A Primer on SSL VPN
SSL VPN provides a secure and straightforward client-server VPN solution for remote workers, allowing controlled access to site resources from remote locations. The Smoothwall Filter & Firewall can provide this functionality as part of the VPN module, with user authentication carried out against a Windows domain or against local user accounts hosted on the Smoothwall.
Typically, a Smoothwall appliance should be deployed as an edge firewall for best connectivity. The SSL VPN can work in other deployments, provided that incoming connections for the VPN are forwarded to the Smoothwall correctly.
VPN services through a Smoothwall are a licensed module available in the UTM software. If you are unsure whether VPN is available on your Smoothwall, please contact Support.
SSL VPN Client Software
The Smoothwall SSL VPN comes bundled with a branded SSL VPN client for Windows systems.
For Mac, iOS and Android, and as a Windows alternative, our VPN client configuration files (.ovpn file extension) are compatible with OpenVPN Connect v3, which is available on all major platforms.
Note: We cannot guarantee correct VPN function with third-party VPN clients, due to disparities in supported OpenVPN configuration options and TLS version requirements.
2FA / MFA
At the time of writing, the Smoothwall SSL VPN does not support 2FA/MFA as an additional authentication factor; authentication is by username and password only.
Configuring the SSL VPN Server
Assuming the VPN module is licensed and installed, the SSL VPN can be enabled and configured from the Smoothwall Admin UI.
Procedure
- Turn on the automatic control of VPN subsystems, see our help topic, Controlling the VPN system.
- Create a new local Certificate Authority if one doesn’t exist, see our help topic, Importing and creating certificate authorities and their certificates.
- Create a new server certificate, signed by the local Certificate Authority, if one doesn't already exist, see our help topic, Importing and creating certificates.
- As of iOS 13 and macOS 10.15, TLS server certificates must have a validity period of 825 days or fewer. Therefore, we recommend that you use the 'User Defined' lifetime for the Certificate Authority and nominate 825 days as the lifetime. The limit applies to the server certificate presented to clients, so keep the server certificate's lifetime within 825 days as well.
- If the VPN is to be accessed by mobile devices (Android or iOS), export the newly created certificate as a PKCS#12 file:
  - Select the new certificate, apply a password to the file and click Export certificate and key as PKCS#12.
  - Keep this file and the password used; mobile devices will need both later.
- Configure these global VPN network settings, see our help topic, Managing global VPN network settings:
- Default local certificate:
  - Certificate: Select the certificate that you made.
- L2TP and SSL VPN client configuration settings:
  - Primary DNS: Use a domain DNS server so that clients can resolve internal hostnames.
  - Secondary DNS: A secondary DNS server is not typically needed unless your domain uses one.
- SSL VPN Settings: This works around DNS and traffic issues on some client devices.
  - Enable SSL VPN: Yes
  - SSL VPN Network Address: Ensure that the SSL VPN network address and subnet mask do not overlap with any other internal network; an overlapping range leaves clients unable to route to the conflicting LAN.
  - Force Clients to use SSL VPN as gateway: No. Most implementations of the SSL VPN do not need this setting enabled. If it is enabled, all traffic (including web traffic) is sent down the SSL VPN, which then requires a transparent proxy policy applied to the 'Other' interface so that Guardian can process the traffic. Otherwise, you will not have Internet access when connected to the VPN.
  - Enable TLS Authentication: Yes
    - Warning: Changing this setting invalidates any previously exported client archives, so generate and distribute a new client archive after changing it.
  - Transport protocol: HTTPS by default; change it only if your network requires a different transport.
  - SSL VPN Client Gateway(s): Nominate the public IP address (or addresses) that clients connect to, as required by your network.
  - Choose random gateway: Not typically needed; when enabled, each client connects to one of the supplied gateways chosen at random.
- Click Save, and then click Generate client archive to download a configured ZIP file containing the installation package and .ovpn file. Distribute it to your Windows-based devices.
Configuring The Firewall
To allow traffic from the SSL VPN interface (essentially a virtual NIC) into the different LAN segments on the Smoothwall, you need to create Firewall rules.
Procedure
In your Smoothwall Firewall:
- Navigate to Network > Firewall > Firewall rules.
- Create a new section, see our help topic, Adding sections.
- In the new section, create a new rule with the following settings:
  - Name: SSL VPN Access
  - Source IP: Any
  - Inbound Interface: SSL VPN
  - Destination IP: Any*
  - Outbound Interface: All Internal & All External*
  - Services: Any*
  - Apps: Any
  - Groups: Any
  - Action: Accept
  - Log: No (clear it if selected; enable it if you need an audit trail of what VPN users access)
* Outbound access on 'All External' interfaces need only be included if Internet access is required through the VPN.
* Select services according to your specific requirements; 'All' is an open rule permitting all ports.
For more information on creating firewall rules, see Smoothwall Filter & Firewall: Creating Firewall Rules.
The options marked with * are set this way for maximum flexibility and permit outbound access through the firewall to the Internet. This is a very open rule; restrict it to the internal interfaces, IP addresses/subnets and services that your security policy actually requires.
The firewall uses connection tracking, so return traffic for connections initiated from the VPN is allowed automatically and a reverse rule is not normally necessary.
VPN User Authentication
The SSL VPN prompts for a username and password on connection to authenticate the user. Users can authenticate with Active Directory credentials (assuming an active AD bind) or with credentials set up in a Local Directory. If local accounts are used, it is beneficial to reorder the directories and move the Local Directory above any other directory listed on the Directories page, see our help topic, Managing directories.
Multi-Tenant Authentication
If your Smoothwall is configured with multiple tenants, VPN authentication will not work unless one of the following is true:
- The SSL VPN subnet is included in the IP ranges of the tenant that uses the VPN function, or
- A separate VPN tenant is created, listing the SSL VPN subnet as its IP location, and that tenant is assigned to every domain against which VPN authentication needs to be carried out.
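Two of the steps above are address-planning checks that are easy to get wrong by hand: the SSL VPN network address must not overlap any internal network (global VPN settings), and under multi-tenancy the SSL VPN subnet must fall inside a tenant's IP ranges. The following is an added example, not Smoothwall code, that performs both checks with Python's standard ipaddress module; the subnet values are constructed for illustration, and it assumes tenant IP ranges are expressed in CIDR or address/netmask form.

```python
"""Address-planning checks for the Smoothwall SSL VPN subnet.

Added example (not Smoothwall code). Network values below are constructed
for illustration. Accepts either CIDR ("10.8.0.0/24") or the
address/netmask form used in the Admin UI ("10.8.0.0/255.255.255.0").
"""
import ipaddress
from typing import Dict, Iterable, List


def _net(value: str) -> ipaddress.IPv4Network:
    # strict=False tolerates host bits being set, e.g. "10.8.0.1/24"
    return ipaddress.ip_network(value, strict=False)


def overlapping_networks(vpn_subnet: str, internal: Iterable[str]) -> List[str]:
    """Return every internal network that overlaps the proposed SSL VPN subnet.

    Any overlap is a routing conflict: VPN clients cannot reach the
    overlapping LAN, and LAN hosts may mis-route replies.
    """
    vpn = _net(vpn_subnet)
    return [n for n in internal if _net(n).overlaps(vpn)]


def tenant_covers_vpn(vpn_subnet: str, tenant_ranges: Iterable[str]) -> bool:
    """True if the SSL VPN subnet lies entirely within one tenant IP range.

    Partial containment is not enough: a client address outside the tenant's
    ranges would not be matched to the tenant at authentication time.
    """
    vpn = _net(vpn_subnet)
    return any(vpn.subnet_of(_net(r)) for r in tenant_ranges)


def plan_report(vpn_subnet: str, internal: Iterable[str],
                tenant_ranges: Iterable[str] = ()) -> Dict[str, object]:
    """Summarise both checks for a proposed VPN subnet.

    `tenant_ranges` may be empty on a single-tenant Smoothwall, in which case
    the tenant check is reported as not applicable.
    """
    tenant_ranges = list(tenant_ranges)
    overlaps = overlapping_networks(vpn_subnet, internal)
    report = {
        "vpn_subnet": str(_net(vpn_subnet)),
        "overlaps": overlaps,
        "tenant_ok": tenant_covers_vpn(vpn_subnet, tenant_ranges) if tenant_ranges else None,
    }
    report["ok"] = not overlaps and report["tenant_ok"] in (True, None)
    return report


if __name__ == "__main__":
    # Constructed site: two LANs plus a tenant range, and two candidate VPN subnets.
    lans = ["192.168.1.0/24", "10.8.0.0/16"]
    tenant = ["172.16.0.0/16"]
    for candidate in ("10.8.0.0/255.255.255.0", "172.16.50.0/24"):
        r = plan_report(candidate, lans, tenant)
        print(candidate, "->", "OK" if r["ok"] else f"PROBLEM {r}")
```

Run it before saving the SSL VPN network address: a non-empty `overlaps` list means the candidate must change, and `tenant_ok` of False means the subnet must be added to the tenant's IP ranges or a dedicated VPN tenant created.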
Installing and Running the SSL VPN on Windows-Based Devices
Procedure
- Extract the .zip file downloaded from the Smoothwall Firewall to a secure location on the client device (Program Files or directly under C:\) and run the installer. Accept the TAP device drivers and reboot the machine once the installation has completed.
- From the Windows Start Menu, open the Smoothwall SSL VPN app.
- From the system tray, double-click the shield icon.
- On the launcher, click Import.
- In the Import config file dialogue box, under the Import existing Configuration section, click the ellipsis (...) and locate the .ovpn file.
- You can rename the .ovpn file to indicate the site a user is connecting to.
- The application confirms a successful import; the user can then connect to the VPN and enter their username and password.
SSL VPN Certificate/CA Renewal
Depending on the lifetimes chosen for the VPN Certificate Authority and server certificate, they will eventually need replacing: once either has expired, the SSL VPN client will no longer be able to connect to the Smoothwall. Plan the renewal before expiry, as the new client archive must be distributed to every user.
Procedure
Having logged in to the Smoothwall Web-UI:
- Navigate to Network > VPN > Global. Disable the SSL VPN, save the change and restart the VPN module when prompted.
- From the 'Default local certificate' drop-down at the top, select 'No Certificate', then save and restart the module again.
- Navigate to Network > VPN > Certificates, mark the expired VPN certificate and delete it.
- If the CA has also expired, navigate to Network > VPN > Certificate Authorities, tick the 'Confirm deletion' box and use the 'Delete Certificate Authority' tool to remove the invalid CA.
- Create a new Certificate Authority if required.
- Navigate to Network > VPN > Certificates and create a new server certificate.
- Navigate to Network > VPN > Global and select the new certificate from the 'Default local certificate' drop-down. Save and restart the VPN module when prompted.
- Re-enable the SSL VPN at the bottom of the page, then save and restart the VPN module again.
- Export a new client archive to your local machine. Extract the connection.ovpn file from the archive and distribute it to the end users for import into the SSL VPN client software.
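Because an expired certificate or CA silently stops every client from connecting, it is worth checking the validity window of the server certificate on a schedule rather than waiting for the renewal procedure above to become urgent. The following is an added example, not Smoothwall code: it reads the output of `openssl x509 -noout -dates -in <certificate.pem>` (the PEM file exported from the Smoothwall, or the certificate block extracted from the .ovpn file), reports the certificate's lifetime and days to expiry, and flags two problems named on this page: a lifetime over the 825-day limit that iOS 13 / macOS 10.15 clients enforce, and an expired or soon-to-expire certificate. The sample openssl outputs are constructed, and the 30-day warning threshold is an assumption chosen for illustration.

```python
"""Check a VPN server certificate's validity window.

Added example (not Smoothwall code). Input is the text printed by
`openssl x509 -noout -dates -in certificate.pem`; the samples below are
constructed. The 30-day warning threshold is an assumption.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

APPLE_MAX_DAYS = 825          # iOS 13 / macOS 10.15 limit for TLS server certificates
RENEW_WARNING_DAYS = 30       # assumption: warn when this close to expiry
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"   # e.g. "Jan  1 00:00:00 2024 GMT"


def parse_openssl_dates(text: str) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) as UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a double space ("Jan  1"); collapse it
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_DATE_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_certificate(openssl_dates_output: str, today: str = None) -> Dict[str, object]:
    """Assess lifetime and remaining validity.

    `today` is an ISO date (YYYY-MM-DD) for reproducible checks; it defaults
    to the current UTC time. Returns lifetime_days, days_left and a list of
    human-readable problems (empty when the certificate is fine).
    """
    not_before, not_after = parse_openssl_dates(openssl_dates_output)
    now = (datetime.fromisoformat(today).replace(tzinfo=timezone.utc)
           if today else datetime.now(timezone.utc))
    lifetime_days = (not_after - not_before).days
    days_left = (not_after - now).days
    problems: List[str] = []
    if lifetime_days > APPLE_MAX_DAYS:
        problems.append(
            f"lifetime of {lifetime_days} days exceeds the {APPLE_MAX_DAYS}-day limit; "
            "iOS 13+/macOS 10.15+ clients will reject this server certificate")
    if days_left < 0:
        problems.append(
            f"certificate expired {-days_left} days ago; clients cannot connect "
            "until it is renewed and a new client archive is distributed")
    elif days_left <= RENEW_WARNING_DAYS:
        problems.append(
            f"certificate expires in {days_left} days; renew it and redistribute "
            "the client archive now")
    return {"not_before": not_before, "not_after": not_after,
            "lifetime_days": lifetime_days, "days_left": days_left,
            "problems": problems}


# Constructed samples in the exact format openssl prints.
SAMPLE_OK = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Apr  5 00:00:00 2026 GMT\n"
SAMPLE_TOO_LONG = "notBefore=Jan  1 00:00:00 2020 GMT\nnotAfter=Jan  1 00:00:00 2030 GMT\n"
SAMPLE_EXPIRED = "notBefore=Jan  1 00:00:00 2023 GMT\nnotAfter=Jan  1 00:00:00 2025 GMT\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("too-long", SAMPLE_TOO_LONG),
                         ("expired", SAMPLE_EXPIRED)):
        result = check_certificate(sample, today="2026-01-01")
        print(f"{name}: lifetime={result['lifetime_days']}d left={result['days_left']}d")
        for problem in result["problems"]:
            print("  -", problem)
```

In practice, feed the function the live output (`subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path], capture_output=True, text=True).stdout`) from a scheduled job, and treat any non-empty `problems` list as a ticket to start the renewal procedure above. The same check applies to the CA certificate, since an expired CA also breaks every client.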