how to create vpn ssl with client openvpn


All Replies

  • rcd
    rcd Posts: 4 Freshman Member

    Hi all,

    I could make it work.

    But when you enable 2FA for the VPN, you have to enable 2FA for all your users or they can't reach the LAN.

    I thought you could enable 2FA for the users you want, and the other ones could use the VPN as usual, but apparently no.

    So I don't understand why there is a box to check/uncheck 2FA for each user?

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,695 Zyxel Employee

    Hi @rcd

    Enabling 2FA stands for more security. Therefore, it is not a good way to enable 2FA for specific users, as it could cause security weaknesses.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,454 Guru Member
    edited November 2025

    On FLEX200 (non H), not per user but per IKE gateway, which can be tricky to do two on one WAN IP; you can enable or disable for that gateway for given user groups when 2FA is globally enabled.

  • methesrl
    methesrl Posts: 7 Freshman Member

    I set up an SSL VPN, and my PC connects seamlessly to OpenVPN. However, when OpenVPN is connected, my PC stops browsing until I disconnect the VPN. How can I fix this? Thanks

  • PeterUK
    PeterUK Posts: 4,454 Guru Member
    edited March 31

    Is the SSL VPN set to Internet and Local Networks (Full Tunnel)?

    On the FLEX H, for the Internet over SSL VPN the WAN must be in trunk even if it's passive.

    If needed, add a routing rule like this:

    Incoming: any

    Source Address: important, add the IP pool of your SSL VPN, like 192.168.51.0/24

    Next hop: WAN

    Also, have you added firewall rules for zone SSL_VPN?
    From SSL_VPN to Zywall DNS
    From SSL_VPN to WAN

    Do tests like DNS and ping

  • methesrl
    methesrl Posts: 7 Freshman Member
    edited April 1

    I set up a split tunnel. I don't want to use my internet connection via VPN (full tunnel).

  • PeterUK
    PeterUK Posts: 4,454 Guru Member

    Open RemoteAccess_SSLVPN.ovpn in Notepad. Do you see

    redirect-gateway
    
  • methesrl
    methesrl Posts: 7 Freshman Member

    Yes, there is a voice

    pull-filter ignore "redirect-gateway"

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,365 Zyxel Employee

    Hi @methesrl ,

    Sorry for the late response. Could you let us know whether your PC is able to browse the internet while connected to OpenVPN? If the issue persists, we have some suggestions that may help.

    If the RemoteAccess_SSLVPN.ovpn file contains redirect-gateway, it indicates that your SSL VPN is configured as full tunnel, not split tunnel.

    We recommend reconfiguring the SSL VPN to split tunnel mode, remember to add your Local Network, then re-downloading the SSL VPN Configuration Download file and re-importing RemoteAccess_SSLVPN.ovpn file into your OpenVPN client. After that, please test again to see whether internet browsing works while the VPN is connected.


    Zyxel_Judy
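
The check discussed in this thread, whether a client profile carries an active `redirect-gateway` directive or only mentions it inside `pull-filter ignore`, can be done mechanically instead of by eye. This is an added example, not part of the original posts or of Zyxel's tooling; the function name `tunnel_mode`, its result labels and both sample profiles are constructed for illustration.

```python
import shlex

# Constructed sample profiles (not taken from a real device export).
SPLIT_SAMPLE = '''client
remote vpn.example.com 1194
pull-filter ignore "redirect-gateway"
<ca>
constructed-placeholder-not-a-real-certificate
</ca>
'''
FULL_SAMPLE = '''client
remote vpn.example.com 1194
# default route goes through the tunnel
redirect-gateway def1
'''

def tunnel_mode(ovpn_text):
    """Return 'full', 'split-enforced' or 'server-decides' for a client profile."""
    local_redirect = False  # redirect-gateway written in the profile itself
    push_blocked = False    # a redirect-gateway pushed by the server is dropped
    inline_tag = None       # name of the <ca>/<cert>/... block being skipped
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            continue
        args = shlex.split(line)  # handles the quoted pull-filter argument
        if args[0] == "redirect-gateway":
            local_redirect = True
        elif args[0] == "pull-filter" and len(args) == 3 and args[1] == "ignore":
            # pull-filter matches pushed options by prefix, so the filter text
            # must be a prefix of "redirect-gateway" to cover every variant.
            if args[2] and "redirect-gateway".startswith(args[2]):
                push_blocked = True
    if local_redirect:
        return "full"  # pull-filter only affects pushed options, not local ones
    return "split-enforced" if push_blocked else "server-decides"

if __name__ == "__main__":
    for name, text in (("split", SPLIT_SAMPLE), ("full", FULL_SAMPLE)):
        print(name, "->", tunnel_mode(text))
```

A result of `server-decides` means the profile neither sets nor filters the option, so the default route depends on what the gateway pushes at connect time.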