Remote Worker VPN

About

Remote Worker VPN application improves core flexiWAN functionality by introducing remote access to company resources. IT admins can add the Remote Worker PVN application to their Organization from the flexiWAN AppStore in flexiManage and centrally configure and manage it from flexiManage. When installed on a flexiEdge devices, the application introduces VPN server functionality to it.

@startuml

!define AWSPUML ../../images/AWS-PlantUML/dist
!include AWSPUML/common.puml
!include AWSPUML/General/client/client.puml
!include AWSPUML/General/corporatedatacenter/corporatedatacenter.puml

left to right direction
hide stereotype
skinparam shadowing false
skinparam linetype polyline
skinparam linetype ortho
skinparam rectangle {
   borderColor<<awscloud>> #black
   roundCorner<<awscloud>> 50
   borderColor<<virtualprivatecloud>> #black
   roundCorner<<virtualprivatecloud>> 50
   borderColor<<site>> #black
   roundCorner<<site>> 50
   borderColor Transparent
   backgroundColor Transparent
   fontColor #black
   stereotypeFontColor Transparent
}

node "flexiEdge1" as FE1
cloud "Public Internet" as INET
node "flexiEdge2" as FE2
CORPORATEDATACENTER(FM, flexiManage, rectangle)
CORPORATEDATACENTER(P, User Portal, rectangle)
CLIENT(C1, Client1, rectangle)
CLIENT(C2, Client2, rectangle)

FE1 -- INET
INET -- FE2
FM . FE1
FM . FE2
P -- FM
C1 ... P
C2 ... P
C1 -- FE1
C2 -- FE2

@enduml

How does it work

Remote Worker VPN comprises the following components:

  • Application configuration accessible from App Store > Installed > Remote Worker VPN. Deployment is possible on a single or multiple flexiEdge. If installed on multiple flexiEdge devices, end users will be automatically connected to the nearest site to their geographic location.

  • Remote Worker Workspace portal page from where end-users can access resources required for VPN access. Multiple authentication methods for remote users are available, including Google Workspace and Azure. It is also possible to authenticate using flexiManage credentials (typically for IT testing and POC).

  • Remote Worker client software used for establishing VPN connections from remote devices

For the remote users to successfully use Remote Worker VPN, configuration is required from flexiManage. Once the application is configured and deployed on a single or multiple flexiEdge sites, end-users can access the Workspace portal to download the flexiWAN VPN application. Afterwards end-users can use the VPN application from their own computers to access internal resources.

For more details, follow the deployment and configurations steps below.

Requirements

Starting from release 5.2.X, every flexiEdge device should be able to run the Remote Worker VPN. Client and server VPN performance will vary based on device hardware specifications.

Installation

The Remote Worker VPN application can be installed by navigating to the App Store on the flexiManage sidebar and clicking on Available section. From there, simply click on the install icon and confirm your choice.

Remote Worker VPN

Once the application is installed, click the Open button to access the Remote Worker VPN configuration and settings page.

Remote Worker VPN

Configuration

About

Remote Worker VPN can be configured from App Store > Installed applications section in sidebar. Click on the yellow settings icon to access configuration page.

Remote Worker VPN

Configuration settings are divided into Server configuration and Authentication methods.

Server Configuration

Workspace name

Unique identifier of your organization, used for the Remote Worker portal.

Portal access link

Sharable link for remote users to log in and access VPN resources.

Max Remote Worker Users

Number of unique users which can login to workspace on a organizational level during a billing period. Three users are allowed to login for free per account in the billing period which is the sum of max remote users for all organizations under the account. To increase the license number, please contact yourfriends@flexiwan.com.

Server port

Port used for VPN server, default is 1194. A firewall rule is added to flexiEdge device when application is installed.

Route all client traffic over VPN

Forces all client traffic across VPN tunnel, using nearest flexiEdge for internet access.

DNS IP’s and domains

Define which DNS servers will remote devices use for domain name resolution.

