Description:

This document describes how to set up a VPN-SSL connection with the OpenVPN Client from a Windows PC or notebook to a LANCOM R&S®Unified Firewall (referred to here as the Unified Firewall).

Due to a change in the encryption algorithms in OpenVPN as of version 2.6.0, a VPN-SSL connection can only be established to a Unified Firewall with LCOS FX as of version 10.13 Rel. Please use OpenVPN in a version older than 2.6.0 (e.g. version 2.5.8) when using an older LCOS FX version.


Requirements:

  • Existing installation on a LANCOM R&S®Unified Firewall
  • OpenVPN Client
  • Windows as of version 7
  • A configured and functional Internet connection on the Unified Firewall
  • Web browser for configuring the Unified Firewall. The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox

We recommend that you use the LANCOM Advanced VPN Client for VPN client connections. You can find articles regarding the configuration in this master document.


Scenario:

1) The Unified Firewall is connected directly to the Internet and has a public IPv4 address:

  • A company wants its sales representatives to have access to the corporate network via a VPN-SSL client-to-site connection.
  • The notebooks used by the sales representatives have the OpenVPN Client installed on them.
  • The company headquarters has a Unified Firewall as a gateway with an Internet connection with the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.



2) The Unified Firewall is connected to the Internet via an upstream router:

  • A company wants its sales representatives to have access to the corporate network via a VPN-SSL client-to-site connection.
  • The notebooks used by the sales representatives have the OpenVPN Client installed on them.
  • The company headquarters has a Unified Firewall as the gateway and an upstream router for the Internet connection. The router has the fixed public IP address 81.81.81.1.
  • The local network at the headquarters has the IP address range 192.168.3.0/24.
This scenario also includes the “parallel” solution as described in this article.




Procedure:

The setup for scenarios 1 and 2 is basically the same. Scenario 2 additionally requires port forwarding to be set up on the upstream router (see section 3).


1) Configuration steps on the Unified Firewall:

1.1) Connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new CA.


1.2) Modify the following parameters and click Create:

  • Certificate type: Leave the setting on Certificate.
  • Template: In the drop-down menu select the option Certificate Authority
  • Common name (CN): Enter a descriptive common name (in this example VPN-SSL-CA).
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. For a CA, the period of validity is usually set to be very high. The default setting for a CA is a validity of 5 years.

The rest of the parameters (e.g. the encryption settings) can be left at the default values.


1.3) Create another certificate by clicking on the “+” icon. This is used for authenticating VPN SSL connections on the Unified Firewall.


1.4) Modify the following parameters and click Create:

  • Certificate type: Leave the setting on Certificate.
  • Template: In the drop-down menu select the option Certificate.
  • Common Name (CN): Enter a descriptive common name (in this example VPN-SSL-Headquarter).
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. For a VPN certificate used to accept VPN clients, the period of validity is usually set to be very high (in this example 5 years).
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • CA password: Enter the private key password set in step 1.2.

The rest of the parameters (e.g. the encryption settings) can be left at the default values.


1.5) Create another certificate by clicking on the “+” icon. This is used for authenticating an individual VPN SSL user.


1.6) Modify the following parameters and click Create:

  • Certificate type: Leave the setting on Certificate.
  • Template: In the drop-down menu select the option Certificate.
  • Common Name (CN): Enter a descriptive common name that characterizes the employees (in this example VPN-SSL-Employee1).
  • Private key password: Set a password. This is used to encrypt the private key.
  • Validity: Specify how long the certificate should remain valid. With VPN certificates for individual users, the period of validity is usually set quite low (in this example 1 year).
  • Signing CA: From the drop-down menu, select the CA created in step 1.2.
  • CA password: Enter the private key password set in step 1.2.
The field Subject Alternative Name can be used for easier identification of each employee, such as entering their e-mail address.

The rest of the parameters (e.g. the encryption settings) can be left at the default values.
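To make the certificate hierarchy built in steps 1.2 to 1.6 visible, here is an added example that rebuilds it with OpenSSL on the command line: a self-signed CA (5 years), a host certificate for the firewall (5 years) and an employee certificate (1 year, e-mail address in the SAN), followed by a chain check. This is not LCOS FX code or its export format; the file names, the CA password and the e-mail address are assumptions.

```shell
#!/bin/sh
# Added example: models the certificate hierarchy of steps 1.2 to 1.6 with OpenSSL.
# Not LCOS FX code; file names, passwords and the e-mail address are assumed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="ca-secret"   # the CA's private key password from step 1.2 (assumed value)

# Step 1.2: the CA. Its key is encrypted with CA_PASS; validity 5 years (1825 days).
make_ca() {
  openssl req -new -newkey rsa:2048 -sha256 -subj "/CN=VPN-SSL-CA" \
    -passout "pass:$CA_PASS" -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1.4 and 1.6: a certificate signed by that CA (the "Signing CA" + "CA password").
# $1 = file stem, $2 = CN, $3 = validity in days, $4 = extended key usage, $5 = optional SAN
make_signed() {
  stem=$1; cn=$2; days=$3; eku=$4; san=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$eku" > "$WORK/$stem.ext"
  [ -n "$san" ] && printf 'subjectAltName=%s\n' "$san" >> "$WORK/$stem.ext"
  openssl x509 -req -in "$WORK/$stem.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days "$days" -sha256 \
    -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
}

# The check a practitioner wants before rolling out a profile: does the certificate
# chain to the CA and is it currently within its validity period? Returns 0 if so.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Host certificate (step 1.4): 5 years, server role.
# Employee certificate (step 1.6): 1 year, client role, e-mail in the SAN.
build_pki() {
  make_ca
  make_signed headquarter VPN-SSL-Headquarter 1825 serverAuth
  make_signed employee1 VPN-SSL-Employee1 365 clientAuth "email:employee1@example.com"
  verify_cert headquarter && verify_cert employee1
}

build_pki && echo "certificate chain verified in $WORK"
```

`openssl x509 -in "$WORK/employee1.crt" -noout -text` shows the CN, the SAN e-mail address and the one-year validity that the firewall dialog in step 1.6 produces.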


1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.


1.8) Enable the VPN SSL service via the slider, modify the following parameters and click Save:

  • Host certificate: From the drop-down menu, select the VPN certificate created in step 1.4.
  • Private Key Password: Enter the private key password of the VPN certificate created in step 1.4.
  • Routes: Enter the networks that the VPN client should communicate with in CIDR notation (Classless Inter-Domain Routing). These routes apply to all of the VPN SSL clients.
  • Protocol: Make sure that the option UDP is selected. If TCP is used for the VPN SSL tunnel and TCP traffic is transported inside the tunnel, the two retransmission mechanisms interfere with each other, which can lead to a "TCP meltdown".
  • Encryption algorithm: From the drop-down menu, select AES256.

Optionally you can enter a DNS and/or WINS server, which are assigned to all VPN SSL clients.

If necessary, you can change the Port.

The Address Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range must not already be in use as an internal network in the Unified Firewall.


1.9) Change to the menu VPN → VPN SSL → Connections and click on the “+” icon to create a new VPN SSL connection.


1.10) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN_SSL_Employee1).
  • Certificate: From the drop-down menu, select the VPN certificate for the employee created in step 1.6.
  • Connection type: Choose Client-to-Site.

With the function Set Default Gateway activated, the VPN client can communicate with the Internet via the Internet connection of the Unified Firewall.

The item Client IP allows a fixed IP address to be assigned to the VPN client. If this entry is left empty, the VPN client is given an IP address from the Address Pool (see step 1.8).

Additional Local Networks optionally allows the VPN client to access other local networks. In this way, individual employees can be given access to different local networks.


1.11) For the VPN SSL connection, click the Export this connection button to export the connection parameters including the certificate.

You may first have to click the double-arrow symbol (to the right of the Filter field) to expand the menu so that the symbol for the profile export becomes visible.

As an alternative, you can also click the "pencil" button to edit the configuration and then click Export Client Configuration.


1.12) Modify the following parameters and then click Export:

  • Type: Select OVPN to generate a profile for the OpenVPN client.
  • Remote Hosts: Enter the public IPv4 address or the DynDNS name of the Unified Firewall along with the VPN SSL port (see step 1.8).
  • Key Password: Enter the private key password set in step 1.6.
  • Transport Password: Set a password. This has to be entered when the user starts the VPN connection with the OpenVPN client.


1.13) Click the button to create a new VPN host.


1.14) Modify the following parameters and click Create:

  • Name: Enter a descriptive name (in this example VPN-SSL-Employee1).
  • VPN connection type: Select VPN-SSL.
  • VPN-SSL Connection: From the drop-down menu, select the VPN SSL connection created in step 1.10.


1.15) On the VPN host, click the "connection" icon and then click the network object that the OpenVPN client should access; this opens the firewall objects.

Repeat this step for every network that the OpenVPN client should be able to access.


1.16) Use the “+” signs to assign the required protocols to the VPN host.

A Unified Firewall uses a deny-all strategy, so any communication that is not explicitly allowed is blocked. You therefore have to explicitly allow the required protocols for the VPN host.


1.17) Finally, implement the configuration changes by clicking Activate in the Unified Firewall.


1.18) This concludes the configuration steps on the Unified Firewall.



2) Configuration steps in the OpenVPN client:

2.1) Right click on the OpenVPN icon in the task bar.

2.2) Click Import file to import the VPN profile.

2.3) A message is displayed to indicate that the profile was successfully imported.

2.4) This concludes the configuration steps in the OpenVPN client.



3) Setting up port and protocol forwarding on a LANCOM router (scenario 2 only):

By default, VPN SSL uses UDP port 1194. This port must be forwarded to the Unified Firewall.

If you are using a router from another manufacturer, ask that manufacturer about the appropriate procedure.

3.1) Open the configuration for the router in LANconfig and switch to the menu item IP-Router → Masq. → Port forwarding table.


3.2) Save the following parameters:

  • First port: Specify the port 1194.
  • Last port: Specify the port 1194.
  • Intranet address: Specify the IP address of the Unified Firewall in the transfer network between the Unified Firewall and the LANCOM router.
  • Protocol: From the drop-down menu, select UDP.


3.3) Write the configuration back to the router.