Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Can a FortiAP WiFi client access SSL VPN when both are on same firewall


I have a Fortigate 60F configured with SSL-VPN on WAN1 and external remote users (authenticated with Forticlient, user/pw + Fortitoken 2FA) who are able to connect to internal resources without issues. I have recently added 2 FortiAPs managed by the same 60F and have set policies for WiFi users to access internet - all works great. I would like some WiFi users to access the VPN (via Forticlient) as if they were working remotely while in the office (I am trying for a consistent user experience when remote workers are in the office). Initially, I tried WPA2 + captive portal with policies to internal resources but this didn't work across all clients (Windows and Macs) and if it did, it took a long time (10s of minutes) for the portal to appear - not very usable. I tried configuring all wireless clients to use WAN2 as gateway to the internet with separate static IP. They could access the internet but their VPN client timed out accessing the VPN port on WAN1. Turning off their WiFi and using external WiFi or cell data connects no problem.

Is it possible to have VPN clients on a FortiAP that is controlled by the same Fortigate that hosts the VPN server ?

Can I add policies to route WiFi users to the SSL.root interface and make that work ?

What am I missing ?

Community Manager
Community Manager


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.
Community Manager
Community Manager



We are still looking for someone to help you.

We will come back to you ASAP.


Anthony-Fortinet Community Team.

An internal client (wifi or wired, does not matter) should absolutely be able to connect to the SSL-VPN, at least on the superficial level.


Given that the listening interface for VPN will be some WAN, you need to ensure that you have a firewall policy that allows this traffic: <wifi-intf> -> <WAN-intf>, allowing the SSL-VPN' IP (WAN IP) and port, both TCP and UDP. I would strongly recommend not to do any UTM inspection of this (at least initially), so a specific policy just for this traffic may be desirable.


One possible road-bump, although not a default setting, is having source-restrictions.

Some customers restrict availability of the VPN to specific source-IPs (e.g. their country). If this is your case, you may need to adjust this list to include the local IPs from wifi.

Another possiblity is source-interface (+IP) restrictions in the individual group->portal mappings. It is not set by default, but I've encountered customers that don't even remember that they configured it, so it won't hurt to check it as well.

=> Have a look at to see the CLI syntax. The restrictions I described are "set source-address" in the general settings, and "set source-address" + "set source-interface" in the "config authentication-rule" sub-section. All of these should be configured so that they can accept your wifi-sourced requests.

[ corrections always welcome ]

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors