Configuration: VPN Settings

About the Page

The Configuration: VPN Settings page provides an interface to adjust how Access Server handles routing. You can define the VPN IP subnetworks, configure the settings for routing, and define the clients' DNS server settings. The settings here are global. Access Server also supports defining them at the user and group levels.

VPN IP Network

When a VPN client connects to your Access Server, it is assigned a unique IP address on the virtual VPN IP network. The address comes from the dynamic IP address network that you configure on this page.

You can define the VPN IP subnetworks that an address is pulled from when a user connects to the network. Assuming the user does not have a predefined IP address, Access Server assigns one for the connection. (You configure predefined IP addresses on the User Permissions page at the user level.)

Dynamic IP Address Network: Access Server pulls IP addresses from this subnet unless predefined for specific users. The number of netmask bits determines an upper bound on the maximum number of VPN clients that may concurrently use the subnet. For example, a 24-bit netmask yields a maximum of 254 simultaneous VPN clients (provided that the subscription allows that number of concurrent users).
Static IP Address Network (optional): Set up a unique subnet that Access Server uses for static IP address assignment. Any users not assigned to groups receive static IP addresses from this subnet. This is an optional setting.
Group default IP Address Network (optional): When a group doesn't have a specific dynamic IP address pool, the group references this subnet list to allocate client IP addresses.
  • For NAT, use the default global group subnet.
  • For routing, assign unique node global group subnets.
  • Specify a list of node subnets, one per line.
  • Remove all values from this field to revert to the default global subnets.

Routing

You can configure important global settings here. This is where you globally define whether or not connected users can access server side resources, whether all traffic routes through the VPN, and whether clients can access network services on the VPN gateway IP address. If you have user or group-specific routing needs, ensure you configure them at the user or group level.

Should VPN clients have access to private subnets
  • No: Disables incoming and outgoing traffic at the global level. However, you can still configure settings at the group and user levels.
  • Yes, using NAT: Enables one-directional traffic to server-side subnets. Access Server alters the source address of packets, allowing the traffic to appear local.
  • Yes, using Routing: Allows incoming and outgoing traffic but requires advanced configuration outside of Access Server. The virtual address of each VPN client is the source address on client packets destined for private subnets. You must configure routing on hosts on the private subnets so that response packets can route back to the VPN clients via the Access Server host's IP address on the private subnet.
Specify the subnets to which all clients should be given access: This setting allows you to define the server-side subnets that all users can access.
Allow access from these private subnets to all VPN client IP addresses and subnets: This choice only displays when you have selected Yes, using Routing. This setting creates a simple way for you to toggle access to the subnets defined by routing.
Should client internet traffic be routed through the VPN?: This setting determines whether internet traffic routes through the private tunnel. If set to Yes, all connected user traffic goes through the private tunnel. If set to No, only traffic destined for the private networks traverses the VPN, while other traffic bypasses the VPN.
Should clients be allowed to access network services on the VPN gateway IP address?: This setting determines if the VPN should allow access to network resources on the gateway client side. You can enable VPN gateway clients on the User Permissions page.
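
Added example (not from the Access Server documentation): a Python check of an address plan before it is entered on this page. It reports the client upper bound per pool, flags pools and private subnets that overlap, and lists the return routes that private-subnet hosts need under Yes, using Routing. The subnets, the 10.0.0.5 address and the field names are constructed, and the route lines assume Linux hosts with iproute2.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan; role names and addresses are hypothetical.
PLAN = {
    "dynamic": ["172.27.224.0/24"],
    "static": ["172.27.232.0/24"],
    "group_default": ["172.27.240.0/22"],
    "private": ["10.0.0.0/16", "172.27.232.0/25"],  # second entry clashes on purpose
}
AS_PRIVATE_IP = "10.0.0.5"  # assumed Access Server address on the private subnet


def parse(plan):
    """Return {role: [ip_network, ...]}; strict=True rejects entries with host bits set."""
    return {role: [ipaddress.ip_network(s, strict=True) for s in subnets]
            for role, subnets in plan.items()}


def capacity(net):
    """Upper bound on concurrent clients: usable host addresses (24 bits -> 254)."""
    return max(net.num_addresses - 2, 0)


def overlaps(nets):
    """Every pair of subnets, within or across roles, that share addresses."""
    flat = [(role, n) for role, ns in nets.items() for n in ns]
    return [(ra, str(a), rb, str(b))
            for (ra, a), (rb, b) in combinations(flat, 2) if a.overlaps(b)]


def return_routes(nets, gateway):
    """Routes private-subnet hosts need so replies reach VPN clients in routing mode."""
    gw = ipaddress.ip_address(gateway)
    if not any(gw in p for p in nets["private"]):
        raise ValueError("gateway is not inside any listed private subnet")
    pools = nets["dynamic"] + nets["static"] + nets["group_default"]
    return [f"ip route add {n} via {gw}" for n in ipaddress.collapse_addresses(pools)]


if __name__ == "__main__":
    nets = parse(PLAN)
    for role in ("dynamic", "static", "group_default"):
        for n in nets[role]:
            print(f"{role:14} {n}  max clients <= {capacity(n)}")
    for clash in overlaps(nets):
        print("OVERLAP:", clash)
    for route in return_routes(nets, AS_PRIVATE_IP):
        print(route)
```

An overlap between a client pool and a private subnet makes routing ambiguous, so resolve any reported overlap before choosing between NAT and routing.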

DNS Settings

In the DNS section, you have the option to leave the client’s DNS settings as is, use the Access Server’s DNS settings, or push specific DNS server IP addresses.

If you choose Yes for "Should client internet traffic be routed through the VPN?", you must have clients use either the same DNS servers as the Access Server host or specifically defined servers here.

  • Do not alter clients' DNS server settings: Access Server doesn't push DNS servers to clients.
    Tip: If you enable this setting, ensure that internet traffic is not set to route through the VPN.
  • Have clients use the same DNS servers as the Access Server host: When a client connects to the VPN, its DNS settings are altered so that the client resolves names using the DNS servers configured for the Unix host running Access Server.
  • Have clients use specific DNS servers: You can specify particular DNS servers for VPN client use by entering an IP address for the primary DNS server and an optional IP address for a secondary DNS server.

Below these are optional DNS resolution zones and default domain suffix settings. You can alter these settings after setting up Access Server; they are pushed to the client with each connection.

DNS Resolution Zones: This optional setting (also known as split-DNS) allows defining DNS zones that will be resolved by DNS servers pushed from Access Server.
DNS Domain Suffix: This optional setting is intended as a Windows-specific setting. Since Windows clients might only use the first domain provided in DNS Resolution Zones, you may need to define a suffix for the domain zone here. This resolves DNS resolution conflicts that occur on Windows clients but may not occur on clients installed on other operating systems.

Note: We don't recommend defining the same DNS zone in DNS Resolution Zones and DNS Domain Suffix fields.

Summary

The Configuration: VPN Settings page provides easy configuration of routing settings. Again, these settings are all global and are not absolute. The settings you define here work in conjunction with settings at the user and group level. Refer to Managing Access Control in Access Server for more.