Description:

This document describes how to set up a VPN-SSL connection with the OpenVPN Client from an iOS smartphone or tablet to a LANCOM R&S®Unified Firewall (referred to here as the Unified Firewall).


Requirements:

  • Existing installation on a LANCOM R&S®Unified Firewall
  • OpenVPN Client
  • Apple iOS
  • A configured and functional Internet connection on the Unified Firewall
  • Web browser for configuring the Unified Firewall.

    The following browsers are supported:
    • Google Chrome
    • Chromium


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants its sales representatives to have access to the corporate network via a VPN-SSL client-to-site connection.
  • The iOS smartphones used by the sales representatives have the OpenVPN Client installed on them.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.

Diagram showing a VPN SSL connection configuration through the Unified Firewall, linking the LAN at the headquarters to the Internet.

 
2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants its sales representatives to have access to the corporate network via a VPN-SSL client-to-site connection.
  • The iOS smartphones used by the sales representatives have the OpenVPN Client installed on them.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.

This scenario also includes the “parallel” solution as described in this article.

Image showing a network diagram with components labeled as Public IP address, Unified Firewall, VPN SSL connection, Router, Internet, and LAN Headquarters.


Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port forwarding to be set up on the upstream router (see section 3).

1.) Configuration steps on the Unified Firewall:

1.1) Connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate.

Image showing a configuration screen of a security system interface with options for firewall settings, certificates, user authentication, and proxy CAs.

1.2) Enter the following parameters in order to create a CA:

  • Certificate type: Select Certificate.
  • Template: Select the template Certificate Authority.
  • Common Name (CN): Enter a descriptive common name.
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high.
  • Encryption Algorithm: From the drop-down menu, select RSA.
  • Key size: Set the value in the drop-down menu to 4096.

1.3) Create another certificate by clicking on the “+” icon.

1.4) Store the following parameters in order to create a VPN certificate, which is used to authenticate VPN clients at the Unified Firewall:

  • Certificate type: Select Certificate.
  • Template: Select the template Certificate Authority.
  • Common Name (CN): Enter a descriptive common name.
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • CA password: Enter the private key password set in step 1.2.

Image of a configuration dialog for SSL VPN user certificates showing options for certificate type, common name, and private key settings, with some options marked as deprecated.

1.5) Create another certificate by clicking on the “+” icon.

1.6) Store the following parameters in order to create a VPN certificate, which is used to authenticate a particular employee or VPN client:

  • Certificate type: Select Certificate.
  • Template: Select the template Certificate Authority.
  • Common Name (CN): Enter a descriptive common name.
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high.
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • CA password: Enter the private key password set in step 1.2.

The image displays a technical configuration menu for SSL VPN employee certificates, showing options for certificate type, private key settings, and validity parameters.

1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.

Image showing a technical VPN configuration menu with various options such as 'VPN Connections', 'Monitoring Statistics', and 'VPN SSL Settings'.

1.8) Enable the VPN SSL service and enter the following parameters:

  • Host certificate: From the drop-down menu, select the VPN certificate created in step 1.4.
  • Private Key Password: Enter the private key password of the VPN certificate entered in step 1.4.
  • Routes: Enter the networks that the VPN client should communicate with, in CIDR notation (Classless Inter-Domain Routing). These routes are shared with all of the VPN SSL clients.
  • Protocol: Make sure that the option UDP is selected. If TCP is used for the VPN SSL tunnel and data is transferred via TCP within the tunnel, this could lead to a "TCP meltdown".
  • Encryption algorithm: From the drop-down menu, select AES256.

Optionally you can enter a DNS and/or WINS server, which are assigned to all VPN SSL clients.

If necessary, you can change the Port.

The Address Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range must not already be in use as an internal network in the Unified Firewall.

Image showing a VPN SSL settings interface with options for host certificate, private key, password, DNS settings, and encryption protocols, indicating various network configurations such as client-to-site and site-to-site bridging.

1.9) Change to the menu VPN → VPN SSL → VPN SSL Connections and click on the “+” icon to create a new VPN SSL connection.

An image showing a technical user interface with options for Firewall settings, VPN Connections, monitoring and statistics, including various VPN types such as IPsec and VPN SSL, and their status and configuration settings.

1.10) Enable the VPN connection and enter the following parameters:

  • Name: Enter a descriptive name.
  • Certificate: From the drop-down menu, select the VPN certificate for the employees created in step 1.6.
  • Connection type: Choose Client-to-Site.

With the function Set standard gateway activated, the VPN client can communicate with the Internet via the Internet connection of the Unified Firewall.

The item Client IP allows a fixed IP address to be assigned to the VPN client. If this entry is left empty, the VPN client is given an IP address from the address pool (see step 1.8).

Additional server networks optionally allows the VPN client to access other local networks. In this way, individual employees can be given access to different local networks.

Screenshot of a VPN configuration interface showing options for Employee SSL VPN connectivity settings, including connection types like Client to Site and Site to Site, with fields to preserve changes and assign custom IP addresses.

1.11) Edit the VPN SSL connection created in step 1.10 by clicking on the “pencil” icon.

Screenshot of a VPN management interface displaying various VPN connections, their statuses, and settings options like SSL VPN and IPsec.

1.12) Click Export client configuration to export the VPN profile together with the certificate.

An image displaying a technical configuration menu for SSL VPN connections, including sections for client-to-site settings, default gateway assignment, and additional server network options.

As of LCOS FX 10.5 you can export the profile directly in the menu VPN → VPN SSL → Connections by clicking on the option Export this connection for a specific connection.

You may have to click on the double arrow symbol first (right next to the field Filter) to expand the menu so that the symbol for the profile export becomes visible.

Image of a complex network configuration interface displaying various settings including firewall, VPNs, monitoring statistics, and certificate management options.

1.13) Enter the following parameters and then click on Export.

  • Type: Select OVPN to generate a profile for the OpenVPN client.
  • Remote Hosts: Enter the public IPv4 address or the DynDNS name of the Unified Firewall along with the VPN SSL port (see step 1.8).
  • Key Password: Enter the private key password set in step 1.6.
  • Transport Password: Set a password. This has to be entered when the user starts the VPN connection with the OpenVPN client.
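As an added example (not part of the original article and not the firewall's own export code), the following Python script sanity-checks an exported .ovpn profile against the settings chosen in steps 1.8 and 1.13 (UDP transport, AES256, a remote host with the VPN SSL port, an embedded CA) and verifies that the address pool from step 1.8 does not overlap an internal network. The sample profile, the host name vpn.example.com and the certificate placeholder are constructed assumptions; a real export will contain additional directives.

```python
import ipaddress

# Constructed sample profile: illustrates the kind of .ovpn file produced by the
# export in step 1.13. It is NOT the Unified Firewall's real export; the host
# name and the certificate placeholder are assumptions.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher AES-256-CBC
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the CA certificate from step 1.2 would be embedded here)
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Collect top-level OpenVPN directives as {name: [args, ...]}.

    Inline blocks such as <ca>...</ca> are recorded by name with no arguments
    so their presence can be checked; their contents are skipped.
    """
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            directives.setdefault(in_block, []).append([])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def first_args(directives, name):
    """Arguments of the first occurrence of `name`, or None if absent."""
    occurrences = directives.get(name)
    return occurrences[0] if occurrences else None


def check_profile(text):
    """Return a list of findings; an empty list means the profile matches
    the settings recommended in steps 1.8 and 1.13."""
    d = parse_profile(text)
    findings = []

    # Step 1.8: UDP transport. OpenVPN defaults to UDP when 'proto' is omitted.
    proto = first_args(d, "proto")
    if proto and proto[0].lower().startswith("tcp"):
        findings.append("proto is TCP: TCP inside TCP risks a TCP meltdown; use UDP")

    # Step 1.13: Remote Hosts must carry the firewall address and the VPN SSL port.
    remote = first_args(d, "remote")
    if not remote:
        findings.append("no 'remote' directive: Remote Hosts was left empty")
    elif len(remote) < 2 or not remote[1].isdigit():
        findings.append("'remote' lacks a numeric port: append the VPN SSL port from step 1.8")

    # Step 1.8: AES256 encryption. Newer clients negotiate via 'data-ciphers',
    # older ones use 'cipher'; accept either as long as an AES-256 variant is named.
    ciphers = (first_args(d, "data-ciphers") or []) + (first_args(d, "cipher") or [])
    if not any("AES-256" in c.upper() for c in ciphers):
        findings.append("no AES-256 cipher configured")

    # The CA from step 1.2 must be embedded so the client can verify the host certificate.
    if "ca" not in d:
        findings.append("no <ca> block: client cannot verify the Unified Firewall's certificate")
    return findings


def pool_overlaps(address_pool, internal_networks):
    """Return the internal networks that overlap the VPN SSL address pool.

    Step 1.8 requires that the pool is not already in use as an internal network;
    an empty result means the pool is safe to use.
    """
    pool = ipaddress.ip_network(address_pool, strict=False)
    return [net for net in internal_networks
            if pool.overlaps(ipaddress.ip_network(net, strict=False))]


if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE))                        # []
    print(pool_overlaps("192.168.3.0/24", ["192.168.3.0/24"]))  # ['192.168.3.0/24']
```

Run it against the exported profile before distributing it to the sales representatives; a non-empty findings list means one of the settings from step 1.8 or 1.13 did not make it into the export, and a non-empty overlap list means the address pool collides with the headquarters network (192.168.3.0/24 in the scenario) and must be changed.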

Screenshot showing the Employee Configuration Export option in a user interface.

1.14) Click the button to create a new VPN host.

Image displaying a technical interface with options for 'Firewall', 'Monitoring', and 'Statistics'.

1.15) Save the following parameters:

  • Name: Enter a descriptive name.
  • VPN connection type: Select VPN-SSL.
  • VPN SSL connection: From the drop-down menu, select the VPN SSL connection created in step 1.10.

Screenshot of a VPN configuration interface showing options for employee login, host settings, connection type, and session details with the note that changes will be preserved until logout or cancellation.

1.16) In the VPN host, click on the "connection" icon to open the firewall objects, and then click on the network object that the OpenVPN client should access.

Repeat this step for every network that the OpenVPN client should be able to access.

Screenshot of the configuration menu with the entry “SSLVPN Employee”.

1.17) Use the “+” sign to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.

A screenshot of a technical user interface showing settings related to SSL VPN, employee intranet configuration, and various security filters including URL and application filtering options.

1.18) Finally, implement the configuration changes by clicking Activate in the Unified Firewall.

Screenshot of the Unified Firewall menu bar (Firewall, Monitoring, Statistics).

1.19) This concludes the configuration steps on the Unified Firewall.



2) Configuration steps in the OpenVPN client under iOS:

2.1) Open the OpenVPN app and select the option Import profile.

Screenshot of a user interface displaying partial menu settings and statistics.

2.2) Choose one of the types of profile import available in the app and import the client configuration exported in step 1.12.

Screenshot of a VPN configuration interface highlighting the option to import a user profile using a URL, provided it is supported by the VPN service.

2.3) After a successful import the profile is shown in the profile list and can be connected by using the adjacent switch.

Image of a technical user interface showing disconnected profiles with partially visible text.


2.4) This concludes the configuration steps in the OpenVPN client.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

VPN SSL uses the UDP port 1194 by default. It must be forwarded to the Unified Firewall.

If you are using a router from another manufacturer, ask the manufacturer about the appropriate procedure.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.

Image of a complex networking configuration interface displaying options for UDP pacing, interfaces configuration, masquerading, port forwarding, and VRRP.

3.2) Save the following parameters:

  • First port: Specify the port 1194.
  • Last port: Specify the port 1194.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.

Screenshot of the dialog for entering a new port forwarding rule, including the option to enable the entry and a comment field.

3.3) Write the configuration back to the router.