Kerio VPN Client enables connection from a client's host to a remote private network via an encrypted communication channel (in the operating system, this channel is represented by a virtual network interface — Kerio Virtual Network). The WinRoute VPN server assigns to this interface an IP address belonging to the particular private network.

The client's operating system must be aware of routes to individual subnets of a corresponding remote network. For this purpose, Kerio VPN Client performs automatic update of the client's routing table (it adds new routes directed to remote subnets).

During these updates, routes to all remote subnets (or a route to other networks defined in the VPN server configuration) are added except those IP addresses of which collide with IP addresses of the local network to which the client is connected. Kerio VPN Client never changes the default route (i.e. configuration of the default gateway). The encrypted traffic channel is used only for connection to a remote private network. For connection to the Internet, clients use their current Internet connections.

VPN server also assigns the client an address of a primary and optionally also a secondary WINS server. These services enable to specify hosts in remote networks by their names and browse in Microsoft Windows network neighbourhood.

The change of DNS configuration has such effect that all DNS queries from the client host are sent to a DNS server in a remote private network. Users usually do not even notice any change. Upon closing of a VPN session, the original DNS and WINS settings are recovered.

Note: The Kerio VPN Client does not allow opening of more than one concurrent VPN connections. However, it is possible to connect to any number of servers, one by one.