I. Introduction
VPN stands for Virtual Private Network and is mainly used to provide privacy and security to internet users. CacheGuard MyVPN is a Web application that allows you to easily become a VPN provider. With CacheGuard MyVPN, you can quickly create and manage VPN accounts for a group of persons called subscribers. This application is a friendly front end built on top of a powerful network appliance called CacheGuard Gateway.
When you use the CacheGuard MyVPN application, you automatically benefit from a dedicated and ready-to-use CacheGuard Gateway. Amongst other features, CacheGuard Gateway embeds a VPN server, a firewall and a caching Web proxy, all of which are activated by default on your dedicated CacheGuard Gateway. In addition, you have the possibility to activate optional features such as, but not limited to, the advert blocker and the Web antivirus(1).
Technical Note: the CacheGuard MyVPN application is reachable on the public IP address of your dedicated CacheGuard Gateway and uses the HTTPS protocol. To allow you to quickly access the Web application, in some cases(2) it may be automatically configured to use a self-signed certificate. In this case, the first time you access the Web application your Web browser will warn you about that certificate; this warning is expected. For your information, CacheGuard Gateway can be configured to use a signed certificate in order to avoid that warning. You can refer to the CacheGuard documentation to learn how to import and use signed certificates.
(1) Activating some services on a CacheGuard Gateway may require additional machine resources and/or additional cost.
(2) The Web application is automatically activated when acquired on a public cloud marketplace in PAYG (Pay As You Go) licensing mode. Otherwise, you can refer to the embedded to learn how to activate the Web application.
II. Service Setup
The first time you access this application, you are invited to set up some mandatory parameters that allow your service to become operational. These parameters can be modified afterwards. It is important to note that you can't create VPN accounts for your subscribers until you have successfully set up your service.
II.1 General Setup
The menu option Setup > General Setup allows you to set up your service.
II.1.a Service Identity
The most important parameters to set are the Identity Name and the Private Domain Name, which identify you as a VPN provider to your subscribers. If privacy is critical for you, we recommend that you set up a Service Identity that does not identify you as a natural person. It is very important to note that your Service Identity can't be modified without resetting your service. You can refer to the Reset Service section below for further information about resetting the service. In normal circumstances, we highly recommend that you never reset your service.
As an option, you have the possibility to specify a VPN Server Address, but in most cases you do not need to specify one (which is the recommended configuration).
Technical Note: the chosen Identity Name is used to name your system's CA certificate. That CA certificate signs the VPN server certificate as well as all user certificates that are delivered to your subscribers. The chosen Private Domain Name is used as a suffix to name user certificates. The VPN Server Address can be an IP address or a hostname identifying the VPN server on the network. More specifically, if you specify a hostname, it must exist and resolve to an IP address that identifies the VPN server on the network. In the absence of any value for the VPN Server Address, the VPN server is referred to directly by its public IP address (which is guessed by the application). If unsure, do not specify any value for the VPN Server Address (which is the recommended configuration).
II.1.b Email Account
As a VPN provider, you will have to send your subscribers their VPN profiles and instructions to connect. CacheGuard MyVPN mainly uses email to communicate with your subscribers. To allow the application to send emails to your subscribers, you must provide the details of an email account. We recommend that you use an email account dedicated to your CacheGuard MyVPN service. The mandatory email account details are as follows: the email address, the email server name, the email server port and the email account credentials (username and password). Your email account provider should be able to provide you with those details (otherwise you can select another email service provider that is able to provide such details).
II.2 Reset Service
Under some circumstances you may need to replace your current VPN service with a new one. For instance, if you modify its public IP address (because its current IP address is no longer operational), your subscribers will be unable to connect to the VPN service. In such a situation, the only solution is to reset the VPN service.
After a service reset, all your subscribers should receive new technical information to connect to your replacement VPN service. Fortunately, when you ask for a service reset, the application automatically informs your subscribers of that change and sends them the new technical information needed to connect to your new VPN service. Nevertheless, you must manually send them their new passwords. The menu option Setup > Reset Service allows you to reset your service.
Public IP modification Note: if your public IP address is changed, your CacheGuard MyVPN application itself must be reconfigured to become accessible again (via its new public IP address). If your application is reached by a name, you must ask your DNS registrar to associate your new IP address with your application name. If your application is directly reached by an IP address, please follow the instructions below to automatically reconfigure your application so that it becomes operational again:
- Reboot the machine on which your dedicated CacheGuard Gateway is running (see below to learn how to reboot).
- Reconnect to the CacheGuard MyVPN application on its new public IP address and then ask for a Reset Service.
How to reboot: if you use an on-premise CacheGuard Gateway (physical or virtual), turning it off and on again is enough. If you use a CacheGuard Gateway on a public cloud (AWS™ or Azure™), you can simply ask for a reboot via your cloud provider's UI (User Interface).
III. Subscriber Accounts Management
After having successfully set up your service, you will be able to create subscriber accounts. A subscriber is authenticated using a personal client certificate and its associated private key. Client certificates and private keys are automatically sent to subscribers by email. For security reasons, private keys are protected with passwords that you must send to your subscribers, preferably by SMS, WhatsApp™ or any other mobile phone messaging system. We highly recommend that you never send passwords by email, as malicious users may intercept them and thus compromise the privacy and security of your subscribers.
Onboarding a new subscriber is done in 3 phases:
- First you must request an account creation for the subscriber and then wait for its effective creation by the application. Account creation requests are automatically handled by the application in background.
- Once the account is created, you are informed by the application and the subscriber receives a confirmation email that contains the technical information that she/he needs to connect to the VPN.
- At this stage you must manually send to your subscriber the password that protects her/his private key.
You can check the status of subscriber accounts at any time. Created accounts are marked with the sign while accounts that are not yet handled by the application are marked with the mark. If an account creation fails, the account is marked with the sign. You can refer to the Background Operations section below for further information about how the application handles account creation.
Please note that you can't send passwords to subscribers if their accounts are not yet effectively created. A password can be copied to the clipboard by clicking on the icon (you will then be able to paste it into your mobile phone messaging app). If you use WhatsApp™, you also have the possibility to click on the icon to directly open your WhatsApp™ app with the right information (mobile phone number and the password to send).
Technical Note: a profile (or script) file is attached to the email that subscribers receive. The profile file varies depending on the subscriber's device type and contains all the technical information that allows the subscriber to automatically configure her/his device. Amongst other things, the profile file embeds a PKCS12 file. A PKCS12 file contains a user certificate and its associated private key, forming a pair. PKCS12 files are personally assigned to subscribers and allow them to be authenticated when connecting to the VPN. Finally, the private keys included in PKCS12 files are password protected.
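As an added example (not CacheGuard code), the certificate structure from the Service Identity technical note and the password-protected PKCS12 bundle described above, built with the Python cryptography package; the Identity Name, Private Domain Name, username and the username@domain identity form are constructed assumptions:

```python
# Added illustration, not CacheGuard code: the PKI of the Service Identity note
# (Identity Name = CA name, Private Domain Name = user identity suffix) and the
# password-protected PKCS12 of the subscriber note. Needs the "cryptography" package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12

IDENTITY_NAME = "ExampleProvider"       # constructed Identity Name
PRIVATE_DOMAIN = "vpn.example.invalid"  # constructed Private Domain Name

def _validity():
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=365)

def make_ca(identity_name):
    """Self-signed CA named after the Identity Name; it signs server and user certs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, identity_name)])
    not_before, not_after = _validity()
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_user_cert(ca_key, ca_cert, username, private_domain):
    """Per-subscriber certificate; the identity form username@domain is an assumption."""
    key = ec.generate_private_key(ec.SECP256R1())
    identity = f"{username}@{private_domain}"
    not_before, not_after = _validity()
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, identity)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(identity)]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert

def build_pkcs12(username, user_key, user_cert, ca_cert, password):
    """Bundle the user's key, certificate and issuing CA, encrypted under the password."""
    return pkcs12.serialize_key_and_certificates(
        username.encode(), user_key, user_cert, [ca_cert],
        serialization.BestAvailableEncryption(password.encode()))

def open_pkcs12(blob, password):
    """(key, cert, extra_certs) with the right password, None with a wrong one."""
    try:
        return pkcs12.load_key_and_certificates(blob, password.encode())
    except ValueError:
        return None

def issued_by(cert, ca_cert):
    """True when cert chains to the EC CA: issuer name matches and signature verifies."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False
```

The check in issued_by is what a VPN server does with a presented user certificate: a matching issuer name alone is not enough, the signature must verify under the CA key named after the Identity Name.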
III.1 Creating a new Subscriber Account
The menu option Subscribers > New Subscriber allows you to request a new subscriber account. Each account is identified by a unique username. When creating an account, you must provide a username, an email address, a mobile phone number and the device type used by the subscriber. Other information such as a first or last name can also be specified.
After having created a subscriber account, you can modify it via the menu option Subscribers > All Subscribers. Please note that the username associated with an account can't be modified. Important notice: in order to validate that your service is operational, we highly recommend that you first create a subscriber account for yourself before creating any other account.
III.1.a Subscriber Email Address
It is important that you specify an operational and valid email address for a subscriber. Otherwise, the subscriber will not be able to receive the technical information needed to connect. The subscriber account creation form allows you to check the validity of the input email address by ticking the Check Email Address checkbox. However, some email servers do not allow such a check and report an error even if the email address that you have specified is valid. In this case, you are invited to untick that checkbox.
If a subscriber doesn't receive the emails that are automatically sent by the application, in most cases this means that the email address that you specified for her/him is not valid, either because the domain part of the email address (after @) is not valid or because its local part (before @) is not valid. In the former case, an error is reported in the application (see the Help > Operations Report menu option). In the latter case, you are normally notified by your email service provider even though the application reports no error. In both cases, you are invited to fix the specified email address. When you fix (or just update) a subscriber's email address, the application automatically handles that modification by resending the subscriber's technical information to the newly specified email address.
III.1.b Supported Devices
CacheGuard MyVPN allows you to connect Android™, Apple™, Linux and Windows™ (10 and 11) based devices/machines. Instructions to connect to the VPN vary according to the type of device to connect. That's why a device type must be specified when you create a subscriber account, in order to allow the application to send the right instructions to the subscriber. It is important to note that one and only one device type can be associated with a subscriber, and it can't be modified afterwards.
Apple™ and Windows™ devices can use their native VPN clients to connect to the VPN, so there is no need to install a VPN client on those devices. However, configuring native VPN clients can be a complex process that requires extensive technical knowledge. You don't need to worry about that, because CacheGuard Gateway can automatically generate those configurations for almost all types of devices. All your subscribers have to do is use those automatically generated configurations. Apple™ devices are configured by importing an automatically generated Apple profile file, while Windows™ machines are configured by running an automatically generated PowerShell script.
Android™ and Linux users, on the other hand, must first install the strongSwan application and then import the automatically generated strongSwan profile or script files (more specifically, the strongSwan VPN Client App on Android™ and the strongSwan application on Linux).
III.2 Client Device Configuration
Subscribers automatically receive an email that contains the technical information that allows them to connect their devices to the VPN. The sections below show typical emails that subscribers may receive.
III.2.a Android Based Devices
Dear ProviderName VPN user,
Attached you will find your profile file that allows you to connect your Android device to the ProviderName VPN and Web proxy.
Important notice: your profile file embeds a personal PKCS12 file that you are not allowed to share with third parties (one and only one connection is supported with the same PKCS12 file). Your PKCS12 file is protected by a password that you should request from your administrator.
To configure your machine proceed as follows:
- Install the strongSwan VPN Client App (https://play.google.com/store/apps/details?id=org.strongswan.android) on your device (if it's not yet installed) and start it.
- Delete any existing VPN profile named ProviderName in that App.
- Open the VPN profile file attached to this email with the strongSwan App and import it (follow instructions given by the App).
- At this stage a VPN connection named ProviderName should appear in the list of VPN connections in your strongSwan App. To connect to the VPN, all you need to do is turn it on.
- Once connected to the VPN, the Web proxy will be available at the 172.22.1.254:8080 address. It is highly recommended to explicitly configure your device (including all your Web browsers and other applications) to always use the ProviderName proxy. Please refer to your Android documentation for more information on how to configure your device to use a proxy.
Best Regards,
Your Administrator
III.2.b Apple Devices
Dear ProviderName VPN user,
Attached you will find your profile file that allows you to connect your Apple device to the ProviderName VPN and Web proxy.
Important notice: your profile file embeds a personal PKCS12 file that you are not allowed to share with third parties (one and only one connection is supported with the same PKCS12 file). Your PKCS12 file is protected by a password that you should request from your administrator.
To configure your machine proceed as follows:
- Delete any existing configuration profile named ProviderName on your device. On an iPhone, configuration profiles are located at Settings > General > VPN & Device Management.
- Download the Apple profile file attached to this email. To download on an iPhone, click on it and then you should get the Profile Downloaded message (you should find the downloaded profile in your Settings).
- Open then the downloaded profile file and follow instructions given by your Apple device.
- At this stage a VPN connection named ProviderName should appear in the list of VPN connections on your Apple device. To connect to the VPN, all you need to do is turn it on.
- Once connected to the VPN, the Web proxy will be automatically used. For your information the ProviderName proxy address is 172.22.1.254:8080.
Best Regards,
Your Administrator
III.2.c Linux Machines
Dear ProviderName VPN user,
Attached you will find your script file that allows you to connect your Linux device to the ProviderName VPN and Web proxy.
Important notice: your profile file embeds a personal PKCS12 file that you are not allowed to share with third parties (one and only one connection is supported with the same PKCS12 file). Your PKCS12 file is protected by a password that you should request from your administrator.
To configure your machine proceed as follows:
- Install the strongSwan application on your machine (if it's not yet installed). On many Linux distributions, you can use a package manager such as RPM or APT to install that application.
- Download the bash script file attached to this email and put it in a dedicated empty directory that you can name ProviderName, for instance. Then enter that directory (cd ProviderName) and run it as the user root to connect to the VPN. To do so, you can use the sudo bash providername.bash command.
- Once connected to the VPN, the Web proxy will be available at the 172.22.1.254:8080 address. It is highly recommended to explicitly configure your machine (including all your Web browsers and other applications) to always use the ProviderName proxy. Please refer to your Linux distribution's documentation for more information on how to configure your machine to use a proxy.
Best Regards,
Your Administrator
III.2.d Windows Machines
Dear ProviderName VPN user,
Attached you will find your script file that allows you to connect your Windows machine to the ProviderName VPN and Web proxy.
Important notice: your profile file embeds a personal PKCS12 file that you are not allowed to share with third parties (one and only one connection is supported with the same PKCS12 file). Your PKCS12 file is protected by a password that you should request from your administrator.
To configure your machine proceed as follows:
- Download the PowerShell script file attached to this email and then run it as Administrator.
- At this stage a VPN connection named ProviderName should appear in the list of VPN connections on your Windows machine. To connect to the VPN, all you need to do is turn it on.
- Once connected to the VPN, the Web proxy will be automatically used. For your information the ProviderName proxy address is 172.22.1.254:8080.
Best Regards,
Your Administrator
III.3 Managing Subscriber Accounts
The menu option Subscribers > All Subscribers allows you to get an overview of all subscriber accounts. You can then click on the icon to edit a particular subscriber, or on the icon to send a subscriber her/his private key password via WhatsApp™.
III.3.a Suspending and Reactivating a Subscriber
You have the possibility to suspend a subscriber at any time. Suspended subscribers can no longer access the VPN. A suspended subscriber can be reactivated afterwards. To suspend an active subscriber or reactivate a suspended subscriber, you must access the subscriber account form by clicking on the icon.
III.3.b Cancelling a Subscriber Account
You have the possibility to permanently cancel a subscription. Please note that cancelled subscriptions can no longer be reactivated. They remain in the application (and are not deleted) so that no new account can be created with the same username. As there is a limit on the number of subscriber accounts that you can create with the CacheGuard MyVPN application (according to the licensing that you chose), cancelling subscriber accounts that are no longer needed allows you to create new ones.
Security Note
In a perfect world, private keys would never be disclosed to any third party, including the CacheGuard Gateway itself. However, for ease of use, your dedicated CacheGuard Gateway generates them and hence knows them. With this in mind, in order to offer the highest level of security, private keys and the passwords that protect them are automatically deleted from the system after a while. For a given subscriber, the deletion is only done once the application detects that the subscriber has been able to connect (this validates that the subscriber has received her/his private key and the password that protects it).
IV. Background Operations
When you ask for an account creation, a setup modification or any other operation, the application registers your request without performing it immediately. The application regularly watches for new requests and automatically handles them in the background. You can click on the icon to refresh a page and get the latest status of your request. Pending or in-progress operations are marked with the sign while successful operations are marked with the sign.
Occasionally, a requested operation fails. In this case, the operation is marked with the sign. By clicking on that sign, you are redirected to the Operations Report page, where you can find the causes that led to the failure. Some errors are generated by the underlying CacheGuard Gateway while others are directly generated by the application. Errors generated by the underlying CacheGuard Gateway are flagged as low level errors. In all cases, the operations report can help you remedy faulty operations. You can check the operations report at any time by selecting the Help > Operations Report menu option.
V. MyVPN Login Password
To log in to the application, the username to use is always admin. The first time you log in, the default password is the same as the password used to log in to your CacheGuard Gateway Web GUI. After having logged in for the first time, it is highly recommended that you change your application password. To do so, use the menu option Setup > Login Password. Please note that whenever you directly reactivate the application on your dedicated CacheGuard Gateway, the application password is reset to its default value (i.e. the CacheGuard Gateway Web GUI password). If you purchased the application from a public cloud marketplace (AWS, Azure), you had the opportunity to set it during the application deployment.
VI. The Expert Mode
The CacheGuard MyVPN application is based upon a dedicated CacheGuard Gateway. The menu option Setup > Expert Mode allows you to directly access the Web GUI of your dedicated CacheGuard Gateway. This menu option redirects you to your CacheGuard Gateway's internal IP address, which is only reachable once you are connected to the VPN.
Please note that configuring a CacheGuard Gateway requires technical knowledge that you need to master. You should never directly modify your CacheGuard Gateway configuration if you do not feel absolutely confident about what you are doing. Otherwise, your service may stop working. You can refer to the CacheGuard documentation found at www.cacheguard.net to get help on how to configure and administer a CacheGuard Gateway.