How to configure VPN connections on RX300 thin clients and LEAF OS devices?
- Setup and initialize the VPN Server, including the VPN Server IP address, creating a DHCP pool to be used by connecting clients, and choosing the desired encryption type.
- Create user accounts. Input a username, create a password for the user, and select if the user will have access to the local network or just to the router.
- Configure thin clients to connect. Typically, all that is required is the VPN server address, username, and password.
4.1.6.
Configuring
VPN connections
The RX300, RX-RDP,
RX420(RDP) and LEAF OS devices support OpenVPN, OpenConnect (which allows
connections to Cisco AnyConnect VPN) and Point-to-Point Tunneling Protocol (PPTP)
VPN connections. To enable a VPN connection the Enable VPN connection
checkbox must be selected. The desired VPN type must be selected in the
combo-box. All VPN types can be configured in a way allowing the device to
automatically establish the VPN connection (with the VPN credentials stored in
device configuration) after booting up and connecting to Ethernet or Wi-Fi
network. The devices can also be configured to establish the VPN connections
with credentials provided by the user on the VPN logon screen. The OpenVPN
connections can additionally be configured in a way allowing the user to provide
the configuration file on a USB memory stick.
Configuring OpenVPN connection with
configuration file provided by the user
The OpenVPN connection
can be configured to let the user provide the configuration file (an .ovpn
file) on a USB memory stick. The provided configuration file must be located in
the root directory of a FAT-, NTFS-, ext3- or ext4-formatted USB stick. If
the configuration (.ovpn) file refers to any other files, like client
certificates, Certification Authority certificates, or private keys, then all
those files must be copied to the root directory of the USB memory stick too.
All files must be available as separate files. Compressed archives (ZIP, RAR,
7z, etc.), containing all files, are not supported.
OpenVPN connections using the user-provided configuration files can use
following authentication methods:
·
username
and password,
·
client
certificate password,
·
private
key password,
·
and
combinations of them.
Following settings must be configured to enable OpenVPN and allow the user to provide the OpenVPN configuration file:
- Enable VPN Connection - this checkbox must be selected.
- VPN type - OpenVPN must be selected
- Let user provide the .ovpn the certificate files - this checkbox must be selected.
For OpenVPN connections, for which the users
will provide the configuration files, the following optional settings can be
configured:
·
Cache the .ovpn
and certificate files – when selected, the device will copy from the USB
memory stick to internal storage the user-provided .ovpn file and its
associated certificate and/or key files, if necessary. This will allow reestablishing
the VPN connection without the necessity to provide the memory stick with the
files again.
·
Cache the client certificate password and/or user
credentials – when selected, the device will store the credentials provided by the
user on the VPN logon screen and will automatically establish the VPN connection
after reboot, without asking the user for any credentials. This option can only
be used when the Cache the .ovpn and certificate files option is
selected too.
Note: Enabling the above options opens the VPN connection to anybody who will
have physical access to the device, thus keeping them disabled increases the
security of the VPN connection.
Configuring OpenVPN connection with all settings
stored on the device
Preconfigured OpenVPN connections support VPN authentication with:
·
username
and password,
·
client (PKCS
#12) certificate (with password),
·
username, user
password and client (PKCS #12) certificate with password.
Following settings can be used to preconfigure an OpenVPN connection:
·
Enable
VPN Connection – this checkbox must be selected.
·
VPN type – OpenVPN must be selected.
·
Let user provide the .ovpn and certificate files – this checkbox must not
be selected.
·
VPN server address – the fully qualified domain name or IP address
of the OpenVPN server.
·
Credentials type – selection of authentication method. Depending
on this selection the appropriate input fields will appear on the VPN logon
screen. Possible selections:
o
Username and password
o
Client certificate
o Username, password and client certificate
·
Let user provide VPN username and password – when selected, the
device will display a VPN logon screen with username and password fields. When
not selected, the username and password from device configuration will be used
for VPN authentication.
·
Let user provide VPN client certificate password – when selected, the
device will display a VPN logon screen with prompt for client certificate
password. When not selected, the client certificate password from device
configuration will be used.
·
Re-use VPN credentials for terminal sessions – when selected, the
device will automatically attempt to authenticate the user (and possibly
establish a terminal session) in the remote desktop environment depending on
the selection of device
operation mode. The VPN logon screen will additionally contain the Domain
field when this option will be enabled. The username and password (without
Domain) provided on the VPN logon screen will be used for VPN authentication.
