21.2. OpenVPN Settings
You can find the OpenVPN Settings at VPN → OpenVPN.
Authentication Mode is either Certificate, User or Shared Key:
- For the Certificate authentication mode the OpenVPN server needs a server certificate and the OpenVPN client needs a client certificate. Both have to be from the same Certificate Authority.
- Additionally you can enable the option Additional User Auth. to get two-factor authentication (Certificate + User). The same conditions apply to the additional user authentication as to the user-only authentication below.
- For the User authentication mode both sides need the same Certificate Authority and the client needs to add a Username and Password at the User Authentication setting. This user needs to exist as system user on the VT AIR where the OpenVPN server is running. The user also needs the User permission open vpn - OpenVPN User Login which can be assigned at System → User. Alternatively you can add the user to the Group OpenVPN Access. This will also give them the same user permission.
- For the Shared Key authentication mode both sides need the same shared key. When you create the OpenVPN server the VT AIR can generate a shared key automatically; it then just needs to be copied to the OpenVPN client. A shared key serves exactly one peer (point-to-point) and provides no forward secrecy: anyone who obtains the key can decrypt previously captured traffic, so rotate it if a peer is ever compromised.
Protocol can be either UDP or TCP, for IPv4 only, IPv6 only or both. Selecting both IPv4 and IPv6 is multihome only, which means the Interface cannot be specified; only All can be selected.
Device Mode is either tun (Layer 3, routed) or tap (Layer 2, bridged).
Interface can be set to a specific interface or to All. If the Interface is a VRRP virtual IP of an HA setup, only the Master holding the IP runs the OpenVPN instance; the Slave keeps it on standby.
Local Port can be defined; if left blank, a random port is used.
Use TLS Key adds a pre-shared key that protects the TLS control channel (the tls-auth or tls-crypt directive in OpenVPN terms): packets without a valid HMAC are dropped before a TLS handshake is attempted, which shields the server from port scans and from unauthenticated peers probing the TLS stack. It can only be used in certificate or user authentication mode. The same TLS Key needs to be provided on both sides; the key can be generated automatically when creating an OpenVPN server.
Encryption Algorithm can be one of many algorithms. It is also possible to select none, which sends the data channel unencrypted: the peers are still authenticated, but the tunnel offers no confidentiality. The algorithm has to be the same on both sides (with NCP enabled, the cipher negotiated from the NCP list is used instead).
Enable NCP allows Negotiable Cryptographic Parameters: the peers negotiate the data-channel cipher from the list selected at NCP Algorithm(s), where multiple algorithms can be selected. OpenVPN respects the order of the selected algorithms. It is only available for OpenVPN 2.4 and upwards.
Auth. Digest Algorithm can be one of a few algorithms and has to be the same on both sides. It provides the HMAC for the data channel (AEAD ciphers such as AES-GCM authenticate their own data and ignore it there) and is also the digest used for the TLS Key; if none is selected, the TLS Key cannot be used.
IPv4 Tunnel Network and IPv6 Tunnel Network define the tunnel network for the connection.
Remote Network(s) allows the usage of multiple remote networks.
Compression selects the compression method for the tunnel packets (LZ4 or LZO) and can be one of the following:
- Omit Preference (Use OpenVPN Default)
- LZ4 Compression [compress lz4]
- LZ4 Compression v2 [compress lz4-v2]
- LZO Compression [compress lzo, equivalent to comp-lzo yes for compatibility]
- Enable Compression (stub) [compress]
- Omit Preference, + Disable Adaptive LZO Compression [Legacy style, comp-noadapt]
- Adaptive LZO Compression [Legacy style, comp-lzo adaptive]
- LZO Compression [Legacy style, comp-lzo yes]
- No LZO Compression [Legacy style, comp-lzo no]
Compression lets a party who can inject data into the tunnel infer secrets from the size of the compressed packets (a compression oracle; VORACLE is the published attack of this kind against OpenVPN). Leave it disabled unless you need it to interoperate with legacy peers; the stub option and comp-lzo no keep the compression framing without actually compressing.
Type-of-Service sets the TOS field of the outer tunnel packet to the value of the encapsulated packet. This lets QoS on the path see the inner traffic class, but it also reveals that class to anyone observing the encrypted tunnel.
Topology specifies how the virtual adapter IP address is assigned to clients (OpenVPN's net30, p2p or subnet; subnet assigns one address per client from the tunnel network).
Custom Options is for custom configuration parameters for the config.
Gateways lets you choose which Gateways should be created in the System. Gateways can be used to create additional Routes or Routing Tables.
Send/Receive Buffer is the Send and Receive Buffer size for OpenVPN. The default buffer size can be too small in many cases, depending on hardware and network uplink speeds.
Log Level is the log verbosity level. 0 is silent, except for fatal errors. 4 is reasonable for general usage. 5 and 6 can help to debug connection problems. 9 is extremely verbose.
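The settings above map directly to OpenVPN configuration directives. The following is an added example for this page, not VT AIR code: a small linter that parses a server config and reports the weak choices discussed in this section (cipher none, auth none, compression, a missing TLS key, Type-of-Service, shared-key mode) plus the Duplicate Connection setting described under Server Only Settings. The two configs are constructed samples, one weak and one with the settings corrected; the finding codes and messages are this example's own.

```python
"""Check the crypto, compression and TOS settings of an OpenVPN config.

Added example for this section; it is not VT AIR code. It inspects the
directives the settings above generate (cipher, auth, compress/comp-lzo,
tls-auth/tls-crypt, passtos, secret, duplicate-cn) and reports the weak
choices. Inline <ca>..</ca> blocks are not special-cased: their PEM lines
never match a rule, so they are simply ignored.
"""
import shlex

# Constructed sample: server config with every weak choice this page warns about.
WEAK_SERVER = """
dev tun
proto udp4
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# Encryption Algorithm = none: the data channel is sent in clear
cipher none
# Auth. Digest Algorithm = none: no data-channel HMAC, and no TLS key possible
auth none
# Adaptive LZO Compression [Legacy style]
comp-lzo adaptive
# Type-of-Service
passtos
# Duplicate Connection
duplicate-cn
"""

# Constructed sample: the same server with the settings corrected.
HARDENED_SERVER = """
dev tun
proto udp4
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-crypt ta.key
"""

COMPRESSION_ON = {"lzo", "lz4", "lz4-v2"}            # 'compress <alg>' values that compress
TLS_KEY_DIRECTIVES = ("tls-auth", "tls-crypt", "tls-crypt-v2")


def directives(text):
    """Return {name: [args, ...]} for each directive, ignoring blank and comment lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)    # also drops a trailing '# comment'
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def lint(text):
    """Return a list of (code, message) findings; an empty list means nothing weak was found."""
    d = directives(text)
    findings = []
    static_key = "secret" in d
    if static_key:
        findings.append(("static-key", "secret: shared-key mode serves one peer and has no forward secrecy"))
    if any(a and a[0].lower() == "none" for a in d.get("cipher", [])):
        findings.append(("cipher-none", "cipher none: the data channel is not encrypted"))
    if any(a and a[0].lower() == "none" for a in d.get("auth", [])):
        # AEAD ciphers such as AES-256-GCM ignore 'auth' on the data channel,
        # but the TLS key HMAC still needs this digest, so 'none' rules the TLS key out.
        findings.append(("auth-none", "auth none: no data-channel HMAC and the TLS key cannot be used"))
    if any(a and a[0] in COMPRESSION_ON for a in d.get("compress", [])):
        findings.append(("compression", "compress: compression enabled, exposes a compression oracle"))
    if any(not a or a[0] in ("yes", "adaptive") for a in d.get("comp-lzo", [])):
        findings.append(("compression", "comp-lzo: legacy LZO compression enabled"))
    if not static_key and not any(k in d for k in TLS_KEY_DIRECTIVES):
        findings.append(("no-tls-key", "no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake"))
    if "passtos" in d:
        findings.append(("passtos", "passtos: inner packet TOS is copied to the outer header, visible on the path"))
    if "duplicate-cn" in d:
        findings.append(("duplicate-cn", "duplicate-cn: one leaked client certificate can be used from many hosts at once"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        result = lint(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for code, msg in result:
            print("  ", code, "-", msg)
```

Run it against a config exported from the Custom Options or an existing server before importing: the weak sample yields six findings, the hardened one none. The check for a missing TLS key is skipped in shared-key mode because that mode has no TLS control channel to protect.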
21.2.1. Server Only Settings
Peer to Peer can be enabled in certificate or user authentication mode. It allows only one client to connect at a time.
Authentication Server is available if user authentication is enabled. It lets you use a predefined server from Authentication Server for authentication. The users then do not need to exist on the VT AIR; access is decided solely by the response of the authentication server.
Use CRL enables checking client certificates against the CRL of the selected Peer Certificate Authority. Without it, a client certificate that has been revoked is still accepted as long as it is otherwise valid, so enable it whenever you have ever revoked a client certificate.
Two Factor Authentication can be enabled if you use User Authentication. Only TOTP is used, not One Time Passwords. Make sure that all relevant users have Two Factor Authentication enabled, as they will not be able to log in otherwise. It is NOT necessary to enable Two Factor Authentication for the webgui for this to work.
Certificate Depth defines how many levels of a certificate chain are accepted for certificate-based client logins. Keep it as low as your PKI needs: each additional level also accepts certificates issued by an intermediate CA beneath the Peer Certificate Authority.
DH Parameter Length is the size of the Diffie-Hellman parameter set used for key exchange; use at least 2048 bits.
ECDH Curve is the Elliptic Curve to use for key exchange.
Redirect Gateway can be enabled to force all client generated traffic through the tunnel.
Concurrent connections specifies the maximum number of clients allowed to concurrently connect to this server.
Push Compression can be enabled to push the selected Compression setting to connecting clients.
Inter-client communication can be enabled to allow clients connected to this server to talk to each other. A Firewall Rule is still needed for this to work.
Duplicate Connection can be enabled to allow multiple concurrent connections from clients using the same Common Name. Leave it disabled where possible: with it enabled, a leaked client certificate can be used from many hosts at the same time without displacing the legitimate client.
Associate Firewall Rule can be enabled so that an OpenVPN-associated Firewall Rule is created and kept up to date.
Dynamic IP can be enabled to allow connected clients to retain their connections if their IP address changes.
DNS Settings can be enabled to configure several advanced DNS options as well as four DNS Servers.
DNS Default Domain provides a default domain name to clients.
Block Outside DNS makes Windows 10 clients block access to all DNS servers other than those reached across OpenVPN while connected, forcing the clients to use only the VPN DNS servers and preventing DNS leaks.
Register DNS prompts Windows to register the pushed DNS servers.
NTP Settings can be enabled to configure two NTP Servers.
21.2.2. Client Only Settings
Server host or address and Server Port are the IP address or hostname of the OpenVPN server and the port it is listening on.
Limit outgoing bandwidth is the maximum outgoing bandwidth for this tunnel. It can be left empty for no limit; otherwise the value has to be between 100 bytes/sec and 100 Mbytes/sec.
Do not pull routes can be enabled to prevent the server from adding routes to the client's routing table.
Do not add/remove routes can be enabled to not add or remove routes automatically.
Proxy host or address is the address for an HTTP Proxy this client can use to connect to a remote server.
Proxy Port is the port of the proxy and its default is 1080.
Proxy Authentication can be enabled to use a Username and/or Password.
21.2.3. Import Settings
Instead of creating a new server or client you can import settings from an existing OpenVPN config. The VT AIR will preselect all matched settings and put the rest into the custom options field. Multiple entry settings like NCP Algorithms, Local Networks and Remote Networks are not matched at the moment.
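To illustrate the split the import performs, here is an added example (not VT AIR code) that reads an existing OpenVPN client config and sorts its directives into matched settings, Custom Options and inline certificate blocks. The mapping from directive to settings field is an assumption about which fields exist; multi-entry directives, and any directive that appears more than once, are left unmatched and go to Custom Options, as the text says. The client config is a constructed sample with a placeholder instead of a real certificate.

```python
"""Split an OpenVPN client config into matched settings, custom options and
inline blocks, mirroring the import described above.

Added example, not VT AIR code. FIELD_FOR is an assumed directive-to-field
mapping; how the appliance handles inline <ca>/<cert>/<key> blocks is not
described on the page, so they are returned separately for the caller.
"""
import re
import shlex

# Assumed mapping from single-valued directive to settings field.
FIELD_FOR = {
    "dev": "Device Mode",
    "proto": "Protocol",
    "remote": "Server host or address / Server Port",
    "cipher": "Encryption Algorithm",
    "auth": "Auth. Digest Algorithm",
    "compress": "Compression",
    "comp-lzo": "Compression",
    "topology": "Topology",
    "tls-auth": "Use TLS Key",
    "tls-crypt": "Use TLS Key",
    "passtos": "Type-of-Service",
    "verb": "Log Level",
    "shaper": "Limit outgoing bandwidth",
    "route-nopull": "Do not pull routes",
    "route-noexec": "Do not add/remove routes",
    "http-proxy": "Proxy host or address / Proxy Port",
}
# Multi-entry settings the import does not match at the moment.
MULTI_ENTRY = {"data-ciphers", "ncp-ciphers", "route", "route-ipv6"}

# Constructed sample client config (the PEM body is a placeholder, not a real certificate).
SAMPLE_CLIENT = """\
client
dev tun
proto udp4
remote vpn.example.com 1194
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
compress lz4-v2
route 10.1.0.0 255.255.0.0
route 10.2.0.0 255.255.0.0
tls-crypt ta.key
verb 3
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
"""


def split_config(text):
    """Return (matched, custom, inline).

    matched: {field: [args]}          directives that map to a settings field
    custom:  [original directive lines]  everything else, for Custom Options
    inline:  {tag: body}              contents of <ca>, <cert>, <key>, ... blocks
    """
    entries, inline = [], {}            # entries: (name, args, original line)
    tag, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if tag:                          # inside an inline block: collect until </tag>
            if line == f"</{tag}>":
                inline[tag] = "\n".join(body)
                tag, body = None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            tag = m.group(1)
            continue
        if not line or line[0] in "#;":  # blank or comment line
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            entries.append((parts[0], parts[1:], line))

    counts = {}
    for name, _, _ in entries:
        counts[name] = counts.get(name, 0) + 1

    matched, custom = {}, []
    for name, args, line in entries:
        # A directive is matched only if it maps to a field, is single-entry
        # by nature, and occurs exactly once; otherwise it becomes a custom option.
        if name in FIELD_FOR and name not in MULTI_ENTRY and counts[name] == 1:
            matched[FIELD_FOR[name]] = args
        else:
            custom.append(line)
    return matched, custom, inline


if __name__ == "__main__":
    matched, custom, inline = split_config(SAMPLE_CLIENT)
    for field, args in matched.items():
        print(f"{field}: {' '.join(args)}")
    print("Custom Options:", custom)
    print("Inline blocks:", list(inline))
```

On the sample, the two route lines and the data-ciphers list end up in Custom Options exactly as the page describes for multi-entry settings, while dev, proto, remote, cipher, auth, compress, tls-crypt and verb are preselected; review the Custom Options list after an import, since anything you expected to be matched will show up there.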