6. Instructions and Troubleshooting

Instructions for Creating VPN Connections

Instructions for Creating VPN connection in Ubuntu

Before setting up a VPN connection, open the desired user’s card in the user tree and check the box Allow remote access via VPN. To do this, go to Users -> User & Group:



PPTP Protocol

Before creating a connection in Ubuntu, go to SafeUTM, Users -> VPN connections, and check the box PPTP Connection:

Creating a connection in Ubuntu

1. Go to Settings -> Networks and in the VPN line, click (+):

2. In the connection creation window, select Point-to-Point Tunnel Protocol (PPTP):

3. In the Identification section fill in the following fields:

We recommend that you click Advanced and check the following:

4. Click OK and Add.
5. Set the switch of the created VPN connection to the Enabled position:


IKEv2/IPsec Protocol

Before creating a connection in Ubuntu, configure SafeUTM:

1. Go to Users -> VPN connections.
2. Check the box IKEv2/IPsec Connection and fill in the Domain fields:

3. Download the root certificate from Services -> TLS Certificates:

The root certificate will be required to configure the connection of the user's workstation if the root certificate was not obtained via Let’s Encrypt. If necessary, transfer the certificate file to the workstation.

If a certificate issued by Let's Encrypt is used for a VPN connection, then installing a root certificate on the device is not required.

Creating a connection in Ubuntu

1. Open the terminal with the keyboard shortcut Ctrl+Alt+F1 and run the command: sudo apt install -y network-manager-strongswan libcharon-extra-plugins libstrongswan-extra-plugins
2. After the installation is complete, restart the computer: sudo reboot
3. Go to Settings -> Networks and in the VPN line, click (+):

4. In the window that opens, select IPsec\IKEv2 (strongswan):

5. In Identification fill in the following fields:

Check the box Request an inner IP address and click Add:

6. Set the switch of the created VPN connection to the Enabled position.


SSTP Protocol

Before creating a connection in Ubuntu, configure SafeUTM:

1. Go to Users -> VPN connections.
2. Check the box SSTP Connection and fill in Domain and Port fields:

Creating a connection in Ubuntu

1. Open the terminal with the keyboard shortcut Ctrl+Alt+F1 and run two commands:

sudo apt-add-repository ppa:eivnaes/network-manager-sstp
sudo apt install -y network-manager-sstp sstp-client

2. After the installation is complete, restart the computer: sudo reboot
3. Having installed the packages, go to Settings -> Networks, and in the VPN line, click (+):

4. In the window that opens, select Point-to-Point Tunnel Protocol (SSTP):

5. In Identification fill in the following fields:

We recommend that you click Advanced and check the following:

6. Click Add and set the switch of the created VPN connection to the Enabled position:


L2TP/IPsec Protocol

Important: If more than one L2TP/IPsec client is behind the same NAT, the clients may experience connectivity issues. We recommend using IKEv2/IPsec instead of L2TP/IPsec.

Before creating a connection, configure SafeUTM:

1. Go to Users -> VPN connections.
2. Check the box L2TP/IPsec Connection and copy the PSK key:

Creating a connection in Ubuntu

1. Connect the repository that contains the necessary packages to create an L2TP VPN connection, and then update the information about the repositories. To do this, run the following commands:

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt update

2. Install the add-on to the standard NetworkManager using two packages: sudo apt install -y network-manager-l2tp network-manager-l2tp-gnome
3. After the installation is complete, restart the computer: sudo reboot
4. Having installed the packages, go to Settings -> Networks and in the VPN line, click (+):

5. In the VPN connection creation window, select Layer 2 Tunneling Protocol (L2TP):

6. In the Identification tab, fill in the following fields:

7. Go to IPsec settings and enable IPsec tunnel to L2TP host to activate the ability to configure other parameters:

The section Advanced is optional.

Having finished configuring L2TP IPsec Options, click OK.

8. If necessary, go to PPP settings and configure Authentication, Encryption and Compression, and Other:

After setting up the PPP parameters, click OK and Apply.

9. Set the switch of the created VPN connection to the Enabled position:

Automatic Connection Creation

Before configuring a VPN connection, in the user tree, open the card of the required user and set the Allow remote access via VPN flag. To do this, go to the Users -> User & Group section:



L2TP/IPsec Protocol

Important: If more than one L2TP/IPsec client is behind the same NAT, the clients may experience connectivity issues. Instructions can help solve the problem. We recommend using IKEv2/IPsec instead of L2TP/IPsec.

You can run the following PowerShell script to automatically create a connection on users' computers running Windows 8.1 and 10. To do this, download the ready-made scripts for connecting your server from Users -> VPN connections.

The connection will be created with the following parameters:

  1. L2TP/IPsec protocol using a PSK key.
  2. The parameter Use the primary gateway in the remote network is disabled.
    By default in Windows 7 and 10, LANs of the same class as the address obtained for the VPN connection are accessed via the VPN connection, so you do not need to create additional routes (unless you use different network classes in the office LAN).

Create a file named safe_utm_l2tp.ps1 (in Notepad or Windows PowerShell ISE Editor) and copy the following text into it:

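param([switch]$Elevated)
# Check whether the script is already running with administrator rights.
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
if (!$currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator))  {
  # Not elevated: relaunch this script once through the elevation dialog, then exit this instance.
  if (!$Elevated) {
    Start-Process `
            powershell.exe `
            -Verb RunAs `
            -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ( $myinvocation.MyCommand.Definition ))
  }
  exit
}
# Enable the "File and Printer Sharing" firewall rule group.
Enable-NetFirewallRule -Group "@FirewallAPI.dll,-28502"
# Create the VPN connection.
Add-VpnConnection `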
    -Force `
    -Name "SafeUTM L2TP VPN" `
    -TunnelType L2TP `
    -ServerAddress my.domain.com `
    -L2tpPsk "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" `
    -EncryptionLevel "Required" `
    -AuthenticationMethod MSChapV2 `
    -SplitTunneling $False `
    -DnsSuffix activedirectory.domain `
    -RememberCredential

Change the necessary parameters in it to match your settings:

You can run the script on the user's computer from the file context menu "Run with PowerShell". Click OK in the elevation dialog (the rights are required to allow access to shared files and printers).

After that, a connection will be created in the system and shared access to files and printers for all networks will be enabled (otherwise access to file resources in the local network may not be possible).

The user must enter their username/password at the first authorization.

Possible errors when executing the script

If the error "Script execution is disabled on this system" appears, you need to enable script execution by running the following command in PowerShell: Set-ExecutionPolicy Unrestricted


SSTP Protocol

You can run the following PowerShell script to automatically create a connection on users' computers running Windows 8.1 and 10. To do this, download the ready-made script from Users -> VPN connections.

The connection will be created with the following parameters:

  1. SSTP protocol using the PSK key.
  2. The parameter Use the primary gateway in the remote network is disabled.
    By default in Windows 7 and 10, LANs of the same class as the address obtained for the VPN connection are accessed via the VPN connection, so you do not need to create additional routes (unless you use different network classes in the office LAN).

Create a text file named safe_utm_sstp.ps1 (in Notepad or Windows PowerShell ISE editor) and copy the following text there:

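param([switch]$Elevated)
# Check whether the script is already running with administrator rights.
$currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent())
if (!$currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator))  {
  # Not elevated: relaunch this script once through the elevation dialog, then exit this instance.
  if (!$Elevated) {
    Start-Process `
            powershell.exe `
            -Verb RunAs `
            -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ( $myinvocation.MyCommand.Definition ))
  }
  exit
}
# Enable the "File and Printer Sharing" firewall rule group.
Enable-NetFirewallRule -Group "@FirewallAPI.dll,-28502"
# Create the VPN connection.
Add-VpnConnection `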
    -Force `
    -Name "SafeUTM SSTP VPN" `
    -TunnelType SSTP `
    -ServerAddress my.domain.com:4443 `
    -EncryptionLevel "Required" `
    -AuthenticationMethod MSChapV2 `
    -SplitTunneling $False `
    -DnsSuffix activedirectory.domain `
    -RememberCredential

Change the necessary parameters in it to match your settings:

  1. SafeUTM SSTP VPN – the connection name in the system (can be arbitrary).
  2. my.domain.com:4443 – SafeUTM external interface domain and the port on which you enabled SSTP.
  3. activedirectory.domain – your Active Directory domain (if there is no domain, you need to delete this line from the script).

You can run the script on the user's computer from the file context menu "Run with PowerShell". Click OK in the elevation dialog (the rights are required to allow access to shared files and printers).

After that, a connection will be created in the system and shared access to files and printers for all networks will be enabled (otherwise access to file resources in the local network may not be possible).

The user must enter their username/password at the first authorization.

Possible errors when executing the script

If the error "Script execution is disabled on this system" appears, you need to enable script execution by running the following command in PowerShell: Set-ExecutionPolicy Unrestricted
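
To confirm what the L2TP/IPsec and SSTP scripts above actually created on a workstation, the following read-only check can be run afterwards. It is an added example, not part of the SafeUTM scripts; the function name Test-SafeUtmVpnProfile is hypothetical, and the expected values are copied from the Add-VpnConnection calls on this page.

```powershell
# Added example (not part of the SafeUTM scripts): read-only audit of the
# profiles created above. Expected values mirror the Add-VpnConnection calls.
$specs = @(
    @{ Name = 'SafeUTM L2TP VPN'; TunnelType = 'L2tp'; L2tpIPsecAuth = 'Psk' },
    @{ Name = 'SafeUTM SSTP VPN'; TunnelType = 'Sstp' }
)

function Test-SafeUtmVpnProfile {
    param([Parameter(Mandatory)][hashtable]$Spec)

    # Without -AllUserConnection the profile lives in the phone book of the
    # account that ran the script; if elevation used a different administrator
    # account, the profile is reported as missing here.
    $vpn = Get-VpnConnection -Name $Spec.Name -ErrorAction SilentlyContinue
    if (-not $vpn) {
        return [pscustomobject]@{ Profile = $Spec.Name; Setting = 'Profile'
                                  Expected = 'present'; Actual = 'missing'; Ok = $false }
    }

    $want = [ordered]@{
        TunnelType           = $Spec.TunnelType
        EncryptionLevel      = 'Required'
        AuthenticationMethod = 'MsChapv2'
    }
    if ($Spec.L2tpIPsecAuth) { $want['L2tpIPsecAuth'] = $Spec.L2tpIPsecAuth }

    foreach ($setting in $want.Keys) {
        $actual = $vpn.$setting -join ','   # AuthenticationMethod is an array
        [pscustomobject]@{ Profile = $vpn.Name; Setting = $setting
                           Expected = $want[$setting]; Actual = $actual
                           Ok = ($actual -eq $want[$setting]) }
    }
    # Site-specific values: reported for review, not judged.
    foreach ($setting in 'ServerAddress', 'SplitTunneling', 'DnsSuffix', 'RememberCredential') {
        [pscustomobject]@{ Profile = $vpn.Name; Setting = $setting
                           Expected = '(review)'; Actual = "$($vpn.$setting)"; Ok = $null }
    }
}

$specs | ForEach-Object { Test-SafeUtmVpnProfile -Spec $_ } | Format-Table -AutoSize

# The scripts enable the "File and Printer Sharing" rule group
# (@FirewallAPI.dll,-28502); count the enabled inbound rules per firewall profile.
Get-NetFirewallRule -Group '@FirewallAPI.dll,-28502' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Group-Object Profile | Select-Object Name, Count
```

Rows with Ok = False mean the profile differs from what the script requested. The (review) rows, SplitTunneling in particular, show how the connection will actually route traffic.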


IPsec IKEv2 Protocol

You can run a PowerShell script to automatically create a connection on users' computers running Windows 8.1 and 10. To do this, download the ready-made script from Users -> VPN connections.

The connection using the script will be created with the following parameters:

  1. IKEv2/IPsec Protocol
  2. The parameter Use the primary gateway in the remote network is disabled. LANs of the same class that was obtained for the default VPN connection in Windows 7 and 10 will be accessed via a VPN connection, so you do not need to create additional routes (unless you use different network class