Configure Remote Access: VPN Client-to-Site

Last update: May 27 2025

Configure Remote Access: VPN Client-to-Site

Using a VPN allows you to organize secure remote access to corporate services and data hosted on Selectel infrastructure via the Internet. Using Selectel's FortiGate hardware firewall, you can set up remote access to organizations' private networks based on SSL, IPsec and L2TP over IPsec technologies, using various software installed on remote users' computers, laptops and cell phones, such as:

• Fortinet's FortiClient client;
• a client from Cisco;
• through the operating system.

Creating a VPN tunnel on the firewall requires that the firewall is already configured:

• external interface through which the devices will be connected;
• internal network;
• access to the FortiGate web interface.

SSL-VPN Modes⁠

• Tunnel mode is a mode in which the SSL VPN client encrypts all traffic from the remote client computer and sends it to the FortiGate unit through an SSL VPN tunnel over an HTTPS link between the user and the FortiGate unit. Tunnel mode supports multiple protocols and applications. Tunnel mode requires a standalone SSL-VPN client, FortiClient, to connect to the FortiGate. FortiClient adds a virtual network adapter, designated fortissl, to the user's computer. This virtual adapter dynamically obtains an IP address from the FortiGate each time the FortiGate establishes a new VPN connection. Inside the tunnel, all traffic is encapsulated in SSL / TLS. The main advantage of tunnel mode over web mode is that once the VPN is established, any IP network application running on the client can send traffic through the tunnel. The main disadvantage is that tunnel mode requires the installation of a software VPN client that requires administrator privileges;

• Web mode — A mode that provides network access using a web browser with built-in SSL encryption. Users authenticate to the FortiGate SSL VPN Web Panel, which provides access to network services and resources including HTTP / HTTPS, Telnet, FTP, SMB / CIFS, VNC, RDP and SSH. The Bookmarks section of the SSL-VPN portal page contains links to all or some of the resources available for the user to access. The Quick Connection widget allows users to enter the URL or IP address of the server they wish to connect to. The web-SSL-VPN user uses these two widgets to access the internal network. The main advantage of the web mode is that it usually does not require additional software to be installed. This mode has the following limitations:

  • all interaction with the internal network must be done exclusively using a browser (through a web portal). External network applications running on the user's computer cannot send data through the VPN;
  • A secure HTTP / HTTPS gateway mechanism that does not work to access everything, but only a few popular protocols such as HTTP, FTP and Windows shares.

• Split mode is a tunnel mode enabled tunnel mode that routes traffic only to the specified network through the FortiGate unit. When split tunneling is enabled, only traffic destined for the private network behind the remote FortiGate unit is routed through the tunnel. All other traffic is sent through the normal encrypted route;

• Full mode — Tunneling mode, when split tunneling is disabled, all IP traffic generated by the client computer, including Internet traffic, is routed through the SSL-VPN tunnel to the FortiGate unit. This sets the FortiGate as the default gateway for the host. You can use this method to apply security features to traffic on these remote clients and to monitor or restrict Internet access. This increases latency and bandwidth utilization.

Configure SSL VPN⁠

Create user groups⁠

Users will be given remote access and will be able to utilize SSL VPN technology.

1. Go to User & Authentication → User Definition → Create New.
2. Create a local user, provide a username and password, and contact information if necessary.
3. Merge the created users into a group.
4. To create a user group, go to User & Authentication → User Groups → Create New.
5. Specify the group name, Firewall type, and group members created previously.

Create an SSL VPN tunnel⁠

1. Go to VPN → SSL-VPN Portal → Create New.
2. Specify a name, enable Tunnel Mode.
3. In the Source IP Pools field, specify the address pool ( **IP Range **) that will be assigned to remote users. You can add a pool created by default SSLVPN_TUNNEL_ADDR1 or your own pool configured in the same way.

In the portal settings, you can also enable client checks, restrict certain OS versions, and set other client connection parameters.

Split mode⁠

When split tunnel is created, traffic is routed only to the designated network.

1. Enable Enable Split Tunneling.
2. Select Routing Address to define the destination network that will be routed through the tunnel, that is, these addresses will be accessed by remote clients.
3. Press + and select an address from the existing ones.
4. To create an address, click Create in the pop-up window or in the Policy field ** & Objects** → Addresses → Create New.

Full mode⁠

If you want full mode tunneling, where all remote client traffic goes through the FortiGate unit, you must disable Enable Split Tunneling.

Web mode⁠

Another setting is Enable Web Mode, which allows you to enable web mode . Here you can select:

• the name of the portal ( Portal Message field);
• design;
• other settings.

The most interesting is the User Bookmarks field — the option allows users to create their own bookmarks.In the Predefined Bookmarks field you can create bookmarks centrally for all users. For example, you can create a bookmark for connecting to a remote desktop via RDP.This completes the configuration of SSL Tunnel itself.

