VPN Server Configuration
VPN server is used for connection of remote endpoints of VPN tunnels and of remote clients using Kerio VPN Client.
Note: Connection to the VPN server from the Internet must first be allowed by traffic rules. For details, refer to chapters Configuration of VPN clients and Interconnection of two private networks via the Internet (VPN tunnel).
VPN server is available in the Interfaces tab of the Configuration / Interfaces section as a special interface.
Double-click the VPN server interface (or select it and click Edit, or choose Edit from the context menu) to open a dialog where the parameters of the VPN server can be set.
General
Enable VPN server
Use this option to enable/disable VPN server. VPN server uses TCP and UDP protocols, port 4090 is used as default (the port can be changed in advanced options, however, it is usually not necessary to change it). If the VPN server is not used, it is recommended to disable it.
The action will be applied upon clicking the Apply button in the Interfaces tab.
IP address assignment
Specification of a subnet (i.e. IP address and a corresponding network mask) from which IP addresses will be assigned to VPN clients and to remote endpoints of VPN tunnels which connect to the server (all clients will be connected through this subnet).
By default (upon the first start-up after installation), WinRoute automatically selects a free subnet which will be used for VPN. Under usual circumstances, it is not necessary to change the default subnet.
Warning: Make sure that the subnet for VPN clients does not collide with any local subnet!
WinRoute can detect a collision of the VPN subnet with local subnets. The collision may arise when configuration of a local network is changed (change of IP addresses, addition of a new subnet, etc.), or when a subnet for VPN is not selected carefully. If the VPN subnet collides with a local network, a warning message is displayed upon saving of the settings (by clicking Apply in the Interfaces tab). In such cases, redefine the VPN subnet.
It is recommended to check whether IP collision is not reported after each change in configuration of the local network or/and of the VPN!
Notes:
- Under certain circumstances, a collision with the local network might also arise when the VPN subnet is set automatically (if the configuration of the local network is changed later).
- For VPN tunnels, it is also checked while the connection is being established whether the VPN subnet collides with the IP ranges at the other end of the tunnel (the remote endpoint).
  If a collision with an IP range is reported after a change of the VPN server configuration (upon clicking Apply in the Interfaces tab), the VPN subnet must be set by hand. Select a network which is not used by any of the local networks participating in the connection. The VPN subnets at the two ends of the tunnel must not be identical (two free subnets must be selected).
- VPN clients can also be assigned IP addresses according to their login usernames. For details, refer to chapter User Accounts.
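The collision checks described above (VPN subnet against local subnets, against the remote endpoint's ranges, and the two tunnel ends against each other) can be reproduced offline with the Python standard library. The following is an added example, not Kerio's code; the candidate pool used by pick_free_subnet (172.16.0.0/12 split into /24s) and the sample networks are assumptions made for the demonstration, not WinRoute's actual selection rule.

```python
# Added example (not Kerio's code): reproduces the VPN-subnet collision checks
# described in the manual using only the standard-library `ipaddress` module.
from ipaddress import ip_network
from typing import Iterable, List, Optional, Tuple


def find_collisions(vpn_subnet: str, other_subnets: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (vpn_subnet, other_subnet) for every range that overlaps the VPN subnet."""
    vpn = ip_network(vpn_subnet, strict=False)
    return [(str(vpn), str(net))
            for net in (ip_network(s, strict=False) for s in other_subnets)
            if vpn.overlaps(net)]


def pick_free_subnet(used_subnets: Iterable[str], pool: str = "172.16.0.0/12",
                     prefix: int = 24) -> Optional[str]:
    """Mimic automatic selection: the first subnet of `prefix` length from `pool`
    that overlaps nothing already in use. Pool and prefix are assumptions for
    this example, not WinRoute's real selection rule."""
    used = [ip_network(s, strict=False) for s in used_subnets]
    for candidate in ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def check_tunnel(local_vpn: str, local_lans: Iterable[str],
                 remote_vpn: str, remote_lans: Iterable[str]) -> List[str]:
    """Run the checks the manual describes for a VPN tunnel; return the problems found."""
    problems = []
    # 1. The VPN subnet must not collide with any local subnet on this side.
    for vpn, lan in find_collisions(local_vpn, local_lans):
        problems.append(f"VPN subnet {vpn} collides with local network {lan}")
    # 2. When the tunnel is established, the VPN subnet is also compared with
    #    the IP ranges at the remote endpoint.
    for vpn, lan in find_collisions(local_vpn, remote_lans):
        problems.append(f"VPN subnet {vpn} collides with remote network {lan}")
    # 3. The VPN subnets at the two ends must not be identical (or overlap at all).
    if ip_network(local_vpn, strict=False).overlaps(ip_network(remote_vpn, strict=False)):
        problems.append(f"VPN subnets {local_vpn} and {remote_vpn} overlap; "
                        "choose two free subnets")
    return problems


# Constructed sample topology (not taken from the manual).
LOCAL_LANS = ["192.168.1.0/24", "10.10.0.0/16"]
REMOTE_LANS = ["192.168.2.0/24"]

if __name__ == "__main__":
    print("collisions:", find_collisions("192.168.1.0/24", LOCAL_LANS))
    print("free subnet:", pick_free_subnet(LOCAL_LANS + REMOTE_LANS))
    for problem in check_tunnel("172.16.5.0/24", LOCAL_LANS, "172.16.5.0/24", REMOTE_LANS):
        print("WARNING:", problem)
```

Run the script after every change to the local network or the VPN configuration, feeding it the current subnet lists; an empty list from check_tunnel corresponds to WinRoute not reporting a collision on Apply.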
SSL certificate
Information about the current VPN server certificate. This certificate is used for verification of the server's identity during creation of a VPN tunnel (for details, refer to chapter Interconnection of two private networks via the Internet (VPN tunnel)). The VPN server in WinRoute uses the standard SSL certificate.
The fingerprint is required for definition of VPN tunnels (see chapter Interconnection of two private networks via the Internet (VPN tunnel)).
TIP: Certificate fingerprint can be saved to the clipboard and pasted to a text file, email message, etc.
Click Change SSL Certificate to set parameters for the certificate of the VPN server. For the VPN server, you can either create a custom (self-signed) certificate or import a certificate created by a certification authority. Methods used for creation and import of SSL certificates are described thoroughly in chapter Web Interface Parameters Configuration.
Note: If you already have a certificate issued by a certification authority specifically for your server (for the secured Web interface), it can also be used for the VPN server; it is not necessary to apply for a new certificate.
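Because the fingerprint of the VPN server certificate is what the other end of a tunnel uses to verify identity, it is worth knowing how it is derived and how to compare a copied value reliably. The following added example (not Kerio's code) computes a fingerprint as the hash of the certificate's DER encoding, normalizes copy-pasted values (colons, spaces, letter case) and compares them in constant time. DEMO_DER is a constructed stand-in, not a real X.509 certificate; the functions behave identically on real certificate data.

```python
# Added example (not Kerio's code): compute and compare an SSL certificate
# fingerprint as one would when verifying a tunnel peer out of band.
import base64
import hashlib
import hmac
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from the first CERTIFICATE block of a PEM file."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Return the fingerprint as colon-separated upper-case hex pairs (AB:CD:...).

    A certificate fingerprint is the hash of its DER encoding. SHA-1 is the form
    most UIs display; SHA-256 is the stronger choice where the peer shows it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Strip colons, spaces and case so copy-pasted fingerprints compare reliably."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprints_match(expected: str, der: bytes, algorithm: str = "sha1") -> bool:
    """Constant-time comparison of an expected fingerprint against a certificate."""
    return hmac.compare_digest(normalize(expected), normalize(fingerprint(der, algorithm)))


# Constructed stand-in for a certificate: these bytes are NOT a real X.509
# certificate, but hashing and comparison work identically on real DER data.
DEMO_DER = b"constructed demo bytes standing in for a DER certificate"
DEMO_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(DEMO_DER).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(DEMO_PEM)
    print("SHA-1   :", fingerprint(der))
    print("SHA-256 :", fingerprint(der, "sha256"))
```

To verify a real server, export its certificate in PEM form, compute the fingerprint with this script, and compare it with the value shown in the VPN server dialog (or sent to the administrator of the other tunnel endpoint); a mismatch means the certificate presented is not the one expected.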
DNS
Specify a DNS server which will be used for VPN clients:
- Use WinRoute as DNS server: the IP address of the corresponding interface of the WinRoute host will be used as the DNS server for VPN clients (VPN clients will use the DNS forwarder).
  If the DNS Forwarder is already used as the DNS server for local hosts, it is recommended to use it for VPN clients as well. The DNS forwarder provides the fastest responses to client DNS requests, and possible collisions (inconsistencies) of DNS records are avoided.
  Note: If the DNS forwarder is disabled (refer to chapter DNS Forwarder), this option is not available.
- Use specific DNS servers: the primary and secondary DNS servers specified through this option will be set for VPN clients.
  Use this option if a DNS server other than the DNS forwarder in WinRoute is used in the local network.
Advanced
Listen on port
The port on which the VPN server listens for incoming connections (both TCP and UDP protocols are used). The port 4090 is set as default (under usual circumstances it is not necessary to switch to another port).
Notes:
- If the VPN server is already running, all VPN clients will be automatically disconnected when the port is changed.
- If the VPN server cannot be started on the specified port (the port is used by another service), the following error is reported in the Error log (see chapter Error Log) upon clicking Apply:
  (4103:10048) Socket error: Unable to bind socket for service to port 4090.
  (5002) Failed to start service "VPN" bound to address 192.168.1.1.
  To make sure that the specified port is really free, check the Error log for errors of this type.
Custom Routes
Other networks to which a route via the VPN tunnel will be set for the client can be specified in this section. By default, routes to all local subnets at the VPN server's side are defined (see chapter Exchange of routing information).
TIP: Use the 255.255.255.255 network mask to define a route to a single host. This is helpful, for example, when adding a route to a host in the demilitarized zone at the VPN server's side.
