23.1  VPN Server Configuration

The VPN server connects remote endpoints of VPN tunnels and remote clients that use Kerio VPN Client.

Note: Connections to the VPN server from the Internet must first be allowed by traffic rules. For details, refer to chapters 23.2  Configuration of VPN clients and 23.3  Interconnection of two private networks via the Internet (VPN tunnel).

The VPN server appears as a special interface in the Interfaces tab of the Configuration → Interfaces section.

Figure 23.1. Viewing VPN server in the table of interfaces

Double-click the VPN server interface (or select it and click Edit, or choose Edit from the context menu) to open a dialog in which the VPN server parameters can be set.

VPN subnet and SSL certificate

Figure 23.2. VPN server settings — basic parameters

Enable VPN server

Use this option to enable or disable the VPN server. The VPN server uses both TCP and UDP; port 4090 is used by default (the port can be changed in the advanced options, but this is usually not necessary). If the VPN server is not used, it is recommended to disable it.

The change is applied when you click Apply in the Interfaces tab.

IP address assignment

Specifies the subnet (an IP address and the corresponding network mask) from which IP addresses are assigned to VPN clients and to remote endpoints of VPN tunnels that connect to this server (all of them are connected through this subnet).

By default (on the first start-up after installation), WinRoute automatically selects a free subnet to be used for the VPN. Under usual circumstances it is not necessary to change it. After the VPN server settings have been changed for the first time, the most recently used subnet is kept (automatic detection is not performed again).

Warning

Make sure that the subnet for VPN clients does not collide with any local subnet!

WinRoute can detect a collision of the VPN subnet with local subnets. A collision may arise when the configuration of a local network is changed (IP addresses changed, a new subnet added, etc.), or when the VPN subnet is not selected carefully. If the VPN subnet collides with a local network, a warning is displayed when the settings are saved (by clicking Apply in the Interfaces tab). In such a case, redefine the VPN subnet.

Figure 23.3. VPN server — detection of IP collision

After each change in the configuration of the local network and/or of the VPN, check that no IP collision is reported!

Notes:

  1. Under certain circumstances, a collision with the local network may also arise when the VPN subnet was set automatically (if the configuration of the local network is changed later).

  2. For VPN tunnels, it is also checked when the connection is established that the VPN subnet does not collide with IP ranges at the other end of the tunnel (the remote endpoint).

    If a collision with an IP range is reported on startup of the VPN server (after clicking Apply in the Interfaces tab), the VPN subnet must be set manually. Select a network that is not used by any of the local networks participating in the connection. The VPN subnets at the two ends of the tunnel must not be identical (two different free subnets must be selected).

  3. VPN clients can also be assigned IP addresses according to their login usernames. For details, see chapter 15.1  Viewing and definitions of user accounts.
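The following Python script is an added example (not part of the WinRoute documentation or product) that models the collision checks described above: the VPN subnet against the server's local subnets, against the ranges behind a tunnel's remote endpoint, and against the VPN subnet used at the other end of the tunnel, plus a first-free-candidate selection that mirrors the automatic choice. All subnet values in it are constructed.

```python
import ipaddress
from typing import Iterable, List, Optional


def vpn_subnet_collisions(vpn_subnet: str,
                          local_subnets: Iterable[str],
                          remote_ranges: Iterable[str] = (),
                          remote_vpn_subnet: Optional[str] = None) -> List[str]:
    """Return one warning per detected collision (empty list = subnet is usable).

    vpn_subnet         subnet handed out to VPN clients / tunnel endpoints,
                       given as address/prefix or address/netmask
    local_subnets      networks on the VPN server's own interfaces
    remote_ranges      networks behind a tunnel's remote endpoint
    remote_vpn_subnet  VPN subnet used by the server at the other end of the
                       tunnel; the manual requires the two not to be identical
    """
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    problems = []
    for net in local_subnets:
        if vpn.overlaps(ipaddress.ip_network(net, strict=False)):
            problems.append(f"VPN subnet {vpn} collides with local subnet {net}")
    for net in remote_ranges:
        if vpn.overlaps(ipaddress.ip_network(net, strict=False)):
            problems.append(f"VPN subnet {vpn} collides with remote range {net}")
    if remote_vpn_subnet is not None and \
            vpn == ipaddress.ip_network(remote_vpn_subnet, strict=False):
        problems.append(f"VPN subnet {vpn} is identical to the remote VPN subnet")
    return problems


def pick_free_vpn_subnet(candidates: Iterable[str], local_subnets: Iterable[str],
                         remote_ranges: Iterable[str] = (),
                         remote_vpn_subnet: Optional[str] = None) -> Optional[str]:
    """Mimic automatic selection: first candidate with no collisions, else None."""
    local = list(local_subnets)
    remote = list(remote_ranges)
    for cand in candidates:
        if not vpn_subnet_collisions(cand, local, remote, remote_vpn_subnet):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    LOCAL = ["192.168.1.0/255.255.255.0", "10.10.0.0/16"]
    for warning in vpn_subnet_collisions("10.10.5.0/24", LOCAL):
        print("warning:", warning)
    print("chosen:", pick_free_vpn_subnet(["10.10.5.0/24", "172.16.0.0/24"], LOCAL))
```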

SSL certificate

Information about the current VPN server certificate. This certificate is used to verify the server's identity when a VPN tunnel is created (for details, refer to chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)). The VPN server in WinRoute uses a standard SSL certificate.

When defining a VPN tunnel, the certificate fingerprint of the local endpoint must be sent to the remote endpoint and vice versa (mutual verification of identity; see chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)).

Hint

The certificate fingerprint can be copied to the clipboard and pasted into a text file, email message, etc.

Click Change SSL Certificate to set parameters for the VPN server's certificate. You can either create a custom (self-signed) certificate or import a certificate issued by a certification authority. The created certificate is saved in the sslcert subdirectory of the WinRoute installation directory as vpn.crt, and the corresponding private key is saved at the same location as vpn.key.

The methods for creating and importing SSL certificates are described in detail in chapter 11.1  Web interface preferences.

Note: If you already have a certificate issued by a certification authority specifically for your server (e.g. for the secured Web interface), it can also be used for the VPN server; there is no need to apply for a new certificate.
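The following Python script is an added example (not part of the WinRoute documentation or product) of the fingerprint exchange described above: it computes the fingerprint of a PEM certificate such as sslcert/vpn.crt and compares it, separator- and case-insensitively and in constant time, with the fingerprint received from the other endpoint. It assumes the fingerprint is a digest of the certificate's DER encoding (SHA-1 by default); the PEM content is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the contents of sslcert/vpn.crt; it is NOT a real
# certificate, just bytes wrapped in PEM armour so the functions below can run.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM file."""
    m = PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER encoding.

    Assumption: the fingerprint shown in the WinRoute dialog is a digest of the
    DER encoding; SHA-1 is the common default, pass algo="sha256" otherwise."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(presented: str, expected: str) -> bool:
    """Compare two fingerprints ignoring case and separators, in constant time."""
    a = re.sub(r"[^0-9a-fA-F]", "", presented).upper()
    b = re.sub(r"[^0-9a-fA-F]", "", expected).upper()
    return len(a) == len(b) > 0 and hmac.compare_digest(a, b)


def verify_remote_certificate(pem_text: str, expected_fp: str, algo: str = "sha1") -> bool:
    """True only if the certificate's fingerprint equals the one received out of band."""
    return fingerprints_match(fingerprint(pem_to_der(pem_text), algo), expected_fp)


if __name__ == "__main__":
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("local fingerprint:", fp)
    print("remote matches?  ", verify_remote_certificate(SAMPLE_PEM, fp.lower()))
```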

DNS configuration for VPN clients

To allow VPN clients to access local hosts by hostname, they need at least one local DNS server.

Figure 23.4. VPN server settings — specification of DNS servers for VPN clients

WinRoute's VPN server offers the following DNS server configuration options:

  • Use WinRoute as DNS server — the IP address of the corresponding interface of the WinRoute host is used as the DNS server for VPN clients (VPN clients use the DNS module; see chapter 8.1  DNS module). This is the default option when the DNS module is enabled in WinRoute.

    If the DNS module is already used as the DNS server for local hosts, it is recommended to use it for VPN clients as well. The DNS module provides the fastest responses to client DNS requests and avoids possible collisions (inconsistencies) between DNS records.

  • Specific DNS servers — a primary and optionally also a secondary DNS server are set for VPN clients.

    Use this option if a DNS server other than WinRoute's DNS module is used in the local network.

A DNS domain extension is also assigned to VPN clients. The domain extension specifies the local domain. If the VPN client's extension matches the local domain of the network it connects to, it can address hosts in that network by short hostname (e.g. server). Otherwise, the fully qualified name including the domain is required (e.g. server.company.local).

The DNS domain extension can be detected automatically or set manually:

  • Automatic detection can be used when the WinRoute host belongs to an Active Directory domain and/or when firewall users are authenticated in that domain (see chapter 15.1  Viewing and definitions of user accounts).

  • The DNS domain must be specified manually for a Windows NT domain or a network without a domain, or when a different domain extension is desirable (e.g. when multiple Active Directory domains are mapped).

Note: The DNS servers assigned by the VPN server are used as the primary/secondary DNS server(s) on the client host. This means that all DNS queries from the client host are sent to these servers. In most cases, however, this kind of “redirection” has no side effects. When the VPN connection is closed, the original DNS configuration is restored.

WINS configuration for VPN clients

The WINS service resolves hostnames to IP addresses within Microsoft Windows networks. Assigning a WINS server address allows VPN clients to browse LAN hosts (Network Neighborhood / My Network Places).

Figure 23.5. VPN server settings — specification of WINS servers for VPN clients

WinRoute can either detect WINS servers automatically (from its host's configuration) or use specified addresses of primary and/or secondary WINS server(s). Automatic configuration can be used if you are sure that the WINS servers on the WinRoute host are set correctly.

Advanced Options

Figure 23.6. VPN server settings — server port and routes for VPN clients

Listen on port

The port on which the VPN server listens for incoming connections (both TCP and UDP are used). Port 4090 is set by default (under usual circumstances it is not necessary to switch to another port).

Notes:

  1. If the VPN server is already running, all VPN clients are automatically disconnected when the port is changed.

  2. If the VPN server cannot be started on the specified port (the port is used by another service), the following error is reported in the Error log (see chapter 22.8  Error Log) when you click Apply:

    (4103:10048) Socket error: Unable to bind socket for service to port 4090.

    (5002) Failed to start service "VPN" bound to address 192.168.1.1.

    To make sure that the specified port is really free, check the Error log and confirm that no error of this type has been reported.
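The following Python script is an added example (not part of the WinRoute documentation or product) of the check behind note 2: because the VPN server binds the same port number for both TCP and UDP, a port is only usable if both binds succeed. The function tries both and reports which one fails; the `occupy_tcp` helper exists only to demonstrate the in-use case on a loopback port.

```python
import socket


def port_is_free(port: int, address: str = "0.0.0.0") -> dict:
    """Try to bind address:port for both TCP and UDP, as the VPN server does.

    Returns {"tcp": bool, "udp": bool}; False means the bind failed, which is
    the condition behind the (4103:10048) socket error in the Error log
    (10048 is the Windows WSAEADDRINUSE code; POSIX systems raise EADDRINUSE).
    """
    result = {}
    for name, kind in (("tcp", socket.SOCK_STREAM), ("udp", socket.SOCK_DGRAM)):
        s = socket.socket(socket.AF_INET, kind)
        try:
            s.bind((address, port))
            result[name] = True
        except OSError:
            result[name] = False
        finally:
            s.close()
    return result


def occupy_tcp(address: str = "127.0.0.1"):
    """Demo helper: open a TCP listener on a free loopback port, return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((address, 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    print("4090 on all interfaces:", port_is_free(4090))
    holder, port = occupy_tcp()
    print(f"port {port} while a TCP service holds it:", port_is_free(port, "127.0.0.1"))
    holder.close()
    print(f"port {port} after the service stopped:", port_is_free(port, "127.0.0.1"))
```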

Custom Routes

Other networks to which a route via the VPN will be set on the client can be specified in this section. By default, routes to all local subnets on the VPN server's side are defined (see chapter 23.4  Exchange of routing information).

Hint

Use the 255.255.255.255 network mask to define a route to a single host. This is helpful, for example, when adding a route to a host in the demilitarized zone on the VPN server's side.