Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wm999
New Contributor

Please help: 1) use DHCP of ISP; 2) give public IP + hostname in DNS; 3) VPN tunnel setup

Hello all,

 

Apologies if these are dumb questions. I am reasonably computer savvy but a complete novice at networking. I am about to be overseas for an extended period, and need my U.S. home network to be accessible as a remote home office during that time.

 

My home in the U.S. is in a rural area and the ISP uses DHCP for the handoff (it's a radio tower based internet service provider, and a static IP is not normally available or will be unreasonably expensive to maintain).

 

I want to simply set up an SSL VPN tunnel to my home network using the Fortigate 30E that I just bought.

 

My understanding is that I should follow these steps:

 

1) I need to connect the Fortigate to the ISP's DHCP server (since I don't have a static IP address). But I don't know how to obtain the address of the ISP's DHCP server that that needs to be inputted into the Fortigate during the setup process.

 

2) I want to configure the Fortigate so that it can use Let's Encrypt as a Certificate Authority (https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support). But I don't know how to meet this condition: "The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address." (And it's not clear to me if this condition can be fulfilled when the Fortigate is set up using DHCP.)

 

3) I want to configure the Fortigate as an SSL VPN tunnel using the Let's Encrypt SSL certificate created in the previous step (https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/690301/configuring-the-ssl-vpn-tunnel). 

 

4) I want my laptop to be configured in such a way that all internet traffic (through web browser sessions and also applications) is being routed through the Fortigate's VPN tunnel (e.g. so if I am in China, and access my gmail account, I'm not blocked from being able to log in by the Great Chinese Firewall and also from Google's perspective it looks like I'm logging into my gmail account from my home office in the U.S.). I understand that I'll need to have the free VPN client running on my laptop (https://docs.fortinet.com/document/forticlient/6.2.0/new-features/673187/free-vpn-client) to maintain the VPN tunnel.

 

It seems like this VPN should be very simple, straightforward thing to set up with the Fortigate. But since I'm a total novice, it's still hard for me to figure it out and I haven't been able to get enough clarity by digging through the Fortinet KB articles. Any help would be very much appreciated.

 

 

4 REPLIES 4
andrewbailey
Contributor II

Hi wm999,

 

Welcome to the forum- and certainly they aren’t dumb questions :)

 

I don’t see too many issues with what you are trying to achieve- however others maybe able to comment in more detail on the specifics.

 

A couple of comments:-

 

1). The Fortigates support dynamic DNS. The admin guide covers this here:- http://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/685361/ddns

That should allow you to always reach the DHCP assigned ISP IP address when you need to. You should be able to use that for both SSL or IP-SEC VPN terminations.

 

2) and 3). I have some bad news for you I’m afraid…….

 

The 30E isn’t the best product. It has limited memory and my understanding is that it will not never support the 7.X software releases. It (and the 50E which suffers from the same limitations) are therefore not the best products to invest in. It also means you will therefore not be able use the Let’s Encrypt features.

 

I would go further- if you have only just purchased the 30E return it and get the 40F- which is a far better product and is similarly priced.

 

4). That doesn’t sound like any real issue- you should be able to do it subject to configuration.

 

The fortinet documentation site (docs.fortinet.com) is very good- there is lots of information there which will help you.

 

I hope that helps you a bit.

 

Kind Regards,

 

 

Andy.

wm999

Hi Andy,

 

EDIT: I was able to order a 40F with fast shipping, I've followed your suggestion. It will be here in a couple of days and I will have a few days after that to configure it before departing the States. When the 40F has arrived, what process would I follow for Step 2?

sw2090
SuperUser
SuperUser

1) in FGT factory default the WAN Ports are set to to DHCP. So if there is anyone providing a DHCP Server there it will obtain an ip address etc. If you need to to die dial in for internet with the FGT set it to PPPoE. PPPoE by default will also obtain an ip and gw and dns from your ISP.

 

2) basically you could import the let's encrypt ca to your FGt and generate a CSR to singn it with let's encrypt and then import the certificate and use it anywhere. Just like any ohter cert. 

The problem is that let's encrypt uses some script to automagically renew your certs regularly and you cannot run that on a FGT. So you would have to repeat the above process (execpt from the ca) everytime your cert reaches its TTL.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
andrewbailey

Hi again wm999,

 

I think that is a wise move with the Fortigate 40F- it is a much better product.

 

In terms of the Let's Encrypt cert the ACME client is built into to the 7.0 release (as you saw from the release notes you quote). I know that perhaps contradicts what sw2090 says above but (and I stand to be corrected) I suspect he is referring to all version proir to 7.0.

 

The Let's Encrypt setup (the "automated" option under the local certificate generation) is pretty simple in 7.0 and I have used it myself. The link you shared describes it pretty well. The process is easy and once correctly setup the certificate renews automatically as required.

 

The only issue for you is that you don't have a static IP. Let's Encrypt needs a DNS entry pointing towards the IP address for the ACME client to generate and renew the certificate.

 

The Fortigates do have dynamic DNS functionality via the FortiGuard powered service. The details are here:-

 

https://docs.fortinet.com/document/fortigate/7.0.1/administration-guide/685361/ddns

 

So, the only thing I'm not sure about is if you can then use the DDNS service with the Let's Encrypt certificate.

 

I think it should work- Let's Encrypt is simply looking for DNS resolution from name to IP but I haven't personally tested it to confirm.

 

I would setup the Fortinet DDNS service first (which requires the use of the FortiGuard DNS servers) and then try creating a Let's Encrypt local certificate on the Fortigate using the DDNS domain.

 

If you don't mind let us know how you get on- it's an interesting idea should be a good solution for what you need.

 

Good luck and best regards,

 

 

Andy.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors