Please help: 1) use DHCP of ISP; 2) give public IP + hostname in DNS; 3) VPN tunnel setup
Apologies if these are dumb questions. I am reasonably computer savvy but a complete novice at networking. I am about to be overseas for an extended period, and need my U.S. home network to be accessible as a remote home office during that time.
My home in the U.S. is in a rural area and the ISP uses DHCP for the handoff (it's a radio tower based internet service provider, and a static IP is not normally available or will be unreasonably expensive to maintain).
I want to simply set up an SSL VPN tunnel to my home network using the Fortigate 30E that I just bought.
My understanding is that I should follow these steps:
1) I need to connect the Fortigate to the ISP's DHCP server (since I don't have a static IP address). But I don't know how to obtain the address of the ISP's DHCP server that needs to be entered into the Fortigate during the setup process.
4) I want my laptop to be configured in such a way that all internet traffic (through web browser sessions and also applications) is being routed through the Fortigate's VPN tunnel (e.g. so if I am in China, and access my gmail account, I'm not blocked from being able to log in by the Great Chinese Firewall and also from Google's perspective it looks like I'm logging into my gmail account from my home office in the U.S.). I understand that I'll need to have the free VPN client running on my laptop (https://docs.fortinet.com/document/forticlient/6.2.0/new-features/673187/free-vpn-client) to maintain the VPN tunnel.
It seems like this VPN should be a very simple, straightforward thing to set up with the Fortigate. But since I'm a total novice, it's still hard for me to figure it out and I haven't been able to get enough clarity by digging through the Fortinet KB articles. Any help would be very much appreciated.
That should allow you to always reach the DHCP assigned ISP IP address when you need to. You should be able to use that for both SSL or IP-SEC VPN terminations.
2) and 3). I have some bad news for you, I'm afraid...
The 30E isn't the best product. It has limited memory and my understanding is that it will never support the 7.X software releases. It (and the 50E, which suffers from the same limitations) are therefore not the best products to invest in. It also means you will not be able to use the Let's Encrypt features.
I would go further: if you have only just purchased the 30E, return it and get the 40F, which is a far better product and is similarly priced.
4). That doesn't sound like any real issue; you should be able to do it, subject to configuration.
The Fortinet documentation site (docs.fortinet.com) is very good; there is lots of information there which will help you.
EDIT: I was able to order a 40F with fast shipping, I've followed your suggestion. It will be here in a couple of days and I will have a few days after that to configure it before departing the States. When the 40F has arrived, what process would I follow for Step 2?
1) In FGT factory default the WAN ports are set to DHCP. So if there is anyone providing a DHCP server there, it will obtain an IP address etc. If you need to dial in for internet with the FGT, set it to PPPoE. PPPoE by default will also obtain an IP, GW and DNS from your ISP.
2) Basically you could import the Let's Encrypt CA to your FGT and generate a CSR, sign it with Let's Encrypt, and then import the certificate and use it anywhere. Just like any other cert.
The problem is that Let's Encrypt uses some script to automagically renew your certs regularly and you cannot run that on a FGT. So you would have to repeat the above process (except for the CA) every time your cert reaches its TTL.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I think that is a wise move with the Fortigate 40F- it is a much better product.
In terms of the Let's Encrypt cert, the ACME client is built into the 7.0 release (as you saw from the release notes you quote). I know that perhaps contradicts what sw2090 says above but (and I stand to be corrected) I suspect he is referring to all versions prior to 7.0.
The Let's Encrypt setup (the "automated" option under the local certificate generation) is pretty simple in 7.0 and I have used it myself. The link you shared describes it pretty well. The process is easy and once correctly setup the certificate renews automatically as required.
The only issue for you is that you don't have a static IP. Let's Encrypt needs a DNS entry pointing towards the IP address for the ACME client to generate and renew the certificate.
The Fortigates do have dynamic DNS functionality via the FortiGuard powered service. The details are here:
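Pulling the three replies together (the DDNS pointer in the first reply, the ACME notes above, and the full-tunnel requirement from the question), here is a FortiOS CLI sketch of the whole setup on a 40F running 7.0. This is an added example, not configuration posted in the thread and not Fortinet's own reference text. The hostname, e-mail address, interface names, user name, address pool and port are placeholders, and the ACME keywords should be checked against the 7.0 CLI reference before use.

```text
# Added example (not from the thread). Placeholders: "wan"/"internal" interface
# names, myhomeoffice.fortiddns.com, admin@example.com, remote-user, port 10443.

# 1) WAN takes its address from the ISP's DHCP. This is the factory default;
#    no DHCP server address is entered anywhere, the lease comes by broadcast.
config system interface
    edit "wan"
        set mode dhcp
    next
end

# 2) FortiGuard dynamic DNS: a stable name that follows the DHCP-assigned address.
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "myhomeoffice.fortiddns.com"
        set monitor-interface "wan"
    next
end

# 2b) Let's Encrypt certificate through the built-in ACME client (7.0+).
#     The DDNS name must resolve to the WAN address and TCP/80 on "wan" must be
#     reachable from the Internet for the HTTP-01 challenge and for renewals.
config system acme
    set interface "wan"
end
config vpn certificate local
    edit "letsencrypt-vpn"
        set enroll-protocol acme2
        set acme-domain "myhomeoffice.fortiddns.com"
        set acme-email "admin@example.com"
    next
end

# 3) A local VPN user (choose a strong passphrase; consider adding two-factor).
config user local
    edit "remote-user"
        set type password
        set passwd "<choose-a-strong-passphrase>"
    next
end

# 3b) SSL VPN portal in tunnel mode with split tunnelling OFF, so every packet
#     from the laptop (browser and applications) exits via the home connection.
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    set servercert "letsencrypt-vpn"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan"
    set port 10443
    set default-portal "full-tunnel"
    config authentication-rule
        edit 1
            set users "remote-user"
            set portal "full-tunnel"
        next
    end
end

# 3c) Policies: tunnel clients into the LAN, and tunnel clients out to the
#     Internet with NAT, which is what makes Google see the home IP address.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "remote-user"
    next
    edit 11
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set users "remote-user"
    next
end
```

FortiClient on the laptop then connects to myhomeoffice.fortiddns.com on port 10443. Two checks worth doing before leaving the country: confirm with `get system interface physical` that the address the ISP hands to "wan" is a public one and not a carrier-grade NAT address in 100.64.0.0/10 (a radio-tower ISP may well do this, and then no DDNS name or port can reach the FortiGate from outside); and confirm from a phone on mobile data, not from the home LAN, that the VPN port answers and the Let's Encrypt certificate is the one presented.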