Configuration: VPN Settings
About the Page
Configuration: VPN Settings provides an interface to adjust how the Access Server handles routing. You can define the VPN IP subnetworks, configure the routing settings, and define the clients' DNS server settings. The settings on this page are global: a setting can be disabled globally and still be enabled for individual users and groups on their own settings pages.
VPN IP Network
When a VPN Client connects to your Access Server, it is assigned a unique IP address on the virtual VPN IP network. This is managed by the Dynamic IP Address network you can configure with this page.
You can define the VPN IP subnetworks that an address will be pulled from when a user connects to the network. Assuming the user does not have a pre-defined IP address, the Access Server will assign one for the connection. If you need to configure a pre-defined IP address for specific users, refer to the User Management: User Permissions page.
VPN IP Network Section
Dynamic IP Address Network
IP addresses are pulled from this subnet unless specifically pre-defined for specific users. The number of netmask bits determines an upper bound on the maximum number of VPN Clients that may concurrently use the subnet. For example, a 24-bit netmask yields a maximum of 254 simultaneous VPN Clients (provided that the license allows that number of concurrent users).
Static IP Address Network
If static IP addresses are being used, the subnet is defined here. Any static IP addresses defined for any users must be within this subnetwork. For more information regarding assigning users a static IP address, read the Assigning a static VPN client IP address to a user guide. This is an optional setting.
Group Default IP Address Network
If no address pool is defined at the group level, the IP addresses will be pulled from this subnet. This is an optional setting.
Important global settings are configured here. This is where you globally define whether or not connected users can access server-side resources, whether all traffic is routed through the VPN, and whether clients can access network services on the VPN gateway IP address. If you have user- or group-specific routing needs, configure them at the user/group level.
Should VPN clients have access to private subnets
- Yes, using NAT enables one-directional traffic to server-side subnets. The Access Server alters the source address of packets so that the traffic appears to originate locally.
- Yes, using Routing allows both incoming and outgoing traffic but requires advanced configuration outside of the Access Server. The virtual address of each VPN Client is the source address on client packets destined for private subnets, so routing must be configured on hosts on the private subnets so that response packets can route back to the VPN Clients via the Access Server host's IP address on the private subnet. Routing for a site-to-site network with multi-directional packet traffic is covered here.
- No disables incoming and outgoing traffic at the global level. It is still possible to configure access at the Group and User level.
For more information about the differences between NAT and Routing, click here. NAT is usually preferred for allowing VPN Clients access to private subnets. Routing is more complicated to configure as it requires routing changes on the network infrastructure. Routing is offered to accommodate applications that do not function properly through NAT.
Specify the subnets to which all clients should be given access
This setting allows you to define the server side subnets that all users can access.
Allow access from these private subnets to all VPN client IP addresses and subnets
This choice only displays when you have selected Yes, using Routing. It gives the admin a simple way to toggle access from the private subnets to the VPN client addresses and subnets defined by routing.
Should client Internet traffic be routed through the VPN?
This setting determines whether Internet traffic is routed through the private tunnel. If set to Yes, all traffic from connected users goes through the private tunnel. If set to No, only traffic destined for the private networks traverses the VPN, while all other traffic bypasses it.
Should clients be allowed to access network services on the VPN gateway IP address?
This setting determines if the VPN should allow access to network resources on the gateway client side. VPN Gateway Clients can be enabled in the User Permissions page.
In the DNS section, you have the option to leave the client’s DNS settings as is, use the Access Server’s DNS settings, or push specific DNS server IP addresses.
If you choose yes for Should client Internet traffic be routed through the VPN?, you must have clients use either the same DNS servers as the Access Server host or specifically defined servers here.
- Do not alter clients' DNS server settings: choose this setting only when Internet traffic is not routed through the VPN; Access Server will not push DNS servers to clients.
- Have clients use the same DNS servers as the Access Server host: when a client connects to the VPN, its DNS settings are altered so that the client resolves names using the DNS servers configured for the Unix host running Access Server.
- Have clients use specific DNS servers: You can specify particular DNS servers for the VPN clients to use by configuring the IP address of the primary DNS server and an optional IP address of a secondary DNS server.
Below these are the optional DNS Resolution Zones and Default Domain Suffix settings. These settings can be altered after Access Server is set up; they are pushed to the client on each connection.
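As an added example (not part of the Access Server documentation or product), the following Python script checks a set of VPN Settings against the rules stated on this page: the client capacity implied by the Dynamic IP Address Network netmask, static IP addresses lying inside the Static IP Address Network, and the requirement that DNS be pushed whenever Internet traffic is routed through the VPN. The dictionary keys and the sample values are invented here for illustration and are not Access Server's own configuration keys.

```python
# Added example: consistency check for the VPN Settings described on this page.
# The SETTINGS keys are hypothetical; they are not Access Server's own keys.
import ipaddress

# Constructed sample input mirroring the fields on the VPN Settings page.
SETTINGS = {
    "dynamic_network": "172.27.224.0/20",
    "static_network": "172.27.240.0/24",
    "static_assignments": {"alice": "172.27.240.10", "bob": "172.27.241.5"},
    "route_internet_through_vpn": True,
    "dns_mode": "do_not_alter",  # or "use_server_dns" / "specific"
    "dns_primary": None,
    "dns_secondary": None,
}

def max_dynamic_clients(network: str) -> int:
    """Upper bound on concurrent clients for the dynamic pool: the usable host
    addresses in the subnet (network and broadcast excluded); a /24 gives 254."""
    net = ipaddress.ip_network(network, strict=True)
    return net.num_addresses - 2

def check_vpn_settings(s: dict) -> list:
    """Return human-readable problems; an empty list means the settings agree."""
    problems = []
    # Every static address assigned to a user must be inside the static network.
    if s.get("static_network"):
        static_net = ipaddress.ip_network(s["static_network"], strict=True)
        for user, addr in s.get("static_assignments", {}).items():
            if ipaddress.ip_address(addr) not in static_net:
                problems.append(f"static IP {addr} for {user} is outside {static_net}")
    elif s.get("static_assignments"):
        problems.append("static IPs assigned but no Static IP Address Network defined")
    # Full-tunnel redirect requires pushing DNS (the host's servers or specific ones).
    if s["route_internet_through_vpn"] and s["dns_mode"] == "do_not_alter":
        problems.append("Internet traffic routed through VPN but client DNS is not altered")
    # Specific DNS servers need at least a primary address, and both must parse.
    if s["dns_mode"] == "specific":
        if not s.get("dns_primary"):
            problems.append("dns_mode 'specific' requires a primary DNS server")
        for key in ("dns_primary", "dns_secondary"):
            if s.get(key):
                ipaddress.ip_address(s[key])  # raises ValueError if malformed
    return problems

if __name__ == "__main__":
    print("max dynamic clients:", max_dynamic_clients(SETTINGS["dynamic_network"]))
    for p in check_vpn_settings(SETTINGS):
        print("PROBLEM:", p)
```

Run against the sample, the script reports bob's address as outside the static network and flags the full-tunnel setting combined with unaltered client DNS.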
DNS Settings Section
DNS Resolution Zones
This optional setting provides a way to define the DNS zones handled by the server. Use it to prevent DNS resolution conflicts. If you are experiencing DNS resolution conflicts, read Troubleshooting DNS resolution problems.
DNS Domain Suffix
This optional setting is intended as a Windows-specific setting. Since Windows clients might only use the first domain listed in DNS Resolution Zones, it may be necessary to define a domain suffix here. This resolves DNS resolution conflicts that occur in clients running on Windows but may not occur in clients on other operating systems.
Configuration: VPN Settings provides straightforward configuration of the routing settings. Again, these settings are all global and are not absolute: if the same settings are defined within the user/group settings, those take precedence. The next section covers further VPN settings, allowing the admin to configure additional details of how Access Server handles routing.