Interconnection of two private networks via the Internet (VPN tunnel)
WinRoute (version 6.0.0 or later) including support for VPN (VPN support is included in the typical installation see chapter Installation) must be installed in both networks to enable creation of an encrypted tunnel between a local and a remote network via the Internet (VPN tunnel).
Note: Each installation of WinRoute requires its own license (see chapter Registration and Licensing Policy).
Setting up VPN servers
First, the VPN server must be allowed by the traffic policy and enabled at both ends of the tunnel. For detailed description on configuration of VPN servers, refer to chapter VPN Server Configuration.
Definition of a tunnel to a remote server
VPN tunnel to the server on the other side must be defined at both ends. Use the Add / VPN tunnel option in the Interfaces section to create a new tunnel.
Name of the tunnel
Each VPN tunnel must have a unique name. This name will be used in the table of interfaces, in traffic rules (see chapter Definition of Custom Traffic Rules) and interface statistics (details in chapter Interface statistics).
Configuration
Selection of a mode for the local end of the tunnel:
- Active: this side of the tunnel will automatically attempt to establish and maintain a connection to the remote VPN server.
The remote VPN server must be specified in the Remote hostname or IP address entry. If the remote VPN server does not use port 4090, the port number must be appended after a colon (e.g. server.company.com:4100 or 10.10.100.20:9000).
This mode is available if the IP address or DNS name of the other side of the tunnel is known and the remote endpoint is allowed to accept incoming connections (i.e. the communication is not blocked by a firewall at the remote end of the tunnel).
- Passive: this end of the tunnel will only listen for an incoming connection from the remote (active) side.
The passive mode is only useful when the local end of the tunnel has a fixed IP address and when it is allowed to accept incoming connections.
At least one end of each VPN tunnel must be switched to the active mode (passive endpoints cannot initiate a connection).
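The rules above (an active end needs a remote host, the port defaults to 4090 unless given after a colon, and at least one end of a tunnel must be active) can be checked before the tunnel is applied. The following is an added example written for this page, not WinRoute's own code; the TunnelEndpoint class and function names are assumptions made for the illustration.

```python
"""Validation of a VPN tunnel endpoint definition (added example; not WinRoute code).

Encodes the rules from the manual: an active endpoint needs a remote host
specification ('host' or 'host:port', port defaulting to 4090), and at least
one end of a tunnel must be active. TunnelEndpoint and the function names
are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_VPN_PORT = 4090  # default VPN server port named in the manual


def parse_remote_spec(spec: str) -> Tuple[str, int]:
    """Split 'host' or 'host:port' into (host, port); the port defaults to 4090."""
    spec = spec.strip()
    if not spec:
        raise ValueError("remote hostname or IP address is required")
    host, sep, port_text = spec.rpartition(":")
    if not sep:
        return spec, DEFAULT_VPN_PORT          # no port given: use the default
    if not host:
        raise ValueError(f"missing host in {spec!r}")
    if not port_text.isdigit():
        raise ValueError(f"port must be numeric in {spec!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range in {spec!r}")
    return host, port


@dataclass
class TunnelEndpoint:
    name: str
    mode: str                      # "active" or "passive"
    remote: Optional[str] = None   # 'host' or 'host:port'; required in active mode


def validate_endpoint(ep: TunnelEndpoint) -> Optional[Tuple[str, int]]:
    """Return (host, port) for an active endpoint, None for a passive one."""
    if ep.mode not in ("active", "passive"):
        raise ValueError(f"{ep.name}: mode must be 'active' or 'passive'")
    if ep.mode == "passive":
        return None                            # a passive end only listens
    if not ep.remote:
        raise ValueError(f"{ep.name}: active endpoint needs a remote host specification")
    return parse_remote_spec(ep.remote)


def check_tunnel_pair(a: TunnelEndpoint, b: TunnelEndpoint) -> List[str]:
    """Collect configuration problems for the two ends of one tunnel."""
    problems: List[str] = []
    for ep in (a, b):
        try:
            validate_endpoint(ep)
        except ValueError as exc:
            problems.append(str(exc))
    if a.mode == "passive" and b.mode == "passive":
        problems.append("both ends passive: neither end can initiate the connection")
    return problems


if __name__ == "__main__":
    hq = TunnelEndpoint("HQ", "passive")
    branch = TunnelEndpoint("Branch", "active", "server.company.com:4100")
    print(check_tunnel_pair(hq, branch) or "tunnel definition is consistent")
    print(check_tunnel_pair(hq, TunnelEndpoint("Branch", "passive")))
```

Run it for a quick check of a planned tunnel; an empty problem list means the pair of definitions satisfies the constraints described in this section.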
Configuration of a remote end of the tunnel
When a VPN tunnel is being created, the identity of the remote endpoint is authenticated through the fingerprint of its SSL certificate. If the fingerprint does not match the fingerprint specified in the configuration of the tunnel, the connection is rejected.
The fingerprint of the local certificate and the entry for the remote fingerprint are both provided in the Settings for remote endpoint section. Enter the fingerprint of the remote VPN server's certificate here, and enter the fingerprint of the local server's certificate in the tunnel configuration at the remote end.
If the local endpoint is set to the active mode, the certificate of the remote endpoint and its fingerprint can be downloaded by clicking Detect remote certificate.
If the local VPN server endpoint is configured to passively accept connections, it is not possible to obtain the remote certificate fingerprint automatically; a passive endpoint cannot detect the remote certificate, so the fingerprint must be obtained manually from the remote VPN server.
However, automatic detection is quite insecure: a counterfeit certificate might be presented during detection. If the fingerprint of a false certificate is used in the tunnel configuration, a tunnel can be established with the false endpoint (the attacker), and the genuine certificate from the other side would then be rejected. Therefore, for security reasons, it is recommended to set fingerprints manually.
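The fingerprint check described in this section amounts to certificate pinning: each end hashes the DER-encoded certificate the peer presents and compares the result with the fingerprint it has configured. The following is an added example written for this page, not WinRoute's own code; the certificate bytes are constructed placeholders (a real fingerprint is computed over the real DER certificate) and the function names are assumptions.

```python
"""Certificate fingerprint pinning for a VPN tunnel (added example; not WinRoute code).

Both ends store the peer's certificate fingerprint; a peer presenting a
certificate whose fingerprint differs is rejected. Certificates are represented
by their DER bytes, which is all a fingerprint needs. The byte strings below are
constructed stand-ins, not real certificates.
"""
import hashlib
import hmac
import re

# Constructed stand-ins for the DER encoding of each endpoint's certificate.
LOCAL_CERT_DER = b"constructed-der:local-vpn-server"
REMOTE_CERT_DER = b"constructed-der:remote-vpn-server"
FORGED_CERT_DER = b"constructed-der:counterfeit-certificate"


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Return the colon-separated upper-case hex fingerprint of a DER certificate."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb' forms; return upper-case hex without separators."""
    cleaned = re.sub(r"[\s:]", "", text).upper()
    if not cleaned or re.fullmatch(r"[0-9A-F]+", cleaned) is None or len(cleaned) % 2:
        raise ValueError("fingerprint is not a hex digest")
    return cleaned


def peer_is_trusted(presented_cert_der: bytes, pinned_fingerprint: str,
                    algorithm: str = "sha256") -> bool:
    """True only if the presented certificate hashes to the pinned fingerprint."""
    try:
        expected = normalize_fingerprint(pinned_fingerprint)
    except ValueError:
        return False                       # unset or malformed pin: fail closed
    actual = normalize_fingerprint(fingerprint(presented_cert_der, algorithm))
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected, actual)


def tunnel_handshake(local_pin_of_remote: str, remote_pin_of_local: str,
                     cert_shown_by_remote: bytes, cert_shown_by_local: bytes) -> str:
    """Both ends verify the other's certificate; the tunnel comes up only if both accept."""
    local_accepts = peer_is_trusted(cert_shown_by_remote, local_pin_of_remote)
    remote_accepts = peer_is_trusted(cert_shown_by_local, remote_pin_of_local)
    if local_accepts and remote_accepts:
        return "established"
    if not local_accepts:
        return "rejected by local end: remote fingerprint mismatch"
    return "rejected by remote end: local fingerprint mismatch"


if __name__ == "__main__":
    # Fingerprints exchanged out of band and entered manually at each end.
    local_pin = fingerprint(REMOTE_CERT_DER)
    remote_pin = fingerprint(LOCAL_CERT_DER)
    print(tunnel_handshake(local_pin, remote_pin, REMOTE_CERT_DER, LOCAL_CERT_DER))
    # A counterfeit certificate presented to the local end is rejected.
    print(tunnel_handshake(local_pin, remote_pin, FORGED_CERT_DER, LOCAL_CERT_DER))
    # The failure mode from the text: if the forged certificate's fingerprint was
    # pinned during detection, the forger is accepted and the genuine peer is not.
    print(peer_is_trusted(FORGED_CERT_DER, fingerprint(FORGED_CERT_DER)),
          peer_is_trusted(REMOTE_CERT_DER, fingerprint(FORGED_CERT_DER)))
```

The last two lines show why the manual advises manual entry: pinning binds the tunnel to whatever certificate the fingerprint came from, so the fingerprint must come from the genuine remote server, not from whatever answered a detection request.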
DNS Settings
DNS must be set properly at both ends of the tunnel so that hosts in the remote network can be reached by their DNS names. One method is to add DNS records for the hosts (to the hosts file) at each endpoint. However, this method is quite laborious and inflexible.
If the DNS forwarder in WinRoute is used as the DNS server at both ends of the tunnel, queries for hostnames in the corresponding domain can be forwarded to the DNS forwarder at the other end of the tunnel (for DNS rules, refer to chapter DNS Forwarder).
Detailed guidance for the DNS configuration is provided in chapter Example of VPN tunnel configuration.
Connection establishment
Active endpoints automatically attempt to re-establish the connection whenever they detect that the corresponding tunnel has been disconnected (the first connection attempt is made immediately after the tunnel is defined and the Apply button in Configuration / Interfaces is clicked).
VPN tunnels can be disabled by the Disable button. Both ends of a selected tunnel should be automatically disabled (regardless of whether they are active or passive).
Note: VPN tunnels keep their connection alive (by sending special packets at regular intervals) even if no data is transmitted. This protects tunnels from being disconnected by other firewalls or network devices between the tunnel ends.
Traffic Policy Settings for VPN
When a VPN tunnel is created (see chapter Interconnection of two private networks via the Internet (VPN tunnel)), communication between the local network and the network connected via this tunnel must be allowed by traffic rules. If basic traffic rules have already been created by the wizard (refer to chapter Configuration of VPN clients), simply add the corresponding VPN tunnel to the Local Traffic rule.
Note: Traffic rules set by this method allow full IP communication between the local network, remote network and all VPN clients. For access restrictions, define corresponding traffic rules (for local traffic, VPN clients, VPN tunnel, etc.). Examples can be found in chapter Example of VPN tunnel configuration.
