
Client to Site VPN

CyberEdge Client to Site VPN enables remote users to connect to the corporate network. The following outlines the initial setup and configuration requirements. Recommended setup flow includes:

If you have already created a network zone and virtual connection, you can skip ahead to SNAT Configuration to configure SNAT rules.

Important

  • CyberEdge client to site VPN supports the OpenVPN client application for both Microsoft Windows and Apple MacOS. The client to site VPN configuration file generated by the CyberEdge should be uploaded into the OpenVPN client application.
  • Supported OpenVPN client application version for Windows 10/11: OpenVPN Version 3.3.7 (2979)
  • Supported OpenVPN client application version for MacOS: Version 3.3.5 (4310)
  • OpenVPN client application automatic updates should be set to monthly

Network Configuration

To enable Client-to-Site VPN access, a virtual network connection must be established. This virtual network serves as the subnet allocated to remote clients. It is recommended to configure the Client-to-Site VPN Subnet within a dedicated network zone, providing granular control over VPN client access. Alternatively, the Client-to-Site VPN Subnet can be added to the Local zone.

Create a Zone (Optional)

If you intend to add a VPN subnet to an existing zone, you can skip this step.

To create a zone, perform the following:

  1. Navigate to the Networks > Zones page and click "+ Add" to create a new zone
  2. Name: Enter a meaningful name for the zone
  3. Description: Enter a meaningful description for the zone, if desired
  4. Colour: Select a colour for your new zone, if desired
  5. Enable both of the following:
    • Apply routing policies
    • Allow traffic between subnets
  6. Click "Save" to save the new zone and apply the pending configuration change

Create a VPN Subnet

The following steps describe how to create a Client to Site VPN Subnet which will be used by your VPN clients:

  1. Navigate to the Networks > Connections page, click "+ Add" and choose "Client to Site VPN Subnet". Add the following:
    • Name: Add a meaningful name for the VPN Subnet
    • Network Zone: Choose the newly created network zone for this subnet. This will affect how VPN client traffic is routed to other networks managed by the CyberEdge, and how firewall policies are applied
    • IPv4 client network: Assign an IPv4 network to be used for VPN clients using CIDR format, e.g. 172.18.1.0/24
    • IPv6 client network: Unless required for your specific network, this field can be left blank
    • Traffic Shaping Profile: If configured, a traffic shaping policy can be applied to the Client to Site VPN Subnet, which shapes the total traffic of the subnet
  2. Click "Save"
  3. Click "Save and Apply changes"

Once a VPN subnet has been created, it can be viewed at Network > Connections within the configured zone. It will be labelled with a status of "Virtual".

Important tip

  • You can add static routes that may be required for your VPN clients from this network. To do so, edit the VPN subnet and click "Add Static Route"
  • Depending on your VPN requirements, you can create multiple VPN subnets. This is often used to split users from third parties to limit access to specific destinations by network

SNAT Configuration

For VPN configurations with Split Tunnelling disabled, you must create a SNAT rule to correctly NAT traffic out of the Internet zone. If split tunnelling is enabled, this step is not required. To configure SNAT rules, perform the following:

  1. Navigate to the Routing > SNAT page and click "+ Add" to add a SNAT rule. Add the following:
    • Name: Add a meaningful name for the SNAT rule
    • Source Zone: Select the custom zone created for VPN clients
    • Destination Zone: Select the Internet Zone
  2. Click "Save"
  3. Click "Save and Apply changes"

DNS Configuration

To allow VPN clients to utilize the CyberEdge for DNS (including forward lookup zones back to the domain DNS servers) perform the following:

  1. Navigate to Services > DNS > Network Zones
  2. Add the custom zone for your virtual connection
  3. Click "Save"
  4. Click "Save and Apply changes"

Zone Access Configuration

Restricting access by group requires Zone authentication to be configured and enabled. To enable this for a Zone Access configuration that already exists, perform the following:

  1. Navigate to Authentication > Zone Access
  2. Add the custom Zone that was created for Client to Site VPN
  3. Click "Save" and apply changes

Access Policy Configuration

Access Policies are used to control what can be accessed between zones. To configure Access Policies for your client VPN -> Network/Internet zones, perform the following:

  1. Navigate to Security Centre > Access Policies
  2. Identify your zone pairing and create Access Policies that meet your business requirements

By default, all traffic will be dropped until access policies have been created.

Note

Configuration of Zone based Access Policies is not covered in this setup guide.

Client to Site VPN Configuration

After setup, a client configuration file can be obtained and shared with users, offering them a pre-configured VPN profile that can be easily imported into the VPN client software. To enable and configure the Client to Site VPN, perform the following:

  1. Navigate to Networks > Client to Site VPN
  2. Enable the VPN and add the following:
    • Hostname/IP: Enter the hostname or IP address of your CyberEdge. This will be used by the VPN client to connect and must be accessible from the Internet
    • Listen connections: Select the network connection that will be used to listen for client VPN connections
    • Protocol: Set the protocol to be used by your VPN client (UDP or TCP)
    • Port: Select the port to be used by your VPN client. The default port is 1194, however a custom port can be provided
    • Local client connection: Select the virtual connection to be used for your VPN clients
  3. Click "Save"
  4. Click "Save and Apply changes"

Authentication

CyberEdge supports multiple methods of authentication for VPN clients, including username/password, username/password + certificate, or username/password + certificate + MFA (from CE version 0.15.1). It is recommended that administrators enable at least username/password + certificate authentication or MFA (TOTP). The following steps describe how to configure username/password + certificate authentication:

  • Authentication method: Set authentication method to shared certificate and password
  • Authentication Provider: Specify an authentication provider to be used by the client VPN
  • Allowed groups: Specify any and all groups that are allowed to connect to the VPN
  • Allow duplicate usernames: Specify if duplicate usernames are allowed on the network. This should be enabled if users have more than one device requiring a remote VPN connection. If this is not enabled and a second device connects using the same credentials, the initial Client VPN connection will be dropped.

Multi-factor Authentication (MFA)

Enabling Multi-factor Authentication (MFA) is as simple as enabling the "Require TOTP authentication" option in the Client to Site VPN Configuration page. To ensure users are able to successfully register a TOTP authenticator (e.g. Microsoft Authenticator), the following steps should also be performed:

  1. Navigate to LiveZone > General and ensure LiveZone is enabled
  2. Validate the LiveZone configuration and ensure it is reachable by your users; for further details see LiveZone Initial Setup
  3. Go to https://live.localnetwork.zone > Profile to set up your MFA token

Important tip

If a user is unable to access the TOTP authenticator app to obtain an MFA token, the system administrator must reset the user's MFA. To do so, navigate to Authentication > MFA users and select the user to be reset. Once complete, the user will be required to set up MFA again using the standard MFA process.

Certificates

Allocate the certificates required to perform authentication to the Client VPN when Username/Password + Certificate authentication method has been configured.

  1. CA certificate: Specify a CA certificate to be used for the Client to Site VPN configuration
  2. Server certificate: Specify the certificate to be used by the VPN server
  3. Shared client certificate: Specify the certificate to be used by the VPN client. Note that this is a shared certificate and is not unique per VPN client

Tip

Certificates can be uploaded via System > Certificates

Client Options

  • Expose routes from zones: This will allow clients to route traffic through the CyberEdge for all subnets associated with connections in the selected zones. This does not affect the security of zone to zone traffic, which must be configured using access policies
  • Custom DNS servers: DNS servers to be used when not using the CyberEdge for DNS
  • Use split tunnelling: If enabled, the client VPN will only use the VPN tunnel to access networks exposed by the VPN configuration. Regular Internet traffic will be routed via the local gateway and not over the tunnel
  • Use split DNS: If enabled, clients will only use the DNS server assigned by the VPN configuration for the domains it covers. By default, this includes all domains hosted on the CyberEdge. (Note: this requires support in the Client VPN application. If split tunnelling is disabled, clients will use the VPN DNS server to resolve all domains)
  • Additional domains: These should resolve using the VPN tunnel's DNS server when using Split DNS. Domains hosted by the CyberEdge DNS service are automatically included and do not need to be added manually

Once the client configuration is complete, click "Save" and apply changes.

Download VPN Configuration

To download the Client to Site VPN configuration, go to Network > Client to Site VPN and click "Download Client Configuration". The VPN configuration file will be downloaded.
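Before sharing the downloaded profile with users, it is worth confirming that it reflects the Client Options configured above (protocol and port, full versus split tunnelling, VPN DNS server and split DNS domains). The following is an added example, not CyberEdge's own code; it assumes the profile uses standard OpenVPN directives (`remote`, `proto`, `redirect-gateway`, `dhcp-option`, `auth-user-pass`, inline `<ca>` blocks), and the sample profile, `parse_profile` and `summarise` are constructed for illustration.

```python
# Added example (not CyberEdge code): parse standard OpenVPN directives from a profile and
# summarise the settings that the Client Options on this page control. SAMPLE_PROFILE is constructed.
import re

SAMPLE_PROFILE = """\
client
proto udp
remote vpn.example.invalid 1194
auth-user-pass
redirect-gateway def1
dhcp-option DNS 172.18.1.1
dhcp-option DOMAIN corp.example.invalid
<ca>
-----BEGIN CERTIFICATE-----
constructed-placeholder
-----END CERTIFICATE-----
</ca>
"""

def parse_profile(text):
    """Map each directive to its argument lists; an inline <tag> block is recorded as present."""
    directives, inline = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if inline:                                   # skip certificate/key material
            inline = None if line == f"</{inline}>" else inline
        elif not line or line[0] in "#;":
            continue                                 # blank line or comment
        elif tag := re.fullmatch(r"<([a-z-]+)>", line):
            inline = tag.group(1)
            directives.setdefault(inline, []).append(["<inline>"])
        else:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def summarise(text):
    """Derive host/port/protocol, tunnel mode, DNS and authentication settings from a profile."""
    d = parse_profile(text)
    remote = d.get("remote", [[None]])[0]
    opts = d.get("dhcp-option", [])
    return {
        "host": remote[0],
        "port": int(remote[1]) if len(remote) > 1 else 1194,     # OpenVPN default port
        "proto": d.get("proto", [["udp"]])[0][0],
        "full_tunnel": "redirect-gateway" in d,  # True: Internet traffic uses the tunnel, so SNAT is required
        "password_prompt": "auth-user-pass" in d,
        "embedded_ca": "ca" in d,
        "vpn_dns": [a[1] for a in opts if len(a) > 1 and a[0].upper() == "DNS"],
        "split_dns_domains": [a[1] for a in opts if len(a) > 1 and a[0].upper() == "DOMAIN"],
    }
```

A profile with `full_tunnel` set to True corresponds to split tunnelling being disabled, which is the case where the SNAT rule described earlier is required.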