23.1  VPN Server Configuration

The VPN server accepts connections from the remote endpoints of VPN tunnels and from remote clients running Kerio VPN Client.

Note: Connection to the VPN server from the Internet must be first allowed by traffic rules. For details, refer to chapters 23.2  Configuration of VPN clients and 23.3  Interconnection of two private networks via the Internet (VPN tunnel).

VPN server is available in the Interfaces tab of the Configuration → Interfaces section as a special interface.

Figure 23.1. Viewing VPN server in the table of interfaces

Double-click on the VPN server interface (or select the alternative and press Edit, or select Edit from the context menu) to open a dialog where parameters of the VPN server can be set.

General

Figure 23.2. VPN server settings — basic parameters

Enable VPN server

Use this option to enable/disable the VPN server. The VPN server uses both TCP and UDP; port 4090 is used by default (the port can be changed in the advanced options, though this is usually not necessary). If the VPN server is not used, it is recommended to disable it.

The action will be applied upon clicking the Apply button in the Interfaces tab.

IP address assignment

Specifies the subnet (an IP address and the corresponding network mask) from which IP addresses are assigned to VPN clients and to the remote endpoints of VPN tunnels that connect to this server (all clients are connected through this subnet).

By default (on the first start-up after installation), WinRoute automatically selects a free subnet for the VPN. Under usual circumstances it is not necessary to change this default. After the VPN server settings have been changed for the first time, the most recently used subnet is kept (automatic detection is not performed again).

Warning

Make sure that the subnet for VPN clients does not collide with any local subnet!

WinRoute can detect a collision of the VPN subnet with local subnets. The collision may arise when configuration of a local network is changed (change of IP addresses, addition of a new subnet, etc.), or when a subnet for VPN is not selected carefully. If the VPN subnet collides with a local network, a warning message is displayed upon saving of the settings (by clicking Apply in the Interfaces tab). In such cases, redefine the VPN subnet.

Figure 23.3. VPN server — detection of IP collision

It is recommended to check that no IP collision is reported after each change in the configuration of the local network and/or of the VPN!

Warning

  1. Under certain circumstances, collision with the local network might also arise when a VPN subnet is set automatically (if configuration of the local network is changed later).

  2. For VPN tunnels, the check is also performed when a connection is being established: the VPN subnet must not collide with the IP ranges at the other end of the tunnel (the remote endpoint).

    If a collision with an IP range is reported upon startup of the VPN server (upon clicking Apply in the Interfaces tab), the VPN subnet must be set manually. Select a subnet that is not used by any of the local networks participating in the connection. The VPN subnets at the two ends of the tunnel must not be identical (two different free subnets must be selected).

  3. VPN clients can also be assigned IP addresses according to login usernames. For details, see chapter 15.1  Viewing and definitions of user accounts.
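The collision check described above, written out as an added example that is not WinRoute's own code: the VPN subnet must not overlap any local subnet, nor (for tunnels) the ranges at the remote endpoint, and the two ends of a tunnel must use different VPN subnets. All networks in the block are constructed sample values, and `pick_free_subnet` goes one step beyond the manual by selecting the first candidate that collides with nothing.

```python
"""Collision check for the VPN subnet, as an added example that is not
WinRoute's own code. It mirrors the check the manual describes: the VPN
subnet must not overlap any local subnet, nor (for tunnels) the ranges at
the remote endpoint, and the two ends of a tunnel must use different VPN
subnets. All networks below are constructed sample values."""
from ipaddress import ip_network

# Constructed sample site: local LANs behind this WinRoute and the ranges
# announced by the other end of a VPN tunnel.
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.10.0/24", "10.0.0.0/16"]
REMOTE_TUNNEL_SUBNETS = ["192.168.2.0/24", "172.16.0.0/12"]


def find_collisions(vpn_subnet, local_subnets, remote_subnets=()):
    """Return [(scope, network), ...] for every network the VPN subnet
    overlaps; an empty list means the subnet is safe to use."""
    vpn = ip_network(vpn_subnet, strict=True)
    hits = []
    for scope, nets in (("local", local_subnets), ("remote", remote_subnets)):
        for n in nets:
            net = ip_network(n, strict=True)
            if vpn.overlaps(net):
                hits.append((scope, str(net)))
    return hits


def pick_free_subnet(candidates, local_subnets, remote_subnets=(), avoid=()):
    """Return the first candidate that collides with nothing. `avoid` lists
    VPN subnets already used at other tunnel endpoints, since the two ends
    of a tunnel must not share a VPN subnet."""
    blocked = list(remote_subnets) + list(avoid)
    for cand in candidates:
        if not find_collisions(cand, local_subnets, blocked):
            return cand
    return None


if __name__ == "__main__":
    for cand in ("192.168.1.0/24", "172.16.5.0/24", "192.168.100.0/24"):
        hits = find_collisions(cand, LOCAL_SUBNETS, REMOTE_TUNNEL_SUBNETS)
        print(cand, "collides with" if hits else "is free", hits or "")
```

Run it after every change to the local network or to the tunnel configuration, with the current local subnets and the ranges the remote endpoint announces as input; the manual's warning about automatically chosen subnets is exactly the case where the local list changed after the VPN subnet was picked.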

SSL certificate

Information about the current VPN server certificate. This certificate is used for verification of the server's identity during creation of a VPN tunnel (for details, refer to chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)). The VPN server in WinRoute uses the standard SSL certificate.

When defining a VPN tunnel, it is necessary to send the local endpoint's certificate fingerprint to the remote endpoint and vice versa (mutual verification of identity — see chapter 23.3  Interconnection of two private networks via the Internet (VPN tunnel)).

Hint

Certificate fingerprint can be saved to the clipboard and pasted to a text file, email message, etc.

Click Change SSL Certificate to set parameters for the VPN server's certificate. You can either create a custom (self-signed) certificate or import a certificate issued by a certification authority. The certificate is saved in the sslcert subdirectory of the WinRoute installation directory as vpn.crt, and the corresponding private key is saved at the same location as vpn.key.

Methods used for creation and import of SSL certificates are described thoroughly in chapter 11.1  Web Interface Parameters Configuration.

Note: If you already have a certificate created by a certification authority especially for your server (e.g. for secured Web interface), it is also possible to use it for the VPN server — it is not necessary to apply for a new certificate.
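The fingerprint exchange described above depends on each side computing its own certificate's fingerprint and comparing the copy received from the other endpoint. The following is an added example, not WinRoute's own code: it assumes a PEM-encoded certificate such as the vpn.crt file mentioned above, computes the digest over the DER bytes in the usual colon-separated form, and compares a pasted fingerprint while ignoring separators and case. Which digest algorithm WinRoute displays is not stated on this page, so it is a parameter; the sample bytes are constructed and are not a real certificate.

```python
"""Certificate fingerprint helper for the out-of-band check described
above. Added example, not WinRoute's own code. Assumes a PEM-encoded
certificate file such as the vpn.crt the manual mentions; the fingerprint
is a digest over the DER bytes shown as colon-separated hex (the digest
WinRoute displays is not stated on this page, so `algo` is a parameter)."""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der_bytes, algo="sha256"):
    """Digest of the DER certificate, formatted AA:BB:CC:... ."""
    digest = hashlib.new(algo, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_file(path, algo="sha256"):
    """Fingerprint of a PEM certificate on disk (e.g. sslcert/vpn.crt)."""
    with open(path, encoding="ascii") as f:
        return fingerprint(pem_to_der(f.read()), algo)


def fingerprints_match(shown, expected):
    """Compare the fingerprint received from the remote endpoint (pasted
    from mail or the clipboard) with the locally computed one. Separators,
    whitespace and case are ignored; the comparison is constant-time."""
    a = re.sub(r"[^0-9a-f]", "", shown.lower())
    b = re.sub(r"[^0-9a-f]", "", expected.lower())
    return len(a) == len(b) and hmac.compare_digest(a, b)


# Constructed stand-in: these bytes are NOT a real certificate; they are
# wrapped in PEM armour only so the parse-and-hash path runs offline.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    local_fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("local fingerprint:", local_fp)
    print("matches pasted copy:", fingerprints_match(local_fp.lower(), local_fp))
```

The comparison tolerates the formatting differences that creep in when a fingerprint travels through e-mail (line wrapping, lowercase, spaces instead of colons), but it still requires the full digest: a truncated or partial fingerprint is rejected rather than matched as a prefix.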

DNS

Figure 23.4. VPN server settings — specification of DNS servers

Specify a DNS server which will be used for VPN clients:

  • Use WinRoute as DNS server — IP address of a corresponding interface of WinRoute host will be used as a DNS server for VPN clients (VPN clients will use the DNS forwarder).

    If the DNS Forwarder is already used as a DNS server for local hosts, it is recommended to use it also for VPN clients. The DNS forwarder provides the fastest responses to client DNS requests and possible collision (inconsistency) of DNS records will be avoided.

    Note: If the DNS forwarder is disabled (refer to chapter 8.1  DNS Forwarder), the option is not available.

  • Use specific DNS servers — primary and secondary DNS servers specified through this option will be set for VPN clients.

    If another DNS server than the DNS forwarder in WinRoute is used in the local network, use this option.

Advanced

Figure 23.5. VPN server settings — server port and routes for VPN clients

Listen on port

The port on which the VPN server listens for incoming connections (both TCP and UDP protocols are used). The port 4090 is set as default (under usual circumstances it is not necessary to switch to another port).

Note:

  1. If the VPN server is already running, all VPN clients will be automatically disconnected during the port change.

  2. If it is not possible to run the VPN server at the specified port (the port is used by another service), the following error will be reported in the Error log (see chapter 22.8  Error Log) upon clicking on the Apply button:

    (4103:10048) Socket error: Unable to bind socket for service to port 4090.

    (5002) Failed to start service "VPN" bound to address 192.168.1.1.

    To verify that the specified port is really free, check the Error log for an error of this type.
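Two checks a practitioner would want around the port setting, as an added example that is not WinRoute's own code: a pre-check that tries to bind both TCP and UDP on the chosen port (the VPN server needs both), and a parser that recognises the two bind-failure lines quoted above in the Error log. The `occupy_tcp_port` helper only simulates a conflicting service for demonstration, and the sample log lines are the two shown on this page.

```python
"""Port pre-check for the VPN server and a parser for the bind-failure
lines the Error log shows. Added example, not WinRoute's own code; the
log lines below are the two quoted in the manual, and the helper that
occupies a port only simulates a conflicting service."""
import re
import socket

VPN_PORT = 4090  # WinRoute's default VPN server port


def port_is_free(port, host="0.0.0.0"):
    """Try to bind TCP and UDP on host:port (the VPN server needs both).
    Returns {"tcp": bool, "udp": bool}; True means the bind succeeded."""
    result = {}
    for name, kind in (("tcp", socket.SOCK_STREAM), ("udp", socket.SOCK_DGRAM)):
        s = socket.socket(socket.AF_INET, kind)
        try:
            s.bind((host, port))
            result[name] = True
        except OSError:  # EADDRINUSE / WSAEADDRINUSE (10048 on Windows)
            result[name] = False
        finally:
            s.close()
    return result


def occupy_tcp_port(host="0.0.0.0", port=0):
    """Simulate another service holding a port: returns a listening socket
    (port 0 lets the OS pick a free one). Close it to release the port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s


BIND_ERROR = re.compile(
    r'^\((?P<code>\d+):(?P<oserr>\d+)\) Socket error: '
    r'Unable to bind socket for service to port (?P<port>\d+)\.$')
START_ERROR = re.compile(
    r'^\((?P<code>\d+)\) Failed to start service "(?P<svc>[^"]+)" '
    r'bound to address (?P<addr>[0-9.]+)\.$')

# The two lines the manual quotes for a port conflict.
SAMPLE_LOG = [
    "(4103:10048) Socket error: Unable to bind socket for service to port 4090.",
    '(5002) Failed to start service "VPN" bound to address 192.168.1.1.',
]


def parse_error_log(lines):
    """Return one dict per bind/start failure found in Error log lines."""
    findings = []
    for line in lines:
        line = line.strip()
        m = BIND_ERROR.match(line)
        if m:
            findings.append({"kind": "bind", "code": int(m["code"]),
                             "oserr": int(m["oserr"]), "port": int(m["port"])})
            continue
        m = START_ERROR.match(line)
        if m:
            findings.append({"kind": "start", "code": int(m["code"]),
                             "service": m["svc"], "address": m["addr"]})
    return findings


if __name__ == "__main__":
    print("port", VPN_PORT, "free:", port_is_free(VPN_PORT))
    for f in parse_error_log(SAMPLE_LOG):
        print("error log:", f)
```

The pre-check binds without SO_REUSEADDR on purpose, so it reports the same conflict the server itself would hit; run it on the WinRoute host, with the address the server binds to, before clicking Apply. The parser is meant for the check the manual suggests afterwards: feed it the Error log and look for a `bind` finding on the VPN port.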

Custom Routes

Other networks to which a route will be set on the client can be specified in this section. By default, routes to all local subnets at the VPN server's side are defined (see chapter 23.4  Exchange of routing information).

Hint

Use the 255.255.255.255 network mask to define a route to a certain host. This can be helpful for example when a route to a host in the demilitarized zone at the VPN server's side is being added.
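The following added example (not WinRoute's own code) assembles the route list a client would receive from the two sources named above: the local subnets that are routed by default, plus custom routes given as address and dotted mask, where the 255.255.255.255 mask yields a host route. The networks are constructed sample values; the VPN subnet itself is excluded on the assumption that the client already reaches it through its tunnel interface, and routes covered by a broader route are dropped.

```python
"""Assemble the route list a VPN client receives: all local subnets by
default, plus custom routes, where the 255.255.255.255 mask yields a host
route. Added example, not WinRoute's own code; the networks are
constructed sample values, and the VPN subnet is excluded on the
assumption that the client reaches it through the tunnel interface."""
from ipaddress import IPv4Network

# Constructed sample configuration.
SAMPLE_LOCAL = ["192.168.1.0/24", "192.168.10.0/24"]
SAMPLE_CUSTOM = [
    ("10.1.1.5", "255.255.255.255"),      # single host in the DMZ
    ("192.168.1.50", "255.255.255.255"),  # already covered by a local subnet
    ("172.16.0.0", "255.255.0.0"),        # a network behind another router
    ("192.168.100.7", "255.255.255.255"), # inside the VPN subnet: dropped
]
SAMPLE_VPN_SUBNET = "192.168.100.0/24"


def to_network(address, dotted_mask):
    """'10.1.1.5', '255.255.255.255' -> 10.1.1.5/32 (host route);
    '172.16.3.9', '255.255.0.0' -> 172.16.0.0/16. strict=False lets the
    address carry host bits, which are masked off."""
    return IPv4Network((address, dotted_mask), strict=False)


def client_routes(local_subnets, custom_routes, vpn_subnet):
    """local_subnets: CIDR strings; custom_routes: (address, mask) pairs.
    Returns sorted CIDR strings with duplicates, routes inside the VPN
    subnet, and routes already covered by a broader route removed."""
    vpn = IPv4Network(vpn_subnet)
    nets = {IPv4Network(s) for s in local_subnets}
    nets |= {to_network(a, m) for a, m in custom_routes}
    nets = {n for n in nets if not n.subnet_of(vpn)}
    kept = [n for n in nets
            if not any(n != o and n.subnet_of(o) for o in nets)]
    return [str(n) for n in sorted(kept)]


if __name__ == "__main__":
    for r in client_routes(SAMPLE_LOCAL, SAMPLE_CUSTOM, SAMPLE_VPN_SUBNET):
        print("route", r)
```

Listing the effective routes this way makes it easy to confirm that a host route was entered with the intended /32 mask and that a custom route does not silently widen what the client can reach beyond the local subnets.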