If your users need to work remotely either from home or another location, and they need access to domain resources, or you need to route their traffic out through the firewall public IP, you can configure the Smoothwall Firewall to act as an SSL VPN endpoint with its own self-generated SSL VPN client using the OpenVPN framework.
A Smoothwall Firewall in other deployments (Transparent Bridge, Routed In-Line) can also make use of the SSL VPN. However, additional configuration is required on any upstream firewall to forward the relevant ports to the Smoothwall Firewall.
This procedure downloads a VPN client for Windows-based devices. For all other devices, see our knowledge base article, What SSL VPN Client to Use for iOS, Android and Mac OS.
The VPN Client
Please note: during this setup, the Smoothwall Firewall might prompt you to restart the VPN subsystems. This does not restart the Firewall itself, only the VPN subsystems.
Procedure
In your Smoothwall Firewall:
- Turn on the automatic control of VPN subsystems, see our help topic, Controlling the VPN system.
- Create a new local Certificate Authority if one doesn’t exist, see our help topic, Importing and creating certificate authorities and their certificates.
- Create a new self-signed certificate if one doesn’t already exist, see our help topic, Importing and creating certificates.
- As of iOS 13 and macOS 10.15, Apple clients reject TLS server certificates with a validity period of more than 825 days. We therefore recommend selecting the "User Defined" lifetime for both the Certificate Authority and the certificate and entering 825 (days) as the life length; the certificate is only usable while the CA that signed it is still valid.
- If the VPN is to be accessed by mobile devices (Android or iOS), export the newly created certificate as a PKCS#12 file:
- Select the new certificate, apply a password to the file and click Export certificate and key as PKCS#12.
- Save this file and the password used for later use as mobile devices will need it.
- Ensure these global VPN network settings are configured, see our help topic, Managing global VPN network settings:
- Default local certificate:
- Certificate: Select the certificate that you made.
- L2TP and SSL VPN client configuration settings:
- Primary DNS: Use an internal (domain) DNS server so that VPN clients can resolve internal hostnames.
- Secondary DNS: A secondary DNS server is not typically needed unless your domain uses one.
- SSL VPN Settings: This works around DNS and traffic issues on some client devices.
- Enable SSL VPN: Yes
- SSL VPN Network Address: Ensure the SSL VPN Network Address and subnet mask does not conflict with any other internal networks.
- Force Clients to use SSL VPN as gateway: No. Most implementations of the SSL VPN do not need this setting enabled. If it is enabled, all client traffic (including web traffic) is sent down the SSL VPN, which then requires a transparent proxy policy applied to the 'Other' interface so that Guardian can process the traffic; otherwise, clients will have no Internet access while connected to the VPN.
- Enable TLS Authentication: Yes
- Warning: Changing this setting will invalidate any previously exported client archives.
- Transport protocol: HTTPS by default, which most remote networks allow outbound; change it only if your deployment needs a different port or protocol.
- SSL VPN Client Gateway(s): Nominate the public IP address that clients will connect to, as per your network requirements.
- Choose random gateway: Not typically needed. When enabled, each client connects to a random entry from the supplied gateways.
- Click Save, and then to download a configured ZIP file containing the installation package and .ovpn file, click Generate client archive and distribute it to your Windows-based devices.
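Before distributing the archive, it is worth checking the exported certificate and the generated .ovpn profile against the settings above. The following shell script is an added example written for this page, not Smoothwall's own tooling. It needs openssl and GNU date; it generates a constructed self-signed certificate as a stand-in for the one the Smoothwall Firewall issues, and audits a constructed sample profile. The directive names it looks for (auth-user-pass, tls-auth/tls-crypt/key-direction, remote-cert-tls, redirect-gateway) are standard OpenVPN ones; the hostname vpn.example.com, the gateway 203.0.113.10, the file names and the password are assumptions, and the exact contents of a Smoothwall-generated .ovpn may differ, so adapt the checks to yours.

```shell
#!/bin/sh
# Added example for this page, not Smoothwall tooling. Needs openssl and GNU date.
set -eu
WORK="$(mktemp -d)"

# make_cert <name> <days>: constructed stand-in for the Smoothwall-issued certificate.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
    -subj "/CN=vpn.example.com" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_validity_days <cert.pem>: prints (notAfter - notBefore) in whole days.
cert_validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}

# check_cert_lifetime <cert.pem>: iOS 13+ and macOS 10.15+ reject TLS server
# certificates valid for more than 825 days. Returns 0 if the lifetime is acceptable.
check_cert_lifetime() {
  days=$(cert_validity_days "$1")
  if [ "$days" -le 825 ]; then echo "OK   $1: valid for $days days"; return 0; fi
  echo "FAIL $1: valid for $days days (> 825, Apple clients will reject it)"
  return 1
}

# export_p12 <name> <password>: the PKCS#12 bundle that mobile clients import.
export_p12() {
  openssl pkcs12 -export -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -name smoothwall-sslvpn -out "$WORK/$1.p12" -passout "pass:$2"
}

# verify_p12 <name> <password>: returns 0 only if the bundle opens with that password.
verify_p12() {
  openssl pkcs12 -in "$WORK/$1.p12" -noout -passin "pass:$2" 2>/dev/null
}

# audit_profile <file.ovpn> <force_gateway yes|no>: checks for the OpenVPN
# directives the settings above should produce. Returns the number of problems.
audit_profile() {
  f="$1"; problems=0
  has() { grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$f"; }
  has 'auth-user-pass' ||
    { echo "MISSING auth-user-pass: no username/password prompt"; problems=$((problems + 1)); }
  has '(tls-auth|tls-crypt|key-direction)' ||
    { echo "MISSING tls-auth/tls-crypt: Enable TLS Authentication is set to Yes"; problems=$((problems + 1)); }
  has 'remote-cert-tls server' ||
    { echo "MISSING remote-cert-tls server: client would accept any certificate the CA issued"; problems=$((problems + 1)); }
  if [ "$2" = yes ]; then
    has 'redirect-gateway' ||
      { echo "MISSING redirect-gateway: Force Clients to use SSL VPN as gateway is Yes"; problems=$((problems + 1)); }
  else
    ! has 'redirect-gateway' ||
      { echo "UNEXPECTED redirect-gateway: all client traffic would be sent down the VPN"; problems=$((problems + 1)); }
  fi
  echo "$f: $problems problem(s)"
  return "$problems"
}

# Constructed sample profile matching the settings above: HTTPS transport,
# TLS authentication on, Force Clients to use SSL VPN as gateway off.
cat >"$WORK/good.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote 203.0.113.10 443
remote-cert-tls server
auth-user-pass
key-direction 1
# the <tls-auth> key block is omitted from this constructed sample
verb 3
EOF

# Constructed profile with problems to catch before distribution: no TLS-auth
# key, no server-certificate check, and an unintended default route.
cat >"$WORK/bad.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote 203.0.113.10 443
auth-user-pass
redirect-gateway def1
EOF

make_cert server 825
make_cert toolong 1095
check_cert_lifetime "$WORK/server.crt"
check_cert_lifetime "$WORK/toolong.crt" || true
export_p12 server 'Example-P12-Password'
verify_p12 server 'Example-P12-Password' && echo "OK   $WORK/server.p12 opens with the saved password"
audit_profile "$WORK/good.ovpn" no
audit_profile "$WORK/bad.ovpn" no || true
```

Run it as is to see both the passing and the failing cases; to check a real export, point check_cert_lifetime at the certificate you downloaded and audit_profile at the .ovpn from the client archive, passing yes or no for the gateway option as you set it. The remote-cert-tls server check matters even though the page does not mention it: without it a client will accept any certificate signed by the same CA, including a client certificate, as the VPN server.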
For mobile devices, the PKCS#12 cert and .ovpn file are needed to connect to the VPN using OpenVPN. Administrators might want to extract the .ovpn file and bundle it with the PKCS#12 file for ease of deployment.
For help troubleshooting VPNs, see our knowledge base articles in the VPN section.
The Firewall
To allow traffic from the SSL VPN interface (essentially a virtual NIC) into the different LAN segments on the Smoothwall, you need to create Firewall rules.
Procedure
In your Smoothwall Firewall:
- Navigate to Network > Firewall > Firewall rules.
- Create a new section, see our help topic, Adding sections.
- In the new section, create a new rule with the following settings:
- Name: SSL VPN Access
- Source IP: Any
- Inbound Interface: SSL VPN
- Destination IP: Any*
- Outbound Interface: All Internal & All External*
- Services: Any*
- Apps: Any
- Groups: Any
- Action: Accept
- Log: No - clear if selected.
* Outbound access on 'All External' interfaces is only needed if Internet access is required over the VPN.
* Select services as per your specific requirements. 'Any' is an open rule permitting all ports.
More information on creating firewall rules here: Smoothwall Filter & Firewall: Creating Firewall Rules
Options marked with * are listed as such for maximum flexibility and permit outbound access through the firewall to the Internet. This is a very open rule; restrict it to the internal interfaces, IP addresses/subnets and services your security policy actually requires.
The Firewall makes use of connection tracking, so a reverse rule is not typically necessary.
The Authentication
The SSL VPN prompts for a username and password when a client connects, to authenticate the user. Users can authenticate with Active Directory credentials (assuming an active AD bind) or with credentials set up in a Local Directory. If you use Local Directory accounts for VPN users, it is beneficial to reorder the directories and move the Local Directory above any other directory listed on the Directories page, see our help topic, Managing directories.
Installing and Running the SSL VPN on Windows-Based Devices
Procedure
- Extract the .zip file downloaded from the Smoothwall Firewall to a secure location on the client device (for example, Program Files or the root of C:\) and run the installer. Accept the TAP device drivers and reboot the machine once the installation completes.
- From the Windows Start Menu, open the Smoothwall SSL VPN app.
- From the system tray, double-click the shield icon.
- On the launcher, click Import.
- In the Import config file dialogue box, under the Import existing Configuration section, click the ellipsis (...) button and locate the .ovpn file.
- You can rename the .ovpn file to indicate the site the user is connecting to.
- The application will confirm a successful import, and the user can then connect to the VPN and enter their username and password.
For installing on macOS, iOS or Android, please see the documentation for the relevant application. On iOS and Android, the PKCS#12 cert will need to be installed to the User Certificate Store as a VPN certificate and the .ovpn file imported into the SSL VPN application. Also, see our knowledge base article, What SSL VPN Client to Use for iOS, Android and Mac OS.