openvpn_tunnels.rst
+11 -1 (11 additions & 1 deletion)
@@ -70,6 +70,16 @@ The web interface allows the configuration of advanced features like:
70
70
71
71
* ``Enforce a minimum TLS version``: Allows you to choose a minimum version of TLS, in which case connections will only be allowed from devices that use a version greater than or equal to the one selected
72
72
73
+
Multiple OpenVPN tunnels
74
+
------------------------
75
+
If a NethSecurity must act as the VPN server for multiple remote firewalls, create a dedicated OpenVPN tunnel for each remote peer.
76
+
The UI-supported and recommended model is one server/client pair per site-to-site connection, for example, a central firewall connected to three remote firewalls should have three separate OpenVPN server tunnels, each with its own client configuration imported on the corresponding remote firewall.
77
+
78
+
This approach allows each tunnel to be managed independently, with separate configuration, certificates, routes, status, monitoring, and troubleshooting.
79
+
It also prevents issues on one remote connection from affecting the operational management of the others.
80
+
81
+
Do not use a single OpenVPN server tunnel shared by multiple remote clients for site-to-site configurations managed from the UI.
82
+
73
83
MTU Issue and Packet Fragmentation
74
84
----------------------------------
75
85
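Review bot: The prohibition at new line 81 ("Do not use a single OpenVPN server tunnel shared by multiple remote clients ...") sits as a plain paragraph at the end of the section, after the rationale, where a reader skimming for the recommended setup can miss it. Consider making it an RST admonition (``.. warning::``) placed directly under the recommendation at new lines 75-76. The sentence at new line 76 is also a comma splice: end it after "per site-to-site connection" and start a new sentence at "For example, a central firewall ...". Since the text names separate certificates as a benefit, a cross-reference to the certificate expiration section further down the file would show readers that a regenerated PKI then only requires re-importing the client configuration on the one affected remote firewall.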
@@ -179,4 +189,4 @@ In this scenario, you've to proceed with the generation of a completely new PKI.
179
189
These commands will generate a new CA certificate, as well as new server and client certificates signed by the new CA.
180
190
In this scenario, it is **mandatory** to download and import the new client configuration on the client side to restore the connection, so make sure to do it as soon as possible to minimize downtime.
181
191
182
-
All considerations remain the same as for Road Warrior connections. If the expired certificate is the CA certificate, you have to generate a completely new PKI, while if the expired certificate is the server or client one, you can regenerate it using the dedicated action.
192
+
All considerations remain the same as for Road Warrior connections. If the expired certificate is the CA certificate, you have to generate a completely new PKI, while if the expired certificate is the server or client one, you can regenerate it using the dedicated action.
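Review bot: The removed line 182 and the added line 192 read identically as shown, so the only difference must be invisible (trailing whitespace or the end-of-file newline). If that is intended, mention it in the commit message; otherwise drop this hunk so the change stays limited to the new "Multiple OpenVPN tunnels" section.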