Configure general SSL VPN settings⁠

1. Navigate to the VPN → SSL-VPN Settings field.
2. Specify the "listening" interface, that is, the external interface to which connections from remote users (wan1 in this example) will arrive, and the port on which they will connect. When defining the port, it can be the same as others that are defined for administrative access. For example, the default is 443, which may conflict with the HTTPS port, and the FortiGate unit will display the following message:
3. Set Restrict Access to Allow access from any hosts or, if you want to restrict access, click Limit access to specific hosts and grant access to specific hosts.
4. Specify the period of inactivity after which the user will be forcibly disconnected from the VPN by enabling the Idle Logout parameter and defining a value in the Inactive For parameter, the default is 300 seconds.
5. Select a certificate for the Server Certificate option. This certificate is used to authenticate and encrypt SSL VPN traffic. By default, it is the built-in Fortinet_Factory one. It is possible to work with the built-in certificate, but users will see a warning that the certificate is invalid because there is no CA certificate in the certificate store that signed the current SSL certificate. It is recommended to purchase a certificate for your server and download it for authentication.

Add a certificate for authentication⁠

1. Go to System → Certificates.

2. Make sure that Certificates is enabled in System → Feature Visibility.

3. Select Import → Local Certificate.

4. In the window that appears, set Type — Certificate.

5. Download the Certificate file and Key file for your certificate and enter the password in the Password field.

6. The server certificate appears in the Certificates list.

7. Install a CA certificate, which is a certificate that signs both the server certificate and the user certificate, for example, to authenticate SSL VPN users. To do this, under System → Certificates, select Import → CA Certificate.

8. In the window that appears, set Type — File and upload the certificate file.

9. The CA certificate will appear in the External CA Certificates list.

10. Configure PKI users and a user group to use certificate authentication by using the CLI to create PKI users:

    config user peer
        edit pki01
            set ca CA_Cert_Name
            set subject User_Name
        next
    end

11. Make sure that the user name of the certificate matches the user name of the certificate. When you create a PKI user, a new menu is added to the GUI where you can continue with the configuration.

12. Go to **User & ** Authentication→PKI to highlight the new user.

13. Click Edit to edit the user account and set Two-factor authentication.

14. Make sure that this user is in the user group for the SSL VPN created earlier (see Creating a User Group).

You can also validate remote user certificates by enabling the Require Client Certificate option.In the Authentication/Portal Mapping section, you must map the SSL portal to a group of users. By default, all users have access to the same portals. This table allows you to map different portals to different user groups. Create a new entry in the table by clicking Create New and defining the portal and user group.After configuring the settings, click Apply and proceed to create the security policy.

Customize the policy⁠

In order for users to successfully connect to our VPN and have the necessary access, we need to create a policy that allows access from the ssl.root interface to the local network interface.

1. Go to the Policy field ** & Objects** → Firewall Policy → Create New.
2. Specify the policy name, the inbound interface must be SSL-VPN tunnel interface(ssl.root).
3. Select the outgoing interface, in this case it is the internal lan interface.
4. In the Source field, select the previously created user group, in this case it is SSLVPNGROUP, and the address object all.
5. In the Destination field, select the desired local network.
6. Specify the required services and save the policy.

Customize FortiClient⁠

The FortiNet FortiClient client is available for free download on the official website. FortiClient is compatible with multiple platforms, each of which offers free SSL VPN usage.You can also purchase a license for the client, which provides additional features and technical support. The specifics of use and compatibility can also be found on the official website in the Technical Specification section.

To configure the connection on the client:

1. Go to REMOTE ACCESS and select SSL-VPN.
2. Specify the connection name, the FortiGate IP address, and the port on which the client is connecting (configured in SSL VPN General Settings).
3. If necessary, select certificates and authentication options (either prompt for login and password each time you connect, or save the login).
4. Save this connection.
5. Try connecting with the connection name, username, and password.

If the SSL portal previously had web mode enabled, you can connect using a browser, or you can use the created bookmark without using FortiClient:

1. Enter the address of your FortiGate and the port on which the connection is available in the address bar (see SSL VPN General Settings).
2. Authorize by entering your user name and password.

Configure IPSec VPN⁠

Create user groups⁠

To create a VPN tunnel over IPsec, you must create users who will be granted remote access and group them together.

1. Go to User & Authentication → User Definition → Create New.
2. Create a local user, provide a username and password, and contact information if necessary.
3. Merge the created users into a group.
4. To create a user group, go to User & Authentication → User Groups → Create New.
5. Specify the group name, Firewall type, and group members created previously.

