9.1. Remote access VPN

To connect VPN clients to your corporate network, set up UserGate to operate as the VPN server. To do this, perform the following steps:

Step 1. Allow the VPN service in the zone to which VPN clients will be connecting.

Go to Network-->Zones, edit the access control parameters for the zone to which VPN clients will be connecting and allow the VPN service in this zone. In most cases, it is the Untrusted zone.

Step 2. Create a zone where your VPN clients will be placed.

Go to Network-->Zones and create a zone where you are going to place VPN clients. You will be able to use this zone in the security policies.

It is recommended that you use the existing default zone VPN for remote access.

Step 3. Create a new NAT rule for the zone.

Clients connect to the VPN using the Point-to-Point protocol. To allow traffic to flow from the zone that you created in the previous step, create a NAT rule from this zone to every other zone that the clients need to reach. Create the corresponding rule in Network policies-->NAT and routing.

By default, UserGate provides a rule called NAT from VPN for remote access to Trusted and Untrusted that allows NAT from the VPN for remote access zone to the Trusted and Untrusted zones.

Step 4. Create a firewall rule to allow the traffic flow from the created zone.

Go to Network policies-->Firewall and create a firewall rule to allow the traffic flow from the created zone to other zones.

By default, UserGate provides a firewall rule called VPN for remote access to Trusted and Untrusted that allows all the traffic from the VPN for remote access zone to the Trusted and Untrusted zones.

Step 5. Create an authentication profile.

Go to Users and devices-->Auth profiles and create an authentication profile for VPN users. You can use the same authentication profile that is set up for user authentication for Internet access. For more details on authentication profiles, please refer to the Auth profiles section.

Step 6. Create a VPN security profile.

A server profile defines the preshared key, encryption and authentication algorithms, and other settings. You can create multiple server profiles and use them for establishing connections with various client types.

To create a server profile, go to VPN-->Security profiles, click Add and fill out the following fields:

  • Name - name of the profile.

  • Description - description of the profile.

  • Preshared key - the string that must be the same on the server and on the client for a successful connection.

  • Security-->Encryption methods - pairs of authentication and encryption methods. These algorithms are applied in the same order as they appear here (from top to bottom). When establishing a new connection, the system applies the first pair that is supported by both the server and the client. For compatibility with standard VPN clients, it is recommended that you leave the default values.

By default, UserGate provides a server profile called Remote access VPN profile that defines all the necessary settings. If you are going to use this profile, make sure to change the preshared key.

Step 7. Create a VPN device.

A VPN device is a virtual network interface for connecting VPN clients. This type of interface is a clustered interface, which means it exists virtually on all of the cluster's nodes; if a high availability cluster is configured, VPN clients are automatically switched to a backup node without interrupting the VPN connection. To create a new VPN interface, click Add in Network-->Interfaces and select Add VPN. Set the following fields:

  • Name - name of the interface in the form tunnelN, where N is the number of the virtual device.

  • Description - description of the interface.

  • Zone - zone of the interface. VPN clients will belong to this zone when connected. Assign the zone created in step 2.

  • Netflow profile - optional netflow profile that will be used for this interface.

  • Mode - IP address assignment mode: Dynamic (via DHCP), Static, or No address. Static mode should be used for serving VPN clients.

  • MTU - MTU for the interface.

The VPN interface tunnel1 is preconfigured for use with the Remote access VPN.

Step 8. Create a VPN network.

A VPN network defines network settings that will be applied when a client connects to the server. These settings include assignment of IP addresses to a client within a tunnel, DNS settings, and optional routes that will be submitted to the client (providing that the client supports such routes). You can create multiple tunnels with different settings for different clients.

To create a VPN network, go to VPN-->VPN networks, click Add and fill out the following fields:

  • Name - name of the network.

  • Description - description of the network.

  • IP range - the range of addresses that will be assigned to clients. Do not include the network and broadcast addresses here.

  • Specify the DNS servers that will be provided to clients or enable the Use system DNS checkbox if you want to assign the DNS servers used by UserGate to clients.

  • Specify the routes that will be submitted to a client as classless inter-domain routing (CIDR).

UserGate already provides a network called Remote access VPN network with the recommended settings.

Step 9. Create a VPN server rule.

Create a VPN server rule based on the previously created VPN tunnel and VPN security profile. To create a rule, go to VPN-->Server rules, click Add and fill out the following fields:

  • Enabled - enables or disables the rule.

  • Name - name of the rule.

  • Description - description of the rule.

  • Security profile - server profile that you have previously created.

  • VPN network - the VPN network (tunnel) that you have previously created.

  • Auth profile - authentication profile that you have previously created.

  • Interface - VPN device that you have previously created.

  • Source - zones and addresses for which incoming VPN connections are accepted. Since most clients come from the Internet, it is recommended that you select the Untrusted zone.

  • Users - a group of users or individual users that are allowed to establish VPN connections.

By default, UserGate provides a server rule called Remote access VPN rule that uses all the necessary settings for the Remote Access VPN and allows the VPN access for all participants of the local group called VPN users.

Step 10. Set up the VPN on a client workstation.

To set up a client connection to the VPN, the following parameters must be specified on the user workstation:

  • VPN connection type - L2TP over IPSec.

  • As the IP address of the VPN server, provide the IP address of the interface in the zone specified in step 1.

  • As the preshared key (shared secret), use the preshared key that you have specified in step 6.

  • Specify the PAP protocol for user authentication.

  • As the user name, provide the user name of the account in the 'username@domain' format, e.g. testuser@testdomain.loc.

Important! For correct operation with L2TP/IPSec VPN servers, Microsoft Windows operating systems require a change to the Registry parameters. Please refer to Microsoft's article https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows for detailed instructions.
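As an added example (not part of the UserGate documentation), the following PowerShell script applies the step 10 client settings on a Windows workstation: the Registry value from the Microsoft article linked above, then an L2TP over IPSec connection with the preshared key and PAP authentication. The server address, preshared key, user name and connection name are placeholders.

```powershell
# Added example, not UserGate's own code. Run in an elevated PowerShell session.
# Placeholders: replace with the values from your own UserGate configuration.
$ServerAddress = '203.0.113.10'              # IP of the UserGate interface in the zone from step 1
$PresharedKey  = 'CHANGE-ME-PSK'             # preshared key from the security profile in step 6
$UserName      = 'testuser@testdomain.loc'   # 'username@domain' format from step 10
$ConnName      = 'UserGate-RA-VPN'           # local name of the VPN connection (assumed)

# Registry change from Microsoft article 926179 (linked in the documentation) for
# L2TP/IPsec through NAT-T: value 2 covers server and client behind NAT devices.
$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName   = 'AssumeUDPEncapsulationContextOnSendRule'
$Current = (Get-ItemProperty -Path $PolicyAgent -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($Current -ne 2) {
    New-ItemProperty -Path $PolicyAgent -Name $ValueName -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Warning "$ValueName set to 2; reboot the workstation before connecting."
}

# Recreate the connection so that a stale profile with other settings is not reused.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}

# Parameters from step 10: L2TP over IPSec, preshared key, PAP user authentication.
# Other settings are left at their defaults, as the documentation recommends.
Add-VpnConnection -Name $ConnName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PresharedKey `
    -AuthenticationMethod Pap `
    -RememberCredential `
    -Force

# PAP carries the password without its own protection; it is only acceptable here
# because the whole L2TP session runs inside the IPsec tunnel keyed by the PSK.
# Connect: rasdial uses the stored credential or prompts for the password.
rasdial $ConnName $UserName
```

The preshared key must match the one set on the server profile; if you kept the default Remote access VPN profile, change its key before using it, as step 6 notes.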