple/Linux/etc). - provides a zip file with the OpenVPN client configuration files. This file can configure various OpenVPN clients for various OSs, like Linux, Apple, and even some phones/tablets/devices.
  • Click here to download this client's configuration file for remote OpenVPN clients. - provides a zip file with the OpenVPN client configuration for setting up a remote OpenVPN application to connect as a client to this server.
  • Click here to download this client's configuration onc file for Chromebook. - provides an onc file that can be used to configure your Chromebook as a client to connect to the NG Firewall OpenVPN server. On the target device, browse to chrome://net-internals and use Import ONC file.
On the client system, you must first install the OpenVPN client. You can download the client from https://openvpn.net/download-open-vpn/. After installing the OpenVPN client on the remote client, you can import the OpenVPN profile into the client.
Note: A client can only be connected once. If you install the same client on multiple remote devices, they will kick each other off when a new one logs in. In most cases, you need to set up a client for each remote device.

Groups

Groups are a convenience feature to "group" clients and apply some settings to that entire group. By default, there will be a Default Group. Each group has the following settings:
  • Full Tunnel - If checked, remote clients will send ALL traffic bound to the internet through the VPN. This allows for NG Firewall to filter ALL internet traffic for connected clients by "proxying" it through the VPN and then out through NG Firewall's internet connection. This will have no effect on remote OpenVPN clients. If unchecked, only traffic destined to the local network is subject to filtering.
  • Push DNS - If enabled, OpenVPN will "push" some DNS configuration to the remote clients when they connect. This is useful if you want some local names and services that would not publicly resolve to resolve properly via DNS.
  • Push DNS Server - If set to OpenVPN Server, then the IP of the NG Firewall server itself will be pushed to the remote clients, and all remote clients will use NG Firewall for all DNS lookups. If Custom is selected, then one or two DNS entries can be specified that will be used for DNS resolution.
  • Push DNS Custom 1 - If Push DNS Server is set to custom, this IP will be pushed to remote clients to use for DNS resolution. It is important to export this address if that traffic should travel through the VPN tunnel. If this value is blank, nothing will be pushed.
  • Push DNS Custom 2 - Just like Push DNS Custom 1, except this sets the secondary DNS value. If blank, no secondary DNS will be pushed.
  • Push DNS Domain - If set, this domain will be pushed to remote clients to extend their domain search path during DNS resolution.

These settings will apply to all clients belonging to that group. Many sites will only have one group because all clients need the same settings. However, some sites have both Full Tunnel remote clients and Split Tunnel remote clients. In this case, you need two groups, with each client assigned to the appropriate group.

Exported Networks

Exported Networks is a list of networks reachable through the OpenVPN server for remote clients. Exported Networks are routes pushed to remote clients when they connect, effectively telling remote clients to reach the specified network through the OpenVPN server.

For example, exporting 1.2.3.4/24 will result in all 1.2.3.x traffic going through the OpenVPN server.

The Exported Networks grid is pre-populated on installation with the IP/netmask of each static non-WAN interface.
  • If Enabled is checked, this network will be exported/pushed to connected remote clients.
  • Export Name is a name that is purely used for documentation purposes.
  • Network is the network in CIDR notation.
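
The Address Space, Remote Networks and Exported Networks fields above all take CIDR values that must not collide with each other. The following Python script is added here as an illustration and is not part of NG Firewall: it parses a comma-separated CIDR list the way the Remote Networks field expects and flags overlaps between a proposed address space or remote network and the networks already in use. All sample networks in it are constructed.

```python
import ipaddress

# Constructed sample values (not taken from the page or from any NG Firewall):
# the server's Address Space, the local networks it exports, and the Remote
# Networks field of a remote client of type Network.
SAMPLE_ADDRESS_SPACE = "172.16.0.0/24"
SAMPLE_LOCAL_NETWORKS = "10.0.1.0/24, 10.0.2.0/24"
SAMPLE_REMOTE_NETWORKS = "192.168.1.0/24, 192.168.2.0/24"


def parse_cidr_list(text):
    """Parse a comma-separated Remote Networks / Exported Networks value.

    Returns a list of ip_network objects.  Host bits are normalised
    (strict=False), so "192.168.1.5/24" becomes 192.168.1.0/24; any entry
    that is not a valid network raises ValueError.
    """
    networks = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma or doubled separator
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def find_overlaps(candidate, existing):
    """Return every network in `existing` that shares addresses with `candidate`."""
    return [net for net in existing if candidate.overlaps(net)]


def validate_address_space(address_space, other_networks):
    """Check the VPN Address Space against every network already in use.

    Returns a list of problem strings; an empty list means the space is
    free of collisions with the local networks and other remote networks.
    """
    space = ipaddress.ip_network(address_space, strict=False)
    return [f"address space {space} overlaps {net}"
            for net in find_overlaps(space, other_networks)]


def validate_remote_networks(remote_networks_text, address_space,
                             local_networks, other_remote_networks):
    """Validate one remote client's Remote Networks field.

    Every entry must parse, and none may overlap the Address Space, the
    local (exported) networks, or networks already claimed by another
    remote client, because each is pushed as a route to every other peer.
    """
    try:
        remote = parse_cidr_list(remote_networks_text)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    known = ([ipaddress.ip_network(address_space, strict=False)]
             + list(local_networks) + list(other_remote_networks))
    problems = []
    for net in remote:
        problems.extend(f"remote network {net} overlaps {other}"
                        for other in find_overlaps(net, known))
    return problems


if __name__ == "__main__":
    local = parse_cidr_list(SAMPLE_LOCAL_NETWORKS)
    print(validate_address_space(SAMPLE_ADDRESS_SPACE, local))        # []
    print(validate_remote_networks(SAMPLE_REMOTE_NETWORKS,
                                   SAMPLE_ADDRESS_SPACE, local, []))  # []
    # A remote network that collides with an exported local network:
    print(validate_remote_networks("10.0.2.128/25",
                                   SAMPLE_ADDRESS_SPACE, local, []))
```

The overlap check is deliberately symmetric (a /25 inside an exported /24 is reported just as a /16 that swallows it would be), because either case produces a route on the remote side that silently captures traffic meant for the other network.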

Client

The Client tab is used to configure which remote servers this OpenVPN will connect to as a client.

Remote Servers

The Remote Servers grid lists the remote servers that this OpenVPN is currently configured to connect to.

To configure a new server to connect to, first log in to the remote server, configure a new client as described above, and click Download Client. After you have downloaded the distribution zip file, return to this OpenVPN and click the Browse button below the Remote Servers grid. Select the zip file downloaded from the OpenVPN server and then press OK. Next, press the Submit button to upload the zip file to OpenVPN, which will add a new entry to the Remote Servers grid based on the configuration in the submitted zip file.

If the remote server requires Username/Password authentication, you will have to edit the configuration, enable the Username/Password authentication checkbox, and enter the username and password to be used when establishing the connection.

Once connected to a remote server, you can reach its exported networks. It will also be able to reach the networks on this server that were specified in the Remote Networks configuration of the client entry.
Note: Site-to-site connections are not full-tunnel even if Full Tunnel is selected in the Group for the site-to-site client. Internet traffic on the remote site will exit through its local gateway.

Advanced

The Advanced tab is provided for advanced users who have a detailed knowledge and understanding of OpenVPN and need very specific configuration changes to address unique or unusual situations. It is entirely possible to completely break your OpenVPN configuration with a single wrong character, misplaced space, or by changing a configuration option that probably shouldn't be changed. Changes you make on this page can possibly compromise the security and proper operation of your server and are not officially supported.

Common Settings

At the top of the Advanced page are the Protocol, Port, and Cipher options. These must be the same on both the client and server for connections to work. Since they are the options most frequently modified, they can be easily configured here and will apply to both the client and server.

The Client to Client Allowed checkbox is used to enable or disable traffic passing between OpenVPN clients. When enabled, all clients will have full network access to each other when connected. If disabled, traffic will not be allowed to flow between connected clients.

Server Configuration and Client Configuration

If you require changes to other low level parameters, the Server Configuration and Client Configuration grids allow you to effectively have total control of the OpenVPN configuration file that is generated. Both grids work the same way, with each configuration applied to the corresponding server or client openvpn.conf file, respectively.

Both lists contain config items consisting of an Option Name and Option Value pair. By default, all items in both configuration grids are read-only. The lists represent the default configuration settings used for the server and client configuration files. The default items cannot be modified or deleted; they can only be excluded. When you exclude an item, it is effectively removed from the resulting configuration file. To change one of the default items, simply add a new item with the same Option Name and input the Option Value that you want to be used. This will effectively override the default. The same method can also be used to add configuration items that are not included in the default list.

Exclude Default Configuration Item

This example shows how to disable the comp-lzo option in the server configuration file to turn off compression:

Modify Default Configuration Item

This example shows how to change the default keepalive setting in the server configuration file:

Add New Configuration Item

This example shows how to add a socks-proxy setting to the client configuration file:
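
The three examples were screenshots on the original page. As an added illustration (not NG Firewall's code), the following Python script models the exclude/override/append semantics described above for the Server Configuration and Client Configuration grids, renders the resulting openvpn.conf lines, and checks that the Common Settings shared by server and client still agree. The default item lists and the proxy address in it are constructed stand-ins, not the product's actual defaults.

```python
# Constructed defaults standing in for the read-only default grids.  The real
# grids on an NG Firewall contain more entries; these names and values are
# illustrative only, not the product's actual defaults.
DEFAULT_SERVER_ITEMS = [
    ("dev", "tun0"),
    ("proto", "udp"),
    ("port", "1194"),
    ("cipher", "AES-256-GCM"),
    ("comp-lzo", ""),
    ("keepalive", "10 120"),
]
DEFAULT_CLIENT_ITEMS = [
    ("client", ""),
    ("dev", "tun"),
    ("proto", "udp"),
    ("cipher", "AES-256-GCM"),
    ("comp-lzo", ""),
]


def render_config(default_items, user_items, excluded_names):
    """Merge the default grid with the administrator's own items.

    Rules, as the Advanced tab describes them:
      * a default whose name is in `excluded_names` is dropped;
      * a user item whose name matches a default replaces that default's
        value in place (override); if several user items share a name the
        last one wins;
      * a user item with a name not in the defaults is appended at the end.
    Returns an ordered list of (name, value) pairs.
    """
    overrides = dict(user_items)  # later entries overwrite earlier ones
    result = []
    emitted = set()
    for name, value in default_items:
        if name in excluded_names:
            continue
        result.append((name, overrides.get(name, value)))
        emitted.add(name)
    for name, _ in user_items:
        if name not in emitted:
            result.append((name, overrides[name]))
            emitted.add(name)
    return result


def to_text(items):
    """Serialise (name, value) pairs as openvpn.conf lines (value may be empty)."""
    return "".join(f"{name} {value}".rstrip() + "\n" for name, value in items)


def mismatched_common_settings(server_items, client_items, names=("proto", "cipher")):
    """Report Common Settings that differ between the rendered server and client.

    Protocol and cipher appear under the same option name on both sides; the
    client's port lives inside its `remote` line, so it is not compared here.
    """
    server, client = dict(server_items), dict(client_items)
    return [name for name in names
            if name in server and name in client and server[name] != client[name]]


if __name__ == "__main__":
    # The three examples from the page: exclude comp-lzo, override keepalive,
    # and add a socks-proxy entry (hypothetical proxy address).
    server = render_config(DEFAULT_SERVER_ITEMS, [("keepalive", "5 60")], {"comp-lzo"})
    client = render_config(DEFAULT_CLIENT_ITEMS, [("socks-proxy", "127.0.0.1 1080")], set())
    print(to_text(server))
    print(to_text(client))
    print(mismatched_common_settings(server, client))  # []
```

An override keeps the default's position in the file, so option ordering stays stable between the default and customised configurations, which makes a diff of the two outputs a quick review of exactly what an administrator changed.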

Reports

The Reports tab provides a view of all reports and events for all connections handled by OpenVPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
  • OpenVPN Summary - A summary of OpenVPN actions.
  • OpenVPN Bandwidth Usage - The approximate amount of data transferred over OpenVPN connections.
  • OpenVPN Events - The number of login and logout events over time.
  • OpenVPN Sessions - The number of OpenVPN sessions over time.
  • Top Clients (by usage) - The number of bytes transferred grouped by remote client.
  • Connection Events - OpenVPN client connection events.
  • Statistic Events - Shows all OpenVPN connection traffic statistics events.
The tables queried to render these reports:

Related Topics

OpenVPN

OpenVPN Reports

OpenVPN Reports

The Reports tab provides a view of all reports and events for all connections handled by OpenVPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
  • OpenVPN Summary - A summary of OpenVPN actions.
  • OpenVPN Bandwidth Usage - The approximate amount of data transferred over OpenVPN connections.
  • OpenVPN Events - The number of login and logout events over time.
  • OpenVPN Sessions - The number of OpenVPN sessions over time.
  • Top Clients (by usage) - The number of bytes transferred grouped by remote client.
  • Connection Events - OpenVPN client connection events.
  • Statistic Events - Shows all OpenVPN connection traffic statistics events.
The tables queried to render these reports:

Tunnel VPN

The Tunnel VPN service app provides secure tunnels to remote servers and services and determines which traffic on the network goes through these tunnels.

The VPN Overview article provides some general guidance on which VPN technology may be the best fit for different scenarios.

Use Cases

Tunnel VPN is used in a wide variety of configurations. Some common scenarios are described below.

Branch Offices

Organizations with one or more small branch offices can use Tunnel VPN to send all internet-bound traffic at the remote small branch through the central site for security and filtering. This alleviates the need to actively manage the security and filtering configuration at the branch offices and allows for easier management at the central site and centralized monitoring and reporting.

Remote Security Services

There are many cloud-based security services, or Cloud Access Security Brokers (CASB), that enforce policy on and secure network traffic as it transits from the local infrastructure to the internet.

Tunnel VPN can be configured to send traffic, either in total or selectively, to the desired cloud services. For example, Tunnel VPN can send all port 25 (SMTP) traffic through a specific tunnel to a cloud email archiving service. Alternatively, you could send DNS, web, or all traffic through dedicated cloud services.

SD-WAN

SD-WAN (software-defined networking) type deployments often need to maintain several tunnels to dedicated CASBs or internet "exit" points. Tunnel VPN allows you to maintain connections to several cloud exit points and prioritize the tunnels such that if one tunnel goes down, the next available tunnel will be used.

When combined with WAN Failover and WAN Balancer, this provides an easy way to ensure the network is always online and the best possible tunnel is being used for connectivity, regardless of cloud services going up or down or individual ISPs or internet connections being up or down.

Privacy

Tunnel VPN can connect to other NG Firewall services or most Privacy VPN services (like NordVPN, ExpressVPN, Private Internet Access, and so on).

Many countries have imposed limits or monitoring on "forbidden" content. This can range from content expressing certain political views, information on historical events, region-locked content, unapproved types of entertainment, or copyrighted material. Also, many locations do not have access to ISPs (or governments) that respect net-neutrality.

For these locations, Tunnel VPN can provide safe encrypted passage to a location that supports freer internet and net neutrality. Rules can either statically determine what traffic goes through a tunnel (specific hosts or ports) or can dynamically shift which traffic uses the tunnel using tags. For example, a host can be switched to using a tunnel once Skype or Bittorrent usage is detected.

Settings

This section reviews the different settings and configuration options available for Tunnel VPN.

Status

The Status tab shows the on/off status of Tunnel VPN.

Tunnels

The Tunnels tab configures the encrypted tunnels to remote servers/services.

To add a new tunnel, simply click the Add button at the top.
  • Enabled - If checked, this tunnel is enabled. If not enabled, it will not connect and not be active.
  • Tunnel Name - A unique name for the tunnel.
  • Provider - this is the remote service/provider. Select the appropriate option for the remote service.
    • Arista - this is for connecting to a remote NG Firewall server.
    • NordVPN - this is for connecting to NordVPN at [nordvpn.com].
    • ExpressVPN - this is for connecting to ExpressVPN at [expressvpn.com].
    • Custom zip file - used for any remote service that supplies a zip file with an OpenVPN configuration inside.
    • Custom zip file with username/password - used for any remote service that supplies a zip file with an OpenVPN configuration inside and also requires a valid username and password.
    • Custom ovpn file - used for any remote service that supplies an ovpn file.
    • Custom ovpn file with username/password - used for any remote service that supplies an ovpn file and also requires a valid username and password.
    • Custom conf file - used for any remote service that supplies an OpenVPN conf file.
    • Custom conf file with username/password - used for any remote service that supplies an OpenVPN conf file and also requires a valid username and password.
  • Select VPN Config File - button used to upload the zip/conf/ovpn file.
  • Username specifies the username (if required).
  • Password specifies the password (if required).

First, provide a name and choose the remote provider type. After choosing the provider type, the instructions will describe how to configure the rest of the fields.

On save, all enabled tunnels will attempt to connect to the remote services. The log can be viewed on the Log tab.

Rules

Rules control what traffic is routed through the tunnels. The Tunnel VPN rules are run before any WAN Balancer rules are evaluated and before the routing table is consulted. If a Tunnel VPN rule matches and the tunnel is active, the traffic will exit through the tunnel regardless of the WAN Balancer or routing configuration. In other words, Tunnel VPN takes precedence over any other routing configuration.

The Rules article describes how rules work and how they are configured. As with all rules, rules are evaluated in order, and the action is taken from the first matching rule.

Example: Static Rules

  • If all of the following conditions are met:
    • Destination Port is 25
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1

This will route all port 25 traffic through tunnel-1. If tunnel-1 is offline, traffic will be routed normally.

Example: Preference Order

  • Rule 1: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-1'
  • Rule 2: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-2'
  • Rule 3: Always (no conditions) perform the following action, Destination Tunnel: 'tunnel-3'

Then traffic will always route to tunnel-1. If tunnel-1 is not available it will route to tunnel-2. If tunnel-2 is not available it will route to tunnel-3. If tunnel-3 is not available it will route normally.

Example: Dynamic Rules

Unlike most solutions, NG Firewall also allows for automatic dynamic adjustment of what traffic goes through the tunnel by using tags. Hosts can be tagged manually, by tagging the appropriate device or username associated with a host, or automatically, using trigger rules (see Events).

For example, suppose you'd like a host using BitTorrent to automatically be routed through the tunnel. Add a trigger rule to tag hosts detected as using BitTorrent (an example is there by default), and then add the following Tunnel VPN rule:
  • If all of the following conditions are met:
    • Client Tagged is bittorrent-use.
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1.

This will route any hosts tagged bittorrent-use through tunnel-1. The trigger rule will ensure that any host detected using Bittorrent will automatically be tagged so that each session after the detection will go through the tunnel.

Example: Multiple Triggers

If there are many scenarios in which a host should be routed through a tunnel, you can configure multiple triggers. For example, you can configure multiple trigger rules:
  • If host is using Skype, tag host 'tunnel', expiring in 10 minutes.
  • If host is accessing craigslist, tag host 'tunnel', expiring in 10 minutes.
  • If host is accessing a Gaming category website, tag host 'tunnel', expiring in 10 minutes.
Then add the following Tunnel VPN Rule:
  • If all of the following conditions are met:
    • Client Tagged is tunnel.
  • Perform the following action(s):
    • Destination Tunnel: tunnel-1.

If a host performs any of those actions, it will automatically be switched to the tunnel (until the tag expires, 10 minutes after the specified activity stops).
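
The following Python script is an added example, not NG Firewall's own rule engine. It models the behaviour described in the examples above: ordered first-match evaluation, falling through to the next rule when a matching rule's tunnel is down (the preference-order pattern), and Client Tagged conditions backed by tags that expire. The session, host address and set of active tunnels in it are constructed.

```python
import time

_MISSING = object()


class TagStore:
    """Host tags as set by trigger rules; a tag may carry an expiry time."""

    def __init__(self):
        self._expiry = {}  # (host, tag) -> absolute expiry time, or None

    def tag(self, host, name, ttl_seconds=None, now=None):
        """Apply (or refresh) a tag; re-tagging on new activity extends the expiry."""
        now = time.time() if now is None else now
        self._expiry[(host, name)] = None if ttl_seconds is None else now + ttl_seconds

    def has(self, host, name, now=None):
        """True while the tag exists and has not expired (expired tags are dropped)."""
        now = time.time() if now is None else now
        expiry = self._expiry.get((host, name), _MISSING)
        if expiry is _MISSING:
            return False
        if expiry is not None and now >= expiry:
            del self._expiry[(host, name)]
            return False
        return True


# Condition builders; each returns a predicate over (session, tags, now).
def dst_port(port):
    return lambda session, tags, now: session["dst_port"] == port


def client_tagged(name):
    return lambda session, tags, now: tags.has(session["client"], name, now)


# Rule sets mirroring the examples above (tunnel names are the page's own).
STATIC_RULES = [{"conditions": [dst_port(25)], "tunnel": "tunnel-1"}]
PREFERENCE_RULES = [{"conditions": [], "tunnel": t}
                    for t in ("tunnel-1", "tunnel-2", "tunnel-3")]
DYNAMIC_RULES = [{"conditions": [client_tagged("tunnel")], "tunnel": "tunnel-1"}]


def choose_tunnel(session, rules, active_tunnels, tags, now=None):
    """Return the tunnel a new session exits through, or None for normal routing.

    Rules are evaluated in order and the first rule whose conditions all
    match is taken, but only if its tunnel is currently active; a matching
    rule whose tunnel is down is skipped so that later rules act as
    fallbacks.  No usable match means the WAN Balancer and the routing
    table decide as usual.
    """
    now = time.time() if now is None else now
    for rule in rules:
        if all(cond(session, tags, now) for cond in rule["conditions"]):
            if rule["tunnel"] in active_tunnels:
                return rule["tunnel"]
    return None


if __name__ == "__main__":
    tags = TagStore()
    smtp = {"client": "10.0.1.10", "dst_port": 25}  # constructed session
    print(choose_tunnel(smtp, STATIC_RULES, {"tunnel-1"}, tags, now=0))      # tunnel-1
    print(choose_tunnel(smtp, PREFERENCE_RULES, {"tunnel-3"}, tags, now=0))  # tunnel-3
    tags.tag("10.0.1.10", "tunnel", ttl_seconds=600, now=1000)  # trigger rule fired
    print(choose_tunnel(smtp, DYNAMIC_RULES, {"tunnel-1"}, tags, now=1100))  # tunnel-1
    print(choose_tunnel(smtp, DYNAMIC_RULES, {"tunnel-1"}, tags, now=1700))  # None
```

Passing `now` explicitly keeps the expiry logic testable without sleeping; in a live evaluator it would simply default to the wall clock.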

Log

This shows the raw OpenVPN log file. Beware: OpenVPN often logs errors that are not actually a problem.

This is useful for debugging issues if the tunnels are not initializing correctly to the service providers.

Reports

There are currently no specific reports for Tunnel VPN. However, all traffic is logged using the appropriate tunnel set as the destination interface.

All reports (Application Control, Web Filter, etc.) can be viewed and filtered per tunnel by adding a Destination Interface condition where the value equals the tunnel ID.

Related Topics

OpenVPN

OpenVPN Reports

Tunnel VPN Reports

There are currently no specific reports for Tunnel VPN. However, all traffic is logged using the appropriate tunnel set as the destination interface.

All reports (Application Control, Web Filter, etc.) can be viewed and filtered per tunnel by adding a Destination Interface condition where the value equals the tunnel ID.

WireGuard VPN

The WireGuard VPN service provides virtual private networking via WireGuard VPN, an open source, lightweight VPN application and protocol designed to be fast, secure, and easy to configure.

Settings

This section reviews the different settings and configuration options available for WireGuard VPN.

Status

The Status tab shows the status of the WireGuard VPN service.

  • Local Service Information - This section displays information about the local WireGuard service, such as the public key, endpoint address and port, peer address, and the list of local networks.
  • Enabled Tunnels - This section shows a list of active WireGuard tunnels.

Settings

  • Listen port - Sets the port where the WireGuard server will listen for inbound tunnel connections from peers.
  • Keepalive interval - Sets the passive keepalive interval, which ensures that sessions stay active and allows both peers to passively determine if a connection has failed or been disconnected.
  • MTU - Sets the MTU size for WireGuard tunnels.

Remote Client Configuration

These fields are used when generating the Remote Client configuration.

  • DNS Server - IP address of the local DNS server that will be added to the client configuration. It is initially populated with the first defined DHCP DNS Server Override address, if one is found; otherwise the IP address of your first non-WAN interface is used.
  • Networks - These are the networks added to the client's allowed IP list. It is initially populated with all known local networks discovered from non-WAN interfaces (and their aliases) and static routes.

Peer IP Address Pool

  • Assignment - Used to select the method for address pool assignment. Can be set to Automatic, to let the system select an unused network space, or Self-assigned, to configure a user-entered network space.
  • Network Space - Shows the automatically assigned network space or allows editing the self-assigned network space.
  • New Network Space - Click when using Automatic assignment to select a new random network space.

Tunnels

The Tunnels tab is where you create and manage WireGuard VPN tunnels. Each tunnel in the table has options to view the client configuration or edit the tunnel.

For a step by step guide to setting up WireGuard VPN tunnels, see Setting up WireGuard VPN site-to-site connections in NG Firewall.
  • Remote Client - Clicking this icon displays a window showing the recommended client configuration both as a QR code, which many WireGuard mobile apps can scan with the device's camera, and as text suitable for copying and pasting into the remote client.
  • Tunnel Editor - When you add a tunnel or edit an existing tunnel, the tunnel editor screen will appear with the following configurable settings:
Note: You can copy the configuration from a remote NG Firewall peer and paste it into any of the configurable fields. The screen automatically populates all of the relevant fields from the remote side. This simplifies the configuration of tunnels and is recommended to avoid misconfiguration.
  • Enabled - This checkbox allows you to set a tunnel to enabled or disabled.
  • Description - This field should contain a short name or description.
  • Remote Public Key - This field is for the public key of the tunnel peer.
  • Remote Endpoint Type - This field controls the endpoint type for the peer.
    • Select Roaming if the remote endpoint is a mobile device using the WireGuard app or if the remote network is used for client access only and does not host any resources.
    • Select Static for a traditional site-to-site tunnel configuration where each network hosts resources that must be accessible over the virtual private network.
  • Remote Endpoint IP Address - Sets the IP address for a static endpoint.
  • Remote Endpoint Port - Sets the port for a static endpoint.
  • Remote Peer IP Address - This field sets the IP address that will be used by the remote peer.
  • Remote Networks - This field is used to configure the list of remote networks that should be routed across this WireGuard tunnel. Networks should be entered one per line in CIDR (192.168.123.0/24) format.
  • Monitor Ping IP Address - The IP address of a host on the remote network to ping for verifying that the tunnel is connected. Leave blank to disable.
  • Monitor Ping Interval - The time in seconds between attempts to ping the configured ping monitor address.
  • Monitor Alert on Tunnel Up/Down - When enabled, CONNECT and DISCONNECT alerts will be generated when the configured ping monitor transitions from reachable to unreachable and from unreachable to reachable.
  • Monitor Alert on Ping Unreachable - When enabled, UNREACHABLE alerts will be generated for each monitor ping that fails while the target is unreachable.
  • Local Service Information - This section includes information from the Status tab that is useful when doing copy/paste configuration between peers.
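
As an added example (not NG Firewall's own generator), the following Python script shows how the fields from the Settings and Remote Client Configuration sections above map onto the text form of a Remote Client configuration that the Remote Client icon displays, parses that text back, and checks which destinations a given configuration would actually send through the tunnel. The endpoint hostname, keys, peer address and networks are constructed placeholders; the exact layout NG Firewall emits may differ.

```python
import ipaddress

# Constructed stand-ins for the Settings and Remote Client Configuration
# fields; the hostname and keys are placeholders, not real values.
SERVER = {
    "listen_port": 51820,
    "keepalive_interval": 25,
    "mtu": 1420,
    "dns_server": "10.0.1.1",
    "networks": ["10.0.1.0/24", "10.0.2.0/24"],
    "endpoint_address": "vpn.example.invalid",
    "public_key": "SERVER_PUBLIC_KEY_PLACEHOLDER=",
}


def render_remote_client_config(server, peer_ip,
                                client_private_key="CLIENT_PRIVATE_KEY_PLACEHOLDER="):
    """Render the text form of a Remote Client configuration.

    The server's Networks list becomes the peer's AllowedIPs, so only
    traffic for those networks is sent through the tunnel; DNS Server,
    MTU, Listen port and Keepalive interval map onto the matching keys.
    Every network is validated as a strict CIDR before it is emitted.
    """
    allowed = [str(ipaddress.ip_network(n, strict=True)) for n in server["networks"]]
    peer_addr = ipaddress.ip_address(peer_ip)  # address from the Peer IP Address Pool
    lines = [
        "[Interface]",
        f"PrivateKey = {client_private_key}",
        f"Address = {peer_addr}/32",
        f"DNS = {server['dns_server']}",
        f"MTU = {server['mtu']}",
        "",
        "[Peer]",
        f"PublicKey = {server['public_key']}",
        f"Endpoint = {server['endpoint_address']}:{server['listen_port']}",
        f"AllowedIPs = {', '.join(allowed)}",
        f"PersistentKeepalive = {server['keepalive_interval']}",
    ]
    return "\n".join(lines) + "\n"


def parse_wg_config(text):
    """Parse INI-style WireGuard config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        key, _, value = line.partition("=")  # keys end in '=' too, so split once
        sections[current][key.strip()] = value.strip()
    return sections


def routes_through_tunnel(config_text, destination_ip):
    """True if `destination_ip` falls inside the peer's AllowedIPs.

    Useful for checking what a split-tunnel client configuration actually
    covers before handing it to a user.
    """
    allowed = parse_wg_config(config_text)["Peer"]["AllowedIPs"]
    dst = ipaddress.ip_address(destination_ip)
    return any(dst in ipaddress.ip_network(n.strip()) for n in allowed.split(","))


if __name__ == "__main__":
    cfg = render_remote_client_config(SERVER, "172.16.5.2")
    print(cfg)
    print(routes_through_tunnel(cfg, "10.0.2.77"))  # True
    print(routes_through_tunnel(cfg, "8.8.8.8"))    # False
```

The strict CIDR check matters because WireGuard treats AllowedIPs as both a route and an inbound source filter; a network entered with host bits set would be silently widened or rejected depending on the client, so it is better to refuse it when the configuration is generated.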

WireGuard VPN client

The WireGuard VPN client app is available for download on a variety of mobile devices and desktop operating systems, including iOS, macOS, Android, Windows, and Linux. The download links for each supported OS are available from the WireGuard website.

For a step by step setup guide, refer to the KB article Setting up WireGuard VPN on mobile devices and desktops.

Reporting

The Reports tab provides a view of all reports and events for all connections handled by WireGuard VPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
  • WireGuard VPN Summary - A summary of WireGuard VPN traffic.
  • WireGuard VPN Bandwidth Usage - The amount of traffic processed by the WireGuard service.
  • WireGuard VPN Events - Time chart of WireGuard VPN connection events.
  • Top Remote Clients (by usage) - The top WireGuard VPN peers by traffic usage.
  • Connection Events - Shows all WireGuard VPN tunnel monitoring events.
  • Tunnel Traffic Events - Shows all WireGuard tunnel traffic statistics events.
The tables queried to render these reports:

Related Topics

IPsec VPN

OpenVPN

WireGuard VPN Reports

The Reports tab provides a view of all reports and events for all connections handled by WireGuard VPN.

Reports

This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:
  • WireGuard VPN Summary - A summary of WireGuard VPN traffic.
  • WireGuard VPN Bandwidth Usage - The amount of traffic processed by the WireGuard service.
  • WireGuard VPN Events - Time chart of WireGuard VPN connection events.
  • Top Remote Clients (by usage) - The top WireGuard VPN peers by traffic usage.
  • Connection Events - Shows all WireGuard VPN tunnel monitoring events.
  • Tunnel Traffic Events - Shows all WireGuard tunnel traffic statistics events.