After successfully establishing the VPN connection the device will re-use the
provided username and password combined with the specified of preconfigured Domain
name to authenticate the user in the remote desktop environment and possibly
start a terminal session for the user, if some kind of terminal session
auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is
only meaningful when the Let user provide VPN username and password
checkbox is selected.
·
User name – the name of the VPN user. This setting is only
meaningful when the Let user provide VPN username and password checkbox
is not selected.
·
User password – the password of the VPN user. This setting is
only meaningful when the Let user provide VPN username and password
checkbox is not selected.
·
CA certificate – selection of an uploaded Certification Authority certificate used for verification
of the certificate of the VPN server and/or of the client certificate.
·
Client certificate – selection of an uploaded Client (PKCS #12) certificate used during VPN
authentication.
·
Client certificate password – password for the
private key contained in the selected Client certificate.
Following advanced OpenVPN settings can be
configured after clicking the [Advanced Options] button:
·
Protocol – selection of the protocol to be used for the
communication with the OpenVPN server. TCP or UDP.
·
Port – number of the UDP or TCP port used for the
communication with the OpenVPN server. Default value: 1194.
·
Authentication – selection of the authentication algorithm.
Possible selections: SHA1, SHA128, SHA256, SHA512, MD5, NONE.
·
Cipher – selection of the cipher to be used for encryption of
the OpenVPN communication. Possible selections: BF-CBC, AES-128-CBC,
AES-256-CBC, NONE.
·
Custom parameters – additional command line parameters, which will
be passed to the OpenVPN client. If multiple parameters need to be passed, then
they must be separated with the semicolon (;) character (without any whitespaces
besides the semicolon). Please refer to OpenVPN documentation for the list of
available command line parameters: https://openvpn.net/community-resources/reference-manual-for-openvpn-2-3/
Configuring OpenConnect VPN connection
The OpenConnect VPN connection can be configured to allow RX300, RX-RDP,
RX420(RDP) or LEAF OS users to connect to Cisco AnyConnect (or compatible) VPN
servers.
OpenConnect
connections support VPN authentication with:
·
username
and password,
·
client (PKCS
#12) certificate with password,
·
username,
password and client (PKCS #12) certificate with password.
Note: The Authentication group, supplementing
the username- and password-based authentication (required by some Cisco
AnyConnect VPN servers), can be specified under Advanced Options, when
necessary.
Following settings can be used to configure an OpenConnect VPN connection:
·
Enable
VPN Connection – this checkbox must be selected.
·
VPN type – OpenConnect must be selected.
·
VPN server address – the fully qualified domain name or IP address
of the VPN server supported by the OpenConnect VPN client (e.g. Cisco
AnyConnect VPN).
·
Credentials type – selection of authentication method. Depending
on this selection the appropriate input fields will appear on the VPN logon
screen. Possible selections:
o
Username and password
o
Client certificate
o Username, password and client certificate
·
Let user provide VPN username and password – when selected, the
device will display a VPN logon screen with username and password fields. When
not selected, the username and password from device configuration will be used
for VPN authentication.
·
Let user provide VPN client certificate password – when selected, the
device will display a VPN logon screen with prompt for client certificate
password. When not selected, the client certificate password from device
configuration will be used.
·
Re-use VPN credentials for terminal sessions – when selected, the
device will automatically attempt to authenticate the user (and possibly
establish a terminal session) in the remote desktop environment depending on
the selection of device
operation mode. The VPN logon screen will additionally contain the Domain
field when this option will be enabled. The username and password (without
Domain) provided on the VPN logon screen will be used for VPN authentication.
After successfully establishing the VPN connection the device will re-use the
provided username and password combined with the specified of preconfigured Domain
name to authenticate the user in the remote desktop environment and possibly
start a terminal session for the user, if some kind of terminal session
auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is
only meaningful when the Let user provide VPN username and password
checkbox is selected.
·
User name – the name of the VPN user. This setting is only
meaningful when the Let user provide VPN username and password checkbox
is not selected.
·
User password – the password of the VPN user. This setting is
only meaningful when the Let user provide VPN username and password
checkbox is not selected.
·
CA certificate – selection of an uploaded Certification Authority certificate used for verification
of the certificate of the VPN server and/or of the client certificate.
·
Client certificate – selection of an uploaded Client (PKCS #12) certificate used during VPN
authentication.
·
Client certificate password – password for the
private key contained in the selected Client certificate.
