This article outlines how to set up SSL VPN to allow controlled access to site resources from remote locations.
Before you begin
- Ensure you have the Tunnel module installed.
- For users to sign in to the VPN, you’ll need one of these:
  - A Local Users Directory.
  - Credentials synced to the Smoothwall Appliance from Active Directory.
- If you have a Multi-tenant setup, choose one of these approaches:
  - Add the IP range used for SSL VPN to an existing tenant. The tenancy decides which web filter policies apply and which directory users are authenticated against, so users on the SSL VPN subnet are authenticated and filtered according to that tenancy.
  - Create a new tenant to be used for SSL VPN, adding the SSL VPN subnet as the IP address, and adding this tenant to any domain that VPN authentication needs to be carried out against.
Step 1: Turn on the automatic control of VPN subsystems
To let remote users tunnel in without waiting for the system to be started manually, and to allow site-to-site tunnels to negotiate a connection automatically:
- Go to Network > VPN > Control.
- Select the Start VPN sub-system automatically checkbox.
- Select Save.
To manually control the VPN system:
- Go to Network > VPN > Control.
- Ensure the Start VPN sub-system automatically checkbox is clear.
- Use the Manual control section:
  - Select Restart to start the VPN system. The Current status shows RUNNING when all tunnels have connected.
  - Select Stop to stop the VPN system. The Current status shows STOPPED when all tunnels have disconnected.
Step 2: Create a VPN certificate
If no certificates exist, create a VPN Certificate Authority and VPN Certificate.
Tip
Set a reminder to renew the Certificates before they expire to prevent service interruptions.
Step 3: Set global VPN settings
Important
These details apply to the Maiden version of Smoothwall. For support with Leeds, contact the Support Team.
- Go to Network > VPN > Global.
- Set the certificate:
  - In the Default local certificate section, change the Certificate dropdown from No certificate to a Certificate.
  - Select Save.
  - A banner appears with this message: ‘Warning: There are unsaved changes. To activate them, press the Restart button.’
  - Select Restart. Once your Smoothwall restarts, it uses this certificate by default for future VPN tunnels, unless you specify otherwise.
- In the SSL VPN settings section:
  - Select the Enable SSL VPN checkbox.
  - For Transport protocol, select either:
    - TCP (HTTPS) to run the SSL VPN connection over port 443.
    - UDP (1194) to run the SSL VPN connection over port 1194.
  - Enter the Primary DNS.
  - Optionally, enter a Secondary DNS. You can leave this field blank.
  - Leave the Primary WINS server and Secondary WINS fields blank.
  - For SSL VPN network address, enter the network address of the SSL VPN network that clients connect to. Ensure the network is large enough to accommodate the maximum expected number of concurrent VPN users.
  - Enter the subnet mask for that network in the SSL VPN netmask field.
  - For the Force clients to use SSL VPN as gateway checkbox:
    - Recommended: Keep this checkbox clear so that only traffic destined for the remote network goes over the VPN. All other traffic routes via the client’s default gateway.
    - Only select this checkbox if you want Smoothwall to send all client traffic through the SSL VPN, including traffic usually destined for the Internet. Ensure you configure firewall and routing policies to allow outbound traffic to the Internet, and to route the return traffic back to the VPN client.
  - For SSL VPN client gateway(s), enter the host names or IP addresses that client devices connect to.
  - Keep the Enable TLS authentication checkbox selected to use Transport Layer Security (TLS) authentication.
  - Only select the Choose random gateway checkbox if you want Smoothwall to direct clients to a random IP address out of the supplied gateways.
- Select Save.
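The network address and netmask entered above have to hold every expected concurrent user and must not collide with the LAN segments that Step 4 opens the firewall to. The following added example (not part of the Smoothwall documentation) checks both conditions before you commit the values; it assumes that the network and broadcast addresses are unusable and that the VPN server takes one address, and the sample networks are constructed.

```python
import ipaddress

# Assumption (not stated by the documentation): the network address, the
# broadcast address and the VPN server's own address are not assignable
# to clients, so client slots = total addresses - 3.
RESERVED_ADDRESSES = 3


def sslvpn_subnet_check(network_address, netmask, expected_users, lan_networks):
    """Report whether an SSL VPN subnet is big enough and free of overlaps.

    network_address / netmask: the values typed into the SSL VPN network
        address and SSL VPN netmask fields, e.g. "10.8.0.0" and "255.255.255.0".
    expected_users: maximum number of concurrent VPN clients.
    lan_networks: CIDR strings for the internal segments clients will reach.
    Raises ValueError if network_address is a host address rather than the
    network address, which is what the Global page expects.
    """
    vpn_net = ipaddress.ip_network(f"{network_address}/{netmask}", strict=True)
    client_slots = vpn_net.num_addresses - RESERVED_ADDRESSES

    # A VPN subnet that overlaps a LAN segment makes routing between the
    # SSL VPN interface and that segment ambiguous.
    overlaps = [
        lan for lan in lan_networks
        if vpn_net.overlaps(ipaddress.ip_network(lan, strict=False))
    ]

    problems = []
    if client_slots < expected_users:
        problems.append(
            f"only {client_slots} client addresses for {expected_users} users")
    if overlaps:
        problems.append("overlaps LAN segment(s): " + ", ".join(overlaps))

    return {
        "vpn_network": str(vpn_net),
        "client_slots": client_slots,
        "overlaps": overlaps,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    lans = ["192.168.10.0/24", "192.168.20.0/24"]
    print(sslvpn_subnet_check("10.8.0.0", "255.255.255.0", 200, lans))   # ok
    print(sslvpn_subnet_check("10.8.0.0", "255.255.255.0", 300, lans))   # too small
    print(sslvpn_subnet_check("192.168.10.0", "255.255.255.0", 50, lans))  # overlap
```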
Step 4: Allow access through the Firewall
To allow traffic from the SSL VPN interface into the different LAN segments on the Smoothwall Appliance, create a Firewall rule with these settings:
- Inbound Interfaces: SSL VPN
- Outbound Interface:
  - Select All external interfaces to allow access from the SSL VPN to the Internet.
  - Select All internal interfaces, or select the specific interface(s), to allow access from the SSL VPN interface to the LAN.
- Action: Accept
- Don’t select the Log checkbox.
Set the Source IP addresses, Destination IP addresses, Services, Applications (Apps) and Groups as required.
Step 5: Distribute the client archive
Download and install the SSL VPN archive to client devices.
When users connect to the VPN, the VPN interface asks for their username and password. They must use their Active Directory credentials synced to Smoothwall or Local Users Directory credentials.
Note
Smoothwall SSL VPN doesn’t support MFA. Users won’t see an MFA option on the client sign-in page.
(Optional) Turn SSL VPN off for User Groups
All users can use the SSL VPN by default, or you can turn SSL VPN off for specific User Groups.
- Go to Network > VPN > SSL roadwarriors and go to the Select group section.
- By default, the Select group field is set to Global. Select a built-in or custom User Group.
- Select Select.
- You’ll see a new SSL VPN group settings section with an Enable checkbox. Clear the checkbox to turn SSL VPN off for this User Group.
- Select Save.
- You’ll see a banner with this message: ‘Warning: There are unsaved changes. To activate them, press the Restart button.’ Select Restart.
(Optional) Use custom scripts
You can add custom scripts to run commands before or after a VPN goes up or down.
Important
Smoothwall Support can’t build or troubleshoot custom scripts for you.
- Go to Network > VPN > SSL roadwarriors.
- By default, the Select group field is set to Global. Select a built-in or custom User Group to apply the scripts to that User Group.
- To manage your scripts:
  - In the Custom client scripts section, you can upload or remove a Preconnect, Connect or Disconnect script.
  - Select Advanced to see the Additional custom client configuration section. Here you can upload or remove a configuration file.