4.1  Headquarters configuration

  1. In WinRoute under Configuration / Interfaces select a VPN server, open its settings dialog and enable it.

    Note: A free subnet selected for the VPN is now filled in automatically in the VPN network and Mask entries. There is no reason to change the network.

    Use the Edit SSL certificate button to create an SSL certificate with the name of the corresponding server (e.g. kwf.company.com). This certificate is used for identification of the VPN server.

    Note: It is recommended to later replace this generated certificate with a certificate issued by a trusted public certification authority.

  2. Create a passive endpoint of the VPN tunnel (the office's server uses a dynamic IP address, so the active endpoint of the tunnel must be at the office). For the remote endpoint's SSL certificate fingerprint, enter the fingerprint of the certificate of the branch office VPN server.

  3. Add the VPN tunnel to the Local Traffic rule (created by the Network Rules Wizard, see chapter 2.4  Basic Traffic Policy Configuration).

    Name           Source                 Destination            Service  Action  Translation
    Local Traffic  Firewall               Firewall               Any      Allow
                   All VPN clients        All VPN clients
                   Tunnel to the office   Tunnel to the office
                   Trusted / local        Trusted / local

    Table 4.1. Headquarters — the Local Traffic rule


  4. In the configuration of the DNS Forwarder (refer to chapter 2.6  DNS configuration), enable the Use custom forwarding option. Define rules for the filial.company.com domain. As the server for DNS forwarding, specify the IP address of the remote firewall host's interface (i.e. the interface connected to the local network at the other end of the tunnel).

    Domain / Network            DNS server(s)
    10.1.1.0 / 255.255.255.0    10.1.1.1
    filial.company.com          10.1.1.1

    Table 4.2. Headquarters — DNS forwarding configuration
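
To check which lookups the rules in Table 4.2 keep inside the tunnel, the following added example (not WinRoute code and not part of the original manual) models the rule lookup in Python. It assumes that a domain rule matches the domain and any name below it, that a network rule applies to reverse (PTR) queries for addresses in that subnet, and that unmatched queries go to the default forwarders; pick_forwarder and ptr_name_to_ip are hypothetical names.

```python
import ipaddress

# Rules from Table 4.2 (headquarters side). Matching semantics are assumed.
DOMAIN_RULES = {"filial.company.com": "10.1.1.1"}
NETWORK_RULES = {ipaddress.ip_network("10.1.1.0/255.255.255.0"): "10.1.1.1"}


def ptr_name_to_ip(qname):
    """Return the IPv4 address encoded in an in-addr.arpa name, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        # Reverse names list the octets in reverse order.
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def pick_forwarder(qname, qtype="A"):
    """Return the DNS server a query is forwarded to, or None when no
    custom rule matches (the default forwarders are used)."""
    name = qname.rstrip(".").lower()
    if qtype == "PTR":
        ip = ptr_name_to_ip(name)
        if ip is not None:
            for net, server in NETWORK_RULES.items():
                if ip in net:
                    return server
        return None
    for domain, server in DOMAIN_RULES.items():
        # Match the domain itself or a name below it, on a label boundary,
        # so that notfilial.company.com is not sent through the tunnel.
        if name == domain or name.endswith("." + domain):
            return server
    return None


if __name__ == "__main__":
    # Constructed sample queries.
    samples = [("pc7.filial.company.com", "A"),
               ("25.1.1.10.in-addr.arpa", "PTR"),
               ("notfilial.company.com", "A"),
               ("5.2.1.10.in-addr.arpa", "PTR"),
               ("www.example.org", "A")]
    for q, t in samples:
        print(f"{t:4} {q:26} -> {pick_forwarder(q, t) or 'default forwarders'}")
```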