OneConnect Overview

Last modified on 2 Apr, 2025. Revision 13
This article is an Overview of OneConnect which is an SSL VPN
  • Related articles
    • Up to date for
    Core 15.00.00
    Status OK

    Configuring Clients

    Configure Client for Android and ChromeOS

    Configure Client with macOS, iOS and IpadOS

    Configure Client for Windows 

    Configure OpenConnect for linux

    Oneconnect Server

    Docs: **OneConnect

    HowTo: OneConnect VPN tunnel in Netwall

    Server settings

    FieldValue
    NameInterface name, will be interface used on policies and such.  e.g OneConnectServer
    Zone(Optional) Specifies if member of zone
    Inner IPInterface IP, will become a core route, IP owned by the firewall e.g. 192.168.10.1
    Outer InterfaceListening interface for incoming connection, if more then 1 is required its possible to use Interface Group e.g. Wan
    Server IPThe listening ip address for incoming connections. e.g. Wan_ip
    Host Name(Optional) Limit the user to connect only with a DNS name, needs to resolve to Server IP from the clients perspective amd also match the certificate. e.g. vpn.example.com
    Server PortThe listening TCP port for incoming connection e.g. 443
    Use DTLSYes/No
    DTLS PortPort used for DTLS connection. e.g. 443


    Authentication settings

    Authentication Source
    OpenID Connect Docs: OpenID Connect
         		Authenticate using a OpenID provider, configured under "Policies → User Authentication → User Directories → OIDC"
    Radius Docs: Radius
         		Sends a radius Access-Request to specified radius server, configured under "Policies → User Authentication → User Directories → Radius"
    LDAP Docs: Ldap Sends a LDAP query to specified LDAP server, configured under "Policies → User Authentication → User Directories → LDAP"
    Local Docs: Local database
         		Authenticate towards the local user database in the firewall. configured under "System → Users → Local User Database"
    Authentication Rule Docs: Authentication Rule
         		More settings available with Authentication Rule configured under "Policies → User Authentication → Authentication Rules"
    User GroupsGroups the user needs to belong to in order to connect

    Client IP options

    Client IP Address PoolIP pool that will be used for clients, don't use same range as a DHCP or other features. Can be specified by ips e.g. 192.168.10.9-192.168.10.32 or with cidr e.g. 192.168.10.0/24
    Netmaske.g. 255.255.255.0
    Primary DNSPrimary dns server for clients to use, e.g. 8.8.8.8 or internal. Note that internal server needs to be include in the client routes.
    Secondary DNSSecondary dns server for clients to use, e.g. 1.1.1.1 or internal.Note that internal server needs to be include in the client routes.


    ### DNS Suffixes: Multiple suffixes can be used. e.g. example.local
    Limits:
    • If all-nets is used everything is route trough the VPN tunnel even DNS
    • If a custom route (split tunneling is used) only query that match the suffix will be send to VPN dns.


    Auto Proxy URLProxy URL to be pushed to clients


    ### Client Routes
    All-NetsAll clients traffic will be routed over the vpn.
    CustomIts possible to configure up to 32 routes, all configured under the custom will be routed over the vpn, rest will use the clients own route, e.g. their internet connection.




    OneConnect Capabilities



    OneConnect Server
    Protocol Features 
    TLS (TCP) SupportYes
    DTLS (UDP) SupportYes
    ProtocolOpenConnect
    Outer Transport ProtocolUDP, TCP
    Outer IP ProtocolIPv4, IPv6
    Inner IP ProtocolIPv4
    Routing Features
    Split Tunneling SupportYes
    Split Tunneling ConfigurationDynamically configured on the client by NetWall on every connection attempt, fully transparent for the user.
    Number of Routes32
    Largest SubnetNo limitation
    Client Support
    Support for 3rd Party ClientsYes
    Clavister Client Versions
    • OneConnect 3.0 or later
    Operating Systems Supported by Clavister Clients
    • Android 9 or later
    • iOS 14.1 or later
    • iPadOS 14.1 or later
    • macOS 11.00 (Big Sur) or later
    • Windows 10 or later
    Support for Deep LinksYes, Deeplinks for easy deployment of configuration profiles
    Support for DNS search suffixesYes
    Support for URL redirect after connection (SSO Portal from EasyAccess)Yes
    Support for HTTP proxy settingsYes, using Auto Proxy URL to WPAD file.
    Support for VPN on Demand Rules on macOS/iOS/iPadOSYes, per profile, power user setting enabled in Preferences
    NetWall Firmware Versions
    Supported FromcOS Core 13.00.09

    Certificate

    Docs: ACME

    Docs: Certificate

    Importing certificate

     Objects → General → Key Ring → Add → Certificate → Upload Certificate

    Applying certificate

    System → Device → Device Settings → Remote Management → Advanced settings

    This example is based while using the ACME feature
    WebUI HTTPS Port:Don't use same port as the OneConnect Server
    HTTPS Certificatevpn_example_com
    AvailableSelected
    vpn_example_com

    		vpn_example_com_C1 vpn_example_com_C2
    Include
    Remove

    Troubleshooting Certificates

    This website is common to use to confirm the chain or missconfiguration,

    https://whatsmychaincert.com/?vpn.example.com:443

    A common issue is with android and that the full chain is missing 

    Usually an intermediate needs to be added as root certificate.


    Related articles

    Upgrading EasyAccess to PhenixID Authentication Services
    16 Aug, 2024 changeme easyaccess phenixid pas



    Tagschangeme