The following screenshot shows correctly populated server settings:

Remote Worker VPN server settings

Authentication methods

The Remote Worker VPN supports several methods for end user authentication with the Remote Worker Portal.

Remote Worker VPN auth

Google Workspace

Allows Google Workspace / Google Apps for end user authentication. Supports multiple domains via the add option. By default only Domain name column is required, while other columns can be left blank. In this case all users from listed domain will be able to authenticate using their Google Workspace account.

Other fields are required only in case when specific user groups should be allowed to authenticate. For this use case, additional configuration must be made from Google Workspace. Specifically it is necessary to create an IAM service account on Google Workspace so flexiWAN backend can access Admin Directory Group in read-only mode. Note, no private information is exposed to flexiWAN, we are querying only if the logged in user is member of a specified group.

Learn more about Google IAM here.

In order for remote users to successfully authenticate using this method, the following configuration options are available:

Domain name

Enter domain name used for end user emails. Required field.

Group membership

Limit authentication to only specific user groups. Supports multiple comma separated groups. Not required field, when not used all users from Google Workspace will be able to authenticate.

Service Account

Google service account, only required when using specific groups.

Private key

Private key issued by Google.

Admin email

Google Workspace admin email address. Only used for verification, and not configuration / logging in.

Note

Private Google Mail accounts cannot be used with the Remote Worker VPN, only Google Workspace accounts are able to authenticate.

Azure AD

Allows Azure Active Directory for end user authentication. In order for remote users to successfully authenticate using this method, the following configuration options are available:

Domain

Enter domain name used for end user emails. Required field.

Groups

Limit authentication to only specific user groups. Supports multiple comma separated groups. Not required, when not used all users from Azure Active Directory will be able to authenticate.

Note

After enabling and configuring Azure Active Directory authentication method, AD administrator must attempt to authenticate first before end users. This is in order to consent authentication to Azure AD from the Remote Worker VPN. Note, no login or private information is handled by flexiWAN side.

flexiManage

Use flexiManage accounts to authenticate with the Remote Worker VPN end users. Please note, this feature is only for testing purposes and we do not recommend to utilize flexiManage for authentication in production.

Simply enable the authentication and provide remote users the link for portal authentication. Note, flexiManage portal link is different from the Workspace portal used with Google and Azure authentication.

Deployment

After configuring the Remote Worker VPN and at least one authentication method is enabled, the next step is to deploy it to a flexiEdge device. The application can be deployed on a single or multiple flexiEdge devices.

Deployment follows the usual flexiWAN deployment flow, select one or more devices and from the actions menu click on Install application.

Remote Worker VPN install

From the drop down menu, select the Remote worker VPN application and confirm.

Remote Worker VPN install

Final configuration step requires setting IP range which remote clients will use and limiting number of clients allowed to connect per flexiEdge. Note, total number of clients allowed is defined via the Remote Worker VPN configuration.

Remote Worker VPN install

After clicking on save a job is sent to the device and in a few moments Remote Worker VPN will be deployed.

flexiEdge device on which the Remote Worker VPN application is installed will now have a firewall rule allowing incoming traffic to the previously specified port within applications ettings. By default the rule cannot be edited however it can be disabled, duplicated and then more strict filtering can be applied.

firewall rule

Workspace Portal

How it works

A Workspace portal is a dedicated location where end users can log in using an URL unique to their organization and download the VPN software required for accessing company resources. Each organization can have its own URL, which is configurable from the Remote Worker VPN configuration settings.

Workspace portal offers Remote Client VPN applications for remote users to install on their devices in order to access company resources. The client application includes two segments: OpenVPN client application and flexiWAN Workspace portal authentication wrapper.

