Client VPN

Topic

This article provides Client VPN configuration instructions for the Datto Networking Appliance (DNA).

Environment

  • Datto Networking Appliance (DNA)

Description

  1. To configure Client VPN, log into the DNA web interface, and click Networks.
    mceclip1.png

  2. On the Networks page, click the Client VPN option in the left pane.

  3. Enter the Shared Secret (password) of your choice. The password must be between 16 and 40 characters long.

  4. The configuration will depend on the client VPN chosen and the operating system that you are connecting from. Expand the section and follow the steps for the appropriate client VPN below:

    This feature allows a user to configure an SSL Client VPN connection using the same client VPN feature currently in place.

    When enabled, the subnet is divided in two, allowing half of the subnet to use IPSec IKEv1 or IKEv2 client VPN connectivity, while allowing the other half of addresses to be configured for SSL (OpenVPN) client connectivity.

    Requirements

    • DNA firmware v0.9.0.64 or higher
    • OpenVPN installed on the PC you will be using to connect to the DNA
    • You must use the actual OpenVPN client. OpenVPN Connect will not function properly.

    Follow the process for the operating system you will be connecting from.

    1. Follow the steps described in DNA: Client VPN to configure your Datto Networking Appliance.

    2. Install the VPN Client via the method described for your operating system. Download and install the OpenVPN Windows installer (external link).

    3. Download the OpenVPN config file from the DNA to the target computer by clicking the OpenVPN Config File on the Client VPN card.

      Save the file to %systemroot%\Program Files\OpenVPN\config.

    4. By default, it will use a split tunnel. If you would like to change it to a full tunnel, add redirect-gateway def1 to the config file above the certificate.

    5. Open the OpenVPNclient and click connect.

    6. Log in using the credentials you created in the DNA: Client VPN article.

    1. Follow the steps described in DNA: Client VPN to configure your Datto Networking Appliance.

    2. Install the VPN Client via the method described for your operating system.

      sudo apt-get install openvpn

    3. Download the OpenVPN config file from the DNA to the target computer by clicking the OpenVPN Config File on the Client VPN card.

      Save the file to the desktop.

    4. By default, it will use a split tunnel. If you would like to change it to a full tunnel, add redirect-gateway def1 to the config file above the certificate.

    5. To connect to the VPN client, launch OpenVPN with the --config argument to specify the configuration file to use:

      openvpn --config client.ovpn

    6. Log in using the credentials you created in the DNA: Client VPN article.

    1. Follow the steps described in DNA: Client VPN to configure your Datto Networking Appliance.

    2. For Mac, you will need to install Tunnelblick (external link), instead of OpenVPN.

    3. Download the OpenVPN config file from the DNA to the target computer by clicking the OpenVPN Config File on the Client VPN card.

      Save the file to the desktop.

    4. By default, it will use a split tunnel. If you would like to change it to a full tunnel, add redirect-gateway def1 to the config file above the certificate.

    5. Add the config file you saved in the Download the OpenVPN Config File section of this article to Tunnelblick by dragging it from the desktop into the left-hand pane.

    6. Select the configuration in the Configurations sidebar, and click Connect.

    7. Log in using the credentials you created in the DNA: Client VPN article.

    On the client machine

    1. From an Admin user account, open Microsoft Management Console (search for or run "mmc.exe").

    2. In the Console dialog box, select FileAdd or Remove Snap-in.

    3. From the Available snap-ins list, select Certificates, then click Add.

    4. In the resulting window, select Computer Account and click Next.

    5. Select Local Computer and click Finish.

    6. Click OK to close the Add or Remove Snap-ins dialog.

      add_remove_snapins.jpg

    7. In the Console1 dialog, expand the Certificates category and navigate to Trusted Root Certification AuthoritiesCertificates.

      Cert.PNG

    8. Choose Action in the menu bar, then navigate to All tasksImport.

      Action.PNG

    9. Click Next on the Welcome screen.

      IKEv2.KB1.PNG

    10. Click Browse and make sure the drop-down for File type is set to All Files, then choose the Certificate you saved earlier and click Open. Click Next and then Finished.

      IKEv2.KB2.png

    11. Click the Windows start button and type "network." From the list of options, choose Network and Sharing Center.

    12. Select Set Up a new Connection or Network, then navigate to Connect to a WorkplaceUse my Internet Connection (VPN).
      IKEv2.KB3.PNG

    13. Enter the DNA's assigned public address. You can find this address in the DNA UI on the Network Overview tab under Router Details.

      router_deets.jpg

    14. On the Network and Sharing Center screen, click Change Adapter Settings, then right-click on the VPN Connection and click properties.

      IKEv2.KB5.PNG

    15. Click the Security tab and choose IKEv2 in the Type of VPN drop-down menu. For Authentication, choose Microsoft: Secured Password (EAP-MSCHAP v2) (encryption enabled)

    16. Click the Networking tab, then select IPv4.

    17. Click Properties, then select Advanced and verify that Use default gateway is checked. Click OK to and exit all dialogue boxes.

      properties.jpg

      You should now be able to connect to the VPN. When you click Connect for the first time, it will prompt you for the login credentials you set on the DNA client VPN page.

      vpn_connect.jpg

    Using ClientVPN with Windows IKEv2

    To configure IKEv2 settings will to work with Client VPN, you must change the VPN connection's default ciphers.

    1. Open PowerShell.

    2. Run the following command:

      Set-VPNConnectionIPsecConfiguration -Name "[Connection Name]" -AuthenticationTransformConstants SHA1 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup ECP384

    In macOS

    1. Navigate to System Preferences > Network.

    2. Click + to create a new network connection.

    3. Select VPN from the Interface drop-down menu.

    4. Select Cisco IPSec in the VPN Type field.

    5. In the Service Name field, enter a connection name that clearly identifies the interface's purpose.

    6. Click Create.

    In Network Manager

    1. Click the Status tab.

    2. Make a note of your DNA's Assigned Public IP Address value. Enter it in the Server Address field of the macOS VPN connection settings.

    1. Navigate to Network > Client VPN. Make a note of the username and password of the account you'd like to use to authenticate the VPN connection. Enter these value in the Account Name and Password fields of the macOS VPN connection settings.

    1. Copy the Authentication Shared Secret value from the Client VPN page. In the macOS VPN connection settings, click Authentication Settings. Paste the Authentication Shared Secret into the Machine Authentication: Shared Secret field.

    2. Apply the settings. You can now connect to the DNA as an IPSec VPN client.

  5. Enter the subnet to assign to VPN users and select the appropriate option from the Subnet Mask drop-down menu.

  6. Under Allow Access To, select the internal networks to whom you'd liketo assign VPN users access. If you'd like, you can also allow access to all Remote Sites, but note that all remote sites must allow access to a common local subnet for this to work correctly.

  7. Click the New User button to begin adding users.

  8. With your users entered, select Yes under Enable Client VPN to activate Client VPN.

  9. Click Save Changes to complete the process.

VPN performance limitations

The DNA has no set limitations on the number of clients that can connect via VPN at any time. However, performance for client connections are subject to the ISP resources and bandwidth available, as well as the size of the subnet in use.

Additional Resources