In this recipe, you will use remote IPsec and SSL VPN tunnels to bypass Internet access restrictions.
Restricted Internet access is simulated with a Web Filter profile that blocks google.com. You will create FortiClient SSL and IPsec VPN tunnels to bypass the web filter, connect to a remote FortiGate unit, and transparently browse the Internet to google.com.
The recipe assumes that a "vpn_users" user group and a Local LAN firewall address have already been created.
1. Starting point
In this example, we simulate restricted Internet access using a Web Filtering profile to block Google.
With the user situated behind this FortiGate, google.com cannot be accessed, and instead the FortiGuard “Web Page Blocked” message appears.
For the user to bypass this Web Filter, the following VPN configurations must be made on a remote FortiGate (which is not blocked by any filter), and the user must connect to it using FortiClient.
2. Configure the IPsec VPN
On the remote FortiGate, go to VPN > IPsec > Wizard.
Name the VPN connection, select Dial Up – FortiClient (Windows, Mac OS, Android), and click Next.
Set Incoming Interface to the Internet-facing interface (wan1 in this example).
Select Pre-shared Key for the Authentication Method.
Enter a pre-shared key and select the vpn_users user group, then click Next.
Set Local Interface to the internal interface and set Local Address to the local LAN address.
Enter an IP range for VPN users in the Client Address Range field.
Click Next and select Client Options as desired.
When using the IPsec VPN Wizard, an IPsec firewall address range is automatically created using the name of the tunnel you entered into the Wizard. The Wizard also creates an IPsec -> internal IPv4 policy, so all that is left is to create the Internet access policy. See Step 4.
3. Configure the SSL VPN
Go to VPN > SSL > Portals, highlight the full-access portal, and select Edit.
Disable Split Tunneling so that all VPN traffic will go through the FortiGate firewall.
Go to VPN > SSL > Settings. Under Connection Settings, set Listen on Port to 10443.
Under Authentication/Portal Mapping, assign the vpn_users user group to the full-access portal, and assign All Other Users/Groups to the desired portal.
By default, the FortiGate has an ssl.root firewall address. All that is left is to create the Internet access policy, as described in the following step.
4. Create security policies for VPN access to the Internet
Go to Policy & Objects > Policy > IPv4.
Create two security policies allowing remote users to access the Internet securely through the FortiGate unit, one for each VPN tunnel.
Set Incoming Interface to the tunnel interface and set Source Address to all.
For SSL VPN, set Source User(s) to the vpn_users user group.
Set Outgoing Interface to wan1 and Destination Address to all.
Set Service to ALL and ensure that you enable NAT.
5. Configure FortiClient for IPsec and SSL VPN
Open FortiClient, go to Remote Access and add new connections for both VPNs.
Provide a Connection Name and set the Type to either IPsec VPN or SSL VPN depending on the VPN configuration.
Set Remote Gateway to the FortiGate IP address.
For IPsec VPN, set Authentication Method to Pre-Shared Key and enter the pre-shared key configured in Step 2.
For SSL VPN, set Customize Port to 10443.
(Optional) For Username, enter a username from the vpn_users user group.
Select the new connection, enter the username and password, and click Connect.
If prompted with a server authentication warning, select Yes.
6. Results
From FortiClient, start an IPsec or SSL VPN session. Once the connection is established, the FortiGate assigns the user an IP address and FortiClient displays the status of the connection, including the IP address, connection duration, and bytes sent and received.
With the tunnel up, you can now visit google.com without being blocked, since the Internet traffic is handled by the remote FortiGate and the web filter on the local FortiGate has been bypassed.
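Added check, not part of the recipe: commands on the remote FortiGate CLI that confirm the same result from the gateway side rather than from FortiClient. The session filter assumes wan1 as the outgoing interface, as in the recipe. These also show why the local FortiGate cannot act on the browsing: it only forwards the encrypted IKE/ESP or TLS-on-10443 packets, while the clear-text HTTP sessions to google.com exist only here, leaving wan1.

```fortios
# SSL VPN tunnel-mode users: account, source IP, assigned tunnel IP, duration
get vpn ssl monitor

# IPsec: one IKE SA per connected FortiClient, with peer address and XAuth user
diagnose vpn ike gateway list

# IPsec: phase 2 SAs and packet counters per dial-up tunnel
diagnose vpn tunnel list

# Sessions leaving wan1; with the tunnel up, client traffic to google.com
# appears here NATed to the wan1 address
diagnose sys session filter clear
diagnose sys session filter dintf wan1
diagnose sys session list
```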