NEXCOM IFA 1610 User Manual


Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 7: The VPN Menu

Dynamic IP Pool Start address
The first possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Dynamic IP Pool End address
The last possible IP address in the network of the selected zone that should be used for the OpenVPN clients.

Routed and bridged OpenVPN server, static and dynamic.
When configuring a pool of IP addresses to be reserved for clients connecting via OpenVPN, a few guidelines should be
kept in mind: they help prevent future malfunctions and make the design and set-up cleaner and easier.

Before starting the configuration of the server, there is a golden rule to remember concerning the implementation of
the VPN multicore architecture: regardless of whether a multicore VPN server instance uses bridged or routed mode,
static IP address reservations are ignored. In other words, a client connecting to this VPN server will receive a dynamic
IP address, even if its configuration contains a static IP assignment.

The first choice is whether the OpenVPN server should act in routed or bridged mode. In the former case, it is
necessary to define a suitable VPN subnet that will provide the IP addresses for the clients. Traffic directed to this
subnet has to be filtered, if necessary, using the VPN firewall. In the latter case, the OpenVPN server treats the clients,
upon connecting, as if they were physically connected to a zone, i.e., the server bridges the client into one of the zones.
In this case, a pool of IP addresses must be defined within that zone using the two options that appear right before
this box. This pool must be entirely contained in the zone's subnet and smaller than it. It is also important to make sure
that this pool does not conflict with other pools defined in that zone, e.g., the pool of a DHCP server.

In a bridged OpenVPN server it is possible to assign a static IP address to some (or even all) users. When planning this,
it is good practice that these static IP addresses do not belong to any of the IP pools defined in that zone, to prevent
address conflicts and wrong routing. Traffic to such a client can then be filtered by using the VPN (or IPsec) user as
source or destination in the Firewall rules.
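As an added example (not part of the NEXCOM manual), the following Python function applies the pool guidelines above to a proposed bridged-mode configuration: the pool must lie inside the zone subnet, be smaller than it, not overlap the zone's DHCP pool, and static client addresses must stay outside both pools. The zone, pool, DHCP and static values are constructed; reading "smaller than the subnet" as "leaves at least one host address free" is this example's assumption.

```python
import ipaddress


def _span(first, last):
    """Inclusive address range as integers, so overlap checks are plain comparisons."""
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))


def check_bridged_pool(zone_subnet, pool_start, pool_end, dhcp_range=None, static_ips=()):
    """Check a bridged OpenVPN client pool against the manual's rules; returns a list of problems."""
    net = ipaddress.ip_network(zone_subnet, strict=False)
    lo, hi = _span(pool_start, pool_end)
    problems = []
    if hi < lo:
        problems.append("pool end address precedes pool start address")
    if ipaddress.ip_address(lo) not in net or ipaddress.ip_address(hi) not in net:
        problems.append("pool is not entirely contained in the zone subnet")
    # "Smaller than the zone's subnet": assumed here to mean at least one host
    # address remains free (e.g. for the appliance's own address in the zone).
    if hi - lo + 1 >= net.num_addresses - 2:
        problems.append("pool is not smaller than the zone subnet")
    if dhcp_range:
        dlo, dhi = _span(*dhcp_range)
        if lo <= dhi and dlo <= hi:
            problems.append("pool overlaps the DHCP pool of the same zone")
    for ip in static_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"static address {ip} is outside the zone subnet")
        elif lo <= int(addr) <= hi:
            problems.append(f"static address {ip} lies inside the OpenVPN pool")
        elif dhcp_range and dlo <= int(addr) <= dhi:
            problems.append(f"static address {ip} lies inside the DHCP pool")
    return problems


if __name__ == "__main__":
    # Constructed sample: a GREEN-style zone with a DHCP pool and one static VPN user.
    for pool in (("192.168.20.200", "192.168.20.220"), ("192.168.20.100", "192.168.20.210")):
        found = check_bridged_pool("192.168.20.0/24", *pool,
                                   dhcp_range=("192.168.20.50", "192.168.20.150"),
                                   static_ips=("192.168.20.230", "192.168.20.205"))
        print(pool, found or "OK")
```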

In the Advanced options box, additional options can be configured.

Number of cores
The drop-down menu allows you to choose how many of the appliance's CPUs the instance may use; the options offered
in the drop-down menu therefore vary with the appliance.

Allow multiple connections from one account:
Normally, one client is allowed to connect from one location at a time. Selecting this option permits multiple logins of
the same client, even from different locations. However, when the same client is connected twice or more, the VPN
firewall rules no longer apply.

Block DHCP responses coming from tunnel
Tick this checkbox when DHCP responses received from the LAN at the other side of the VPN tunnel conflict with the
local DHCP server.

Client to client connections
Select from the drop-down menu how clients of the OpenVPN server may communicate with each other. This option is
only available on single-process servers, i.e., on servers running only one instance of the OpenVPN server.

Not allowed: The clients cannot communicate with each other.

Allow direct connections: The clients can communicate directly with each other, but filtering is not possible.

Filter connections in the VPN firewall: The clients can communicate with each other, but their traffic is redirected
to the VPN Firewall and can be filtered using suitable rules there.

Note: In the case of appliances with multi-core CPUs, no selection is possible and the option Filter connections in
the VPN firewall is automatically activated.

Push these nameservers
By ticking this checkbox, the nameservers specified in the text field below are sent to the clients upon connection.