Routing all remote traffic through the VPN tunnel
To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.
The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.
- To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing.
- To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing.
These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Routing all remote traffic through the VPN tunnel.
Configuring a FortiGate remote peer to support Internet browsing
The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.
To route all traffic through a policy-based VPN
- At the FortiGate dialup client, go to Policy & Objects > Policy > IPv4.
- Select the IPsec security policy and then select Edit.
- From the Destination Address list, select all.
- Select OK.
Packets are routed through the VPN tunnel, not just those destined for the protected private network.
To route all traffic through a route-based VPN
- At the FortiGate dialup client, go to Router > Static > Static Routes. On a low-end FortiGate unit, go to System > Network > Routing instead.
- Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

| Field | Value |
| --- | --- |
| Destination IP/Mask | 0.0.0.0/0.0.0.0 |
| Device | Select the IPsec virtual interface. |
| Distance | Leave at default. |
All packets are routed through the VPN tunnel, not just packets destined for the protected private network.
Configuring a FortiClient application to support Internet browsing
By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.
To route all traffic through VPN - FortiClient application
- At the remote host, start FortiClient.
- Go to VPN > Connections.
- Select the definition that connects FortiClient to the FortiGate dialup server.
- Select Advanced and then select Edit.
- In the Edit Connection dialog box, select Advanced.
- In the Remote Network group, select Add.
- In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK.
The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.
- Select OK.