Following advanced OpenConnect settings can be
configured after clicking the [Advanced Options] button:
·
Server fingerprint – fingerprint of the VPN server certificate.
This optional parameter allows connections to VPN servers presenting an
untrusted SSL certificate. The fingerprint needs to be specified as a string
consisting of hexadecimal numbers, without any separators like colon (:) or
dash (-). E.g.: 67D961FB719FFC8425635431F9A547BA62D4851D.
·
Authentication group – the name of the
authentication group required by some Cisco AnyConnect VPN servers.
·
Custom parameters – additional command line parameters, which will
be passed to the OpenConnect VPN client. If multiple parameters need to be passed,
then they must be separated with the semicolon (;) character (without any
whitespaces besides the semicolon). Please refer to OpenConnect VPN client documentation
for the list of available command line parameters: https://www.infradead.org/openconnect/manual.html.
Configuring PPTP VPN connection
The RX-series and LEAF OS devices allow VPN connections based on the legacy
but still used Point-to-point-Tunneling Protocol (PPTP). The PPTP VPN
connections can be used with username- and password-based authentication only.
Following settings can be used to configure a PPTP VPN connection:
·
Enable
VPN Connection – this checkbox must be selected.
·
VPN type – OpenConnect must be selected.
·
VPN server address – the fully qualified domain name or IP address
of the VPN server supported by the OpenConnect VPN client (e.g. Cisco
AnyConnect VPN).
· Let user provide VPN username and password – when selected, the device will display a VPN logon screen with username and password fields. When not selected, the username and password from device configuration will be used for VPN authentication.
·
Re-use VPN credentials for terminal sessions – when selected, the
device will automatically attempt to authenticate the user (and possibly
establish a terminal session) in the remote desktop environment depending on
the selection of device
operation mode. The VPN logon screen will additionally contain the Domain
field when this option will be enabled. The username and password (without
Domain) provided on the VPN logon screen will be used for VPN authentication.
After successfully establishing the VPN connection the device will re-use the
provided username and password combined with the specified of preconfigured Domain
name to authenticate the user in the remote desktop environment and possibly
start a terminal session for the user, if some kind of terminal session
auto-start is configured.
Note: The Re-use VPN credentials for terminal sessions option is
only meaningful when the Let user provide VPN username and password
checkbox is selected.
·
User name – the name of the VPN user. This setting is only
meaningful when the Let user provide VPN username and password checkbox
is not selected.
·
User password – the password of the VPN user. This setting is
only meaningful when the Let user provide VPN username and password
checkbox is not selected.
·
Custom parameters – additional command line parameters, which will
be passed to the PPTP VPN client. If multiple parameters need to be passed,
then they must be separated with the semicolon (;) character (without any
whitespaces besides the semicolon). Please refer to PPTP VPN client documentation
for the list of available command line parameters: https://manpages.debian.org/stretch/pptp-linux/pptp.8.en.html.
Related Articles
How to configure VPN connections on RX-RDP, RX-RDP+, RX420(RDP) and RX300 thin clients?
Please refer to RX-series thin clients and LEAF OS user configuration guide for additional details: https://support.ncomputing.com/portal/kb/articles/rx300-rx-rdp-user-configuration-guide Both RX-RDP thin client (firmware version 2.11.0 and higher), ...How to configure router 'port forwarding rule' to remotely access my vSpace Pro server in the office from home, with L-series, RX300 or LEAF OS devices?
Customers who deploy vSpace Pro servers can access their user sessions remotely via the router port forwarding method. However, this approach can result in security vulnerabilities (port 27605 forwarding) and should be the last option if the customer ...How to deploy vSpace Pro for WAN access?
Considerations In the past, our networking products have mostly been mentioned as 'LAN only' devices, only, for practical purposes. However, products like the RX Series for vSpace are better equipped than their predecessors and their networking ...How to configure VPN connections on RX-HDX, RX420(HDX) or EX400 thin clients?
All three thin client families come with support for OpenVPN and OpenConnect (free Cisco VPN client). To setup OpenVPN, see below link for instructions: http://rx-hdx.ncomputing.com/kb/OpenVPN For OpenConnect, see below link for instructions: ...VPN Deployment Guide - vSpace Pro Enterprise Edition + RX300, LEAF OS and vSpace Client.
VPN Deployment Guide vSpace Pro Enterprise Edition with RX300, LEAF OS, and vSpace Client RX300 & Leaf OS are vSpace Pro end point devices, which are optimized for VPN secured WAN deployment, however, success in the deployment will ...