11.7. OneConnect VPN

11.7.1. Overview

The OneConnect Interface object provides support for SSL VPN connections from the Clavister OneConnect client (version 3.0 or later), or alternatively, third party OpenConnect clients running on any platform. This means there is an SSL VPN connection option for platforms, such as Linux, where Clavister does not provide a proprietary OneConnect client.

Note that the SSL VPN interface described previously in Section 11.6, SSL VPN only provides support for versions of the Clavister OneConnect client prior to 3.0 (which is also called OneConnect Classic). A comparison of the capabilities of the SSL VPN interface and the OneConnect interface can be found in a Clavister knowledge base article at the following link:

https://kb.clavister.com/332433702

IPv6 Support with the OneConnect Interface

The OneConnect Interface object allows outer tunnel IP addresses (the Server IP property) to be either IPv4 or IPv6. However, it does not support IPv6 traffic inside the tunnel.

A Summary of cOS Core Configuration Setup for OneConnect

Below is a summary of steps for setting up OneConnect VPN in cOS Core. These steps are very similar to the steps described in Section 11.6, SSL VPN for the proprietary Clavister SSL VPN clients with only small differences.

  1. A OneConnect Interface object needs to be created which configures a particular Ethernet interface to accept OneConnect client connections.

  2. The method of handling authentication of incoming connections can either be defined in the OneConnect Interface object or a separate Authentication Rule can be defined. Example 11.27, “Setting Up a OneConnect VPN Interface” shows how authentication can be defined within the interface object.

    If a separate Authentication Rule is used the following should be noted:

    1. The rule must have its Interface property set to be the name of the relevant OneConnect Interface object.

    2. The Authentication Agent property of the rule must be set to the value OneConnect.

    3. The PPP Agent Options property for the rule should have only the PAP option enabled.

  3. If only a specific IP address, network or network range is to be made available to the OneConnect client through the tunnel then this can be specified as an option on the OneConnect Interface. Otherwise, it is assumed that all client traffic will be routed through the tunnel.

  4. Define appropriate cOS Core IP policies to allow data flow within the OneConnect tunnel. As discussed below, IP policies do not normally need to be defined for the setup of the tunnel itself; they are only needed for the traffic that flows inside the tunnel.

  5. Specify the interfaces on which client IPs will be ARP published. This is necessary so a server behind the firewall knows how to send replies back to the client.

    Usually, the only time proxy ARP needs to be enabled is if the IPs assigned to clients are part of an already existing subnet that clients need access to. In that case, proxy ARP must be enabled on the interface that has the corresponding subnet. If the traffic is routed by the firewall, for example with an Allow IP policy or a NAT IP policy, proxy ARP is not needed.

    The option exists with cOS Core OneConnect VPN to automatically ARP publish all client IPs on all firewall interfaces but this is not recommended because of the security issues that it raises.

  6. Routes for clients do not need to be defined in the routing tables as these are added automatically by cOS Core when OneConnect tunnels are established.

  7. The clients need a trusted certificate. It is recommended to always specify both HTTPS and HTTPS Root Certificate(s) under System > Device > Device Settings > Remote Management > Advanced Settings.

    [Tip] Tip: Using ACME

    A simple method to get a trusted certificate for the OneConnect server is to use the built-in ACME support to obtain, for example, a Let's Encrypt™ or Buypass™ certificate without cost. See Section 3.9.6, ACME for more information.

A more detailed description of the cOS Core configuration objects is given next in Section 11.7.2, Configuring OneConnect VPN in cOS Core.

11.7.2. Configuring OneConnect VPN in cOS Core

Prerequisites

A valid and trusted certificate containing the domain name (either as the Common Name (CN) or as a Subject Alternative Name (SAN)) of the resolved IP/FQDN of the firewall to which the client connects must be installed as the HTTPS Certificate in the Remote Management > Advanced Settings section of cOS Core. In addition, it is advised that the full certificate chain is added.

[Note] Note: Valid and Trusted Certificate

Valid means that its date range matches the current date. For example, the Not Before is 2024-01-01, Not After is 2025-01-01 and the current date is 2024-04-25.

Trusted certificate means a digital certificate that is recognized and verified by the operating system as legitimate because it is issued by a Certificate Authority (CA) that is included in the device's list of trusted CAs.

Configuring OneConnect

To configure OneConnect VPN in cOS Core, a OneConnect VPN Interface object must be defined for each interface on which connections will be made. This object's key properties are the following:

General Options

  • Name

    A descriptive name for the object used for display in the cOS Core configuration.

  • Inner IP

    This is the local IPv4 address (IPv6 is not supported) on the firewall side within the OneConnect tunnel.

    All clients that connect to the OneConnect VPN Interface object are allocated an IP from the OneConnect VPN interface's IP Pool. All the IP pool addresses as well as this Inner IP address must belong to the same network.

    A private IP network should be used for the IP pool and the Inner IP address must not be one of the pool addresses.

[Tip] Tip: The tunnel's Inner IP address can be pinged

For troubleshooting purposes, an ICMP ping can be sent to the Inner IP address. In order for cOS Core to be able to respond, an IP policy must exist that allows traffic to flow from the OneConnect Interface object to the core interface (in other words, to cOS Core itself).

  • Outer Interface

    The interface on which to listen for connection attempts by OneConnect clients. This could be a physical Ethernet interface but it could also be another logical interface. For example, a PPPoE or VLAN interface could be used.

  • Server IP

    The Ethernet interface IP address on which to listen for connection attempts by OneConnect clients. This will typically be a public IPv4 or IPv6 address which will be initially accessed using a web browser across the Internet. The following should be noted about this IP:

    1. The Server IP must be specified and will not default to the IP of the Outer Interface.

    2. The Server IP cannot be an IP address which is ARP published on the interface. In order for OneConnect to work on ARP published IPs, a core route with an accompanying proxy ARP property must be used. This is done with the following steps:

      • Define a route with the Interface property set to core and the Network property set to the Server IP value.

      • Set the route's Proxy ARP property to the interfaces from which clients connect.

      Proxy ARP is explained further in Section 4.2.6, Proxy ARP. This topic along with using a secondary IP address is also discussed in an article in the Clavister Knowledge Base at the following link:

      https://kb.clavister.com/332435861

  • Hostname

    This is an optional property. If specified, the hostname used by the client must match the value specified; otherwise the firewall will not respond.

  • Server Port

    The TCP port number at the Server IP on which to listen for connection attempts by OneConnect clients. The default value is 443, which is the standard HTTPS port number.

  • DTLS Port

    The UDP port number used for DTLS communication with the client. The default value is 443, which is the standard port number.

Client Authentication

  • Authentication Source

    This specifies the authentication method for connecting clients. The options are:

    1. Authentication Rule - This requires that an Authentication Rule must also be created that triggers on the relevant traffic. The method of authentication is specified within the rule.

    2. RADIUS - This option requires that a predefined RADIUS Server object is also selected.

    3. LDAP - This option requires that a predefined LDAP Server object is also selected.

    4. Local - This option requires that a predefined Local Database within cOS Core is also selected.

Note that the RADIUS, LDAP and Local options in the above list are provided as a shortcut to creating a separate Authentication Rule. cOS Core will automatically create an Authentication Rule in the background with these options and this rule will be deleted if the OneConnect Interface is deleted.

Client IP Options

  • IP Pool

    As discussed previously for the Inner IP property, client IP addresses for new OneConnect client connections are handed out from a pool of private IPv4 addresses. This pool is specified by an IP address object defined in the cOS Core address book.

    The pool addresses do not need to be a contiguous range but must belong to the same network. The Inner IP property must also belong to this network but must not be one of the pool IPs.

  • Netmask

    A netmask must also be set for the IP pool to limit its size. The default netmask value is 255.255.255.0 (a class C /24 subnet).

  • Primary DNS

    The primary DNS address handed out to a connecting client.

  • Secondary DNS

    The secondary DNS address handed out to a connecting client.

  • Autoproxy URL

    This URL points to the location of a Proxy Auto-Configuration (PAC) file. The URL is delivered to a client in its DHCP lease using the Web Proxy Auto-Discovery (WPAD) mechanism. The PAC file defines a common proxy configuration policy for all client browsers connecting to this interface. An example URL for the file might be:

        https://server.example.com/proxy/proxy.pac

    Note the following:

    1. The web server hosting the PAC file must deliver it to the client browser with a MIME type of application/x-ns-proxy-autoconfig.

    2. The name of the PAC file should be wpad.dat when strictly following the WPAD convention but since DHCP is being used to send the URL to the client, it can be called anything. The name proxy.pac is the standard PAC naming convention.

    3. The client's browser must have the option enabled to use automatic proxy configuration. Note that with Firefox, the URL of the PAC file will still have to be entered manually after enabling the option. Most other browsers will fetch the PAC file automatically from the URL.

    A further description of WPAD and PAC file construction can be found in Wikipedia, starting at the following link:

    https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

  • DNS Suffix

    This option allows one or more suffixes to be specified for DNS resolution, which simplifies how resources are named in the client.

    Suppose the two DNS suffixes example1.com and example2.com are specified in the OneConnect Interface object. If the user now tries to connect to a resource called just server, the client will first try to resolve server.example1.com and, if that fails, it will try server.example2.com.

  • Client Routes

    This setting can specify that only specific IPv4 addresses, networks or address ranges will be accessible through the tunnel.

Add Route Option

  • Proxy ARP

    If OneConnect clients are to be reachable from a network connected to another Ethernet interface, client IP addresses need to be explicitly ARP published on that interface. By default, no addresses are ARP published.

    Selecting the Add Route tab in the Web Interface allows either specific interfaces to be chosen for ARP publishing or the alternative of always publishing on all interfaces. In most situations it will be necessary to choose at least one interface on which to publish the client network.

Specifying IP Policies for Tunnel Traffic Flow

No IP policies need to be specified for the setup of a OneConnect tunnel itself, provided that the advanced setting SSL VPN Before Rules is enabled (by default, it is). This setting is found in the Web Interface in Network > SSL and is shared across both OneConnect and non-OneConnect SSL VPN tunnels. However, appropriate IP policies will still need to be specified by the administrator to allow traffic to flow inside the tunnel between clients and networks.

Since connections originate from the client side, the OneConnect Interface object should be the source interface of the IP policy and the source network should be the range of possible IP addresses that the clients can be given (usually the IP pool). Specifying the source network as all-nets would work but it is always more secure to use the narrowest possible IP address range.

For more information about specifying IP policies see Section 3.6, IP Rule Sets.

There is an Upper Limit for the Number of All SSL VPN Clients

There is a default upper limit of 128 simultaneously connected SSL VPN clients and this total includes both SSL VPN Interface tunnels and OneConnect Interface tunnels across the entire system. This limit can be increased by the administrator to a maximum value of 10000 (within the limits of the license) and cannot have a value less than 10.

To change this value in the Web Interface, go to Network > OneConnect and select the Advanced Settings button. The property Max Sockets defines the maximum number of clients for the combined number of OneConnect and non-OneConnect SSL VPN tunnels.

Default SSL Certificate Replacement

OneConnect uses a default self-signed certificate for SSL. Replacing this is discussed in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/324735742

RADIUS Server Setup for Automatic Opening of URLs

One of the authentication sources that can be used for user authentication with OneConnect VPN connections is a RADIUS server. All the Clavister OneConnect clients have the ability to automatically open a specific URL in the default browser if the RADIUS server sends back the URL as part of the authentication exchange. cOS Core forwards this URL back to the client to achieve this.

In order for automatic URL opening to function, the administrator must configure the RADIUS server appropriately so it sends back the URL inside a RADIUS attribute during authentication. The RADIUS values to use for this are the following:

  • Vendor-ID - 5089

  • Vendor-assigned attribute number - 4

  • Attribute format - String

The behavior of the Clavister clients when they receive a URL is fixed and they will always attempt to open the URL in the default browser.
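The three values above describe a RADIUS Vendor-Specific Attribute (attribute type 26, RFC 2865): the Vendor-Id field carries 5089, the vendor sub-attribute type is 4 and its payload is the URL as a string. The following added example, written for this page and not taken from cOS Core, the OneConnect client or any RADIUS server, encodes such an attribute the way a RADIUS server would place it in an Access-Accept, extracts it again from a received attribute list, and builds the Access-Accept packet with its Response Authenticator so the relationship between the URL, the shared secret and the packet is visible. The URL, identifier, Request Authenticator and shared secret are constructed placeholders.

```python
"""RADIUS Vendor-Specific Attribute carrying the OneConnect "open URL" value.
Added example, not vendor code. All sample values are constructed."""
import hashlib
import struct

VSA_TYPE = 26                 # RFC 2865 attribute type: Vendor-Specific
CLAVISTER_VENDOR_ID = 5089    # Vendor-ID from the text
OPEN_URL_VENDOR_TYPE = 4      # vendor-assigned attribute number from the text
ACCESS_ACCEPT = 2             # RADIUS packet code


def encode_open_url_vsa(url):
    """Build the VSA bytes: Type, Length, Vendor-Id, Vendor-Type, Vendor-Length, String."""
    data = url.encode("utf-8")
    sub = struct.pack("!BB", OPEN_URL_VENDOR_TYPE, 2 + len(data)) + data
    if 6 + len(sub) > 255:    # the outer Length octet covers header + Vendor-Id + sub-attribute
        raise ValueError("URL too long for a single Vendor-Specific attribute")
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), CLAVISTER_VENDOR_ID) + sub


def decode_open_url_vsa(attrs):
    """Walk a RADIUS attribute list; return the URL if the Clavister VSA is present, else None.

    Malformed lengths raise rather than being skipped, since a receiver that
    silently resynchronises on bad lengths is a classic parsing weakness.
    """
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute list")
        if a_type == VSA_TYPE and a_len >= 8:
            (vendor_id,) = struct.unpack("!I", attrs[i + 2:i + 6])
            if vendor_id == CLAVISTER_VENDOR_ID:
                v_type, v_len = attrs[i + 6], attrs[i + 7]
                if v_type == OPEN_URL_VENDOR_TYPE and v_len >= 2 and 6 + v_len <= a_len:
                    return attrs[i + 8:i + 6 + v_len].decode("utf-8")
        i += a_len
    return None


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Assemble an Access-Accept; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865 section 3,
    which is what binds the attributes (and so the URL) to the shared secret.
    """
    length = 20 + len(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


# Constructed sample values
SAMPLE_URL = "https://sso.example.com/start"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"
# Framed-IP-Address (type 8) for 10.0.0.2 placed before the VSA, as a server might
SAMPLE_OTHER_ATTR = bytes([8, 6, 10, 0, 0, 2])

if __name__ == "__main__":
    attrs = SAMPLE_OTHER_ATTR + encode_open_url_vsa(SAMPLE_URL)
    packet = build_access_accept(7, SAMPLE_REQUEST_AUTH, attrs, SAMPLE_SECRET)
    print(len(packet), decode_open_url_vsa(packet[20:]))
```

The decoder ignores Vendor-Specific attributes from other vendors and other Clavister sub-attribute numbers, which is the behaviour RFC 2865 asks of receivers; the encoder refuses URLs that would not fit in the single-octet Length field rather than truncating them.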

This feature can be used for Single Sign On (SSO) access to different remote applications through a web browser using a suitable Identity Provider (IDP). For example, the PhenixID Authentication Server (PAS) can be used as the IDP. Setting up SSO in the PAS product is fully described in the separate documentation for that product.

One Time Password Support

One Time Password (OTP) support is provided by the OneConnect client and needs no special configuration in cOS Core. However, the authenticating RADIUS server will need to be correctly configured for this type of multi-factor authentication. This topic is discussed further in Section 10.7, Multi-Factor Authentication.

11.7.3. OneConnect Interface Setup Examples

This section provides examples of setting up the OneConnect Interface on the firewall side.

Example 11.27. Setting Up a OneConnect VPN Interface

This example shows how to set up a new OneConnect VPN interface called my_ocvpn_if. The following assumptions will be made:

  • The physical interface If2 is used to listen for client connections and this has an external IP address already defined in the address book called ocvpn_server_ip. Connections will be made from OneConnect clients to a server located on the network connected to the firewall's If3 Ethernet interface.

  • The IPv4 addresses that will be handed out to clients are defined by the address book object ocvpn_pool. For this example, this contains the simple address range 10.0.0.2-10.0.0.9.

  • Another address book IP object ocvpn_inner_ip is defined to be 10.0.0.1 and this will be the inner IP of the cOS Core end of the tunnel.

  • A Local User Database called my_oc_users already exists which contains the login credentials of users that will connect from a OneConnect client.

Command-Line Interface

Device:/> add Interface OpenConnInterface my_ocvpn_if
          InnerIP=ocvpn_inner_ip
          IPAddressPool=ocvpn_pool
          OuterInterface=If2
          ServerIP=ocvpn_server_ip
          AuthSource=Local
          LocalUserDB=my_oc_users
          ProxyARPInterfaces=If3

Note: If multiple Proxy ARP interfaces are needed, they are specified as a comma separated list. For example: If3,If4,If5.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Network > Interfaces and VPN > OneConnect > Add > OneConnect Interface
  2. Now enter:
    • Specify a suitable name, in this example my_ocvpn_if
    • Inner IP: ocvpn_inner_ip
    • Outer Interface: If2
    • Server IP: ocvpn_server_ip
    • Authentication Source: Local
    • Local User DB: my_oc_users
    • IP Pool: ocvpn_pool
  3. Click the tab Add Route
  4. Select the If3 interface in the Available list and press the ">>" button to move it into the Selected list
  5. Click OK

The changed cOS Core configuration should now be deployed.

For external client connections, a web browser should be directed to the Server IP of the interface my_ocvpn_if (in this example, the address ocvpn_server_ip).

Example 11.28. Setting OneConnect VPN Interface Client Routes

This example shows how to change the OneConnect interface called my_ocvpn_if so that the only route added to the routing table of clients is a route to the protected network protected_server_net which is already defined in the cOS Core address book.

Command-Line Interface

Device:/> set Interface OpenConnInterface my_ocvpn_if
          ClientRoutes=protected_server_net

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Network > Interfaces and VPN > OneConnect
  2. Select the tunnel called my_ocvpn_if
  3. Under Client Routes move the address object protected_server_net from Available to Selected.
  4. Click OK

11.7.4. OpenConnect Client Setup

There are various OpenConnect clients that can be used with the OneConnect Interface in cOS Core and it is not possible to describe setup for them all. However, some example setup procedures are discussed in a series of articles in the Clavister Knowledge Base, which can be found at https://kb.clavister.com.

Client setup procedures and issues are covered by the following articles in the knowledge base:

A. The Clavister OneConnect client (version 3 or later):

B. Third party clients:

[Important] Important: Client hostname must match certificate hostname

A specific requirement worth mentioning again with the OneConnect Interface is that the hostname value entered into the client must be the same as either the Common Name (CN) or one of the Subject Alternative Name (SAN) options in the certificate used by the cOS Core OneConnect Interface.
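The two certificate requirements this section states, validity (the current date inside the Not Before / Not After range, as in the Prerequisites of Section 11.7.2) and a CN or SAN matching the hostname the client enters (the note above), can be checked from any machine before users are told to connect. The following is an added example written for this page in Python using only the standard library; it is not cOS Core or OneConnect client code. SAMPLE_CERT is a constructed certificate description in the dictionary layout that ssl.SSLSocket.getpeercert() returns, and the hostnames in it are placeholders. The "trusted" requirement (a chain to a CA in the device's trust store) is delegated to ssl.create_default_context(), which refuses the connection before a certificate is returned if the chain does not verify.

```python
"""Pre-flight checks of an SSL VPN server certificate: date validity and
CN/SAN hostname match. Added example, not vendor code. Sample data constructed."""
import socket
import ssl
import time

# Constructed certificate in the layout returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def epoch(cert_time):
    """Seconds since the epoch for the 'Mon DD HH:MM:SS YYYY GMT' strings in getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def cert_is_valid(cert, now=None):
    """'Valid' in the text's sense: the current date lies inside Not Before .. Not After."""
    now = time.time() if now is None else now
    return epoch(cert["notBefore"]) <= now <= epoch(cert["notAfter"])


def cert_dns_names(cert):
    """Collect SAN DNS entries plus the subject CN, the two places the text allows."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label matching exactly one hostname label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and bool(tail) and tail == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def check_cert(cert, hostname, now=None):
    """Return a list of problems; empty means the certificate satisfies both requirements."""
    problems = []
    if not cert_is_valid(cert, now):
        problems.append("date range does not cover the current date")
    if not hostname_matches(cert, hostname):
        problems.append(f"neither CN nor any SAN matches {hostname}")
    return problems


def fetch_server_cert(hostname, port=443):
    """Connect as a client would. The default context requires a chain to a trusted
    CA and checks the hostname; ssl.SSLCertVerificationError is raised on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed certificate, dated as in the text's example
    print(check_cert(SAMPLE_CERT, "vpn.example.com", epoch("Apr 25 12:00:00 2024 GMT")))
```

Against a live firewall, replace SAMPLE_CERT with fetch_server_cert(hostname) and pass the same hostname users will type into the client; because the default context already rejects untrusted chains and mismatched names, reaching check_cert with a returned certificate means the remaining useful output is the explicit date-range result and the list of names the certificate actually carries.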