VPN Connections

VPN Connection

To reach the enterprise's local network behind SafeUTM from outside (from home, a hotel, or another office), connect from the remote machine (a computer or mobile device) to the SafeUTM server via VPN.

For client-to-site VPN, our server supports four tunneling protocols: IKEv2, SSTP, L2TP/IPsec, and PPTP.

For security reasons, using the PPTP protocol is not recommended: it is kept only for compatibility with outdated operating systems and equipment, and for authorization within a local network where strong traffic encryption is not required.

IKEv2 protocol is recommended in terms of speed and security.

You can use the user's personal account to distribute instructions for creating VPN connections to users.

Authorization by PPTP

Do not use this type of connection. This connection method is EXTREMELY insecure and has been left solely for compatibility with older solutions. Use IPsec-IKEv2.

Authorization by PPTP protocol involves authorization via a secure network tunnel between the user’s network device and the SafeUTM internet gateway.

Upon successful authorization and establishment of the tunnel, the network device is automatically assigned an additional IP address through which it accesses internet resources. PPTP authorization does not affect the device's ability to access LAN resources in any way.


Configuring SafeUTM Global Settings

To set up authorization by PPTP protocol you need to perform the following actions:

  1. Go to Users -> VPN connections.
  2. Select PPTP Authorization and click Save.
    1. Authorization by PPTP.png

You can edit your login and password in the tab Users -> User & Group upon selection of a necessary user.
2. Authorization by PPTP.png

The user is assigned an IP address automatically from the pool of addresses for VPN configured in the section Users -> VPN connections (for example, 10.128.0.0/16).

In order to set up a static binding of addresses issued via VPN to certain users, go to Users -> VPN connections -> Fixed VPN IP Addresses, click "+ Add" and specify the intended user and IP address. An example of a fixed VPN IP address can be seen below:
3. Authorization by PPTP.png

When connecting from the internet, we recommend using IPsec IKEv2, L2TP/IPsec, or SSTP for more reliable traffic encryption.


Configuring Users in SafeUTM

Allow the user to connect via VPN from the Internet by checking in the user settings (Users -> User & Group -> General tab) in the box Allow remote access via VPN.


Possible Problems

If a VPN connection is established but it is not possible to access local network resources

Follow the recommendations in the article Features of Routing and Access Organization.

Authorization by PPPoE

Authorization by PPPoE protocol involves authorization via a secure network tunnel between the user's network device and the SafeUTM server. A login/password pair is used for user authorization. With this type of authorization, the workstation does not need a statically assigned IP address, because an IP address is assigned automatically upon successful authorization and creation of the secure network tunnel.

To set up authorization by PPPoE protocol you need to perform the following actions:

  1. Go to Users -> VPN connections.
  2. Select PPPoE Authorization and click Save.
    1. Authorization by PPPoE.png

You can edit your login and password in the tab Users -> User & Group upon selection of a necessary user.
2. Authorization by PPPoE.png

The user is assigned an IP address automatically from the pool of addresses for VPN configured in the section Users -> VPN connections (for example, 10.128.0.0/16).

In order to set up a static binding of addresses issued via VPN to certain users, go to Users -> VPN connections -> Fixed VPN IP Addresses, click "+ Add" and specify the intended user and IP address. An example of a fixed VPN IP address can be seen below:
3. Authorization by PPPoE.png

Authorization by PPPoE is possible only within the same Ethernet segment as the SafeUTM local interfaces.

IPSec IKEv2

This VPN protocol is preferable and recommended for all usage scenarios.
Instructions for setting up VPN connections on different operating systems are available here.


Setting up VPN Server in SafeUTM

  1. To enable authorization by IKEv2, check the box Connection via IKEv2/IPsec in the web interface section Users -> VPN connections.
  2. Routes to your local networks are pushed to clients automatically. To control which networks clients may reach, use the Firewall.
  3. Connection is possible only by domain name (not by IP address), so you need a DNS name that resolves to the IP address of the SafeUTM external interface. Specify this DNS name in the Domain field; a Let's Encrypt certificate must be issued for it.
    1. IPSec IKEv2.png
  4. For users who need to connect from outside via VPN, check the box Allow remote access via VPN in the user tree. The username and password specified there will be used to connect.

IPsec IKEv2 Support in Client OS

SSTP

SSTP (Secure Socket Tunneling Protocol) is a secure tunneling protocol based on SSL/TLS. It is supported by Windows Vista and later, as well as by MikroTik and Keenetic routers, among others.


If possible, do not use this type of connection. It passes through NAT better than the others, but over an unstable link it performs much worse than other VPNs (especially for audio/video), because it encapsulates all data inside TCP. Use IPsec IKEv2 instead of SSTP.
SafeUTM does not support MikroTik connections over SSTP, because MikroTik uses the old and insecure SHA-1 algorithm.


Setting up SafeUTM

It is not recommended to use SSTP for VPN connections from the local network.

1. To enable SSTP, check the box SSTP connection in the web interface in Users -> VPN connections.
2. Connection is possible only by DNS name, so the IP address of the SafeUTM external interface should resolve to one of the names in your external domain zone. In the Domain field, specify this DNS name (use the real name with the correct A record, because it is needed for issuing a Let's Encrypt certificate).
3. Port: select one of the suggested ports (1443, 2443, 3443, 4443).
1. SSTP.png
4. For users who need to connect from outside via VPN, check the box Allow remote access via VPN in the user tree. The specified username and password will be used for the connection.
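The client side of the IKEv2 and SSTP setups above, as an added example (this is not one of the scripts SafeUTM generates in the personal account). It assumes the Domain field holds the placeholder name vpn.example.com, that SSTP was set to port 2443, that the client's IPsec proposal is pinned to AES-256-GCM/SHA-256/DH group 14 (the server must offer matching algorithms), and that a non-default SSTP port can be given as host:port in the server address.

```powershell
# Added example, not a SafeUTM-generated script. Creates the client-side connection
# for the IKEv2 or SSTP server configured above.
# Assumptions (placeholders): Domain field = vpn.example.com, SSTP port = 2443.
# -ServerAddress must be the DNS name, never the IP address, because the
# Let's Encrypt certificate is issued for that name.
param(
    [ValidateSet('IKEv2', 'SSTP')]
    [string]$Protocol = 'IKEv2',
    [string]$Server   = 'vpn.example.com',
    [int]$SstpPort    = 2443,
    [string]$Name
)
if (-not $Name) { $Name = "SafeUTM ($Protocol)" }

# Make the script repeatable: drop a stale connection with the same name.
if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $Name -Force
}

$common = @{
    Name                 = $Name
    AuthenticationMethod = 'MSChapv2'   # username/password from the SafeUTM user tree
    EncryptionLevel      = 'Required'   # never fall back to an unencrypted tunnel
    RememberCredential   = $false       # do not cache the VPN password on the workstation
    SplitTunneling       = $false       # all traffic via SafeUTM (see the routing section for split tunnel)
    Force                = $true
}

switch ($Protocol) {
    'IKEv2' {
        Add-VpnConnection @common -ServerAddress $Server -TunnelType 'Ikev2'
        # Pin the client's IPsec proposal to AES-256-GCM / SHA-256 / 2048-bit DH so it
        # cannot be negotiated down to 3DES or SHA-1. The server must offer matching
        # algorithms; if the connection fails after this step, compare with SafeUTM's.
        Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
            -AuthenticationTransformConstants GCMAES256 `
            -CipherTransformConstants        GCMAES256 `
            -EncryptionMethod                AES256 `
            -IntegrityCheckMethod            SHA256 `
            -DHGroup                         Group14 `
            -PfsGroup                        PFS2048 `
            -Force
    }
    'SSTP' {
        # Assumption: a non-default SSTP port is given as host:port in the server address.
        Add-VpnConnection @common -ServerAddress "${Server}:${SstpPort}" -TunnelType 'Sstp'
    }
}

# Show what was created so the settings can be checked before the first connection.
Get-VpnConnection -Name $Name |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

Run it as the user who will connect (for example `.\New-SafeUtmVpn.ps1 -Protocol SSTP -SstpPort 2443`); the pinned IPsec settings switch the connection's EncryptionLevel to Custom, which is expected.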

VPN setup instructions for different operating systems can be found here.


If a VPN connection is established but it is not possible to access local network resources

Follow the recommendations in the article Features of Routing and Access Organization.

L2TP IPSec


If possible, do not use this type of connection. It can be unstable, adds considerable overhead, has low performance, and does not support the strongest encryption. IPsec IKEv2 is recommended instead.
All modern operating systems support IKEv2 natively or through available applications.


Configuring SafeUTM Global Settings

1. Go to Users -> VPN connections.
2. Check the box L2TP/IPsec Connection.
3. Enter the secret phrase (PSK key).
4. Click on Save.
1. L2TP IPSec.png


Configuring Users in SafeUTM

Allow the user to connect via VPN from the Internet by checking in the user settings (Users -> User & Group -> General tab) in the box Allow remote access via VPN.

L2TP/IPsec clients behind the same NAT may experience connectivity issues when more than one client connects. Instructions can help solve the problem. We recommend using IKEv2/IPsec instead of L2TP/IPsec.


If a VPN connection is established, but you cannot access local network resources

Follow the recommendations in the article Features of Routing and Access Organization.

User's Personal Account


To quickly configure user connections, you can enable access to the SafeUTM web interface.

In the personal account, which is accessed with SafeUTM account credentials (local, or domain ones when integrated with Active Directory), users can download ready-made PowerShell scripts that create the VPN connections, along with a link to instructions for setting up a VPN and running the scripts.

You can enable access from the Internet to the personal account and the SafeUTM administration web interface in the section Server Management -> Administrators by enabling the setting Access to the web interface from external network. Once the parameter is enabled, the personal account and the web administration interface are reachable at the IP address of the SafeUTM external interface.

If the external IP address of SafeUTM is not included in the "white" networks, you need to forward port 8443 on the upstream device.

1. User's Personal Account.png

When logging in under a user account (including those imported from Active Directory), it will be possible to download scripts for creating VPN connections and a link to instructions for their implementation.

Users will also be able to remotely administer the SafeUTM server.

Features of Routing and Access Organization


If VPN is required only to access local network resources

If Internet traffic should go directly through your provider and the VPN should be used only to reach corporate network resources from the computers connected via VPN, configure the following settings.
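The client-side configuration for this scenario on Windows, as an added example (not the page's own settings or a SafeUTM-generated script). It assumes a connection named SafeUTM (IKEv2) already exists and that the corporate LAN behind SafeUTM is the placeholder 192.168.10.0/24; with IKEv2 SafeUTM pushes routes automatically, so the explicit routes here matter when that does not happen or for SSTP/L2TP clients.

```powershell
# Added example, not from the SafeUTM page or its generated scripts. Run on the Windows
# client. Switches an existing connection to split tunneling (the default route stays
# with the provider) and adds explicit routes for the corporate networks only.
# Assumptions (placeholders): connection 'SafeUTM (IKEv2)' exists; corporate LAN is 192.168.10.0/24.
$ConnectionName = 'SafeUTM (IKEv2)'
$CorporateNets  = @('192.168.10.0/24')

# Fail early if the connection does not exist.
$null = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# Split tunnel: only destinations with a route through the VPN interface use it;
# everything else, including the default route, keeps going through the provider.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -Force

# Add one route per corporate network (idempotent: skip prefixes already present).
$existing = Get-VpnConnectionRoute -ConnectionName $ConnectionName -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DestinationPrefix
foreach ($net in $CorporateNets) {
    if ($net -notin $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $net
    }
}

# Checks a practitioner wants after connecting:
#  - the VPN connection should carry only the corporate prefixes, not 0.0.0.0/0;
#  - the system default route should still point at the provider's interface.
Get-VpnConnectionRoute -ConnectionName $ConnectionName | Format-Table DestinationPrefix, RouteMetric
Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Format-Table InterfaceAlias, NextHop, RouteMetric
```

If the default route listed at the end names the VPN interface, split tunneling did not take effect and all Internet traffic is still going through SafeUTM.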


If it is not possible to access computers in the local SafeUTM network

Enable access to files and printers for the All Networks and Private Networks profiles.

You can do this in PowerShell (run with administrator rights) with the command: Enable-NetFirewallRule -Group "@FirewallAPI.dll,-28502"
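The same firewall change with the scoping and verification a practitioner would want, as an added example that is not from the SafeUTM page. It runs elevated on the LAN computer that VPN clients cannot reach, enables the same "File and Printer Sharing" rule group as the command above, and then narrows those inbound rules to the local subnet plus the VPN pool; it assumes the pool is 10.128.0.0/16 as in the page's example.

```powershell
# Added example, not from the SafeUTM page. Run elevated on the LAN computer that VPN
# clients cannot reach. Enables the "File and Printer Sharing" rule group exactly as the
# page's one-liner does, then limits those inbound rules to the local subnet plus the
# SafeUTM VPN pool instead of leaving them open to any remote address.
# Assumption: the VPN pool is 10.128.0.0/16 as in the page's example; adjust to yours.
$Group   = '@FirewallAPI.dll,-28502'   # indirect (localized) name of the File and Printer Sharing group
$VpnPool = '10.128.0.0/16'

# Same effect as the command on the page: enable every rule in the group, all profiles.
Enable-NetFirewallRule -Group $Group

# Hardening (added): SMB (445) and the printer-related ports should be reachable only
# from the local subnet and from VPN clients, even on the "All Networks" profile.
Get-NetFirewallRule -Group $Group -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress @('LocalSubnet', $VpnPool)

# Verify: each inbound rule with its profile, state and remote-address scope.
Get-NetFirewallRule -Group $Group -Direction Inbound | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Profile = $_.Profile
        Enabled = $_.Enabled
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize

# From a connected VPN client, a quick reachability test (replace the host name):
#   Test-NetConnection -ComputerName lan-pc.example.local -CommonTCPPort SMB
```

If the VPN pool in Users -> VPN connections is changed later, the RemoteAddress scope on these rules has to be updated too, otherwise clients from the new pool will be blocked again.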

Instructions for running PowerShell scripts

Use ready-made scripts downloaded from your server to create a VPN connection in Windows versions 8.1 and 10.


If you are using Windows 7, you must create the connection manually (see Manually create user-side VPN connections).


Which VPN protocol should I choose?

With several options for possible VPN connections, choose protocols according to the following criteria:

  1. IKEv2/IPsec is the best protocol in terms of performance and connection reliability.
  2. SSTP is a protocol based on TCP and SSL. Choose it if an IKEv2 connection cannot pass through your provider's network.
  3. L2TP/IPsec is reliable in terms of encryption, but not optimal in terms of speed and performance.

How do I run a PowerShell script?

1. Download the script from SafeUTM:

2. Right-click on the downloaded file and select Properties from the context menu.
2. Instructions for running PowerShell scripts.png

3. Check the box Unblock in the lower right corner of the file properties (by default, the OS blocks execution of files downloaded from the Internet).
3. Instructions for running PowerShell scripts.png

4. Right-click on the file again and select Run in PowerShell in the context menu.
4. Instructions for running PowerShell scripts.png

If the error "Script execution is disabled on this system" appears, you need to enable script execution by running the command in PowerShell (call it up from the Start menu): Set-ExecutionPolicy Unrestricted

5. Answer Yes to the question about making changes to your computer.

6. The connection is created. Click Connect in the list of your networks.
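Steps 2 to 6 of the procedure above carried out from a PowerShell window, as an added example that is not SafeUTM's own script. It assumes the downloaded script was saved as Downloads\SafeUTM-VPN.ps1 (placeholder name) and that it creates a connection named SafeUTM (IKEv2); it also shows the scoped alternative to the page's Set-ExecutionPolicy Unrestricted, which loosens the policy for the current process only.

```powershell
# Added example, not SafeUTM's script. Unblocks, inspects and runs a downloaded
# connection script, with the checks worth doing before executing anything from a browser download.
# Assumptions (placeholders): script saved as Downloads\SafeUTM-VPN.ps1; it creates 'SafeUTM (IKEv2)'.
$ScriptPath = Join-Path $env:USERPROFILE 'Downloads\SafeUTM-VPN.ps1'

# 1. Why the OS blocks it: downloads carry a Zone.Identifier stream (ZoneId=3 = Internet).
#    Unblock-File removes that stream; it is what the "Unblock" checkbox in Properties does.
$zone = Get-Content -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host "Mark of the Web present:`n$($zone -join "`n")"
    Unblock-File -Path $ScriptPath
}

# 2. Read before running: a connection script should only call the VPN cmdlets.
#    Any other command it invokes deserves a second look before step 4.
$expected = 'Add-VpnConnection', 'Set-VpnConnectionIPsecConfiguration',
            'Set-VpnConnection', 'Add-VpnConnectionRoute', 'Remove-VpnConnection', 'Get-VpnConnection'
$cmds = [System.Management.Automation.PSParser]::Tokenize((Get-Content -Path $ScriptPath -Raw), [ref]$null) |
        Where-Object { $_.Type -eq 'Command' } |
        Select-Object -ExpandProperty Content -Unique
$cmds | ForEach-Object {
    '{0,-40} {1}' -f $_, $(if ($_ -in $expected) { 'expected' } else { 'REVIEW' })
}

# 3. Execution policy: instead of loosening it machine-wide with
#    "Set-ExecutionPolicy Unrestricted" (the page's command), loosen it for this
#    process only; it reverts when the window closes and no other script benefits.
Get-ExecutionPolicy -List
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 4. Run the script (it may prompt for elevation, the "Yes" of step 5), then connect.
#    rasdial is the command-line equivalent of "Connect" in the network list;
#    '*' makes it prompt for the password instead of taking it from the command line.
& $ScriptPath
rasdial 'SafeUTM (IKEv2)' $env:USERNAME '*'
```

The token listing in step 2 is a cheap review aid, not a sandbox: it shows which commands a script calls, so a script that claims to create a VPN connection but also invokes, say, Invoke-WebRequest or Start-Process stands out before it runs.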


What should I do if I can't run the script?

You may not have sufficient rights to run scripts, or PowerShell may not be installed on the system.

Use the instructions for creating a connection in Windows 10 and Windows 7.