How to configure VPN connections on RX300 thin clients and LEAF OS devices?


Please refer to RX-series thin clients and LEAF OS user configuration guide for additional details:  https://support.ncomputing.com/portal/kb/articles/rx300-rx-rdp-user-configuration-guide


Both the RX300 thin client (firmware version 3.8.1 or higher) and LEAF OS (firmware version 2.1.2 or higher) come with integrated VPN support to enable secure remote access to vSpace Pro Enterprise Edition software over a WAN (e.g. in work-from-home scenarios).




A VPN allows individuals to establish secure connections with a remote computer network. They can access the protected resources on that network as if they were connected directly to the network’s servers. Customers who deploy vSpace Pro software can access their user sessions remotely via NComputing thin clients that support VPN.

The VPN setup process typically involves the following steps:
  1. Set up and initialize the VPN server, including the VPN server IP address, a DHCP pool to be used by connecting clients, and the desired encryption type.
  2. Create user accounts. Enter a username, create a password for the user, and select whether the user will have access to the local network or just to the router.
  3. Configure the thin clients to connect. Typically, all that is required is the VPN server address, username, and password.
This KB focuses on the 3rd step (configuring the thin client for the VPN connection). To learn more about the 1st and 2nd steps (setting up the VPN server), please refer to our VPN deployment guide here.

Configuring VPN Connection - Extracted from section 4.11.6 of the RX-series and LEAF OS Guide:

4.1.6.      Configuring VPN connections

The RX300, RX-RDP, RX420(RDP) and LEAF OS devices support OpenVPN, OpenConnect (which allows connections to Cisco AnyConnect VPN) and Point-to-Point Tunneling Protocol (PPTP) VPN connections. To enable a VPN connection the Enable VPN connection checkbox must be selected. The desired VPN type must be selected in the combo-box. All VPN types can be configured in a way allowing the device to automatically establish the VPN connection (with the VPN credentials stored in device configuration) after booting up and connecting to Ethernet or Wi-Fi network. The devices can also be configured to establish the VPN connections with credentials provided by the user on the VPN logon screen. The OpenVPN connections can additionally be configured in a way allowing the user to provide the configuration file on a USB memory stick.

Configuring OpenVPN connection with configuration file provided by the user

The OpenVPN connection can be configured to let the user provide the configuration file (an .ovpn file) on a USB memory stick. The provided configuration file must be located in the root directory of a FAT-, NTFS-, ext3- or ext4-formatted USB stick. If the configuration (.ovpn) file refers to any other files, like client certificates, Certification Authority certificates, or private keys, then all those files must be copied to the root directory of the USB memory stick too. All files must be available as separate files. Compressed archives (ZIP, RAR, 7z, etc.), containing all files, are not supported.
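The rules above (the .ovpn in the root directory, every referenced certificate or key present as a separate file next to it, no archives) are easy to get wrong when preparing a USB stick. The following script is an added example, not NComputing code, that checks a directory against those rules before the stick is handed to a user. The sample profile, server name and file contents it builds are constructed placeholders.

```python
"""Check a USB stick's root directory for a complete, user-provided OpenVPN profile.

Added example; not NComputing code. It applies the rules from the text:
an .ovpn in the root directory, every file the profile references
(CA certificate, client certificate, private key, ...) present there as a
separate file, and no compressed archives standing in for those files.
"""
import os
import shlex
import tempfile

# OpenVPN directives whose first argument names a file on disk.
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt",
                   "dh", "crl-verify", "auth-user-pass", "askpass"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".gz", ".tgz")

# Constructed sample profile for the demo; server name and files are placeholders.
SAMPLE_OVPN = """\
# constructed sample profile (placeholder server, not a real deployment)
client
dev tun
proto udp
remote vpn.example.test 1194
auth SHA256
cipher AES-256-CBC
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
auth-user-pass
"""


def referenced_files(ovpn_text):
    """Return the file names a profile refers to, in order of appearance.

    Inline blocks such as <ca>...</ca> embed the material in the profile, so
    they need no separate file; 'auth-user-pass' without an argument prompts
    for credentials instead of reading a file.
    """
    refs = []
    inline_tag = None
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if inline_tag is not None:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            continue
        parts = shlex.split(line)
        if parts and parts[0] in FILE_DIRECTIVES and len(parts) > 1:
            refs.append(parts[1])
    return refs


def check_usb_root(root):
    """Return a list of problems found in the directory; an empty list means OK."""
    problems = []
    entries = sorted(os.listdir(root))
    for name in entries:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            problems.append(f"{name}: archives are not supported, copy the files individually")
    profiles = [name for name in entries if name.lower().endswith(".ovpn")]
    if not profiles:
        problems.append("no .ovpn file found in the root directory")
        return problems
    for profile in profiles:
        with open(os.path.join(root, profile), encoding="utf-8") as fh:
            refs = referenced_files(fh.read())
        for ref in refs:
            if os.path.basename(ref) != ref:
                problems.append(f"{profile}: references {ref} with a path; it must sit in the root directory")
            elif ref not in entries:
                problems.append(f"{profile}: references {ref}, which is missing from the USB root")
    return problems


def demo():
    """Build two constructed USB roots in temporary directories and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        files = {"client.ovpn": SAMPLE_OVPN, "ca.crt": "placeholder", "client.crt": "placeholder",
                 "client.key": "placeholder", "ta.key": "placeholder"}
        for name, body in files.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        results["complete"] = check_usb_root(root)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "client.ovpn"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_OVPN)
        open(os.path.join(root, "certs.zip"), "wb").close()   # archive instead of loose files
        results["incomplete"] = check_usb_root(root)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```

Run it against the mounted stick with `check_usb_root("/path/to/usb")`; the second constructed case shows the typical failure, a ZIP of the certificates instead of the loose files, which the device will not unpack.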

OpenVPN connections using user-provided configuration files can use the following authentication methods:

·         username and password,

·         client certificate password,

·         private key password,

·         and combinations of them.

The following settings must be configured to enable OpenVPN and allow the user to provide the OpenVPN configuration file:

  1. Enable VPN Connection - this checkbox must be selected.
  2. VPN type - OpenVPN must be selected.
  3. Let user provide the .ovpn and certificate files - this checkbox must be selected.


For OpenVPN connections where the user provides the configuration file, the following optional settings can be configured:

·         Cache the .ovpn and certificate files – when selected, the device will copy the user-provided .ovpn file and, if necessary, its associated certificate and/or key files from the USB memory stick to internal storage. This allows the VPN connection to be re-established without providing the memory stick with the files again.

·         Cache the client certificate password and/or user credentials – when selected, the device will store the credentials provided by the user on the VPN logon screen and will automatically establish the VPN connection after reboot, without asking the user for any credentials. This option can only be used when the Cache the .ovpn and certificate files option is selected too.

Note: Enabling the above options opens the VPN connection to anybody who has physical access to the device; keeping them disabled increases the security of the VPN connection.

Configuring OpenVPN connection with all settings stored on the device

Preconfigured OpenVPN connections support VPN authentication with:

·         username and password,

·         client (PKCS #12) certificate (with password),

·         username, user password and client (PKCS #12) certificate with password.

The following settings can be used to preconfigure an OpenVPN connection:

·         Enable VPN Connection – this checkbox must be selected.

·         VPN type – OpenVPN must be selected.

·         Let user provide the .ovpn and certificate files – this checkbox must not be selected.

·         VPN server address – the fully qualified domain name or IP address of the OpenVPN server.

·         Credentials type – selection of authentication method. Depending on this selection the appropriate input fields will appear on the VPN logon screen. Possible selections:

o   Username and password

o   Client certificate

o   Username, password and client certificate


·         Let user provide VPN username and password – when selected, the device will display a VPN logon screen with username and password fields. When not selected, the username and password from device configuration will be used for VPN authentication.

·         Let user provide VPN client certificate password – when selected, the device will display a VPN logon screen with prompt for client certificate password. When not selected, the client certificate password from device configuration will be used.

·         Re-use VPN credentials for terminal sessions – when selected, the device will automatically attempt to authenticate the user (and possibly establish a terminal session) in the remote desktop environment, depending on the selected device operation mode. When this option is enabled, the VPN logon screen will additionally contain the Domain field. The username and password (without Domain) provided on the VPN logon screen will be used for VPN authentication. After successfully establishing the VPN connection, the device will re-use the provided username and password, combined with the specified or preconfigured Domain name, to authenticate the user in the remote desktop environment and possibly start a terminal session for the user, if some kind of terminal session auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is only meaningful when the Let user provide VPN username and password checkbox is selected.

·         User name – the name of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         User password – the password of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         CA certificate – selection of an uploaded Certification Authority certificate used for verification of the certificate of the VPN server and/or of the client certificate.

·         Client certificate – selection of an uploaded Client (PKCS #12) certificate used during VPN authentication.

·         Client certificate password – password for the private key contained in the selected Client certificate.

The following advanced OpenVPN settings can be configured after clicking the [Advanced Options] button:

·         Protocol – selection of the protocol to be used for the communication with the OpenVPN server. TCP or UDP.

·         Port – number of the UDP or TCP port used for the communication with the OpenVPN server. Default value: 1194.

·         Authentication – selection of the authentication algorithm. Possible selections: SHA1, SHA128, SHA256, SHA512, MD5, NONE.

·         Cipher – selection of the cipher to be used for encryption of the OpenVPN communication. Possible selections: BF-CBC, AES-128-CBC, AES-256-CBC, NONE.

·         Custom parameters – additional command line parameters, which will be passed to the OpenVPN client. If multiple parameters need to be passed, then they must be separated with the semicolon (;) character (without any whitespaces besides the semicolon). Please refer to OpenVPN documentation for the list of available command line parameters: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-3/

Configuring OpenConnect VPN connection

The OpenConnect VPN connection can be configured to allow RX300, RX-RDP, RX420(RDP) or LEAF OS users to connect to Cisco AnyConnect (or compatible) VPN servers.

OpenConnect connections support VPN authentication with:

·         username and password,

·         client (PKCS #12) certificate with password,

·         username, password and client (PKCS #12) certificate with password.

Note: The Authentication group, supplementing the username- and password-based authentication (required by some Cisco AnyConnect VPN servers), can be specified under Advanced Options, when necessary.

The following settings can be used to configure an OpenConnect VPN connection:

·         Enable VPN Connection – this checkbox must be selected.

·         VPN type – OpenConnect must be selected.

·         VPN server address – the fully qualified domain name or IP address of the VPN server supported by the OpenConnect VPN client (e.g. Cisco AnyConnect VPN).

·         Credentials type – selection of authentication method. Depending on this selection the appropriate input fields will appear on the VPN logon screen. Possible selections:

o   Username and password

o   Client certificate

o   Username, password and client certificate


·         Let user provide VPN username and password – when selected, the device will display a VPN logon screen with username and password fields. When not selected, the username and password from device configuration will be used for VPN authentication.

·         Let user provide VPN client certificate password – when selected, the device will display a VPN logon screen with prompt for client certificate password. When not selected, the client certificate password from device configuration will be used.

·         Re-use VPN credentials for terminal sessions – when selected, the device will automatically attempt to authenticate the user (and possibly establish a terminal session) in the remote desktop environment, depending on the selected device operation mode. When this option is enabled, the VPN logon screen will additionally contain the Domain field. The username and password (without Domain) provided on the VPN logon screen will be used for VPN authentication. After successfully establishing the VPN connection, the device will re-use the provided username and password, combined with the specified or preconfigured Domain name, to authenticate the user in the remote desktop environment and possibly start a terminal session for the user, if some kind of terminal session auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is only meaningful when the Let user provide VPN username and password checkbox is selected.

·         User name – the name of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         User password – the password of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         CA certificate – selection of an uploaded Certification Authority certificate used for verification of the certificate of the VPN server and/or of the client certificate.

·         Client certificate – selection of an uploaded Client (PKCS #12) certificate used during VPN authentication.

·         Client certificate password – password for the private key contained in the selected Client certificate.

The following advanced OpenConnect settings can be configured after clicking the [Advanced Options] button:

·         Server fingerprint – fingerprint of the VPN server certificate. This optional parameter allows connections to VPN servers presenting an untrusted SSL certificate. The fingerprint needs to be specified as a string consisting of hexadecimal numbers, without any separators like colon (:) or dash (-). E.g.: 67D961FB719FFC8425635431F9A547BA62D4851D.

·         Authentication group – the name of the authentication group required by some Cisco AnyConnect VPN servers.

·         Custom parameters – additional command line parameters, which will be passed to the OpenConnect VPN client. If multiple parameters need to be passed, then they must be separated with the semicolon (;) character (without any whitespaces besides the semicolon). Please refer to OpenConnect VPN client documentation for the list of available command line parameters: https://www.infradead.org/openconnect/manual.html.
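Two of the Advanced Options fields above have an exact input format: the Server fingerprint must be plain hexadecimal with no colons or dashes, and Custom parameters must be joined with semicolons and no whitespace. The following helpers are an added example, not NComputing code. `to_device_format()` converts a fingerprint as printed by `openssl x509 -noout -fingerprint -sha1` (colon-separated) into the device's form, using the fingerprint value quoted in the text; `join_custom_parameters()` builds the Custom parameters string, and the same joining rule applies to the OpenVPN and PPTP Custom parameters fields. The option names used in the demo are placeholders, not real OpenConnect flags.

```python
"""Helpers for the OpenConnect Advanced Options fields.

Added example; not NComputing code. Fingerprint normalisation matches what
the text says about the Server fingerprint field; the parameter joiner
matches the semicolon-without-whitespace rule for Custom parameters.
"""
import hashlib
import hmac
import re

# Digest lengths in hex characters the helper accepts (SHA-1 and SHA-256).
FINGERPRINT_LENGTHS = {40: "SHA-1", 64: "SHA-256"}


def to_device_format(fingerprint):
    """Normalise a certificate fingerprint to upper-case hex without separators."""
    value = fingerprint.split("=", 1)[-1]            # drop an 'SHA1 Fingerprint=' prefix
    value = re.sub(r"[\s:\-]", "", value).upper()   # strip whitespace, colons, dashes
    if not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError("fingerprint contains non-hexadecimal characters")
    if len(value) not in FINGERPRINT_LENGTHS:
        raise ValueError(f"unexpected fingerprint length of {len(value)} hex digits")
    return value


def fingerprint_of_der(cert_der, algorithm="sha1"):
    """Fingerprint of a DER-encoded certificate, already in device format."""
    return hashlib.new(algorithm, cert_der).hexdigest().upper()


def fingerprint_matches(expected, presented):
    """Compare two fingerprints in constant time after normalising both."""
    return hmac.compare_digest(to_device_format(expected), to_device_format(presented))


def join_custom_parameters(params):
    """Join parameters with ';' and no whitespace, as the device requires."""
    for param in params:
        if not param or re.search(r"[\s;]", param):
            raise ValueError(f"parameter {param!r} must not be empty or contain whitespace or ';'")
    return ";".join(params)


if __name__ == "__main__":
    # The fingerprint quoted in the text, as openssl would print it.
    print(to_device_format("SHA1 Fingerprint=67:D9:61:FB:71:9F:FC:84:25:63:54:31:F9:A5:47:BA:62:D4:85:1D"))
    # Placeholder option names; consult the OpenConnect manual for real ones.
    print(join_custom_parameters(["--placeholder-option", "--placeholder-key=value"]))
```

Pinning a fingerprint tells the device to accept that one certificate instead of validating the server's chain against a trusted CA, so the value should be taken from the server's certificate through a trusted channel and updated whenever the server certificate is renewed; `fingerprint_matches()` shows how to compare a recorded value against a freshly computed one without leaking timing.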

Configuring PPTP VPN connection

The RX-series and LEAF OS devices allow VPN connections based on the legacy but still used Point-to-Point Tunneling Protocol (PPTP). PPTP VPN connections can be used with username- and password-based authentication only.

The following settings can be used to configure a PPTP VPN connection:

·         Enable VPN Connection – this checkbox must be selected.

·         VPN type – PPTP must be selected.

·         VPN server address – the fully qualified domain name or IP address of the PPTP VPN server.

·         Let user provide VPN username and password – when selected, the device will display a VPN logon screen with username and password fields. When not selected, the username and password from device configuration will be used for VPN authentication.



·         Re-use VPN credentials for terminal sessions – when selected, the device will automatically attempt to authenticate the user (and possibly establish a terminal session) in the remote desktop environment, depending on the selected device operation mode. When this option is enabled, the VPN logon screen will additionally contain the Domain field. The username and password (without Domain) provided on the VPN logon screen will be used for VPN authentication. After successfully establishing the VPN connection, the device will re-use the provided username and password, combined with the specified or preconfigured Domain name, to authenticate the user in the remote desktop environment and possibly start a terminal session for the user, if some kind of terminal session auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is only meaningful when the Let user provide VPN username and password checkbox is selected.

·         User name – the name of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         User password – the password of the VPN user. This setting is only meaningful when the Let user provide VPN username and password checkbox is not selected.

·         Custom parameters – additional command line parameters, which will be passed to the PPTP VPN client. If multiple parameters need to be passed, then they must be separated with the semicolon (;) character (without any whitespaces besides the semicolon). Please refer to PPTP VPN client documentation for the list of available command line parameters: https://manpages.debian.org/stretch/pptp-linux/pptp.8.en.html