23.3  Interconnection of two private networks via the Internet (VPN tunnel)

WinRoute with support for VPN (VPN support is included in the typical installation — see chapter 2.3  Installation) must be installed in both networks to enable creation of an encrypted tunnel between a local and a remote network via the Internet (“VPN tunnel”).

Note: Each installation of WinRoute requires its own license (see chapter 4  Product Registration and Licensing).

Setting up VPN servers

First, the VPN server must be allowed by the traffic policy and enabled at both ends of the tunnel. For a detailed description of VPN server configuration, refer to chapter 23.1  VPN Server Configuration.

Definition of a tunnel to a remote server

The VPN tunnel must be defined at both ends, each pointing to the server on the other side. Use the Add → VPN tunnel option in the Interfaces section to create a new tunnel.

Figure 23.8. VPN tunnel configuration

Name of the tunnel

Each VPN tunnel must have a unique name. This name will be used in the table of interfaces, in traffic rules (see chapter 7.3  Definition of Custom Traffic Rules) and interface statistics (details in chapter 20.2  Interface statistics).

Configuration

Selection of a mode for the local end of the tunnel:

  • Active — this side of the tunnel will automatically attempt to establish and maintain a connection to the remote VPN server.

    The remote VPN server must be specified in the Remote hostname or IP address entry. If the remote VPN server does not use port 4090, the port number must be appended after a colon (e.g. server.company.com:4100 or 10.10.100.20:9000).

    This mode is available if the IP address or DNS name of the other side of the tunnel is known and the remote endpoint is allowed to accept incoming connections (i.e. the communication is not blocked by a firewall at the remote end of the tunnel).

  • Passive — this end of the tunnel will only listen for an incoming connection from the remote (active) side.

    The passive mode is only useful when the local end of the tunnel has a fixed IP address and when it is allowed to accept incoming connections.

At least one end of each VPN tunnel must be switched to the active mode (passive servers cannot initialize connection).

Configuration of a remote end of the tunnel

When a VPN tunnel is being created, the identity of the remote endpoint is authenticated through the fingerprint of its SSL certificate. If the fingerprint does not match the fingerprint specified in the configuration of the tunnel, the connection is rejected.

The fingerprint of the local certificate and the entry for specification of the remote fingerprint are provided in the Settings for remote endpoint section. Specify the fingerprint for the remote VPN server certificate and vice versa — specify the fingerprint of the local server in the configuration at the remote server.

Figure 23.9. VPN tunnel — certificate fingerprints

If the local endpoint is set to the active mode, the certificate of the remote endpoint and its fingerprint can be downloaded by clicking Detect remote certificate. A passive endpoint cannot detect the remote certificate.

However, this method of setting the fingerprint is insecure: a counterfeit certificate might be presented during detection. If the fingerprint of a false certificate is stored in the tunnel configuration, the false endpoint (the attacker) can establish the tunnel, and the genuine certificate of the other side would be rejected. Therefore, for security reasons, it is recommended to set fingerprints manually.
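The following Python script is an added illustration of the checks described above (remote endpoint entry with an optional port after the colon, fingerprint pinning of the remote certificate, and the rule that at least one end must be active); it is not WinRoute's code. The certificate bytes are constructed stand-ins, and SHA-1 is an assumption, since the manual does not state which digest WinRoute displays as the fingerprint.

```python
import hashlib
import hmac
import re
from typing import Tuple

# Default port of the Kerio VPN server (from the manual); a different port is
# appended after a colon in the "Remote hostname or IP address" entry.
DEFAULT_VPN_PORT = 4090

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# A real endpoint would hash the DER bytes of the peer's actual SSL certificate,
# e.g. ssl.PEM_cert_to_DER_cert(pem_text).
GENUINE_REMOTE_DER = b"\x30\x82" + bytes(range(256)) * 3
COUNTERFEIT_DER = b"\x30\x82" + bytes(reversed(range(256))) * 3


def parse_remote_endpoint(spec: str) -> Tuple[str, int]:
    """Split 'host' or 'host:port' as typed into Remote hostname or IP address.

    Only hostnames and IPv4 literals are handled, matching the manual's examples.
    """
    spec = spec.strip()
    if not spec:
        raise ValueError("remote endpoint must not be empty")
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, DEFAULT_VPN_PORT
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid remote endpoint {spec!r}")
    return host, int(port)


def certificate_fingerprint(der: bytes) -> str:
    """Fingerprint of a DER-encoded certificate formatted as AA:BB:...
    (SHA-1 assumed; the manual does not name the digest)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Canonicalise a fingerprint typed by an administrator
    (any letter case; colon, space or dash separators)."""
    hex_only = re.sub(r"[^0-9A-Fa-f]", "", text).upper()
    if len(hex_only) != 40:
        raise ValueError("a SHA-1 fingerprint consists of 40 hex digits")
    return ":".join(hex_only[i:i + 2] for i in range(0, 40, 2))


def remote_endpoint_trusted(presented_der: bytes, configured_fingerprint: str) -> bool:
    """Accept the peer only if its certificate matches the manually pinned
    fingerprint. The comparison is constant-time (hmac.compare_digest)."""
    expected = normalize_fingerprint(configured_fingerprint)
    actual = certificate_fingerprint(presented_der)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


def tunnel_can_connect(local_mode: str, remote_mode: str) -> bool:
    """A tunnel needs at least one active end; two passive ends never connect."""
    modes = {local_mode.strip().lower(), remote_mode.strip().lower()}
    if not modes <= {"active", "passive"}:
        raise ValueError("mode must be 'active' or 'passive'")
    return "active" in modes


if __name__ == "__main__":
    host, port = parse_remote_endpoint("server.company.com:4100")
    print(f"connect to {host} port {port}")

    # Fingerprint read from the remote server's own console and typed in by
    # hand (the recommended method), here deliberately in lower case.
    pinned = certificate_fingerprint(GENUINE_REMOTE_DER).lower()
    print("genuine certificate accepted:", remote_endpoint_trusted(GENUINE_REMOTE_DER, pinned))
    print("counterfeit certificate accepted:", remote_endpoint_trusted(COUNTERFEIT_DER, pinned))
    print("passive<->passive can connect:", tunnel_can_connect("passive", "passive"))
```

The point of pinning the fingerprint out of band rather than trusting whatever Detect remote certificate returns is visible in the last two prints: a counterfeit certificate presented at detection time would have been pinned instead, and the genuine one rejected afterwards.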

DNS Settings

DNS must be set properly at both ends of the tunnel so that hosts in the remote network can be reached by their DNS names. One method is to add DNS records for the hosts (to the hosts file) at each endpoint. However, this method is laborious and inflexible.

If the DNS plug-in in WinRoute is used as the DNS server at both ends of the tunnel, DNS queries for hostnames in the domain of the other end can be forwarded to the DNS plug-in at that end of the tunnel (for DNS rules, refer to chapter 8.1  DNS plug-in). A DNS domain (or subdomain) must be used at both sides of the tunnel.

Note: To provide correct forwarding of DNS queries sent from the WinRoute host itself (at either side of the VPN tunnel), these queries must be processed by the DNS plug-in. To achieve this, set the DNS server on each firewall interface connected to the local network “to its own” address (i.e. use the IP address of that very interface as the DNS server address).

Detailed guidance for the DNS configuration is provided in the example in chapter 23.5  Example of Kerio VPN configuration: company with a filial office.

Routing settings

On the Advanced tab, you can set which method will be used to add routes provided by the remote endpoint of the tunnel to the local routing table as well as define custom routes to remote networks.

Routing in Kerio VPN is described in detail in chapter 23.4  Exchange of routing information.

Figure 23.10. VPN tunnel's routing configuration

Connection establishment

Active endpoints automatically attempt to re-establish the connection whenever they detect that the corresponding tunnel has been disconnected (the first connection attempt is made immediately after the tunnel is defined and the Apply button in Configuration → Interfaces is clicked, i.e. as soon as the corresponding traffic is allowed — see below).

A VPN tunnel can be disabled with the Disable button. When a tunnel is disabled, disable it at both endpoints.

Note: VPN tunnels keep their connection alive (by sending special packets at regular intervals) even when no data is transmitted. This protects tunnels from being disconnected by other firewalls or network devices between the ends of the tunnel.

Traffic Policy Settings for VPN

Once the VPN tunnel is created, it is necessary to allow traffic between the LAN and the network connected by the tunnel and to allow the outgoing connection for the Kerio VPN service (from the firewall to the Internet). If basic traffic rules have already been created by the wizard (refer to chapter 23.2  Configuration of VPN clients), simply add the corresponding VPN tunnel to the Local Traffic rule and the Kerio VPN service to the Firewall traffic rule. The resulting traffic rules are shown in figure 23.11  Traffic Policy Settings for VPN.

Figure 23.11. Traffic Policy Settings for VPN

Note:

  1. To keep the examples in this guide as simple as possible, it is assumed that the Firewall traffic rule allows access to any service at the firewall (see figure 23.12  Common traffic rules for VPN tunnel). Under these conditions, it is not necessary to add the Kerio VPN service to the rule.

    Figure 23.12. Common traffic rules for VPN tunnel

  2. Traffic rules set by this method allow full IP communication between the local network, remote network and all VPN clients. For access restrictions, define corresponding traffic rules (for local traffic, VPN clients, VPN tunnel, etc.). Examples of traffic rules are provided in chapter 23.5  Example of Kerio VPN configuration: company with a filial office.
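To make the two notes above concrete, the following added Python model (not WinRoute's policy engine) evaluates a small first-match traffic policy: the wizard's rules before the tunnel is added, the same rules after the tunnel interface and the Kerio VPN service are added, and a restriction placed above the broad Local Traffic permit. Rule names, interface names ("LAN", "VPN clients", "VPN tunnel Office", "Firewall") and services are constructed for the demonstration; top-down first-match evaluation with an implicit final deny is assumed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = "Any"


@dataclass(frozen=True)
class Packet:
    """A simplified connection: where it comes from, where it goes, which service."""
    source: str        # interface or host group, e.g. "LAN", "VPN tunnel Office"
    destination: str
    service: str       # e.g. "HTTP", "Kerio VPN"


@dataclass(frozen=True)
class Rule:
    name: str
    sources: FrozenSet[str]
    destinations: FrozenSet[str]
    services: FrozenSet[str]
    action: str        # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return ((ANY in self.sources or pkt.source in self.sources)
                and (ANY in self.destinations or pkt.destination in self.destinations)
                and (ANY in self.services or pkt.service in self.services))


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """The first matching rule from the top decides; unmatched traffic is dropped."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def wizard_policy() -> List[Rule]:
    """Constructed approximation of the rules the VPN wizard leaves behind."""
    return [
        Rule("Local Traffic", frozenset({"LAN", "VPN clients"}),
             frozenset({"LAN", "VPN clients"}), frozenset({ANY}), "permit"),
        Rule("Firewall traffic", frozenset({"Firewall"}), frozenset({ANY}),
             frozenset({"HTTP", "DNS"}), "permit"),
    ]


def with_tunnel(policy: List[Rule], tunnel: str) -> List[Rule]:
    """Add the tunnel interface to Local Traffic and Kerio VPN to Firewall traffic."""
    updated = []
    for rule in policy:
        if rule.name == "Local Traffic":
            rule = Rule(rule.name, rule.sources | {tunnel}, rule.destinations | {tunnel},
                        rule.services, rule.action)
        elif rule.name == "Firewall traffic":
            rule = Rule(rule.name, rule.sources, rule.destinations,
                        rule.services | {"Kerio VPN"}, rule.action)
        updated.append(rule)
    return updated


def with_restriction(policy: List[Rule], tunnel: str, blocked_service: str) -> List[Rule]:
    """A restriction is a deny rule placed *above* the broad Local Traffic permit;
    placed below it, it would never be reached."""
    deny = Rule(f"No {blocked_service} from {tunnel}", frozenset({tunnel}),
                frozenset({"LAN"}), frozenset({blocked_service}), "deny")
    return [deny] + policy


if __name__ == "__main__":
    tunnel = "VPN tunnel Office"
    probes = [
        Packet(tunnel, "LAN", "HTTP"),
        Packet("LAN", tunnel, "SMB"),
        Packet("Firewall", "Internet", "Kerio VPN"),
    ]
    for label, policy in [("wizard only", wizard_policy()),
                          ("tunnel added", with_tunnel(wizard_policy(), tunnel)),
                          ("SMB restricted", with_restriction(
                              with_tunnel(wizard_policy(), tunnel), tunnel, "SMB"))]:
        print(label, [evaluate(policy, p) for p in probes])
```

Run as a script, the first row shows that without the tunnel in Local Traffic and Kerio VPN in Firewall traffic nothing related to the tunnel passes; the second row shows the full IP communication the notes describe; the third shows how a narrower deny above the permit carves out an exception without touching the rest.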