FWCloud fully integrates VPN management with the security policy. From FWCloud-UI you can create and manage your Public Key Infrastructure (PKI).
In order to issue and revoke certificates you need a Certificate Authority (CA). It is the trusted entity that vouches for the binding between a public key and the identity of a user or a service.
# New CA
In the PKI area right click on the icon and select
You need to provide a name and the valid period for the new CA.
Generating a new CA can take a while. It runs in the background, so you can continue working with FWCloud-UI.
The settings of a CA can be reviewed by double-clicking the CA name or by right-clicking and selecting
The information displayed cannot be modified.
To remove a CA, right-click the CA name and select
If you try to delete a CA that has issued certificates which have not yet been removed, you will receive a warning and the deletion will not be carried out.
If the deletion is possible, you will first be asked for confirmation.
One of the objectives of the PKI is configuring VPN connections. You will need a certificate for the VPN server and a certificate for each client that will connect to that server.
# New Server Certificate
New certificates can be issued from the CA.
For a server certificate select Server as the type of the certificate in the drop down selection box.
# New Client Certificate
The process for issuing a client certificate is almost the same as for a server certificate. From the CA select New certificate and select Client as the type of the certificate in the displayed form.
The form changes to propose a naming style for the certificate that includes the company name, the country, the department, the name of the person the certificate is issued to and a number, in case more than one certificate is issued for the same person.
You can follow this nomenclature or hide this wizard by clicking on the "Wizard" button and write the name of the certificate directly.
You must fill in the name and the validity period and save the changes. If everything goes fine you will see a message in the top right corner of FWCloud-UI.
As a good practice, if the certificate is issued for a person, we recommend including their name in the certificate name. Also consider appending a number at the end of the certificate name. If the client needs another certificate in the future, just increase that number.
Server and client certificates can be reviewed by double-clicking the certificate name or by right-clicking and selecting
The information displayed cannot be modified.
To keep the certificates organized you can create folders. These are called Prefixes in FWCloud-UI terms. All certificates whose name starts with the prefix are automatically included in that folder. Prefixes group the certificates under one name and can be created in the PKI section.
When a certificate is no longer needed, it can be removed. Right-click the certificate name and select
FWCloud-UI does not allow deleting certificates that are in use. First remove any VPN configuration that makes use of them.
# Server Configuration
To use the server certificate, drag and drop it over the name of the firewall that is going to be the VPN server.
A new form opens automatically. You need to enter the network address and mask of the network the VPN server will hand out IP addresses from. This object is called LAN-VPN-xxxx by default, where xxxx is the name of the Server Certificate. The name of the object can be modified by double-clicking the name of the Server Certificate on the right panel or by right-clicking and selecting
Although the configuration in this form is enough for the VPN Server, you can modify these settings and add, modify or delete the allowed options, such as the name of the file that stores this configuration, its folder, or other options like the verbosity level.
For reference, these are the allowed options: server, port, proto, dev, topology, ifconfig-pool-persist, ccd-exclusive, client-config-dir, keepalive, cipher, user, group, persist-key, persist-tun, status, verb, multihome, askpass, auth-nocache, auth-retry, auth-user-pass-verify, auth-user-pass, auth, bcast-buffers, ca, cd, cert, chroot, client-cert-not-required, client-disconnect, client-to-client, client, connect-freq, comp-lzo, compress, connect-retry, crl-verify, cryptoapicert, daemon, dev-node, dev-type, dh, dhcp-option, dhcp-release, dhcp-renew, disable-occ, disable, down-pre, down, duplicate-cn, echo, engine, explicit-exit-notify, fast-io, float, fragment, hand-window, hash-size, http-proxy-option, http-proxy-retry, http-proxy-timeout, http-proxy-server, ifconfig-noexec, ifconfig-nowarn, ifconfig-pool-linear, ifconfig-pool, ifconfig-push, ifconfig, inactive, inetd, ip-win32-method, ipchange, iroute, key-method, key, key-size, learn-address, link-mtu, local, log-append, log, suppress-timestamps, lport, management-hold, management-log-cache, management-query-passwords, management, max-clients, max-routes-per-client, mktun, mlock, mode, mssfix, mtu-disc, mtu-test, mute-replay-warnings, mute, nice, no-iv, no-replay, nobind, ns-cert-type, passtos, pause-exit, persist-local-ip, persist-remote-ip, ping-exit, ping-restart, ping-timer-rem, ping, pkcs12, plugin, pull, push-reset, rcvbuf, redirect-gateway, remap-usr1, remote-cert-tls, remote-random, reneg-bytes, reneg-pkts, reneg-sec, replay-persist, replay-window, resolv-retry, rmtun, route-delay, route-gateway, route-method, route-noexec, route, rport, secret, server-bridge, show-adapters, show-ciphers, show-digests, show-net-up, show-net, show-tls, show-valid-subnets, single-session, sndbuf, socks-proxy-retry, socks-proxy, status-version, syslog, tap-sleep, tcp-queue-limit, test-crypto, tls-auth, tls-cipher, tls-client, tls-exit, tls-remote, tls-server, tls-timeout, tls-verify, tls-version-min, tls-version-max, tmp-dir, tran-window, tun-ipv6, tun-mtu-extra, tun-mtu, txqueuelen, up-delay, up-restart, up-cmd, username-as-common-name and writepid. More information about the options can be found in the OpenVPN options reference.
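The form above only accepts option names from a fixed list, and by default it enables ccd-exclusive together with a client-config-dir. The following Python example is added here to show what that kind of validation and rendering looks like; it is not FWCloud's own code. The ALLOWED_SERVER_OPTIONS set is a subset of the list above, the file paths are assumed, and the ccd-exclusive/client-config-dir pairing check mirrors the requirement OpenVPN itself enforces at startup.

```python
import ipaddress

# Subset of the option names the server form allows (taken from the list above).
# Assumption: a real deployment would load the complete list.
ALLOWED_SERVER_OPTIONS = {
    "server", "port", "proto", "dev", "topology", "ifconfig-pool-persist",
    "ccd-exclusive", "client-config-dir", "keepalive", "cipher", "auth",
    "user", "group", "persist-key", "persist-tun", "status", "verb",
    "ca", "cert", "key", "dh", "crl-verify", "tls-auth", "tls-server",
    "remote-cert-tls", "tls-version-min", "client-to-client",
    "duplicate-cn", "log-append", "max-clients",
}


class ServerConfigError(ValueError):
    """Raised when the requested options cannot produce a valid server config."""


def validate_server_options(options):
    """Reject option names outside the allowed list and enforce the OpenVPN
    rule that ccd-exclusive only makes sense together with client-config-dir.
    Returns True when the option set is acceptable."""
    unknown = sorted(name for name in options if name not in ALLOWED_SERVER_OPTIONS)
    if unknown:
        raise ServerConfigError("option(s) not allowed: " + ", ".join(unknown))
    if "ccd-exclusive" in options and "client-config-dir" not in options:
        raise ServerConfigError("ccd-exclusive requires client-config-dir")
    return True


def render_server_config(vpn_lan, cert_name, extra=None):
    """Build the server config text.

    vpn_lan   -- CIDR of the network the server hands addresses from
                 (the LAN-VPN-<cert_name> object in FWCloud-UI terms)
    cert_name -- name of the server certificate
    extra     -- additional options as {name: value-or-None}
    """
    net = ipaddress.ip_network(vpn_lan, strict=True)   # rejects host bits set
    options = {
        "server": f"{net.network_address} {net.netmask}",
        "port": "1194",
        "proto": "udp",
        "dev": "tun",
        "client-config-dir": f"/etc/openvpn/ccd-{cert_name}",    # assumed path
        "ccd-exclusive": None,                                   # default in FWCloud-UI
        "keepalive": "10 120",
        "persist-key": None,
        "persist-tun": None,
        "status": f"/var/log/openvpn/{cert_name}-status.log",   # assumed path
        "verb": "3",
    }
    options.update(extra or {})
    validate_server_options(options)
    lines = [f"# server configuration for LAN-VPN-{cert_name}"]
    for name, value in options.items():
        lines.append(name if value is None else f"{name} {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_server_config("10.8.0.0/24", "vpnsrv", {"cipher": "AES-256-GCM"}))
```

Options whose value is None are rendered as bare flags (ccd-exclusive, persist-key), which is how OpenVPN expects them; a misspelled name such as "chiper" is rejected before anything is written, which is the same protection the fixed list in the form gives you.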
# Install Server Configuration
Once the VPN Server configuration is created, it needs to be installed in the firewall. Right click over the server certificate and select
A pop-up window will ask for the credentials to access the firewall using the SSH protocol.
FWCloud-UI needs SSH access to the firewall. The user provided must also be able to run "sudo" commands; otherwise the following error will occur:
If no problems occur, the VPN Server configuration will be installed on the target firewall.
# Client Configuration
To use the client certificate, drag and drop it over the name of the VPN server. Note that the VPN server background turns green when you hover the certificate over it.
If the VPN server already has another certificate with the same name, you will receive a warning and the certificate will not be moved to the server. Certificate names must be unique within the scope of a VPN server.
If this is the first certificate you drop, a new form opens automatically where you can configure the OpenVPN options for the client.
The most important option you have to fill in on this form is remote. It refers to the IP address the VPN clients connect to in order to establish the VPN tunnel. This is normally the public IP address you use to reach the firewall. You can write it in the Value field or use the magnifier icon in the Remote section.
When you click that icon, a menu displays the IP addresses configured in FWCloud-UI as a tree. Select the appropriate one and click the icon. Then modify the port if the VPN server is not listening on the default one, and finally click on the + icon next to the port number.
More than one remote option can be added; they are tried in sequence, each one used when the previous ones fail to connect.
In the VPN client configuration form you can also add, delete or modify other options such as: remote, client, dev, proto, resolv-retry, nobind, user, group, persist-key, persist-tun, cipher, auth, auth-nocache, tls-client, verb, float and remote-cert-tls.
If routes need to be pushed to the client or added on the server, this can be done using the CCD options at the bottom left of this form.
The options available here are: push, push-reset, iroute, iroute-ipv6, ifconfig-push, ifconfig-ipv6-push, disable, config, max-routes-per-client and comp-lzo.
Since the most used options in this section are push and iroute, there are two buttons that simplify the work.
If you press the New route button you get a part of the FWCloud-UI object tree where you can select the IP or network addresses configured in FWCloud-UI. The push option is then added with the selected address and the proper network mask. The same applies to the New iroute button. Note that the syntax of these two options is different.
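To make the syntax difference concrete, here is an added Python example (not FWCloud's code) that renders the CCD file for one client from CIDR input: push "route ..." lines are quoted because they are options handed to the client, iroute lines are bare because they are server-side directives, and both need the dotted netmask form rather than a prefix length. It assumes topology subnet for the ifconfig-push line; the addresses are constructed sample values.

```python
import ipaddress


def net_and_mask(cidr):
    """'10.20.0.0/24' -> ('10.20.0.0', '255.255.255.0'); OpenVPN wants dotted masks.
    strict=True refuses a host address such as 10.20.0.5/24, which would be a typo."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.netmask)


def ccd_file_for(client_ip, tunnel_cidr, push_routes=(), iroutes=()):
    """Render the client-config-dir file for one client.

    client_ip   -- fixed tunnel address for this client (assumes topology subnet)
    tunnel_cidr -- the VPN network the server hands addresses from
    push_routes -- networks behind the server the client must route into the tunnel
    iroutes     -- networks behind the client the server must route to this client
    """
    tun = ipaddress.ip_network(tunnel_cidr, strict=True)
    addr = ipaddress.ip_address(client_ip)
    if addr not in tun:
        raise ValueError(f"{client_ip} is not inside the VPN network {tunnel_cidr}")

    # ifconfig-push <address> <netmask> in subnet topology
    lines = [f"ifconfig-push {addr} {tun.netmask}"]

    for cidr in push_routes:
        net, mask = net_and_mask(cidr)
        # quoted: the whole 'route ...' string is an option pushed to the client
        lines.append(f'push "route {net} {mask}"')

    for cidr in iroutes:
        net, mask = net_and_mask(cidr)
        if ipaddress.ip_network(cidr).overlaps(tun):
            raise ValueError(f"iroute {cidr} overlaps the VPN network {tunnel_cidr}")
        # unquoted: iroute is read by the server itself, not sent to the client
        lines.append(f"iroute {net} {mask}")

    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(ccd_file_for("10.8.0.10", "10.8.0.0/24",
                       push_routes=["192.168.10.0/24"],
                       iroutes=["172.16.5.0/24"]))
```

Keep in mind that an iroute only tells OpenVPN which client owns a network; the server's own configuration still needs a matching route entry so that the kernel sends that traffic into the tunnel interface.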
When you have the VPN client configuration ready, press the Save changes button at the bottom right of the form. The new client certificate appears on the FIREWALLS/CLUSTER side with an icon by its name. This indicates that the certificate is not yet installed in the firewall.
When you drop the client certificate on a VPN server that already has other client certificates, you will be asked whether you want to clone the configuration from another client VPN configuration.
In this form you can choose from the drop-down field which client configuration you want to copy the options from. When you are configuring multiple clients this saves a lot of time and avoids mistakes. After that the client configuration form opens.
# Install Client Configuration
Once the VPN Client configuration is created, it needs to be installed in the firewall. Right click on the client configuration name and select
A pop-up window will ask for the credentials to access the firewall.
When the certificate is installed in the firewall, the icon by its name is cleared.
Prefixes can also be created in the FIREWALL/CLUSTER section.
Do not confuse with PKI prefixes
PKI prefixes are for organizational purposes only, while OpenVPN server prefixes can be used in the security policy.
In the next figure you can see that the PKI prefixes on the left side are represented by their own icon, while the prefixes created in the OpenVPN server have a different icon.
You can use the Prefix when creating policy rules. Instead of adding the IP addresses of every VPN connection of every client whose certificate name starts with a common part (the prefix), you can add that Prefix to the rule. The prefix can be dragged and dropped into the rule fields. FWCloud-UI displays the prefixes in the Policy section when you expand the OpenVPN branch inside the firewalls in the Firewalls group.
Only OpenVPN server prefixes are displayed here.
Here is an example with two rules using prefixes:
In this case, since we have two VPN client configurations with the prefix ENGINEERS, rule number 10 refers to any connection established from these two VPN clients.
The use of prefixes makes the security policy clearer and easier to read. Also, when you create new VPN client configurations with the same prefix you do not need to modify or create rules, although the policy needs to be compiled and installed again, because when it was installed in the firewall it did not yet include the new client configurations.
# Server Config File
Although the VPN server configuration can be installed on the firewall from FWCloud-UI, you can also access the file that stores this configuration: just right-click and select
A new form is opened where you can download or copy the content of the file to the clipboard.
# Clients Config File
The configuration file of a VPN client can also be obtained by right-clicking on the client configuration name and selecting
A new form is opened where you can download or copy the content of the file to the clipboard.
If you copy it to the clipboard, a pop-up message in the top right corner will indicate when the copy has finished.
This file is needed if you want to set up the VPN connection on the client device. The configuration file is ready to be used with most VPN client programs, such as Tunnelblick on OS X based systems or OpenVPN-GUI on Windows based systems.
For Windows based systems you can use the FWCloud-UI Windows installer feature, which provides an installer that bundles the VPN client program and the configuration file.
# Edit Configurations
To edit the VPN server configuration, right-click on the VPN server name and select
The configuration form for the server opens and you can make any modifications to it.
The VPN configuration of a client can also be edited by right-clicking on the client configuration name and selecting
The configuration form for the client opens.
# Synchronize CCD files
You can reinstall all client VPN configurations onto the VPN server.
This option is useful if you have several client configurations pending installation.
# Block / Unblock Client Configurations
When a VPN connection is not going to be used for a period of time it can be blocked, so that the connection cannot be established.
The process installs the CCD on the server to start blocking the connection. If the firewall password is not stored, it will be requested.
A message informs you that the connection has been successfully blocked:
Blocked VPN connections are displayed in gray text and their icons change to reflect that.
Any blocked VPN connection can be unblocked from the context menu:
Again the modified client configuration will be installed in the firewall, and a message will inform you that it has been unblocked:
# Uninstall Configurations
The VPN server configuration can be uninstalled from the firewall. All client configurations of the VPN server must be uninstalled first.
FWCloud will check whether there are client configurations for the server configuration. In that case it will not proceed and will show an error message.
To uninstall a client configuration, right-click the name and select
FWCloud-UI will ask for the credentials to access the firewall.
If the ccd-exclusive option is configured in the OpenVPN server, when a VPN client configuration is uninstalled that client will no longer be able to connect to the VPN server. This option is configured by default when an OpenVPN server is configured in FWCloud-UI.
This is a very fast and easy way to block a VPN user.
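The prefix expansion described in the policy section and the block/uninstall behaviour described here both come down to what is in the server's client-config-dir. The following Python example is added to illustrate both; it is not FWCloud's or OpenVPN's code. CCD_DIR is a constructed, in-memory stand-in for the directory (OpenVPN names each file after the certificate common name), may_connect models the server's decision under ccd-exclusive and the disable directive, and prefix_addresses/iptables_rules show how a prefix such as ENGINEERS expands to the tunnel addresses a rule like rule 10 would match. Which clients a prefix should include when blocked is the example's own choice (only_active).

```python
# Constructed sample: contents of client-config-dir keyed by certificate CN.
CCD_DIR = {
    "ENGINEERS-alice-1": 'ifconfig-push 10.8.0.11 255.255.255.0\npush "route 192.168.10.0 255.255.255.0"\n',
    "ENGINEERS-bob-1": "ifconfig-push 10.8.0.12 255.255.255.0\n",
    "SALES-carol-1": "ifconfig-push 10.8.0.21 255.255.255.0\ndisable\n",   # blocked client
}


def parse_ccd(text):
    """Return (tunnel_ip or None, disabled) from the text of one CCD file."""
    ip, disabled = None, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "ifconfig-push" and len(parts) >= 2:
            ip = parts[1]
        elif parts[0] == "disable":
            disabled = True
    return ip, disabled


def may_connect(cn, ccd_dir, ccd_exclusive=True):
    """Decide as the server would for a client presenting a certificate with CN cn.

    - ccd-exclusive: a CN without a CCD file is refused (this is why uninstalling
      a client configuration locks that client out).
    - a CCD file containing 'disable' is refused in any mode (this is what
      blocking a client installs).
    """
    text = ccd_dir.get(cn)
    if text is None:
        return not ccd_exclusive
    _, disabled = parse_ccd(text)
    return not disabled


def prefix_addresses(prefix, ccd_dir, only_active=True):
    """Expand a prefix to the tunnel IPs of every client whose CN starts with it.
    only_active drops blocked clients, which cannot connect anyway."""
    addrs = []
    for cn in sorted(ccd_dir):
        if not cn.startswith(prefix):
            continue
        ip, disabled = parse_ccd(ccd_dir[cn])
        if ip is None or (only_active and disabled):
            continue
        addrs.append(ip)
    return addrs


def iptables_rules(prefix, ccd_dir, dest_cidr, rule_no):
    """One ACCEPT rule per client address behind the prefix; adding a client with
    the same prefix later changes this output without touching the policy."""
    return [
        f"iptables -A FORWARD -s {ip} -d {dest_cidr} -j ACCEPT  # rule {rule_no} ({prefix})"
        for ip in prefix_addresses(prefix, ccd_dir)
    ]


if __name__ == "__main__":
    for rule in iptables_rules("ENGINEERS", CCD_DIR, "192.168.10.0/24", 10):
        print(rule)
    print("carol may connect:", may_connect("SALES-carol-1", CCD_DIR))
    print("dave (no CCD) may connect:", may_connect("ENGINEERS-dave-1", CCD_DIR))
```

Because the expansion is computed from the CCD contents at compile time, a client added after the policy was installed is only covered once the policy is compiled and installed again, which is the caveat given in the prefix section.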
# Delete Configurations
If a VPN configuration is no longer needed it can be removed. This is done from the context menu of the configuration name: right-click and select
A server configuration can only be deleted if there are no client configurations. FWCloud will detect whether client configurations exist.
To delete a client configuration select Delete configuration from the client context menu.
Again, FWCloud will first check whether there is any conflict that prevents the deletion and will warn you if that is the case.
You can uninstall the configuration first and remove it later, or do both at the same time by ticking the Uninstall configuration first box.
# Windows Installer
Directly from the VPN client configuration you can obtain a wizard that guides you through installing a VPN client on Windows systems. Select
FWCloud-UI generates a Windows executable for the selected client. By default it is named after the client connection name, but you can modify this name; then press the Generate file button to continue.
A new form indicates that the generation is in progress.
Once the program is ready it will be downloaded automatically by your browser.
Save this program and copy it to the Windows computer where you want to install the VPN client connection. No Internet access is required for the installation. Just run the generated installer and click Next; it guides you screen by screen. The program installs or upgrades OpenVPN-GUI and creates a new VPN connection to the VPN server for the client it was generated for. It will ask whether you want to run it after the installation finishes.