The OpenVPN client by itself cannot authenticate with any flexiEdge, instead users always log in to the Remote Worker portal using Google Workspace, Azure AD or flexiManage authentication after which a secondary authentication for VPN session will occur. Workspace portal generates time sensitive token for actual device authentication and automatically opens OpenVPN client to authenticate to the nearest flexiEdge using the provided token. This process happens without user interaction in the background, users are only required to log in to portal and click on Launch Client.

Accessing Portal

In order share the workspace portal URL with your end users, first configure the Remote Worker VPN, then share the portal access link available from the settings.

Remote Worker VPN portal

Remote users can access the portal from the defined URL, after which they are required to authenticate using one of the set auth methods.

Remote Worker VPN portal

After authenticating using Google Workspace or Azure AD credentials, remote users can access company resources, in this case the Remote Worker VPN application which automatically downloads. Please see below section regarding client installation.

Remote Worker VPN portal

Optionally and for testing purposes, it’s possible to authenticate to portal using flexiManage account.

Remote Worker VPN portal

Remote Worker clients

The Remote Worker portal provides downloads of the Remote Worker clients which offer a VPN client for the remote workers to install and then connect to nearest flexiEdge. Please note, while the Remote Worker portal relies on the OpenVPN client, using standalone version directly from OpenVPN website will not work with the portal.

Currently, the Remote Worker portal offers VPN clients downloads for the following operating systems:

  • Windows - Supported OS’s are Windows 10 and 11. However older versions may work as well.

  • MacOS - Supported from Mojave to Monterey.

Installing client on Windows

After authenticating with the Remote Worker portal, Windows client software will automatically automatically start to download.

Remote Worker VPN client

Navigate to the download folder and locate the RemoteWorkerClient-1.0.0.exe file and run it to start the installation. Note, client versions numbers may change.

Remote Worker VPN client

In a few moments the installer will install OpenVPN client software and flexiWAN connector for the Remote Worker VPN portal authentication. Upon installation completion click finish.

Remote Worker VPN client

Navigate back to the the Remote Worker portal and click on Launch Client or simply refresh the page, after which the browser will ask to allow opening the Remote Worker Client application from it. To speed up authentication make sure to check always allow option and click on Open Link to launch the client.

Remote Worker VPN client

The client will open and automatically start to connect to the nearest flexiEdge site based on client location. In a few moments a pop-up will display showing the remote user device is now connected.

Remote Worker VPN client

That’s it, users can now access internal resources. It is recommended to use firewall rules and policies on flexiEdge sites to limit or allow access of remote user ranges. Finally, users can view connection status by opening OpenVPN application either from tray or desktop.

Remote Worker VPN client

Installing client on MacOS

After authenticating with the Remote Worker portal, MacOS client software will automatically automatically start to download.

Remote Worker VPN client

Navigate to the download folder and locate the RemoteWorker-1.0.0.pkg file and run it to start the installation. Note, client versions numbers may change. Click continue to start.

Remote Worker VPN client

To start the installation click on the Install button.

Remote Worker VPN client

Installation will shortly complete, click close to continue.

Remote Worker VPN client

A popup for Tunnelblick will show, enter your MacOS credentials so configuration can complete.

Remote Worker VPN client

Navigate back to the the Remote Worker portal and click on Launch Client or simply refresh the page, after which the browser will ask to allow opening the Remote Worker Client application from it. To speed up authentication make sure to check always allow option and click on Open Link to launch the client.

Remote Worker VPN client

Remote Worker will prompt for your MacOS username and password to initiate connection using Tunnelblick client.

Remote Worker VPN client

After a few moments client will show as connected.

Remote Worker VPN client

That’s it, users can now access internal resources. It is recommended to use firewall rules and policies on flexiEdge sites to limit or allow access of remote user ranges. Finally, users can view connection status by opening OpenVPN application either from tray or desktop.

Depending from DNS settings conifgured in Remote Worker VPN application, a DNS warning may be displayed. It’s safe to ignore and select the checkbox.

Remote Worker VPN client

Trademarks

OpenVPN is a registered trademark of OpenVPN, Inc.