This guide outlines the steps to set up SSL-VPN remote access on a FortiGate. FortiClient EMS is not required, but Fortinet's remote access VPN works best when it is paired with EMS.
Create a loopback interface and Virtual IP
Although you can always just listen on the default outside interface, setting up a loopback and a virtual IP (VIP) lets you assign a dedicated public IP to your VPN endpoint, if you have one available. It also means every connection to the VPN endpoint has to pass through a firewall policy you control, which is where you can restrict who is allowed to reach it.
Proceed to Network -> Interfaces and create a new loopback interface.
Head to Policy & Objects -> Virtual IPs. Create a VIP and point it to your loopback interface.
Create the VPN Portal
First, set up an address pool in Policy & Objects -> Addresses as an IP Range address object. This is the pool of addresses your clients will receive while on VPN.
Create a VPN Portal in VPN -> SSL-VPN Portals.
The first section when creating a VPN portal is the kind of split tunneling you want to use. Most people enable split tunneling, which sends only the traffic you need through the VPN and lets the rest go out through the user's regular Internet connection. This saves bandwidth for your organization by tunneling only the traffic destined for your organization's network and not regular Internet traffic such as YouTube or Facebook. The trade-off is that the client's Internet traffic is not inspected by the FortiGate while the tunnel is up, so the endpoint itself has to carry that protection.
You have two options for split tunnel: Enabled for Trusted Destinations and Enabled Based on Policy Destination. Enabled for Trusted Destinations lets you list, in the portal itself, the networks that clients route through the tunnel. I like to use the other option, Enabled Based on Policy Destination. This lets us define the allowed networks in the firewall policy instead of modifying the VPN portal every time we need to add or remove a network. We do all our policy changes in the firewall policy anyway. We will use Enabled Based on Policy Destination for this guide.
Select the pool you created earlier for your Source IP Pools.
Tunnel Mode Client Options lets you enable or disable several options. They are out of scope for this guide, but we will go over DNS Split Tunneling. DNS Split Tunneling lets you tunnel DNS requests only for the domains you specify to a DNS server you specify; all other domains are resolved by the client's local default DNS server instead. It is important to note, however, that DNS Split Tunneling appears to be very unreliable in FortiGate. DNS may seem unresponsive for several seconds on desktop, and it completely fails on Android. Your mileage will vary.
It is also best practice to create a "no-access" portal for users who have no permissions. Anyone who authenticates but does not match an explicit portal mapping then lands in a portal with no tunnel and no web access, rather than in a working tunnel.
SSL-VPN Settings
Set up the SSL-VPN Settings in VPN –> SSL-VPN Settings.
Set the Listen on Interface(s) to the loopback interface you created earlier. The Listen on Port should be 443. Listening on 443 allows clients to connect to your VPN server even when other ports are blocked; organizations rarely block port 443 since it is the default port for HTTPS/TLS. Make sure the FortiGate's own administrative HTTPS port is not also 443 on an interface reachable from the outside, since SSL-VPN and the admin GUI cannot share a port on the same interface, and you do not want the management interface exposed there in any case. You can use the built-in certificates or create your own, but you should use your own publicly trusted certificate or have the FortiGate request a Let's Encrypt certificate, which is free. The built-in factory certificate is not trusted by clients, so users get certificate warnings and learn to click through them, which makes a man-in-the-middle attack on the VPN much easier.
In the Address Range section, choose Specify custom IP ranges and add the address pool you created earlier (the same pool selected in the portal). You can also specify DNS servers in this section.
Add users to the Authentication/Portal Mapping by clicking on Create New.
Users can either be groups (RADIUS, LDAP, Single Sign-on, Local) or individual users. In this section, it is best to assign the no-access portal you created earlier to All Other Users/Groups.
Firewall Policies
We need to create two firewall policies in Policy & Objects -> Firewall Policies: one that allows traffic from the outside interface to reach the VIP on your loopback, and another that specifies which networks the VPN clients are allowed to access.
Create a firewall policy with the following:
- Incoming Interface: Your outside interface
- Outgoing Interface: Your loopback interface that you created earlier.
- Source: all. If your users only ever connect from known countries or ranges, narrow this (for example with geography address objects) so the login page is not reachable from the whole Internet.
- Destination: The VIP that you created earlier that is assigned to your loopback interface.
- Service: HTTPS. All traffic going through this policy is TLS on port 443 because that is the SSL part of SSL-VPN. If you chose a different Listen on Port, use a service object that matches that port instead.
- All other options can be left as default or changed based on your preference.
The next policy will give access to networks that you allow. Create a second firewall policy with the following:
- Incoming Interface: The SSL-VPN tunnel interface (ssl.root), not the outside interface. Traffic from connected clients enters the FortiGate on the tunnel interface.
- Outgoing Interface: Your inside interface.
- Source: Specify the pool of addresses that you created earlier that your VPN is handing out. You also need to specify a group or user. This should be identical to your Authentication/Portal Mapping from the last part of this guide. When adding the user or group, make sure you click on the User tab.
- Destination: This is where you specify the networks VPN users are allowed to access. You can limit them to only certain networks. With Enabled Based on Policy Destination, the destinations of these policies are pushed to the client as its split-tunnel routes, so do not set this to all when split tunnel is enabled: that would push a default route and tunnel everything.
- Service: Usually ALL, but restricting it to the services/ports you actually need (for example RDP and SMB to specific servers) is the least-privilege option and is worth the effort.
- All other options can be left as default or changed based on your preference.
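The whole procedure above, as an added example in FortiOS CLI rather than the GUI (this is not configuration from the original guide). Interface names (wan1, internal, Loop_VPN), object names, IP addresses, the certificate name and the VPN_Users group are assumptions for illustration; the comment on the portal notes one mapping from GUI to CLI that is also an assumption.

```fortios
# Added example: CLI equivalent of the GUI steps. Names and addresses are assumed.

# 1. Loopback interface the SSL-VPN listens on. No admin access is allowed on it.
config system interface
    edit "Loop_VPN"
        set vdom "root"
        set type loopback
        set ip 203.0.113.10 255.255.255.255
        set allowaccess ping
    next
end

# 2. Public VIP on the outside interface that maps to the loopback.
config firewall vip
    edit "VIP_SSLVPN"
        set extintf "wan1"
        set extip 198.51.100.10
        set mappedip "203.0.113.10"
    next
end

# 3. Client address pool, plus the internal network VPN users may reach.
config firewall address
    edit "SSLVPN_POOL"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "LAN_Servers"
        set subnet 10.10.0.0 255.255.255.0
    next
end

# 4. Portals: a tunnel portal and the no-access portal for everyone else.
config vpn ssl web portal
    edit "tunnel-policy"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling enable
        # Assumption: with no split-tunneling-routing-address set, routes come
        # from policy destinations (GUI: Enabled Based on Policy Destination).
        set ip-pools "SSLVPN_POOL"
    next
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end

# 5. SSL-VPN settings: listen on the loopback on 443 with a public certificate,
#    default everyone to no-access, map the VPN group to the tunnel portal.
config vpn ssl settings
    set servercert "vpn.example.com"
    set tunnel-ip-pools "SSLVPN_POOL"
    set dns-server1 10.10.0.53
    set source-interface "Loop_VPN"
    set source-address "all"
    set default-portal "no-access"
    set port 443
    config authentication-rule
        edit 1
            set groups "VPN_Users"
            set portal "tunnel-policy"
        next
    end
end

# 6. Policies. The second one's source interface is the SSL-VPN tunnel
#    interface ssl.root, not wan1; its destination becomes the split-tunnel route.
config firewall policy
    edit 0
        set name "WAN_to_SSLVPN"
        set srcintf "wan1"
        set dstintf "Loop_VPN"
        set srcaddr "all"
        set dstaddr "VIP_SSLVPN"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 0
        set name "SSLVPN_to_LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL"
        set dstaddr "LAN_Servers"
        set groups "VPN_Users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After a client connects, `get vpn ssl monitor` lists the logged-in users and the pool address each one received, and `diagnose vpn ssl list` shows the active tunnel sessions; a user who authenticates but lands in the no-access portal will show up in the first command with no tunnel address, which is the quickest way to spot a missing group mapping.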
Profit!
These are the basics of setting up remote access VPN on FortiGate. There are other things that have not been covered here but that matter for a well-configured VPN server, including certificate management, user groups and multi-factor authentication, and keeping the FortiGate firmware current, since the SSL-VPN portal is exposed to the Internet by design.