Documentation

Server Management

Installing the Windows Credentials Provider
User Accounts
Roles
Authorized Keys
Event Logs
Email Messages
HTML templates
Session Management
Authentication Modules
Authentication Policies
SMTP Configuration

User Interface

Branding
User Interface Themes

Nodal VPN Client Configuration

The last step before your users can connect to your Nodal VPN is to configure or review your Client Configuration. A client configuration defines where your clients are allowed to route inside your network as well as allowing you to add connection scripts that can be run on connecting.

It’s possible to assign client configurations to different sets of users, this way you can grant access to different areas of your network to different groups of users.

---

1. Client Configuration review

When you create a new network, the system will automatically create a default client configuration for you. This will allow your users access to the same subnet that your Nodal Agent is installed on. If you need to restrict this, you must edit the configuration.

There are 4 different Client Configuration types.

• End-user Client
  This is the default client type, which is used by standard end users with the Nodal VPN client. An end-user client will prompt for authentication on every connection and supports Two Factor authentication.
• Site-to-Site Client
  This is an advanced client, designed for use with the command-line Nodal VPN client and can be used for connecting multiple remote sites together.
• Timed Client
  This is a special end-user client, which only needs authentication for a period of time, either for a set duration or up to a specific time of day. A user with this client type can disconnect and reconnect as many times as they want in that time without being prompted for further authentication
• WireGuard Client
  This client type allows a user to generate a configuration file that can be used with the native WireGuard clients. This cannot be used for Two Factor Authentication.

For this article, we will review the default end-user configuration. Click the link for the client, or click the options button, then Edit.

---

2. Routes

The first tab defines what routes are published to the client.

• Route All
  This will route all internet traffic through your VPN connection
• Server LAN Access
  This option publishes the same corporate subnet that your nodal agent is installed in (default: on)
• Client Access
  If enable (default: on), this option allows clients to access each other
• Additional Routes
  If you need add any extra routes, add them in this section and press enter or click + to add them to the list.
  As an example, if you wish to only grant clients access to a single internal IP, turn off Server LAN access and add in the target IP as an Additional Route.

---

3. Scripts

It is possible to define scripts for any OS which can be run either before the connection is up, or after the connection is established, as well as before the connection goes down, or after the connection goes down. Click Create Scripts to create a new script entry.

On the Create page, select the Target OS (Windows, Linux, OSX, Android, IOS or Other, then select either the Up Scripts or Down Scripts tab.

The contents of this script can be anything written in a scripting language that can be read by the target OS. An example pre-up script might be checking for something specific on the client before allowing a connection (i.e is it on my domain?).

Multiple scripts can be defined, which appear in the Scripts list.

---

4. Advanced

In the advanced tab, some settings related to the connection can be altered. It is recommended to leave these as the defaults in most cases.

• Keep-alive Originator
  Because UDP is stateless, we need to send keepalive packets, otherwise the connection will be closed. It is recommended to keep the default as CLIENT, but this can be set to NONE, CLIENT, SERVER, BOTH.
• Keep-alive Interval
  How many seconds between each keep-alive packet. The default of 35 seconds is reasonable here.
• Handshake Time-out
  How long to wait before a connection is considered closed. This is most useful for client disconnects so that the server knows the client has disappeared. With the default of 180 seconds a client connection will be removed after 180+around 60 seconds.
• Packet Marker
  For future expansion, when fwmark firewall tagging will be introduced.
• MTU
  The default of 0 will choose a standard MTU of 1500 minus 80 for the VPN overhead (1420). Only consider changing this if connection speeds are very poor.

---

5. Devices

There is just one setting in this tab, where you can define the maximum number of concurrently connected devices that each user can have.

A default value of 0 means this limit is the maximum that your purchased license supports.

---

6. Users

In this tab, you may assign this configuration to specific users. To add a user, type in the username and press enter to add them to the list.

Note: you may prefer to considuer assignment by using the next tab instead, Roles.

---

7. Roles

Roles are a container in Nodal VPN, which act as groups do in AD. For the purpose of client configurations, multiple users can be assigned to a role. Roles can be found at Security->Roles.

There are some built-in Roles, by default your new client configuration is attached to the Everyone role, which automatically includes all users.

As before, you can type in the name of a role and press enter to add it to the list.

Once you are happy with your Configuration, click Save to store any changes.