IPSec Wizard⁠

To create the tunnel itself, you can use a special IPsec Wizard that provides the necessary configuration templates:

1. Go to VPN → IPsec Wizard.
2. In the VPN Setup step, enter a name for the tunnel.
3. Select the Remote Access tunnel type and the remote device type Client-based and FortiClient, indicating that the FortiClient client is being used for the connection.
4. Click the Next button.
5. In the Authentication step, specify the incoming interface on which connections will be received (in this case it is wan1).
6. Select the authentication type: Pre-shared key or certificate. In this case, a secret key is selected and its value is entered in the Pre-shared key parameter.
7. Specify the previously created user group that will be granted access for connections.
8. In the Policy & Routing step, specify the local interface in the drop-down menu to which remote clients will connect.
9. In the Local Address parameter, specify the subnet to which users will have access. In this case, the address object all is selected.
10. To select a specific subnet, press + and select an address from the existing subnets.
11. To create an address, click Create in the pop-up window or in the Policy field ** & Objects** → Addresses → Create New.
12. In the Client Address Range field, specify the address pool that will be assigned to remote clients when they connect.
13. Make sure that these addresses do not match the internal addressing. Leave the Subnet Mask at the default value.
14. The DNS Server field allows you to select the DNS server to be used by remote users when connecting to the tunnel. In this case, the system server is selected.
15. The Enable Split Tunnel option allows you to allow users to access only specific subnets, rather than letting all of their traffic go through the FortiGate unit.
16. The Allow Endpoint Registration option allows you to obtain various information about remote endpoints and make decisions based on this information (for example, whether to allow a remote endpoint to connect or not).
17. In the Client Options step, you can configure the client options: password saving, auto-connect, and continuous connection.
18. After the performed actions, the tunnel is created and a summary of the objects created by the assistant appears on the screen.

Connect FortiClient⁠

The FortiNet FortiClient client is available for free download on the official website. FortiClient is compatible with multiple platforms, with free SSL VPN available on each platform. You can also purchase a license for the client, which provides additional features and technical support. Usability and compatibility features can also be found on the official website under Technical Specification.

To configure the connection on the client:

1. Go to REMOTE ACCESS and select IPsec VPN.

2. Specify the connection name, FortiGate IP address, and authentication method. In this case, select Pre-shared key and enter the secret key value as previously configured.

3. In the Authentication field, select:

   • Prompt on login so that FortiClient prompts for a username and password each time you connect;
   • Save login option, so that only the password is requested each time you connect. In this case, you must enter the login in the Username field.

4. Save this connection.

After that, select the name of the saved connection, enter the user name created in step 1 and its password, and click Connect.

Configure L2TP over IPsec⁠

Create user groups⁠

To create a VPN tunnel over IPsec, you must create users who will be granted remote access and group them together.

1. Go to User & Authentication → User Definition → Create New.
2. Create a local user, provide a username and password, and contact information if necessary.
3. Merge the created users into a group.
4. To create a user group, go to User & Authentication → User Groups → Create New.
5. Specify the group name, Firewall type, and group members created previously.

IPSec Wizard⁠

To configure an L2TP tunnel over IPsec:

1. Go to VPN → IPsec Wizard to use the special assistant.
2. Select the Remote Access template type.
3. In the Remote Device Type parameter, Native and Windows Native.
4. In the Name field, enter a name for the tunnel.
5. Select the external interface through which remote users will connect as the Incoming Interface. In this case, it is wan1.
6. For Authentication Method, select Pre-shared Key and enter the value of the secret key in the field below. This key must be entered on the client when configuring the VPN connection.
7. In the User Group parameter, enter the user group you created.
8. In the Policy & Routing step, specify the local interface in the drop-down menu to which remote clients will connect.
9. In the Local Address parameter, specify the subnet to which users will have access. In this case, the address object all is selected.
10. To select a specific subnet, press + and select an address from the existing subnets.
11. To create an address, click Create in the pop-up window or in the Policy field ** & Objects** → Addresses → Create New.
12. In the Client Address Range field, specify the address pool that will be assigned to remote clients when they connect.
13. Make sure that these addresses do not match the internal addressing.
14. Leave Subnet Mask at its default value.
15. Click the Create button.

After that, the tunnel will be created and a summary of the created objects will appear on the screen.

To set up a connection in Windows⁠

1. Go to Network and Sharing Center → Set up a new connection or network.
2. In the window that appears, select Connect to a workplace, then → Use my Internet connection (VPN).
3. In the Internet address field, enter the FortiGate's IP address.
4. In the Destination name field, enter the name of the connection to be created.
5. After that, the created connection will appear among the available networks.
6. In the Network and Sharing Center window, click the Change adapter settings tab.
7. Among the networks that appear, select the VPN connection you created.
8. Right-click and select Properties.
9. In the Properties window that appears, click the Security tab.
10. In the Type of VPN option, select Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec).
11. Go to Advanced settings.
12. Select the Use preshared for authentication option.
13. In the Key field, enter the value of the secret key that you specified when you configured the tunnel on the FortiGate.
14. Press the OK button to connect.
15. Enter the username you created earlier and the password for it.