
Configure remote access: VPN Client-to-Site


Using a VPN allows you to organize secure remote access for employees via the internet to corporate services and data hosted in the Selectel infrastructure. Using the hardware-based FortiGate firewall in Selectel, you can configure remote access to private organization networks based on SSL, IPsec, and L2TP over IPsec technologies, using various software installed on remote users' computers, laptops, and mobile phones, such as:

  • the FortiClient client from Fortinet;
  • a client from Cisco;
  • built-in operating system tools.

To create a VPN tunnel on the firewall, you must first have the following configured:

  • an external interface through which devices will connect;
  • an internal network;
  • access to the FortiGate web interface.

SSL-VPN modes

  • Tunnel mode — a mode in which the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate via an SSL VPN tunnel over an HTTPS channel between the user and the FortiGate. Tunnel mode supports a variety of protocols and applications. For tunnel mode, connecting to the FortiGate requires a standalone SSL-VPN client, FortiClient. FortiClient adds a virtual network adapter to the user's computer, designated as fortissl. This virtual adapter dynamically receives an IP address from the FortiGate every time the FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is encapsulated in SSL/TLS. The main advantage of tunnel mode over web mode is that after the VPN is established, any IP network application running on the client can send traffic through the tunnel. The main disadvantage is that tunnel mode requires the installation of a software VPN client, which requires administrator privileges;

  • Web mode — a mode that provides access to the network via a web browser with built-in SSL encryption. Users authenticate via the FortiGate SSL VPN web portal, which provides access to network services and resources, including HTTP/HTTPS, Telnet, FTP, SMB/CIFS, VNC, RDP, and SSH. The Bookmarks section on the SSL-VPN portal page contains links to all or some of the resources available to the user. The Quick Connection widget allows users to enter the URL or IP address of the server they want to connect to. A web-SSL-VPN user uses these two widgets to access the internal network. The main advantage of web mode is that it generally does not require the installation of additional software. This mode has the following limitations:

    • all interaction with the internal network must be carried out exclusively using a browser (via the web portal). External network applications running on the user's computer cannot send data through the VPN;
    • the secure HTTP/HTTPS gateway mechanism works only for a few popular protocols, such as HTTP, FTP, and Windows shares, not for everything.
  • Split mode — a tunneling mode, available within tunnel mode, that directs traffic to the specified network only via the FortiGate. When split tunneling is enabled, only traffic destined for the private network behind the remote FortiGate is routed through the tunnel. All other traffic is sent over the client's regular route, outside the tunnel;

  • Full mode — a tunneling mode where split tunneling is disabled; all IP traffic generated by the client computer, including internet traffic, is routed through the SSL-VPN tunnel to the FortiGate. This sets the FortiGate as the default gateway for the host. You can use this method to apply security features to traffic on these remote clients, as well as to monitor or restrict internet access. This increases latency and bandwidth usage.

Configure SSL VPN

Create user groups

Create the users who will be granted remote access over SSL VPN and combine them into a group.

  1. Go to User & Authentication → User Definition → Create New.
  2. Create a local user, specify a username and password, and contact information if necessary.
  3. Combine the created users into a group.
  4. To create a user group, go to User & Authentication → User Groups → Create New.
  5. Specify the group name, Firewall type, and the group members created earlier.

Create SSL VPN tunnel

  1. Go to VPN → SSL-VPN Portal → Create New.
  2. Specify a name and enable Tunnel Mode.
  3. In the Source IP Pools field, specify an address pool (IP Range) that will be assigned to remote users. You can add the default pool, SSLVPN_TUNNEL_ADDR1, or a custom one configured in the same way.

In the portal settings, you can also enable client checks, restrict certain OS versions, and set other client connection parameters.

Split mode

When creating a split tunnel, traffic is routed only to the designated network.

  1. Activate Enable Split Tunneling.
  2. Select Routing Address to define the destination network that will be routed through the tunnel; that is, the remote clients will have access to these addresses.
  3. Click + and select an address from the existing ones.
  4. To create an address, click the Create button in the pop-up window or go to Policy & Objects → Addresses → Create New.

Full mode

If a full mode tunnel is required, where all remote client traffic passes through the FortiGate, the Enable Split Tunneling parameter must be disabled.
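The routing decision behind the split and full modes described above, as an added example (not code from this article or from Fortinet): given the portal's Routing Address entries, it reports which destinations a client would send through the tunnel and which leave directly, and flags the case where a split tunnel's Routing Address covers 0.0.0.0/0 (for example the address object all) and therefore behaves like full mode. The address objects and destination IPs are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-ins for Policy & Objects address entries that could be
# picked as Routing Address; "all" is modelled as 0.0.0.0/0 (assumption).
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "all": ["0.0.0.0/0"],
    "CORP_LAN": ["192.168.10.0/24", "10.10.0.0/16"],
}


def via_tunnel(dst_ip: str, split_tunneling: bool, routing_objects: Iterable[str]) -> bool:
    """True if traffic to dst_ip would be sent through the SSL-VPN tunnel.

    Full mode (split tunneling disabled): the FortiGate is the client's default
    gateway, so everything is tunneled.  Split mode: only destinations inside
    the Routing Address networks are tunneled; the rest leaves the client directly.
    """
    if not split_tunneling:
        return True
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(cidr)
               for obj in routing_objects for cidr in ADDRESS_OBJECTS[obj])


def route_table(destinations: Iterable[str], split_tunneling: bool,
                routing_objects: Iterable[str]) -> Dict[str, str]:
    """Map each destination to 'tunnel' or 'direct' for review."""
    objs = list(routing_objects)
    return {d: ("tunnel" if via_tunnel(d, split_tunneling, objs) else "direct")
            for d in destinations}


def effectively_full_mode(split_tunneling: bool, routing_objects: Iterable[str]) -> bool:
    """A split tunnel whose Routing Address includes a /0 network tunnels everything,
    which defeats the purpose of enabling split tunneling."""
    if not split_tunneling:
        return True
    return any(ipaddress.ip_network(cidr).prefixlen == 0
               for obj in routing_objects for cidr in ADDRESS_OBJECTS[obj])


# Constructed sample destinations: two internal hosts and one public address.
SAMPLE_DESTINATIONS = ["192.168.10.7", "10.10.3.3", "93.184.216.34"]

if __name__ == "__main__":
    print("split/CORP_LAN:", route_table(SAMPLE_DESTINATIONS, True, ["CORP_LAN"]))
    print("full:          ", route_table(SAMPLE_DESTINATIONS, False, ["CORP_LAN"]))
    print("split/all acts as full mode:", effectively_full_mode(True, ["all"]))
```

The last check is the one worth keeping in a review checklist: selecting all as the Routing Address silently turns a split tunnel into a full one, with the latency and bandwidth cost the Full mode description mentions.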

Web mode

Another setting is the Enable Web Mode parameter, which enables web mode. Here you can choose:

  • portal name (the Portal Message field);
  • design;
  • other settings.

The User Bookmarks field is of greatest interest — this option allows users to create their own bookmarks. In the Predefined Bookmarks field, you can create bookmarks centrally for all users. For example, you can create a bookmark for connecting to a remote desktop over the RDP protocol. This completes the SSL Tunnel configuration.

Configure general SSL VPN settings

  1. Go to VPN → SSL-VPN Settings.
  2. Specify the "listening" interface, i.e., the external interface that will receive connections from remote users (in this example — wan1), and the port they will connect through. When choosing the port, make sure it does not overlap with the ports used for administrative access: the default, 443, may conflict with the HTTPS port of the administrative interface.
  3. In the Restrict Access parameter, specify Allow access from any hosts or, if you need to restrict access, click Limit access to specific hosts and grant access to specific hosts.
  4. Specify the idle period after which the user will be forcibly disconnected from the VPN by enabling the Idle Logout parameter and setting a value in the Inactive For parameter; the default is 300 seconds.
  5. Select a certificate for the Server Certificate parameter. This certificate is used for authentication and encryption of SSL VPN traffic. By default, this is the built-in Fortinet_Factory. You can work with the built-in certificate, but users will see a warning that the certificate is invalid because there is no CA certificate in the certificate store that signed the current SSL certificate. It is recommended to purchase a certificate for your server and upload it for authentication.
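A small configuration check for the settings listed in the five steps above, added here as an example and not taken from this article or from FortiOS: it models the listening port, the Restrict Access list, Idle Logout and the Server Certificate choice, reports the problems the text warns about (a port shared with administrative access, the built-in Fortinet_Factory certificate, unrestricted source hosts), and evaluates whether a given source address would pass the Restrict Access list. The settings objects, port numbers and source networks are constructed; the administrative ports are an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SslVpnSettings:
    """Subset of VPN > SSL-VPN Settings modelled by this check (constructed)."""
    listen_interface: str                      # e.g. "wan1"
    listen_port: int                           # port remote users connect through
    admin_ports: Set[int]                      # ports used for admin access on that interface (assumption)
    restrict_to_hosts: List[str] = field(default_factory=list)  # empty = "Allow access from any hosts"
    idle_logout: bool = True
    inactive_for: int = 300                    # seconds; the default named on the page
    server_certificate: str = "Fortinet_Factory"


def lint_settings(s: SslVpnSettings) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    if s.listen_port in s.admin_ports:
        findings.append(f"SSL-VPN port {s.listen_port} on {s.listen_interface} "
                        "collides with a port used for administrative access")
    if not s.restrict_to_hosts:
        findings.append("Restrict Access allows any host; use 'Limit access to specific hosts' "
                        "if the client source networks are known")
    else:
        for entry in s.restrict_to_hosts:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"Restrict Access entry {entry!r} is not a valid host or network")
    if not s.idle_logout:
        findings.append("Idle Logout is disabled; inactive sessions are never closed automatically")
    if s.server_certificate == "Fortinet_Factory":
        findings.append("built-in Fortinet_Factory certificate in use; clients will see an "
                        "untrusted-certificate warning until a CA-signed certificate is uploaded")
    return findings


def source_allowed(s: SslVpnSettings, src_ip: str) -> bool:
    """Would a connection from src_ip pass the Restrict Access setting?"""
    if not s.restrict_to_hosts:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in s.restrict_to_hosts)


# Constructed samples: a configuration close to the defaults described above,
# and a tightened one (non-default port, allow-list, uploaded certificate).
DEFAULT_LIKE = SslVpnSettings("wan1", 443, {443, 22})
HARDENED = SslVpnSettings("wan1", 10443, {443, 22},
                          restrict_to_hosts=["203.0.113.0/24"],
                          server_certificate="vpn-server-cert")

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, lint_settings(cfg) or ["ok"])
    print("203.0.113.7 allowed on hardened:", source_allowed(HARDENED, "203.0.113.7"))
```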

Add a certificate for authentication

  1. Go to System → Certificates.

  2. Ensure that Certificates is enabled in System → Feature Visibility.

  3. Select Import → Local Certificate.

  4. In the window that appears, set Type → Certificate.

  5. Upload the Certificate file and Key file for your certificate and enter the password in the Password field.

  6. The server certificate will appear in the Certificates list.

  7. Set the CA certificate — this is the certificate that signs both the server certificate and the user certificates, for example, for SSL VPN user authentication. To do this, in the System → Certificates section, select Import → CA Certificate.

  8. In the window that appears, set Type — File and upload the certificate file.

  9. The CA certificate will appear in the External CA Certificates list.

  10. Configure PKI users and a user group to use certificate-based authentication. To do so, use the CLI to create PKI users:

    config user peer
        edit pki01
            set ca CA_Cert_Name
            set subject User_Name
        next
    end
  11. Ensure that the subject matches the certificate's username. When you create a PKI user, a new menu is added to the graphical interface where you can continue the configuration.

  12. Go to User & Authentication → PKI to find the new user.

  13. Click Edit to edit the user account and enable Two-factor authentication.

  14. Ensure that this user is in the user group for SSL VPN created earlier (see the Create user groups section).

You can also verify remote user certificates by enabling the Require Client Certificate parameter. In the Authentication/Portal Mapping section, you must map the SSL portal to a user group. By default, all users have access to the same portals. This table allows you to map different portals to different user groups. Create a new entry in the table by clicking Create New and defining the portal and user group. After configuration, click Apply and proceed to create a security policy.

Configure a policy

For users to successfully connect to our VPN and have the necessary access, you need to create a policy allowing access from the ssl.root interface to the local network interface.

  1. Go to Policy & Objects → Firewall Policy → Create New.
  2. Specify the policy name; the incoming interface must be SSL-VPN tunnel interface (ssl.root).
  3. Select the outgoing interface, which in this case is the internal lan interface.
  4. In the Source field, select the previously created user group, in this case SSLVPNGROUP, and the address object all.
  5. In the Destination field, select the required local network.
  6. Specify the required services and save the policy.
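To show what the six steps above produce, here is an added example (not from this article or from FortiOS) that models the resulting policy and evaluates sample flows against it the way the firewall would: first match wins, and anything unmatched is implicitly denied. It illustrates why step 5 asks for the required local network rather than all, and why step 6 asks for the required services: a tunnel user in SSLVPNGROUP reaches the LAN servers over RDP and HTTPS, while other subnets, other services and users outside the group are dropped. The address objects, service objects, pool address and group names other than SSLVPNGROUP and ssl.root are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed stand-ins for Policy & Objects address and service entries.
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "all": ["0.0.0.0/0"],
    "LAN_SERVERS": ["192.168.10.0/24"],      # the "required local network" of step 5
}
SERVICE_OBJECTS: Dict[str, Optional[Set[Tuple[str, int]]]] = {
    "ALL": None,                             # None = any protocol and port
    "RDP": {("tcp", 3389)},
    "HTTPS": {("tcp", 443)},
    "SSH": {("tcp", 22)},
}


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    groups: FrozenSet[str]          # user groups in Source; empty = no user condition
    srcaddr: Tuple[str, ...]
    dstaddr: Tuple[str, ...]
    services: Tuple[str, ...]
    action: str = "accept"


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    user_groups: FrozenSet[str]     # groups of the authenticated SSL-VPN user
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def _addr_match(objects: Tuple[str, ...], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for o in objects for c in ADDRESS_OBJECTS[o])


def _service_match(services: Tuple[str, ...], proto: str, dport: int) -> bool:
    for svc in services:
        ports = SERVICE_OBJECTS[svc]
        if ports is None or (proto, dport) in ports:
            return True
    return False


def policy_matches(p: Policy, f: Flow) -> bool:
    return (p.srcintf == f.srcintf and p.dstintf == f.dstintf
            and (not p.groups or bool(p.groups & f.user_groups))
            and _addr_match(p.srcaddr, f.src_ip)
            and _addr_match(p.dstaddr, f.dst_ip)
            and _service_match(p.services, f.proto, f.dport))


def evaluate(policies: List[Policy], flow: Flow) -> Tuple[str, str]:
    """First matching policy wins; no match is an implicit deny."""
    for p in policies:
        if policy_matches(p, flow):
            return p.action, p.name
    return "deny", "implicit-deny"


# The policy built in the steps above, with constructed object names.
SSLVPN_POLICY = Policy("SSLVPN-to-LAN", "ssl.root", "lan", frozenset({"SSLVPNGROUP"}),
                       ("all",), ("LAN_SERVERS",), ("RDP", "HTTPS"))
POLICIES = [SSLVPN_POLICY]


def vpn_flow(dst_ip: str, proto: str, dport: int,
             groups: FrozenSet[str] = frozenset({"SSLVPNGROUP"})) -> Flow:
    """A flow from a tunnel client (constructed pool address) arriving on ssl.root."""
    return Flow("ssl.root", "lan", groups, "10.212.134.201", dst_ip, proto, dport)


if __name__ == "__main__":
    for f in (vpn_flow("192.168.10.5", "tcp", 3389),
              vpn_flow("192.168.10.5", "tcp", 22),
              vpn_flow("192.168.20.5", "tcp", 3389),
              vpn_flow("192.168.10.5", "tcp", 443, frozenset({"STAFF"}))):
        print(f.dst_ip, f.proto, f.dport, sorted(f.user_groups), "->", evaluate(POLICIES, f))
```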

Configure FortiClient

The Fortinet FortiClient can be downloaded for free from the official website. FortiClient is compatible with a wide range of platforms, each of which allows for free use of SSL VPN. You can also purchase a license for the client, which provides additional features and technical support. You can also find usage and compatibility details on the official website in the Technical Specification.

To configure the connection on the client:

  1. Go to the REMOTE ACCESS section and select SSL-VPN.
  2. Specify the connection name, the FortiGate IP address, and the port the client connects through (configured in the Configure general SSL VPN settings section).
  3. If necessary, select certificates and authentication parameters (either prompt for a username and password upon each connection or save the username).
  4. Save this connection.
  5. Try to connect by specifying the connection name, username, and password.

If web mode was previously allowed for the SSL portal, you can connect using either a browser or the created bookmark without using FortiClient:

  1. Enter the FortiGate address and the port for connection in the address bar (see the Configure general SSL VPN settings section).
  2. Authorize by entering your username and password.

Configure IPSec VPN

Create user groups

To create a VPN tunnel via IPsec, you must create users who will be granted remote access and combine them into a group.

  1. Go to User & Authentication → User Definition → Create New.
  2. Create a local user, specify a username and password, and contact information if necessary.
  3. Combine the created users into a group.
  4. To create a user group, go to User & Authentication → User Groups → Create New.
  5. Specify the group name, Firewall type, and the group members created earlier.

IPSec Wizard

To create the tunnel itself, you can use the special IPsec Wizard, which provides the necessary configuration templates:

  1. Go to VPN → IPsec Wizard.
  2. In the VPN Setup step, enter the tunnel name.
  3. Select the tunnel type Remote Access and the remote device type Client-based and FortiClient, which indicates that the FortiClient is used for connection.
  4. Click Next.
  5. In the Authentication step, specify the incoming interface that will receive connections (in this case, wan1).
  6. Select the authentication type: Pre-shared key or certificate. In this case, a secret key is selected and its value is entered in the Pre-shared key parameter.
  7. Specify the previously created user group that will be granted access for connections.
  8. In the Policy & Routing step, select the local interface from the drop-down menu that remote clients will connect to.
  9. In the Local Address parameter, specify the subnet that users will have access to. In this case, the address object all.
  10. To select a specific subnet, click + and choose an existing address.
  11. To create an address, click the Create button in the pop-up window or go to Policy & Objects → Addresses → Create New.
  12. In the Client Address Range field, specify the pool of addresses that will be assigned to remote clients upon connection.
  13. Ensure that these addresses do not overlap with your internal addressing. Leave the Subnet Mask at its default value.
  14. The DNS Server field allows you to select the DNS server that remote users will use when connecting to the tunnel. In this case, the system one is chosen.
  15. The Enable Split Tunnel parameter allows you to grant users access only to specific subnets, instead of routing all their traffic through the FortiGate.
  16. The Allow Endpoint Registration option allows you to receive various information about remote endpoints and make decisions based on this information (for example, whether to allow a remote endpoint to connect or not).
  17. In the Client Options step, you can configure client options: saving passwords, auto-connect, and always-on connection.
  18. After these actions are performed, the tunnel is created, and a summary of the objects created by the wizard appears on the screen.

Connect FortiClient

To configure the connection on the client:

  1. Go to the REMOTE ACCESS section and select IPsec VPN.

  2. Specify the connection name and the FortiGate IP address, and select the authentication method. In this case, Pre-shared key is selected and the secret key value is entered, as configured earlier.

  3. In the Authentication field, select:

    • the Prompt on login option, so that FortiClient requests a username and password upon each connection;
    • the Save login option, so that only a password is requested upon each connection. In this case, you must enter the login in the Username field.
  4. Save this connection.

After this, select the name of the saved connection, enter the username created in step 1 and its password, and click Connect.

Configure L2TP over IPsec

Create user groups

To create a VPN tunnel via IPsec, you must create users who will be granted remote access and combine them into a group.

  1. Go to User & Authentication → User Definition → Create New.
  2. Create a local user, specify a username and password, and contact information if necessary.
  3. Combine the created users into a group.
  4. To create a user group, go to User & Authentication → User Groups → Create New.
  5. Specify the group name, Firewall type, and the group members created earlier.

IPSec Wizard

To configure an L2TP over IPsec tunnel:

  1. Go to VPN → IPsec Wizard to use the special wizard.
  2. Select the template type Remote Access.
  3. In the Remote Device Type parameter, select Native and Windows Native.
  4. In the Name field, enter the tunnel name.
  5. Choose an external interface as the Incoming Interface through which remote users will connect. In this case, wan1.
  6. For Authentication Method, select Pre-shared Key and enter the secret key value in the field below. This key will need to be entered on the client later when configuring the VPN connection.
  7. In the User Group parameter, enter the created user group.
  8. In the Policy & Routing step, select the local interface from the drop-down menu that remote clients will connect to.
  9. In the Local Address parameter, specify the subnet that users will have access to. In this case, the address object all.
  10. To select a specific subnet, click + and choose an existing address.
  11. To create an address, click the Create button in the pop-up window or go to Policy & Objects → Addresses → Create New.
  12. In the Client Address Range field, specify the pool of addresses that will be assigned to remote clients upon connection.
  13. Ensure that these addresses do not overlap with your internal addressing.
  14. Leave the Subnet Mask at its default value.
  15. Click Create.

After this, the tunnel will be created and a summary of the created objects will appear on the screen.
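All three tunnel types on this page hand out client addresses from a pool (the SSL VPN Source IP Pools, the IPsec wizard's Client Address Range, and the L2TP wizard's Client Address Range), and twice the text asks you to ensure the range does not overlap your internal addressing. The following added example (not from this article or from FortiOS) is a single check for that across all the pools at once: it converts each first/last range into CIDR blocks, reports any pool that overlaps an internal subnet, and also reports pools that overlap each other, since two tunnel types sharing addresses is the same routing problem. The internal subnets and pool ranges are constructed; one of them is deliberately wrong so the check has something to find.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed values: internal subnets behind the FortiGate, and the client
# pools for the three tunnel types described on this page.
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "10.0.0.0/16"]
CLIENT_POOLS: Dict[str, Tuple[str, str]] = {
    "SSL VPN Source IP Pool":     ("10.212.134.200", "10.212.134.210"),
    "IPsec Client Address Range": ("10.0.5.1", "10.0.5.254"),      # overlaps 10.0.0.0/16 on purpose
    "L2TP Client Address Range":  ("172.16.99.1", "172.16.99.100"),
}


def range_to_networks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Express a first..last address range as the minimal list of CIDR blocks."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range start {first} is after range end {last}")
    return list(ipaddress.summarize_address_range(a, b))


def find_overlaps(pools: Dict[str, Tuple[str, str]],
                  internal: List[str]) -> Dict[str, List[str]]:
    """Return {pool name: [what it overlaps]} for every conflicting pool."""
    internal_nets = [ipaddress.ip_network(n) for n in internal]
    pool_nets = {name: range_to_networks(*rng) for name, rng in pools.items()}
    problems: Dict[str, set] = {}

    # pool vs. internal addressing
    for name, nets in pool_nets.items():
        for net in nets:
            for inet in internal_nets:
                if net.overlaps(inet):
                    problems.setdefault(name, set()).add(str(inet))

    # pool vs. pool: two tunnel types must not hand out the same addresses
    names = list(pool_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in pool_nets[a] for y in pool_nets[b]):
                problems.setdefault(a, set()).add("pool: " + b)

    return {k: sorted(v) for k, v in problems.items()}


if __name__ == "__main__":
    for name, (first, last) in CLIENT_POOLS.items():
        print(f"{name}: {first}-{last} -> {[str(n) for n in range_to_networks(first, last)]}")
    conflicts = find_overlaps(CLIENT_POOLS, INTERNAL_SUBNETS)
    print("conflicts:", conflicts or "none")
```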

Configure connection in Windows

  1. Go to Network and Sharing Center → Set up a new connection or network.
  2. In the window that appears, select the Connect to a workplace option, then → Use my Internet connection (VPN).
  3. In the Internet address field, enter the FortiGate IP address.
  4. In the Destination name field, enter the name of the connection being created.
  5. After this, the created connection will appear among the available networks.
  6. In the Network and Sharing Center window, go to Change adapter settings.
  7. Among the displayed networks, select the created VPN connection.
  8. Right-click and select Properties.
  9. In the Properties window that appears, go to the Security tab.
  10. In the Type of VPN parameter, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
  11. Go to Advanced settings.
  12. Select Use preshared key for authentication.
  13. In the Key field, enter the secret key value specified when configuring the tunnel on the FortiGate.
  14. Click the OK button to connect.
  15. Enter the username created earlier and its password.